1

Topic: How to win against Xl2tpd (L2TP/IPsec)?

Hello,
For some time I have been trying to tie together all the devices I own (computers, phones, laptops) so that I have free access to them. My choice fell on an L2TP/IPsec tunnel, because every device I have supports it without any fiddling. I am using a strongSwan + xl2tpd setup. The first one gives me no trouble (I managed to configure it), but xl2tpd cannot establish a connection. For now I am trying to run the server within the LAN. The server address is 10.0.0.1, the client address is 10.0.0.2. Server: Mikrotik RB532A with LEDE 17.01.0, client: Windows 10.
Configuration files:
/etc/ipsec.conf

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        keyexchange=ike

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        ikelifetime=8h
        keylife=1h
        type=transport
        left=10.0.0.1
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

/etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file
10.0.0.1 : PSK "ultrasupertajnehaslo"

/etc/ppp/chap-secrets

uzytkownik l2tpd "haslo" *

/etc/xl2tpd/xl2tpd.conf

[lns default]
ip range = 172.16.20.53-172.16.20.58
local ip = 10.0.0.1
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 8.8.8.8
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

strongSwan (with xl2tpd not running) spits this out at me:

no files found matching '/etc/strongswan.d/*.conf'
Starting strongSwan 5.5.3 IPsec [starter]...
# deprecated keyword 'pfs' in conn 'L2TP-PSK-noNAT'
  PFS is enabled by specifying a DH group in the 'esp' cipher suite
### 1 parsing error (0 fatal) ###
00[LIB] no files found matching '/etc/strongswan.d/*.conf'
00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 4.4.50, mips)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for 10.0.0.1
00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark farp stroke updown xauth-generic dhcp
00[JOB] spawning 16 worker threads
charon (2158) started after 160 ms
05[CFG] received stroke: add connection 'L2TP-PSK-noNAT'
05[CFG] added configuration 'L2TP-PSK-noNAT'
13[NET] received packet: from 10.0.0.2[500] to 10.0.0.1[500] (408 bytes)
13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
13[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
13[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
13[IKE] received NAT-T (RFC 3947) vendor ID
13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
13[IKE] received FRAGMENTATION vendor ID
13[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
13[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
13[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
13[IKE] 10.0.0.2 is initiating a Main Mode IKE_SA
13[ENC] generating ID_PROT response 0 [ SA V V V V ]
13[NET] sending packet: from 10.0.0.1[500] to 10.0.0.2[500] (160 bytes)
14[NET] received packet: from 10.0.0.2[500] to 10.0.0.1[500] (388 bytes)
14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
05[MGR] ignoring request with ID 631753136, already processing
14[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
14[NET] sending packet: from 10.0.0.1[500] to 10.0.0.2[500] (372 bytes)
05[NET] received packet: from 10.0.0.2[500] to 10.0.0.1[500] (76 bytes)
05[ENC] parsed ID_PROT request 0 [ ID HASH ]
05[CFG] looking for pre-shared key peer configs matching 10.0.0.1...10.0.0.2[10.0.0.2]
05[CFG] selected peer config "L2TP-PSK-noNAT"
05[IKE] IKE_SA L2TP-PSK-noNAT[1] established between 10.0.0.1[10.0.0.1]...10.0.0.2[10.0.0.2]
05[IKE] scheduling reauthentication in 28162s
05[IKE] maximum IKE_SA lifetime 28702s
05[ENC] generating ID_PROT response 0 [ ID HASH ]
05[NET] sending packet: from 10.0.0.1[500] to 10.0.0.2[500] (76 bytes)
09[NET] received packet: from 10.0.0.2[500] to 10.0.0.1[500] (476 bytes)
09[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID ]
09[IKE] received 250000000 lifebytes, configured 0
09[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID ]
09[NET] sending packet: from 10.0.0.1[500] to 10.0.0.2[500] (188 bytes)
10[NET] received packet: from 10.0.0.2[500] to 10.0.0.1[500] (60 bytes)
10[ENC] parsed QUICK_MODE request 1 [ HASH ]
10[IKE] CHILD_SA L2TP-PSK-noNAT{1} established with SPIs c0a42483_i 20d06c70_o and TS 10.0.0.1/32[udp/l2f] === 10.0.0.2/32[udp/l2f]

So I conclude that IPsec is working for me :)

xl2tpd, on the other hand, spits out something like this when connecting (with strongSwan running):

xl2tpd[2085]: setsockopt recvref[30]: Protocol not available
xl2tpd[2085]: Using l2tp kernel support.
xl2tpd[2085]: xl2tpd version xl2tpd-1.3.6 started on LEDE PID:2085
xl2tpd[2085]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[2085]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[2085]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[2085]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[2085]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[2085]: Connection established to 10.0.0.2, 1701.  Local: 55113, Remote: 1 (ref=0/0).  LNS session is 'default'
xl2tpd[2085]: result_code_avp: result code not appropriate for Incoming-Call-Request.  Ignoring.
xl2tpd[2085]: start_pppd: I'm running:
xl2tpd[2085]: "/usr/sbin/pppd"
xl2tpd[2085]: "plugin"
xl2tpd[2085]: "pppol2tp.so"
xl2tpd[2085]: "pppol2tp"
xl2tpd[2085]: "7"
xl2tpd[2085]: "pppol2tp_lns_mode"
xl2tpd[2085]: "pppol2tp_tunnel_id"
xl2tpd[2085]: "55113"
xl2tpd[2085]: "pppol2tp_session_id"
xl2tpd[2085]: "14611"
xl2tpd[2085]: "passive"
xl2tpd[2085]: "nodetach"
xl2tpd[2085]: "10.0.0.1:172.16.20.53"
xl2tpd[2085]: "refuse-pap"
xl2tpd[2085]: "auth"
xl2tpd[2085]: "debug"
xl2tpd[2085]: "file"
xl2tpd[2085]: "/etc/ppp/options.xl2tpd"
xl2tpd[2085]: Call established with 10.0.0.2, Local: 14611, Remote: 1, Serial: 0
/usr/sbin/pppd: In file /etc/ppp/options.xl2tpd: unrecognized option 'crtscts'
xl2tpd[2085]: child_handler : pppd exited for call 1 with code 2
xl2tpd[2085]: call_close: Call 14611 to 10.0.0.2 disconnected
xl2tpd[2085]: control_finish: Connection closed to 10.0.0.2, port 1701 (), Local: 55113, Remote: 1
xl2tpd[2085]: Terminating pppd: sending TERM signal to pid 2090
^Cxl2tpd[2085]: death_handler: Fatal signal 2 received
root@LEDE:~# xl2tpd -D
xl2tpd[2175]: setsockopt recvref[30]: Protocol not available
xl2tpd[2175]: Using l2tp kernel support.
xl2tpd[2175]: xl2tpd version xl2tpd-1.3.6 started on LEDE PID:2175
xl2tpd[2175]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[2175]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[2175]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[2175]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[2175]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[2175]: Connection established to 10.0.0.2, 1701.  Local: 61909, Remote: 3 (ref=0/0).  LNS session is 'default'
xl2tpd[2175]: check_control: Received out of order control packet on tunnel 3 (got 3, expected 2)
xl2tpd[2175]: handle_packet: bad control packet!
xl2tpd[2175]: result_code_avp: result code not appropriate for Incoming-Call-Request.  Ignoring.
xl2tpd[2175]: start_pppd: I'm running:
xl2tpd[2175]: "/usr/sbin/pppd"
xl2tpd[2175]: "plugin"
xl2tpd[2175]: "pppol2tp.so"
xl2tpd[2175]: "pppol2tp"
xl2tpd[2175]: "7"
xl2tpd[2175]: "pppol2tp_lns_mode"
xl2tpd[2175]: "pppol2tp_tunnel_id"
xl2tpd[2175]: "61909"
xl2tpd[2175]: "pppol2tp_session_id"
xl2tpd[2175]: "33449"
xl2tpd[2175]: "passive"
xl2tpd[2175]: "nodetach"
xl2tpd[2175]: "10.0.0.1:172.16.20.53"
xl2tpd[2175]: "refuse-pap"
xl2tpd[2175]: "auth"
xl2tpd[2175]: "debug"
xl2tpd[2175]: "file"
xl2tpd[2175]: "/etc/ppp/options.xl2tpd"
xl2tpd[2175]: Call established with 10.0.0.2, Local: 33449, Remote: 1, Serial: 0
/usr/sbin/pppd: In file /etc/ppp/options.xl2tpd: unrecognized option 'crtscts'
xl2tpd[2175]: child_handler : pppd exited for call 1 with code 2
xl2tpd[2175]: call_close: Call 33449 to 10.0.0.2 disconnected
xl2tpd[2175]: control_finish: Connection closed to 10.0.0.2, port 1701 (), Local: 61909, Remote: 3
xl2tpd[2175]: Terminating pppd: sending TERM signal to pid 2206

As you can see, the error lies in the word "crtscts". When I comment that word out, the problem shows up at "modem". I do the same again for "modem" and finally end up with something like this:

xl2tpd[2175]: Call established with 10.0.0.2, Local: 48978, Remote: 1, Serial: 0
/usr/sbin/pppd: The remote system is required to authenticate itself
/usr/sbin/pppd: but I couldn't find any suitable secret (password) for it to use to do so.
xl2tpd[2175]: child_handler : pppd exited for call 1 with code 1
xl2tpd[2175]: call_close: Call 48978 to 10.0.0.2 disconnected
xl2tpd[2175]: control_finish: Connection closed to 10.0.0.2, port 1701 (), Local: 8921, Remote: 5
xl2tpd[2175]: Terminating pppd: sending TERM signal to pid 2208

And I don't know what to do with this next :( On another forum I read that it is quite possibly a bug.
Can you help? :)
Thanks in advance!
Tomek
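The logs in the post above fail at three different layers in turn (IKE, L2TP, then pppd), and pppd's exit code tells you which one. Below is an added example for this thread, not code from strongSwan, xl2tpd, pppd or the original poster: a small triage script that walks a combined charon/xl2tpd/pppd log, reports how far the tunnel got, decodes the pppd exit status, and checks whether /etc/ppp/chap-secrets actually contains an entry pppd could use for the `name` set in the options file (the "couldn't find any suitable secret" condition from the last log). The sample log lines and secrets are constructed to mirror the ones posted; the field names (`ike_sa`, `child_sa`, `l2tp_call`, `pppd_exit`) are this script's own.

```python
"""Triage helper for a strongSwan + xl2tpd + pppd (L2TP/IPsec) server.

Added illustration for this thread; not code from strongSwan, xl2tpd, pppd or the poster.
"""
import re
import shlex

# pppd exit statuses as documented in pppd(8); only the ones relevant here are listed.
PPPD_EXIT = {
    0: "disconnected normally",
    1: "immediately fatal error (e.g. no usable secret for the peer)",
    2: "error in the options given (bad option in the options file)",
    10: "PPP negotiation failed",
    11: "peer failed to authenticate itself",
    19: "we failed to authenticate ourselves to the peer",
}

# Constructed sample log, modelled on the lines in the post.
SAMPLE_LOG = """\
05[IKE] IKE_SA L2TP-PSK-noNAT[1] established between 10.0.0.1[10.0.0.1]...10.0.0.2[10.0.0.2]
10[IKE] CHILD_SA L2TP-PSK-noNAT{1} established with SPIs c0a42483_i 20d06c70_o and TS 10.0.0.1/32[udp/l2f] === 10.0.0.2/32[udp/l2f]
xl2tpd[2085]: Call established with 10.0.0.2, Local: 14611, Remote: 1, Serial: 0
/usr/sbin/pppd: In file /etc/ppp/options.xl2tpd: unrecognized option 'crtscts'
xl2tpd[2085]: child_handler : pppd exited for call 1 with code 2
xl2tpd[2085]: Terminating pppd: sending TERM signal to pid 2090
"""
# Constructed chap-secrets and options fragments (client server secret ip / pppd options).
SAMPLE_SECRETS = 'uzytkownik l2tpd "haslo" *\n'
SAMPLE_OPTIONS = "require-mschap-v2\nauth\nname l2tpd\n"


def triage_log(log_text):
    """Record how far the tunnel got: IKE_SA, CHILD_SA, L2TP call, then pppd's fate."""
    result = {"ike_sa": False, "child_sa": False, "l2tp_call": False,
              "pppd_exit": None, "pppd_messages": []}
    for line in log_text.splitlines():
        if "IKE_SA" in line and "established" in line:
            result["ike_sa"] = True
        elif "CHILD_SA" in line and "established" in line:
            result["child_sa"] = True
        elif "Call established" in line:
            result["l2tp_call"] = True
        # Lines pppd itself prints start with its path, e.g. "/usr/sbin/pppd: ...".
        m = re.match(r"\S*pppd: (.*)", line)
        if m:
            result["pppd_messages"].append(m.group(1).strip())
        m = re.search(r"pppd exited for call \d+ with code (\d+)", line)
        if m:
            result["pppd_exit"] = int(m.group(1))
    return result


def diagnose(result):
    """One-line verdict naming the layer that failed first."""
    if not result["ike_sa"]:
        return "IKE phase 1 never completed: check ipsec.conf, ipsec.secrets and UDP/500"
    if not result["child_sa"]:
        return "IKE_SA up but no CHILD_SA: check leftprotoport/rightprotoport (17/1701)"
    if not result["l2tp_call"]:
        return "IPsec up but no L2TP call: check that xl2tpd is listening on UDP/1701"
    code = result["pppd_exit"]
    if code in (None, 0):
        return "tunnel and PPP session look healthy"
    reason = PPPD_EXIT.get(code, "unknown status")
    detail = "; ".join(result["pppd_messages"]) or "see pppd debug output"
    return f"PPP failed: pppd exit {code} ({reason}): {detail}"


def check_chap_secrets(secrets_text, options_text):
    """Return the client names in chap-secrets that pppd can use for the configured 'name'.

    pppd needs an entry whose server field equals the 'name' option (or '*'); an empty
    list means it will fail with "couldn't find any suitable secret".  Simplification:
    when no 'name' is set, pppd falls back to the hostname, which this check ignores.
    """
    name = None
    for line in options_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "name":
            name = fields[1]
    usable = []
    for line in secrets_text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        fields = shlex.split(body)          # honours the quoted "secret" field
        if len(fields) < 3:
            raise ValueError(f"malformed chap-secrets line: {line!r}")
        client, server = fields[0], fields[1]
        if server == "*" or (name is not None and server == name):
            usable.append(client)
    return usable


if __name__ == "__main__":
    print(diagnose(triage_log(SAMPLE_LOG)))
    print("usable chap-secrets clients:", check_chap_secrets(SAMPLE_SECRETS, SAMPLE_OPTIONS))
```

Run it against `logread` output from the router (strongSwan and xl2tpd both log through syslog on LEDE) and the verdict points at the first layer to look at; exit code 2 is an options-file problem, while exit code 1 together with the "suitable secret" message means pppd never found a matching chap-secrets line for the server name.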

2

Re: How to win against Xl2tpd (L2TP/IPsec)?

After all, you've got RouterOS on that thing. Wouldn't it be better on that?

3

Re: How to win against Xl2tpd (L2TP/IPsec)?

No. RouterOS, so to speak, did not meet my requirements :P

4

Re: How to win against Xl2tpd (L2TP/IPsec)?

Out of curiosity, what is it missing? :)

5

Re: How to win against Xl2tpd (L2TP/IPsec)?

I like having access to a normal bash. I want access to the system files and to write bash scripts, while at the same time having the device act as my router. A P2P client, an FTP server, and on RS232 I have a microcontroller attached that controls other devices in the house (a sort of smart home :P). Is nobody able to help me?