Openswan and iPhone

Aug 06, 2014 10:25

Pings and uptime to everyone!

I want to set up an L2TP/IPsec server on my VDS, so that I can browse VK from all sorts of hotspots without worrying.
I set it up following one of the many how-tos and tested it on Android: it works. Testing on the iPhone: it does not work. It says the L2TP server is not responding. What should I do?

x.x.x.x is the client's IP

[Logs]
Aug 6 08:11:14 nixman pluto[21617]: packet from x.x.x.x:46189: received Vendor ID payload [RFC 3947] method set to=109
Aug 6 08:11:14 nixman pluto[21617]: packet from x.x.x.x:46189: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Aug 6 08:11:14 nixman pluto[21617]: packet from x.x.x.x:46189: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Aug 6 08:11:14 nixman pluto[21617]: packet from x.x.x.x:46189: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Aug 6 08:11:14 nixman pluto[21617]: packet from x.x.x.x:46189: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Aug 6 08:11:14 nixman pluto[21617]: packet from x.x.x.x:46189: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Aug 6 08:11:14 nixman pluto[21617]: packet from x.x.x.x:46189: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Aug 6 08:11:14 nixman pluto[21617]: packet from x.x.x.x:46189: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Aug 6 08:11:14 nixman pluto[21617]: packet from x.x.x.x:46189: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Aug 6 08:11:14 nixman pluto[21617]: packet from x.x.x.x:46189: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Aug 6 08:11:14 nixman pluto[21617]: packet from x.x.x.x:46189: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Aug 6 08:11:14 nixman pluto[21617]: packet from x.x.x.x:46189: received Vendor ID payload [Dead Peer Detection]
Aug 6 08:11:14 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: responding to Main Mode from unknown peer x.x.x.x
Aug 6 08:11:14 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 6 08:11:14 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 6 08:11:14 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Aug 6 08:11:14 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: sending notification INVALID_PAYLOAD_TYPE to x.x.x.x:46189
Aug 6 08:11:15 nixman pluto[21617]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to x.x.x.x port 17702, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 6 08:11:16 nixman pluto[21617]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to x.x.x.x port 17702, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 6 08:11:17 nixman pluto[21617]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to x.x.x.x port 17702, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 6 08:11:18 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Aug 6 08:11:18 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: sending notification INVALID_PAYLOAD_TYPE to x.x.x.x:46189
Aug 6 08:11:18 nixman pluto[21617]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to x.x.x.x port 17702, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 6 08:11:19 nixman pluto[21617]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to x.x.x.x port 17702, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 6 08:11:20 nixman pluto[21617]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to x.x.x.x port 17702, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 6 08:11:21 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Aug 6 08:11:21 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: sending notification INVALID_PAYLOAD_TYPE to x.x.x.x:46189
Aug 6 08:11:21 nixman pluto[21617]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to x.x.x.x port 17702, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 6 08:11:22 nixman pluto[21617]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to x.x.x.x port 17702, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 6 08:11:24 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Aug 6 08:11:24 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: sending notification INVALID_PAYLOAD_TYPE to x.x.x.x:46189
Aug 6 08:11:24 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Aug 6 08:11:24 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: sending notification INVALID_PAYLOAD_TYPE to x.x.x.x:46189
Aug 6 08:11:37 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Aug 6 08:11:37 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: sending notification INVALID_PAYLOAD_TYPE to x.x.x.x:46189
Aug 6 08:11:40 nixman pluto[21617]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to x.x.x.x port 17702, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]


[Configs]
root@nixman ~ # cat /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
auth file = /etc/ppp/chap-secrets

[lns default]
ip range = 10.0.10.2-10.0.10.254
local ip = 10.0.10.1
;require chap = yes
refuse pap = yes
refuse chap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
exclusive = no
assign ip = yes
name = VPN-Server

root@nixman ~ # cat /etc/ppp/options.xl2tpd
refuse-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

root@nixman ~ # cat /etc/ipsec.conf
config setup
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
	oe=off
	protostack=netkey

conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
	authby=secret
	pfs=no
	auto=start
	keyingtries=3
	rekey=no
	dpddelay=30
	dpdtimeout=120
	dpdaction=clear
	ikelifetime=8h
	keylife=1h
	type=transport

	left=%defaultroute
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/1701
	#force all to be nat'ed. because of iOS
	forceencaps=yes

root@nixman ~ #


Judging by the l2tpd logs, nothing even attempts to reach it.
I've kicked the tyres and wiped the headlights :( Please set me on the right path.

Cross-posted to ru-sysadmins

vpn
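An added example, not from the post or from Openswan: a small reducer for pluto syslog lines like the ones quoted above. It tracks the last state each ISAKMP SA reached, counts client messages dropped for an unsupported payload type and the INVALID_PAYLOAD_TYPE notifications sent back, and counts ICMP error reports against the NAT-T socket, so the failure pattern (Main Mode never leaving STATE_MAIN_R1) is summarised in two lines instead of forty. The regular expressions are written against the message formats visible in the post, and the sample log is constructed in that same format.

```python
import re
from collections import Counter

# Constructed sample in the format of the Openswan pluto lines quoted in the post.
SAMPLE_LOG = """\
Aug 6 08:11:14 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 6 08:11:14 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 6 08:11:14 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Aug 6 08:11:14 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: sending notification INVALID_PAYLOAD_TYPE to x.x.x.x:46189
Aug 6 08:11:15 nixman pluto[21617]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to x.x.x.x port 17702, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 6 08:11:18 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_SAK) at the outermost level
Aug 6 08:11:18 nixman pluto[21617]: "L2TP-PSK-NAT"[2] x.x.x.x #3: sending notification INVALID_PAYLOAD_TYPE to x.x.x.x:46189
"""

STATE_RE = re.compile(r"#(\d+): transition from state \S+ to state (\S+)")
IGNORED_RE = re.compile(r"#(\d+): message ignored because .*payload type \((\w+)\)")
NOTIFY_RE = re.compile(r"#(\d+): sending notification (\w+) to")
ICMP_RE = re.compile(r"\(sport=(\d+)\) for message to \S+ port (\d+).*ICMP type (\d+) code (\d+)")

def analyze(log):
    """Reduce a pluto log to per-SA state, dropped payloads, notifications and ICMP errors."""
    report = {"state": {}, "dropped": Counter(), "notified": Counter(), "icmp": Counter()}
    for line in log.splitlines():
        if m := STATE_RE.search(line):
            report["state"][m[1]] = m[2]           # last state each ISAKMP SA reached
        elif m := IGNORED_RE.search(line):
            report["dropped"][(m[1], m[2])] += 1   # (SA, payload type pluto refused)
        elif m := NOTIFY_RE.search(line):
            report["notified"][(m[1], m[2])] += 1  # (SA, notification sent to the peer)
        elif m := ICMP_RE.search(line):
            report["icmp"][tuple(m.groups())] += 1  # (our port, peer port, ICMP type, code)
    return report

def diagnose(report):
    """Turn the reduced report into short findings for whoever reads the log."""
    findings = []
    for (sa, payload), n in report["dropped"].items():
        state = report["state"].get(sa, "unknown")
        sent = report["notified"][(sa, "INVALID_PAYLOAD_TYPE")]
        findings.append(f"SA #{sa} stalled at {state}: {n} peer message(s) dropped for "
                        f"unsupported payload {payload}, INVALID_PAYLOAD_TYPE sent {sent} time(s)")
    for (sport, dport, t, c), n in report["icmp"].items():
        kind = "port unreachable" if (t, c) == ("3", "3") else f"type {t} code {c}"
        findings.append(f"ICMP {kind} x{n}: peer reported our UDP {sport}->{dport} packets undeliverable")
    return findings

if __name__ == "__main__":
    for finding in diagnose(analyze(SAMPLE_LOG)):
        print(finding)
```

Feed it the real log with `analyze(open("/var/log/auth.log").read())` (path assumed; use wherever pluto logs on your system) and compare the Android session with the iPhone one: a working session will show the SA moving past STATE_MAIN_R1 and no dropped-payload entries.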
