I am trying to set up a VPN server on a Debian 10 server that will let Windows 10 and Android clients connect using L2TP over IPsec with a pre-shared key (PSK).
The same clients work fine against the VPN server of a Ubiquiti UDM-Pro Dream Machine configured through its simple GUI; this was tested on Windows 10 and on Android (Samsung Galaxy A12 and Samsung Galaxy Tab S6 Lite).
I am new to libreswan. The version I am using is the default 3.27-6+deb10u1.
I am trying to hand out IP addresses on eth1 in the range 192.168.100.10-192.168.100.253 from our pre-existing DHCP pool, which is reachable through NAT; the host presents itself as 161.53.235.3 (to the world) and as 192.168.100.1 (to the hosts behind the NAT).
(This is convenient because authenticated clients can "see" their office PCs and connect to them over RDP, which is the basic idea.)
Thank you for considering this request.
The NAT configuration is as follows:
root@domac:/home/admin/mtodorov# iptables-save -t nat
# Generated by xtables-save v1.8.2 on Mon Nov 22 14:26:47 2021
*nat
:PREROUTING ACCEPT [17288678:2026230352]
:INPUT ACCEPT [10182155:755518594]
:POSTROUTING ACCEPT [2533708:173476436]
:OUTPUT ACCEPT [9707250:822554753]
-A POSTROUTING -o eth0 -j SNAT --to-source 161.53.235.3
COMMIT
# Completed on Mon Nov 22 14:26:47 2021
root@domac:/home/admin/mtodorov#
My configuration is as follows:
# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/
config setup
    # Normally, pluto logs via syslog.
    logfile=/var/log/pluto.log
    #
    # Do not enable debug options to debug configuration issues!
    #
    # plutodebug="control parsing"
    plutodebug="all crypt"
    # plutodebug=none
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has never been announced via BGP (at least up to 2015)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10,%v4:192.198.186.218/32
# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf
My /etc/ipsec.d/l2tp-psk.conf is as follows:
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=30
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    # l2tp-over-ipsec is transport mode
    type=transport
    #
    # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
    left=%defaultroute
    #
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    # Using the magic port of "%any" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port.
    rightprotoport=17/%any
My /etc/ipsec.d/domac-alu.secrets is:
%any : PSK "<mysecret>"
My /etc/ppp/chap-secrets is:
# Secrets for authentication using CHAP
# client server secret IP addresses
mtodorov * <mypasswd> *
# end.
My /etc/xl2tpd/xl2tpd.conf is:
[global]
listen-addr = 161.53.235.3
ipsec saref = no
access control = no
debug network = yes
debug tunnel = yes
[lns default]
ip range = 192.168.100.10-192.168.100.253
local ip = 192.168.100.1
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes
My /etc/ppp/xl2tpd-options is:
ipcp-accept-local
ipcp-accept-remote
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
The error message from Windows 10 looks like this:
The error log from /var/log/pluto.log for the event is:
This is the one with crypto debugging turned off:
Any help, please? I am running out of options and this has to work... We need to set up a VPN for people working from home in this COVID situation...
(The peer 193.198.186.218 in the log is also my client PC.)
The xl2tpd log is as follows:
Nov 22 14:48:57 domac xl2tpd[26982]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Nov 22 14:48:57 domac xl2tpd[26982]: Not looking for kernel SAref support.
Nov 22 14:48:57 domac xl2tpd[26979]: Starting xl2tpd: xl2tpd.
Nov 22 14:48:57 domac xl2tpd[26982]: Not looking for kernel support.
Nov 22 14:48:57 domac xl2tpd[26983]: xl2tpd version xl2tpd-1.3.12 started on domac PID:26983
Nov 22 14:48:57 domac xl2tpd[26983]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Nov 22 14:48:57 domac xl2tpd[26983]: Forked by Scott Balmos and David Stipp, (C) 2001
Nov 22 14:48:57 domac xl2tpd[26983]: Inherited by Jeff McAdams, (C) 2002
Nov 22 14:48:57 domac xl2tpd[26983]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Nov 22 14:48:57 domac xl2tpd[26983]: Listening on IP address 161.53.235.3, port 1701
Thanks in advance.
This took a lot of toil to resolve, so I wanted to post an answer.
The problem was the firewall in between. I could not have solved it in a million years without turning to the NOC people of our academic network, who claimed they had everything passed through. Then I got a laptop whose identical configuration worked on wireless, on a wifi hotspot and on our commercial ISP, but did not work on our academic network.
Then they did something and it suddenly started working, without any change on my part.
The final working configuration, approved by the libreswan developers, was:
/etc/ipsec.d/l2tp-psk.conf:
The key change (received from the developers) was:
rightsubnet=vhost:%no
for non-NAT connections. With that, all the rest of the configuration worked. I hope this helps someone.
Kind regards, Marvin
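As an added illustration (not the poster's code and not part of libreswan), the following script parses the two-conn L2TP/IPsec pattern used above, resolves `also=` inheritance the way libreswan does (a conn's own values override the section it pulls in), and flags a conn that ends up without a `rightsubnet`, which is exactly the non-NAT case the developers' `vhost:%no` fix addresses. The sample configuration embedded in it is a constructed, trimmed version of the one in the post.

```python
import re

# Constructed sample (not the poster's file verbatim): the two-conn L2TP/IPsec
# pattern from the post with the developers' fix, rightsubnet=vhost:%no, applied.
SAMPLE_CONF = """\
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%no
"""

def parse_conns(text):
    """Map conn name -> {key: value}; 'also' collects a list. Comments and the
    'config setup' section are skipped; key=value lines belong to the last conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(2), {"also": []}) if m.group(1) == "conn" else None
        elif current is not None and "=" in line:
            key, val = (s.strip() for s in line.strip().split("=", 1))
            if key == "also":
                current["also"].append(val)
            else:
                current[key] = val
    return conns

def resolve(conns, name, seen=frozenset()):
    """Effective parameters after also= inheritance: a conn's own values override
    the ones pulled in from the sections it names."""
    if name in seen:
        raise ValueError("also= loop at " + name)
    merged = {}
    for other in conns[name]["also"]:
        merged.update(resolve(conns, other, seen | {name}))
    merged.update((k, v) for k, v in conns[name].items() if k != "also")
    return merged

REQUIRED = {"type": "transport", "leftprotoport": "17/1701", "authby": "secret"}

def check_l2tp(conns):
    """Findings for every conn: required L2TP/IPsec settings and an explicit
    rightsubnet (vhost:%priv for NATed clients, vhost:%no for non-NAT ones)."""
    findings = []
    for name in conns:
        eff = resolve(conns, name)
        for key, want in REQUIRED.items():
            if eff.get(key) != want:
                findings.append(f"{name}: {key}={eff.get(key)!r}, expected {want!r}")
        if "rightsubnet" not in eff:
            findings.append(f"{name}: rightsubnet missing; non-NAT clients need vhost:%no")
    return findings
```

Run it against a real /etc/ipsec.d/*.conf by passing the file contents to parse_conns(); an empty findings list means both conns carry the settings the post ends up with.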