
Questions [point-to-point-protocol] (server)

Tymur Gubayev
Asked: 2020-07-25 09:16:15 +0800 CST

L2TP over IPsec with strongswan/xl2tpd works for the clone but not for the original

  • 0

I am setting up a VPN connection from the company network to a client. Currently: L2TP VPN. My first step was to clone the current router VM (it is a Hyper-V machine). Then I started configuring and experimenting with the clone. Once I got the result I wanted, I redid the necessary steps on the original. The setups are now identical (except for the IP addresses). But for some reason only the clone can connect (and always does), while the original almost always fails, yet for some reason it did connect once.

The setup is as follows.

  • OS: Debian GNU/Linux 10 (buster)
  • ipsec:Linux strongSwan U5.7.2/K4.19.0-9-amd64
  • xl2tpd:xl2tpd-1.3.12

/etc/ipsec.conf

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=3des-sha1-modp1024
  esp=3des-sha1-modp1024

conn vpnTheClient
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/%any
  rightprotoport=17/%any
  right=10.20.30.40

/etc/ipsec.secrets

  %any 10.20.30.40 : PSK "somestrongstring"

/etc/xl2tpd/xl2tpd.conf

[global]
debug tunnel = yes
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes

[lac vpnTheClient]
lns = 10.20.30.40
ppp debug = yes
pppoptfile = /etc/ppp/options.TheClient.l2tpd
length bit = yes

/etc/ppp/options.TheClient.l2tpd

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
noaccomp
mtu 1280
mru 1280
noipdefault
#defaultroute
nodefaultroute
#usepeerdns
unit 3
connect-delay 5000
name vpnusername
password vpnPasswrd!

Now I start sudo xl2tpd -D from one session and sudo /bin/sh -c 'echo "c vpnTheClient" > /var/run/xl2tpd/l2tp-control' from another session.

The first failed attempt on the original looks like this.

xl2tpd[11360]: Not looking for kernel SAref support.
xl2tpd[11360]: Using l2tp kernel support.
xl2tpd[11360]: xl2tpd version xl2tpd-1.3.12 started on debian-router PID:11360
xl2tpd[11360]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[11360]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[11360]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[11360]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[11360]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[11360]: get_call: allocating new tunnel for host 10.20.30.40, port 1701.
xl2tpd[11360]: Connecting to host 10.20.30.40, port 1701
xl2tpd[11360]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
packet dump:
HEX: { C8 02 00 6E 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00 00 00 08 00 00 00 06 06 90 80 13 00 00 00 07 64 65 62 69 61 6E 2D 72 6F 75 74 65 72 00 13 00 00 00 08 78 65 6C 65 72 61 6E 63 65 2E 63 6F 6D 80 08 00 00 00 09 47 7A 80 08 00 00 00 0A 00 04 }
ASCII: {    n                                                          debian-router      xelerance.com      Gz        }
xl2tpd[11360]: control_finish: sending SCCRQ
xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
xl2tpd[11360]: network_thread: select timeout with max retries: 5 for tunnel: 18298
xl2tpd[11360]: Maximum retries exceeded for tunnel 18298.  Closing.

Now from the clone, with exactly the same setup:

xl2tpd[2299]: Not looking for kernel SAref support.
xl2tpd[2299]: Using l2tp kernel support.
xl2tpd[2299]: xl2tpd version xl2tpd-1.3.12 started on debian-router-copy PID:2299
xl2tpd[2299]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[2299]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[2299]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[2299]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[2299]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[2299]: get_call: allocating new tunnel for host 10.20.30.40, port 1701.
xl2tpd[2299]: Connecting to host 10.20.30.40, port 1701
xl2tpd[2299]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
packet dump:
HEX: { C8 02 00 73 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00 00 00 08 00 00 00 06 06 90 80 18 00 00 00 07 64 65 62 69 61 6E 2D 72 6F 75 74 65 72 2D 63 6F 70 79 00 13 00 00 00 08 78 65 6C 65 72 61 6E 63 65 2E 63 6F 6D 80 08 00 00 00 09 9C 82 80 08 00 00 00 0A 00 04 }
ASCII: {    s                                                          debian-router-copy      xelerance.com                }
xl2tpd[2299]: control_finish: sending SCCRQ
xl2tpd[2299]: network_thread: recv packet from 10.20.30.40, size = 96, tunnel = 40066, call = 0 ref=0 refhim=0
packet dump:
  <etc now everything is working>

Then I tried adding the noaccomp option, and suddenly the original worked.

xl2tpd[11881]: Not looking for kernel SAref support.
xl2tpd[11881]: Using l2tp kernel support.
xl2tpd[11881]: xl2tpd version xl2tpd-1.3.12 started on debian-router PID:11881
xl2tpd[11881]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[11881]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[11881]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[11881]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[11881]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[11881]: get_call: allocating new tunnel for host 10.20.30.40, port 1701.
xl2tpd[11881]: Connecting to host 10.20.30.40, port 1701
xl2tpd[11881]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
packet dump:
HEX: { C8 02 00 6E 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 03 80 0A 00 00 00 04 00 00 00 00 00 08 00 00 00 06 06 90 80 13 00 00 00 07 64 65 62 69 61 6E 2D 72 6F 75 74 65 72 00 13 00 00 00 08 78 65 6C 65 72 61 6E 63 65 2E 63 6F 6D 80 08 00 00 00 09 64 83 80 08 00 00 00 0A 00 04 }
ASCII: {    n                                                          debian-router      xelerance.com      d         }
xl2tpd[11881]: control_finish: sending SCCRQ
xl2tpd[11881]: network_thread: recv packet from 10.20.30.40, size = 96, tunnel = 25731, call = 0 ref=0 refhim=0
packet dump:
  <etc now everything is working>

But only that one time.

Question: how do I debug this thing (I am only a very novice Linux user)? What could be the reason? I want to stress that the clone has never had any connection problems, and as far as I can tell the configurations are exactly the same.

vpn debian ipsec point-to-point-protocol xl2tpd
  • 1 answer
  • 1049 Views
Kai Giebeler
Asked: 2016-10-16 19:24:33 +0800 CST

nftables rule breaks on reconnect (VDSL, ppp0)

  • 3

I am rebuilding my router using nftables on Debian jessie. I had a working setup until my ISP decided to assign a new WAN IP by reconnecting my DSL link. After the reconnect the router itself is online, but masquerading no longer works.

nftables setup before the reconnect:

# nft list table nat
table ip nat {
    chain prerouting {
            type nat hook prerouting priority 0; policy accept;
    }

    chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            oif ppp0 masquerade
    }
}

nftables setup after the reconnect:

# nft list table nat
table ip nat {
    chain prerouting {
            type nat hook prerouting priority 0; policy accept;
    }

    chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            oif 8 masquerade
    }
}

So I assume the downtime of ppp0 during the reconnect causes the rule in question to become somehow unassigned. Manually re-applying the nft rules (flush + add) fixes this until the next reconnect.

How can I make sure the temporarily disabled rule is automatically reassigned to ppp0 once the connection is re-established?

debian nftables point-to-point-protocol pppoe reconnect
  • 1 answer
  • 272 Views
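The listing above is the whole clue: the rule that was entered as oif ppp0 is shown back as oif 8 after the reconnect. nft stores an oif/iif match as the interface index, resolved once at load time; when pppd tears ppp0 down and brings it back up, the new ppp0 gets a new index and the old rule keeps matching an index that no longer exists. The oifname/iifname matches compare the interface name string per packet instead, so they follow a dynamically recreated interface. The ruleset below is an added example written for this page, not the poster's file or an answer from the site; it assumes the single NAT table shown in the question, with the broken line kept as a comment for comparison.

```nft
# Added example (not from the question above): /etc/nftables.conf for the
# router described in the question. Assumes the WAN interface is ppp0 and
# that only this NAT table exists.
flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Broken form from the question: "oif ppp0" is translated to the
        # interface index at load time (hence "oif 8" in the listing) and
        # stops matching as soon as pppd recreates ppp0 with a new index.
        #oif ppp0 masquerade

        # Name-based match: compared as a string for every packet, so it
        # keeps matching the new ppp0 after each DSL reconnect.
        oifname "ppp0" masquerade
    }
}
```

Load it with nft -f /etc/nftables.conf (the Debian nftables service does this at boot). After the next reconnect, nft list table nat should still print oifname "ppp0" rather than a numeric index; ip link show ppp0 prints the current index as the first field if you want to confirm that it really changed. The same consideration applies to any iif/oif match on a pppX, tunX or other interface that is created and destroyed at run time.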
Illuyankas
Asked: 2013-08-22 07:39:57 +0800 CST

Wrong device answers PPPoE authentication request

  • 0

The basic setup is a CentOS machine running rp-pppoe and a separate router, both connected to the DSL modem through a simple switch. Each device has its own separate PAP id/password.

This setup worked fine for years, until the Linux machine was replaced and a newer version of rp-pppoe was installed. What now seems to happen is that when the router tries to authenticate, the CentOS machine responds, answering the password for an account it does not serve. Connecting the router directly to the modem to let it authenticate, then quickly plugging it back into the switch, alleviates the problem temporarily.

pppoe-server[26658]: Session 40 created for client 00:17:c5:14:0a:b9 (10.67.15.40) on eth0 using Service-Name ''
pppd[26658]: pppd 2.4.5 started by admin, uid 0
pppd[26658]: Using interface ppp1
pppd[26658]: Connect: ppp1 <--> /dev/pts/3
pppd[26658]: no PAP secret found for [email protected]
pppd[26658]: PAP peer authentication failed for [email protected]
pppd[26658]: Connection terminated.

My question is whether this is a problem with rp-pppoe or its configuration, or an inherent problem in my setup?

point-to-point-protocol
  • 1 answer
  • 1144 Views
