问题[ipsec](ubuntu)

尝试将计算机连接到以这种方式配置的 VPN 服务器：

Router# show isakmp policy
ISAKMP policy: L2TP_VPN
  IKD_ID: 8
  negotiation mode: main
  proposal: 1
    encryption: aes256
    authentication: sha256
  proposal: 2
    encryption: aes256
    authentication: sha512
  SA lifetime: 86400
  key group: group20
  NAT traversal: yes
  dead peer detection: yes
  my address: wan1
    type: interface
  secure gateway address: 1
    address: 0.0.0.0
  secure gateway address: 2
    address: 0.0.0.0
  fall back: deactivate
  fall back check interval: 300
  authentication method: pre-share
  pre-shared key: PRESHAREDKEYHERE
  certificate: default
  local ID: 0.0.0.0
    type: ip
  peer ID: 
    type: any
  user ID: 
  type: 
  X-Auth: no
    type: server
    method: default
    allowed user: Utilisateurs_VPN
    username: 
    password: 
  EAP-Auth: no
    type: 
    aaa method: 
    allowed user: 
    allowed auth method: mschapv2
    username: 
    auth method: mschapv2
    password: 
  vcp reference count: 0
  IKE_version: IKEv1
  active: yes

第二阶段部分

Router> show crypto map VPN_CONNECTION1
cryptography mapping: VPN_CONNECTION1
  VPN gateway: L2TP_VPN
  Gateway IP Version: IPv4
  encapsulation: transport
  active protocol: esp
  transform set: 1
    encryption: aes256
    authentication: sha512
  transform set: 2
    encryption: aes256
    authentication: sha256
  SA lifetime: 28800
  PFS: group15
  nail up: no
  scenario: remote-access-server
  l2tp: yes
  local policy: L2TP_VPN_LOCAL
  remote policy: any
  protocol type: any
  configuration provide:   
    mode config: no
    configuration payload: no
    address pool: 
    first dns: 
    second dns: 
    first wins: 
    second wins: 
  policy enforcement: no
  replay detection: no
  narrowed: yes
  adjust mss: yes
  mss value: 0
  stop rekeying: no
  NetBIOS broadcast over IPSec: no
  outbound SNAT: no
    source: 
    destination: 
    target: 
  inbound SNAT: no
    source: 
    destination: 
    target: 
  inbound DNAT: no
  vcp reference count: 0
  active: yes
  VTI: 
  VPN ID: 2
  connected: no
  connectivity check: no
    check method: none
    IP address: none
    period: none
    timeout: none
    fail tolerance: none
    port: none
    log: no
  rule type: 4in4

L2TP部分：

Router# show l2tp-over-ipsec ;
L2TP over IPSec:
  activate          : yes
  crypto            : VPN_CONNECTION1
  address pool      : L2TP_VPN_IP_ADDRESS_POOL
  authentication    : default
  certificate       : default
  user              : Utilisateurs_VPN
  keepalive timer   : 60
  first dns server  : 
  second dns server : 
  first wins server : 
  second wins server: 

这是 ike-scan 看到服务器的方式：

Zulgrib@computer:~$ sudo ./ike-scan.sh GATEWAYIP | grep SA=
    SA=(Enc=AES Hash=SHA2-512 Auth=PSK Group=21 KeyLength=256 LifeType=Seconds LifeDuration(4)=0x00007080)

我使用 NetworkManager 配置了客户端。

[connection]
id=MyVpnName
uuid=3a6d0094-ff3e-49a2-95a3-54303542b2da
type=vpn
autoconnect=false
permissions=user:Zulgrib:;
timestamp=1605784830

[vpn]
gateway=GATEWAYIP
ipsec-enabled=yes
ipsec-esp=aes256-sha256-ecp384
ipsec-ike=aes256-sha256-ecp384
ipsec-psk=PRESHAREDKEY
password-flags=1
user=testvpn
service-type=org.freedesktop.NetworkManager.l2tp

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

但是路由器方面，日志声称 VPN 客户端尝试使用 AES128 和 modp3072。

Recv:[SA][VID][VID][VID][VID][VID]
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256 PRF, HMAC-SHA256-128, 384 bit ECP, AES CBC key len = 128, 3072 bit MODP; ).
The cookie pair is : 0xhexhexhex / 0xhexhexhex [count=2]
Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
Recv:[NOTIFY:INVALID_KEY_INFORMATION]

客户端，协商时也出错：

nov. 19 17:28:16 computer NetworkManager[1337]: initiating Main Mode IKE_SA 3a6d0094-ff3e-49a2-95a3-54303542b2da[1] to GATEWAYIP
nov. 19 17:28:16 computer NetworkManager[1337]: generating ID_PROT request 0 [ SA V V V V V ]
nov. 19 17:28:16 computer NetworkManager[1337]: sending packet: from 192.168.170.52[500] to GATEWAYIP[500] (216 bytes)
nov. 19 17:28:16 computer NetworkManager[1337]: received packet: from GATEWAYIP[500] to 192.168.170.52[500] (410 bytes)
nov. 19 17:28:16 computer NetworkManager[1337]: parsed ID_PROT response 0 [ SA V V V V V V V V V V V ]
nov. 19 17:28:16 computer NetworkManager[1337]: received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
nov. 19 17:28:16 computer NetworkManager[1337]: received draft-ietf-ipsec-nat-t-ike-02 vendor ID
nov. 19 17:28:16 computer NetworkManager[1337]: received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
nov. 19 17:28:16 computer NetworkManager[1337]: received draft-ietf-ipsec-nat-t-ike-03 vendor ID
nov. 19 17:28:16 computer NetworkManager[1337]: received NAT-T (RFC 3947) vendor ID
nov. 19 17:28:16 computer NetworkManager[1337]: received XAuth vendor ID
nov. 19 17:28:16 computer NetworkManager[1337]: received DPD vendor ID
nov. 19 17:28:16 computer NetworkManager[1337]: received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
nov. 19 17:28:16 computer NetworkManager[1337]: received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:32:00
nov. 19 17:28:16 computer NetworkManager[1337]: received unknown vendor ID: ac:40:f8:c4:38:99:27:c6:e8:ac:24:53:1b:b7:8b:2b:27:fc:b5:21:73:53:c1:94:4a:02:92:52:ac:c9:ab:03:8e:fa:5c:a1:d1:c6:24:15:c3:df:8e:e1:58:61:fa:ea:48:80:9d:c2:a6:c4:b
nov. 19 17:28:16 computer NetworkManager[1337]: received unknown vendor ID: b6:c9:8c:ca:29:0a:eb:be:37:f1:9f:31:12:d2:d7:cb
nov. 19 17:28:16 computer NetworkManager[1337]: negotiated DH group not supported
nov. 19 17:28:16 computer NetworkManager[1337]: generating INFORMATIONAL_V1 request 1203248937 [ N(INVAL_KE) ]
nov. 19 17:28:16 computer NetworkManager[1337]: sending packet: from 192.168.170.52[500] to GATEWAYIP[500] (56 bytes)
nov. 19 17:28:16 computer NetworkManager[1337]: establishing connection '3a6d0094-ff3e-49a2-95a3-54303542b2da' failed
nov. 19 17:28:16 computer charon[30591]: 12[IKE] negotiated DH group not supported
nov. 19 17:28:16 computer charon[30591]: 12[ENC] generating INFORMATIONAL_V1 request 1203248937 [ N(INVAL_KE) ]
nov. 19 17:28:16 computer charon[30591]: 12[NET] sending packet: from 192.168.170.52[500] to GATEWAYIP[500] (56 bytes)
nov. 19 17:28:16 computer NetworkManager[1337]: Stopping strongSwan IPsec...

如何将 NetworkManager 配置为在所有阶段使用 ecp384 (DH20) 而不是 modp3072 (DH15) 以及 AES256？

路由器端配置无法更改，因为它是目前（据说）被 strongswan（由网络管理员使用）和 Win10 IPSec 客户端都支持的最强配置。

我正在尝试在 20.04 中创建一个使用 LDAP 进行用户身份验证的 L2TP/IPSEC VPN 服务器。

我假设Strongswan会这样做。

在 Strongswan 或其他配置中，我应该在哪里添加 LDAP 服务器信息？

还是它只是使用 SSSD 或 PAM 或其他东西，而您只是将 Strongswan 指向它？

我专门寻找 LDAP，而不是 Radius。我知道半径是可能的。

任何帮助，将不胜感激。我意识到有几个问题接近这个问题。但他们所有的答案都需要一个 GUI。这是一个云服务器，所以没有 gui。谢谢！

我们有两个使用 strongswan 通过 ipsec 连接的边。两台机器都是 ubuntu 16.04 服务器。问题是两端子网重叠。我们已经尝试了所有可能的 iptables 场景来映射地址，但没有运气。转发、ufw、netmap、snat、dnat。我们在双方都使用ufw。有任何想法吗？

将 libnss-sysytemd 库升级到最新版本237-3ubuntu10.12后，IPSEC/L2TP VPN 连接已建立，但我无法连接到 LAN 外部。我发现路由表和版本不一样237-3ubuntu10.11。不同之处在于IP地址的顺序。在 237-3ubuntu10.12 上，路由表中远程 vpn ip 地址的顺序是正常的，但是 VPN 连接不能正常工作。在 237-3ubuntu10.11 上，顺序是相反的，然后 VPN 连接正常。

但是今天，即使在版本上，它也再次出现在 Starbacks WIFI 上237-3ubuntu10.11。路由表如下。

Starbacks WIFI 上的 237-3ubuntu10.11

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
default         _gateway        0.0.0.0         UG    20600  0        0 wlp58s0
10.27.40.0      0.0.0.0         255.255.248.0   U     600    0        0 wlp58s0
123.234.345.456 _gateway        255.255.255.255 UGH   0      0        0 wlp58s0
192.168.10.1   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0

237-3ubuntu10.11 上的移动网络共享。

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
default         _gateway        0.0.0.0         UG    20600  0        0 wlp58s0
10.27.40.0      0.0.0.0         255.255.248.0   U     600    0        0 wlp58s0
456.345.234.123. _gateway        255.255.255.255 UGH   0      0        0 wlp58s0
192.168.10.1   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0

我确定这是systemd的错误。有没有人报告过这个错误？

我正在使用 strongswan 和 xl2tp。无论如何它不会导致这个问题。

早上好家伙，

我一直在尝试通过 IPsec vpn 在我们的服务器和我的机器之间建立安全连接以测试 VPN。我一直在关注本教程 Site So Site Ipsec VPN 但在第 2 步中：

$ cat >> /etc/sysctl.conf << EOF

回声 net.ipv4.ip_forward = 1

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.send_redirects = 0

EOF

$ sysctl -p /etc/sysctl.conf

这家伙希望我们向我们的 sysctl.conf 文件添加一些 ip 转发，但是当我添加它并重新启动我的操作系统（XFCE）时，当我连接它时，我无法再通过 SSH 连接到我的服务器了

连接到 ip.ip.ip.ip 端口：22 超时

我正在尝试在 18.04 上使用强大的天鹅设置 IPSEC 服务器

我的 ipsec.conf 是：

# ipsec.conf - strongSwan IPsec configuration file
config setup
   charondebug="cfg 2"

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=no
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    [email protected]
    leftcert=/etc/ssl/certs/domain.com.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=192.168.1.1
    rightsourceip=10.11.12.0/24
    rightsendcert=never
    eap_identity=%identity

我的 ipsec.secrets 是

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

domain.com : RSA /etc/ssl/private/strongswan.key
user %any% : EAP "pass"

据我所知，我已经设置了 ufw 以允许流量通过：

administrator@fserver:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80,443/tcp (Apache Full)   ALLOW IN    Anywhere
22/tcp (OpenSSH)           ALLOW IN    Anywhere
137,138/udp (Samba)        ALLOW IN    Anywhere
139,445/tcp (Samba)        ALLOW IN    Anywhere
3389/tcp                   ALLOW IN    Anywhere
8085/tcp                   ALLOW IN    Anywhere
35000:36000/tcp            ALLOW IN    Anywhere                   # deluge
10000:20000/tcp            ALLOW IN    Anywhere                   # ftp passive
20:21/tcp                  ALLOW IN    Anywhere                   # ftp
990/tcp                    ALLOW IN    Anywhere                   # ftp tls
192.168.1.2/esp            ALLOW IN    Anywhere
500                        ALLOW IN    Anywhere                   # ipsec
4500                       ALLOW IN    Anywhere                   # ipsec
192.168.1.2/ah             ALLOW IN    Anywhere
80,443/tcp (Apache Full (v6)) ALLOW IN    Anywhere (v6)
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
137,138/udp (Samba (v6))   ALLOW IN    Anywhere (v6)
139,445/tcp (Samba (v6))   ALLOW IN    Anywhere (v6)
3389/tcp (v6)              ALLOW IN    Anywhere (v6)
8085/tcp (v6)              ALLOW IN    Anywhere (v6)
35000:36000/tcp (v6)       ALLOW IN    Anywhere (v6)              # deluge
10000:20000/tcp (v6)       ALLOW IN    Anywhere (v6)              # ftp passive
20:21/tcp (v6)             ALLOW IN    Anywhere (v6)              # ftp
990/tcp (v6)               ALLOW IN    Anywhere (v6)              # ftp tls
500 (v6)                   ALLOW IN    Anywhere (v6)              # ipsec
4500 (v6)                  ALLOW IN    Anywhere (v6)              # ipsec

不幸的是，我无法在 Windows 10 上连接。当我尝试在 Windows 上连接时，它位于“验证您的登录信息”上，然后停止并显示由于服务器停止响应而无法建立连接的错误消息。

我的系统日志显示：

Jul  3 11:20:51 fserver charon: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul  3 11:20:51 fserver charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver ipsec[4349]: 06[ENC] generating INFORMATIONAL_V1 request 3859798652 [ N(NO_PROP) ]
Jul  3 11:20:51 fserver ipsec[4349]: 06[NET] sending packet: from 192.168.1.2[500] to 216.218.206.70[50231] (40 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 08[NET] received packet: from 216.218.206.98[28703] to 192.168.1.2[500] (64 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 08[ENC] parsed ID_PROT request 0 [ SA ]
Jul  3 11:20:51 fserver ipsec[4349]: 08[CFG] looking for an ike config for 192.168.1.2...216.218.206.98
Jul  3 11:20:51 fserver ipsec[4349]: 08[IKE] no IKE config found for 192.168.1.2...216.218.206.98, sending NO_PROPOSAL_CHOSEN
Jul  3 11:20:51 fserver ipsec[4349]: 08[ENC] generating INFORMATIONAL_V1 request 1302012061 [ N(NO_PROP) ]
Jul  3 11:20:51 fserver ipsec[4349]: 08[NET] sending packet: from 192.168.1.2[500] to 216.218.206.98[28703] (40 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 10[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   candidate: %any...%any, prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] found matching ike config: %any...%any with prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] received MS-Negotiation Discovery Capable vendor ID
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] received Vid-Initial-Contact vendor ID
Jul  3 11:20:51 fserver ipsec[4349]: 10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] 142.68.61.15 is initiating an IKE_SA
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   proposal matches
Jul  3 11:20:51 fserver charon: 13[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] local host is behind NAT, sending keep alives
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] remote host is behind NAT
Jul  3 11:20:51 fserver ipsec[4349]: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul  3 11:20:51 fserver ipsec[4349]: 10[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 11[IKE] sending keep alive to 142.68.61.15[500]
Jul  3 11:20:51 fserver ipsec[4349]: 12[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout
Jul  3 11:20:51 fserver ipsec[4349]: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver ipsec[4349]: 13[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul  3 11:20:51 fserver ipsec[4349]: 13[CFG]   candidate: %any...%any, prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 13[CFG] found matching ike config: %any...%any with prio 28
Jul  3 11:20:51 fserver charon: 13[CFG]   candidate: %any...%any, prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 13[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul  3 11:20:51 fserver charon: 13[CFG] found matching ike config: %any...%any with prio 28
Jul  3 11:20:51 fserver charon: 13[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul  3 11:20:51 fserver charon: 13[IKE] received MS-Negotiation Discovery Capable vendor ID
Jul  3 11:20:51 fserver charon: 13[IKE] received Vid-Initial-Contact vendor ID
Jul  3 11:20:51 fserver charon: 13[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul  3 11:20:51 fserver charon: 13[IKE] 142.68.61.15 is initiating an IKE_SA
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   proposal matches
Jul  3 11:20:51 fserver charon: 13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul  3 11:20:51 fserver charon: 13[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver charon: 13[IKE] local host is behind NAT, sending keep alives
Jul  3 11:20:51 fserver charon: 13[IKE] remote host is behind NAT
Jul  3 11:20:51 fserver charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul  3 11:20:51 fserver charon: 13[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul  3 11:21:11 fserver charon: 15[IKE] sending keep alive to 142.68.61.15[500]
Jul  3 11:21:21 fserver charon: 01[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout

看起来windows不再发送任何数据包。我已经转发了端口 500 和 4500。

也许是ufw设置不正确，我愿意深入研究iptables，但如果没有必要，我宁愿不去。

我的网络设置有点复杂，所以让我们解释一下。

但首先请记住，一切都与 ubuntu 16.04、nixOs、几种基于 Arch 的发行版和 windows 10 完美配合。

这里是 ：

[HOME NETWORK] <--l2tp-ipsec-VPN---> [OFFICE NETWORK - with a DNS] <---Site2SiteVPN----> [some other cloud resource]

预期结果示例：

• 建立从家到办公室的 VPN 连接
• 获取预期范围内的 IP（172. 而不是 192..., ）
• 获取正确的 DNS 配置
• SSH 或 HTTPS 到“其他云资源”=> 应该可以工作

在 Ubuntu 18.04 上：

sudo apt-get install network-manager-l2tp-gnome

然后配置连接，连接：是的！“锁”出现在网络图标附近。到目前为止看起来很有希望。

出现一个新的接口 ppp0，IP 看起来还可以

检查“whatsmyip.org”时，它现在显示我的办公室 IP。看起来不错

ip addr
...
...
12: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN group default qlen 3
  link/ppp
  inet 172.x.x.x peer 172.255.255.0/32 scope global ppp0

现在是问题所在：-无法访问“其他云资源”上的任何资源

http 连接超时，ssh 从不应答。...

我在 2 个不同位置的 3 台不同 PC 上看到了这个问题。他们都曾经使用 16.04。

连接已建立，vpn 服务器或网络管理器日志上没有出现错误，但好像所有连接都没有使用 ppp0 接口。

让我想到了某种关于“连接优先级”的方法，但我没有找到任何方法来解决这个问题。

任何建议都将受到高度欢迎。

谢谢！

PS：我还检查了“路由”命令：ppp0 以最高优先级出现