[VPN IPSEC] IPsec VPN server / L2TP

195 views since 30-01-2008

  • Sa1
  • Registered: October 2000
I have been busy for a long time setting up a VPN server, first with PoPtOp and MPPC compression, but I can't get that working because no patches are being released anymore for newer kernels.

Now I'm working on an IPSEC / L2TP combination VPN server with preshared keys. I found a neat howto on the following site: http://teh.sh.nu/HowTo/index.php

Everything seems to go fine: IPSEC and L2TP both start up neatly, without errors. However, the moment I try to make a connection, it goes wrong.

Version numbers:

Kernel: 2.6.16-r7 (Gentoo distro)
IPSEC-tools: ipsec-tools-0.6.2-r1
Openswan: Linux Openswan U2.4.4/K2.6.16-gentoo-r7 (netkey)
L2TP: l2tpd-0.70_pre20031121
PPP: ppp-2.4.3-r16

When I restart L2TP:

code:
Aug 25 11:21:41 lnx-server l2tpd[21245]: This binary does not support kernel L2TP.
Aug 25 11:21:41 lnx-server l2tpd[21246]: l2tpd version 1.04-X started on lnx-server PID:21246
Aug 25 11:21:41 lnx-server l2tpd[21246]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug 25 11:21:41 lnx-server l2tpd[21246]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug 25 11:21:41 lnx-server l2tpd[21246]: Inherited by Jeff McAdams, (C) 2002
Aug 25 11:21:41 lnx-server l2tpd[21246]: Listening on IP address 0.0.0.0, port 1701


When I restart IPSEC:

code:
Aug 25 11:23:24 lnx-server ipsec_setup: Starting Openswan IPsec 2.4.4...
Aug 25 11:23:24 lnx-server ipsec_setup: insmod /lib/modules/2.6.16-gentoo-r7/kernel/net/key/af_key.ko
Aug 25 11:23:24 lnx-server NET: Registered protocol family 15
Aug 25 11:23:24 lnx-server Initializing IPsec netlink socket
Aug 25 11:23:24 lnx-server ipsec_setup: KLIPS ipsec0 on eth0 83.83.xx.xx/255.255.xx.0 broadcast 83.83.7.255 mtu 1410
Aug 25 11:23:24 lnx-server ipsec_setup: insmod /lib/modules/2.6.16-gentoo-r7/kernel/net/ipv4/xfrm4_tunnel.ko
Aug 25 11:23:24 lnx-server ipsec_setup: insmod /lib/modules/2.6.16-gentoo-r7/kernel/net/xfrm/xfrm_user.ko
Aug 25 11:23:24 lnx-server ipsec__plutorun: Starting Pluto subsystem...
Aug 25 11:23:24 lnx-server pluto[22270]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Aug 25 11:23:24 lnx-server pluto[22270]: Setting NAT-Traversal port-4500 floating to on
Aug 25 11:23:24 lnx-server pluto[22270]:    port floating activation criteria nat_t=1/port_fload=1
Aug 25 11:23:24 lnx-server pluto[22270]:   including NAT-Traversal patch (Version 0.6c)
Aug 25 11:23:24 lnx-server pluto[22270]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 25 11:23:24 lnx-server pluto[22270]: starting up 1 cryptographic helpers
Aug 25 11:23:24 lnx-server pluto[22270]: started helper pid=22271 (fd:6)
Aug 25 11:23:24 lnx-server pluto[22270]: Using Linux 2.6 IPsec interface code on 2.6.16-gentoo-r7
Aug 25 11:23:24 lnx-server pluto[22270]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Aug 25 11:23:24 lnx-server pluto[22270]: Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Aug 25 11:23:24 lnx-server pluto[22270]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Aug 25 11:23:24 lnx-server pluto[22270]: Changing to directory '/etc/ipsec/ipsec.d/crls'
Aug 25 11:23:24 lnx-server pluto[22270]:   Warning: empty directory
Aug 25 11:23:24 lnx-server ipsec_setup: ...Openswan IPsec started
Aug 25 11:23:25 lnx-server pluto[22270]: added connection description "roadwarrior-l2tp"
Aug 25 11:23:25 lnx-server pluto[22270]: added connection description "roadwarrior"
Aug 25 11:23:25 lnx-server pluto[22270]: added connection description "roadwarrior-all"
Aug 25 11:23:25 lnx-server pluto[22270]: added connection description "roadwarrior-net"
Aug 25 11:23:25 lnx-server pluto[22270]: added connection description "roadwarrior-l2tp-updatedwin"
Aug 25 11:23:25 lnx-server pluto[22270]: listening for IKE messages
Aug 25 11:23:25 lnx-server pluto[22270]: adding interface lo/lo 127.0.0.1:500
Aug 25 11:23:25 lnx-server pluto[22270]: adding interface lo/lo 127.0.0.1:4500
Aug 25 11:23:25 lnx-server pluto[22270]: adding interface eth1/eth1 192.168.20.254:500
Aug 25 11:23:25 lnx-server pluto[22270]: adding interface eth1/eth1 192.168.20.254:4500
Aug 25 11:23:25 lnx-server pluto[22270]: adding interface eth0/eth0 83.83.xx.xx:500
Aug 25 11:23:25 lnx-server pluto[22270]: adding interface eth0/eth0 83.83.xx.xx:4500
Aug 25 11:23:25 lnx-server pluto[22270]: loading secrets from "/etc/ipsec/ipsec.secrets"


So no errors appear, only that kernel L2TP isn't supported, but that isn't an error; the L2TP people never got around to the kernel drivers or something.

I copied the configs almost literally from the howto, and only adjusted some subnets for my private stuff.

IPSEC.CONF:

code:
# This file:  /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        overridemtu=1410
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.20.0/24

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior-net
        leftsubnet=192.168.20.0/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-l2tp
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


IPSEC.secrets:

code:
#Openswan Secrets file
83.83xx.xx %any: PSK "langekey"


L2TPD.conf:

code:
; l2tpd.conf
;
[global]
port = 1701

[lns default]
ip range = 192.168.20.234-192.168.20.239
local ip = 192.168.20.253
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes


options.l2tpd:

code:
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.20.254
noccp
auth
crtscts
idle 1800
mtu 1400
mru 1400
+mschap-v2
nodefaultroute
debug
local
proxyarp
connect-delay 5000
silent


I think those were all the config files.

The error that occurs is the following:

code:
pluto[22270]: packet from 80.127.xx.xx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto[22270]: packet from 80.127.xx.xx:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto[22270]: packet from 80.127.xx.xx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto[22270]: packet from 80.127.xx.xx:500: ignoring Vendor ID payload [Vid-Initial-Contact]
pluto[22270]: "roadwarrior-l2tp"[1] 80.127.xx.xx #1: responding to Main Mode from unknown peer 80.127.xx.xx
pluto[22270]: "roadwarrior-l2tp"[1] 80.127.xx.xx #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[22270]: "roadwarrior-l2tp"[1] 80.127.xx.xx #1: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[22270]: "roadwarrior-l2tp"[1] 80.127.xx.xx #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
pluto[22270]: "roadwarrior-l2tp"[1] 80.127.xx.xx #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[22270]: "roadwarrior-l2tp"[1] 80.127.xx.xx #1: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[22270]: "roadwarrior-l2tp"[1] 80.127.xx.xx #1: Main mode peer ID is ID_FQDN: '@wxp-fujitsu'
pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #1: deleting connection "roadwarrior-l2tp" instance with peer 80.127.xx.xx {isakmp=#0/ipsec=#0}
pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #1: I did not send a certificate because I do not have one.
pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[22270]: | NAT-T: new mapping 80.127.xx.xx:500/61592)
pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #2: responding to Quick Mode {msgid:0f0bb5ee}
pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #2: ERROR: netlink response for Add SA esp.92996c14@83.83.xx.xx included errno 93: Protocol not supported
pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #2: next payload type of ISAKMP Hash Payload has an unknown value: 235
pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #2: malformed payload in packet
pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #2: sending notification PAYLOAD_MALFORMED to 80.127.xx.xx:61592
pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #2: next payload type of ISAKMP Hash Payload has an unknown value: 235
pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #2: malformed payload in packet
pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #2: sending notification PAYLOAD_MALFORMED to 80.127.xx.xx:61592
pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #1: received Delete SA payload: deleting ISAKMP State #1
pluto[22270]: packet from 80.127.xx.xx:61592: received and ignored informational message


The error that stands out most to me is errno 93: Protocol not supported.

However, I can't find anywhere what this is supposed to mean.... Does anyone have experience with this, or an idea where I could look?
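Triaging a pluto log like the one quoted in the post means working out, per IKE state number, how far the negotiation got (Main Mode R0 through R3, then Quick Mode) and which line carries the actual failure. The parser below is an added example and not part of the original post or of Openswan; it assumes the classic pluto line shape `pluto[pid]: "conn"[instance] peer #state: message` and is fed a constructed sample made of the masked log lines from the post. It records state transitions, the ISAKMP SA parameters, the NAT-T verdict, the peer ID and any `ERROR ... errno N` line, and prints a one-line summary per state, so the `errno 93` on state #2 is isolated from the vendor-ID chatter and the follow-on `PAYLOAD_MALFORMED` notifications.

```python
"""Pluto (Openswan) log triage helper. Added example, not code from the post."""
import re
from collections import defaultdict

# Constructed sample: the masked log lines quoted in the post, in order.
SAMPLE_LOG = [
    'pluto[22270]: packet from 80.127.xx.xx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]',
    'pluto[22270]: "roadwarrior-l2tp"[1] 80.127.xx.xx #1: responding to Main Mode from unknown peer 80.127.xx.xx',
    'pluto[22270]: "roadwarrior-l2tp"[1] 80.127.xx.xx #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1',
    'pluto[22270]: "roadwarrior-l2tp"[1] 80.127.xx.xx #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed',
    'pluto[22270]: "roadwarrior-l2tp"[1] 80.127.xx.xx #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2',
    "pluto[22270]: \"roadwarrior-l2tp\"[1] 80.127.xx.xx #1: Main mode peer ID is ID_FQDN: '@wxp-fujitsu'",
    'pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3',
    'pluto[22270]: | NAT-T: new mapping 80.127.xx.xx:500/61592)',
    'pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}',
    'pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #2: responding to Quick Mode {msgid:0f0bb5ee}',
    'pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #2: ERROR: netlink response for Add SA esp.92996c14@83.83.xx.xx included errno 93: Protocol not supported',
    'pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #2: malformed payload in packet',
    'pluto[22270]: "roadwarrior-l2tp"[2] 80.127.xx.xx #2: sending notification PAYLOAD_MALFORMED to 80.127.xx.xx:61592',
    'pluto[22270]: packet from 80.127.xx.xx:61592: received and ignored informational message',
]

# Assumed line shape: pluto[pid]: "conn"[instance] peer #state: message
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")
ESTABLISHED_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
ERRNO_RE = re.compile(r"ERROR: (?P<what>.*?) included errno (?P<errno>\d+): (?P<text>.*)$")
NAT_RE = re.compile(r"NAT-Traversal: Result using [^:]+: (?P<result>.*)$")
PEER_ID_RE = re.compile(r"peer ID is (\S+): '([^']*)'")


def parse_pluto(lines):
    """Return {(conn, peer, state_no): facts}; the instance number is dropped
    because pluto renumbers the instance mid-negotiation (see [1] -> [2])."""
    states = defaultdict(lambda: {"transitions": [], "sa": None, "errors": [],
                                  "nat": None, "peer_id": None})
    for line in lines:
        m = STATE_RE.search(line)
        if not m:
            continue  # vendor-ID and informational lines carry no state number
        rec = states[(m["conn"], m["peer"], int(m["state"]))]
        msg = m["msg"]
        t = TRANSITION_RE.search(msg)
        if t:
            rec["transitions"].append((t.group(1), t.group(2)))
        e = ESTABLISHED_RE.search(msg)
        if e:
            rec["sa"] = dict(kv.split("=", 1) for kv in e["params"].split())
        err = ERRNO_RE.search(msg)
        if err:
            rec["errors"].append((int(err["errno"]), err["text"], err["what"]))
        n = NAT_RE.search(msg)
        if n:
            rec["nat"] = n["result"]
        p = PEER_ID_RE.search(msg)
        if p:
            rec["peer_id"] = (p.group(1), p.group(2))
    return dict(states)


def summarize(states):
    """One line per IKE state: last state reached, SA parameters, errno errors."""
    out = []
    for (conn, peer, no), rec in sorted(states.items()):
        last = rec["transitions"][-1][1] if rec["transitions"] else "(no transition)"
        line = f"{conn} {peer} #{no}: reached {last}"
        if rec["sa"]:
            sa = rec["sa"]
            line += f" auth={sa.get('auth')} cipher={sa.get('cipher')} group={sa.get('group')}"
        for errno, text, _what in rec["errors"]:
            line += f" ERROR errno={errno} ({text})"
        out.append(line)
    return out


def first_failure(states):
    """(state_no, errno, text) of the first errno error, or None."""
    for (_conn, _peer, no), rec in sorted(states.items()):
        if rec["errors"]:
            errno, text, _what = rec["errors"][0]
            return (no, errno, text)
    return None


if __name__ == "__main__":
    parsed = parse_pluto(SAMPLE_LOG)
    for row in summarize(parsed):
        print(row)
    print("first failure:", first_failure(parsed))
```

Run against the sample, state #1 shows Phase 1 completing (STATE_MAIN_R3, PSK authentication, 3DES, MODP-2048, peer behind NAT), and state #2 shows the Quick Mode failure with errno 93 on the netlink Add SA. To use it on a live box, replace `SAMPLE_LOG` with the lines from the system log that mention `pluto[`.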