racoon IPSec/L2TP client

I am trying to configure the racoon IPSec/L2TP client to connect to a Windows 2003 server. The server was originally set up to work with Windows XP clients (it was tested successfully with Windows XP SP3, but does not work with XP SP1 or Windows 7). To complicate things further, it uses both a pre-shared key and x509 certificates. I inferred the following from a working client and tried to replicate the settings in racoon:

  • No NAT-T (removed since Windows XP SP2)
  • No tunnel mode (not supported on Windows XP)
  • No AH (not supported on Windows XP)
  • 3des for the encryption algorithm
  • sha1 for the hashing algorithm
  • dh_group 2
  • I don't know the authentication mode, so I tried both pre_shared_key and rsasig

My racoon.conf:

log debug2;

path certificate "/home/ipsec/out/etc/certs";
path pre_shared_key "/etc/psk.txt";
path script "/etc/racoon/scripts";

# Phase 1 (ISAKMP SA) settings for the Windows 2003 peer
remote 10.0.1.2 {
        exchange_mode main;

        my_identifier user_fqdn "[email protected]";
        certificate_type x509 "client.example.crt" "client.example.key";
        ca_type x509 "ca.crt";

        passive off;
        generate_policy on;
        dpd_delay 20;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SA) settings; "anonymous" applies to any peer
sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

My setkey.conf:

# Flush the SAD and SPD
flush;
spdflush;

# Require ESP in transport mode for L2TP (port 1701) traffic to the server
spdadd 0.0.0.0/0 vpn.example.com[1701] any -P out ipsec
        esp/transport//require;

# ... and for L2TP traffic coming back from the server
spdadd vpn.example.com[1701] 0.0.0.0/0 any -P in ipsec
        esp/transport//require;

I ran setkey -f /etc/setkey.conf and then ran racoon -F. My racoon log is as follows:

Foreground mode.
2015-07-18 17:25:25: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
2015-07-18 17:25:25: INFO: @(#)This product linked OpenSSL 1.0.0a 1 Jun 2010 (http://www.openssl.org/)
2015-07-18 17:25:25: INFO: Reading configuration from "/home/ipsec/out/etc/racoon.conf"
2015-07-18 17:25:26: DEBUG: filename: /home/ipsec/out/etc/certs/client.example.crt
2015-07-18 17:25:26: DEBUG: filename: /home/ipsec/out/etc/certs/ca.crt
2015-07-18 17:25:26: DEBUG2: lifetime = 28800
2015-07-18 17:25:26: DEBUG2: lifebyte = 0
2015-07-18 17:25:26: DEBUG2: encklen=0
2015-07-18 17:25:26: DEBUG2: p:1 t:1
2015-07-18 17:25:26: DEBUG2: 3DES-CBC(5)
2015-07-18 17:25:26: DEBUG2: SHA(2)
2015-07-18 17:25:26: DEBUG2: 1024-bit MODP group(2)
2015-07-18 17:25:26: DEBUG2: pre-shared key(1)
2015-07-18 17:25:26: DEBUG2: 
2015-07-18 17:25:26: DEBUG2: Etype mismatch: got 2, expected 4.
2015-07-18 17:25:26: DEBUG: no check of compression algorithm; not supported in sadb message.
2015-07-18 17:25:26: DEBUG: getsainfo params: loc='ANONYMOUS' rmt='ANONYMOUS' peer='NULL' client='NULL' id=0
2015-07-18 17:25:26: DEBUG2: parse successed.
2015-07-18 17:25:26: DEBUG: open /home/ipsec/out/var/racoon/racoon.sock as racoon management.
2015-07-18 17:25:26: DEBUG: Netlink: address 192.168.110.57 added
2015-07-18 17:25:26: INFO: 192.168.110.57[500] used as isakmp port (fd=7)
2015-07-18 17:25:26: DEBUG: Netlink: address 127.0.0.1 added
2015-07-18 17:25:26: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
2015-07-18 17:25:26: DEBUG: Netlink: address 127.0.0.0 added
2015-07-18 17:25:26: INFO: 127.0.0.0[500] used as isakmp port (fd=9)
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 18000100 01000000 2d0d0000 03000500 ff200000 020006a5 d401c161
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4a10aa55 00000000 00000000 00000000
04001200 02000300 7a010000 00000080 10003200 01020000 00000000 00000000
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 18000100 02000000 2d0d0000 03000500 ff200000 020006a5 d401c161
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4a10aa55 00000000 00000000 00000000
04001200 02000100 70010000 00000080 10003200 01020000 00000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 18000100 03000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff200000 020006a5 d401c161 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4410aa55 00000000 00000000 00000000
04001200 02000200 69010000 00000080 10003200 01020000 00000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 04000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000500 2c000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 05000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000400 23000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 06000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000500 1c000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 07000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000400 13000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 08000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000500 0c000000 00000000
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:27: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:27: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:27: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:27: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:27: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:27: DEBUG2: 
02120000 16000100 00000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000400 03000000 00000000
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:27: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:27: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:27: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out

After that, traffic does not go through the VPN (I am not sure whether the connection was established at all), and setkey -D reports no SAD entries.

Edit:

Looking into it, the biggest problem is routing. Since L2TP runs in transport mode, the server needs to act as the gateway for the network behind it, but traffic does not reach the server over l2tp, so the tunnel is never initiated. I tried adding routes without success.
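One way to sanity-check a setup like this before starting racoon, as an added example that is not part of the original question or of ipsec-tools: a small Python script (hypothetical helper; function names, the sample inputs and the placeholder key and identifier are assumptions) that parses racoon.conf, psk.txt and setkey.conf and reports the mismatches that typically leave the SAD empty. The checks are that an outbound SPD entry for port 1701 exists (racoon only starts IKE when the kernel reports a packet matching an out policy), that the policies are transport mode and point at the racoon peer, and that for main mode with pre_shared_key the psk.txt entry is keyed by the peer's address, since in main mode racoon selects the key by address rather than by the ID payload.

```python
# Sanity-check a racoon L2TP/IPsec transport-mode client setup.
# Added example (hypothetical helper, not from the original post or ipsec-tools).
# The sample inputs are constructed from the post; key and identifier are placeholders.
import re

L2TP_PORT = 1701

SAMPLE_RACOON_CONF = """\
remote 10.0.1.2 {
        exchange_mode main;
        my_identifier user_fqdn "client@example.com";
        passive off;
        generate_policy on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
"""
SAMPLE_PSK_GOOD = "10.0.1.2   PLACEHOLDER-PSK\n"          # keyed by peer address
SAMPLE_PSK_BAD = "vpn.example.com   PLACEHOLDER-PSK\n"   # keyed by name only
SAMPLE_SETKEY_CONF = """\
flush;
spdflush;
spdadd 0.0.0.0/0 10.0.1.2[1701] any -P out ipsec
        esp/transport//require;
spdadd 10.0.1.2[1701] 0.0.0.0/0 any -P in ipsec
        esp/transport//require;
"""


def parse_racoon_remotes(text):
    """Map each 'remote <peer> { ... }' block to a flat {option: value} dict.
    Options of the nested 'proposal { }' block are folded into the same dict;
    the option names this checker reads do not collide, so that is enough."""
    remotes = {}
    for block in re.finditer(r"remote\s+(\S+)\s*\{(.*?)\n\}", text, re.S):
        opts = {}
        for raw in block.group(2).splitlines():
            line = raw.split("#", 1)[0].strip().rstrip(";")
            if not line or line.endswith("{") or line == "}":
                continue
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
        remotes[block.group(1)] = opts
    return remotes


def parse_psk_identifiers(text):
    """psk.txt holds one 'identifier<whitespace>key' pair per line."""
    ids = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ids.add(line.split(None, 1)[0])
    return ids


# spdadd SRC[port] DST[port] ULP -P DIR ipsec PROTO/MODE/ENDPOINTS/LEVEL ;
SPD_RE = re.compile(
    r"spdadd\s+(\S+?)(?:\[(\d+)\])?\s+(\S+?)(?:\[(\d+)\])?\s+(\S+)\s+-P\s+(in|out)"
    r"\s+ipsec\s+(\w+)/(\w+)/[^/;]*/(\w+)\s*;")


def parse_spd(text):
    """Return one dict per spdadd statement (ports are None when absent)."""
    policies = []
    for m in SPD_RE.finditer(text):
        src, sport, dst, dport, ulp, direction, proto, mode, level = m.groups()
        policies.append({"src": src, "sport": int(sport) if sport else None,
                         "dst": dst, "dport": int(dport) if dport else None,
                         "ulp": ulp, "dir": direction, "proto": proto,
                         "mode": mode, "level": level})
    return policies


def check(racoon_conf, psk_txt, setkey_conf):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    remotes = parse_racoon_remotes(racoon_conf)
    psk_ids = parse_psk_identifiers(psk_txt)
    policies = parse_spd(setkey_conf)
    outbound = [p for p in policies if p["dir"] == "out" and p["dport"] == L2TP_PORT]
    inbound = [p for p in policies if p["dir"] == "in" and p["sport"] == L2TP_PORT]
    if not outbound:
        # racoon starts IKE only when the kernel reports a packet matching an
        # 'out' policy, so without this entry nothing ever triggers phase 1.
        findings.append("no outbound SPD entry for port 1701: no L2TP packet can "
                        "trigger IKE, so the SAD stays empty")
    if not inbound:
        findings.append("no inbound SPD entry for port 1701: replies from the "
                        "server are not required to be ESP-protected")
    for peer, opts in remotes.items():
        modes = [m.strip() for m in opts.get("exchange_mode", "").split(",")]
        if (opts.get("authentication_method") == "pre_shared_key"
                and "main" in modes and peer not in psk_ids):
            # In main mode the ID payload arrives after the key is already
            # needed, so racoon selects the PSK by the peer's address.
            findings.append(f"main mode with pre_shared_key, but psk.txt has no "
                            f"entry keyed by the peer address {peer}")
        for p in outbound + inbound:
            if p["mode"] != "transport":
                findings.append(f"{p['dir']} policy uses {p['mode']} mode; "
                                "L2TP/IPsec uses transport mode")
            endpoint = p["dst"] if p["dir"] == "out" else p["src"]
            if endpoint != peer:
                findings.append(f"{p['dir']} policy endpoint {endpoint} is not the "
                                f"racoon peer {peer}; confirm both name the same host")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_RACOON_CONF, SAMPLE_PSK_BAD, SAMPLE_SETKEY_CONF):
        print("-", finding)
```

Run against the constructed inputs with the name-keyed psk.txt, the script reports only the missing address-keyed PSK entry; with the address-keyed file it reports nothing. The endpoint comparison is a plain string comparison, so a hostname in setkey.conf against an IP literal in racoon.conf is flagged for manual confirmation rather than resolved.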

Best answer 1
