L2TP + IPSec VPN - Problem



  • 2.4.4
    I did everything according to the instructions:

    https://knasys.ru/4-настройка-l2tp-в-pfsense/

    the logs look like this:
    Oct 18 10:23:36 charon: 10[IKE] <44> IKE_SA (unnamed)[44] state change: CONNECTING => DESTROYING
    Oct 18 10:23:36 charon: 10[NET] <44> sending packet: from Server-ip[500] to Client-ip[500] (56 bytes)
    Oct 18 10:23:36 charon: 10[ENC] <44> generating INFORMATIONAL_V1 request 3604237970 [ N(INVAL_KE) ]
    Oct 18 10:23:36 charon: 10[IKE] <44> activating INFORMATIONAL task
    Oct 18 10:23:36 charon: 10[IKE] <44> activating new tasks
    Oct 18 10:23:36 charon: 10[IKE] <44> queueing INFORMATIONAL task
    Oct 18 10:23:36 charon: 10[IKE] <44> no shared key found for Server-ip - Client-ip
    Oct 18 10:23:36 charon: 10[IKE] <44> no shared key found for 'Server-ip'[Server-ip] - '%any'[Client-ip]
    Oct 18 10:23:36 charon: 10[CFG] <44> candidate "con-mobile", match: 1/1/28 (me/other/ike)
    Oct 18 10:23:36 charon: 10[CFG] <44> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Oct 18 10:23:36 charon: 10[IKE] <44> remote host is behind NAT
    Oct 18 10:23:36 charon: 10[ENC] <44> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Oct 18 10:23:36 charon: 10[NET] <44> received packet: from Client-ip[500] to Server-ip[500] (388 bytes)
    Oct 18 10:23:36 charon: 10[NET] <44> sending packet: from Server-ip[500] to Client-ip[500] (160 bytes)
    Oct 18 10:23:36 charon: 10[ENC] <44> generating ID_PROT response 0 [ SA V V V V ]
    Oct 18 10:23:36 charon: 10[IKE] <44> sending NAT-T (RFC 3947) vendor ID
    Oct 18 10:23:36 charon: 10[IKE] <44> sending FRAGMENTATION vendor ID
    Oct 18 10:23:36 charon: 10[IKE] <44> sending DPD vendor ID
    Oct 18 10:23:36 charon: 10[IKE] <44> sending XAuth vendor ID
    Oct 18 10:23:36 charon: 10[CFG] <44> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    Oct 18 10:23:36 charon: 10[CFG] <44> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    Oct 18 10:23:36 charon: 10[CFG] <44> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Oct 18 10:23:36 charon: 10[CFG] <44> proposal matches
    Oct 18 10:23:36 charon: 10[CFG] <44> selecting proposal:
    Oct 18 10:23:36 charon: 10[CFG] <44> no acceptable ENCRYPTION_ALGORITHM found
    Oct 18 10:23:36 charon: 10[CFG] <44> selecting proposal:
    Oct 18 10:23:36 charon: 10[CFG] <44> no acceptable DIFFIE_HELLMAN_GROUP found
    Oct 18 10:23:36 charon: 10[CFG] <44> selecting proposal:
    Oct 18 10:23:36 charon: 10[IKE] <44> IKE_SA (unnamed)[44] state change: CREATED => CONNECTING
    Oct 18 10:23:36 charon: 10[IKE] <44> Client-ip is initiating a Main Mode IKE_SA
    Oct 18 10:23:36 charon: 10[ENC] <44> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
    Oct 18 10:23:36 charon: 10[ENC] <44> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    Oct 18 10:23:36 charon: 10[ENC] <44> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    Oct 18 10:23:36 charon: 10[IKE] <44> received FRAGMENTATION vendor ID
    Oct 18 10:23:36 charon: 10[IKE] <44> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Oct 18 10:23:36 charon: 10[IKE] <44> received NAT-T (RFC 3947) vendor ID
    Oct 18 10:23:36 charon: 10[IKE] <44> received MS NT5 ISAKMPOAKLEY vendor ID
    Oct 18 10:23:36 charon: 10[ENC] <44> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
    Oct 18 10:23:36 charon: 10[CFG] <44> found matching ike config: %any...%any with prio 28
    Oct 18 10:23:36 charon: 10[CFG] <44> c
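As an added example (not from the thread): a small Python triage script that puts the newest-first charon excerpt back into chronological order, groups it per IKE_SA, and names the first fatal event of phase 1. It assumes the pfSense log format shown in the post; the severity labels and notes are this example's own classification of the messages, not strongSwan output.

```python
import re

# Sample input: charon lines quoted from the post, in the newest-first order
# in which the pfSense log viewer shows them (Server-ip/Client-ip are the post's placeholders).
SAMPLE_LOG = [
    "Oct 18 10:23:36 charon: 10[IKE] <44> IKE_SA (unnamed)[44] state change: CONNECTING => DESTROYING",
    "Oct 18 10:23:36 charon: 10[ENC] <44> generating INFORMATIONAL_V1 request 3604237970 [ N(INVAL_KE) ]",
    "Oct 18 10:23:36 charon: 10[IKE] <44> no shared key found for 'Server-ip'[Server-ip] - '%any'[Client-ip]",
    "Oct 18 10:23:36 charon: 10[IKE] <44> remote host is behind NAT",
    "Oct 18 10:23:36 charon: 10[CFG] <44> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048",
    "Oct 18 10:23:36 charon: 10[CFG] <44> no acceptable DIFFIE_HELLMAN_GROUP found",
    "Oct 18 10:23:36 charon: 10[IKE] <44> Client-ip is initiating a Main Mode IKE_SA",
]

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ charon: \d+\[\w+\] <(?P<sa>\d+)> (?P<msg>.*)$")

# (pattern, severity, operator note); the first FATAL event in time order becomes the verdict.
RULES = [
    (r"no shared key found", "FATAL", "PSK lookup failed for this peer identity; check the Pre-Shared Key entry (identifier/%any) before touching proposals"),
    (r"N\(INVAL_KE\)", "FATAL", "responder aborted phase 1 with an INVALID_KEY_INFORMATION notify"),
    (r"remote host is behind NAT", "INFO", "peer is behind NAT (NAT-T in use)"),
    (r"selected proposal: (?P<prop>IKE:\S+)", "OK", "phase 1 proposal agreed"),
    (r"no acceptable \w+ found", "NOISE", "one of several client proposals rejected; harmless once a proposal is selected"),
]

def parse(lines):
    """Parse charon lines and return (sa, msg) pairs oldest-first; non-matching lines are dropped."""
    hits = [LINE_RE.match(l.strip()) for l in lines]
    return [(m.group("sa"), m.group("msg")) for m in reversed(hits) if m]

def triage(lines):
    """Group classified events per IKE_SA and name the first fatal event as the cause."""
    report = {}
    for sa, msg in parse(lines):
        r = report.setdefault(sa, {"proposal": None, "events": [], "verdict": "no failure seen"})
        for pattern, sev, note in RULES:
            m = re.search(pattern, msg)
            if not m:
                continue
            if sev == "OK":
                r["proposal"] = m.group("prop")
            r["events"].append((sev, note))
            if sev == "FATAL" and r["verdict"] == "no failure seen":
                r["verdict"] = note  # earliest fatal event in time order wins
            break
    return report

if __name__ == "__main__":
    for sa, r in triage(SAMPLE_LOG).items():
        print(f"IKE_SA <{sa}> proposal={r['proposal']}\n  verdict: {r['verdict']}\n  events: {r['events']}")
```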



  • Greetings.

    Why ipsec?
    If both ends support openvpn, use it. It is more flexible and easier to configure and manage.



  • @werter It's not clear yet what the problem is ))) Only a fragment of the phase 1 log is visible,
    and the task the OP is facing is also not clear.

    P.S.
    For the OP:
    try setting it up by following this guide
    https://www.netgate.com/docs/pfsense/vpn/ipsec/l2tp-ipsec.html

    and pay attention to the text about Windows clients behind NAT. That may be your case.