I am trying to configure Debian Squeeze as an L2TP/IPSec VPN for Android devices, but without much success.
So far I have done the following:
Successfully configured Debian with IPSec via openswan. Because of a bug in Android 4 I can connect devices running Android 2.3, but not devices running Android 4 (see http://code.google.com/p/android/issues/detail?id=23124 )
After replacing openswan with racoon I got to the point where:
My configuration is as follows:
racoon.conf:
    path pre_shared_key "/etc/racoon/psk.txt";
    log info;
    listen {
        isakmp 172.31.251.122[500];
        isakmp_natt 172.31.251.122[4500];
    }
    timer {
        natt_keepalive 10sec;
    }
    remote anonymous {
        exchange_mode aggressive;
        my_identifier fqdn "mydomain.com.pl";
        doi ipsec_doi;
        generate_policy on;
        situation_identity_only;
        lifetime time 28800 sec;
        passive on;
        initial_contact off;
        nat_traversal on;
        proposal_check obey;
        proposal {
            encryption_algorithm aes;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group 2;
        }
        proposal {
            encryption_algorithm aes;
            hash_algorithm md5;
            authentication_method xauth_psk_server;
            dh_group 2;
        }
    }
    mode_cfg {
        auth_source system;
        network4 100.99.99.1;
        netmask4 255.255.255.0;
        pool_size 254;
        dns4 172.16.0.10;
        wins4 172.16.0.10;
        default_domain "mydomain.com.pl";
        split_network include 172.16.0.0/16;
        split_dns "mydomain.com.pl";
        save_passwd on;
        pfs_group 2;
    }
    sainfo anonymous {
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
    }
xl2tpd.conf:
    [global]
    ; Global parameters:
    port = 1701                         ; * Bind to port 1701
    auth file = /etc/ppp/chap-secrets   ; * Where our challenge secrets are
    access control = no                 ; * Refuse connections without IP match
    rand source = dev                   ; Source for entropy for random
    #debug avp = yes
    #debug network = yes
    debug state = yes
    debug tunnel = yes

    [lns default]
    ; Our fallthrough LNS definition
    exclusive = no                      ; * Only permit one tunnel per host
    ip range = 100.99.99.1-100.99.99.254
    local ip = 172.16.116.202
    require chap = yes
    refuse pap = yes
    require authentication = yes
    name = l2tp
    ppp debug = yes
    length bit = yes
    pppoptfile = /etc/ppp/xl2tpd-options
One important note: my Debian box is behind NAT, so the address 172.16.116.202 is the LAN address and 172.31.251.122 is the "public" address.
Any clues or suggestions?
– EDIT — @SmallClanger:
After turning on all debugging options in xl2tpd.conf I get the following log:
    Apr 22 12:22:07 l2tp racoon: INFO: respond new phase 1 negotiation: private_ip_of_my_server[500]<=>public_ip_of_adnroid_client[500]
    Apr 22 12:22:07 l2tp racoon: INFO: begin Aggressive mode.
    Apr 22 12:22:07 l2tp racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: RFC 3947
    Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
    Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Apr 22 12:22:07 l2tp racoon: INFO: received Vendor ID: DPD
    Apr 22 12:22:07 l2tp racoon: INFO: Selected NAT-T version: RFC 3947
    Apr 22 12:22:07 l2tp racoon: INFO: Adding remote and local NAT-D payloads.
    Apr 22 12:22:07 l2tp racoon: INFO: Hashing public_ip_of_adnroid_client[500] with algo #1
    Apr 22 12:22:07 l2tp racoon: INFO: Hashing private_ip_of_my_server[500] with algo #1
    Apr 22 12:22:07 l2tp racoon: INFO: NAT-T: ports changed to: public_ip_of_adnroid_client[4500]<->private_ip_of_my_server[4500]
    Apr 22 12:22:07 l2tp racoon: INFO: Hashing private_ip_of_my_server[4500] with algo #1
    Apr 22 12:22:07 l2tp racoon: INFO: NAT-D payload #0 doesn't match
    Apr 22 12:22:07 l2tp racoon: INFO: Hashing public_ip_of_adnroid_client[4500] with algo #1
    Apr 22 12:22:07 l2tp racoon: INFO: NAT-D payload #1 doesn't match
    Apr 22 12:22:07 l2tp racoon: INFO: NAT detected: ME PEER
    Apr 22 12:22:07 l2tp racoon: INFO: ISAKMP-SA established private_ip_of_my_server[4500]-public_ip_of_adnroid_client[4500] spi:2ea51a231acb960b:e21a79f71e04b7e2
    Apr 22 12:22:08 l2tp racoon: INFO: respond new phase 2 negotiation: private_ip_of_my_server[4500]<=>public_ip_of_adnroid_client[4500]
    Apr 22 12:22:08 l2tp racoon: INFO: no policy found, try to generate the policy : private_ip_of_adnroid_client/32[0] public_ip_of_my_server/32[1701] proto=udp dir=in
    Apr 22 12:22:08 l2tp racoon: INFO: Adjusting my encmode UDP-Transport->Transport
    Apr 22 12:22:08 l2tp racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
    Apr 22 12:22:08 l2tp racoon: INFO: IPsec-SA established: ESP/Transport public_ip_of_adnroid_client[4500]->private_ip_of_my_server[4500] spi=35407234(0x21c4582)
    Apr 22 12:22:08 l2tp racoon: INFO: IPsec-SA established: ESP/Transport private_ip_of_my_server[4500]->public_ip_of_adnroid_client[4500] spi=41649440(0x27b8520)
    Apr 22 12:22:08 l2tp racoon: ERROR: such policy does not already exist: "private_ip_of_adnroid_client/32[0] public_ip_of_my_server/32[1701] proto=udp dir=in"
    Apr 22 12:22:08 l2tp racoon: ERROR: such policy does not already exist: "public_ip_of_my_server/32[1701] private_ip_of_adnroid_client/32[0] proto=udp dir=out"
I have noticed the lines saying:
    ERROR: such policy does not already exist: "private_ip_of_adnroid_client/32[0] public_ip_of_my_server/32[1701] proto=udp dir=in"
    ERROR: such policy does not already exist: "public_ip_of_my_server/32[1701] private_ip_of_adnroid_client/32[0] proto=udp dir=out"
which clearly indicates that the SA policy is wrong (both the server and the client are behind NAT, and at the moment there is no way for me to change that on either side),
so I have made the appropriate changes to the /etc/ipsec-tools.conf file, as follows:
    spdadd public_ip_of_my_server[l2tp] 0.0.0.0/0 udp -P out ipsec esp/transport//require;
    spdadd 0.0.0.0/0 public_ip_of_my_server[l2tp] udp -P in ipsec esp/transport//require;
but it did not help.
PS: one more small question. My configuration requires the client to specify both the PSK username and the PSK key, but the PSK username (IPSec identifier) can only be specified on devices running Android 4; devices running Android 2.x do not have this option. I have tried replacing this value in racoon's psk.txt file with *****, but again without success. How can I specify the PSK key without forcing the client to use an IPSec identifier?
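As an added triage aid (not part of the question or of racoon itself), a small Python parser for racoon log lines of the kind quoted above: it pulls out the NAT detection result, the addresses the ISAKMP SA was negotiated on, and each phase-2 policy racoon reports as missing, and flags any missing policy whose local endpoint is not the address the ISAKMP SA was built on. The sample log is constructed from the question's placeholder lines.

```python
import re

# Constructed sample in the shape of the racoon lines quoted in the question
# (the question's own placeholder addresses are kept; this is not real traffic).
SAMPLE_LOG = """\
Apr 22 12:22:07 l2tp racoon: INFO: NAT-D payload #0 doesn't match
Apr 22 12:22:07 l2tp racoon: INFO: NAT detected: ME PEER
Apr 22 12:22:07 l2tp racoon: INFO: ISAKMP-SA established private_ip_of_my_server[4500]-public_ip_of_adnroid_client[4500] spi:2ea51a231acb960b:e21a79f71e04b7e2
Apr 22 12:22:08 l2tp racoon: ERROR: such policy does not already exist: "private_ip_of_adnroid_client/32[0] public_ip_of_my_server/32[1701] proto=udp dir=in"
Apr 22 12:22:08 l2tp racoon: ERROR: such policy does not already exist: "public_ip_of_my_server/32[1701] private_ip_of_adnroid_client/32[0] proto=udp dir=out"
"""

ISAKMP_RE = re.compile(r"ISAKMP-SA established (\S+)\[\d+\]-(\S+)\[\d+\]")
POLICY_RE = re.compile(
    r'such policy does not already exist: "(\S+)/\d+\[(\d+)\] (\S+)/\d+\[(\d+)\] '
    r'proto=(\w+) dir=(in|out)"'
)

def triage(log_text):
    """Summarise one negotiation: NAT status, ISAKMP endpoints, the phase-2
    policies racoon could not find, and findings where a failed policy's
    local address differs from the address the ISAKMP SA was negotiated on."""
    out = {"nat": None, "isakmp": None, "missing": [], "findings": []}
    for line in log_text.splitlines():
        if "NAT detected:" in line:
            out["nat"] = line.split("NAT detected:", 1)[1].split()
        m = ISAKMP_RE.search(line)
        if m:
            out["isakmp"] = {"local": m.group(1), "peer": m.group(2)}
        m = POLICY_RE.search(line)
        if m:
            src, sport, dst, dport, proto, direction = m.groups()
            # For dir=in the destination is our side; for dir=out the source is.
            local = dst if direction == "in" else src
            out["missing"].append({"src": src, "sport": int(sport), "dst": dst,
                                   "dport": int(dport), "proto": proto,
                                   "dir": direction, "local": local})
    if out["isakmp"]:
        for p in out["missing"]:
            if p["local"] != out["isakmp"]["local"]:
                out["findings"].append(
                    f"{p['dir']} policy names {p['local']} as the local endpoint, "
                    f"but the ISAKMP SA was built on {out['isakmp']['local']}; "
                    "the kernel SPD entry has to match the address the kernel sees")
    if out["nat"] and "ME" in out["nat"]:
        out["findings"].append("racoon detected NAT on its own side (ME)")
    return out

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

Feed it `journalctl`/syslog output filtered to racoon lines; the findings list is empty when every missing policy already names the negotiated local address.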