Servidor L2TP / IPsec simples não funciona (openswan, xl2tpd, Ubuntu, Windows)

5

Eu configurei o openswan e o xl2tpd em um servidor Ubuntu 12.04 (no EC2) seguindo vários tutoriais / documentação que parece dizer basicamente as mesmas coisas, mas mais recentemente este .

No entanto, minhas tentativas de conexão do Windows (que eu configurei com o segredo compartilhado e nome de usuário / senha) falham. Os logs sugerem que um túnel IPsec é estabelecido, mas nada acontece.

Aqui estão os dumps de pacotes e a atividade de log (nada ocorre no syslog, portanto, nenhuma mensagem de log do iptables):

$ sudo tcpdump -n host 64.236.139.254 and not port 22
21:00:49.843198 IP 64.236.139.254.26712 > 10.252.60.213.500: isakmp: phase 1 I ident
21:00:49.844815 IP 10.252.60.213.500 > 64.236.139.254.26712: isakmp: phase 1 R ident
21:00:49.928882 IP 64.236.139.254.26712 > 10.252.60.213.500: isakmp: phase 1 I ident
21:00:49.930819 IP 10.252.60.213.500 > 64.236.139.254.26712: isakmp: phase 1 R ident
21:00:49.972728 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 1 I ident[E]
21:00:49.973924 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 1 R ident[E]
21:00:50.000353 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:50.001429 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:00:50.030932 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:50.037256 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:50.055200 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:00:50.415676 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:50.415731 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
21:00:50.416605 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R inf[E]
21:00:53.055631 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:53.060694 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:00:53.088162 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:53.088180 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
21:00:53.088437 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R inf[E]
21:00:57.069750 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:57.070741 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:00:57.101194 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:00:57.101390 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
21:00:57.101817 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R inf[E]
21:01:05.087873 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:01:05.089292 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:01:05.117423 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:01:05.117815 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
21:01:05.118026 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R inf[E]
21:01:09.122471 IP 10.252.60.213.4500 > 64.236.139.254.26724: isakmp-nat-keep-alive
21:01:09.122664 IP 10.252.60.213.4500 > 64.236.139.254.26724: isakmp-nat-keep-alive
21:01:09.301582 IP 64.236.139.254.26724 > 10.252.60.213.4500: isakmp-nat-keep-alive
21:01:15.180248 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:01:15.181699 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:01:15.288574 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:01:15.288612 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
21:01:15.289452 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R inf[E]
21:01:25.229928 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
21:01:25.230090 IP 64.236.139.254.26724 > 10.252.60.213.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
21:01:25.233650 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R inf[E]
21:01:25.251769 IP 10.252.60.213.4500 > 64.236.139.254.26724: NONESP-encap: isakmp: phase 2/others R inf[E]

$ tail -fn0 /var/log/syslog
Feb  6 21:00:30 ip-10-252-60-213 kernel: [11977313.441315] device eth0 entered promiscuous mode

$ tail -fn0 /var/log/auth.log
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: received Vendor ID payload [RFC 3947] method set to=109
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: ignoring Vendor ID payload [FRAGMENTATION]
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: ignoring Vendor ID payload [Vid-Initial-Contact]
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26712: ignoring Vendor ID payload [IKE CGA version 1]
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: responding to Main Mode from unknown peer 64.236.139.254
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: STATE_MAIN_R1: sent MR1, expecting MI2
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: STATE_MAIN_R2: sent MR2, expecting MI3
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: Main mode peer ID is ID_IPV4_ADDR: '10.0.2.15'
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[15] 64.236.139.254 #50: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: deleting connection "L2TP-PSK-NAT" instance with peer 64.236.139.254 {isakmp=#0/ipsec=#0}
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: new NAT mapping for #50, was 64.236.139.254:26712, now 64.236.139.254:26724
Feb  6 21:00:49 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: the peer proposed: 54.245.182.129/32:17/1701 -> 10.0.2.15/32:17/0
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #51: responding to Quick Mode proposal {msgid:01000000}
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #51:     us: 10.252.60.213<10.252.60.213>[+S=C]:17/1701
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #51:   them: 64.236.139.254[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #51: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #51: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #51: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #51: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xed4ff6b8 <0x9232de04 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=64.236.139.254:26724 DPD=none}
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: the peer proposed: 54.245.182.129/32:17/1701 -> 10.0.2.15/32:17/1701
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52: responding to Quick Mode proposal {msgid:02000000}
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52:     us: 10.252.60.213<10.252.60.213>[+S=C]:17/1701
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52:   them: 64.236.139.254[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52: keeping refhim=4294901761 during rekey
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #52: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xb245cb36 <0x76292945 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=64.236.139.254:26724 DPD=none}
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received Delete SA(0xed4ff6b8) payload: deleting IPSEC State #51
Feb  6 21:00:50 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received and ignored informational message
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: the peer proposed: 54.245.182.129/32:17/1701 -> 10.0.2.15/32:17/1701
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53: responding to Quick Mode proposal {msgid:03000000}
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53:     us: 10.252.60.213<10.252.60.213>[+S=C]:17/1701
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53:   them: 64.236.139.254[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53: keeping refhim=4294901761 during rekey
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #53: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xb6953c9c <0x3331cb4f xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=64.236.139.254:26724 DPD=none}
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received Delete SA(0xb245cb36) payload: deleting IPSEC State #52
Feb  6 21:00:53 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received and ignored informational message
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: the peer proposed: 54.245.182.129/32:17/1701 -> 10.0.2.15/32:17/1701
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54: responding to Quick Mode proposal {msgid:04000000}
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54:     us: 10.252.60.213<10.252.60.213>[+S=C]:17/1701
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54:   them: 64.236.139.254[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54: keeping refhim=4294901761 during rekey
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #54: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x2ca92f36 <0x86256756 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=64.236.139.254:26724 DPD=none}
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received Delete SA(0xb6953c9c) payload: deleting IPSEC State #53
Feb  6 21:00:57 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received and ignored informational message
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: the peer proposed: 54.245.182.129/32:17/1701 -> 10.0.2.15/32:17/1701
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55: responding to Quick Mode proposal {msgid:05000000}
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55:     us: 10.252.60.213<10.252.60.213>[+S=C]:17/1701
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55:   them: 64.236.139.254[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55: keeping refhim=4294901761 during rekey
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #55: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x8df1a782 <0x61eed691 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=64.236.139.254:26724 DPD=none}
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received Delete SA(0x2ca92f36) payload: deleting IPSEC State #54
Feb  6 21:01:05 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received and ignored informational message
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: the peer proposed: 54.245.182.129/32:17/1701 -> 10.0.2.15/32:17/1701
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56: responding to Quick Mode proposal {msgid:06000000}
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56:     us: 10.252.60.213<10.252.60.213>[+S=C]:17/1701
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56:   them: 64.236.139.254[10.0.2.15,+S=C]:17/1701===10.0.2.15/32
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56: keeping refhim=4294901761 during rekey
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #56: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x021d5dde <0xc9c31f90 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=64.236.139.254:26724 DPD=none}
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received Delete SA(0x8df1a782) payload: deleting IPSEC State #55
Feb  6 21:01:15 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received and ignored informational message
Feb  6 21:01:25 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received Delete SA(0x021d5dde) payload: deleting IPSEC State #56
Feb  6 21:01:25 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Feb  6 21:01:25 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received and ignored informational message
Feb  6 21:01:25 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254 #50: received Delete SA payload: deleting ISAKMP State #50
Feb  6 21:01:25 ip-10-252-60-213 pluto[1464]: "L2TP-PSK-NAT"[16] 64.236.139.254: deleting connection "L2TP-PSK-NAT" instance with peer 64.236.139.254 {isakmp=#0/ipsec=#0}
Feb  6 21:01:25 ip-10-252-60-213 pluto[1464]: packet from 64.236.139.254:26724: received and ignored informational message

Nada parece acontecer depois disso e o Windows desiste.

Aqui estão os pacotes que vejo no lado do cliente - vejo exatamente os mesmos pacotes, então nada é filtrado:

$ sudo tcpdump -i wlan3 -n host $ip and not port 22
12:59:16.170388 IP 10.66.230.208.53383 > 54.245.182.129.500: isakmp: phase 1 I ident
12:59:16.197972 IP 54.245.182.129.500 > 10.66.230.208.53383: isakmp: phase 1 R ident
12:59:16.255396 IP 10.66.230.208.53383 > 54.245.182.129.500: isakmp: phase 1 I ident
12:59:16.282917 IP 54.245.182.129.500 > 10.66.230.208.53383: isakmp: phase 1 R ident
12:59:16.299043 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 1 I ident[E]
12:59:16.326840 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 1 R ident[E]
12:59:16.328144 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:16.357804 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
12:59:16.358888 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:16.362385 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:16.741818 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
12:59:16.743117 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:16.743396 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
12:59:16.769431 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R inf[E]
12:59:19.383010 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:19.414362 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
12:59:19.415559 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
...
12:59:31.441952 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
12:59:31.443878 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:31.444124 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
12:59:31.476359 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R inf[E]
12:59:35.499825 IP 54.245.182.129.4500 > 10.66.230.208.53200: isakmp-nat-keep-alive
12:59:35.500068 IP 54.245.182.129.4500 > 10.66.230.208.53200: isakmp-nat-keep-alive
12:59:35.629175 IP 10.66.230.208.53200 > 54.245.182.129.4500: isakmp-nat-keep-alive
12:59:41.429705 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:41.534606 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R oakley-quick[E].537423 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:59:41.537675 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
12:59:41.642367 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R inf[E]
12:59:51.482628 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
12:59:51.482836 IP 10.66.230.208.53200 > 54.245.182.129.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
12:59:51.587334 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R inf[E]
12:59:51.604347 IP 54.245.182.129.4500 > 10.66.230.208.53200: NONESP-encap: isakmp: phase 2/others R inf[E]

Aqui está o estado das coisas:

+ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.2.0-37-virtual (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

+ ifconfig
eth0      Link encap:Ethernet  HWaddr 22:00:0a:fc:3c:d5
          inet addr:10.252.60.213  Bcast:10.252.60.255  Mask:255.255.255.192
          inet6 addr: fe80::2000:aff:fefc:3cd5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4803 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3147 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:376849 (376.8 KB)  TX bytes:628809 (628.8 KB)
          Interrupt:25

eth0:0    Link encap:Ethernet  HWaddr 22:00:0a:fc:3c:d5
          inet addr:172.22.1.1  Bcast:172.22.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:25

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

+ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             LOG level warning prefix "blah blah: "

+ sudo egrep -v '^[[:space:]]*(#|$)' /etc/ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:172.16.0.0/12
        oe=off
        protostack=auto
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=10.252.60.213
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    forceencaps=yes

+ sudo cat /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

+ sudo cat /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/conf/*/{accept,send}_redirects
1
0
0
0
0
0
0
0

==> /proc/sys/net/ipv4/conf/lo/send_redirects <==
0

+ grep -v '^;' /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes
debug tunnel = yes

[lns default]
ip range = 172.22.1.2-172.22.1.99
local ip = 172.22.1.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

+ sudo cat /etc/ipsec.secrets
include /var/lib/openswan/ipsec.secrets.inc
10.252.60.213 %any: PSK "MYSHAREDSECRET"

+ sudo cat /etc/ppp/chap-secrets 
# client        server  secret                  IP addresses
yang l2tpd MYPASSWORD *
    
por Yang 02.02.2013 / 02:57

3 respostas

7

Bem, isso foi terrível.

Encontrei a solução no último lugar que eu teria procurado: o cliente. O Windows não suporta IPsec NAT-T por padrão, que é usado sempre que o servidor estiver atrás de um NAT (como neste caso). É necessário adicionar uma chave de registro para ativar isso - consulte o link (ainda se aplica ao Windows 8). Então tudo simplesmente funciona.

Como eu o encontrei: este post , que por minha vez encontrei como o segundo hit de Googling por openswan ipsec STATE_QUICK_R2: IPsec SA established transport mode ESP/NAT .

    
por 07.02.2013 / 00:33
1

No ipsec.conf, à esquerda não precisa ser o seu IP público, mas qualquer IP que seu servidor veja, então 10.252.194.250 neste caso. Dessa forma, ele pode "corresponder" a uma conexão do lado esquerdo / direito. Onde left = you e right =% any.

    
por 05.02.2013 / 07:12
1

Eu tive um problema semelhante.

Meu servidor não é NAT, então essa peça não é necessária, então removida:

conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT

E quando isso for feito, o NAT Traversel deve estar definido como sim.

nat_traversal=yes
    
por 05.11.2016 / 00:00