L2TP and IPSec (OpenSwan) on CentOS times out when connecting


I'm having trouble setting up a very simple VPN. Using CentOS 6.

My server address: 61.34.26.32 (fictitious)

Whenever I try to connect (from an iPhone 5 or Mac OS X), I get a connection timeout.

I haven't tried it on Windows yet, but it has to work at least on the Mac for my needs.

I'm pulling my hair out! It's been more than 4 hours already; I must be missing something really obvious here, but I can't figure out what.

This is my error log:

Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [RFC 3947] method set to=109 
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jan 21 16:15:25 isis pluto[9793]: packet from 178.197.232.17:229: received Vendor ID payload [Dead Peer Detection]
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: responding to Main Mode from unknown peer 178.197.232.17
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: Main mode peer ID is ID_IPV4_ADDR: '10.131.32.219'
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[17] 178.197.232.17 #19: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: deleting connection "L2TP-PSK-NAT" instance with peer 178.197.232.17 {isakmp=#0/ipsec=#0}
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: new NAT mapping for #19, was 178.197.232.17:229, now 178.197.232.17:24818
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: the peer proposed: 61.34.26.32/32:17/1701 -> 10.131.32.219/32:17/0
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: responding to Quick Mode proposal {msgid:fcf22de5}
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20:     us: 61.34.26.32<61.34.26.32>[+S=C]:17/1701
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20:   them: 178.197.232.17[10.131.32.219,+S=C]:17/54977===10.131.32.219/32
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x020bc811 <0x4fd90791 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=178.197.232.17:24818 DPD=none}
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received Delete SA(0x020bc811) payload: deleting IPSEC State #20
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received and ignored informational message
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received Delete SA payload: deleting ISAKMP State #19
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17: deleting connection "L2TP-PSK-NAT" instance with peer 178.197.232.17 {isakmp=#0/ipsec=#0}
Jan 21 16:15:46 isis pluto[9793]: packet from 178.197.232.17:24818: received and ignored informational message

ipsec.conf:

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=61.34.26.32        
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [420453:322899972]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A INPUT -j LOG --log-prefix REJECTEDINPUT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
-A FORWARD -j LOG --log-prefix REJECTEDFORWARD
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -p udp --sport 500 -j ACCEPT
-A OUTPUT -p udp --sport 4500 -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [180037:54564759]
:POSTROUTING ACCEPT [149:12428]
:OUTPUT ACCEPT [12263:921919]
-I POSTROUTING 1 -p 50 -j ACCEPT
-A POSTROUTING -o eth0 -d ! 10.1.2.0/24 -j MASQUERADE
COMMIT

and finally xl2tpd.conf

[global]
ipsec saref = yes
listen-addr = 61.34.26.32
[lns default]
ip range = 10.1.2.2-10.1.2.254   
local ip = 10.1.2.1   
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
by Disco 21.01.2013 / 16:21

0 answers
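As an added example (not part of the question, and not Openswan's own tooling), a small triage script for pluto logs of the kind shown above: it reconstructs each peer's IKE phases and flags sessions where the IPsec SA is established and then deleted by the peer shortly afterwards, the pattern that points at the L2TP layer (UDP 1701, xl2tpd, PPP) rather than at IKE or the PSK. The 60-second threshold is an assumption; the embedded lines are an excerpt of the poster's log.

```python
"""Triage Openswan pluto logs for L2TP/IPsec sessions that die right after
the IPsec SA comes up; such sessions indicate an L2TP-layer fault, not IKE."""
import re
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)(?: #\d+)?: (?P<msg>.*)$')

# Excerpt of the poster's log: phase 1 and 2 succeed, peer deletes 20 s later.
SAMPLE_LOG = """\
Jan 21 16:15:25 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 21 16:15:26 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #20: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x020bc811 <0x4fd90791 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=178.197.232.17:24818 DPD=none}
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received Delete SA(0x020bc811) payload: deleting IPSEC State #20
Jan 21 16:15:46 isis pluto[9793]: "L2TP-PSK-NAT"[18] 178.197.232.17 #19: received Delete SA payload: deleting ISAKMP State #19
"""

def parse_ts(ts):
    # syslog timestamps carry no year; only differences are needed here
    return datetime.strptime(' '.join(ts.split()), '%b %d %H:%M:%S')

def triage(log_text, max_lifetime=60):
    """Return {peer_ip: {'isakmp', 'ipsec', 'deleted', 'diagnosis'}}."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'packet from ...' lines have no connection context
        p = peers.setdefault(m['peer'],
                             {'isakmp': None, 'ipsec': None, 'deleted': None})
        msg, t = m['msg'], parse_ts(m['ts'])
        if 'ISAKMP SA established' in msg:
            p['isakmp'] = t
        elif 'IPsec SA established' in msg:
            p['ipsec'] = t
        elif 'deleting IPSEC State' in msg and p['deleted'] is None:
            p['deleted'] = t
    for p in peers.values():
        if p['isakmp'] is None:
            p['diagnosis'] = 'phase 1 never completed: check PSK, NAT-T, UDP 500/4500'
        elif p['ipsec'] is None:
            p['diagnosis'] = 'phase 2 never completed: check protoport/type=transport'
        elif p['deleted'] and (p['deleted'] - p['ipsec']).total_seconds() <= max_lifetime:
            secs = int((p['deleted'] - p['ipsec']).total_seconds())
            p['diagnosis'] = (f'IPsec up but peer deleted it after {secs}s: '
                              'L2TP layer (UDP 1701/xl2tpd/PPP) likely failing, not IKE')
        else:
            p['diagnosis'] = 'IPsec SA stayed up'
    return peers
```

Run it over `/var/log/secure` (or wherever pluto logs on the box) instead of `SAMPLE_LOG` to get one verdict per connecting peer.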