Почему возникает ошибка 789? Доброго времени суток.
Не могу понять почему не работает xl2tpd + openswan...
Есть 2 системы (оба сервера на debian 9.5), одну настраивал давно и она работает, а теперь купил vps вне россии, делаю всё по той же инструкции, но ничего не работает.
До проверки логина\пароля не доходит и вылетает ошибка 789.
Помогите разобраться.
my_ext_ip - это мой внешний IP сервера
файлы конфигураций:/etc/ipsec.confconfig setup
nat_traversal = yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
nhelpers=0
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
dpddelay=30
dpdtimeout=120
dpdaction=clear
ikelifetime=8h
keylife=1h
type=transport
left=my_ext_ip
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
forceencaps=yes/etc/ipsec.secretmy_ext_ip %any: PSK "my_pass"/etc/sysctl.confnet.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.ens3.send_redirects = 0
net.ipv4.conf.ens3.accept_redirects = 0/etc/xl2tpd/xl2tpd.conf[global]
listen-addr = my_ext_ip
port = 1701
ipsec saref = no
debug tunnel = yes
debug avp = yes
debug packet = yes
debug network = yes
debug state = yes
auth file = /etc/ppp/chap-secrets
;
[lns default]
ip range = 172.16.254.1-172.16.254.253 ; Диапазон IP-адресов, которые выдаются подключающимся клиентам
local ip = 172.16.254.254 ; Локальный IP-адрес сервера для VPN-клиентов
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
name = VPN
assign ip = yes/etc/ppp/chap-secrets.confwebporoh VPN my_pass *
test VPN testtest */etc/ppp/options.xl2tpdrequire-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
debug
name VPN
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4grep pluto /var/log/auth.logroot@he3apa3a:~# grep pluto /var/log/auth.log
Sep 26 08:53:42 he3apa3a ipsec__plutorun: Starting Pluto subsystem...
Sep 26 08:53:42 he3apa3a pluto[20631]: Starting Pluto (Openswan Version 2.6.50.1; Vendor ID OSWI~E[im}hv) pid:20631
Sep 26 08:53:42 he3apa3a pluto[20631]: LEAK_DETECTIVE support [disabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: OCF support for IKE [disabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: SAref support [disabled]: Protocol not available
Sep 26 08:53:42 he3apa3a pluto[20631]: SAbind support [disabled]: Protocol not available
Sep 26 08:53:42 he3apa3a pluto[20631]: NSS support [disabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: HAVE_STATSD notification support not compiled in
Sep 26 08:53:42 he3apa3a pluto[20631]: Setting NAT-Traversal port-4500 floating to on
Sep 26 08:53:42 he3apa3a pluto[20631]: port floating activation criteria nat_t=1/port_float=1
Sep 26 08:53:42 he3apa3a pluto[20631]: NAT-Traversal support [enabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: using /dev/urandom as source of random entropy
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: no helpers will be started, all cryptographic operations will be done inline
Sep 26 08:53:42 he3apa3a pluto[20631]: Using Linux XFRM/NETKEY IPsec interface code on 4.9.0-6-amd64
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: adding connection: "L2TP-PSK-NAT"
Sep 26 08:53:42 he3apa3a pluto[20631]: adding connection: "L2TP-PSK-noNAT"
Sep 26 08:53:42 he3apa3a pluto[20631]: listening for IKE messages
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface ens3/ens3 my_ext_ip:500 (AF_INET)
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface ens3/ens3 my_ext_ip:4500
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface lo/lo 127.0.0.1:500 (AF_INET)
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface lo/lo 127.0.0.1:4500
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface lo/lo ::1:500 (AF_INET6)
Sep 26 08:53:42 he3apa3a pluto[20631]: loading secrets from "/etc/ipsec.secrets"
Sep 26 09:52:47 he3apa3a ipsec__plutorun: Starting Pluto subsystem...
Sep 26 09:52:47 he3apa3a pluto[3983]: Starting Pluto (Openswan Version 2.6.50.1; Vendor ID OSWI~E[im}hv) pid:3983
Sep 26 09:52:47 he3apa3a pluto[3983]: LEAK_DETECTIVE support [disabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: OCF support for IKE [disabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: SAref support [disabled]: Protocol not available
Sep 26 09:52:47 he3apa3a pluto[3983]: SAbind support [disabled]: Protocol not available
Sep 26 09:52:47 he3apa3a pluto[3983]: NSS support [disabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: HAVE_STATSD notification support not compiled in
Sep 26 09:52:47 he3apa3a pluto[3983]: Setting NAT-Traversal port-4500 floating to on
Sep 26 09:52:47 he3apa3a pluto[3983]: port floating activation criteria nat_t=1/port_float=1
Sep 26 09:52:47 he3apa3a pluto[3983]: NAT-Traversal support [enabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: using /dev/urandom as source of random entropy
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: no helpers will be started, all cryptographic operations will be done inline
Sep 26 09:52:47 he3apa3a pluto[3983]: Using Linux XFRM/NETKEY IPsec interface code on 4.9.0-8-amd64
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: adding connection: "L2TP-PSK-NAT"
Sep 26 09:52:47 he3apa3a pluto[3983]: adding connection: "L2TP-PSK-noNAT"
Sep 26 09:52:47 he3apa3a pluto[3983]: listening for IKE messages
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface ens3/ens3 my_ext_ip:500 (AF_INET)
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface ens3/ens3 my_ext_ip:4500
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface lo/lo 127.0.0.1:500 (AF_INET)
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface lo/lo 127.0.0.1:4500
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface lo/lo ::1:500 (AF_INET6)
Sep 26 09:52:47 he3apa3a pluto[3983]: loading secrets from "/etc/ipsec.secrets"
Все настройки на обоих серверах идентичны, но к одному подключаюсь за считанные секунды, а к этому не могу никак подключиться...
Подскажите куда копать...
Почему возникает ошибка 789? Доброго времени суток.
Не могу понять почему не работает xl2tpd + openswan...
Есть 2 системы (оба сервера на debian 9.5), одну настраивал давно и она работает, а теперь купил vps вне россии, делаю всё по той же инструкции, но ничего не работает.
До проверки логина\пароля не доходит и вылетает ошибка 789.
Помогите разобраться.
my_ext_ip - это мой внешний IP сервера
файлы конфигураций:/etc/ipsec.confconfig setup
nat_traversal = yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
nhelpers=0
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
dpddelay=30
dpdtimeout=120
dpdaction=clear
ikelifetime=8h
keylife=1h
type=transport
left=my_ext_ip
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
forceencaps=yes/etc/ipsec.secretmy_ext_ip %any: PSK "my_pass"/etc/sysctl.confnet.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.ens3.send_redirects = 0
net.ipv4.conf.ens3.accept_redirects = 0/etc/xl2tpd/xl2tpd.conf[global]
listen-addr = my_ext_ip
port = 1701
ipsec saref = no
debug tunnel = yes
debug avp = yes
debug packet = yes
debug network = yes
debug state = yes
auth file = /etc/ppp/chap-secrets
;
[lns default]
ip range = 172.16.254.1-172.16.254.253 ; Диапазон IP-адресов, которые выдаются подключающимся клиентам
local ip = 172.16.254.254 ; Локальный IP-адрес сервера для VPN-клиентов
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
name = VPN
assign ip = yes/etc/ppp/chap-secrets.confwebporoh VPN my_pass *
test VPN testtest */etc/ppp/options.xl2tpdrequire-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
debug
name VPN
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4grep pluto /var/log/auth.logroot@he3apa3a:~# grep pluto /var/log/auth.log
Sep 26 08:53:42 he3apa3a ipsec__plutorun: Starting Pluto subsystem...
Sep 26 08:53:42 he3apa3a pluto[20631]: Starting Pluto (Openswan Version 2.6.50.1; Vendor ID OSWI~E[im}hv) pid:20631
Sep 26 08:53:42 he3apa3a pluto[20631]: LEAK_DETECTIVE support [disabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: OCF support for IKE [disabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: SAref support [disabled]: Protocol not available
Sep 26 08:53:42 he3apa3a pluto[20631]: SAbind support [disabled]: Protocol not available
Sep 26 08:53:42 he3apa3a pluto[20631]: NSS support [disabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: HAVE_STATSD notification support not compiled in
Sep 26 08:53:42 he3apa3a pluto[20631]: Setting NAT-Traversal port-4500 floating to on
Sep 26 08:53:42 he3apa3a pluto[20631]: port floating activation criteria nat_t=1/port_float=1
Sep 26 08:53:42 he3apa3a pluto[20631]: NAT-Traversal support [enabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: using /dev/urandom as source of random entropy
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: no helpers will be started, all cryptographic operations will be done inline
Sep 26 08:53:42 he3apa3a pluto[20631]: Using Linux XFRM/NETKEY IPsec interface code on 4.9.0-6-amd64
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: adding connection: "L2TP-PSK-NAT"
Sep 26 08:53:42 he3apa3a pluto[20631]: adding connection: "L2TP-PSK-noNAT"
Sep 26 08:53:42 he3apa3a pluto[20631]: listening for IKE messages
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface ens3/ens3 my_ext_ip:500 (AF_INET)
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface ens3/ens3 my_ext_ip:4500
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface lo/lo 127.0.0.1:500 (AF_INET)
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface lo/lo 127.0.0.1:4500
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface lo/lo ::1:500 (AF_INET6)
Sep 26 08:53:42 he3apa3a pluto[20631]: loading secrets from "/etc/ipsec.secrets"
Sep 26 09:52:47 he3apa3a ipsec__plutorun: Starting Pluto subsystem...
Sep 26 09:52:47 he3apa3a pluto[3983]: Starting Pluto (Openswan Version 2.6.50.1; Vendor ID OSWI~E[im}hv) pid:3983
Sep 26 09:52:47 he3apa3a pluto[3983]: LEAK_DETECTIVE support [disabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: OCF support for IKE [disabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: SAref support [disabled]: Protocol not available
Sep 26 09:52:47 he3apa3a pluto[3983]: SAbind support [disabled]: Protocol not available
Sep 26 09:52:47 he3apa3a pluto[3983]: NSS support [disabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: HAVE_STATSD notification support not compiled in
Sep 26 09:52:47 he3apa3a pluto[3983]: Setting NAT-Traversal port-4500 floating to on
Sep 26 09:52:47 he3apa3a pluto[3983]: port floating activation criteria nat_t=1/port_float=1
Sep 26 09:52:47 he3apa3a pluto[3983]: NAT-Traversal support [enabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: using /dev/urandom as source of random entropy
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: no helpers will be started, all cryptographic operations will be done inline
Sep 26 09:52:47 he3apa3a pluto[3983]: Using Linux XFRM/NETKEY IPsec interface code on 4.9.0-8-amd64
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: adding connection: "L2TP-PSK-NAT"
Sep 26 09:52:47 he3apa3a pluto[3983]: adding connection: "L2TP-PSK-noNAT"
Sep 26 09:52:47 he3apa3a pluto[3983]: listening for IKE messages
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface ens3/ens3 my_ext_ip:500 (AF_INET)
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface ens3/ens3 my_ext_ip:4500
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface lo/lo 127.0.0.1:500 (AF_INET)
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface lo/lo 127.0.0.1:4500
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface lo/lo ::1:500 (AF_INET6)
Sep 26 09:52:47 he3apa3a pluto[3983]: loading secrets from "/etc/ipsec.secrets"
Все настройки на обоих серверах идентичны, но к одному подключаюсь за считанные секунды, а к этому не могу никак подключиться...
Подскажите куда копать...
Не могу понять почему не работает xl2tpd + openswan...
Есть 2 системы (оба сервера на debian 9.5), одну настраивал давно и она работает, а теперь купил vps вне россии, делаю всё по той же инструкции, но ничего не работает.
До проверки логина\пароля не доходит и вылетает ошибка 789.
Помогите разобраться.
my_ext_ip - это мой внешний IP сервера
файлы конфигураций:/etc/ipsec.confconfig setup
nat_traversal = yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
nhelpers=0
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
dpddelay=30
dpdtimeout=120
dpdaction=clear
ikelifetime=8h
keylife=1h
type=transport
left=my_ext_ip
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
forceencaps=yes/etc/ipsec.secretmy_ext_ip %any: PSK "my_pass"/etc/sysctl.confnet.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.ens3.send_redirects = 0
net.ipv4.conf.ens3.accept_redirects = 0/etc/xl2tpd/xl2tpd.conf[global]
listen-addr = my_ext_ip
port = 1701
ipsec saref = no
debug tunnel = yes
debug avp = yes
debug packet = yes
debug network = yes
debug state = yes
auth file = /etc/ppp/chap-secrets
;
[lns default]
ip range = 172.16.254.1-172.16.254.253 ; Диапазон IP-адресов, которые выдаются подключающимся клиентам
local ip = 172.16.254.254 ; Локальный IP-адрес сервера для VPN-клиентов
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
name = VPN
assign ip = yes/etc/ppp/chap-secrets.confwebporoh VPN my_pass *
test VPN testtest */etc/ppp/options.xl2tpdrequire-mschap-v2
refuse-mschap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
debug
name VPN
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4grep pluto /var/log/auth.logroot@he3apa3a:~# grep pluto /var/log/auth.log
Sep 26 08:53:42 he3apa3a ipsec__plutorun: Starting Pluto subsystem...
Sep 26 08:53:42 he3apa3a pluto[20631]: Starting Pluto (Openswan Version 2.6.50.1; Vendor ID OSWI~E[im}hv) pid:20631
Sep 26 08:53:42 he3apa3a pluto[20631]: LEAK_DETECTIVE support [disabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: OCF support for IKE [disabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: SAref support [disabled]: Protocol not available
Sep 26 08:53:42 he3apa3a pluto[20631]: SAbind support [disabled]: Protocol not available
Sep 26 08:53:42 he3apa3a pluto[20631]: NSS support [disabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: HAVE_STATSD notification support not compiled in
Sep 26 08:53:42 he3apa3a pluto[20631]: Setting NAT-Traversal port-4500 floating to on
Sep 26 08:53:42 he3apa3a pluto[20631]: port floating activation criteria nat_t=1/port_float=1
Sep 26 08:53:42 he3apa3a pluto[20631]: NAT-Traversal support [enabled]
Sep 26 08:53:42 he3apa3a pluto[20631]: using /dev/urandom as source of random entropy
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: no helpers will be started, all cryptographic operations will be done inline
Sep 26 08:53:42 he3apa3a pluto[20631]: Using Linux XFRM/NETKEY IPsec interface code on 4.9.0-6-amd64
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Sep 26 08:53:42 he3apa3a pluto[20631]: adding connection: "L2TP-PSK-NAT"
Sep 26 08:53:42 he3apa3a pluto[20631]: adding connection: "L2TP-PSK-noNAT"
Sep 26 08:53:42 he3apa3a pluto[20631]: listening for IKE messages
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface ens3/ens3 my_ext_ip:500 (AF_INET)
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface ens3/ens3 my_ext_ip:4500
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface lo/lo 127.0.0.1:500 (AF_INET)
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface lo/lo 127.0.0.1:4500
Sep 26 08:53:42 he3apa3a pluto[20631]: adding interface lo/lo ::1:500 (AF_INET6)
Sep 26 08:53:42 he3apa3a pluto[20631]: loading secrets from "/etc/ipsec.secrets"
Sep 26 09:52:47 he3apa3a ipsec__plutorun: Starting Pluto subsystem...
Sep 26 09:52:47 he3apa3a pluto[3983]: Starting Pluto (Openswan Version 2.6.50.1; Vendor ID OSWI~E[im}hv) pid:3983
Sep 26 09:52:47 he3apa3a pluto[3983]: LEAK_DETECTIVE support [disabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: OCF support for IKE [disabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: SAref support [disabled]: Protocol not available
Sep 26 09:52:47 he3apa3a pluto[3983]: SAbind support [disabled]: Protocol not available
Sep 26 09:52:47 he3apa3a pluto[3983]: NSS support [disabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: HAVE_STATSD notification support not compiled in
Sep 26 09:52:47 he3apa3a pluto[3983]: Setting NAT-Traversal port-4500 floating to on
Sep 26 09:52:47 he3apa3a pluto[3983]: port floating activation criteria nat_t=1/port_float=1
Sep 26 09:52:47 he3apa3a pluto[3983]: NAT-Traversal support [enabled]
Sep 26 09:52:47 he3apa3a pluto[3983]: using /dev/urandom as source of random entropy
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: no helpers will be started, all cryptographic operations will be done inline
Sep 26 09:52:47 he3apa3a pluto[3983]: Using Linux XFRM/NETKEY IPsec interface code on 4.9.0-8-amd64
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 09:52:47 he3apa3a pluto[3983]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Sep 26 09:52:47 he3apa3a pluto[3983]: adding connection: "L2TP-PSK-NAT"
Sep 26 09:52:47 he3apa3a pluto[3983]: adding connection: "L2TP-PSK-noNAT"
Sep 26 09:52:47 he3apa3a pluto[3983]: listening for IKE messages
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface ens3/ens3 my_ext_ip:500 (AF_INET)
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface ens3/ens3 my_ext_ip:4500
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface lo/lo 127.0.0.1:500 (AF_INET)
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface lo/lo 127.0.0.1:4500
Sep 26 09:52:47 he3apa3a pluto[3983]: adding interface lo/lo ::1:500 (AF_INET6)
Sep 26 09:52:47 he3apa3a pluto[3983]: loading secrets from "/etc/ipsec.secrets"
Все настройки на обоих серверах идентичны, но к одному подключаюсь за считанные секунды, а к этому не могу никак подключиться...
Подскажите куда копать...
Не можешь разобраться в этой теме?
Обратись за помощью к экспертам
Гарантированные бесплатные доработки
Быстрое выполнение от 2 часов
Проверка работы на плагиат
Интересные статьи из справочника
Поможем написать учебную работу
Отвечай на вопросы, зарабатывай баллы и трать их на призы.
Подробнее
Подробнее
Ошибка 789 может возникать из-за неправильной конфигурации VPN сервера. В вашем случае, по логам видно, что у вас есть проблемы с конфигурацией алгоритмов шифрования.
В логах видно следующее сообщение:
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Sep 26 08:53:42 he3apa3a pluto[20631]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Это может указывать на проблемы с алгоритмами шифрования AES. Попробуйте проверить и обновить конфигурацию, чтобы использовать правильные алгоритмы. Также убедитесь, что ваш клиент поддерживает выбранные алгоритмы.
Также у вас может возникать проблема с NAT-T (NAT Traversal), проверьте его настройки в вашем конфигурационном файле и убедитесь, что используемые порты (4500 UDP) не блокируются вашим интернет провайдером или брандмауэром.
Если после проверки вышеупомянутых моментов проблема не решится, попробуйте изучить логи более подробно и обратиться к документации для дополнительной помощи.