strongSwan + xl2tpd VPNサーバー:いくつかの構成ファイルを構成する方法は?
Ubuntuサーバー16.04でstrongSwanとxl2tpdを使用してVPNサーバーをセットアップしました。設定後、iPadから接続を試みましたが、次のエラーが発生しました。
Mar 26 02:22:13 myname-ubuntu-server charon: 01[NET] received packet: from 61.205.5.249[44919] to 192.168.193.3[500] (788 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 01[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received NAT-T (RFC 3947) vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received FRAGMENTATION vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received DPD vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] 61.205.5.249 is initiating a Main Mode IKE_SA
Mar 26 02:22:13 myname-ubuntu-server charon: 01[ENC] generating ID_PROT response 0 [ SA V V V ]
Mar 26 02:22:13 myname-ubuntu-server charon: 01[NET] sending packet: from 192.168.193.3[500] to 61.205.5.249[44919] (136 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 10[NET] received packet: from 61.205.5.249[44919] to 192.168.193.3[500] (380 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 26 02:22:13 myname-ubuntu-server charon: 10[IKE] local Host is behind NAT, sending keep alives
Mar 26 02:22:13 myname-ubuntu-server charon: 10[IKE] remote Host is behind NAT
Mar 26 02:22:13 myname-ubuntu-server charon: 10[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 26 02:22:13 myname-ubuntu-server charon: 10[NET] sending packet: from 192.168.193.3[500] to 61.205.5.249[44919] (396 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 06[NET] received packet: from 61.205.5.249[4500] to 192.168.193.3[4500] (108 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 06[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[CFG] looking for pre-shared key peer configs matching 192.168.193.3...61.205.5.249[100.75.130.131]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[IKE] found 1 matching config, but none allows pre-shared key authentication using Main Mode
Mar 26 02:22:13 myname-ubuntu-server charon: 06[ENC] generating INFORMATIONAL_V1 request 2960834334 [ HASH N(AUTH_FAILED) ]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[NET] sending packet: from 192.168.193.3[4500] to 61.205.5.249[4500] (108 bytes)
エラーの重要なポイントは、「一致する構成が1つ見つかりましたが、メインモードを使用した事前共有キー認証は許可されていません」と考えました。誰かがこのエラーを解決する方法を知っていますか?
/etc/ipsec.confに「aggressiveness = yes」を追加することを提案するこの問題の答えを見つけて試しましたが、機能しませんでした...(「aggressiveness = yes」という行を間違った位置に追加した可能性があります。 。私はLinuxの初心者です...)
次のサイトで設定ファイルを設定します: http://qiita.com/namoshika/items/30c348b56474d422ef64 (申し訳ありませんが日本語で書かれています...コード部分は読めると思います少なくとも。)
L2TP/IPsecを備えたUbuntu16.04でVPNサーバーを設定するための信頼できる指示書を誰かが教えてくれれば、私はそれを感謝します。
アグレッシブモードは使用しないでください。接続の安全性が低下します。とにかく、この構成で試してください。 strongswan-5.3.5およびxl2tpd-1.3.6を使用するVPNサーバーで使用しています
ipsec.conf
config setup
cachecrls=yes
uniqueids=yes
charondebug=""
conn %default
keyingtries=%forever
dpddelay=30s
dpdtimeout=120s
conn L2TP
dpdaction=clear
#Server IP
left=192.168.1.130
#Server default gateway
leftnexthop=192.168.1.254
leftprotoport=17/1701
rightprotoport=17/%any
right=%any
rightsubnet=0.0.0.0/0
leftauth=psk
rightauth=psk
leftid="<insert-the-public-ip-here>"
ikelifetime=1h
keylife=8h
ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
auto=add
keyexchange=ike
type=transport
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
ipsec.secrets
<insert-the-left-id-here> %any : PSK "<my-password>"
/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no
debug tunnel = no
debug avp = no
debug network = no
debug state = no
[lns default]
ip range = 10.0.0.20-10.0.0.30
local ip = 10.0.0.1
require authentication = yes
name = l2tp
pass peer = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
unix authentication = yes
/etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.0.0.1
auth
idle 1800
mtu 1200
mru 1200
nodefaultroute
lock
proxyarp
connect-delay 5000
name l2tpd
ifname l2tp
login
/ etc/ppp/chap-secrets
username * "l2tppassword" *
サービスを再開する
Sudo service strongswan restart
Sudo service xl2tpd restart