Linux-Windows VPN using IPsec

Installation and configuration of network software.
ifrit
Piegowaty Guziec
Posts: 5
Registered: 11 Apr 2012, 21:03

Post by ifrit »

Hello, I am faced with the task of building a secure VPN tunnel between a server and a Windows client.

The topology looks like this:
Windows(192.168.0.212)========IPsec========Linux(192.168.0.149)

file ipsec.conf

config setup
   nat_traversal=yes
   protostack=netkey
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
   interfaces=%none
   oe=off

conn windows
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.0.149
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

ipsec.secrets

192.168.0.149 %any: PSK "xxxxxx"

xl2tpd.conf

[global]
ipsec saref=yes

[lns default]
ip range = 192.168.0.160-192.168.0.196
local ip = 192.168.0.149        ; the posted file had "lacal ip", which is not a keyword xl2tpd knows
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/option.xl2tpd
length bit = yes


CHAP secrets (pppd)

# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
 ifrit           *       "XXXXXXX"                   *

auth.log
May 14 18:31:50 ifrit-VirtualBox ipsec__plutorun: Starting Pluto subsystem...
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:4284
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: SAref support [disabled]: Protocol not available
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: SAbind support [disabled]: Protocol not available
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: Setting NAT-Traversal port-4500 floating to on
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: port floating activation criteria nat_t=1/port_float=1
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: NAT-Traversal support [enabled]
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: using /dev/urandom as source of random entropy
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: starting up 1 cryptographic helpers
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: started helper pid=4287 (fd:7)
May 14 18:31:51 ifrit-VirtualBox pluto[4284]: Using Linux 2.6 IPsec interface code on 2.6.38-8-generic (experimental code)
May 14 18:31:51 ifrit-VirtualBox pluto[4287]: using /dev/urandom as source of random entropy
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: ike_alg_add(): ERROR: Algorithm already exists
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: ike_alg_add(): ERROR: Algorithm already exists
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: ike_alg_add(): ERROR: Algorithm already exists
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: ike_alg_add(): ERROR: Algorithm already exists
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: ike_alg_add(): ERROR: Algorithm already exists
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: Changed path to directory '/etc/ipsec.d/cacerts'
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: loaded CA cert file 'cacert.pem' (3253 bytes)
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: Changed path to directory '/etc/ipsec.d/aacerts'
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: Changed path to directory '/etc/ipsec.d/ocspcerts'
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: Changing to directory '/etc/ipsec.d/crls'
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: loaded crl file 'crl.pem' (467 bytes)
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: added connection description "$$$$$$$$"
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: listening for IKE messages
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: NAT-Traversal: Trying new style NAT-T
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: NAT-Traversal: Trying old style NAT-T
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: adding interface eth0/eth0 192.168.0.149:500
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: adding interface eth0/eth0 192.168.0.149:4500
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: adding interface lo/lo 127.0.0.1:500
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: adding interface lo/lo 127.0.0.1:4500
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: adding interface lo/lo ::1:500
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: loading secrets from "/etc/ipsec.secrets"
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: loaded private key file '/etc/ipsec.d/private/server.key' (963 bytes)
May 14 18:31:52 ifrit-VirtualBox pluto[4284]: loaded private key for keyid: PPK_RSA:AwEAAcbay
May 14 18:32:08 ifrit-VirtualBox pluto[4284]: packet from 192.168.0.212:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
May 14 18:32:08 ifrit-VirtualBox pluto[4284]: packet from 192.168.0.212:500: ignoring Vendor ID payload [FRAGMENTATION]
May 14 18:32:08 ifrit-VirtualBox pluto[4284]: packet from 192.168.0.212:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 14 18:32:08 ifrit-VirtualBox pluto[4284]: packet from 192.168.0.212:500: ignoring Vendor ID payload [Vid-Initial-Contact]
May 14 18:32:08 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #1: responding to Main Mode from unknown peer 192.168.0.212
May 14 18:32:08 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 14 18:32:08 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May 14 18:32:08 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
May 14 18:32:08 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 14 18:32:08 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #1: STATE_MAIN_R2: sent MR2, expecting MI3
May 14 18:32:09 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.212'
May 14 18:32:09 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 14 18:32:09 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
May 14 18:32:09 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #1: the peer proposed: 192.168.0.149/32:17/1701 -> 192.168.0.212/32:17/0
May 14 18:32:09 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #2: responding to Quick Mode proposal {msgid:11eeb783}
May 14 18:32:09 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #2: us: 192.168.0.149<192.168.0.149>[+S=C]:17/1701
May 14 18:32:09 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #2: them: 192.168.0.212[+S=C]:17/1701
May 14 18:32:09 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 14 18:32:09 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 14 18:32:10 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 14 18:32:10 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xa7869149 <0xaa000b35 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
May 14 18:32:44 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #1: received Delete SA(0xa7869149) payload: deleting IPSEC State #2
May 14 18:32:45 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #1: received and ignored informational message
May 14 18:32:45 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212 #1: received Delete SA payload: deleting ISAKMP State #1
May 14 18:32:45 ifrit-VirtualBox pluto[4284]: "$$$$$$$$"[1] 192.168.0.212: deleting connection "$$$$$$$$" instance with peer 192.168.0.212 {isakmp=#0/ipsec=#0}
May 14 18:32:45 ifrit-VirtualBox pluto[4284]: packet from 192.168.0.212:500: received and ignored informational message

When I try to connect from the Windows side I get an error message: Error 678 "The remote computer did not respond".
In Wireshark I can see that the connection is set up and the SA negotiation phase completes. ESP-encrypted packets arrive from 192.168.0.212 (Windows),
while in the other direction a message appears saying that the address (destination port) is unreachable.
I would welcome suggestions as to where the problem might lie. Is it the Linux configuration or the Windows configuration that is at fault?
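As an added diagnostic example (not from the post above and not part of Openswan or xl2tpd), the script below lints a constructed copy of the posted xl2tpd.conf and classifies constructed one-line excerpts of the posted pluto log, to show which layer the symptoms point at; the function names, the "conn" placeholder connection name and the result codes are my own.

```python
"""Lint the posted xl2tpd.conf and read pluto's log to locate the failing layer (added example)."""
import configparser

# [lns ...] keys used in the posted file, plus the correctly spelled 'local ip'.
LNS_KEYS = {"ip range", "local ip", "refuse chap", "refuse pap",
            "require authentication", "ppp debug", "pppoptfile", "length bit"}

# Constructed copy of the posted xl2tpd.conf, misspelled key included.
XL2TPD_CONF = """\
[global]
ipsec saref=yes

[lns default]
ip range = 192.168.0.160-192.168.0.196
lacal ip = 192.168.0.149
require authentication = yes
pppoptfile = /etc/ppp/option.xl2tpd
"""

# Constructed one-line excerpts of the pluto messages shown in the post ("conn" is a placeholder name).
PLUTO_LOG = [
    "pluto[4284]: SAref support [disabled]: Protocol not available",
    'pluto[4284]: "conn"[1] 192.168.0.212 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established',
    'pluto[4284]: "conn"[1] 192.168.0.212 #2: STATE_QUICK_R2: IPsec SA established transport mode',
    'pluto[4284]: "conn"[1] 192.168.0.212 #1: received Delete SA(0xa7869149) payload',
]

def lint_xl2tpd_conf(text):
    """Return problems found in the config; an empty list means it looks usable."""
    cp = configparser.ConfigParser()   # lower-cases keys, like xl2tpd's case-insensitive parser
    cp.read_string(text)
    lns = cp["lns default"]
    problems = [f"unknown key '{k}' in [lns default]" for k in lns if k not in LNS_KEYS]
    if "local ip" not in lns:
        problems.append("'local ip' is missing, so the PPP server address is undefined")
    if cp["global"].get("ipsec saref", "no").strip().lower() == "yes":
        problems.append("'ipsec saref' is on, which needs SAref support in the kernel")
    return problems

def locate_failure(log_lines, conf_problems):
    """Map what pluto logged onto the layer a practitioner should look at next."""
    if not any("IPsec SA established" in ln for ln in log_lines):
        return "ipsec"          # phase 1/2 never completed: look at ipsec.conf and the PSK
    saref_off = any("SAref support [disabled]" in ln for ln in log_lines)
    if saref_off and any("ipsec saref" in p for p in conf_problems):
        return "l2tp-saref"     # kernel has no SAref, yet xl2tpd.conf demands it
    # IPsec is fine; "port unreachable" back to the peer means nothing listens on UDP/1701.
    return "l2tp"               # check with: ss -lunp | grep 1701
```

Run against the real files, the same two functions tell you whether to look at pluto (no IPsec SA), at the SAref setting, or at whether xl2tpd is actually bound to UDP/1701.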