Jump to content
  • 0

L2TP + IPSEC - HOW TO ????


Lacho

Question

Здравейте,

Имам следната дилема :

Трябва да пусна ВПН с L2TP + IPSEC, но съм с ros 5.2 и туторияли никакви няма из нета. Всичко което е изписано съм пробвал, но без успех.

Моля някой ако е пускал да даде стъпка по стъпка как стават нещата.

Благодаря :)

Link to comment
Share on other sites

Recommended Posts

  • 0

Еми примерно - win7, iphone.... такива обикновени джаджи.

ето ти моя конфиг ;)

99.99... е примерно адреса на клиента

работи и с win7 и с vista


[admin@VPN] > interface l2tp-server server print 

          enabled: yes

          max-mtu: 1460

          max-mru: 1460

             mrru: disabled

   authentication: mschap2

  default-profile: default-encryption

[admin@VPN] > ip ipsec proposal print            

Flags: X - disabled 

 0   name="default" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=30m pfs-group=modp1024 

[admin@VPN] > ip ipsec peer print                

Flags: X - disabled 

 0   address=99.99.99.99/32 port=500 auth-method=pre-shared-key secret="**********" generate-policy=yes exchange-mode=main send-initial-contact=no 

     nat-traversal=yes my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 

     dpd-interval=disable-dpd dpd-maximum-failures=1

Link to comment
Share on other sites

  • 0

При такава конфигурация ми дава следната грешка в дебъг режим :

11:28:14 ipsec,debug couldn't find configuration.

А ето и конфигурацията :

> /interface l2tp-server server print

enabled: yes

max-mtu: 1460

max-mru: 1460

mrru: disabled

authentication: mschap2

default-profile: default-encryption

> /ip ipsec proposal print

Flags: X - disabled

0 name="proposal1" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=30m pfs-group=modp1024

> /ip ipsec peer print

0 address=192.168.0.5/32 port=500 auth-method=pre-shared-key secret="test" generate-policy=yes exchange-mode=main

send-initial-contact=no nat-traversal=yes my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1

enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

Трябва още нещо да се конфигурира, но какво е ?

Link to comment
Share on other sites

  • 0

от 192.168.0.5 ли се пробваш да се вържеш?

може да сложиш на peer-а address=0.0.0.0 и да пробваш

това в proposal незнам дали има толкова значение , не съм спец по IPSEC :)

При такава конфигурация ми дава следната грешка в дебъг режим :

11:28:14 ipsec,debug couldn't find configuration.

А ето и конфигурацията :

> /interface l2tp-server server print

enabled: yes

max-mtu: 1460

max-mru: 1460

mrru: disabled

authentication: mschap2

default-profile: default-encryption

> /ip ipsec proposal print

Flags: X - disabled

0 name="proposal1" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=30m pfs-group=modp1024

> /ip ipsec peer print

0 address=192.168.0.5/32 port=500 auth-method=pre-shared-key secret="test" generate-policy=yes exchange-mode=main

send-initial-contact=no nat-traversal=yes my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1

enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

Трябва още нещо да се конфигурира, но какво е ?

Link to comment
Share on other sites

  • 0

Такамм...

Сега пък излезе друга дилема "invalid length of payload"

Много съм ти балодарен за хелпа :)

това е лога в дебъг :

19:04:17 ipsec,debug,packet ==========

19:04:17 ipsec,debug,packet 68 bytes message received from xx.xx.xx.xx[31091] to xx.xx.xx.xx[4500]

19:04:17 ipsec,debug,packet c3194dca 6e35bbee fabafead 7af830e8 05100201 00000000 00000044 639c1291

19:04:17 ipsec,debug,packet 305e690c ede50622 1968cdca b723e518 ff35f794 3f8d39c0 9fe1ea0b cdcc8a7e

19:04:17 ipsec,debug,packet b78cbd12

19:04:17 ipsec,debug,packet encryption(3des)

19:04:17 ipsec,debug,packet IV was saved for next processing:

19:04:17 ipsec,debug,packet cdcc8a7e b78cbd12

19:04:17 ipsec,debug,packet encryption(3des)

19:04:17 ipsec,debug,packet with key:

19:04:17 ipsec,debug,packet 3c7e22b4 3c7e22b4 3c7e22b4 4727fcc9 3c7e22b4 3c7e22b4

19:04:17 ipsec,debug,packet decrypted payload by IV:

19:04:17 ipsec,debug,packet 3c7e22b4 3c7e22b4

19:04:17 ipsec,debug,packet decrypted payload, but not trimed.

19:04:17 ipsec,debug,packet 3c7e22b4 3c7e22b4 3c7e22b4 3c7e22b4 3c7e22b4 3c7e22b4 3c7e22b4 3c7e22b4

19:04:17 ipsec,debug,packet 3a2b0611 79ac1abf

19:04:17 ipsec,debug,packet padding len=192

19:04:17 ipsec,debug,packet skip to trim padding.

19:04:17 ipsec,debug,packet decrypted.

19:04:17 ipsec,debug,packet 3c7e22b4 3c7e22b4 fabafead 3c7e22b4 05100201 00000000 00000044 ebdd592a

19:04:17 ipsec,debug,packet e8656618 cfb73969 9579a4c3 3c7e22b4 3c7e22b4 3c7e22b4 053f14db 3a2b0611

19:04:17 ipsec,debug,packet 79ac1abf

19:04:17 ipsec,debug,packet begin.

19:04:17 ipsec,debug,packet seen nptype=5(id)

19:04:17 ipsec,debug invalid length of payload

19:04:23 ipsec,debug,packet ==========

Link to comment
Share on other sites

  • 0
  • Administrator

намали max-mtu/max-mru вероятно някъде фрагментира

как е с 1440

Харесай поста ^^^
acer.gif htc.gifsigpic4024_2.gif

Форумът е за взаимопомощ а не за свършване на чужда работа


ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ

Link to comment
Share on other sites

  • 0
  • Administrator

свали още на 1396

Харесай поста ^^^
acer.gif htc.gifsigpic4024_2.gif

Форумът е за взаимопомощ а не за свършване на чужда работа


ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ

Link to comment
Share on other sites

  • 0

отново нямам успех :(

други идеи ?

П.С. - ето пак грешката

Jan/03/1970 05:34:21 ipsec,debug,packet ==========

Jan/03/1970 05:34:21 ipsec,debug,packet 68 bytes message received from XX.XX.XX.XX[11650] to XX.XX.XX.XX[4500]

Jan/03/1970 05:34:21 ipsec,debug,packet dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80

Jan/03/1970 05:34:21 ipsec,debug,packet dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80

Jan/03/1970 05:34:21 ipsec,debug,packet dd69bc80

Jan/03/1970 05:34:21 ipsec,debug,packet encryption(3des)

Jan/03/1970 05:34:21 ipsec,debug,packet IV was saved for next processing:

Jan/03/1970 05:34:21 ipsec,debug,packet 5ee01d2e 12b87b5b

Jan/03/1970 05:34:21 ipsec,debug,packet encryption(3des)

Jan/03/1970 05:34:21 ipsec,debug,packet with key:

Jan/03/1970 05:34:21 ipsec,debug,packet dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80

Jan/03/1970 05:34:21 ipsec,debug,packet decrypted payload by IV:

Jan/03/1970 05:34:21 ipsec,debug,packet fe168a04 63db61de

Jan/03/1970 05:34:21 ipsec,debug,packet decrypted payload, but not trimed.

Jan/03/1970 05:34:21 ipsec,debug,packet dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80

Jan/03/1970 05:34:21 ipsec,debug,packet dd69bc80 dd69bc80

Jan/03/1970 05:34:21 ipsec,debug,packet padding len=211

Jan/03/1970 05:34:21 ipsec,debug,packet skip to trim padding.

Jan/03/1970 05:34:21 ipsec,debug,packet decrypted.

Jan/03/1970 05:34:21 ipsec,debug,packet dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80

Jan/03/1970 05:34:21 ipsec,debug,packet dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80 dd69bc80

Jan/03/1970 05:34:21 ipsec,debug,packet dd69bc80

Jan/03/1970 05:34:21 ipsec,debug,packet begin.

Jan/03/1970 05:34:21 ipsec,debug,packet seen nptype=5(id)

Jan/03/1970 05:34:21 ipsec,debug invalid length of payload

Jan/03/1970 05:34:25 ipsec,debug,packet ==========

Edited by Lacho
Link to comment
Share on other sites

  • 0
  • Administrator

Следва 1360 ама ще имаш вътре тунелно фрагментиране

Харесай поста ^^^
acer.gif htc.gifsigpic4024_2.gif

Форумът е за взаимопомощ а не за свършване на чужда работа


ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ

Link to comment
Share on other sites

  • 0
  • Administrator

поиграй си с кодировката

под над 13 символа парола

100% нещо тъпо ще се окаже

Харесай поста ^^^
acer.gif htc.gifsigpic4024_2.gif

Форумът е за взаимопомощ а не за свършване на чужда работа


ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.