L2TP / IPSec cannot connect (Ubuntu 18.04)
I am trying to connect to my corporate VPN from Ubuntu 18.04. I am not well versed in networking, but the connection is intermittent. Once it connects successfully, it stays connected until I disconnect again. But getting it to connect is hard.
My system logs:
May 20 01:53:45 charon[1996]: 07[CFG] loaded IKE secret for %any
May 20 01:53:45 charon[1996]: 10[CFG] received stroke: initiate '51daa580-ce85-43c8-b0ed-9c387f904ee5'
May 20 01:53:45 charon[1996]: 11[IKE] initiating Main Mode IKE_SA 51daa580-ce85-43c8-b0ed-9c387f904ee5[1] to x.x.x.x
May 20 01:53:45 charon[1996]: 11[IKE] initiating Main Mode IKE_SA 51daa580-ce85-43c8-b0ed-9c387f904ee5[1] to x.x.x.x
May 20 01:53:45 charon[1996]: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
May 20 01:53:45 charon[1996]: 11[NET] sending packet: from 192.168.0.32[500] to x.x.x.x[500] (236 bytes)
May 20 01:53:45 charon[1996]: 12[NET] received packet: from x.x.x.x[500] to 192.168.0.32[500] (156 bytes)
May 20 01:53:45 charon[1996]: 12[ENC] parsed ID_PROT response 0 [ SA V V V V ]
May 20 01:53:45 charon[1996]: 12[IKE] received XAuth vendor ID
May 20 01:53:45 charon[1996]: 12[IKE] received NAT-T (RFC 3947) vendor ID
May 20 01:53:45 charon[1996]: 12[IKE] received DPD vendor ID
May 20 01:53:45 charon[1996]: 12[IKE] received FRAGMENTATION vendor ID
May 20 01:53:45 charon[1996]: 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
May 20 01:53:45 charon[1996]: 12[NET] sending packet: from 192.168.0.32[500] to x.x.x.x[500] (244 bytes)
May 20 01:53:45 charon[1996]: 13[NET] received packet: from x.x.x.x[500] to 192.168.0.32[500] (228 bytes)
May 20 01:53:45 charon[1996]: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 20 01:53:45 charon[1996]: 13[IKE] local host is behind NAT, sending keep alives
May 20 01:53:45 charon[1996]: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
May 20 01:53:45 charon[1996]: 13[NET] sending packet: from 192.168.0.32[4500] to x.x.x.x[4500] (68 bytes)
May 20 01:53:49 charon[1996]: 16[IKE] sending retransmit 1 of request message ID 0, seq 3
May 20 01:53:49 charon[1996]: 16[NET] sending packet: from 192.168.0.32[4500] to x.x.x.x[4500] (68 bytes)
May 20 01:53:55 NetworkManager[883]: Stopping strongSwan IPsec...
May 20 01:53:55 charon[1996]: 00[DMN] signal of type SIGINT received. Shutting down
May 20 01:53:55 charon[1996]: 00[IKE] destroying IKE_SA in state CONNECTING without notification
May 20 01:53:55 NetworkManager[883]: initiating Main Mode IKE_SA 51daa580-ce85-43c8-b0ed-9c387f904ee5[1] to x.x.x.x
May 20 01:53:55 NetworkManager[883]: generating ID_PROT request 0 [ SA V V V V V ]
May 20 01:53:55 NetworkManager[883]: sending packet: from 192.168.0.32[500] to x.x.x.x[500] (236 bytes)
May 20 01:53:55 NetworkManager[883]: received packet: from x.x.x.x[500] to 192.168.0.32[500] (156 bytes)
May 20 01:53:55 NetworkManager[883]: parsed ID_PROT response 0 [ SA V V V V ]
May 20 01:53:55 NetworkManager[883]: received XAuth vendor ID
May 20 01:53:55 NetworkManager[883]: received NAT-T (RFC 3947) vendor ID
May 20 01:53:55 NetworkManager[883]: received DPD vendor ID
May 20 01:53:55 NetworkManager[883]: received FRAGMENTATION vendor ID
May 20 01:53:55 NetworkManager[883]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
May 20 01:53:55 NetworkManager[883]: sending packet: from 192.168.0.32[500] to x.x.x.x[500] (244 bytes)
May 20 01:53:55 NetworkManager[883]: received packet: from x.x.x.x[500] to 192.168.0.32[500] (228 bytes)
May 20 01:53:55 NetworkManager[883]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 20 01:53:55 NetworkManager[883]: local host is behind NAT, sending keep alives
May 20 01:53:55 NetworkManager[883]: generating ID_PROT request 0 [ ID HASH ]
May 20 01:53:55 NetworkManager[883]: sending packet: from 192.168.0.32[4500] to x.x.x.x[4500] (68 bytes)
May 20 01:53:55 NetworkManager[883]: sending retransmit 1 of request message ID 0, seq 3
May 20 01:53:55 NetworkManager[883]: sending packet: from 192.168.0.32[4500] to x.x.x.x[4500] (68 bytes)
May 20 01:53:55 NetworkManager[883]: destroying IKE_SA in state CONNECTING without notification
May 20 01:53:55 NetworkManager[883]: establishing connection '51daa580-ce85-43c8-b0ed-9c387f904ee5' failed
May 20 01:53:55 ipsec_starter[1995]: child 1996 (charon) has quit (exit code 0)
May 20 01:53:55 ipsec_starter[1995]:
May 20 01:53:55 ipsec_starter[1995]: charon stopped after 200 ms
May 20 01:53:55 ipsec_starter[1995]: ipsec starter stopped
May 20 01:53:55 nm-l2tp-service[1948]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
May 20 01:53:55 NetworkManager[883]: <info> [1589954035.7044] vpn-connection[0x55c18d2e60d0,51daa580-ce85-43c8-b0ed-9c387f904ee5,"Alert",0]: VPN plugin: state changed: stopped (6)
May 20 01:53:55 NetworkManager[883]: <info> [1589954035.7067] vpn-connection[0x55c18d2e60d0,51daa580-ce85-43c8-b0ed-9c387f904ee5,"Alert",0]: VPN service disappeared
May 20 01:53:55 NetworkManager[883]: <warn> [1589954035.7076] vpn-connection[0x55c18d2e60d0,51daa580-ce85-43c8-b0ed-9c387f904ee5,"Alert",0]: VPN connection: failed to connect: 'Message recipient
Debug output:
$ sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp[6392] <debug> nm-l2tp-service (version 1.2.18) starting...
nm-l2tp[6392] <debug> uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[6392] <info> ipsec enable flag: yes
** Message: 09:57:18.894: Check port 1701
connection
id : "Alert" (s)
uuid : "51daa580-ce85-43c8-b0ed-9c387f904ee5" (s)
interface-name : NULL (sd)
type : "vpn" (s)
permissions : ["user:hari:"] (s)
autoconnect : FALSE (s)
autoconnect-priority : 0 (sd)
autoconnect-retries : -1 (sd)
timestamp : 0 (sd)
read-only : FALSE (sd)
zone : NULL (sd)
master : NULL (sd)
slave-type : NULL (sd)
autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
secondaries : NULL (sd)
gateway-ping-timeout : 0 (sd)
metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
lldp : -1 (sd)
mdns : -1 (sd)
stable-id : NULL (sd)
auth-retries : -1 (sd)
ipv6
method : "auto" (s)
dns : [] (s)
dns-search : [] (s)
dns-options : NULL (sd)
dns-priority : 0 (sd)
addresses : ((GPtrArray*) 0x55e24a35ef40) (s)
gateway : NULL (sd)
routes : ((GPtrArray*) 0x55e24a35ef60) (s)
route-metric : -1 (sd)
route-table : 0 (sd)
ignore-auto-routes : FALSE (sd)
ignore-auto-dns : FALSE (sd)
dhcp-hostname : NULL (sd)
dhcp-send-hostname : TRUE (sd)
never-default : FALSE (sd)
may-fail : TRUE (sd)
dad-timeout : -1 (sd)
dhcp-timeout : 0 (sd)
ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN) (sd)
addr-gen-mode : 1 (sd)
token : NULL (sd)
proxy
method : 0 (sd)
browser-only : FALSE (sd)
pac-url : NULL (sd)
pac-script : NULL (sd)
vpn
service-type : "org.freedesktop.NetworkManager.l2tp" (s)
user-name : NULL (sd)
persistent : FALSE (sd)
data : ((GHashTable*) 0x7f6598006de0) (s)
secrets : ((GHashTable*) 0x7f6598006de0) (s)
timeout : 0 (sd)
ipv4
method : "auto" (s)
dns : [] (s)
dns-search : [] (s)
dns-options : NULL (sd)
dns-priority : 0 (sd)
addresses : ((GPtrArray*) 0x55e24a35f060) (s)
gateway : NULL (sd)
routes : ((GPtrArray*) 0x55e24a35f080) (s)
route-metric : -1 (sd)
route-table : 0 (sd)
ignore-auto-routes : FALSE (sd)
ignore-auto-dns : FALSE (sd)
dhcp-hostname : NULL (sd)
dhcp-send-hostname : TRUE (sd)
never-default : FALSE (sd)
may-fail : TRUE (sd)
dad-timeout : -1 (sd)
dhcp-timeout : 0 (sd)
dhcp-client-id : NULL (sd)
dhcp-fqdn : NULL (sd)
nm-l2tp[6392] <info> starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.6.2 IPsec [starter]...
Loading config setup
Loading conn '51daa580-ce85-43c8-b0ed-9c387f904ee5'
found netkey IPsec stack
nm-l2tp[6392] <info> Spawned ipsec up script with PID 6452.
initiating Main Mode IKE_SA 51daa580-ce85-43c8-b0ed-9c387f904ee5[1] to x.x.x.x
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.0.32[500] to x.x.x.x[500] (236 bytes)
received packet: from x.x.x.x[500] to 192.168.0.32[500] (156 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.0.32[500] to x.x.x.x[500] (244 bytes)
received packet: from x.x.x.x[500] to 192.168.0.32[500] (228 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.0.32[4500] to x.x.x.x[4500] (68 bytes)
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 192.168.0.32[4500] to x.x.x.x[4500] (68 bytes)
nm-l2tp[6392] <warn> Timeout trying to establish IPsec connection
nm-l2tp[6392] <info> Terminating ipsec script with PID 6452.
Stopping strongSwan IPsec...
destroying IKE_SA in state CONNECTING without notification
establishing connection '51daa580-ce85-43c8-b0ed-9c387f904ee5' failed
nm-l2tp[6392] <warn> Could not establish IPsec tunnel.
(nm-l2tp-service:6392): GLib-GIO-CRITICAL **: 09:57:32.052: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Here is what I have done so far:
- This connection works without problems on my Windows and Android phone.
- I also investigated whether this could be a router problem, since mine was custom bought rather than the one that came with Comcast. I ended up finding the page https://kb.netgear.com/26099/C3700-C3000-VPN-Pass-through-HotFix-for-Windows. And if that were true, then I don't understand why my VPN connection would sometimes succeed.
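An added example, not part of the original post: a small Python parser for charon lines in the format shown in the logs above. It counts packets sent and received per remote UDP port and reports which IKE request was left without a parsed response. The sample lines are constructed from that log format, and the names `analyze` and `SAMPLE` are hypothetical.

```python
import re

# Constructed sample: charon lines in the format of the syslog excerpt in the question.
SAMPLE = """\
May 20 01:53:45 charon[1996]: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
May 20 01:53:45 charon[1996]: 11[NET] sending packet: from 192.168.0.32[500] to x.x.x.x[500] (236 bytes)
May 20 01:53:45 charon[1996]: 12[NET] received packet: from x.x.x.x[500] to 192.168.0.32[500] (156 bytes)
May 20 01:53:45 charon[1996]: 12[ENC] parsed ID_PROT response 0 [ SA V V V V ]
May 20 01:53:45 charon[1996]: 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
May 20 01:53:45 charon[1996]: 12[NET] sending packet: from 192.168.0.32[500] to x.x.x.x[500] (244 bytes)
May 20 01:53:45 charon[1996]: 13[NET] received packet: from x.x.x.x[500] to 192.168.0.32[500] (228 bytes)
May 20 01:53:45 charon[1996]: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 20 01:53:45 charon[1996]: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
May 20 01:53:45 charon[1996]: 13[NET] sending packet: from 192.168.0.32[4500] to x.x.x.x[4500] (68 bytes)
May 20 01:53:49 charon[1996]: 16[IKE] sending retransmit 1 of request message ID 0, seq 3
May 20 01:53:49 charon[1996]: 16[NET] sending packet: from 192.168.0.32[4500] to x.x.x.x[4500] (68 bytes)
"""

NET = re.compile(r"\[NET\] (sending|received) packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
ENC = re.compile(r"\[ENC\] (generating|parsed) \S+ (request|response) \d+ \[ (.*?) \]")
RETX = re.compile(r"\[IKE\] sending retransmit (\d+) of")

def analyze(log_text):
    """Summarise an IKE exchange: per-port traffic and the unanswered request."""
    ports = {}        # remote UDP port -> {"sent": n, "received": n}
    pending = None    # payloads of the last request with no parsed response yet
    retransmits = 0
    for line in log_text.splitlines():
        if m := ENC.search(line):
            action, kind, payloads = m.groups()
            if action == "generating" and kind == "request":
                pending = payloads
            elif action == "parsed" and kind == "response":
                pending = None
        elif m := NET.search(line):
            direction, src_port, dst_port = m.groups()
            # The remote port is the destination when sending, the source when receiving.
            remote = int(dst_port if direction == "sending" else src_port)
            key = "sent" if direction == "sending" else "received"
            ports.setdefault(remote, {"sent": 0, "received": 0})[key] += 1
        elif m := RETX.search(line):
            retransmits = max(retransmits, int(m.group(1)))
    silent = sorted(p for p, c in ports.items() if c["sent"] and not c["received"])
    return {"ports": ports, "stalled_on": pending,
            "retransmits": retransmits, "silent_ports": silent}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the sample, both requests to port 500 are answered, while the `ID HASH` request sent to port 4500 is retransmitted and never answered.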