    IPSec works, but L2TP cannot be established – the client is left alone.
    ners
    Guest
    #1
    0
    23.07.2013 15:03:00
    Hi, I'm having trouble setting up L2TP+IPSec on RouterOS 6.1. I've been struggling with it for a couple of days. Could you please tell me what is wrong with my configuration? It looks like the client does not receive any L2TP control replies from the server. Here are my settings:

    `/ip ipsec peer add exchange-mode=main-l2tp generate-policy=port-strict hash-algorithm=sha1 nat-traversal=yes secret=govno send-initial-contact=no`
    `/ppp profile add local-address=10.20.36.1 name=L2TP remote-address=l2tp use-encryption=no`
    `/ppp secret add name=user password=test profile=L2TP service=l2tp`
    `/interface l2tp-server server set authentication=chap default-profile=L2TP enabled=yes`
    `/ip firewall filter add chain=input comment=L2TP dst-port=4500 protocol=udp`
    `/ip firewall filter add chain=input comment=IPSEC protocol=ipsec-esp`
    `/ip firewall filter add chain=input comment=l2tp port=500 protocol=udp`
    `/ip firewall filter add chain=input comment=l2tp port=1701 protocol=udp`

    Here is what the client writes in its logs:

    `7/23/13 6:49:59.837 PM pppd[3419]: pppd 2.4.2 (Apple version 596.13) started by vitaly, uid 501`
    `7/23/13 6:49:59.878 PM pppd[3419]: L2TP connecting to server '81.92.25.1' (81.92.25.1)...`
    `7/23/13 6:49:59.881 PM pppd[3419]: IPSec connection started`
    `7/23/13 6:49:59.906 PM racoon[3422]: Connecting.`
    `7/23/13 6:49:59.906 PM racoon[3422]: IPSec Phase1 started (Initiated by me).`
    `7/23/13 6:49:59.909 PM racoon[3422]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).`
    `7/23/13 6:49:59.929 PM racoon[3422]: IKE Packet: receive success. (Initiator, Main-Mode message 2).`
    `7/23/13 6:49:59.936 PM racoon[3422]: IKE Packet: transmit success. (Initiator, Main-Mode message 3).`
    `7/23/13 6:49:59.982 PM racoon[3422]: IKE Packet: receive success. (Initiator, Main-Mode message 4).`
    `7/23/13 6:50:00.003 PM racoon[3422]: IKE Packet: transmit success. (Initiator, Main-Mode message 5).`
    `7/23/13 6:50:00.020 PM racoon[3422]: IKEv1 Phase1 AUTH: success. (Initiator, Main-Mode Message 6).`
    `7/23/13 6:50:00.020 PM racoon[3422]: IKE Packet: receive success. (Initiator, Main-Mode message 6).`
    `7/23/13 6:50:00.020 PM racoon[3422]: IKEv1 Phase1 Initiator: success. (Initiator, Main-Mode).`
    `7/23/13 6:50:00.020 PM racoon[3422]: IPSec Phase1 established (Initiated by me).`
    `7/23/13 6:50:00.000 PM kernel[0]: L2TP domain init`
    `7/23/13 6:50:00.000 PM kernel[0]: L2TP domain init complete`
    `7/23/13 6:50:01.022 PM racoon[3422]: IPSec Phase2 started (Initiated by me).`
    `7/23/13 6:50:01.023 PM racoon[3422]: IKE Packet: transmit success. (Initiator, Quick-Mode message 1).`
    `7/23/13 6:50:01.047 PM racoon[3422]: IKE Packet: receive success. (Initiator, Main-Mode message 2).`
    `7/23/13 6:50:01.047 PM racoon[3422]: IKE Packet: transmit success. (Initiator, Quick-Mode message 3).`
    `7/23/13 6:50:01.047 PM racoon[3422]: IKE Packet: receive success. (Initiator, Quick-Mode message 4).`
     
     
     
    StephenDearden
    Guest
    #2
    0
    11.12.2014 20:51:00
    Same problem. IPsec sets up fine, but the L2TP tunnel does not connect.
     
     
     
    43north
    Guest
    #3
    0
    14.12.2014 07:46:00
    What error does the log show when you try to connect to the L2TP tunnel?
     
     
     
    StephenDearden
    Guest
    #4
    0
    15.12.2014 17:50:00
    Here is what appears in the log afterwards:

    Срд, 10 дек 2014 13:23:44 : publish_entry SCDSet() failed: Успех!
    Срд, 10 дек 2014 13:23:44 : L2TP подключается к серверу '50.160.18.125' (50.160.18.125)...
    Срд, 10 дек 2014 13:23:44 : IPSec соединение начато
    Срд, 10 дек 2014 13:23:44 : IPSec фаза 1 клиент началась
    Срд, 10 дек 2014 13:23:45 : IPSec фаза 1 сервер ответил
    Срд, 10 дек 2014 13:23:45 : IPSec фаза 2 началась
    Срд, 10 дек 2014 13:23:46 : IPSec фаза 2 установлена
    Срд, 10 дек 2014 13:23:46 : IPSec соединение установлено
    Срд, 10 дек 2014 13:23:46 : L2TP отправлен SCCRQ
    Срд, 10 дек 2014 13:24:06 : L2TP не может подключиться к серверу.

    Is there a way to get a more detailed error log? I don't know how to do that, if it is possible at all. Thanks for the reply. I'm new to this and have searched everywhere for a solution.
     
     
     
    tomaskir
    Guest
    #5
    0
    16.12.2014 09:26:00
    Which RouterOS version are you using? Please attach the output of: `/ip add`, `/ip ipsec`, `/ip fi`, `/ppp`. Feel free to remove any confidential information.
     
     
     
    zopper
    Guest
    #6
    0
    27.12.2014 15:49:00
    I have the same problem. The log from the L2TP client looks exactly like the one in StephenDearden's post. And in the Mikrotik logs I can see that the client sends SCCRQ packets and the Mikrotik replies with SCCRP, but the reply never reaches the client. This repeats several times until the timeout:

    Dec/27/2014 16:31:58 l2tp,debug,packet получен контрольный сообщение от 37.48.38.83:53552
    Dec/27/2014 16:31:58 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
    Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Message-Type=SCCRQ
    Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Protocol-Version=0x01:00
    Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Framing-Capabilities=0x3
    Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Host-Name=0x4a:61:6e:73:2d:4d:61:63:42:6f:6f:6b:2d:50:72:6f
    Dec/27/2014 16:31:58 l2tp,debug,packet         2e:6c:6f:63:61:6c:00
    Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Assigned-Tunnel-ID=42
    Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Receive-Window-Size=4
    Dec/27/2014 16:31:58 l2tp,debug,packet отправлен контрольный сообщение (ack) 37.48.38.83:53552
    Dec/27/2014 16:31:58 l2tp,debug,packet     tunnel-id=42, session-id=0, ns=1, nr=1
    Dec/27/2014 16:31:58 l2tp,debug,packet отправлен контрольный сообщение 37.48.38.83:53552
    Dec/27/2014 16:31:58 l2tp,debug,packet     tunnel-id=42, session-id=0, ns=0, nr=1
    Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Message-Type=SCCRP
    Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Protocol-Version=0x01:00
    Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Framing-Capabilities=0x1
    Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Bearer-Capabilities=0x0
    Dec/27/2014 16:31:58 l2tp,debug,packet     Firmware-Revision=0x1
    Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Host-Name="MikroTik"
    Dec/27/2014 16:31:58 l2tp,debug,packet     Vendor-Name="MikroTik"
    Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Assigned-Tunnel-ID=41
    Dec/27/2014 16:31:58 l2tp,debug,packet     (M) Receive-Window-Size=4

    Some information about the network: the Mikrotik router sits behind another router (an ASUS SOHO box with the Mikrotik in its DMZ) that forwards all incoming connections to the Mikrotik; the gateway interface has IP 192.168.254.2, gateway 192.168.254.1. The local network uses the 192.168.2.0/24 address space, but I thought I would start with a different address space in the VPN to avoid any problems with the local network. PPTP works on my Mikrotik, so the network seems to be fine. Router OS version:

    # dec/27/2014 16:18:59 by RouterOS 6.23
    # software id = V18U-266H

    Requested exports:

    /ip address
    add address=192.168.2.1/24 comment="default configuration" interface=\
       ether2-master-local network=192.168.2.0
    add address=192.168.254.2/24 interface=ether1-gateway network=192.168.254.0
    /ip ipsec peer
    add enc-algorithm=3des,aes-128,aes-192,aes-256 generate-policy=port-strict \
       secret=some_secret
    /ip firewall filter
    add chain=forward comment="default configuration" connection-state=\
       established
    add chain=forward comment="default configuration" connection-state=related
    add chain=forward comment="default configuration" connection-state=invalid
    add chain=input dst-port=1194 in-interface=ether1-gateway protocol=tcp
    add chain=input comment="L2TP " dst-port=1701,500,4500 protocol=udp
    add chain=input comment=L2TP protocol=ipsec-esp
    add action=drop chain=input connection-state=new connection-type="" disabled=\
       yes in-interface=ether1-gateway
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" \
       out-interface=ether1-gateway to-addresses=0.0.0.0
    add action=dst-nat chain=dstnat comment="http(s) to server" dst-port=80,443 \
       in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.2
    add action=dst-nat chain=dstnat comment="SSH to server" dst-port=22 \
       in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.2
    /ppp profile
    set 0 local-address=192.168.3.30 remote-address=vpn-pool
    add address-list="" local-address=192.168.3.30 name=L2TP remote-address=\
       vpn-pool use-encryption=no
    set 2 local-address=192.168.3.30 remote-address=vpn-pool use-encryption=\
       required
    /ppp secret
    add name=login password=pass
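
Added example (not part of the post above and not RouterOS code): a Python check for the pattern described in this post, where the router logs SCCRQ coming in and SCCRP going out but the client never sees the reply. It uses the L2TP sequence fields: while every message from a peer still carries nr=0, that peer has not received the router's SCCRP (ns=0). The log text is a constructed sample, and the "rcvd"/"sent" wording, the addresses and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the l2tp,debug,packet log quoted above.
# Assumption: untranslated RouterOS output words the header lines as
# "rcvd control message from" / "sent control message to".
SAMPLE_LOG = """\
16:31:58 l2tp,debug,packet rcvd control message from 203.0.113.7:53552
16:31:58 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:31:58 l2tp,debug,packet     (M) Message-Type=SCCRQ
16:31:58 l2tp,debug,packet sent control message (ack) to 203.0.113.7:53552
16:31:58 l2tp,debug,packet     tunnel-id=42, session-id=0, ns=1, nr=1
16:31:58 l2tp,debug,packet sent control message to 203.0.113.7:53552
16:31:58 l2tp,debug,packet     tunnel-id=42, session-id=0, ns=0, nr=1
16:31:58 l2tp,debug,packet     (M) Message-Type=SCCRP
16:31:59 l2tp,debug,packet rcvd control message from 203.0.113.7:53552
16:31:59 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:31:59 l2tp,debug,packet     (M) Message-Type=SCCRQ
16:31:59 l2tp,debug,packet sent control message (ack) to 203.0.113.7:53552
16:31:59 l2tp,debug,packet     tunnel-id=42, session-id=0, ns=1, nr=1
16:31:59 l2tp,debug,packet sent control message to 203.0.113.7:53552
16:31:59 l2tp,debug,packet     tunnel-id=42, session-id=0, ns=0, nr=1
16:31:59 l2tp,debug,packet     (M) Message-Type=SCCRP
16:40:10 l2tp,debug,packet rcvd control message from 198.51.100.9:1701
16:40:10 l2tp,debug,packet     tunnel-id=0, session-id=0, ns=0, nr=0
16:40:10 l2tp,debug,packet     (M) Message-Type=SCCRQ
16:40:10 l2tp,debug,packet sent control message to 198.51.100.9:1701
16:40:10 l2tp,debug,packet     tunnel-id=7, session-id=0, ns=0, nr=1
16:40:10 l2tp,debug,packet     (M) Message-Type=SCCRP
16:40:10 l2tp,debug,packet rcvd control message from 198.51.100.9:1701
16:40:10 l2tp,debug,packet     tunnel-id=3, session-id=0, ns=1, nr=1
16:40:10 l2tp,debug,packet     (M) Message-Type=SCCCN
"""

HEADER = re.compile(
    r"l2tp,debug,packet\s+(rcvd|sent) control message(?: \(ack\))? (?:from|to) (\S+)"
)
SEQ = re.compile(r"\bns=(\d+), nr=(\d+)")
MSGTYPE = re.compile(r"Message-Type=(\w+)")


def parse_messages(log_text):
    """Group header + continuation lines into one dict per control message."""
    messages, current = [], None
    for line in log_text.splitlines():
        m = HEADER.search(line)
        if m:
            # A message without a Message-Type AVP is a zero-length-body ack.
            current = {"dir": m.group(1), "peer": m.group(2),
                       "type": "ZLB", "ns": None, "nr": None}
            messages.append(current)
            continue
        if current is None:
            continue  # continuation line before any header: ignore
        if (m := SEQ.search(line)):
            current["ns"], current["nr"] = int(m.group(1)), int(m.group(2))
        elif (m := MSGTYPE.search(line)):
            current["type"] = m.group(1)
    return messages


def diagnose(messages):
    """Return {peer: verdict} for the control-connection handshake."""
    state = defaultdict(lambda: {"sccrq": 0, "sccrp": 0, "peer_nr": 0, "scccn": False})
    for msg in messages:
        s = state[msg["peer"]]
        if msg["dir"] == "rcvd":
            if msg["nr"] is not None:
                s["peer_nr"] = max(s["peer_nr"], msg["nr"])
            if msg["type"] == "SCCRQ":
                s["sccrq"] += 1
            elif msg["type"] == "SCCCN":
                s["scccn"] = True
        elif msg["type"] == "SCCRP":
            s["sccrp"] += 1

    verdicts = {}
    for peer, s in state.items():
        if s["scccn"]:
            verdicts[peer] = "established"
        elif s["sccrp"] and s["peer_nr"] == 0:
            # We answered, but the peer still expects our ns=0: the SCCRP
            # is being lost on the way back (return path, NAT, IPsec policy).
            verdicts[peer] = "reply-lost"
        elif s["sccrq"] and not s["sccrp"]:
            verdicts[peer] = "no-reply-sent"
        else:
            verdicts[peer] = "incomplete"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in diagnose(parse_messages(SAMPLE_LOG)).items():
        print(peer, verdict)
```

A "reply-lost" verdict means the L2TP server itself is answering, so the place to look is whatever carries the reply back to the client rather than the PPP or L2TP server settings.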
     
     
     
    gcraenen
    Guest
    #7
    0
    29.12.2014 09:49:00
    Same problem! Requested exports:

    /ip add
    # 29.12.2014 10:59:29 by RouterOS 6.24
    # software id = CDRV-B447
    #
    /ip address
    add address=192.168.88.1/24 comment="default configuration" interface=ether2 \
       network=192.168.88.0
    add address=192.168.90.1/24 comment="IP Guest wlan" interface=duck network=\
       192.168.90.0

    /ip ipsec
    # 29.12.2014 11:00:33 by RouterOS 6.24
    # software id = CDRV-B447
    #
    /ip ipsec policy group
    set
    /ip ipsec proposal
    set [ find default=yes ] enc-algorithms=3des,aes-256-cbc pfs-group=none
    /ip ipsec peer
    add enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override secret=\
       secret
    /ip ipsec policy
    set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0

    /ip fi
    # 29.12.2014 11:01:25 by RouterOS 6.24
    # software id = CDRV-B447
    #
    /ip firewall filter
    add chain=input comment="default configuration" protocol=icmp
    add chain=input comment="default configuration" connection-state=established
    add chain=input comment="default configuration" connection-state=related
    add action=add-src-to-address-list address-list=Login_tries address-list-timeout=1d \
       chain=input dst-port=20-23,8291 log=yes protocol=tcp
    add action=drop chain=input comment="Block home network --> guests" dst-address=\
       192.168.90.0/24 src-address=192.168.88.0/24
    add action=drop chain=input comment="Block guests --> home network" dst-address=\
       192.168.88.0/24 src-address=192.168.90.0/24
    add chain=input comment=l2tp connection-state=new dst-port=500,1701,4500 in-interface=\
       ether1-gateway log=yes log-prefix=vpn- protocol=udp
    add chain=input connection-state=new in-interface=ether1-gateway log=yes log-prefix=\
       VPN-FW protocol=ipsec-esp
    add chain=input comment="allow pptp" dst-port=1723 protocol=tcp
    add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
    add chain=forward comment="default configuration" connection-state=established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" connection-state=invalid
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" out-interface=\
       ether1-gateway
    add action=masquerade chain=srcnat comment="masq. vpn traffic" out-interface=\
       ether1-gateway src-address=192.168.89.0/24
    add action=masquerade chain=srcnat log=yes out-interface=ether1-gateway src-address=\
       192.168.90.0/24
    /ip firewall service-port
    set tftp disabled=yes

    /ppp
    # 29.12.2014 11:04:08 by RouterOS 6.24
    # software id = CDRV-B447
    #
    /ppp profile
    add change-tcp-mss=yes dns-server=192.168.88.1 local-address=192.168.89.1 name=\
       L2TP-profile remote-address=vpn
    set 2 local-address=192.168.89.1 remote-address=vpn
    /ppp secret
    add name=vpn password=secret profile=L2TP-profile service=l2tp

    Thanks in advance if anyone looks into this!
     
     
     
    kielerjung
    Guest
    #8
    0
    31.12.2014 12:58:00
    I have the same problem. The configs look like those in the previous post.
     
     
     
    gcraenen
    Guest
    #9
    0
    05.01.2015 08:55:00
    Hi, I stopped bothering with it and use OpenVPN instead. There is a decent "tutorial" on YouTube for setting up OVPN by Pascom: https://www.youtube.com/channel/UCSnsMvX609Q9wagJREg9EdA. It works fine in my situation with "road-warriors".
     
     
     
    zaedi
    Guest
    #10
    0
    26.08.2015 03:44:00
    How do I set up an L2TP/IPsec VPN when the WAN interface has several public IP addresses?
     
     
     
    zopper
    Guest
    #11
    0
    19.09.2015 15:17:00
    So I finally got it working. I'm not sure I didn't make any other changes, but the step from the non-working state to the working one was going to IP/IPSec/Policy and enabling the default entry that is there.

    /ip ipsec policy print
    Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
    0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
          proposal=default template=yes

    While this policy was disabled, I could see incoming connections in the logs and could also see remote users connected briefly under IPSec/Remote Peers, but after a short time they were disconnected with a timeout. After enabling it, everything worked like a charm. (By the way, it was this very thread that prompted me to look at the policy.)
     
     
     
    andyanthoine
    Guest
    #12
    0
    21.09.2015 04:24:00
    As far as I understand, everything works fine on my router, so I'll try to explain how I have it set up. First: PPP > Interface, enable L2TP Server, do the same for USE IPSEC and set the IPSEC key. Then: create a user, choose service: L2TP, and set the local and remote address and the route. Say your transport block is 172.24.103.0/24: local address: 172.24.103.254, remote: 172.24.103.2, route: 172.24.103.0/24, 172.24.103.254, 1. In the profile, edit the associated profile and add the IP address of your DNS server. Mine is 172.24.102.254 (that is the address of my MKT on my local network). And that's it! Since the IPSEC rule was added for L2TP SERVER, setup has become much simpler; it shouldn't take more than that to get it working. By the way, don't forget to open all the necessary ports for L2TP, IPSEC, etc.
     
     
     