Mac OS X用IPSec VPN Debian Squeezeサーバー

Mac OS X用IPSec VPN Debian Squeezeサーバー

私はDebianホームサーバーにIPSec VPNを設定しようとしています。これにより、大学ネットワークはインターネットをフィルタリングせずにホームネットワークにアクセスして閲覧できます。これにより、大学にいる間にホームネットワークのメンテナンスを行うことができます。 。私は次のようにサーバーを設定しました。このリンク、Mac OS経由で接続しようとすると、コンソールに次のものが印刷されます。

8/11/12 7:11:11.532 PM configd: SCNC: start, triggered by SystemUIServer, type L2TP, status 0
8/11/12 7:11:11.669 PM pppd: pppd 2.4.2 (Apple version 560.13) started by Jon, uid 501
8/11/12 7:11:11.687 PM pppd: L2TP connecting to server '10.0.1.100' (10.0.1.100)...
8/11/12 7:11:11.688 PM pppd: IPSec connection started
8/11/12 7:11:11.708 PM racoon: Connecting.
8/11/12 7:11:11.709 PM racoon: IPSec Phase1 started (Initiated by me).
8/11/12 7:11:11.709 PM racoon: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
8/11/12 7:11:14.712 PM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
8/11/12 7:11:17.716 PM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
8/11/12 7:11:20.719 PM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
8/11/12 7:11:21.710 PM pppd: IPSec connection failed

デバッグをレベル3に設定して再試行してサーバーからログを取得すると、ログには何も印刷されません。存在しないサーバーに接続しようとすると、ログに同じ内容が印刷されるため、サーバーはVPN接続の試みを取得または認識しないようです。サーバーのIPは10.0.1.100ですが、ルーターのポート転送に問題がある場合に備えて接続したいIPです。上記の方法ガイドに従って設定された3つの設定ファイルは次のとおりです。 (パスワードをアスタリスクに置き換えました)

/etc/freeradius/clients.conf

# -*- text -*-
##
## clients.conf -- client configuration directives
##
##  $Id$

#######################################################################
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).

#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#

#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#
client localhost {
    #  Allowed values are:
    #   dotted quad (1.2.3.4)
    #       hostname    (radius.example.com)
    ipaddr = 127.0.0.1

    #  OR, you can use an IPv6 address, but not both
    #  at the same time.
#   ipv6addr = ::   # any.  ::1 == localhost

    #
    #  A note on DNS:  We STRONGLY recommend using IP addresses
    #  rather than host names.  Using host names means that the
    #  server will do DNS lookups when it starts, making it
    #  dependent on DNS.  i.e. If anything goes wrong with DNS,
    #  the server won't start!
    #
    #  The server also looks up the IP address from DNS once, and
    #  only once, when it starts.  If the DNS record is later
    #  updated, the server WILL NOT see that update.
    #

    #  One client definition can be applied to an entire network.
    #  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
    #  "netmask = 8"
    #
    #  If not specified, the default netmask is 32 (i.e. /32)
    #
    #  We do NOT recommend using anything other than 32.  There
    #  are usually other, better ways to achieve the same goal.
    #  Using netmasks of other than 32 can cause security issues.
    #
    #  You can specify overlapping networks (127/8 and 127.0/16)
    #  In that case, the smallest possible network will be used
    #  as the "best match" for the client.
    #
    #  Clients can also be defined dynamically at run time, based
    #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
    #  etc.
    #  See raddb/sites-available/dynamic-clients for details.
    #

#   netmask = 32

    #
    #  The shared secret use to "encrypt" and "sign" packets between
    #  the NAS and FreeRADIUS.  You MUST change this secret from the
    #  default, otherwise it's not a secret any more!
    #
    #  The secret can be any string, up to 8k characters in length.
    #
    #  Control codes can be entered vi octal encoding,
    #   e.g. "\101\102" == "AB"
    #  Quotation marks can be entered by escaping them,
    #   e.g. "foo\"bar"
    #
    #  A note on security:  The security of the RADIUS protocol
    #  depends COMPLETELY on this secret!  We recommend using a
    #  shared secret that is composed of:
    #
    #   upper case letters
    #   lower case letters
    #   numbers
    #
    #  And is at LEAST 8 characters long, preferably 16 characters in
    #  length.  The secret MUST be random, and should not be words,
    #  phrase, or anything else that is recognizable.
    #
    #  The default secret below is only for testing, and should
    #  not be used in any real environment.
    #
    secret      = ********

    #
    #  Old-style clients do not send a Message-Authenticator
    #  in an Access-Request.  RFC 5080 suggests that all clients
    #  SHOULD include it in an Access-Request.  The configuration
    #  item below allows the server to require it.  If a client
    #  is required to include a Message-Authenticator and it does
    #  not, then the packet will be silently discarded.
    #
    #  allowed values: yes, no
    require_message_authenticator = no

    #
    #  The short name is used as an alias for the fully qualified
    #  domain name, or the IP address.
    #
    #  It is accepted for compatibility with 1.x, but it is no
    #  longer necessary in 2.0
    #
#   shortname   = localhost

    #
    # the following three fields are optional, but may be used by
    # checkrad.pl for simultaneous use checks
    #

    #
    # The nastype tells 'checkrad.pl' which NAS-specific method to
    #  use to query the NAS for simultaneous use.
    #
    #  Permitted NAS types are:
    #
    #   cisco
    #   computone
    #   livingston
    #   max40xx
    #   multitech
    #   netserver
    #   pathras
    #   patton
    #   portslave
    #   tc
    #   usrhiper
    #   other       # for all other types

    #
    nastype     = other # localhost isn't usually a NAS...

    #
    #  The following two configurations are for future use.
    #  The 'naspasswd' file is currently used to store the NAS
    #  login name and password, which is used by checkrad.pl
    #  when querying the NAS for simultaneous use.
    #
#   login       = !root
#   password    = someadminpas

    #
    #  As of 2.0, clients can also be tied to a virtual server.
    #  This is done by setting the "virtual_server" configuration
    #  item, as in the example below.
    #
#   virtual_server = home1

    #
    #  A pointer to the "home_server_pool" OR a "home_server"
    #  section that contains the CoA configuration for this
    #  client.  For an example of a coa home server or pool,
    #  see raddb/sites-available/originate-coa
#   coa_server = coa
}

# IPv6 Client
#client ::1 {
#   secret      = testing123
#   shortname   = localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
#   secret      = testing123
#   shortname   = localhost
#}

#client some.host.org {
#   secret      = testing123
#   shortname   = localhost
#}

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
#   secret      = testing123-1
#   shortname   = private-network-1
#}
#
#client 192.168.0.0/16 {
#   secret      = testing123-2
#   shortname   = private-network-2
#}


#client 10.10.10.10 {
#   # secret and password are mapped through the "secrets" file.
#   secret      = testing123
#   shortname   = liv1
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
#   nastype     = livingston
#   login       = !root
#   password    = someadminpas
#}

#######################################################################
#
#  Per-socket client lists.  The configuration entries are exactly
#  the same as above, but they are nested inside of a section.
#
#  You can have as many per-socket client lists as you have "listen"
#  sections, or you can re-use a list among multiple "listen" sections.
#
#  Un-comment this section, and edit a "listen" section to add:
#  "clients = per_socket_clients".  That IP address/port combination
#  will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
#   client 192.168.3.4 {
#       secret = testing123
#        }
#}

/etc/l2tpns/startup 設定

# Debugging level
set debug 2

# Log file: comment out to use stderr, use "syslog:facility" for syslog
set log_file "/var/log/l2tpns"

# Write pid to this file
set pid_file "/var/run/l2tpns.pid"

# Shared secret with LAC
set l2tp_secret ""

# MTU of interface for L2TP traffic
#set l2tp_mtu 1500

# PPP counter and timer values
#set ppp_restart_time 3
#set ppp_max_configure 10
#set ppp_max_failure 5

# Only 2 DNS server entries are allowed
set primary_dns 10.0.1.1
set secondary_dns 8.8.8.8

# Can have multiple radius server entries, but ony one radius secret
set primary_radius 127.0.0.1
#set primary_radius_port 1645
#set secondary_radius 0.0.0.0
#set secondary_radius_port 1645
set radius_secret "********"

# Acceptable authentication types (pap, chap) in order of preference
#set radius_authtypes "pap"

# Turn on or off Radius Accounting
#set radius_accounting no

# Port for DAE RADIUS requests
#set radius_dae_port 3799

# Allow multiple logins for the same username
#set allow_duplicate_users no

# Write usage accounting files into specified directory
set accounting_dir "/var/run/l2tpns/acct"

# Listen address for L2TP
set bind_address 10.0.1.100

# Send a gratiuitous ARP for bind address
set send_garp yes

# Gateway address given to clients
set peer_address 10.0.1.1

# Default throttle rate in kb/s
#set throttle_speed 0

# Number of buckets to allocate for throttling
#set throttle_buckets 3000

# If set to anything other than 0, setuid when initialised.
#set setuid 0

# If set to true, dump current speed to stderr every second
#set dump_speed no

# Number of packets to read from tun/udp/cluster fd when select
# returns readable
#set multi_read_count 10

# Set scheduling priority of process to SCHED_FIFO
#set scheduler_fifo no

# Lock pages into memory
#set lock_pages no

# Maximum number of host unreachable packets to send per second
#set icmp_rate 0

# Maximum number of downstream packets per 0.1s to handle for each
# session (0 = ulimited)
#set packet_limit 0

# Cluster multicast address, interface
#set cluster_address 239.192.13.13
set cluster_interface eth1

# Cluster multicast TTL
#set cluster_mcast_ttl 1

# Cluster timers (1/10th second)
set cluster_hb_interval 100
set cluster_hb_timeout 20

# Minimum number of slaves before master withdraws routes
#set cluster_master_min_adv 1

# Drop/kill sessions
#load plugin "sessionctl"

# Throttle/snoop based on RADIUS
#load plugin "autothrottle"
#load plugin "autosnoop"

# Control throttle/snoop with nsctl
#load plugin "throttlectl"
#load plugin "snoopctl"

# Punt RX speed if not supplied
#load plugin "setrxspeed"

# Remove domain from username
#load plugin "stripdomain"

# Walled garden
#load plugin "garden"

/etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12:!10.0.1.0/24
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        #
        #interfaces="ipsec0=br0"
        uniqueids=no

conn road_warrior
        rekey=no
        authby=secret
        pfs=no
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        compress=yes
        #
        left=10.0.0.100
        leftprotoport=17/1701
        leftnexthop=10.0.1.1
        #
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        #
        auto=add

/etc/ipsec.secrets

# /etc/ipsec.secrets
# The IPSec Secrets File

10.0.1.100: PSK "********"

この設定ファイルで問題を発見した人はいますか?混乱しています...

関連情報