Hello,
I hope I'm going about this request the right way.
I want to set up an L2TP/IPsec VPN on a Debian server (3.2.0-4-686-pae #1 SMP Debian 3.2.51-1 i686 GNU/Linux).
So I followed this tutorial: fcojean.spodylo.com/2014/01/28/u … -openswan/ with a few adaptations.
ipsec.conf:
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
# Add connections here
include /etc/ipsec.d/l2tp-psk.conf
l2tp-psk.conf:
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    # Server IP
    left=192.168.1.60
    leftprotoport=17/1701
    leftnexthop=%defaultroute
    #
    # The remote user.
    right=%any
    rightprotoport=17/%any
    # Works around a bug on disconnect that prevents reconnecting with OS X and iOS
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear
conn passthrough-for-non-l2tp
    type=passthrough
    # Server IP
    left=192.168.1.60
    leftnexthop=%defaultroute
    right=0.0.0.0
    rightsubnet=0.0.0.0/0
    auto=route
xl2tpd.conf:
[global]
ipsec saref = yes
[lns default]
ip range = 192.168.1.80-192.168.1.90
local ip = 192.168.1.60
length bit = yes
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
The goal here is to connect a Windows Phone client (it has supported L2TP/IPsec for a short while now) to my LAN in order to access local services.
The VPN server's IP is 192.168.1.60 (hostname hibiscus); my gateway is 192.168.1.1. I'm behind an SFR box, and I did create the NAT rules for UDP ports 500, 4500 and 1701.
The problem is that when I try to connect I get two errors: sometimes 13012, sometimes 809.
A tail of /var/log/auth.log:
Aug 4 19:36:14 hibiscus pluto[23519]: "L2TP-PSK-NAT"[64] MONIPPUBLIQUE #222: us: 192.168.1.60<192.168.1.60>[+S=C]:17/1701---192.168.1.1
Aug 4 19:36:14 hibiscus pluto[23519]: "L2TP-PSK-NAT"[64] MONIPPUBLIQUE #222: them: MONIPPUBLIQUE[100.126.86.15,+S=C]:17/1701===100.126.86.15/32
Aug 4 19:36:14 hibiscus pluto[23519]: "L2TP-PSK-NAT"[64] MONIPPUBLIQUE #222: keeping refhim=4294901761 during rekey
Aug 4 19:36:14 hibiscus pluto[23519]: "L2TP-PSK-NAT"[64] MONIPPUBLIQUE #222: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 4 19:36:14 hibiscus pluto[23519]: "L2TP-PSK-NAT"[64] MONIPPUBLIQUE #222: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 4 19:36:14 hibiscus pluto[23519]: "L2TP-PSK-NAT"[64] MONIPPUBLIQUE #222: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 4 19:36:14 hibiscus pluto[23519]: "L2TP-PSK-NAT"[64] MONIPPUBLIQUE #222: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 4 19:36:14 hibiscus pluto[23519]: "L2TP-PSK-NAT"[64] MONIPPUBLIQUE #222: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x9ee438e4 <0xafd767eb xfrm=AES_128-HMAC_SHA1 NATOA=100.126.86.15 NATD=92.90.16.131:54472 DPD=none}
Aug 4 19:36:14 hibiscus pluto[23519]: "L2TP-PSK-NAT"[64] MONIPPUBLIQUE #216: received Delete SA(0xefdd064a) payload: deleting IPSEC State #221
Aug 4 19:36:14 hibiscus pluto[23519]: "L2TP-PSK-NAT"[64] MONIPPUBLIQUE #216: received and ignored informational message
It looks like it's giving me the IP 100.126.86.15 inside the VPN, even though that isn't in the specified range at all.
I admit I'm stuck there, hence my call for help.
Just in case, ipsec verify:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.2.0-4-686-pae (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Once again, I hope I went about this request the right way.
Thanks in advance!
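An added example, not part of the original post: a small Python parser over pluto's "IPsec SA established" line, pulling out the ESP SPIs, the transform, the NAT-OA/NAT-D fields and the DPD state, and classifying the NAT-OA address against RFC 6598 shared address space (100.64.0.0/10), the carrier-grade NAT range mobile operators commonly use. The sample log lines are constructed from the ones quoted above (MONIPPUBLIQUE is the poster's own placeholder and is left as-is); the xl2tpd `ip range` governs only the PPP address inside the tunnel and is deliberately not consulted here.

```python
import ipaddress
import re

# Constructed sample: two pluto lines taken from the post above.
SAMPLE_LOG = """\
Aug 4 19:36:14 hibiscus pluto[23519]: "L2TP-PSK-NAT"[64] MONIPPUBLIQUE #222: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x9ee438e4 <0xafd767eb xfrm=AES_128-HMAC_SHA1 NATOA=100.126.86.15 NATD=92.90.16.131:54472 DPD=none}
Aug 4 19:36:14 hibiscus pluto[23519]: "L2TP-PSK-NAT"[64] MONIPPUBLIQUE #222: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
"""

SA_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<sa>\d+): STATE_QUICK_R2: '
                   r'IPsec SA established (?P<mode>\w+) mode \{(?P<attrs>[^}]*)\}')
SPI_RE = re.compile(r'ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)')
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def parse_sa_lines(log):
    """Return one dict per 'IPsec SA established' line with its {key=value} attributes."""
    result = []
    for line in log.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        # key=value tokens; the ESP token carries the SPI pair and is parsed separately
        attrs = dict(t.split("=", 1) for t in m["attrs"].split()
                     if "=" in t and not t.startswith("ESP"))
        spi = SPI_RE.search(m["attrs"])
        result.append({
            "conn": m["conn"], "sa": int(m["sa"]), "mode": m["mode"],
            "spi_out": spi["out"], "spi_in": spi["in"],
            "xfrm": attrs.get("xfrm"), "natoa": attrs.get("NATOA"),
            "natd": attrs.get("NATD"), "dpd": attrs.get("DPD"),
        })
    return result


def classify_peer(sa):
    """Explain where the NAT-OA address comes from; None when the peer is not NATed."""
    if not sa["natoa"]:
        return None
    inner = ipaddress.ip_address(sa["natoa"])   # peer's own address before its NAT
    outer = sa["natd"].rsplit(":", 1)[0]        # address the packets actually arrive from
    if inner in CGNAT:
        kind = "carrier-grade NAT (RFC 6598)"
    elif inner.is_private:
        kind = "RFC 1918 private"
    else:
        kind = "public"
    return {"inner": str(inner), "outer": outer, "kind": kind,
            "nat_traversal": outer != str(inner), "dpd_active": sa["dpd"] != "none"}
```

Run against the sample, the NAT-OA 100.126.86.15 is reported as a carrier-grade NAT address that belongs to the client's mobile network, distinct from anything xl2tpd would assign from its pool.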