IPSec VPN Debian Squeeze server for Mac OS X

I am trying to set up an IPSec VPN on my home Debian server so that I can reach my home network and browse without the internet filtering on my college network, and so that I can do maintenance on my home network from college as needed. I set up my server following this link, and when I try to connect to it from Mac OS X 10.7.4 it says: "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator." It prints the following to the console:

    8/11/12 7:11:11.532 PM configd: SCNC: start, triggered by SystemUIServer, type L2TP, status 0
    8/11/12 7:11:11.669 PM pppd: pppd 2.4.2 (Apple version 560.13) started by Jon, uid 501
    8/11/12 7:11:11.687 PM pppd: L2TP connecting to server '10.0.1.100' (10.0.1.100)...
    8/11/12 7:11:11.688 PM pppd: IPSec connection started
    8/11/12 7:11:11.708 PM racoon: Connecting.
    8/11/12 7:11:11.709 PM racoon: IPSec Phase1 started (Initiated by me).
    8/11/12 7:11:11.709 PM racoon: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
    8/11/12 7:11:14.712 PM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
    8/11/12 7:11:17.716 PM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
    8/11/12 7:11:20.719 PM racoon: IKE Packet: transmit success. (Phase1 Retransmit).
    8/11/12 7:11:21.710 PM pppd: IPSec connection failed

I set debugging to level 3, tried again and pulled the logs from the server, and nothing is printed in the logs. I think that for some reason the server is not receiving or not recognizing the VPN connection attempt, since it prints the same thing in the logs as when I try to connect to a server that does not exist. The server has IP 10.0.1.100, which is the IP address I am trying to connect to, in case something is wrong with the port forwarding on the router. Here are my three config files, configured according to the instructions linked above. (I replaced the secrets with asterisks.)

/etc/freeradius/clients.conf

    # -*- text -*-
    ##
    ## clients.conf -- client configuration directives
    ##
    ##    $Id$

    #######################################################################
    #
    #  Define RADIUS clients (usually a NAS, Access Point, etc.).

    #
    #  Defines a RADIUS client.
    #
    #  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
    #  to allow testing of the server after an initial installation.  If you
    #  are not going to be permitting RADIUS queries from localhost, we suggest
    #  that you delete, or comment out, this entry.
    #
    #

    #
    #  Each client has a "short name" that is used to distinguish it from
    #  other clients.
    #
    #  In version 1.x, the string after the word "client" was the IP
    #  address of the client.  In 2.0, the IP address is configured via
    #  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
    #  format is still accepted.
    #

    client localhost {
        #  Allowed values are:
        #    dotted quad (1.2.3.4)
        #    hostname    (radius.example.com)
        ipaddr = 127.0.0.1

        #  OR, you can use an IPv6 address, but not both
        #  at the same time.
    #    ipv6addr = ::    # any.  ::1 == localhost

        #
        #  A note on DNS:  We STRONGLY recommend using IP addresses
        #  rather than host names.  Using host names means that the
        #  server will do DNS lookups when it starts, making it
        #  dependent on DNS.  ie If anything goes wrong with DNS,
        #  the server won't start!
        #
        #  The server also looks up the IP address from DNS once, and
        #  only once, when it starts.  If the DNS record is later
        #  updated, the server WILL NOT see that update.
        #

        #  One client definition can be applied to an entire network.
        #  eg 127/8 should be defined with "ipaddr = 127.0.0.0" and
        #  "netmask = 8"
        #
        #  If not specified, the default netmask is 32 (ie /32)
        #
        #  We do NOT recommend using anything other than 32.  There
        #  are usually other, better ways to achieve the same goal.
        #  Using netmasks of other than 32 can cause security issues.
        #
        #  You can specify overlapping networks (127/8 and 127.0/16)
        #  In that case, the smallest possible network will be used
        #  as the "best match" for the client.
        #
        #  Clients can also be defined dynamically at run time, based
        #  on any criteria.  eg SQL lookups, keying off of NAS-Identifier,
        #  etc.
        #  See raddb/sites-available/dynamic-clients for details.
        #

    #    netmask = 32

        #
        #  The shared secret use to "encrypt" and "sign" packets between
        #  the NAS and FreeRADIUS.  You MUST change this secret from the
        #  default, otherwise it's not a secret any more!
        #
        #  The secret can be any string, up to 8k characters in length.
        #
        #  Control codes can be entered vi octal encoding,
        #    eg "\101\102" == "AB"
        #  Quotation marks can be entered by escaping them,
        #    eg "foo\"bar"
        #
        #  A note on security:  The security of the RADIUS protocol
        #  depends COMPLETELY on this secret!  We recommend using a
        #  shared secret that is composed of:
        #
        #    upper case letters
        #    lower case letters
        #    numbers
        #
        #  And is at LEAST 8 characters long, preferably 16 characters in
        #  length.  The secret MUST be random, and should not be words,
        #  phrase, or anything else that is recognizable.
        #
        #  The default secret below is only for testing, and should
        #  not be used in any real environment.
        #
        secret = ********

        #
        #  Old-style clients do not send a Message-Authenticator
        #  in an Access-Request.  RFC 5080 suggests that all clients
        #  SHOULD include it in an Access-Request.  The configuration
        #  item below allows the server to require it.  If a client
        #  is required to include a Message-Authenticator and it does
        #  not, then the packet will be silently discarded.
        #
        #  allowed values: yes, no
        require_message_authenticator = no

        #
        #  The short name is used as an alias for the fully qualified
        #  domain name, or the IP address.
        #
        #  It is accepted for compatibility with 1.x, but it is no
        #  longer necessary in 2.0
        #
    #    shortname = localhost

        #
        # the following three fields are optional, but may be used by
        # checkrad.pl for simultaneous use checks
        #

        #
        # The nastype tells 'checkrad.pl' which NAS-specific method to
        #  use to query the NAS for simultaneous use.
        #
        #  Permitted NAS types are:
        #
        #    cisco
        #    computone
        #    livingston
        #    max40xx
        #    multitech
        #    netserver
        #    pathras
        #    patton
        #    portslave
        #    tc
        #    usrhiper
        #    other        # for all other types

        #
        nastype = other    # localhost isn't usually a NAS...

        #
        #  The following two configurations are for future use.
        #  The 'naspasswd' file is currently used to store the NAS
        #  login name and password, which is used by checkrad.pl
        #  when querying the NAS for simultaneous use.
        #
    #    login = !root
    #    password = someadminpas

        #
        #  As of 2.0, clients can also be tied to a virtual server.
        #  This is done by setting the "virtual_server" configuration
        #  item, as in the example below.
        #
    #    virtual_server = home1

        #
        #  A pointer to the "home_server_pool" OR a "home_server"
        #  section that contains the CoA configuration for this
        #  client.  For an example of a coa home server or pool,
        #  see raddb/sites-available/originate-coa
    #    coa_server = coa
    }

    # IPv6 Client
    #client ::1 {
    #    secret        = testing123
    #    shortname     = localhost
    #}

    #
    #  All IPv6 Site-local clients
    #client fe80::/16 {
    #    secret        = testing123
    #    shortname     = localhost
    #}

    #client some.host.org {
    #    secret        = testing123
    #    shortname     = localhost
    #}

    #
    #  You can now specify one secret for a network of clients.
    #  When a client request comes in, the BEST match is chosen.
    #  ie The entry from the smallest possible network.
    #
    #client 192.168.0.0/24 {
    #    secret        = testing123-1
    #    shortname     = private-network-1
    #}
    #
    #client 192.168.0.0/16 {
    #    secret        = testing123-2
    #    shortname     = private-network-2
    #}

    #client 10.10.10.10 {
    #    # secret and password are mapped through the "secrets" file.
    #    secret      = testing123
    #    shortname   = liv1
    #    # the following three fields are optional, but may be used by
    #    # checkrad.pl for simultaneous usage checks
    #    nastype     = livingston
    #    login       = !root
    #    password    = someadminpas
    #}

    #######################################################################
    #
    #  Per-socket client lists.  The configuration entries are exactly
    #  the same as above, but they are nested inside of a section.
    #
    #  You can have as many per-socket client lists as you have "listen"
    #  sections, or you can re-use a list among multiple "listen" sections.
    #
    #  Un-comment this section, and edit a "listen" section to add:
    #  "clients = per_socket_clients".  That IP address/port combination
    #  will then accept ONLY the clients listed in this section.
    #
    #clients per_socket_clients {
    #    client 192.168.3.4 {
    #        secret = testing123
    #    }
    #}

/etc/l2tpns/startup-config

    # Debugging level
    set debug 2

    # Log file: comment out to use stderr, use "syslog:facility" for syslog
    set log_file "/var/log/l2tpns"

    # Write pid to this file
    set pid_file "/var/run/l2tpns.pid"

    # Shared secret with LAC
    set l2tp_secret ""

    # MTU of interface for L2TP traffic
    #set l2tp_mtu 1500

    # PPP counter and timer values
    #set ppp_restart_time 3
    #set ppp_max_configure 10
    #set ppp_max_failure 5

    # Only 2 DNS server entries are allowed
    set primary_dns 10.0.1.1
    set secondary_dns 8.8.8.8

    # Can have multiple radius server entries, but ony one radius secret
    set primary_radius 127.0.0.1
    #set primary_radius_port 1645
    #set secondary_radius 0.0.0.0
    #set secondary_radius_port 1645
    set radius_secret "********"

    # Acceptable authentication types (pap, chap) in order of preference
    #set radius_authtypes "pap"

    # Turn on or off Radius Accounting
    #set radius_accounting no

    # Port for DAE RADIUS requests
    #set radius_dae_port 3799

    # Allow multiple logins for the same username
    #set allow_duplicate_users no

    # Write usage accounting files into specified directory
    set accounting_dir "/var/run/l2tpns/acct"

    # Listen address for L2TP
    set bind_address 10.0.1.100

    # Send a gratiuitous ARP for bind address
    set send_garp yes

    # Gateway address given to clients
    set peer_address 10.0.1.1

    # Default throttle rate in kb/s
    #set throttle_speed 0

    # Number of buckets to allocate for throttling
    #set throttle_buckets 3000

    # If set to anything other than 0, setuid when initialised.
    #set setuid 0

    # If set to true, dump current speed to stderr every second
    #set dump_speed no

    # Number of packets to read from tun/udp/cluster fd when select
    # returns readable
    #set multi_read_count 10

    # Set scheduling priority of process to SCHED_FIFO
    #set scheduler_fifo no

    # Lock pages into memory
    #set lock_pages no

    # Maximum number of host unreachable packets to send per second
    #set icmp_rate 0

    # Maximum number of downstream packets per 0.1s to handle for each
    # session (0 = ulimited)
    #set packet_limit 0

    # Cluster multicast address, interface
    #set cluster_address 239.192.13.13
    set cluster_interface eth1

    # Cluster multicast TTL
    #set cluster_mcast_ttl 1

    # Cluster timers (1/10th second)
    set cluster_hb_interval 100
    set cluster_hb_timeout 20

    # Minimum number of slaves before master withdraws routes
    #set cluster_master_min_adv 1

    # Drop/kill sessions
    #load plugin "sessionctl"

    # Throttle/snoop based on RADIUS
    #load plugin "autothrottle"
    #load plugin "autosnoop"

    # Control throttle/snoop with nsctl
    #load plugin "throttlectl"
    #load plugin "snoopctl"

    # Punt RX speed if not supplied
    #load plugin "setrxspeed"

    # Remove domain from username
    #load plugin "stripdomain"

    # Walled garden
    #load plugin "garden"

/etc/ipsec.conf

    # /etc/ipsec.conf - Openswan IPsec configuration file
    # This file:  /usr/share/doc/openswan/ipsec.conf-sample
    #
    # Manual:     ipsec.conf.5

    version 2.0     # conforms to second version of ipsec.conf specification

    # basic configuration
    config setup
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!abc0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12:!10.0.1.0/24
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        #
        #interfaces="ipsec0=br0"
        uniqueids=no

    conn road_warrior
        rekey=no
        authby=secret
        pfs=no
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        compress=yes
        #
        left=10.0.0.100
        leftprotoport=17/1701
        leftnexthop=10.0.1.1
        #
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        #
        auto=add

/etc/ipsec.secrets

    # /etc/ipsec.secrets
    # The IPSec Secrets File
    10.0.1.100: PSK "********"

Does anyone see a problem in these config files? I'm stumped...
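An L2TP/IPsec server built from separate daemons (Openswan for IKE/ESP, l2tpns for the tunnel, FreeRADIUS for authentication) only works when the same addresses and identities appear in every file: the `left=` address Openswan answers IKE on, the `bind_address` l2tpns listens on, and the identity the PSK is filed under in ipsec.secrets. When they disagree, the client sees exactly the symptom in the console log above (Main-Mode message 1 sent, Phase 1 retransmits, no reply) and the server logs nothing because no daemon owns the address the packet was sent to. The script below is an added example, not code from the question or from any of those projects; it parses constructed excerpts that carry the values shown in the posted files (assumed to be representative, secrets masked) and reports cross-file mismatches. Run against the posted values it reports two findings, both involving `left=10.0.0.100`.

```python
"""Cross-file consistency check for an Openswan + l2tpns L2TP/IPsec server.

Added example (not from the original post). The excerpts below are
constructed from the values in the question; only keys that matter for
the check are included.
"""
import re

# Constructed excerpt of /etc/l2tpns/startup-config (values from the post).
L2TPNS_CONF = """
# Listen address for L2TP
set bind_address 10.0.1.100
# Gateway address given to clients
set peer_address 10.0.1.1
"""

# Constructed excerpt of /etc/ipsec.conf (values from the post).
IPSEC_CONF = """
config setup
    nat_traversal=yes
    protostack=netkey

conn road_warrior
    authby=secret
    left=10.0.0.100
    leftprotoport=17/1701
    leftnexthop=10.0.1.1
    right=%any
    rightprotoport=17/%any
    auto=add
"""

# Constructed excerpt of /etc/ipsec.secrets (PSK masked as in the post).
IPSEC_SECRETS = """
# /etc/ipsec.secrets
10.0.1.100: PSK "********"
"""


def parse_l2tpns(text):
    """Return {key: value} from l2tpns 'set key value' lines, ignoring comments."""
    out = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        m = re.match(r'set\s+(\S+)\s+(.*)$', line)
        if m:
            out[m.group(1)] = m.group(2).strip().strip('"')
    return out


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}} from ipsec.conf.

    Section headers start in column 0; key=value lines are indented.
    """
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.split('#', 1)[0].rstrip()
        if not stripped.strip():
            continue
        if not stripped[0].isspace():
            current = ' '.join(stripped.split()[:2])
            sections[current] = {}
        elif current is not None and '=' in stripped:
            key, value = stripped.strip().split('=', 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_ipsec_secrets(text):
    """Return the identity selectors (IPv4 addresses or %any) that carry a PSK."""
    ids = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        m = re.match(r'^(.*?)\s*:\s*PSK\s', line)
        if m:
            ids.extend(m.group(1).split())
    return ids


def check_consistency(l2tpns_text, ipsec_text, secrets_text, conn='road_warrior'):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    l2 = parse_l2tpns(l2tpns_text)
    ipsec = parse_ipsec_conf(ipsec_text)
    secret_ids = parse_ipsec_secrets(secrets_text)
    conn_cfg = ipsec.get('conn ' + conn, {})
    bind, left = l2.get('bind_address'), conn_cfg.get('left')

    # The IKE responder address and the L2TP listener must be the same host address.
    if bind and left and bind != left:
        findings.append(f"conn {conn}: left={left} but l2tpns bind_address={bind}")
    # L2TP rides on UDP/1701; anything else will never match the client's proposal.
    if conn_cfg.get('leftprotoport') != '17/1701':
        findings.append(f"conn {conn}: leftprotoport should be 17/1701")
    # The PSK must be filed under the responder's own identity (or %any).
    if left and left not in secret_ids and '%any' not in secret_ids:
        findings.append(f"ipsec.secrets: no PSK entry for left={left} (have {secret_ids})")
    # Road-warrior clients are almost always behind NAT.
    if ipsec.get('config setup', {}).get('nat_traversal') != 'yes':
        findings.append("config setup: nat_traversal is not 'yes'")
    return findings


if __name__ == '__main__':
    for finding in check_consistency(L2TPNS_CONF, IPSEC_CONF, IPSEC_SECRETS):
        print('MISMATCH:', finding)
```

To use it on a real box, read the three files from disk and pass their contents to `check_consistency`. Independently of the config contents, the "Phase 1 retransmit, nothing in the server log" pattern is worth confirming on the wire: on the server, `ss -ulnp` should show a listener on UDP 500 and 4500 (pluto) and on UDP 1701 (l2tpns) at the address the client dials, and `tcpdump -ni eth0 udp port 500 or udp port 4500` should show the client's IKE packets arriving while a connection attempt is running. If the packets arrive but nothing answers, the configuration is the problem; if they never arrive, look at the router's port forwarding first.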
