Ivan Buiko

L2TP VPN server, SSL error

Question

After upgrading to 3.0B (from the latest stable release, 2.15), when connected to the L2TP VPN server on a KN-1810 (Ultra) using the standard Mac OS client, "ERR_SSL_PROTOCOL_ERROR" errors started appearing when trying to open any website. If you reload the page, everything is fine (occasionally the error appears twice in a row, but rarely).

If you try to update packages in, say, brew, it fails with the error "curl: (56) LibreSSL SSL_read: error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt, errno 0"

Meanwhile, there are almost no errors in the Keenetic logs:

Май 10 13:43:07 ppp-l2tp
l2tp tunnel 55593-75 (<CLIENT_IP>:63465): impossible to send ZLB: sending packet failed
Май 10 13:43:07 ppp-l2tp
l2tp tunnel 55593-75 (<CLIENT_IP>:63465): impossible to reply to incoming messages: message transmission failed, deleting tunnel
Май 10 13:43:09 ppp-l2tp
l2tp: discarding unexpected message from <CLIENT_IP>: invalid tid 55593

Full connection log from the moment the error occurred (the attached self-test also covers the moment of the error):

Hidden text

Май 10 13:21:43 ipsec
10[CFG] received proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Май 10 13:21:43 ipsec
10[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Май 10 13:21:43 ipsec
10[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ
Май 10 13:21:43 ipsec
10[IKE] received 21474836000 lifebytes, configured 21474836480
Май 10 13:21:43 ipsec
10[IKE] detected rekeying of CHILD_SA VPNL2TPServer{83}
Май 10 13:21:43 ipsec
13[IKE] CHILD_SA VPNL2TPServer{84} established with SPIs c0bd367e_i c9293152_o and TS <KEENETIC_IP>/32[udp/l2tp] === 178.120.205.101/32[udp/41200]
Май 10 13:21:43 ndm
IpSec::Configurator: "VPNL2TPServer": IPsec connection to L2TP/IPsec server from "178.120.205.101" is established.
Май 10 13:21:44 ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Май 10 13:21:44 ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Май 10 13:21:48 ndm
kernel: EIP93: build inbound ESP connection, (SPI=c0bd367e)
Май 10 13:21:48 ndm
kernel: EIP93: build outbound ESP connection, (SPI=c9293152)
Май 10 13:21:50 ipsec
15[KNL] creating rekey job for CHILD_SA ESP/0xc7d189b3/<KEENETIC_IP>
Май 10 13:22:01 ipsec
11[KNL] creating rekey job for CHILD_SA ESP/0xc4a097d9/178.120.205.101
Май 10 13:22:22 ipsec
11[IKE] received DELETE for ESP CHILD_SA with SPI c4a097d9
Май 10 13:22:22 ipsec
11[IKE] closing CHILD_SA VPNL2TPServer{83} with SPIs c7d189b3_i (72621 bytes) c4a097d9_o (68905 bytes) and TS <KEENETIC_IP>/32[udp/l2tp] === 178.120.205.101/32[udp/41200]
Май 10 13:22:22 ndm
kernel: EIP93: release SPI c7d189b3
Май 10 13:22:22 ndm
kernel: EIP93: release SPI c4a097d9
Май 10 13:27:35 ipsec
07[IKE] received NAT-T (RFC 3947) vendor ID
Май 10 13:27:35 ipsec
07[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Май 10 13:27:35 ipsec
07[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Май 10 13:27:35 ipsec
07[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Май 10 13:27:35 ipsec
07[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Май 10 13:27:35 ipsec
07[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Май 10 13:27:35 ipsec
07[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Май 10 13:27:35 ipsec
07[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Май 10 13:27:35 ipsec
07[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Май 10 13:27:35 ipsec
07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Май 10 13:27:35 ipsec
07[IKE] received FRAGMENTATION vendor ID
Май 10 13:27:35 ipsec
07[IKE] received DPD vendor ID
Май 10 13:27:35 ipsec
07[IKE] <CLIENT_IP> is initiating a Main Mode IKE_SA
Май 10 13:27:35 ipsec
07[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Май 10 13:27:35 ipsec
[truncated] 07[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/ECP_384, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/ECP_256, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/ECP_384, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/ECP_256, IKE:DES_CBC/HMAC_MD5_96/PRF_HMA
Май 10 13:27:35 ipsec
07[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Май 10 13:27:35 ipsec
07[IKE] sending DPD vendor ID
Май 10 13:27:35 ipsec
07[IKE] sending FRAGMENTATION vendor ID
Май 10 13:27:35 ipsec
07[IKE] sending NAT-T (RFC 3947) vendor ID
Май 10 13:27:35 ipsec
06[IKE] remote host is behind NAT
Май 10 13:27:35 ipsec
06[IKE] linked key for crypto map '(unnamed)' is not found, still searching
Май 10 13:27:35 ipsec
15[CFG] looking for pre-shared key peer configs matching <KEENETIC_IP>...<CLIENT_IP>[<CLIENT_VPN_IP>]
Май 10 13:27:35 ipsec
15[CFG] selected peer config "VPNL2TPServer"
Май 10 13:27:35 ipsec
15[IKE] IKE_SA VPNL2TPServer[102] established between <KEENETIC_IP>[<KEENETIC_IP>]...<CLIENT_IP>[<CLIENT_VPN_IP>]
Май 10 13:27:35 ipsec
15[IKE] scheduling reauthentication in 28761s
Май 10 13:27:35 ipsec
15[IKE] maximum IKE_SA lifetime 28781s
Май 10 13:27:36 ipsec
09[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Май 10 13:27:36 ipsec
09[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Май 10 13:27:36 ipsec
09[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ
Май 10 13:27:36 ipsec
09[IKE] received 3600s lifetime, configured 28800s
Май 10 13:27:36 ipsec
09[IKE] received 0 lifebytes, configured 21474836480
Май 10 13:27:36 ndm
kernel: EIP93: build inbound ESP connection, (SPI=ce02c931)
Май 10 13:27:36 ipsec
05[IKE] CHILD_SA VPNL2TPServer{85} established with SPIs ce02c931_i 09ad1006_o and TS <KEENETIC_IP>/32[udp/l2tp] === <CLIENT_IP>/32[udp/63465]
Май 10 13:27:36 ndm
IpSec::Configurator: "VPNL2TPServer": IPsec connection to L2TP/IPsec server from "<CLIENT_IP>" is established.
Май 10 13:27:36 ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Май 10 13:27:36 ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Май 10 13:27:37 ndm
kernel: EIP93: build outbound ESP connection, (SPI=09ad1006)
Май 10 13:27:37 ppp-l2tp
l2tp: new tunnel 55593-75 created following reception of SCCRQ from <CLIENT_IP>:63465
Май 10 13:27:37 ppp-l2tp
l2tp tunnel 55593-75 (<CLIENT_IP>:63465): established at <KEENETIC_IP>:1701
Май 10 13:27:37 ppp-l2tp
l2tp tunnel 55593-75 (<CLIENT_IP>:63465): new session 6651-30282 created following reception of ICRQ
Май 10 13:27:37 ppp-l2tp
ppp2:<KEENETIC_USER_NAME>: connect: ppp2 <--> l2tp(<CLIENT_IP>:63465 session 55593-75, 6651-30282)
Май 10 13:27:37 ppp-l2tp
ppp2:<KEENETIC_USER_NAME>: <KEENETIC_USER_NAME>: authentication succeeded
Май 10 13:27:37 ndm
kernel: l2tp1: renamed from ppp2
Май 10 13:27:37 ppp-l2tp
l2tp1:<KEENETIC_USER_NAME>: session started over l2tp session 55593-75, 6651-30282
Май 10 13:27:37 ndm
IpSec::Configurator: "VPNL2TPServer": L2TP/IPsec client "<KEENETIC_USER_NAME>" connected from "<CLIENT_IP>" with address "192.168.100.211".
Май 10 13:36:34 wmond
WifiMaster0/AccessPoint0: (MT7615) STA(ac:38:70:3d:6e:2c) set key done in WPA2/WPA2PSK.
Май 10 13:38:15 ndm
kernel: AP 2.4GHz: run channel auto-switch
Май 10 13:38:19 ndm
kernel: ACS result: Primary Channel 12, Min Channel Busy = 0, BW = 20
Май 10 13:38:19 wmond
WifiMaster0/AccessPoint0: (MT7615) BSS(ra0) channel switched to 12.
Май 10 13:39:56 ndm
UPnP::Manager: redirect and forward rules deleted: tcp 58989.
Май 10 13:39:56 ndm
UPnP::Manager: a new nat rule appended.
Май 10 13:39:56 ndm
UPnP::Manager: redirect rule added: tcp PPPoE0:58989 -> 192.168.100.200:58989.
Май 10 13:39:56 ndm
UPnP::Manager: a new filter rule appended.
Май 10 13:39:56 ndm
UPnP::Manager: forward rule added: tcp PPPoE0 -> 192.168.100.200:58989.
Май 10 13:39:57 ndm
UPnP::Manager: redirect and forward rules deleted: udp 58989.
Май 10 13:39:57 ndm
UPnP::Manager: a new nat rule appended.
Май 10 13:39:57 ndm
UPnP::Manager: redirect rule added: udp PPPoE0:58989 -> 192.168.100.200:58989.
Май 10 13:39:57 ndm
UPnP::Manager: a new filter rule appended.
Май 10 13:39:57 ndm
UPnP::Manager: forward rule added: udp PPPoE0 -> 192.168.100.200:58989.
Май 10 13:43:07 ipsec
16[IKE] received DELETE for ESP CHILD_SA with SPI 09ad1006
Май 10 13:43:07 ipsec
16[IKE] closing CHILD_SA VPNL2TPServer{85} with SPIs ce02c931_i (4657102 bytes) 09ad1006_o (143553591 bytes) and TS <KEENETIC_IP>/32[udp/l2tp] === <CLIENT_IP>/32[udp/63465]
Май 10 13:43:07 ppp-l2tp
l2tp session 55593-75, 6651-30282: CDN received from peer (result: 768, error: 0, message: ""), disconnecting session
Май 10 13:43:07 ppp-l2tp
l2tp tunnel 55593-75 (<CLIENT_IP>:63465): no more session, disconnecting tunnel
Май 10 13:43:07 ndm
IpSec::Configurator: "VPNL2TPServer": L2TP/IPsec client "<KEENETIC_USER_NAME>" with address "192.168.100.211" (from "<CLIENT_IP>") disconnected.
Май 10 13:43:07 ndm
kernel: EIP93: release SPI ce02c931
Май 10 13:43:07 ndm
kernel: EIP93: release SPI 09ad1006
Май 10 13:43:07 ipsec
06[IKE] received DELETE for IKE_SA VPNL2TPServer[102]
Май 10 13:43:07 ipsec
06[IKE] deleting IKE_SA VPNL2TPServer[102] between <KEENETIC_IP>[<KEENETIC_IP>]...<CLIENT_IP>[<CLIENT_VPN_IP>]
Май 10 13:43:07 ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Май 10 13:43:07 ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Май 10 13:43:07 ppp-l2tp
l2tp tunnel 55593-75 (<CLIENT_IP>:63465): impossible to send ZLB: sending packet failed
Май 10 13:43:07 ppp-l2tp
l2tp tunnel 55593-75 (<CLIENT_IP>:63465): impossible to reply to incoming messages: message transmission failed, deleting tunnel
Май 10 13:43:09 ppp-l2tp
l2tp: discarding unexpected message from <CLIENT_IP>: invalid tid 55593
Май 10 13:43:33 ppp-l2tp
Core::Syslog: last message repeated 6 times.
Май 10 13:43:34 ipsec
06[IKE] received NAT-T (RFC 3947) vendor ID
Май 10 13:43:34 ipsec
06[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Май 10 13:43:34 ipsec
06[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Май 10 13:43:34 ipsec
06[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Май 10 13:43:34 ipsec
06[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Май 10 13:43:34 ipsec
06[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Май 10 13:43:34 ipsec
06[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Май 10 13:43:34 ipsec
06[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Май 10 13:43:34 ipsec
06[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Май 10 13:43:34 ipsec
06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Май 10 13:43:34 ipsec
06[IKE] received FRAGMENTATION vendor ID
Май 10 13:43:34 ipsec
06[IKE] received DPD vendor ID
Май 10 13:43:34 ipsec
06[IKE] <CLIENT_IP> is initiating a Main Mode IKE_SA
Май 10 13:43:34 ipsec
06[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Май 10 13:43:34 ipsec
[truncated] 06[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/ECP_384, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/ECP_256, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/ECP_384, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/ECP_256, IKE:DES_CBC/HMAC_MD5_96/PRF_HMA
Май 10 13:43:34 ipsec
06[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Май 10 13:43:34 ipsec
06[IKE] sending DPD vendor ID
Май 10 13:43:34 ipsec
06[IKE] sending FRAGMENTATION vendor ID
Май 10 13:43:34 ipsec
06[IKE] sending NAT-T (RFC 3947) vendor ID
Май 10 13:43:35 ipsec
10[IKE] remote host is behind NAT
Май 10 13:43:35 ipsec
10[IKE] linked key for crypto map '(unnamed)' is not found, still searching
Май 10 13:43:35 ipsec
14[CFG] looking for pre-shared key peer configs matching <KEENETIC_IP>...<CLIENT_IP>[<CLIENT_VPN_IP>]
Май 10 13:43:35 ipsec
14[CFG] selected peer config "VPNL2TPServer"
Май 10 13:43:35 ipsec
14[IKE] IKE_SA VPNL2TPServer[103] established between <KEENETIC_IP>[<KEENETIC_IP>]...<CLIENT_IP>[<CLIENT_VPN_IP>]
Май 10 13:43:35 ipsec
14[IKE] scheduling reauthentication in 28778s
Май 10 13:43:35 ipsec
14[IKE] maximum IKE_SA lifetime 28798s
Май 10 13:43:35 ipsec
09[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Май 10 13:43:35 ipsec
09[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
Май 10 13:43:35 ipsec
09[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ
Май 10 13:43:35 ipsec
09[IKE] received 3600s lifetime, configured 28800s
Май 10 13:43:35 ipsec
09[IKE] received 0 lifebytes, configured 21474836480
Май 10 13:43:35 ndm
kernel: EIP93: build inbound ESP connection, (SPI=c6dd59ad)
Май 10 13:43:35 ipsec
05[IKE] CHILD_SA VPNL2TPServer{86} established with SPIs c6dd59ad_i 0e0f8754_o and TS <KEENETIC_IP>/32[udp/l2tp] === <CLIENT_IP>/32[udp/49570]
Май 10 13:43:36 ndm
IpSec::Configurator: "VPNL2TPServer": IPsec connection to L2TP/IPsec server from "<CLIENT_IP>" is established.
Май 10 13:43:36 ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Май 10 13:43:36 ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Май 10 13:43:36 ndm
kernel: EIP93: build outbound ESP connection, (SPI=0e0f8754)
Май 10 13:43:36 ppp-l2tp
l2tp: new tunnel 16653-76 created following reception of SCCRQ from <CLIENT_IP>:49570
Май 10 13:43:36 ppp-l2tp
l2tp tunnel 16653-76 (<CLIENT_IP>:49570): established at <KEENETIC_IP>:1701
Май 10 13:43:36 ppp-l2tp
l2tp tunnel 16653-76 (<CLIENT_IP>:49570): new session 15314-38653 created following reception of ICRQ
Май 10 13:43:36 ppp-l2tp
ppp2:<KEENETIC_USER_NAME>: connect: ppp2 <--> l2tp(<CLIENT_IP>:49570 session 16653-76, 15314-38653)
Май 10 13:43:36 ppp-l2tp
ppp2:<KEENETIC_USER_NAME>: <KEENETIC_USER_NAME>: authentication succeeded
Май 10 13:43:36 ndm
kernel: l2tp1: renamed from ppp2
Май 10 13:43:36 ppp-l2tp
l2tp1:<KEENETIC_USER_NAME>: session started over l2tp session 16653-76, 15314-38653
Май 10 13:43:36 ndm
IpSec::Configurator: "VPNL2TPServer": L2TP/IPsec client "<KEENETIC_USER_NAME>" connected from "<CLIENT_IP>" with address "192.168.100.211".

 

self-test.txt
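
For triage of a log like the one above, the following added example (not part of the original post and not Keenetic code) parses the two-line entries, rebuilds each CHILD_SA's lifetime and byte counters, checks whether both SPIs were handed to the EIP93 engine, and lists the negotiated proposals. The log excerpt is copied from the post; the function names and the set of algorithms reported as legacy are assumptions of this example.

```python
import re

# Excerpt copied from the log in the post: each entry is a header line
# (date, time, source) followed by one message line.
SAMPLE_LOG = """\
Май 10 13:27:35 ipsec
07[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Май 10 13:27:36 ipsec
09[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ
Май 10 13:27:36 ndm
kernel: EIP93: build inbound ESP connection, (SPI=ce02c931)
Май 10 13:27:36 ipsec
05[IKE] CHILD_SA VPNL2TPServer{85} established with SPIs ce02c931_i 09ad1006_o and TS <KEENETIC_IP>/32[udp/l2tp] === <CLIENT_IP>/32[udp/63465]
Май 10 13:27:37 ndm
kernel: EIP93: build outbound ESP connection, (SPI=09ad1006)
Май 10 13:43:07 ipsec
16[IKE] closing CHILD_SA VPNL2TPServer{85} with SPIs ce02c931_i (4657102 bytes) 09ad1006_o (143553591 bytes) and TS <KEENETIC_IP>/32[udp/l2tp] === <CLIENT_IP>/32[udp/63465]
Май 10 13:43:07 ndm
kernel: EIP93: release SPI ce02c931
Май 10 13:43:07 ndm
kernel: EIP93: release SPI 09ad1006
Май 10 13:43:07 ppp-l2tp
l2tp tunnel 55593-75 (<CLIENT_IP>:63465): impossible to send ZLB: sending packet failed
"""

HEADER = re.compile(r"^(\S+) (\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+)$")
ESTABLISHED = re.compile(
    r"CHILD_SA ([^\s{]+)\{(\d+)\} established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
CLOSING = re.compile(
    r"closing CHILD_SA ([^\s{]+)\{(\d+)\} with SPIs "
    r"([0-9a-f]+)_i \((\d+) bytes\) ([0-9a-f]+)_o \((\d+) bytes\)")
EIP93_BUILD = re.compile(r"EIP93: build (inbound|outbound) ESP connection, \(SPI=([0-9a-f]+)\)")
SELECTED = re.compile(r"selected proposal: (IKE|ESP):(\S+)")

# Assumption of this example: algorithm names reported as legacy.
LEGACY = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_768", "MODP_1024"}


def parse_entries(text):
    """Return [(timestamp_s, source, message)] from two-line log entries.

    The month name is ignored, so the log must stay within one month.
    """
    entries, header = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            day, h, mi, s = (int(m.group(i)) for i in (2, 3, 4, 5))
            header = (day * 86400 + h * 3600 + mi * 60 + s, m.group(6))
        elif line and header:
            if line.startswith("[truncated] "):
                line = line[len("[truncated] "):]
            entries.append((header[0], header[1], line))
            header = None
    return entries


def child_sa_timeline(entries):
    """Return {sa_id: record} with lifetime, byte counters and EIP93 offload state."""
    sas, offloaded = {}, {}
    for ts, _source, msg in entries:
        if (m := EIP93_BUILD.search(msg)):
            offloaded[m.group(2)] = m.group(1)  # SPI -> direction
        elif (m := ESTABLISHED.search(msg)):
            sas[int(m.group(2))] = {
                "conn": m.group(1), "up": ts, "down": None,
                "spi_in": m.group(3), "spi_out": m.group(4),
                "bytes_in": None, "bytes_out": None}
        elif (m := CLOSING.search(msg)):
            # The SA may have been established before the excerpt starts.
            rec = sas.setdefault(int(m.group(2)), {
                "conn": m.group(1), "up": None,
                "spi_in": m.group(3), "spi_out": m.group(5)})
            rec.update(down=ts, bytes_in=int(m.group(4)), bytes_out=int(m.group(6)))
    for rec in sas.values():
        rec["hw_offload"] = rec["spi_in"] in offloaded and rec["spi_out"] in offloaded
        known = rec["up"] is not None and rec["down"] is not None
        rec["lifetime_s"] = rec["down"] - rec["up"] if known else None
    return sas


def selected_proposals(entries):
    """Return [(timestamp_s, 'IKE'|'ESP', proposal, legacy_algorithms)]."""
    out = []
    for ts, _source, msg in entries:
        if (m := SELECTED.search(msg)):
            algs = {a.split("=")[0] for a in m.group(2).split("/")}
            out.append((ts, m.group(1), m.group(2), sorted(algs & LEGACY)))
    return out


if __name__ == "__main__":
    log = parse_entries(SAMPLE_LOG)
    for sa_id, rec in child_sa_timeline(log).items():
        print(f"CHILD_SA {rec['conn']}{{{sa_id}}}: lifetime={rec['lifetime_s']}s "
              f"in={rec['bytes_in']} out={rec['bytes_out']} eip93={rec['hw_offload']}")
    for _ts, proto, proposal, legacy in selected_proposals(log):
        print(f"{proto} {proposal} legacy={legacy or 'none'}")
```

Matching the wall-clock time of a client-side error against the SA that was active at that moment shows which negotiated proposal and which offload state were in effect.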


3 answers to this question

7 hours ago, Ivan Buiko said:
After upgrading to 3.0B (from the latest stable release, 2.15), when connected to the L2TP VPN server on a KN-1810 (Ultra) using the standard Mac OS client, "ERR_SSL_PROTOCOL_ERROR" errors started appearing when trying to open any website. If you reload the page, everything is fine (occasionally the error appears twice in a row, but rarely). If you try to update packages in, say, brew, it fails with the error "curl: (56) LibreSSL SSL_read: error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt, errno 0"

Meanwhile, there are almost no errors in the Keenetic logs:

Май 10 13:43:07 ppp-l2tp
l2tp tunnel 55593-75 (<CLIENT_IP>:63465): impossible to send ZLB: sending packet failed
Май 10 13:43:07 ppp-l2tp
l2tp tunnel 55593-75 (<CLIENT_IP>:63465): impossible to reply to incoming messages: message transmission failed, deleting tunnel
Май 10 13:43:09 ppp-l2tp
l2tp: discarding unexpected message from <CLIENT_IP>: invalid tid 55593

Full connection log from the moment the error occurred (the attached self-test also covers the moment of the error):

Hidden text

Hide the self-test in a separate message.
 
 
 
Edited by PASPARTU

  • 0
23 minutes ago, PASPARTU said:


Hide the self-test in a separate message.
 

Then you should also remove Ivan Buiko's self-test from your own post. Edited.

Edited by AndreBA

  • 0

I also found that the Netflix site does not open at all over L2TP. Google Chrome shows the same error,

curl:

Hidden text

curl -v https://www.netflix.com/
*   Trying 54.186.9.111...
* TCP_NODELAY set
* Connected to www.netflix.com (54.186.9.111) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* error:1400A098:SSL routines:CONNECT_CR_CERT_REQ:excessive message size
* stopped the pause stream!
* Closing connection 0
curl: (35) error:1400A098:SSL routines:CONNECT_CR_CERT_REQ:excessive message size

 

Without L2TP, everything is fine:

Hidden text

curl -v https://www.netflix.com/
*   Trying 54.69.16.110...
* TCP_NODELAY set
* Connected to www.netflix.com (54.69.16.110) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=CA; L=Los Gatos; O=Netflix, Inc.; OU=Operations; CN=www.netflix.com
*  start date: Feb  7 00:00:00 2018 GMT
*  expire date: Feb  7 12:00:00 2020 GMT
*  subjectAltName: host "www.netflix.com" matched cert's "www.netflix.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.netflix.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 302 Found

 

 
