
Does an environment with a single public egress IP allow only one user to log in at a time? #62

Closed
kernelsky opened this issue Mar 26, 2018 · 3 comments

Comments

@kernelsky

Hello, first of all thank you for the image. I ran into a problem while using it and would appreciate some help analysing it. I deployed docker-ipsec-vpn-server in our server room. When we use it from the office, as soon as one colleague has logged in successfully, the other colleagues can no longer log in: the built-in Windows VPN client reports error 789, "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer." In other words, only one user at a time can log in from the same public egress IP. The VPN client configurations are definitely fine, because each of us can log in when we take turns.
The docker logs output is as follows:
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
xl2tpd[1]: network_thread: unable to find call or tunnel to handle packet. call = 53277, tunnel = 40364 Dumping.
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
xl2tpd[1]: network_thread: unable to find call or tunnel to handle packet. call = 53277, tunnel = 40364 Dumping.
xl2tpd[1]: Maximum retries exceeded for tunnel 56949. Closing.
xl2tpd[1]: Terminating pppd: sending TERM signal to pid 684
xl2tpd[1]: Connection 27413 closed to 59.8.8.8, port 40589 (Timeout)
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
xl2tpd[1]: network_thread: unable to find call or tunnel to handle packet. call = 53277, tunnel = 40364 Dumping.
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
xl2tpd[1]: network_thread: unable to find call or tunnel to handle packet. call = 53277, tunnel = 40364 Dumping.
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
xl2tpd[1]: network_thread: unable to find call or tunnel to handle packet. call = 53277, tunnel = 40364 Dumping.
xl2tpd[1]: Unable to deliver closing message for tunnel 56949. Destroying anyway.

ipsec status shows the following:
000 Connection list:
000
000 "l2tp-psk": 172.17.0.2/32===172.17.0.2<172.17.0.2>[69.8.8.8]:17/1701---172.17.0.1...%any:17/%any; unrouted; eroute owner: #0
000 "l2tp-psk": oriented; my_ip=unset; their_ip=unset
000 "l2tp-psk": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "l2tp-psk": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "l2tp-psk": labeled_ipsec:no;
000 "l2tp-psk": policy_label:unset;
000 "l2tp-psk": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "l2tp-psk": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "l2tp-psk": sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "l2tp-psk": policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "l2tp-psk": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: unset;
000 "l2tp-psk": dpd: action:clear; delay:15; timeout:30; nat-t: force_encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "l2tp-psk": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "l2tp-psk": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP2048(14), 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2), AES_CBC(7)_000-SHA1(2)_000-MODP2048(14), AES_CBC(7)_000-SHA1(2)_000-MODP1536(5), AES_CBC(7)_000-SHA1(2)_000-MODP1024(2), AES_CBC(7)_256-SHA2_512(6)_000-MODP2048(14), AES_CBC(7)_256-SHA2_512(6)_000-MODP1536(5), AES_CBC(7)_256-SHA2_512(6)_000-MODP1024(2)
000 "l2tp-psk": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP2048(14), 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2), AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2), AES_CBC(7)_256-SHA2_512(6)_512-MODP2048(14), AES_CBC(7)_256-SHA2_512(6)_512-MODP1536(5), AES_CBC(7)_256-SHA2_512(6)_512-MODP1024(2)
000 "l2tp-psk": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000, AES(12)_000-SHA1(2)_000, AES(12)_256-SHA2_512(7)_000
000 "l2tp-psk": ESP algorithms loaded: 3DES(3)_000-SHA1(2)_000, AES(12)_000-SHA1(2)_000, AES(12)_256-SHA2_512(7)_000
000 "l2tp-psk"[3]: 172.17.0.2/32===172.17.0.2<172.17.0.2>[69.8.8.8]:17/1701---172.17.0.1...59.8.8.8[192.168.123.203]:17/1701; erouted; eroute owner: #14
000 "l2tp-psk"[3]: oriented; my_ip=unset; their_ip=unset
000 "l2tp-psk"[3]: xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "l2tp-psk"[3]: modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "l2tp-psk"[3]: labeled_ipsec:no;
000 "l2tp-psk"[3]: policy_label:unset;
000 "l2tp-psk"[3]: ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "l2tp-psk"[3]: retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "l2tp-psk"[3]: sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no;
000 "l2tp-psk"[3]: policy: PSK+ENCRYPT+DONT_REKEY+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "l2tp-psk"[3]: conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: unset;
000 "l2tp-psk"[3]: dpd: action:clear; delay:15; timeout:30; nat-t: force_encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "l2tp-psk"[3]: newest ISAKMP SA: #3; newest IPsec SA: #14;
000 "l2tp-psk"[3]: IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP2048(14), 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2), AES_CBC(7)_000-SHA1(2)_000-MODP2048(14), AES_CBC(7)_000-SHA1(2)_000-MODP1536(5), AES_CBC(7)_000-SHA1(2)_000-MODP1024(2), AES_CBC(7)_256-SHA2_512(6)_000-MODP2048(14), AES_CBC(7)_256-SHA2_512(6)_000-MODP1536(5), AES_CBC(7)_256-SHA2_512(6)_000-MODP1024(2)
000 "l2tp-psk"[3]: IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP2048(14), 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2), AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2), AES_CBC(7)_256-SHA2_512(6)_512-MODP2048(14), AES_CBC(7)_256-SHA2_512(6)_512-MODP1536(5), AES_CBC(7)_256-SHA2_512(6)_512-MODP1024(2)
000 "l2tp-psk"[3]: IKE algorithm newest: AES_CBC_256-SHA1-MODP2048
000 "l2tp-psk"[3]: ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000, AES(12)_000-SHA1(2)_000, AES(12)_256-SHA2_512(7)_000
000 "l2tp-psk"[3]: ESP algorithms loaded: 3DES(3)_000-SHA1(2)_000, AES(12)_000-SHA1(2)_000, AES(12)_256-SHA2_512(7)_000
000 "l2tp-psk"[3]: ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<N/A>
000 "xauth-psk": 0.0.0.0/0===172.17.0.2<172.17.0.2>[69.8.8.8,MS+XS+S=C]...%any[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "xauth-psk": oriented; my_ip=unset; their_ip=unset
000 "xauth-psk": xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk": modecfg info: us:server, them:client, modecfg policy:pull, dns1:8.8.8.8, dns2:8.8.4.4, domain:unset, banner:unset;
000 "xauth-psk": labeled_ipsec:no;
000 "xauth-psk": policy_label:unset;
000 "xauth-psk": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3;
000 "xauth-psk": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "xauth-psk": sha2_truncbug:no; initial_contact:no; cisco_unity:yes; fake_strongswan:no; send_vendorid:no;
000 "xauth-psk": policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "xauth-psk": conn_prio: 0,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: unset;
000 "xauth-psk": dpd: action:clear; delay:15; timeout:30; nat-t: force_encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "xauth-psk": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "xauth-psk": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP2048(14), 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2), AES_CBC(7)_000-SHA1(2)_000-MODP2048(14), AES_CBC(7)_000-SHA1(2)_000-MODP1536(5), AES_CBC(7)_000-SHA1(2)_000-MODP1024(2), AES_CBC(7)_256-SHA2_512(6)_000-MODP2048(14), AES_CBC(7)_256-SHA2_512(6)_000-MODP1536(5), AES_CBC(7)_256-SHA2_512(6)_000-MODP1024(2)
000 "xauth-psk": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP2048(14), 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2), AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2), AES_CBC(7)_256-SHA2_512(6)_512-MODP2048(14), AES_CBC(7)_256-SHA2_512(6)_512-MODP1536(5), AES_CBC(7)_256-SHA2_512(6)_512-MODP1024(2)
000 "xauth-psk": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000, AES(12)_000-SHA1(2)_000, AES(12)_256-SHA2_512(7)_000
000 "xauth-psk": ESP algorithms loaded: 3DES(3)_000-SHA1(2)_000, AES(12)_000-SHA1(2)_000, AES(12)_256-SHA2_512(7)_000
000
000 Total IPsec connections: loaded 3, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #14: "l2tp-psk"[3] 59.8.8.8:49806 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 2406s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #14: "l2tp-psk"[3] 59.8.8.8 esp.1af9f176@59.8.8.8 esp.8b44f14e@172.17.0.2 ref=0 refhim=4294901761 Traffic: ESPin=227B ESPout=0B! ESPmax=244B
000 #3: "l2tp-psk"[3] 59.8.8.8:49806 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 27542s; newest ISAKMP; nodpd; idle; import:not set
000
000 Bare Shunt list:
000

@hwdsl2
Owner

hwdsl2 commented May 2, 2018

@kernelsky Hello! Because of limitations in IPsec/L2TP and Libreswan, multiple users behind the same NAT connecting at the same time is currently not supported. See [1].

[1] libreswan/libreswan#166
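An added diagnostic example (not code from the docker-ipsec-vpn-server project or from any participant in this thread) for confirming the situation the owner describes: it parses the state lines of `ipsec status` and the xl2tpd lines of `docker logs`, groups established IPsec SAs by the peer's public IPv4 address, and reports any public IP that carries more than one connection instance, alongside the "Can not find tunnel" counts that show xl2tpd receiving packets for a tunnel it has already torn down. The sample inputs are constructed: the instance `[3]` and 40364 lines are taken from the issue above, the instance `[4]`/`[5]` lines and the 203.0.113.7 peer are invented to show a second client behind the same NAT. The `likely_nat_sharing` verdict is a heuristic, not a Libreswan API.

```python
"""Group Libreswan SAs by peer public IP and count orphaned xl2tpd tunnels.

Added example for the issue above; not part of docker-ipsec-vpn-server.
Input is the text of `ipsec status` (Libreswan 3.x format as quoted in the
issue) and the xl2tpd portion of `docker logs`.
"""
import re
from collections import defaultdict

# Constructed sample: the two instance-[3] lines quoted in the issue plus an
# invented second client behind the same public IP (instance [4], different
# NAT-T source port) and an unrelated peer in the 203.0.113.0/24 doc range.
SAMPLE_STATUS = """\
000 #14: "l2tp-psk"[3] 59.8.8.8:49806 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 2406s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #3: "l2tp-psk"[3] 59.8.8.8:49806 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 27542s; newest ISAKMP; nodpd; idle; import:not set
000 #21: "l2tp-psk"[4] 59.8.8.8:50112 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 27800s; newest ISAKMP; nodpd; idle; import:not set
000 #22: "l2tp-psk"[4] 59.8.8.8:50112 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 2800s; newest IPSEC; eroute owner; isakmp#21; idle; import:not set
000 #30: "l2tp-psk"[5] 203.0.113.7:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 2000s; newest IPSEC; eroute owner; isakmp#29; idle; import:not set
000 Bare Shunt list:
"""

# Constructed sample: a subset of the xl2tpd lines from the issue's docker logs.
SAMPLE_XL2TPD = """\
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
xl2tpd[1]: network_thread: unable to find call or tunnel to handle packet. call = 53277, tunnel = 40364 Dumping.
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
xl2tpd[1]: Maximum retries exceeded for tunnel 56949. Closing.
xl2tpd[1]: Can not find tunnel 40364 (refhim=0)
"""

# Per-state line: `000 #<sa>: "<conn>"[<inst>] <ipv4>:<port> STATE_...`
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])?'
    r' (?P<ip>[0-9.]+):(?P<port>\d+) (?P<state>STATE_[A-Z0-9_]+)'
)
ORPHAN_RE = re.compile(r"Can not find tunnel (\d+)")


def parse_states(status_text):
    """Return one dict per SA state line of `ipsec status`; other lines are skipped."""
    states = []
    for line in status_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sa"] = int(d["sa"])
        d["port"] = int(d["port"])
        d["inst"] = int(d["inst"]) if d["inst"] is not None else None
        # IKEv1 naming in Libreswan: STATE_MAIN_* is the ISAKMP (phase 1) SA,
        # STATE_QUICK_* is the IPsec (phase 2) SA that actually carries L2TP.
        d["ipsec"] = d["state"].startswith("STATE_QUICK")
        states.append(d)
    return states


def endpoints_by_public_ip(states):
    """Map peer public IP -> sorted (conn instance, NAT-T source port) pairs with an IPsec SA."""
    peers = defaultdict(set)
    for s in states:
        if s["ipsec"]:
            peers[s["ip"]].add((s["inst"], s["port"]))
    return {ip: sorted(eps) for ip, eps in peers.items()}


def shared_nat_peers(states):
    """Public IPs with more than one IPsec endpoint: several clients behind one NAT."""
    return {ip: eps for ip, eps in endpoints_by_public_ip(states).items() if len(eps) > 1}


def orphan_tunnels(log_text):
    """Count xl2tpd 'Can not find tunnel N' lines per tunnel id."""
    counts = defaultdict(int)
    for m in ORPHAN_RE.finditer(log_text):
        counts[int(m.group(1))] += 1
    return dict(counts)


def diagnose(status_text, log_text):
    """Combine both checks; 'likely_nat_sharing' is a heuristic verdict, not a Libreswan API."""
    shared = shared_nat_peers(parse_states(status_text))
    orphans = orphan_tunnels(log_text)
    return {
        "shared_nat_peers": shared,
        "orphan_tunnels": orphans,
        "likely_nat_sharing": bool(shared) and bool(orphans),
    }


if __name__ == "__main__":
    import json
    # Run against the constructed samples; swap in `ipsec status` / `docker logs` text.
    print(json.dumps(diagnose(SAMPLE_STATUS, SAMPLE_XL2TPD), indent=2))
```

With real input, one public IP listed under `shared_nat_peers` together with a non-empty `orphan_tunnels` is the pattern to expect when two office clients share an egress address; a single IP with repeated orphan lines but only one endpoint usually means the second client's SA replaced the first, which is the same limitation seen from the other side.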

@hwdsl2 hwdsl2 closed this as completed May 2, 2018
@kernelsky
Author

Understood. Thanks.

letoams added a commit to libreswan/libreswan that referenced this issue Sep 8, 2018
…4 behind same NAT

This is referenced in a number of bugs:

#166
hwdsl2/setup-ipsec-vpn#314
hwdsl2/setup-ipsec-vpn#323
hwdsl2/setup-ipsec-vpn#357
hwdsl2/docker-ipsec-vpn-server#62

Note that this patch only is half of the fix. The other fix is commit
9ccfe20 which prevents being stuck on the 0th lease when
can_share_lease() is FALSE (as it is for authby=secret)
@letoams

letoams commented Sep 18, 2018

Note: libreswan 3.26 was released, which addresses the issue related to bad lease IP re-use.
