Bender007 Tux's lil' helper
Joined: 11 Aug 2003 Posts: 110 Location: Göttingen
Posted: Fri Dec 10, 2004 11:22 am Post subject: L2TPD does not respond
Hi

I have been trying for almost 2 weeks now to get my VPN server up and running (racoon+l2tpd). I did manage to get it to build a tunnel to my server, but only from the internal network (192.168.0.2 -> 192.168.0.1).
The problem is that when I try to establish a connection from an external machine, i.e. from the Internet, racoon does respond and sets up a connection, but l2tpd and pppd do not react.
From the internal network, from my workstation, everything works fine. But the point is not to set up a VPN connection inside the intranet to access the data...

Here are my firewall settings:

firewall.sh:
```sh
case "$1" in
start)
echo "Starte IP-Paketfilter"
# iptables module
modprobe ip_tables
# connection tracking modules
modprobe ip_conntrack
# the ip_conntrack_irc module is only available with kernels >= 2.4.19
#modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
# flush the tables
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# set default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# MY_REJECT chain
iptables -N MY_REJECT
# fill MY_REJECT
iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
iptables -A MY_REJECT -p icmp -j DROP
iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
# MY_DROP chain
iptables -N MY_DROP
iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
iptables -A MY_DROP -j DROP
# log all dropped packets
iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "
# reject corrupt packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# DROP stealth scans etc.
# no flags set
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
# SYN and FIN set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
# SYN and RST set at the same time
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
# FIN and RST set at the same time
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
# FIN without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
# PSH without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
# URG without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
# allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# clamp the Maximum Segment Size (MSS) of forwarded traffic to the PMTU
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# enable connection tracking
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# "! -i ppp0" is the current iptables syntax for the old "-i ! ppp0" (same meaning)
iptables -A FORWARD ! -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
# VPN
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 1701 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i ppp0 -p 50 -j ACCEPT
# SSH
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 22 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 50900 -j ACCEPT
#iptables -A FORWARD -i ppp0 -o eth0 -p udp --dport 50900 -j ACCEPT
#iptables -t nat -A PREROUTING -p udp --dport 50900 -i ppp0 -j DNAT --to-destination 192.168.0.2:50900
#iptables -A FORWARD -i ppp0 -o eth0 -p udp --dport 6502 -j ACCEPT
#iptables -t nat -A PREROUTING -p udp --dport 6502 -i ppp0 -j DNAT --to-destination 192.168.0.2:6502
# IPSEC
#iptables -A INPUT -i ppp0 -p 50 -j ACCEPT
#iptables -A INPUT -i ppp0 -p 51 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 500 -j ACCEPT
# LAN access on eth0
iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
# default policies with REJECT
iptables -A INPUT -j MY_REJECT
iptables -A OUTPUT -j MY_REJECT
iptables -A FORWARD -j MY_REJECT
# routing
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
# masquerading
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
# stop source routing
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done
# reverse path filter
# commented out, because IPsec does not work with rp_filter!
# for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done
# log martians
for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done
# disable BOOTP relaying
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done
# disable proxy ARP
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done
# ignore bogus ICMP error responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null
# ignore ICMP echo broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# send at most 500/second (5 per jiffy)
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
# memory allocation and timing for IP de-/fragmentation
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time
# set the TCP FIN timeout to protect against DoS attacks
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# at most 3 replies to a TCP SYN
echo 3 > /proc/sys/net/ipv4/tcp_retries1
# retransmit TCP packets at most 15 times
echo 15 > /proc/sys/net/ipv4/tcp_retries2
;;
# only the "start" branch was posted; esac closes the case statement
esac
```
And the racoon messages:
```
Dec 7 21:22:49 [racoon] INFO: respond new phase 1 negotiation: 217.226.221.58[500]<=>217.84.226.70[500]
Dec 7 21:22:49 [racoon] INFO: begin Identity Protection mode.
Dec 7 21:22:49 [racoon] INFO: received Vendor ID: MS NT5 ISAKMPOAKLEY
Dec 7 21:22:49 [racoon] INFO: ISAKMP-SA established 217.226.221.58[500]-217.84.226.70[500] spi:36f670d18328c321:9a76ba7ff94a74e1
Dec 7 21:22:49 [racoon] INFO: respond new phase 2 negotiation: 217.226.221.58[0]<=>217.84.226.70[0]
Dec 7 21:22:49 [racoon] INFO: no policy found, try to generate the policy : 192.168.0.2/32[1701] 217.226.221.58/32[0] proto=udp dir=in
Dec 7 21:22:49 [racoon] INFO: IPsec-SA established: ESP/Transport 217.84.226.70->217.226.221.58 spi=1684565(0x19b455)
Dec 7 21:22:49 [racoon] INFO: IPsec-SA established: ESP/Transport 217.226.221.58->217.84.226.70 spi=4071072641(0xf2a7a381)
Dec 7 21:22:49 [racoon] ERROR: such policy does not already exist: 192.168.0.2/32[1701] 217.226.221.58/32[0] proto=udp dir=in
Dec 7 21:22:49 [racoon] ERROR: such policy does not already exist: 217.226.221.58/32[0] 192.168.0.2/32[1701] proto=udp dir=out
Dec 7 21:23:24 [racoon] INFO: purged IPsec-SA proto_id=ESP spi=4071072641.
Dec 7 21:23:24 [racoon] INFO: purged ISAKMP-SA proto_id=ISAKMP spi=36f670d18328c321:9a76ba7ff94a74e1.
```
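The racoon log above contains the one fact worth correlating: phase 1 ran against the peer's public address, while the phase 2 traffic selector the peer proposed names a private address (192.168.0.2). The following parser is an added diagnostic, not code from the post; it rebuilds that correlation from the quoted lines (trailing extraction artifacts removed) and flags the mismatch, which is the usual sign that the client sits behind NAT and that the transport-mode ESP racoon installed cannot match the policy it generated.

```python
import re

# Sample input: the racoon lines quoted in the post above; addresses as in the log.
RACOON_LOG = """\
Dec 7 21:22:49 [racoon] INFO: respond new phase 1 negotiation: 217.226.221.58[500]<=>217.84.226.70[500]
Dec 7 21:22:49 [racoon] INFO: ISAKMP-SA established 217.226.221.58[500]-217.84.226.70[500] spi:36f670d18328c321:9a76ba7ff94a74e1
Dec 7 21:22:49 [racoon] INFO: respond new phase 2 negotiation: 217.226.221.58[0]<=>217.84.226.70[0]
Dec 7 21:22:49 [racoon] INFO: no policy found, try to generate the policy : 192.168.0.2/32[1701] 217.226.221.58/32[0] proto=udp dir=in
Dec 7 21:22:49 [racoon] INFO: IPsec-SA established: ESP/Transport 217.84.226.70->217.226.221.58 spi=1684565(0x19b455)
Dec 7 21:22:49 [racoon] INFO: IPsec-SA established: ESP/Transport 217.226.221.58->217.84.226.70 spi=4071072641(0xf2a7a381)
Dec 7 21:22:49 [racoon] ERROR: such policy does not already exist: 192.168.0.2/32[1701] 217.226.221.58/32[0] proto=udp dir=in
Dec 7 21:22:49 [racoon] ERROR: such policy does not already exist: 217.226.221.58/32[0] 192.168.0.2/32[1701] proto=udp dir=out
"""

PHASE1 = re.compile(r"phase 1 negotiation: (\S+?)\[\d+\]<=>(\S+?)\[\d+\]")
# inbound SPD entry racoon generated: "<remote src>/<len>[port] <local dst>/<len>[port] proto=... dir=in"
POLICY = re.compile(r"generate the policy : (\S+?)/\d+\[(\d+)\] (\S+?)/\d+\[\d+\] proto=(\w+) dir=in")
IPSEC_SA = re.compile(r"IPsec-SA established: ESP/(\w+) (\S+)->(\S+) spi=")
POLICY_ERR = re.compile(r"ERROR: such policy does not already exist")

def analyze_racoon(log):
    """Correlate phase 1 and phase 2 of one responder-side negotiation.

    Returns the peer's outer (phase 1) address, the source address/port the peer
    proposed as its phase 2 selector, the ESP SAs racoon installed and the count
    of policy errors. A selector naming a different address than the peer spoke
    from means the peer is most likely behind NAT: transport-mode ESP then
    arrives from the outer address and never matches the generated policy.
    """
    r = {"local": None, "peer": None, "selector_src": None, "selector_port": None,
         "selector_proto": None, "sas": [], "policy_errors": 0}
    for line in log.splitlines():
        m = PHASE1.search(line)
        if m:
            r["local"], r["peer"] = m.group(1), m.group(2)
        m = POLICY.search(line)
        if m:
            r["selector_src"], r["selector_port"] = m.group(1), int(m.group(2))
            r["selector_proto"] = m.group(4)
        m = IPSEC_SA.search(line)
        if m:
            r["sas"].append((m.group(1), m.group(2), m.group(3)))  # (mode, src, dst)
        if POLICY_ERR.search(line):
            r["policy_errors"] += 1
    r["nat_suspected"] = (r["peer"] is not None and r["selector_src"] is not None
                         and r["peer"] != r["selector_src"])
    return r
```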
Bender007 Tux's lil' helper
Joined: 11 Aug 2003 Posts: 110 Location: Göttingen
Posted: Sat Dec 11, 2004 7:45 pm Post subject:
I have now started l2tpd by hand and tried to connect from the Windows client:

```
l2tpd -D -c /etc/l2tpd/l2tpd.conf -s /etc/ppp/chap-secrets
```

When I connected, l2tpd also printed an error message:
```
This binary does not support kernel L2TP.
l2tpd version 0.69 started on matrix PID:16462
Linux version 2.6.9 on a i686, listening on IP address 0.0.0.0, port 1701
ourtid = 3849, entropy_buf = f09
check_control: control, cid = 0, Ns = 0, Nr = 0
handle_avps: handling avp's for tunnel 3849, call 0
message_type_avp: message type 1 (Start-Control-Connection-Request)
protocol_version_avp: peer is using version 1, revision 0.
framing_caps_avp: supported peer frames: sync
bearer_caps_avp: supported peer bearers:
firmware_rev_avp: peer reports firmware version 1280 (0x0500)
hostname_avp: peer reports hostname 'bender'
vendor_avp: peer reports vendor 'Microsoft'
assigned_tunnel_avp: using peer's tunnel 14
receive_window_size_avp: peer wants RWS of 8. Will use flow control.
ourtid = 24116, entropy_buf = 5e34
check_control: control, cid = 0, Ns = 0, Nr = 0
handle_avps: handling avp's for tunnel 24116, call 0
message_type_avp: message type 1 (Start-Control-Connection-Request)
protocol_version_avp: peer is using version 1, revision 0.
framing_caps_avp: supported peer frames: sync
bearer_caps_avp: supported peer bearers:
firmware_rev_avp: peer reports firmware version 1280 (0x0500)
hostname_avp: peer reports hostname 'bender'
vendor_avp: peer reports vendor 'Microsoft'
assigned_tunnel_avp: using peer's tunnel 14
receive_window_size_avp: peer wants RWS of 8. Will use flow control.
control_finish: Peer requested tunnel 14 twice, ignoring second one.
control_xmit: Maximum retries exceeded for tunnel 3849. Closing.
call_close : Connection 14 closed to 192.168.0.2, port 1701 (Timeout)
control_xmit: Unable to deliver closing message for tunnel 3849. Destroying anyway.
```
Does anyone have a clue what this could be? I simply have no idea any more what might be causing it...
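The l2tpd debug output above shows a control-connection handshake that never completes: the peer's Start-Control-Connection-Request for its tunnel 14 arrives twice (under two local tunnel ids), and l2tpd's own reply for tunnel 3849 exhausts its retries. The analyzer below is an added example, not part of the post; it rebuilds per-tunnel state from the quoted lines and turns that pattern into a finding (peer never acknowledged our SCCRP, so look at the return path to the peer's UDP 1701).

```python
import re
from collections import defaultdict

# Sample input: the l2tpd -D lines quoted in the post above, trimmed to the
# ones that matter for the control-connection handshake.
L2TPD_LOG = """\
ourtid = 3849, entropy_buf = f09
check_control: control, cid = 0, Ns = 0, Nr = 0
message_type_avp: message type 1 (Start-Control-Connection-Request)
assigned_tunnel_avp: using peer's tunnel 14
ourtid = 24116, entropy_buf = 5e34
check_control: control, cid = 0, Ns = 0, Nr = 0
message_type_avp: message type 1 (Start-Control-Connection-Request)
assigned_tunnel_avp: using peer's tunnel 14
control_finish: Peer requested tunnel 14 twice, ignoring second one.
control_xmit: Maximum retries exceeded for tunnel 3849. Closing.
call_close : Connection 14 closed to 192.168.0.2, port 1701 (Timeout)
"""

OURTID = re.compile(r"^ourtid = (\d+)")
MSG_TYPE = re.compile(r"message type \d+ \((\S+)\)")
PEER_TID = re.compile(r"using peer's tunnel (\d+)")
RETRIES = re.compile(r"Maximum retries exceeded for tunnel (\d+)")
CLOSED = re.compile(r"Connection (\d+) closed to (\S+), port (\d+) \((\w+)\)")

def analyze_l2tpd(log):
    """Per local tunnel id: the control message received, the peer tunnel id it
    announced, whether our reply timed out, and the close reason (if any)."""
    tunnels, current = {}, None
    for line in log.splitlines():
        if m := OURTID.match(line):            # a new local tunnel id is allocated
            current = int(m.group(1))
            tunnels[current] = {"peer_tid": None, "received": None,
                                "reply_unacked": False, "close_reason": None}
        elif m := MSG_TYPE.search(line):
            tunnels[current]["received"] = m.group(1)
        elif m := PEER_TID.search(line):
            tunnels[current]["peer_tid"] = int(m.group(1))
        elif m := RETRIES.search(line):        # our SCCRP was never acknowledged
            tunnels[int(m.group(1))]["reply_unacked"] = True
        elif m := CLOSED.search(line):         # l2tpd reports the peer's tunnel id here
            for t in tunnels.values():
                if t["peer_tid"] == int(m.group(1)):
                    t["close_reason"] = m.group(4)
    return tunnels

def diagnose(tunnels):
    """Group SCCRQs by peer tunnel id; a repeated SCCRQ plus an unacknowledged
    reply means the peer never saw our SCCRP (server -> client UDP 1701 path)."""
    by_peer = defaultdict(list)
    for tid, t in tunnels.items():
        if t["received"] == "Start-Control-Connection-Request":
            by_peer[t["peer_tid"]].append(tid)
    findings = []
    for peer_tid, tids in by_peer.items():
        unacked = [tid for tid in tids if tunnels[tid]["reply_unacked"]]
        if len(tids) > 1 or unacked:
            findings.append({"peer_tid": peer_tid, "sccrq_count": len(tids),
                             "reply_unacked_for": unacked,
                             "hint": "peer never acknowledged our SCCRP; check return path to peer UDP 1701"})
    return findings
```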