Connecting to VPN

Discussion of software and its configuration
easyman
Posts: 108
Joined: 19 Oct 2018, 13:44

In the default ipsec profile, check phase 1: hash - sha256, encryption - aes-128,aes-256, dh modp2048. Lifetime 2 hours. In phase 2, proposal default: hash sha1, encryption aes-256, dh modp2048. The lifetime seems to be 45 minutes. Give it a try.


nrg
Posts: 5
Joined: 11 Jul 2013, 13:37

Show the output of /ip ipsec export


Anton777
Posts: 9
Joined: 02 Dec 2019, 13:33

easyman wrote: 14 Apr 2020, 13:01 In the default ipsec profile, check phase 1: hash - sha256, encryption - aes-128,aes-256, dh modp2048. Lifetime 2 hours. In phase 2, proposal default: hash sha1, encryption aes-256, dh modp2048. The lifetime seems to be 45 minutes. Give it a try.
As far as I understand, the first authorization phase went through?
It looks like I'm still doing something wrong. Sorry, but I can't manage without your help((
Here is what's in the logs now:


05:41:41 ipsec,debug debug: sendto Information notify. 
05:41:41 ipsec,info debug: ISAKMP-SA established xxx.xxx.xxx.xxx[500]-xxx.xxx.xxx.xxx[500] spi:9993c6e807f66e2a:1882b7d280e6ff6f 
05:41:41 ipsec,debug debug: === 
05:41:42 ipsec,debug debug: === 
05:41:42 ipsec,debug debug: begin QUICK mode. 
05:41:42 ipsec debug: initiate new phase 2 negotiation: xxx.xxx.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[500] 
05:41:42 ipsec,debug,packet debug: compute IV for phase2 
05:41:42 ipsec,debug,packet debug: phase1 last IV: 
05:41:42 ipsec,debug,packet debug: 3c81c375 3204c8d0 f0a23171 40afdc6e d07e0989 
05:41:42 ipsec,debug debug: hash(sha2_256) 
05:41:42 ipsec,debug,packet debug: encryption(aes) 
05:41:42 ipsec,debug,packet debug: phase2 IV computed: 
05:41:42 ipsec,debug,packet debug: 139d6cc5 6bbc1c65 1838219e a28e3e23 
05:41:42 ipsec,debug debug: call pfkey_send_getspi 22 
05:41:42 ipsec,debug debug: pfkey GETSPI sent: ESP/Transport xxx.xxx.xxx.xxx[500]->xxx.xxx.xxx.xxx[500]  
05:41:42 ipsec,debug debug: pfkey getspi sent. 
05:41:42 ipsec,debug debug: dh(modp2048) 
05:41:42 ipsec,debug debug: dh(modp2048) 
05:41:42 ipsec,debug debug: dh(modp2048) 
05:41:42 ipsec,debug debug: dh(modp2048) 
05:41:42 ipsec,debug debug: dh(modp2048) 
05:41:42 ipsec,debug debug: dh(modp2048) 
05:41:42 ipsec,debug debug: dh(modp2048) 
05:41:42 ipsec,debug debug: dh(modp2048) 
05:41:42 ipsec,debug debug: dh(modp2048) 
05:41:42 ipsec,debug debug: dh(modp2048) 
05:41:42 ipsec,debug debug: dh(modp2048) 
05:41:42 ipsec,debug,packet debug: compute DH's private. 
05:41:42 ipsec,debug,packet debug: 55612233 a58b2bfa f6f8cc10 e060820d 472b673d 25dcf2e8 cd9919fd ae2093d4
05:41:42 ipsec,debug,packet debug: 061cb956 38410a6c 6bdc5891 89c1a751 8bf72691 95ef53f3 5802b8b7 a433de1e
05:41:42 ipsec,debug,packet debug: e7086228 64ab9ed9 1d3447ad bf24542b cd4cab31 2f7849f4 60553acf 7b436556
05:41:42 ipsec,debug,packet debug: b61a4c75 3d62890d c466d8cd 7a2b0ac2 8266c92d f8714b28 40e6f500 c95c9358
05:41:42 ipsec,debug,packet debug: 64b8a2b4 75bcd207 bfd4450d 1f81f2a9 1c976385 12206225 fff26a64 d3fbc5dc
05:41:42 ipsec,debug,packet debug: 3ffef279 f6a3899c 2e838956 07631ebf 3ae57e18 f6977d86 5389e4a2 f8138c9b
05:41:42 ipsec,debug,packet debug: e58e67a7 5ba73cd8 a3176b3c 2a22e858 13ac0115 573289a2 98d16b07 189f598e
05:41:42 ipsec,debug,packet debug: b981a192 68613a8c 717463ff f40644f9 ac4e1727 99f0dd31 95a25548 bff39b0c
05:41:42 ipsec,debug,packet debug: compute DH's public.
05:41:42 ipsec,debug,packet debug: 85bd29e1 38e473c5 c47e6c6c 8610f14f 5f85e695 dfce0682 822cdd50 ded5e083
05:41:42 ipsec,debug,packet debug: 5d336543 2b2cb275 13d977c2 40280d66 e2839ec0 54064836 a51e7a01 c2378452
05:41:42 ipsec,debug,packet debug: e984cb23 a668e6b2 6018e5a4 953a061b 058be18c 6e780a16 25fe6d9b 5674d2a6
05:41:42 ipsec,debug,packet debug: 23302d4b 1414313a 07db4274 82e36aa3 52e3ccb1 b1161fd4 a58b4abd cd6d242a
05:41:42 ipsec,debug,packet debug: 58b28702 b48057ec 276555d1 7dd4dbe1 31138084 886e5f6d 5f4873a8 62462609
05:41:42 ipsec,debug,packet debug: fba77b39 636155ae cd867b78 8f42240c b80d4be0 ec809220 5e9dd2c7 597e9126
05:41:42 ipsec,debug,packet debug: 70b9bce1 da5c2d15 8526a287 ff79f50d bf85c45a 339c2764 9eff608d 793a72b0
05:41:42 ipsec,debug,packet debug: c2089370 a2574a61 98444568 de728752 7d566917 d91ef82d bdea2daf 4e35700a
05:41:42 ipsec,debug debug: use local ID type IPv4_address
05:41:42 ipsec,debug debug: use remote ID type IPv4_address
05:41:42 ipsec,debug debug: IDci:
05:41:42 ipsec,debug debug: 011106a5 bce997ee
05:41:42 ipsec,debug debug: IDcr:
05:41:42 ipsec,debug debug: 011106a5 bcaa1412
05:41:42 ipsec,debug debug: add payload of len 172, next type 10
05:41:42 ipsec,debug debug: add payload of len 24, next type 4
05:41:42 ipsec,debug debug: add payload of len 256, next type 5
05:41:42 ipsec,debug debug: add payload of len 8, next type 5
05:41:42 ipsec,debug debug: add payload of len 8, next type 0
05:41:42 ipsec,debug,packet debug: HASH with:
05:41:42 ipsec,debug,packet debug: d07e0989 0a0000b0 00000001 00000001 000000a4 01030405 0df3eefc 03000020
05:41:42 ipsec,debug,packet debug: 010c0000 80010001 80020a8c 80040002 80060100 80050002 8003000e 03000020
05:41:42 ipsec,debug,packet debug: 020d0000 80010001 80020a8c 80040002 80060100 80050002 8003000e 03000020
05:41:42 ipsec,debug,packet debug: 030d0000 80010001 80020a8c 80040002 80060120 80050002 8003000e 0300001c
05:41:42 ipsec,debug,packet debug: 04140000 80010001 80020a8c 80040002 80060100 8003000e 0000001c 05140000
05:41:42 ipsec,debug,packet debug: 80010001 80020a8c 80040002 80060120 8003000e 0400001c 9e2ceb72 829cfe95
05:41:42 ipsec,debug,packet debug: 790c64d4 ce51d2d5 d91665e7 b4180da5 05000104 85bd29e1 38e473c5 c47e6c6c
05:41:42 ipsec,debug,packet debug: 8610f14f 5f85e695 dfce0682 822cdd50 ded5e083 5d336543 2b2cb275 13d977c2
05:41:42 ipsec,debug,packet debug: 40280d66 e2839ec0 54064836 a51e7a01 c2378452 e984cb23 a668e6b2 6018e5a4
05:41:42 ipsec,debug,packet debug: 953a061b 058be18c 6e780a16 25fe6d9b 5674d2a6 23302d4b 1414313a 07db4274
05:41:42 ipsec,debug,packet debug: 82e36aa3 52e3ccb1 b1161fd4 a58b4abd cd6d242a 58b28702 b48057ec 276555d1
05:41:42 ipsec,debug,packet debug: 7dd4dbe1 31138084 886e5f6d 5f4873a8 62462609 fba77b39 636155ae cd867b78
05:41:42 ipsec,debug,packet debug: 8f42240c b80d4be0 ec809220 5e9dd2c7 597e9126 70b9bce1 da5c2d15 8526a287
05:41:42 ipsec,debug,packet debug: ff79f50d bf85c45a 339c2764 9eff608d 793a72b0 c2089370 a2574a61 98444568
05:41:42 ipsec,debug,packet debug: de728752 7d566917 d91ef82d bdea2daf 4e35700a 0500000c 011106a5 bce997ee
05:41:42 ipsec,debug,packet debug: 0000000c 011106a5 bcaa1412
05:41:42 ipsec,debug,packet debug: hmac(hmac_sha2_256)
05:41:42 ipsec,debug,packet debug: HASH computed:
05:41:42 ipsec,debug,packet debug: 3365e12c 47c48b46 b33091dd 5b58be07 57296015 e57e3b0d 2dcadee7 fca28466
05:41:42 ipsec,debug debug: add payload of len 32, next type 1
05:41:42 ipsec,debug,packet debug: begin encryption.
05:41:42 ipsec,debug,packet debug: encryption(aes)
05:41:42 ipsec,debug,packet debug: pad length = 4
05:41:42 ipsec,debug,packet debug: 01000024 3365e12c 47c48b46 b33091dd 5b58be07 57296015 e57e3b0d 2dcadee7
05:41:42 ipsec,debug,packet debug: fca28466 0a0000b0 00000001 00000001 000000a4 01030405 0df3eefc 03000020
05:41:42 ipsec,debug,packet debug: 010c0000 80010001 80020a8c 80040002 80060100 80050002 8003000e 03000020
05:41:42 ipsec,debug,packet debug: 020d0000 80010001 80020a8c 80040002 80060100 80050002 8003000e 03000020
05:41:42 ipsec,debug,packet debug: 030d0000 80010001 80020a8c 80040002 80060120 80050002 8003000e 0300001c
05:41:42 ipsec,debug,packet debug: 04140000 80010001 80020a8c 80040002 80060100 8003000e 0000001c 05140000
05:41:42 ipsec,debug,packet debug: 80010001 80020a8c 80040002 80060120 8003000e 0400001c 9e2ceb72 829cfe95
05:41:42 ipsec,debug,packet debug: 790c64d4 ce51d2d5 d91665e7 b4180da5 05000104 85bd29e1 38e473c5 c47e6c6c
05:41:42 ipsec,debug,packet debug: 8610f14f 5f85e695 dfce0682 822cdd50 ded5e083 5d336543 2b2cb275 13d977c2
05:41:42 ipsec,debug,packet debug: 40280d66 e2839ec0 54064836 a51e7a01 c2378452 e984cb23 a668e6b2 6018e5a4
05:41:42 ipsec,debug,packet debug: 953a061b 058be18c 6e780a16 25fe6d9b 5674d2a6 23302d4b 1414313a 07db4274
05:41:42 ipsec,debug,packet debug: 82e36aa3 52e3ccb1 b1161fd4 a58b4abd cd6d242a 58b28702 b48057ec 276555d1
05:41:42 ipsec,debug,packet debug: 7dd4dbe1 31138084 886e5f6d 5f4873a8 62462609 fba77b39 636155ae cd867b78
05:41:42 ipsec,debug,packet debug: 8f42240c b80d4be0 ec809220 5e9dd2c7 597e9126 70b9bce1 da5c2d15 8526a287
05:41:42 ipsec,debug,packet debug: ff79f50d bf85c45a 339c2764 9eff608d 793a72b0 c2089370 a2574a61 98444568
05:41:42 ipsec,debug,packet debug: de728752 7d566917 d91ef82d bdea2daf 4e35700a 0500000c 011106a5 bce997ee
05:41:42 ipsec,debug,packet debug: 0000000c 011106a5 bcaa1412 7f787e03
05:41:42 ipsec,debug,packet debug: encryption(aes)
05:41:42 ipsec,debug,packet debug: with key:
05:41:42 ipsec,debug,packet debug: 3c568304 7bd6a220 c7d6d57e 8c73d790 1d25ccf2 7704bf29 919ab309 a4e51cd8
05:41:42 ipsec,debug,packet debug: encrypted payload by IV:
05:41:42 ipsec,debug,packet debug: 139d6cc5 6bbc1c65 1838219e a28e3e23
05:41:42 ipsec,debug,packet debug: save IV for next:
05:41:42 ipsec,debug,packet debug: 03de279b db67f780 a3a5cc17 f5a8d560
05:41:42 ipsec,debug,packet debug: encrypted.
05:41:42 ipsec,debug debug: 556 bytes from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500]
05:41:42 ipsec,debug debug: 1 times of 556 bytes message will be sent to xxx.xxx.xxx.xxx[500]
05:41:42 ipsec,debug,packet debug: 9993c6e8 07f66e2a 1882b7d2 80e6ff6f 08102001 d07e0989 0000022c 5dc0c990
05:41:42 ipsec,debug,packet debug: f960956b e6fb1ea9 c15e9bc3 f9821998 80866e1e 0c46d4f0 6476b267 48264dad
05:41:42 ipsec,debug,packet debug: 2772833e b8b532a1 687c799b 0a1cb67d a8dc3fa0 8afac7bc 724de8f6 24b96916
05:41:42 ipsec,debug,packet debug: 4e8f5493 31bf566d f40feb54 3f89c224 18f89354 b674f43e a9a410ce b28f0e7e
05:41:42 ipsec,debug,packet debug: 036ae13c 1d4a7682 5d5f7166 f29a8ce5 c95771b4 0486b002 f4f8443c d4921ad8
05:41:42 ipsec,debug,packet debug: 593b3ca8 dec4029f 94bdbba8 7b3a598e 5045aeb2 cdf7565f f563f99a 11c4e51d
05:41:42 ipsec,debug,packet debug: 74bc78b9 d3a70501 4813f742 6b6aa95e 557db6d3 9f94d73a 80666244 a8135c8b
05:41:42 ipsec,debug,packet debug: bd237f4e 325b585c 5c2e4781 f6d2f9ed 9fe1a460 f77bb1a4 e61eca62 2b36c591
05:41:42 ipsec,debug,packet debug: 5f241049 e69b9b09 ff970bcd f67a7ee5 4397aad7 ce358da8 7c410ace bc1f61b8
05:41:42 ipsec,debug,packet debug: b67c973c 96917c06 6e422e8a e549921c e85910e5 c23431ae 91358b5c 2bbf251b
05:41:42 ipsec,debug,packet debug: 24a1c11c 9d484e7a e2b16344 0fc3866a 0d16ba8a 11931234 6103a5c8 912f6443
05:41:42 ipsec,debug,packet debug: 10c78499 584aa28f 59185035 6264f6bf a5aab392 c98f87bc e769c761 468081f0
05:41:42 ipsec,debug,packet debug: 756be195 0071df07 d3cd00ae 71206674 fde27e5b 8f044b6f 094d66dc a5e49c13
05:41:42 ipsec,debug,packet debug: cf3252e3 4e3a7517 d9efa0be b15c6518 89ef17a8 ca8ea98c a613c483 4a1e2a78
05:41:42 ipsec,debug,packet debug: 49af34f8 ba0f8efc ec73c20f 572fdf4b 27fafdf7 5b8551a7 867e9bdd 1012cf8c
05:41:42 ipsec,debug,packet debug: 8fc5420a 4d56f8f0 e7522f1e d4bd6e37 fe14b2b2 16e31ef9 989a43c7 7498ba55
05:41:42 ipsec,debug,packet debug: fbf67cae 6b811217 28537cf5 3e6db99a 2e0695de 384be7d6 23acf92f 03de279b
05:41:42 ipsec,debug,packet debug: db67f780 a3a5cc17 f5a8d560
05:41:42 ipsec debug: sent phase2 packet xxx.xxx.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[500] 9993c6e807f66e2a:1882b7d280e6ff6f:d07e0989
05:41:42 ipsec,debug debug: ===== received 92 bytes from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500]
05:41:42 ipsec,debug,packet debug: 9993c6e8 07f66e2a 1882b7d2 80e6ff6f 08100501 f81e177e 0000005c 643c8e5b
05:41:42 ipsec,debug,packet debug: 6e099ca2 88fda3da f8e59cbc fbe8d1c3 4670c222 daa4a9ea b361eea0 a9cb48ad
05:41:42 ipsec,debug,packet debug: 21ea415a c814a644 9cefc05a d68a75e9 636ac081 8a9799f6 d22cf0ce
05:41:42 ipsec,debug debug: receive Information.
05:41:42 ipsec,debug,packet debug: compute IV for phase2
05:41:42 ipsec,debug,packet debug: phase1 last IV:
05:41:42 ipsec,debug,packet debug: 3c81c375 3204c8d0 f0a23171 40afdc6e f81e177e
05:41:42 ipsec,debug debug: hash(sha2_256)
05:41:42 ipsec,debug,packet debug: encryption(aes)
05:41:42 ipsec,debug,packet debug: phase2 IV computed:
05:41:42 ipsec,debug,packet debug: a4b2fb8b 7eba306a f3669b41 4003601a
05:41:42 ipsec,debug,packet debug: encryption(aes)
05:41:42 ipsec,debug,packet debug: IV was saved for next processing:
05:41:42 ipsec,debug,packet debug: d68a75e9 636ac081 8a9799f6 d22cf0ce
05:41:42 ipsec,debug,packet debug: encryption(aes)
05:41:42 ipsec,debug,packet debug: with key:
05:41:42 ipsec,debug,packet debug: 3c568304 7bd6a220 c7d6d57e 8c73d790 1d25ccf2 7704bf29 919ab309 a4e51cd8
05:41:42 ipsec,debug,packet debug: decrypted payload by IV:
05:41:42 ipsec,debug,packet debug: a4b2fb8b 7eba306a f3669b41 4003601a
05:41:42 ipsec,debug,packet debug: decrypted payload, but not trimed.
05:41:42 ipsec,debug,packet debug: 0b000024 006e0b12 e93cf15f 0f973c84 dd076f94 2ddb278f 98ea7f30 6a0c4d45
05:41:42 ipsec,debug,packet debug: 3dc203b4 00000010 00000001 0304000e 0df3eefc 5c86cd9d 23d836b4 db5edf0b
05:41:42 ipsec,debug,packet debug: padding len=12
05:41:42 ipsec,debug,packet debug: skip to trim padding.
05:41:42 ipsec,debug,packet debug: decrypted.
05:41:42 ipsec,debug,packet debug: 9993c6e8 07f66e2a 1882b7d2 80e6ff6f 08100501 f81e177e 0000005c 0b000024
05:41:42 ipsec,debug,packet debug: 006e0b12 e93cf15f 0f973c84 dd076f94 2ddb278f 98ea7f30 6a0c4d45 3dc203b4
05:41:42 ipsec,debug,packet debug: 00000010 00000001 0304000e 0df3eefc 5c86cd9d 23d836b4 db5edf0b
05:41:42 ipsec,debug,packet debug: HASH with:
05:41:42 ipsec,debug,packet debug: f81e177e 00000010 00000001 0304000e 0df3eefc
05:41:42 ipsec,debug,packet debug: hmac(hmac_sha2_256)
05:41:42 ipsec,debug,packet debug: HASH computed:
05:41:42 ipsec,debug,packet debug: 006e0b12 e93cf15f 0f973c84 dd076f94 2ddb278f 98ea7f30 6a0c4d45 3dc203b4
05:41:42 ipsec,debug debug: hash validated.
05:41:42 ipsec,debug debug: begin.
05:41:42 ipsec,debug debug: seen nptype=8(hash) len=36
05:41:42 ipsec,debug debug: seen nptype=11(notify) len=16
05:41:42 ipsec,debug debug: succeed.
05:41:42 ipsec,debug debug: xxx.xxx.xxx.xxx notify: NO-PROPOSAL-CHOSEN
05:41:42 ipsec debug: xxx.xxx.xxx.xxx fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
05:41:42 ipsec,debug debug: xxx.xxx.xxx.xxx notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0df3eefc(size=4).


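The "HASH with:" dump in the log above is the plaintext of the Quick Mode message before encryption, so the SA payload the router offered can be read straight out of it; the decrypted reply carries the responder's Notification payload. The following decoder is an added example (not part of this thread and not MikroTik code): it parses that SA payload per RFC 2408/2407 and the IANA ESP transform numbers, lists every transform with its lifetime, key length, integrity algorithm and PFS group, and confirms that the NO-PROPOSAL-CHOSEN notify refers to the SPI just proposed. The two hex strings are copied from the log (re-joined across the wrapped lines); the helper and table names are this example's own.

```python
"""Decode the Quick Mode SA payload and the NO-PROPOSAL-CHOSEN notify from a RouterOS ipsec debug log.

Added example, not part of the forum thread or of RouterOS. SA_PAYLOAD_HEX is the
"HASH with:" dump minus the leading 4-byte message ID (d07e0989); NOTIFY_PAYLOAD_HEX
is the decrypted notify payload that followed the 36-byte HASH payload in the reply.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SA_PAYLOAD_HEX = (
    "0a0000b0 00000001 00000001 000000a4 01030405 0df3eefc "
    "03000020 010c0000 80010001 80020a8c 80040002 80060100 80050002 8003000e "
    "03000020 020d0000 80010001 80020a8c 80040002 80060100 80050002 8003000e "
    "03000020 030d0000 80010001 80020a8c 80040002 80060120 80050002 8003000e "
    "0300001c 04140000 80010001 80020a8c 80040002 80060100 8003000e "
    "0000001c 05140000 80010001 80020a8c 80040002 80060120 8003000e"
)
NOTIFY_PAYLOAD_HEX = "00000010 00000001 0304000e 0df3eefc"

# Code tables (names are this example's own; numbers are from the RFCs / IANA registries).
ESP_TRANSFORMS = {12: "AES-CBC", 13: "AES-CTR", 20: "AES-GCM-16"}      # IANA ESP transform IDs
ATTR_NAMES = {1: "life_type", 2: "life_duration", 3: "group",          # RFC 2407 section 4.5
              4: "encap_mode", 5: "auth_alg", 6: "key_length"}
AUTH_ALGS = {1: "HMAC-MD5", 2: "HMAC-SHA1"}
DH_GROUPS = {2: "modp1024", 14: "modp2048"}
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN"}                              # RFC 2408 section 3.14.1


@dataclass
class Transform:
    number: int
    transform_id: int
    attributes: Dict[str, int]


@dataclass
class Proposal:
    number: int
    protocol_id: int
    spi: str
    transforms: List[Transform]


def _u16(data: bytes, off: int) -> int:
    return int.from_bytes(data[off:off + 2], "big")


def parse_attributes(data: bytes) -> Dict[str, int]:
    """ISAKMP data attributes: bit 15 of the type set = 2-byte value (TV), clear = TLV."""
    attrs: Dict[str, int] = {}
    off = 0
    while off + 4 <= len(data):
        attr_type = _u16(data, off) & 0x7FFF
        if _u16(data, off) & 0x8000:
            value, off = _u16(data, off + 2), off + 4
        else:
            length = _u16(data, off + 2)
            value = int.from_bytes(data[off + 4:off + 4 + length], "big")
            off += 4 + length
        attrs[ATTR_NAMES.get(attr_type, f"attr{attr_type}")] = value
    return attrs


def parse_sa_payload(hex_dump: str) -> Proposal:
    """Parse an IPsec-DOI SA payload carrying a single proposal (what RouterOS sends in Quick Mode)."""
    data = bytes.fromhex(hex_dump.replace(" ", ""))
    if _u16(data, 2) != len(data):
        raise ValueError("SA payload length field does not match the dump")
    if int.from_bytes(data[4:8], "big") != 1:
        raise ValueError("not the IPsec DOI")
    off = 12  # past SA header (4), DOI (4) and situation (4)
    prop_no, proto_id, spi_size, n_transforms = data[off + 4:off + 8]
    spi = data[off + 8:off + 8 + spi_size].hex()
    off += 8 + spi_size
    transforms = []
    for _ in range(n_transforms):
        t_len = _u16(data, off + 2)
        transforms.append(Transform(data[off + 4], data[off + 5], parse_attributes(data[off + 8:off + t_len])))
        off += t_len
    return Proposal(prop_no, proto_id, spi, transforms)


def parse_notify_payload(hex_dump: str) -> Tuple[int, int, str, str]:
    """Return (doi, protocol_id, notify name, spi) from an ISAKMP Notification payload."""
    data = bytes.fromhex(hex_dump.replace(" ", ""))
    proto_id, spi_size = data[8], data[9]
    return (int.from_bytes(data[4:8], "big"), proto_id,
            NOTIFY_TYPES.get(_u16(data, 10), f"type {_u16(data, 10)}"), data[12:12 + spi_size].hex())


def describe(t: Transform) -> str:
    """One readable line per transform, e.g. '#1 AES-CBC key=256 auth=HMAC-SHA1 pfs=modp2048 life=2700s'."""
    a = t.attributes
    out = [f"#{t.number} {ESP_TRANSFORMS.get(t.transform_id, t.transform_id)}"]
    if "key_length" in a:
        out.append(f"key={a['key_length']}")
    if "auth_alg" in a:
        out.append(f"auth={AUTH_ALGS.get(a['auth_alg'], a['auth_alg'])}")
    if "group" in a:
        out.append(f"pfs={DH_GROUPS.get(a['group'], a['group'])}")
    if a.get("life_type") == 1:  # 1 = seconds
        out.append(f"life={a['life_duration']}s")
    return " ".join(out)


def pfs_groups(p: Proposal) -> Set[Optional[int]]:
    """DH groups demanded across all transforms; None marks a transform offered without PFS."""
    return {t.attributes.get("group") for t in p.transforms}


def rejected_spi_matches(p: Proposal, notify_hex: str) -> bool:
    """True when the NO-PROPOSAL-CHOSEN notify names the ESP SPI from this proposal."""
    _doi, proto_id, name, spi = parse_notify_payload(notify_hex)
    return name == "NO-PROPOSAL-CHOSEN" and proto_id == p.protocol_id and spi == p.spi


if __name__ == "__main__":
    prop = parse_sa_payload(SA_PAYLOAD_HEX)
    print(f"proposal {prop.number} proto={prop.protocol_id} (ESP) spi={prop.spi}")
    for t in prop.transforms:
        print("  " + describe(t))
    print("PFS groups required:", pfs_groups(prop))
    print("notify refers to our SPI:", rejected_spi_matches(prop, NOTIFY_PAYLOAD_HEX))
```

Run as-is it prints the five offered transforms (AES-CBC, two AES-CTR and two AES-GCM-16 variants), each with life=2700s (the 45 minute proposal lifetime) and pfs=modp2048, and reports that the responder's notify carries SPI 0df3eefc, the same SPI the router announced in its proposal. Every transform insisting on group 14 is exactly the condition that the thread's final fix (PFS Group = none) removes; the decoder makes that visible without guessing from the config.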

Anton777
Posts: 9
Joined: 02 Dec 2019, 13:33

nrg wrote: 14 Apr 2020, 20:08 Show the output of /ip ipsec export
/ip ipsec policy group
add name=group1
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 lifetime=2h
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=45m pfs-group=modp2048


nrg
Posts: 5
Joined: 11 Jul 2013, 13:37

Try specifying the peer explicitly. I use certificate authentication, so in your case the config will differ in that part. Here is how mine is set up:


/ip ipsec peer profile
add dh-group=modp1024 name=profile_1

/ip ipsec peer
add address=aa.bb.cc.dd/32 auth-method=rsa-signature certificate=user.crt_0 exchange-mode=main-l2tp profile=profile_1


/interface l2tp-client
add connect-to=aa.bb.cc.dd disabled=no name=l2tp-srv password=password use-ipsec=yes user=user


nrg
Posts: 5
Joined: 11 Jul 2013, 13:37

One more config variant, for a newer version (6.45.1)

/ip ipsec peer
add address=aa.bb.cc.dd/32 name=CR

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc

/ip ipsec identity
add auth-method=digital-signature certificate=client.crt_0 peer=CR

/ip ipsec policy
add dst-address=aa.bb.cc.dd/32 peer=CR protocol=udp src-address=0.0.0.0/0

/interface l2tp-client
add connect-to=aa.bb.cc.dd disabled=no name=l2tp-CR password=password use-ipsec=yes user=client


easyman
Posts: 108
Joined: 19 Oct 2018, 13:44

Yes, I wanted to avoid having to "specify the peer explicitly" :). You can also "play around" with PFS in the proposal: set modp1024 or disable it altogether.


Anton777
Posts: 9
Joined: 02 Dec 2019, 13:33

Thanks to everyone who tried to help!
Special thanks to easyman; without you this problem might well have remained unsolved!
Authorization succeeded after changing PFS Group to none in Proposals.

