Comunidad FORTIGATE.es

Amigos,

Tengo problemas para instalar una VPN L2TP en Fortinet 200B.
He configurado una VPN acuerdo con el manual a continuación:
[Debes identificarte para poder ver enlaces.]

En los registros de eventos del servidor de seguridad que negocia la fase 2, después de la mayor parte del error en la conexión

Depuración Habilitei de error, siga el registro:

create_new_tunnel()-91: Allocated new Tunnel id=381, total count = 90
handle_control_packet()-550:
check_control_hdr()-173: check_control_hdr: control, peer_call_id = 0, Ns = 0, Nr = 0
check_control_hdr()-185: Updated control rec seqno. Value is now 1
__avp_protocol_version()-233: peer is using version 8, revision 128.
__avp_framing_caps()-248: supported peer framing:
__avp_bearer_caps()-264: supported peer bearers:
__avp_firmware_rev()-279: peer's firmware version 2048
_avp_hostname()-295: Peer's hostname is 'nagios.dominio.com.br'
__avp_vendor()-310: peer's vendor 'Microsoft'
__avp_assigned_tunnel()-339: peer's tunnel 3
avp_receive_window_size()-359: peer's RWS 8.
run_ctrl_state_machine()-91: run_ctrl_state_machine: message type is (1). Tunnel is 3, call is 0.
run_ctrl_state_machine()-97: ** run_ctrl_state_machine - SCCRQ **
run_ctrl_state_machine()-108: Rule 189.119.180.211 to 189.119.180.211avp_put_hostname()-84: Sent the host name = 189.1
run_ctrl_state_machine()-165: Sending SCCRP
schedule_event()-94:
schedule_event()-100: Message due 1087321943, now = 1087321843
create_new_tunnel()-91: Allocated new Tunnel id=383, total count = 91
handle_control_packet()-550:
check_control_hdr()-173: check_control_hdr: control, peer_call_id = 0, Ns = 0, Nr = 0
check_control_hdr()-185: Updated control rec seqno. Value is now 1
__avp_protocol_version()-233: peer is using version 8, revision 128.
__avp_framing_caps()-248: supported peer framing:
__avp_bearer_caps()-264: supported peer bearers:
__avp_firmware_rev()-279: peer's firmware version 2048
_avp_hostname()-295: Peer's hostname is 'nagios.dominio.com.br'
__avp_vendor()-310: peer's vendor 'Microsoft'
__avp_assigned_tunnel()-339: peer's tunnel 3
avp_receive_window_size()-359: peer's RWS 8.
run_ctrl_state_machine()-91: run_ctrl_state_machine: message type is (1). Tunnel is 3, call is 0.
run_ctrl_state_machine()-97: ** run_ctrl_state_machine - SCCRQ **
run_ctrl_state_machine()-108: Rule 189.119.180.211 to 189.119.180.211L2TPD 96: 136:Peer requested tunnel 3 twice, will ignore second one.
l2tp_handle_calls()-300: closing The master call
close_call()-409: ** close_call **
schedule_event()-94:
schedule_event()-100: Message due 1087322040, now = 1087321940
close_call()-424: Closing call 384
free_call()-211: ** free_call **
create_new_tunnel()-91: Allocated new Tunnel id=385, total count = 92
handle_control_packet()-550:
handle_control_packet()-579: L2TP received control ZLB.
l2tp_handle_calls()-287: closing down tunnel 383
close_tunnel()-445: ** close_tunnel **
close_tunnel()-458: Closing and destroying tunnel 383
L2TPD 26: 460:Client 189.119.180.211 control connection (id 383) finished
close_calls_for_tunnel()-100:
free_call()-211: ** free_call **
free_tunnel()-117: Done close_calls_for_tunnel
create_new_tunnel()-91: Allocated new Tunnel id=387, total count = 92
handle_control_packet()-550:
check_control_hdr()-173: check_control_hdr: control, peer_call_id = 0, Ns = 0, Nr = 0
check_control_hdr()-185: Updated control rec seqno. Value is now 1
__avp_protocol_version()-233: peer is using version 8, revision 128.
__avp_framing_caps()-248: supported peer framing:
__avp_bearer_caps()-264: supported peer bearers:
__avp_firmware_rev()-279: peer's firmware version 2048
_avp_hostname()-295: Peer's hostname is 'nagios.dominio.com.br'
__avp_vendor()-310: peer's vendor 'Microsoft'
__avp_assigned_tunnel()-339: peer's tunnel 3
avp_receive_window_size()-359: peer's RWS 8.
run_ctrl_state_machine()-91: run_ctrl_state_machine: message type is (1). Tunnel is 3, call is 0.
run_ctrl_state_machine()-97: ** run_ctrl_state_machine - SCCRQ **
run_ctrl_state_machine()-108: Rule 189.119.180.211 to 189.119.180.211L2TPD 96: 136:Peer requested tunnel 3 twice, will ignore second one.
l2tp_handle_calls()-300: closing The master call
close_call()-409: ** close_call **
schedule_event()-94:
schedule_event()-100: Message due 1087322238, now = 1087322138
close_call()-424: Closing call 388
free_call()-211: ** free_call **
create_new_tunnel()-91: Allocated new Tunnel id=389, total count = 93
handle_control_packet()-550:
handle_control_packet()-579: L2TP received control ZLB.
l2tp_handle_calls()-287: closing down tunnel 387
close_tunnel()-445: ** close_tunnel **
close_tunnel()-458: Closing and destroying tunnel 387
L2TPD 26: 460:Client 189.119.180.211 control connection (id 387) finished
close_calls_for_tunnel()-100:
free_call()-211: ** free_call **
free_tunnel()-117: Done close_calls_for_tunnel
create_new_tunnel()-91: Allocated new Tunnel id=391, total count = 93
handle_control_packet()-550:
check_control_hdr()-173: check_control_hdr: control, peer_call_id = 0, Ns = 0, Nr = 0
check_control_hdr()-185: Updated control rec seqno. Value is now 1
__avp_protocol_version()-233: peer is using version 8, revision 128.
__avp_framing_caps()-248: supported peer framing:
__avp_bearer_caps()-264: supported peer bearers:
__avp_firmware_rev()-279: peer's firmware version 2048
_avp_hostname()-295: Peer's hostname is 'nagios.dominio.com.br'
__avp_vendor()-310: peer's vendor 'Microsoft'
__avp_assigned_tunnel()-339: peer's tunnel 3
avp_receive_window_size()-359: peer's RWS 8.
run_ctrl_state_machine()-91: run_ctrl_state_machine: message type is (1). Tunnel is 3, call is 0.
run_ctrl_state_machine()-97: ** run_ctrl_state_machine - SCCRQ **
run_ctrl_state_machine()-108: Rule 189.119.180.211 to 189.119.180.211L2TPD 96: 136:Peer requested tunnel 3 twice, will ignore second one.
l2tp_handle_calls()-300: closing The master call
close_call()-409: ** close_call **
schedule_event()-94:
schedule_event()-100: Message due 1087322638, now = 1087322538
close_call()-424: Closing call 392
free_call()-211: ** free_call **
create_new_tunnel()-91: Allocated new Tunnel id=393, total count = 94
handle_control_packet()-550:
handle_control_packet()-579: L2TP received control ZLB.
l2tp_handle_calls()-287: closing down tunnel 391
close_tunnel()-445: ** close_tunnel **
close_tunnel()-458: Closing and destroying tunnel 391
L2TPD 26: 460:Client 189.119.180.211 control connection (id 391) finished
close_calls_for_tunnel()-100:
free_call()-211: ** free_call **
free_tunnel()-117: Done close_calls_for_tunnel
create_new_tunnel()-91: Allocated new Tunnel id=395, total count = 94
handle_control_packet()-550:
check_control_hdr()-173: check_control_hdr: control, peer_call_id = 0, Ns = 0, Nr = 0
check_control_hdr()-185: Updated control rec seqno. Value is now 1
__avp_protocol_version()-233: peer is using version 8, revision 128.
__avp_framing_caps()-248: supported peer framing:
__avp_bearer_caps()-264: supported peer bearers:
__avp_firmware_rev()-279: peer's firmware version 2048
_avp_hostname()-295: Peer's hostname is 'nagios.dominio.com.br'
__avp_vendor()-310: peer's vendor 'Microsoft'
__avp_assigned_tunnel()-339: peer's tunnel 3
avp_receive_window_size()-359: peer's RWS 8.
run_ctrl_state_machine()-91: run_ctrl_state_machine: message type is (1). Tunnel is 3, call is 0.
run_ctrl_state_machine()-97: ** run_ctrl_state_machine - SCCRQ **
run_ctrl_state_machine()-108: Rule 189.119.180.211 to 189.119.180.211L2TPD 96: 136:Peer requested tunnel 3 twice, will ignore second one.
l2tp_handle_calls()-300: closing The master call
close_call()-409: ** close_call **
schedule_event()-94:
schedule_event()-100: Message due 1087323450, now = 1087323350
close_call()-424: Closing call 396
free_call()-211: ** free_call **
create_new_tunnel()-91: Allocated new Tunnel id=397, total count = 95
handle_control_packet()-550:
handle_control_packet()-579: L2TP received control ZLB.
l2tp_handle_calls()-287: closing down tunnel 395
close_tunnel()-445: ** close_tunnel **
close_tunnel()-458: Closing and destroying tunnel 395
L2TPD 26: 460:Client 189.119.180.211 control connection (id 395) finished
close_calls_for_tunnel()-100:
free_call()-211: ** free_call **
free_tunnel()-117: Done close_calls_for_tunnel
create_new_tunnel()-91: Allocated new Tunnel id=399, total count = 95
handle_control_packet()-550:
check_control_hdr()-173: check_control_hdr: control, peer_call_id = 0, Ns = 0, Nr = 0
check_control_hdr()-185: Updated control rec seqno. Value is now 1
__avp_protocol_version()-233: peer is using version 8, revision 128.
__avp_framing_caps()-248: supported peer framing:
__avp_bearer_caps()-264: supported peer bearers:
__avp_firmware_rev()-279: peer's firmware version 2048
_avp_hostname()-295: Peer's hostname is 'nagios.dominio.com.br'
__avp_vendor()-310: peer's vendor 'Microsoft'
__avp_assigned_tunnel()-339: peer's tunnel 3
avp_receive_window_size()-359: peer's RWS 8.
run_ctrl_state_machine()-91: run_ctrl_state_machine: message type is (1). Tunnel is 3, call is 0.
run_ctrl_state_machine()-97: ** run_ctrl_state_machine - SCCRQ **
run_ctrl_state_machine()-108: Rule 189.119.180.211 to 189.119.180.211L2TPD 96: 136:Peer requested tunnel 3 twice, will ignore second one.
l2tp_handle_calls()-300: closing The master call
close_call()-409: ** close_call **
schedule_event()-94:
schedule_event()-100: Message due 1087324440, now = 1087324340
close_call()-424: Closing call 400
free_call()-211: ** free_call **
create_new_tunnel()-91: Allocated new Tunnel id=401, total count = 96
handle_control_packet()-550:
handle_control_packet()-579: L2TP received control ZLB.
l2tp_handle_calls()-287: closing down tunnel 399
close_tunnel()-445: ** close_tunnel **
close_tunnel()-458: Closing and destroying tunnel 399
L2TPD 26: 460:Client 189.119.180.211 control connection (id 399) finished
close_calls_for_tunnel()-100:
free_call()-211: ** free_call **
free_tunnel()-117: Done close_calls_for_tunnel

Hola una vpn l2tp (es similar a la pptp)no se configura ninguna phase ipsec.

salvo que lo que quieras haces es l2tp sobre ipsec..


saludos

Hola,

La VPN L2TP con IPSec, estoy teniendo dificultades para completar la conexión.

hola, podrias mostrar lo que configuraste?

saludos

FGT-0~ # show vpn l2tp
config vpn l2tp
set eip 192.168.50.20
set sip 192.168.50.10
set status enable
set usrgrp "VPN-L2TP"
end

FGT-0~ # show vpn ipsec phase1
config vpn ipsec phase1
edit "L2TP-P1"
set type dynamic
set interface "port1"
set dhgrp 2
set proposal aes256-md5 3des-sha1 aes192-sha1
set psksecret ENC password
next
end

FGT-0~ # show vpn ipsec phase2
config vpn ipsec phase2
edit "L2TP-P2"
set encapsulation transport-mode
set keylife-type both
set pfs disable
set phase1name "L2TP-P1"
set proposal aes256-md5 3des-sha1 aes192-sha1
set keylifekbs 250000
set keylifeseconds 3600
next
end

config firewall policy
edit 142
set srcintf "REDE_INTERNA"
set dstintf "ZONA_INTERNET"
set srcaddr "all"
set dstaddr "all"
set action ipsec
set schedule "always"
set service "ANY"
set inbound enable
set outbound enable
set vpntunnel "L2TP-P1"
next
end

config firewall policy
edit 144
set srcintf "ZONA_INTERNET"
set dstintf "REDE_INTERNA"
set srcaddr "L2TP-CLIENT"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
next
end

hola eso esta bien
y estas probando desde una red diferente y en internet?

saludos

Sí,
Estoy probando un Internet móvil, la 3G.

Alguna sugerencia?

hola, desde windows te pide user y pass?
que error te da?


"zona internet" es port1???

ejemplo l2tp y ipsec:

config vpn l2tp
set sip 192.168.0.50
set eip 192.168.0.59
set status enable
set usrgrp "L2TP_group"
end

config vpn ipsec phase1
edit dialup_p1
set type dynamic
set interface port1
set mode main
set psksecret ********
set proposal aes256-md5 3des-sha1 aes192-sha1
set dhgrp 2
set nattraversal enable
set dpd enable
end

onfig vpn ipsec phase2
edit dialup_p2
set phase1name dialup_p1
set proposal aes256-md5 3des-sha1 aes192-sha1
set replay enable
set pfs disable
set keylifeseconds 3600
set encapsulation transport-mode
end

la red l2tp que sea diferente a las redes internas tuyas.

saludos

Primero, gracias por ayudarme a este.

Zone_Internet dos puertas con conexión a Internet, el puerto 1 y el puerto 3, un equilibrio de carga.

Voy a probar lo que me pare ahora y enviar el resultado.

si es una zona, omo te aseguras que ese trafico entre y salga por la wan1?
medio raro eso...
para hacer equilibrio no necesitas que esten en zona..
saludos

hola he cambiado el puerto a otro enlace, al parecer, se ha resuelto, ahora tengo dificultades a la hora de registrar el cliente VPN, la depuración de error siguiente:

find_tunnel_call () -183: no puede encontrar túnel de 1049
handle_network_packet () -197: L2TP: Túnel de 1049 no es válido paquete entrante (llamada = 1050).

que rosolviste entonces?

Yo no podía resolver, acaba de cambiar el error al cambiar la interfaz. Él intenta autenticar al usuario y al intentar registrar el PC de la red de la VPN se desconecta.

VPN se conecta, pero se reduce después de unos minutos.
Siga ERROR LOG:

create_new_tunnel()-91: Allocated new Tunnel id=1, total count = 1
handle_control_packet()-550:
check_control_hdr()-173: check_control_hdr: control, peer_call_id = 0, Ns = 0, Nr = 0
check_control_hdr()-185: Updated control rec seqno. Value is now 1
__avp_protocol_version()-233: peer is using version 8, revision 128.
__avp_framing_caps()-248: supported peer framing:
__avp_bearer_caps()-264: supported peer bearers:
__avp_firmware_rev()-279: peer's firmware version 2048
_avp_hostname()-295: Peer's hostname is 'nagios.dominio.com.br'
__avp_vendor()-310: peer's vendor 'Microsoft'
__avp_assigned_tunnel()-339: peer's tunnel 39
avp_receive_window_size()-359: peer's RWS 8.
run_ctrl_state_machine()-91: run_ctrl_state_machine: message type is (1). Tunnel is 39, call is 0.
run_ctrl_state_machine()-97: ** run_ctrl_state_machine - SCCRQ **
run_ctrl_state_machine()-108: Rule 177.109.159.62 to 177.109.159.62avp_put_hostname()-84: Sent the host name = 177.1
run_ctrl_state_machine()-165: Sending SCCRP
schedule_event()-94:
schedule_event()-100: Message due 1104927168, now = 1104927068
handle_control_packet()-550:
check_control_hdr()-173: check_control_hdr: control, peer_call_id = 0, Ns = 1, Nr = 1
check_control_hdr()-185: Updated control rec seqno. Value is now 2
run_ctrl_state_machine()-91: run_ctrl_state_machine: message type is (3). Tunnel is 39, call is 0.
run_ctrl_state_machine()-174: ** run_ctrl_state_machine - SCCCN **
L2TPD 97: 179:Connection established to 177.109.159.62, 1701. Local: 1, Remote: 39.
start_hello_timer()-59: L2TP: starting Hello timer for tunnel 39, next in 60 seconds.
schedule_event()-94:
schedule_event()-100: Message due 1104933138, now = 1104927138
handle_network_packet()-262: Sending a ZLB to acknowledge last message
send_zlb()-73: ** send_zlb **
handle_control_packet()-550:
check_control_hdr()-173: check_control_hdr: control, peer_call_id = 0, Ns = 2, Nr = 1
check_control_hdr()-185: Updated control rec seqno. Value is now 3
__avp_assigned_call()-392: Parsed new call id of 1
__avp_call_serno()-418: serial number is 0
__avp_bearer_type()-445: peer's bears anamylog
run_ctrl_state_machine()-91: run_ctrl_state_machine: message type is (10). Tunnel is 39, call is 1.
run_ctrl_state_machine()-224: ** run_ctrl_state_machine - ICRQ **
run_ctrl_state_machine()-234: New call was created for tunnel 39, call id = 1
run_ctrl_state_machine()-290: This call is the master_call, its peer_call_id = 2
run_ctrl_state_machine()-298: run_ctrl_state_machine: sending ICRP
schedule_event()-94:
schedule_event()-100: Message due 1104927252, now = 1104927152
handle_control_packet()-550:
check_control_hdr()-173: check_control_hdr: control, peer_call_id = 1, Ns = 3, Nr = 2
check_control_hdr()-185: Updated control rec seqno. Value is now 4
__avp_tx_speed()-495: TX is 3600000
__avp_frame_type()-474: peer's framing sync
avp_handler()-723: AVP 29 was ignored
run_ctrl_state_machine()-91: run_ctrl_state_machine: message type is (12). Tunnel is 39, call is 1.
run_ctrl_state_machine()-307: ** run_ctrl_state_machine - ICCN **
start_pppd()-156: Starting pppd
L2TPD 29: 157:Starting call (launching pppd, opening GRE)
run_ctrl_state_machine()-327: Call established with 177.109.159.62, Local: 2, Remote: 1, Serial: 0
handle_network_packet()-262: Sending a ZLB to acknowledge last message
send_zlb()-73: ** send_zlb **
L2TPD 25: 315:Client 177.109.159.62 control connection started (id 1), assigned ip 192.168.50.10
start_pppd()-328: /bin/pppd start_pppd()-328: 0 start_pppd()-328: l2tp start_pppd()-328: port2 start_pppd()-328: local start_pppd()-328: file start_pppd()-328: /etc/ppp/options start_pppd()-328: 115200 start_pppd()-328: 201.20.93.114:192.168.50.10 start_pppd()-328: +pap start_pppd()-328: +chap start_pppd()-328: peer-remote start_pppd()-328: 177.109.159.62 start_pppd()-328: lcp-echo-interval start_pppd()-328: 5 start_pppd()-328: lcp-echo-failure start_pppd()-328: 3 start_pppd()-330:
monitor_ctrl_pkt_xmit()-95:
monitor_ctrl_pkt_xmit()-117: L2TP: Peer ack'ed control packet.
monitor_ctrl_pkt_xmit()-95:
monitor_ctrl_pkt_xmit()-117: L2TP: Peer ack'ed control packet.
ike 0: IP 201.20.93.114 (28) is down
ike 0: IP 201.20.93.114 (28) is down
child_handler()-114: Child handler 28844
vf_close_calls_pppd()-75:
L2TPD 87: 86:pppd died for call 1
l2tp_vdbind_msg_handler()-87: del_vdbind message:vd=root 0 devindex=28 ppp0
l2tp_handle_calls()-300: closing The master call
close_call()-409: ** close_call **
close_call()-430: Request peer to close call 2
schedule_event()-94:
schedule_event()-100: Message due 1104930004, now = 1104929904
l2tp_handle_calls()-300: closing The master call
close_call()-409: ** close_call **
close_call()-430: Request peer to close call 2
schedule_event()-94:
schedule_event()-100: Message due 1104930019, now = 1104929919
l2tp_handle_calls()-300: closing The master call
close_call()-409: ** close_call **
close_call()-430: Request peer to close call 2
schedule_event()-94:
schedule_event()-100: Message due 1104930096, now = 1104929996
l2tp_handle_calls()-300: closing The master call
close_call()-409: ** close_call **
close_call()-430: Request peer to close call 2
schedule_event()-94:
schedule_event()-100: Message due 1104930103, now = 1104930003
l2tp_handle_calls()-300: closing The master call
close_call()-409: ** close_call **
close_call()-430: Request peer to close call 2
schedule_event()-94:
schedule_event()-100: Message due 1104930171, now = 1104930071
l2tp_handle_calls()-300: closing The master call
close_call()-409: ** close_call **
close_call()-430: Request peer to close call 2
schedule_event()-94:
schedule_event()-100: Message due 1104930256, now = 1104930156
l2tp_handle_calls()-300: closing The master call
close_call()-409: ** close_call **
close_call()-424: Closing call 2
free_call()-211: ** free_call **
monitor_ctrl_pkt_xmit()-95:
monitor_ctrl_pkt_xmit()-124: The resent packet Nr = 4
monitor_ctrl_pkt_xmit()-147: L2TP: Retransmitting packet... timeout in 1 seconds.
schedule_event()-94:
schedule_event()-100: Message due 1104930272, now = 1104930172
monitor_ctrl_pkt_xmit()-95:
monitor_ctrl_pkt_xmit()-124: The resent packet Nr = 4
monitor_ctrl_pkt_xmit()-147: L2TP: Retransmitting packet... timeout in 1 seconds.
schedule_event()-94:
schedule_event()-100: Message due 1104930272, now = 1104930172
monitor_ctrl_pkt_xmit()-95:
monitor_ctrl_pkt_xmit()-124: The resent packet Nr = 4
monitor_ctrl_pkt_xmit()-147: L2TP: Retransmitting packet... timeout in 1 seconds.
schedule_event()-94:
schedule_event()-100: Message due 1104930272, now = 1104930172
monitor_ctrl_pkt_xmit()-95:
monitor_ctrl_pkt_xmit()-124: The resent packet Nr = 4
monitor_ctrl_pkt_xmit()-147: L2TP: Retransmitting packet... timeout in 1 seconds.
schedule_event()-94:
schedule_event()-100: Message due 1104930272, now = 1104930172
monitor_ctrl_pkt_xmit()-95:
monitor_ctrl_pkt_xmit()-124: The resent packet Nr = 4
monitor_ctrl_pkt_xmit()-147: L2TP: Retransmitting packet... timeout in 1 seconds.
schedule_event()-94:
schedule_event()-100: Message due 1104930272, now = 1104930172
l2tp_handle_calls()-287: closing down tunnel 1
close_tunnel()-445: ** close_tunnel **
close_tunnel()-458: Closing and destroying tunnel 1
L2TPD 26: 460:Client 177.109.159.62 control connection (id 1) finished
close_calls_for_tunnel()-100:
free_call()-211: ** free_call **
free_tunnel()-117: Done close_calls_for_tunnel
find_tunnel_call()-183: can't find tunnel 1
handle_network_packet()-197: L2TP: invalid tunnel 1 for incoming packet (call=2).
find_tunnel_call()-183: can't find tunnel 1
handle_network_packet()-197: L2TP: invalid tunnel 1 for incoming packet (call=2).
find_tunnel_call()-183: can't find tunnel 1