Connecting a server to my home network via strongSwan (received INVALID_ID_INFORMATION error notify)

tra*_*mpi 2 vpn strongswan

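I am trying to set up a VPN connection from my root server to my home network with strongSwan. I have configured my router (FritzBox 7490) for a VPN PSK XAUTH connection. The VPN connection from my Android smartphone works.

I am struggling with the correct strongSwan configuration. I have studied the manual, but I am out of ideas. I am not even sure how to interpret the log.

The two configuration files and the log are: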

/etc/strongswan/ipsec.conf

#/etc/strongswan/ipsec.conf
config setup
        uniqueids=no
        #charondebug="ike 4, knl 4, cfg 4, mgr 4, chd 4, dmn 4, esp 4, lib 4, tnc 4"

conn %default
        ike=aes256-sha-modp1024!
        esp=3des-md5!
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1

conn wb
        auto=add
        aggressive=yes
        xauth_identity=montblanc
        left=5.196.66.46
        leftid=keyid:montblanc
        leftsourceip=%config4
        #leftgroups2=montblanc
        #leftfirewall=yes
        leftauth=psk
        leftauth2=xauth
        right=nanga.no-ip.biz
        rightid=%any
        rightsubnet=192.168.178.0/24
        rightauth=psk

/etc/ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets file
%any : PSK "something"
montblanc : XAUTH "somethingelse"

Log when connecting:

initiating Aggressive Mode IKE_SA wb[3] to 93.104.35.40
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
sending packet: from 5.196.66.46[500] to 93.104.35.40[500] (341 bytes)
received packet: from 93.104.35.40[500] to 5.196.66.46[500] (412 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V NAT-D NAT-D ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-03 vendor ID
received unknown vendor ID: a2:22:6f:c3:64:50:0f:56:34:ff:77:db:3b:74:f4:1b
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 5.196.66.46[500] to 93.104.35.40[500] (108 bytes)
received packet: from 93.104.35.40[500] to 5.196.66.46[500] (92 bytes)
parsed INFORMATIONAL_V1 request 3080152599 [ HASH N(INITIAL_CONTACT) ]
received packet: from 93.104.35.40[500] to 5.196.66.46[500] (92 bytes)
parsed TRANSACTION request 3809505870 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 3809505870 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 5.196.66.46[500] to 93.104.35.40[500] (108 bytes)
received packet: from 93.104.35.40[500] to 5.196.66.46[500] (76 bytes)
parsed TRANSACTION request 3809505870 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'montblanc' (myself) successful
IKE_SA wb[3] established between 5.196.66.46[montblanc]...93.104.35.40[93.104.35.40]
scheduling reauthentication in 3410s
maximum IKE_SA lifetime 3590s
generating TRANSACTION response 3809505870 [ HASH CPA(X_STATUS) ]
sending packet: from 5.196.66.46[500] to 93.104.35.40[500] (76 bytes)
generating TRANSACTION request 835986006 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 5.196.66.46[500] to 93.104.35.40[500] (76 bytes)
received packet: from 93.104.35.40[500] to 5.196.66.46[500] (76 bytes)
parsed TRANSACTION response 835986006 [ HASH CPRP(ADDR DNS) ]
installing DNS server 192.168.178.1 to /etc/strongswan/resolv.conf
installing new virtual IP 192.168.178.202
generating QUICK_MODE request 2471505598 [ HASH SA No ID ID ]
sending packet: from 5.196.66.46[500] to 93.104.35.40[500] (172 bytes)
received packet: from 93.104.35.40[500] to 5.196.66.46[500] (76 bytes)
parsed INFORMATIONAL_V1 request 1883469062 [ HASH N(INVAL_ID) ]
received INVALID_ID_INFORMATION error notify
establishing connection 'wb' failed

I would appreciate any suggestions.

ecd*_*dsa 5

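When a client receives an INVALID_ID_INFORMATION notify during an IKEv1 Quick Mode exchange, it means the responder did not like the contents of the ID payloads, which are used to transmit the traffic selectors (subnets) in these exchanges. This could be because the subnets are not configured correctly (they have to match on both ends). Compare the configurations and, depending on the implementation, consulting the responder's log might help.

Some IKEv1 implementations use the Cisco Unity extensions, which allow the remote subnets of a tunnel to be transmitted during the ModeConfig exchange. Often, they expect the remote subnet in the Quick Mode exchange to be set to 0.0.0.0/0 instead of any actual subnet. So try enabling the unity plugin in strongSwan and configuring rightsubnet=0.0.0.0/0, which might be what the responder expects.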
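
The following Python example is added here and is not part of the original answer or of strongSwan. It walks charon output like the log in the question, records which IKEv1 stages were reached before the error notify, and applies the interpretation given above when the notify is INVALID_ID_INFORMATION. The function name `diagnose`, the stage labels and the hint text are assumptions made for this example; the sample log is a constructed excerpt of the log in the question.

```python
import re

# Constructed sample: a shortened excerpt of the charon output in the question.
SAMPLE_LOG = """\
initiating Aggressive Mode IKE_SA wb[3] to 93.104.35.40
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V V NAT-D NAT-D ]
XAuth authentication of 'montblanc' (myself) successful
IKE_SA wb[3] established between 5.196.66.46[montblanc]...93.104.35.40[93.104.35.40]
parsed TRANSACTION response 835986006 [ HASH CPRP(ADDR DNS) ]
installing new virtual IP 192.168.178.202
generating QUICK_MODE request 2471505598 [ HASH SA No ID ID ]
parsed INFORMATIONAL_V1 request 1883469062 [ HASH N(INVAL_ID) ]
received INVALID_ID_INFORMATION error notify
establishing connection 'wb' failed
"""

# IKEv1 stages (labels are hypothetical) and the charon message marking each.
MILESTONES = [
    ("phase1", re.compile(r"IKE_SA \S+ established between")),
    ("xauth", re.compile(r"XAuth authentication of .* successful")),
    ("modecfg", re.compile(r"installing new virtual IP (\S+)")),
    ("quick_mode_sent", re.compile(r"generating QUICK_MODE request")),
    ("child_sa", re.compile(r"CHILD_SA \S+ established")),
]
ERROR_NOTIFY = re.compile(r"received (\w+) error notify")

def diagnose(log):
    """Return the stages reached (in log order), the first error notify, and a hint."""
    reached, error, vip = [], None, None
    for line in log.splitlines():
        for name, pattern in MILESTONES:
            m = pattern.search(line)
            if m and name not in reached:
                reached.append(name)
                if name == "modecfg":
                    vip = m.group(1)  # virtual IP handed out via ModeConfig
        m = ERROR_NOTIFY.search(line)
        if m and error is None:
            error = m.group(1)
    hint = None
    # Authentication succeeded but Quick Mode was refused: the ID payloads
    # (traffic selectors) are what the responder rejected.
    if error == "INVALID_ID_INFORMATION" and "quick_mode_sent" in reached:
        hint = ("responder rejected the Quick Mode ID payloads; "
                "the subnets must match on both ends")
    return {"reached": reached, "error": error, "virtual_ip": vip, "hint": hint}
```

Run against the question's log, the result shows that PSK, XAuth and ModeConfig all completed and only the Quick Mode traffic selectors were refused, which narrows the problem to the subnet settings rather than the secrets.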