When Windows 8 tries to connect to my Strongswan VPN it fails with the following error:
Error 13843: Invalid payload received.
I don't know how to fix it or what is causing it. My charon log has this:
15[IKE] IKE_SA roadwarrior[2] established between 10.0.10.81[DNREDACTED1]...75.108.226.117[DNREDACTED2]
15[IKE] scheduling reauthentication in 9771s
15[IKE] maximum IKE_SA lifetime 10311s
15[IKE] sending end entity cert "REDACTED GW CERT"
15[IKE] peer requested virtual IP %any
15[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
15[IKE] configuration payload negotiation failed, no CHILD_SA built
15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
15[NET] sending packet: from 10.0.10.81[4500] to 75.108.226.117[4500]
16[NET] received packet: from 75.108.226.117[4500] to 10.0.10.81[4500]
16[ENC] parsed INFORMATIONAL request 2 [ D ]
16[IKE] received DELETE for IKE_SA roadwarrior[2]
16[IKE] deleting IKE_SA roadwarrior[2] between 10.0.10.81[DNREDACTED1]...75.108.226.117[DNREDACTED2]
16[IKE] IKE_SA deleted
16[ENC] generating INFORMATIONAL response 2 [ ]
16[NET] sending packet: from 10.0.10.81[4500] to 75.108.226.117[4500]
ipsec.conf file:

conn %default
    dpdaction=clear
    dpddelay=300s
    keyexchange=ikev2
    auto=add

conn roadwarrior
    keyexchange=ikev2
    auto=add
    left=%defaultroute
    leftcert=gw-cert.pem
    leftsubnet=10.0.10.0/24
    right=%any
    rightsubnet=192.168.1.1/24
strongswan.conf:

charon {
    threads = 16

    # Two defined file loggers. Each subsection is either a file
    # in the filesystem or one of: stdout, stderr.
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 1
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
            # prepend connection name, simplifies grepping
            ike_name = yes
        }
    }

    # And two loggers using syslog. The subsections define the facility to log
    # to, currently one of: daemon, auth.
    syslog {
        # optional identifier used with openlog(3), prepended to each log message
        # by syslog. if not configured, openlog(3) is not called, so the value will
        # depend on system defaults (usually the program name)
        identifier = charon-custom
        # default level to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }

    dns1 = 4.2.2.1
    dns2 = 4.2.2.2
}
In your ipsec.conf you have

rightsubnet=192.168.1.1/24

It should be

rightsourceip=192.168.1.1/24

left/rightsubnet is documented as:

left|rightsubnet = <ip subnet>[[<proto/port>]][,...]

private subnet behind the left participant, expressed as network/netmask; if omitted, essentially assumed to be left/32|128, signifying that the left end of the connection goes to the left participant only. The configured subnets of the peers may differ, the protocol narrows it to the greatest common subnet. Since 5.0.0 this is also done for IKEv1, but as this may lead to problems with other implementations, make sure to configure identical subnets in such configurations. IKEv2 supports multiple subnets separated by commas, IKEv1 only interprets the first subnet of such a definition, unless the Cisco Unity extension plugin is enabled (available since 5.0.1).

Since 5.1.0 an optional part after each subnet enclosed in square brackets specifies a protocol/port to restrict the selector for that subnet. Examples: leftsubnet=10.0.0.1[tcp/http],10.0.0.2[6/80] or leftsubnet=fec1::1[udp],10.0.0.0/16[/53]. Instead of omitting either value %any can be used to the same effect, e.g. leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53].

For RFC 4301 OPAQUE selectors the port value may also be %opaque, or a numeric range in the form 1024-65535. None of the kernel backends supports opaque or port ranges and uses %any for policy installation instead.

Instead of specifying a subnet, %dynamic can be used to replace it with the IKE address, having the same effect as omitting left|rightsubnet completely. Using %dynamic can be used to define multiple dynamic selectors, each having a potentially different protocol/port definition.

whereas rightsourceip is documented as:

rightsourceip = %config|<network>/<netmask>|%poolname

The internal source IP to use in a tunnel for the remote peer. If the value is %config on the responder side, the initiator must propose an address which is then echoed back. Also supported are address pools expressed as network/netmask or the use of an external IP address pool using %poolname, where poolname is the name of the IP address pool used for the lookup (see Virtual IP for details). Since 5.0.1 a comma separated list of IP addresses/pools is accepted, e.g. to define pools of different address families.
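As an added example, not part of the question or the answer above and not strongSwan code, the following Python script parses an ipsec.conf in the shape posted in the question, folds in the values from conn %default, and flags any conn that accepts arbitrary peers (right=%any) without a rightsourceip. That is precisely the state the charon log in the question records: the peer asks for a virtual IP, charon finds no pool ("no virtual IP found, sending INTERNAL_ADDRESS_FAILURE"), and no CHILD_SA is built, after which the Windows client deletes the IKE_SA. The two sample configurations are constructed for the example: the first is the question's conn, the second applies the answer's fix. The function and constant names are my own; the parser covers only the subset of the ipsec.conf grammar the question uses.

```python
"""Lint a strongSwan ipsec.conf for road-warrior conns that cannot hand out a virtual IP.

Added example for this thread (not strongSwan code). Handles only the subset of the
ipsec.conf grammar the question uses: 'conn <name>' sections, indented key=value
lines, '#' comments, and inheritance from 'conn %default'.
"""
import ipaddress
import re

# Constructed sample: the conn sections from the question, verbatim.
IPSEC_CONF_BROKEN = """\
conn %default
    dpdaction=clear
    dpddelay=300s
    keyexchange=ikev2
    auto=add

conn roadwarrior
    keyexchange=ikev2
    auto=add
    left=%defaultroute
    leftcert=gw-cert.pem
    leftsubnet=10.0.10.0/24
    right=%any
    rightsubnet=192.168.1.1/24
"""

# Constructed sample: the same conn with the answer's fix. rightsourceip is an address
# pool the client draws a virtual IP from; rightsubnet is a traffic selector and, for a
# road warrior, is derived from the assigned virtual IP rather than configured.
IPSEC_CONF_FIXED = IPSEC_CONF_BROKEN.replace(
    "rightsubnet=192.168.1.1/24", "rightsourceip=192.168.1.1/24")

_CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
_OTHER_SECTION_RE = re.compile(r"^(config|ca)\s")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' folded into every conn."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing whitespace
        if not line.strip():
            continue
        m = _CONN_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if _OTHER_SECTION_RE.match(line):      # 'config setup' / 'ca <name>': not a conn
            current = None
            continue
        if current is None:                    # parameter outside any conn section
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            current[key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}


def pool_network(spec):
    """Normalise a rightsourceip pool such as '192.168.1.1/24' to its network.
    %config and %poolname are not local pools and yield None."""
    if spec.startswith("%"):
        return None
    return str(ipaddress.ip_network(spec, strict=False))   # 192.168.1.1/24 -> 192.168.1.0/24


def find_virtual_ip_problems(text):
    """List conns that accept any peer (right=%any) but define no rightsourceip.

    A client that requests a virtual IP from such a conn gets INTERNAL_ADDRESS_FAILURE
    and no CHILD_SA, which is what the charon log in the question shows.
    """
    problems = []
    for name, opts in parse_ipsec_conf(text).items():
        if opts.get("right") != "%any" or "rightsourceip" in opts:
            continue
        msg = (f"conn {name}: right=%any but no rightsourceip; a client requesting a "
               f"virtual IP will get INTERNAL_ADDRESS_FAILURE")
        if "rightsubnet" in opts:
            msg += (f" (rightsubnet={opts['rightsubnet']} is a traffic selector, "
                    f"not an address pool; did you mean rightsourceip?)")
        problems.append(msg)
    return problems


if __name__ == "__main__":
    for label, conf in (("question", IPSEC_CONF_BROKEN), ("fixed", IPSEC_CONF_FIXED)):
        print(f"{label}: {find_virtual_ip_problems(conf) or 'ok'}")
        for conn, opts in parse_ipsec_conf(conf).items():
            if "rightsourceip" in opts:
                print(f"  {conn}: pool {pool_network(opts['rightsourceip'])}")
```

Running it prints one finding for the question's conn and "ok" for the fixed one, and shows that strongSwan's network/netmask form of the pool, as written in the answer, covers the whole 192.168.1.0/24. The check is deliberately narrow: a conn with right=%any and rightsourceip=%config is also left alone, since that form is only meaningful on the initiator.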