我正在尝试在运行4.1的Android设备和运行strongSwan 5.0的Fedora 17 Linux框之间configurationVPN隧道。 设备报告已连接,并且strongSwan statusall返回存在IKE SA,但不显示隧道。 我使用wiki中的iOS说明来生成证书并configurationstrongSwan。 由于Android使用了一个修改版本的racoon,所以这个应该可以工作,而且由于连接已经部分build立,我想我正走在正确的轨道上。 我没有看到任何关于不能创build隧道的错误。
这是strongSwan连接的configuration
conn android2 keyexchange=ikev1 authby=xauthrsasig xauth=server left=96.244.142.28 leftsubnet=0.0.0.0/0 leftfirewall=yes leftcert=serverCert.pem right=%any rightsubnet=10.0.0.0/24 rightsourceip=10.0.0.2 rightcert=clientCert.pem ike=aes256-sha1-modp1024 auto=add
这是strongswan statusall的输出
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.4-5.fc17.x86_64, x86_64): uptime: 20 minutes, since Oct 31 10:27:31 2012 malloc: sbrk 270336, mmap 0, used 198144, free 72192 worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 7 loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic Virtual IP pools (size/online/offline): android-hybrid: 1/0/0 android2: 1/1/0 Listening IP addresses: 96.244.142.28 Connections: android-hybrid: %any...%any IKEv1 android-hybrid: local: [C=CH, O=strongSwan, CN=vpn.strongswan.org] uses public key authentication android-hybrid: cert: "C=CH, O=strongSwan, CN=vpn.strongswan.org" android-hybrid: remote: [%any] uses XAuth authentication: any android-hybrid: child: dynamic === dynamic TUNNEL android2: 96.244.142.28...%any IKEv1 android2: local: [C=CH, O=strongSwan, CN=vpn.strongswan.org] uses public key authentication android2: cert: "C=CH, O=strongSwan, CN=vpn.strongswan.org" android2: remote: [C=CH, O=strongSwan, CN=client] uses public key authentication android2: cert: "C=CH, O=strongSwan, CN=client" android2: remote: [%any] uses XAuth authentication: any android2: child: 0.0.0.0/0 === 10.0.0.0/24 TUNNEL Security Associations (1 up, 0 connecting): android2[3]: ESTABLISHED 10 seconds ago, 96.244.142.28[C=CH, O=strongSwan, CN=vpn.strongswan.org]...208.54.35.241[C=CH, O=strongSwan, CN=client] android2[3]: Remote XAuth identity: android android2[3]: IKEv1 SPIs: 4151e371ad46b20d_i 59a56390d74792d2_r*, public key reauthentication in 56 minutes android2[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ip -s xfrm policy的输出
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 socket in action allow index 3819 priority 0 ptype main share any flag (0x00000000) lifetime config: limit: soft 0(bytes), hard 0(bytes) limit: soft 0(packets), hard 0(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2012-10-31 13:29:08 use 2012-10-31 13:29:39 src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 socket out action allow index 3812 priority 0 ptype main share any flag (0x00000000) lifetime config: limit: soft 0(bytes), hard 0(bytes) limit: soft 0(packets), hard 0(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2012-10-31 13:29:08 use 2012-10-31 13:29:22 src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 socket in action allow index 3803 priority 0 ptype main share any flag (0x00000000) lifetime config: limit: soft 0(bytes), hard 0(bytes) limit: soft 0(packets), hard 0(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2012-10-31 13:29:08 use 2012-10-31 13:29:20 src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 socket out action allow index 3796 priority 0 ptype main share any flag (0x00000000) lifetime config: limit: soft 0(bytes), hard 0(bytes) limit: soft 0(packets), hard 0(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2012-10-31 13:29:08 use 2012-10-31 13:29:20
因此,即使设备和strongswan之间存在SA,也不会为连接创buildxfrm策略。 在android设备上执行ip -s xfrm policy产生以下输出:
src 0.0.0.0/0 dst 10.0.0.2/32 uid 0 dir in action allow index 40 priority 2147483648 share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2012-10-31 13:42:08 use - tmpl src 96.244.142.28 dst 25.239.33.30 proto esp spi 0x00000000(0) reqid 0(0x00000000) mode tunnel level required share any enc-mask 00000000 auth-mask 00000000 comp-mask 00000000 src 10.0.0.2/32 dst 0.0.0.0/0 uid 0 dir out action allow index 33 priority 2147483648 share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2012-10-31 13:42:08 use - tmpl src 25.239.33.30 dst 96.244.142.28 proto esp spi 0x00000000(0) reqid 0(0x00000000) mode tunnel level required share any enc-mask 00000000 auth-mask 00000000 comp-mask 00000000
来自charon的日志:
00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 3.3.4-5.fc17.x86_64, x86_64) 00[KNL] listening on interfaces: 00[KNL] em1 00[KNL] 96.244.142.28 00[KNL] fe80::224:e8ff:fed2:18b2 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts' 00[CFG] loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan CA" from '/etc/strongswan/ipsec.d/cacerts/caCert.pem' 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts' 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts' 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts' 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls' 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets' 00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/clientKey.pem' 00[CFG] loaded IKE secret for %any 00[CFG] loaded EAP secret for android 00[CFG] loaded EAP secret for android 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic 08[NET] waiting for data on sockets 16[LIB] created thread 16 [15338] 16[JOB] started worker thread 16 11[CFG] received stroke: add connection 'android-hybrid' 11[CFG] conn android-hybrid 11[CFG] left=%any 11[CFG] leftsubnet=(null) 11[CFG] leftsourceip=(null) 11[CFG] leftauth=pubkey 11[CFG] leftauth2=(null) 11[CFG] leftid=(null) 11[CFG] leftid2=(null) 11[CFG] leftrsakey=(null) 11[CFG] leftcert=serverCert.pem 11[CFG] leftcert2=(null) 11[CFG] leftca=(null) 11[CFG] leftca2=(null) 11[CFG] leftgroups=(null) 11[CFG] leftupdown=ipsec _updown iptables 11[CFG] right=%any 11[CFG] rightsubnet=(null) 11[CFG] rightsourceip=96.244.142.3 11[CFG] rightauth=xauth 11[CFG] rightauth2=(null) 11[CFG] rightid=%any 11[CFG] rightid2=(null) 11[CFG] rightrsakey=(null) 11[CFG] rightcert=(null) 11[CFG] rightcert2=(null) 11[CFG] rightca=(null) 11[CFG] rightca2=(null) 11[CFG] rightgroups=(null) 11[CFG] rightupdown=(null) 11[CFG] eap_identity=(null) 11[CFG] aaa_identity=(null) 11[CFG] xauth_identity=(null) 11[CFG] ike=aes256-sha1-modp1024 11[CFG] esp=aes128-sha1-modp2048,3des-sha1-modp1536 11[CFG] dpddelay=30 11[CFG] dpdtimeout=150 11[CFG] dpdaction=0 11[CFG] closeaction=0 11[CFG] mediation=no 11[CFG] mediated_by=(null) 11[CFG] me_peerid=(null) 11[CFG] keyexchange=ikev1 11[KNL] getting interface name for %any 11[KNL] %any is not a local address 11[KNL] getting interface name for %any 11[KNL] %any is not a local address 11[CFG] left nor right host is our side, assuming left=local 11[CFG] loaded certificate "C=CH, O=strongSwan, CN=vpn.strongswan.org" from 'serverCert.pem' 11[CFG] id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=vpn.strongswan.org' 11[CFG] added configuration 'android-hybrid' 11[CFG] adding virtual IP address pool 'android-hybrid': 96.244.142.3/32 13[CFG] received stroke: add connection 'android2' 13[CFG] conn android2 13[CFG] left=96.244.142.28 13[CFG] leftsubnet=0.0.0.0/0 13[CFG] leftsourceip=(null) 13[CFG] leftauth=pubkey 13[CFG] leftauth2=(null) 13[CFG] leftid=(null) 13[CFG] leftid2=(null) 13[CFG] leftrsakey=(null) 13[CFG] leftcert=serverCert.pem 13[CFG] leftcert2=(null) 13[CFG] leftca=(null) 13[CFG] leftca2=(null) 13[CFG] leftgroups=(null) 13[CFG] leftupdown=ipsec _updown iptables 13[CFG] right=%any 13[CFG] rightsubnet=10.0.0.0/24 13[CFG] rightsourceip=10.0.0.2 13[CFG] rightauth=pubkey 13[CFG] rightauth2=xauth 13[CFG] rightid=(null) 13[CFG] rightid2=(null) 13[CFG] rightrsakey=(null) 13[CFG] rightcert=clientCert.pem 13[CFG] rightcert2=(null) 13[CFG] rightca=(null) 13[CFG] rightca2=(null) 13[CFG] rightgroups=(null) 13[CFG] rightupdown=(null) 13[CFG] eap_identity=(null) 13[CFG] aaa_identity=(null) 13[CFG] xauth_identity=(null) 13[CFG] ike=aes256-sha1-modp1024 13[CFG] esp=aes128-sha1-modp2048,3des-sha1-modp1536 13[CFG] dpddelay=30 13[CFG] dpdtimeout=150 13[CFG] dpdaction=0 13[CFG] closeaction=0 13[CFG] mediation=no 13[CFG] mediated_by=(null) 13[CFG] me_peerid=(null) 13[CFG] keyexchange=ikev0 13[KNL] getting interface name for %any 13[KNL] %any is not a local address 13[KNL] getting interface name for 96.244.142.28 13[KNL] 96.244.142.28 is on interface em1 13[CFG] loaded certificate "C=CH, O=strongSwan, CN=vpn.strongswan.org" from 'serverCert.pem' 13[CFG] id '96.244.142.28' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=vpn.strongswan.org' 13[CFG] loaded certificate "C=CH, O=strongSwan, CN=client" from 'clientCert.pem' 13[CFG] id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=client' 13[CFG] added configuration 'android2' 13[CFG] adding virtual IP address pool 'android2': 10.0.0.2/32 08[NET] received packet: from 208.54.35.241[32235] to 96.244.142.28[500] 15[CFG] looking for an ike config for 96.244.142.28...208.54.35.241 15[CFG] candidate: %any...%any, prio 2 15[CFG] candidate: 96.244.142.28...%any, prio 5 15[CFG] found matching ike config: 96.244.142.28...%any with prio 5 01[JOB] next event in 29s 999ms, waiting 15[IKE] received NAT-T (RFC 3947) vendor ID 15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID 15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID 15[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID 15[IKE] received XAuth vendor ID 15[IKE] received Cisco Unity vendor ID 15[IKE] received DPD vendor ID 15[IKE] 208.54.35.241 is initiating a Main Mode IKE_SA 15[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING 15[CFG] selecting proposal: 15[CFG] proposal matches 15[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024 15[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160 15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 15[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235] 04[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235] 15[MGR] checkin IKE_SA (unnamed)[1] 15[MGR] check-in of IKE_SA successful. 08[NET] received packet: from 208.54.35.241[32235] to 96.244.142.28[500] 08[NET] waiting for data on sockets 07[MGR] checkout IKE_SA by message 07[MGR] IKE_SA (unnamed)[1] successfully checked out 07[NET] received packet: from 208.54.35.241[32235] to 96.244.142.28[500] 07[LIB] size of DH secret exponent: 1023 bits 07[IKE] remote host is behind NAT 07[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA" 07[ENC] generating NAT_D_V1 payload finished 07[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235] 07[MGR] checkin IKE_SA (unnamed)[1] 07[MGR] check-in of IKE_SA successful. 04[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235] 08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500] 10[IKE] ignoring certificate request without data 10[IKE] received end entity cert "C=CH, O=strongSwan, CN=client" 10[CFG] looking for XAuthInitRSA peer configs matching 96.244.142.28...208.54.35.241[C=CH, O=strongSwan, CN=client] 10[CFG] candidate "android-hybrid", match: 1/1/2/2 (me/other/ike/version) 10[CFG] candidate "android2", match: 1/20/5/1 (me/other/ike/version) 10[CFG] selected peer config "android2" 10[CFG] certificate "C=CH, O=strongSwan, CN=client" key: 2048 bit RSA 10[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA" 10[CFG] checking certificate status of "C=CH, O=strongSwan, CN=client" 10[CFG] ocsp check skipped, no ocsp found 10[CFG] certificate status is not available 10[CFG] certificate "C=CH, O=strongSwan, CN=strongSwan CA" key: 2048 bit RSA 10[CFG] reached self-signed root ca with a path length of 0 10[CFG] using trusted certificate "C=CH, O=strongSwan, CN=client" 10[IKE] authentication of 'C=CH, O=strongSwan, CN=client' with RSA successful 10[ENC] added payload of type ID_V1 to message 10[ENC] added payload of type SIGNATURE_V1 to message 10[IKE] authentication of 'C=CH, O=strongSwan, CN=vpn.strongswan.org' (myself) successful 10[IKE] queueing XAUTH task 10[IKE] sending end entity cert "C=CH, O=strongSwan, CN=vpn.strongswan.org" 10[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595] 04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595] 10[IKE] activating new tasks 10[IKE] activating XAUTH task 10[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595] 04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595] 01[JOB] next event in 3s 999ms, waiting 10[MGR] checkin IKE_SA android2[1] 10[MGR] check-in of IKE_SA successful. 08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500] 08[NET] waiting for data on sockets 12[MGR] checkout IKE_SA by message 12[MGR] IKE_SA android2[1] successfully checked out 12[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500] 12[MGR] checkin IKE_SA android2[1] 12[MGR] check-in of IKE_SA successful. 08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500] 16[MGR] checkout IKE_SA by message 16[MGR] IKE_SA android2[1] successfully checked out 16[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500] 08[NET] waiting for data on sockets 16[IKE] XAuth authentication of 'android' successful 16[IKE] reinitiating already active tasks 16[IKE] XAUTH task 16[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595] 04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595] 16[MGR] checkin IKE_SA android2[1] 01[JOB] next event in 3s 907ms, waiting 16[MGR] check-in of IKE_SA successful. 08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500] 09[MGR] checkout IKE_SA by message 09[MGR] IKE_SA android2[1] successfully checked out 09[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500] .8rS 09[IKE] IKE_SA android2[1] established between 96.244.142.28[C=CH, O=strongSwan, CN=vpn.strongswan.org]...208.54.35.241[C=CH, O=strongSwan, CN=client] 09[IKE] IKE_SA android2[1] state change: CONNECTING => ESTABLISHED 09[IKE] scheduling reauthentication in 3409s 09[IKE] maximum IKE_SA lifetime 3589s 09[IKE] activating new tasks 09[IKE] nothing to initiate 09[MGR] checkin IKE_SA android2[1] 09[MGR] check-in of IKE_SA successful. 09[MGR] checkout IKE_SA 09[MGR] IKE_SA android2[1] successfully checked out 09[MGR] checkin IKE_SA android2[1] 09[MGR] check-in of IKE_SA successful. 01[JOB] next event in 3s 854ms, waiting 08[NET] waiting for data on sockets 08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500] 14[MGR] checkout IKE_SA by message 14[MGR] IKE_SA android2[1] successfully checked out 14[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500] 14[IKE] processing INTERNAL_IP4_ADDRESS attribute 14[IKE] processing INTERNAL_IP4_NETMASK attribute 14[IKE] processing INTERNAL_IP4_DNS attribute 14[IKE] processing INTERNAL_IP4_NBNS attribute 14[IKE] processing UNITY_BANNER attribute 14[IKE] processing UNITY_DEF_DOMAIN attribute 14[IKE] processing UNITY_SPLITDNS_NAME attribute 14[IKE] processing UNITY_SPLIT_INCLUDE attribute 14[IKE] processing UNITY_LOCAL_LAN attribute 14[IKE] processing APPLICATION_VERSION attribute 14[IKE] peer requested virtual IP %any 14[CFG] assigning new lease to 'android' 14[IKE] assigning virtual IP 10.0.0.2 to peer 'android' 14[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595] 14[MGR] checkin IKE_SA android2[1] 14[MGR] check-in of IKE_SA successful. 04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595] 08[NET] waiting for data on sockets 01[JOB] got event, queuing job for execution 01[JOB] next event in 91ms, waiting 13[MGR] checkout IKE_SA 13[MGR] IKE_SA android2[1] successfully checked out 13[MGR] checkin IKE_SA android2[1] 13[MGR] check-in of IKE_SA successful. 01[JOB] got event, queuing job for execution 01[JOB] next event in 24s 136ms, waiting 15[MGR] checkout IKE_SA 15[MGR] IKE_SA android2[1] successfully checked out 15[MGR] checkin IKE_SA android2[1] 15[MGR] check-in of IKE_SA successful.
Android设备:
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes 09:58:28.990424 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 504) 10.1.12.140.500 > 96.244.142.28.500: isakmp 1.0 msgid : phase 1 I ident: [|sa] 09:58:29.037879 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 164) 96.244.142.28.500 > 10.1.12.140.500: isakmp 1.0 msgid : phase 1 R ident: [|sa] 09:58:29.058692 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 256) 10.1.12.140.500 > 96.244.142.28.500: isakmp 1.0 msgid : phase 1 I ident: [|ke] 09:58:29.111273 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 337) 96.244.142.28.500 > 10.1.12.140.500: isakmp 1.0 msgid : phase 1 R ident: [|ke] 09:58:29.174781 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 1212) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id] 09:58:29.204199 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 1276) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id] 09:58:29.204352 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 108) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others R #6[E]: [encrypted hash] 09:58:29.207953 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 140) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others I inf[E]: [encrypted hash] 09:58:29.208869 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 140) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others I #6[E]: [encrypted hash] 09:58:29.283637 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 124) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others ? inf[E]: [encrypted hash] 09:58:29.283881 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 108) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others R #6[E]: [encrypted hash] 09:58:29.285498 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 124) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others I #6[E]: [encrypted hash] 09:58:29.286658 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 156) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others I #6[E]: [encrypted hash] 09:58:29.323554 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 108) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others R #6[E]: [encrypted hash] 09:58:48.447272 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 29) 10.1.12.140.4500 > 96.244.142.28.4500: isakmp-nat-keep-alive
Strongswan机器:
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes 09:58:29.005470 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 504) 96.244.142.3.isakmp > 96.244.142.28.isakmp: isakmp 1.0 msgid 00000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=8 (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0100)(type=auth value=fded)(type=hash value=sha1)(type=group desc value=modp1024)) (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0100)(type=auth value=fded)(type=hash value=md5)(type=group desc value=modp1024)) (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=fded)(type=hash value=sha1)(type=group desc value=modp1024)) (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=fded)(type=hash value=md5)(type=group desc value=modp1024)) (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=fded)(type=hash value=sha1)(type=group desc value=modp1024)) (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=fded)(type=hash value=md5)(type=group desc value=modp1024)) (t: #7 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=fded)(type=hash value=sha1)(type=group desc value=modp1024)) (t: #8 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=fded)(type=hash value=md5)(type=group desc value=modp1024)))) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=8) (vid: len=16) (vid: len=20) (vid: len=16) 09:58:29.021590 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 164) 96.244.142.28.isakmp > 96.244.142.3.isakmp: isakmp 1.0 msgid 00000000: phase 1 R ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=fded)(type=lifetype value=sec)(type=lifeduration value=7080)))) (vid: len=8) (vid: len=16) (vid: len=16) 09:58:29.065654 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 256) 96.244.142.3.isakmp > 96.244.142.28.isakmp: isakmp 1.0 msgid 00000000: phase 1 I ident: (ke: key len=128) (nonce: n len=16) (pay20) (pay20) 09:58:29.073252 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 337) 96.244.142.28.isakmp > 96.244.142.3.isakmp: isakmp 1.0 msgid 00000000: phase 1 R ident: (ke: key len=128) (nonce: n len=32) (cr: len=61 type=x509sign) (pay20) (pay20) 09:58:29.172970 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 1212) 96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 I ident[E]: [encrypted id] 09:58:29.182596 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 1276) 96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted id] 09:58:29.183033 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 108) 96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid 25eb381b: phase 2/others R #6[E]: [encrypted hash] 09:58:29.250287 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 140) 96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid bbbe7b6d: phase 2/others I inf[E]: [encrypted hash] 09:58:29.250325 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 140) 96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid 25eb381b: phase 2/others I #6[E]: [encrypted hash] 09:58:29.256037 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 124) 96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid beb336b4: phase 2/others ? inf[E]: [encrypted hash] 09:58:29.257801 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 108) 96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid 15d8cae0: phase 2/others R #6[E]: [encrypted hash] 09:58:29.300333 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 124) 96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid 15d8cae0: phase 2/others I #6[E]: [encrypted hash] 09:58:29.300362 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 156) 96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid b96496f8: phase 2/others I #6[E]: [encrypted hash] 09:58:29.307755 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 108) 96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid b96496f8: phase 2/others R #6[E]: [encrypted hash] 09:58:48.449886 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 29) 96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: isakmp-nat-keep-alive 09:59:08.488463 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 29)
您在strongswan statusall输出中看到的SA是IKE_SA(或ISAKMP SA,因为这是IKEv1)而不是IPsec SA。 因此,主模式结束后,肯定会出现一些问题。
ModeConfig(虚拟IP和其他属性的分配)似乎工作正常,这也反映在Android设备上安装的IPsec策略。 但缺less的是快速模式请求(即IPsec SA将被协商时):
14[IKE] assigning virtual IP 10.0.0.2 to peer 'android' 14[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
这是发送到Android设备的ModeConfig响应,但charon之后不会收到任何消息。
我现在能够重现这一点。 这种行为是有目的的。 当ModeConfig完成并且ISAKMP SAbuild立时,以下内容被logging到logcat :
I/racoon (11096): ISAKMP-SA established [...] D/VpnJni ( 310): Route added on tun0: 0.0.0.0/0 I/LegacyVpnRunner( 310): Connected!
此外,在ModeConfig期间接收到的虚拟IP(在你的情况下是10.0.0.2 )被添加到tun0并且10.0.0.2 <=> 0.0.0.0/0 IPsec安全策略10.0.0.2 <=> 0.0.0.0/0被安装在内核中(这也可以在ip xfrm policies您发布的ip xfrm policies输出)。
现在,IPsec SA在stream量匹配出站策略之前不会build立。 由于0.0.0.0/0用作远程stream量select器(也用于通过tun0的路由),因此任何数据包都将与策略相匹配,从而触发快速模式协商。
在我的情况下,只要我打开浏览器logging以下内容:
I/racoon (15504): initiate new phase 2 negotiation: [...] I/racoon (15504): NAT detected -> UDP encapsulation (ENC_MODE 1->3). W/racoon (15504): attribute has been modified. I/racoon (15504): Adjusting my encmode UDP-Tunnel->Tunnel I/racoon (15504): Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1) W/racoon (15504): low key length proposed, mine:256 peer:128. W/racoon (15504): authtype mismatched: my:hmac-md5 peer:hmac-sha I/racoon (15504): IPsec-SA established: ESP/Tunnel [...]
这也导致了strongSwan网关的预期产出:
android2{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cd7ceff0_i 0e7ab2fc_o android2{1}: AES_CBC_128/HMAC_SHA1_96, 60 bytes_i, 0 bytes_o, rekeying in 41 minutes android2{1}: 0.0.0.0/0 === 10.0.0.2/32