I am working on an IPsec VPN setup that lets an iPhone/iPad connect to a Linux server running Gentoo. I have been able to get the VPN working as expected with PSK authentication (PSK + login + password), but I cannot get into the VPN with certificate authentication (certificate + login + password). I am running only Racoon (IPsec), without L2TP.

When I try to connect from the iPhone, it occasionally succeeds (very rarely, and I cannot find a pattern for when it does). Most of the time the iPhone fails to connect with "Negotiation with the VPN server failed".

The certificates were generated with easy-rsa (installed with OpenVPN), as follows:

```
build-key-server ipsec-server
build-key --pkcs11 mgorbach_mobile_iPhone
```

Did I miss something in my setup?
```
path certificate "/etc/racoon/ssl";

remote anonymous {
    exchange_mode main,aggressive;
    ca_type x509 "ca.crt";
    certificate_type x509 "ipsec_server.crt" "ipsec_server.key";
    proposal_check claim;
    generate_policy on;
    verify_cert off;
    nat_traversal on;
    dpd_delay 20;
    mode_cfg on;
    ike_frag on;
    passive on;
    my_identifier asn1dn;
    script "/etc/racoon/phase1-up.sh" phase1_up;
    script "/etc/racoon/phase1-down.sh" phase1_down;

    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method xauth_rsa_server;
        dh_group 5;
        lifetime time 3600 sec;
    }
}

mode_cfg {
    conf_source local;
    network4 10.0.8.1;
    netmask4 255.255.255.0;
    pool_size 10;
    auth_source system;
    save_passwd off;
    split_network include 172.16.1.0/24;
    pfs_group 2;
}

sainfo anonymous {
    pfs_group 5;
    lifetime time 3600 sec;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```
```
2012-02-14 20:41:19: INFO: 172.16.1.102[500] used for NAT-T
2012-02-14 20:41:19: INFO: 172.16.1.102[500] used as isakmp port (fd=11)
2012-02-14 20:41:19: INFO: 172.16.1.102[4500] used for NAT-T
2012-02-14 20:41:19: INFO: 172.16.1.102[4500] used as isakmp port (fd=12)
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%eth2[500] used as isakmp port (fd=13)
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%eth2[4500] used as isakmp port (fd=14)
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%br0[500] used as isakmp port (fd=15)
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%br0[4500] used as isakmp port (fd=16)
2012-02-14 20:41:19: INFO: fe80::459:22ff:fe33:495e%tap0[500] used as isakmp port (fd=17)
2012-02-14 20:41:19: INFO: fe80::459:22ff:fe33:495e%tap0[4500] used as isakmp port (fd=18)
2012-02-14 20:41:56: INFO: respond new phase 1 negotiation: 172.16.1.102[500] <=>174.252.45.42[5331]
2012-02-14 20:41:56: INFO: begin Identity Protection mode.
2012-02-14 20:41:56: INFO: received Vendor ID: RFC 3947
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-02-14 20:41:56: INFO: received Vendor ID: CISCO-UNITY
2012-02-14 20:41:56: INFO: received Vendor ID: DPD
2012-02-14 20:41:56: [174.252.45.42] INFO: Selected NAT-T version: RFC 3947
2012-02-14 20:41:56: INFO: Adding xauth VID payload.
2012-02-14 20:41:56: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2
2012-02-14 20:41:56: INFO: NAT-D payload #0 doesn't match
2012-02-14 20:41:56: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2
2012-02-14 20:41:56: INFO: NAT-D payload #1 doesn't match
2012-02-14 20:41:56: INFO: NAT detected: ME PEER
2012-02-14 20:41:56: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2
2012-02-14 20:41:56: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2
2012-02-14 20:41:56: INFO: Adding remote and local NAT-D payloads.
2012-02-14 20:41:58: INFO: NAT-T: ports changed to: 174.252.45.42[5335]<->172.16.1.102[4500]
2012-02-14 20:41:58: INFO: KA list add: 172.16.1.102[4500]->174.252.45.42[5335]
2012-02-14 20:41:58: WARNING: CERT validation disabled by configuration
2012-02-14 20:41:58: INFO: Sending Xauth request
2012-02-14 20:41:58: [174.252.45.42] INFO: received INITIAL-CONTACT
2012-02-14 20:41:58: INFO: ISAKMP-SA established 172.16.1.102[4500]-174.252.45.42[5335] spi:732afbfe416c3732:452dbadff1dceda9
2012-02-14 20:41:58: INFO: Using port 0
2012-02-14 20:41:58: INFO: login succeeded for user "mgorbach"
2012-02-14 20:41:58: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
2012-02-14 20:41:58: ERROR: Cannot open "/etc/motd"
2012-02-14 20:41:58: WARNING: Ignored attribute 28683
2012-02-14 20:41:58: INFO: unsupported PF_KEY message REGISTER
2012-02-14 20:41:59: INFO: purging ISAKMP-SA spi=732afbfe416c3732:452dbadff1dceda9:00007bb0.
2012-02-14 20:41:59: INFO: purged ISAKMP-SA spi=732afbfe416c3732:452dbadff1dceda9:00007bb0.
2012-02-14 20:41:59: INFO: ISAKMP-SA deleted 172.16.1.102[4500]-174.252.45.42[5335] spi:732afbfe416c3732:452dbadff1dceda9
2012-02-14 20:41:59: INFO: KA remove: 172.16.1.102[4500]->174.252.45.42[5335]
2012-02-14 20:41:59: INFO: Released port 0
2012-02-14 20:41:59: INFO: unsupported PF_KEY message REGISTER
2012-02-14 20:41:59: INFO: respond new phase 1 negotiation: 172.16.1.102[500]<=>174.252.45.42[5331]
2012-02-14 20:41:59: INFO: begin Identity Protection mode.
2012-02-14 20:41:59: INFO: received Vendor ID: RFC 3947
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-02-14 20:41:59: INFO: received Vendor ID: CISCO-UNITY
2012-02-14 20:41:59: INFO: received Vendor ID: DPD
2012-02-14 20:41:59: [174.252.45.42] INFO: Selected NAT-T version: RFC 3947
2012-02-14 20:41:59: INFO: Adding xauth VID payload.
2012-02-14 20:41:59: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2
2012-02-14 20:41:59: INFO: NAT-D payload #0 doesn't match
2012-02-14 20:41:59: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2
2012-02-14 20:41:59: INFO: NAT-D payload #1 doesn't match
2012-02-14 20:41:59: INFO: NAT detected: ME PEER
2012-02-14 20:41:59: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2
2012-02-14 20:41:59: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2
2012-02-14 20:41:59: INFO: Adding remote and local NAT-D payloads.
2012-02-14 20:42:01: INFO: NAT-T: ports changed to: 174.252.45.42[5335]<->172.16.1.102[4500]
2012-02-14 20:42:01: INFO: KA list add: 172.16.1.102[4500]->174.252.45.42[5335]
2012-02-14 20:42:01: WARNING: CERT validation disabled by configuration
2012-02-14 20:42:01: INFO: Sending Xauth request
2012-02-14 20:42:01: [174.252.45.42] INFO: received INITIAL-CONTACT
2012-02-14 20:42:01: INFO: ISAKMP-SA established 172.16.1.102[4500]-174.252.45.42[5335] spi:d5a612eed1d76757:ea9806655c9c96c8
2012-02-14 20:42:16: INFO: purging ISAKMP-SA spi=d5a612eed1d76757:ea9806655c9c96c8.
2012-02-14 20:42:16: INFO: purged ISAKMP-SA spi=d5a612eed1d76757:ea9806655c9c96c8.
2012-02-14 20:42:16: INFO: ISAKMP-SA deleted 172.16.1.102[4500]-174.252.45.42[5335] spi:d5a612eed1d76757:ea9806655c9c96c8
2012-02-14 20:42:16: INFO: KA remove: 172.16.1.102[4500]->174.252.45.42[5335]
2012-02-14 20:42:16: INFO: unsupported PF_KEY message REGISTER
```
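The log above shows the pattern worth measuring before touching the configuration: phase 1 completes ("ISAKMP-SA established"), XAuth succeeds, and the SA is purged 1 and 15 seconds later, far short of the configured 3600 second phase 1 lifetime. It also repeats "CERT validation disabled by configuration", which is what `verify_cert off` in the posted racoon.conf produces: the client certificate is presented but never checked against `ca.crt`, so the "certificate authentication" in this setup is only as strong as the XAuth password. The following script is an added example, not code from the question or from the Racoon project; it parses racoon log lines in the format shown above (a timestamp, an optional bracketed peer address, a level, and a message), pairs each established SA with its deletion by SPI, and reports SAs torn down before a threshold along with the certificate validation warning. The sample lines are constructed from the question's log and embedded so it runs offline.

```python
import re
from datetime import datetime

# Constructed sample lines, modeled on the racoon log posted in the question.
SAMPLE_LOG = """\
2012-02-14 20:41:58: WARNING: CERT validation disabled by configuration
2012-02-14 20:41:58: INFO: ISAKMP-SA established 172.16.1.102[4500]-174.252.45.42[5335] spi:732afbfe416c3732:452dbadff1dceda9
2012-02-14 20:41:58: INFO: login succeeded for user "mgorbach"
2012-02-14 20:41:59: INFO: purging ISAKMP-SA spi=732afbfe416c3732:452dbadff1dceda9:00007bb0.
2012-02-14 20:41:59: INFO: ISAKMP-SA deleted 172.16.1.102[4500]-174.252.45.42[5335] spi:732afbfe416c3732:452dbadff1dceda9
2012-02-14 20:42:01: WARNING: CERT validation disabled by configuration
2012-02-14 20:42:01: INFO: ISAKMP-SA established 172.16.1.102[4500]-174.252.45.42[5335] spi:d5a612eed1d76757:ea9806655c9c96c8
2012-02-14 20:42:16: INFO: ISAKMP-SA deleted 172.16.1.102[4500]-174.252.45.42[5335] spi:d5a612eed1d76757:ea9806655c9c96c8
"""

# racoon line layout as seen in the question: "<date> <time>: [<peer>] <LEVEL>: <message>"
# (the bracketed peer is optional; assumption based on the posted log, not on racoon's source).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (?:\[[^\]]*\] )?(\w+): (.*)$"
)
ESTABLISHED_RE = re.compile(r"ISAKMP-SA established (\S+) spi:([0-9a-f]+:[0-9a-f]+)")
DELETED_RE = re.compile(r"ISAKMP-SA deleted (\S+) spi:([0-9a-f]+:[0-9a-f]+)")


def parse_line(line):
    """Split one racoon log line into (timestamp, level, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def analyze(log_text, short_threshold=60):
    """Pair ISAKMP-SA establishment and deletion by SPI and flag short-lived SAs.

    short_threshold is in seconds; an SA deleted sooner than that is reported as
    short-lived (the configured phase 1 lifetime in the question is 3600 seconds).
    """
    established = {}          # spi -> (timestamp, peer pair) for SAs not yet deleted
    sa_lifetimes = []
    cert_validation_disabled = False

    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, level, msg = parsed

        # The warning racoon emits when verify_cert is off: peer certs are not checked.
        if level == "WARNING" and "CERT validation disabled" in msg:
            cert_validation_disabled = True

        m = ESTABLISHED_RE.search(msg)
        if m:
            established[m.group(2)] = (ts, m.group(1))
            continue

        m = DELETED_RE.search(msg)
        if m and m.group(2) in established:
            start, peers = established.pop(m.group(2))
            sa_lifetimes.append({
                "spi": m.group(2),
                "peers": peers,
                "lifetime_s": int((ts - start).total_seconds()),
            })

    short = [s for s in sa_lifetimes if s["lifetime_s"] < short_threshold]
    return {
        "cert_validation_disabled": cert_validation_disabled,
        "sa_lifetimes": sa_lifetimes,
        "short_lived": short,
        "still_open": sorted(established),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for sa in report["sa_lifetimes"]:
        print(f"SA {sa['spi']} ({sa['peers']}) lived {sa['lifetime_s']} s")
    print("short-lived SAs:", len(report["short_lived"]))
    print("peer certificate validation disabled:", report["cert_validation_disabled"])
```

Run it against the real log with `analyze(open("/var/log/racoon.log").read())` (path is an assumption). If every SA shows up as short-lived while XAuth reports success, the failure is after phase 1 rather than in certificate handling, which narrows where to look; and any run that reports `cert_validation_disabled` means the server is accepting whatever certificate the client offers.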