IPsec with Debian and strongSwan with PSK fails

I have a problem with a new IPsec installation that I am testing between two nodes. Every node connects to the internet with a static IP; the log shows that something is wrong with ipsec.secrets, but I can't see where.

Node A: server with a public IP

Node B: server with a private IP behind an external NAT

Configuration A: /etc/ipsec.conf

    config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

    conn %default

    conn ipsec-test
        left=MyPublicIPA
        leftid=MyPublicIPA
        leftsourceip=MyPublicIPA
        right=MyPublicIPB
        rightid=MyPublicIPB
        rightsubnet=10.0.1.0/24
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=secret
        auto=start
        keyexchange=ikev2
        type=tunnel

/etc/ipsec.secrets

 MyPublicIPA MyPublicIPB : PSK "test1234" 

Log:

    Jul 13 15:30:06 vpnserver2 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64)
    Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
    Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
    Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loaded IKE secret for MyPublicIPB
    Jul 13 15:30:06 vpnserver2 charon: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
    Jul 13 15:30:06 vpnserver2 charon: 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
    Jul 13 15:30:06 vpnserver2 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
    Jul 13 15:30:06 vpnserver2 charon: 00[JOB] spawning 16 worker threads
    Jul 13 15:30:06 vpnserver2 charon: 11[CFG] received stroke: add connection 'ipsec-test'
    Jul 13 15:30:06 vpnserver2 charon: 11[CFG] added configuration 'ipsec-test'
    Jul 13 15:30:06 vpnserver2 charon: 12[CFG] received stroke: initiate 'ipsec-test'
    Jul 13 15:30:06 vpnserver2 charon: 12[IKE] initiating IKE_SA ipsec-test[1] to MyPublicIPB
    Jul 13 15:30:06 vpnserver2 charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    Jul 13 15:30:06 vpnserver2 charon: 12[NET] sending packet: from MyPublicIPA[500] to MyPublicIPB[500] (304 bytes)
    Jul 13 15:30:06 vpnserver2 charon: 15[NET] received packet: from MyPublicIPB[500] to MyPublicIPA[500] (312 bytes)
    Jul 13 15:30:06 vpnserver2 charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
    Jul 13 15:30:06 vpnserver2 charon: 15[IKE] remote host is behind NAT
    Jul 13 15:30:06 vpnserver2 charon: 15[IKE] authentication of 'MyPublicIPA' (myself) with pre-shared key
    Jul 13 15:30:06 vpnserver2 charon: 15[IKE] establishing CHILD_SA ipsec-test
    Jul 13 15:30:06 vpnserver2 charon: 15[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
    Jul 13 15:30:06 vpnserver2 charon: 15[NET] sending packet: from MyPublicIPA[4500] to MyPublicIPB[4500] (288 bytes)
    Jul 13 15:30:06 vpnserver2 charon: 06[NET] received packet: from MyPublicIPB[4500] to MyPublicIPA[4500] (80 bytes)
    Jul 13 15:30:06 vpnserver2 charon: 06[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Jul 13 15:30:06 vpnserver2 charon: 06[IKE] received AUTHENTICATION_FAILED notify error

Configuration B:

/etc/ipsec.conf

    config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

    conn %default

    conn ipsec-test
        left=10.0.1.5
        leftid=10.0.1.5
        leftsubnet=10.0.1.0/24
        right=MyPublicIPA
        rightid=MyPublicIPA
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=secret
        auto=start
        keyexchange=ikev2
        type=tunnel

/etc/ipsec.secrets

 MyPublicIPA : PSK "test1234" 

Log:

    Jul 13 15:30:06 vpnserver charon: 16[NET] received packet: from MyPublicIPA[500] to 10.0.1.5[500] (304 bytes)
    Jul 13 15:30:06 vpnserver charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    Jul 13 15:30:06 vpnserver charon: 16[IKE] MyPublicIPA is initiating an IKE_SA
    Jul 13 15:30:06 vpnserver charon: 16[IKE] local host is behind NAT, sending keep alives
    Jul 13 15:30:06 vpnserver charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
    Jul 13 15:30:06 vpnserver charon: 16[NET] sending packet: from 10.0.1.5[500] to MyPublicIPA[500] (312 bytes)
    Jul 13 15:30:06 vpnserver charon: 05[NET] received packet: from MyPublicIPA[4500] to 10.0.1.5[4500] (288 bytes)
    Jul 13 15:30:06 vpnserver charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
    Jul 13 15:30:06 vpnserver charon: 05[CFG] looking for peer configs matching 10.0.1.5[MyPublicIPB]...MyPublicIPA[MyPublicIPA]
    Jul 13 15:30:06 vpnserver charon: 05[CFG] no matching peer config found
    Jul 13 15:30:06 vpnserver charon: 05[IKE] peer supports MOBIKE
    Jul 13 15:30:06 vpnserver charon: 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Jul 13 15:30:06 vpnserver charon: 05[NET] sending packet: from 10.0.1.5[4500] to MyPublicIPA[4500] (80 bytes)

Maybe I will use certificates, but first I would prefer to know where this configuration fails. Suggestions?

Searching, I found similar problems, but I tested modifying ipsec.secrets and it keeps failing.
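As an added example (not part of the question), a small Python checker for exactly this kind of AUTH_FAILED: it reads charon's "looking for peer configs matching <me>[<my_id>]...<other>[<other_id>]" line, where my_id is the IDr the initiator sent and other_id its IDi, and compares both against the leftid/rightid of the responder's conn block. Run on node B's config and log as posted, it reports that node B declares leftid=10.0.1.5 while node A addresses it as MyPublicIPB (node A's rightid), which is why charon finds no matching peer config; the conn text and log line below are constructed copies of the question's values with its placeholder IPs.

```python
import re

# Constructed sample input: node B's conn block and the peer-config lookup
# line from its charon log, copied from the question (placeholder IPs kept).
IPSEC_CONF_B = """\
conn ipsec-test
    left=10.0.1.5
    leftid=10.0.1.5
    leftsubnet=10.0.1.0/24
    right=MyPublicIPA
    rightid=MyPublicIPA
"""
LOG_B = ("Jul 13 15:30:06 vpnserver charon: 05[CFG] looking for peer configs "
         "matching 10.0.1.5[MyPublicIPB]...MyPublicIPA[MyPublicIPA]")

# charon format: looking for peer configs matching <me>[<IDr>]...<other>[<IDi>]
LOOKUP_RE = re.compile(r"looking for peer configs matching "
                       r"(?P<me>\S+?)\[(?P<my_id>[^\]]+)\]\.\.\."
                       r"(?P<other>\S+?)\[(?P<other_id>[^\]]+)\]")

def parse_conn(conf_text, name):
    """Return key=value settings of one conn section (no %default merging)."""
    settings, in_conn = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            in_conn = (line.split(None, 1)[1] == name)
        elif in_conn and "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            settings[key.strip()] = val.strip()
    return settings

def parse_lookup(log_text):
    """Extract the local and remote IDs charon tried to match."""
    m = LOOKUP_RE.search(log_text)
    return m.groupdict() if m else None

def diagnose(conf_text, name, log_text):
    """List ID mismatches between the conn block and what the peer actually sent."""
    conn, want = parse_conn(conf_text, name), parse_lookup(log_text)
    if want is None:
        return ["no 'looking for peer configs' line found in log"]
    # strongSwan defaults leftid/rightid to left/right when they are unset.
    local_id = conn.get("leftid", conn.get("left"))
    remote_id = conn.get("rightid", conn.get("right"))
    problems = []
    if local_id != want["my_id"]:
        problems.append(f"leftid={local_id} but peer sent IDr={want['my_id']}")
    if remote_id != want["other_id"]:
        problems.append(f"rightid={remote_id} but peer sent IDi={want['other_id']}")
    return problems
```

The same check works for node A's side by feeding it node A's conn block and the corresponding lookup line from vpnserver2's log.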