I am trying to test a new (work in progress) StrongSwan IPSec VPN server by connecting to it from OS X 10.10.
This is very frustrating, because the logs show a series of "success" messages and then it blows up. I am also puzzled about why the security association is "(unnamed)[3]".
This page walks through how to capture the racoon configuration, which looks like this:
remote myvpc.mydomain.com {
    doi ipsec_doi;
    situation identity_only;
    exchange_mode main;
    verify_identifier off;
    shared_secret keychain "SOME-HASH.SS";
    local_address 10.0.0.149;
    nonce_size 16;
    dpd_delay 20;
    dpd_retry 5;
    dpd_maxfail 5;
    dpd_algorithm dpd_blackhole_detect;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    xauth_login "staff";
    mode_cfg on;
    proposal {
        authentication_method xauth_psk_client;
        hash_algorithm sha1;
        encryption_algorithm aes 256;
        lifetime time 3600 sec;
        dh_group 2;
    }
    ...
}
My best attempt at porting it to /etc/ipsec.conf on the server:
conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1536
    esp=aes256-sha1
    authby=psk
    ikelifetime=24h
    lifetime=1h
    leftid=myvpc.mydomain.com
    auto=start

conn osx
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    ike=aes256-sha1-modp1024
    left=10.200.0.32/27
    leftsubnet=10.200.0.96/27
    right=1.2.3.4
    rightid=staff
The server logs when I try to connect from the Mac using the Cisco IPSec VPN client:
charon: 16[MGR] checkout IKE_SA by message
charon: 16[MGR] created IKE_SA (unnamed)[3]
charon: 16[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
charon: 16[ENC] parsed ID_PROT request 0 [ SA VVVVVVVVVVVVVV ]
charon: 16[CFG] looking for an ike config for 10.200.0.50...1.2.3.4
charon: 16[CFG] candidate: 10.200.0.32/27...1.2.3.4, prio 2292
charon: 16[CFG] found matching ike config: 10.200.0.32/27...1.2.3.4 with prio 2292
charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 16[IKE] received XAuth vendor ID
charon: 16[IKE] received Cisco Unity vendor ID
charon: 16[IKE] received FRAGMENTATION vendor ID
charon: 16[IKE] received DPD vendor ID
charon: 16[IKE] 1.2.3.4 is initiating a Main Mode IKE_SA
charon: 16[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
charon: 16[CFG] selecting proposal:
charon: 16[CFG] proposal matches
charon: 16[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
charon: 16[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_8192/ECP_256/ECP_384/ECP_521/MODP_1024_160/MODP_2048_224/MODP_2048_256/ECP_192/ECP_224/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
charon: 16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 16[IKE] sending XAuth vendor ID
charon: 16[IKE] sending DPD vendor ID
charon: 16[IKE] sending NAT-T (RFC 3947) vendor ID
charon: 16[ENC] generating ID_PROT response 0 [ SA VVV ]
charon: 16[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
charon: 16[MGR] checkin IKE_SA (unnamed)[3]
charon: 16[MGR] check-in of IKE_SA successful.
charon: 07[MGR] checkout IKE_SA by message
charon: 07[MGR] IKE_SA (unnamed)[3] successfully checked out
charon: 07[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
charon: 07[IKE] received retransmit of request with ID 0, retransmitting response
charon: 07[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
charon: 07[MGR] checkin IKE_SA (unnamed)[3]
charon: 07[MGR] check-in of IKE_SA successful.
charon: 09[MGR] checkout IKE_SA by message
charon: 09[MGR] IKE_SA (unnamed)[3] successfully checked out
charon: 09[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
charon: 09[IKE] received retransmit of request with ID 0, retransmitting response
charon: 09[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
charon: 09[MGR] checkin IKE_SA (unnamed)[3]
charon: 09[MGR] check-in of IKE_SA successful.
charon: 08[MGR] checkout IKE_SA by message
charon: 08[MGR] IKE_SA (unnamed)[3] successfully checked out
charon: 08[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
charon: 08[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
charon: 08[MGR] checkin IKE_SA (unnamed)[3]
charon: 08[MGR] check-in of IKE_SA successful.
The local logs were not that helpful to me, but in case they are useful to someone else:
nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: Received a start command from SystemUIServer[503]
nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: status changed to connecting
nesessionmanager[25701]: IPSec connecting to server myvpc.mydomain.com
nesessionmanager[25701]: IPSec Phase1 starting.
racoon[27001]: accepted connection on vpn control socket.
--- last message repeated 1 time ---
racoon[27001]: IPSec connecting to server myvpc.mydomain.com
--- last message repeated 1 time ---
racoon[27001]: Connecting.
racoon[27001]: IPSec Phase 1 started (Initiated by me).
--- last message repeated 1 time ---
racoon[27001]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
racoon[27001]: >>>>> phase change status = Phase 1 started by us
--- last message repeated 1 time ---
racoon[27001]: IKE Packet: transmit success. (Phase 1 Retransmit).
--- last message repeated 2 times ---
nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: status changed to disconnecting
nesessionmanager[25701]: IPSec disconnecting from server myvpc.mydomain.com
racoon[27001]: IPSec disconnecting from server myvpc.mydomain.com
--- last message repeated 1 time ---
racoon[27001]: failed to send vpn_control message: Broken pipe
--- last message repeated 1 time ---
racoon[27001]: glob found no matches for path "/var/run/racoon/*.conf"
--- last message repeated 1 time ---
racoon[27001]: IPSec disconnecting from server myvpc.mydomain.com
--- last message repeated 1 time ---
nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: status changed to disconnected, last stop reason 0
UserNotificationCenter[27003]: *** WARNING: Method userSpaceScaleFactor in class NSWindow is deprecated on 10.7 and later. It should not be used in new applications. Use convertRectToBacking: instead.
When I ran ipsec statusall on the VPN gateway server while OS X was trying to connect, it said:
Listening IP addresses:
  10.200.0.50
Connections:
         osx:  10.200.0.32/27...<public ip>  IKEv1
         osx:   local:  [my-server.my-domain.com] uses pre-shared key authentication
         osx:   remote: [staff] uses pre-shared key authentication
         osx:   remote: uses XAuth authentication: any
         osx:   child:  10.200.0.96/27 === dynamic TUNNEL
Security Associations (0 up, 1 connecting):
   (unnamed)[3]: CONNECTING, 10.200.0.50[%any]...1.2.3.4[%any]
   (unnamed)[3]: IKEv1 SPIs: HEX_CHARS_i HEX_CHARS_r*
   (unnamed)[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   (unnamed)[3]: Tasks passive: ISAKMP_VENDOR MAIN_MODE ISAKMP_NATD
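The question boils down to porting a racoon `proposal { ... }` block into a strongSwan `ike=` line and then reading charon's proposal-selection log lines to confirm the two agree. The script below, an added example that is not part of the original question or of strongSwan itself, does exactly that translation and comparison, and also lists every proposal the client offered so the weak ones (DES, 3DES, MD5, 1024-bit MODP) stand out. The mapping tables only cover the algorithm names on this page plus a few common ones; the sample racoon block and log lines are constructed from the ones in the question, with a placeholder hostname.

```python
"""Added example, not code from the original question or from strongSwan:
translate the proposal inside a racoon.conf `remote { ... }` block into the
strongSwan `ike=` keyword and compare it with what charon logs as selected.

Assumptions: the mapping tables cover only algorithm names that occur on this
page plus a few common ones; the sample racoon block is constructed from the
one in the question (hostname is a placeholder).
"""
import re

# racoon.conf keyword -> strongSwan ike= keyword
RACOON_ENC = {"aes": "aes", "3des": "3des", "des": "des"}
RACOON_HASH = {"sha1": "sha1", "md5": "md5", "sha256": "sha256"}
RACOON_DH = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}

# charon log algorithm names -> strongSwan ike= keyword
CHARON_ENC = {"AES_CBC_128": "aes128", "AES_CBC_192": "aes192", "AES_CBC_256": "aes256",
              "3DES_CBC": "3des", "DES_CBC": "des"}
CHARON_INTEG = {"HMAC_SHA1_96": "sha1", "HMAC_MD5_96": "md5", "HMAC_SHA2_256_128": "sha256"}
CHARON_DH = {"MODP_768": "modp768", "MODP_1024": "modp1024",
             "MODP_1536": "modp1536", "MODP_2048": "modp2048"}

# Keywords a defender should not accept in a new deployment.
WEAK = {"des", "3des", "md5", "modp768", "modp1024"}

# Constructed sample, modelled on the racoon block in the question.
RACOON_SAMPLE = """remote vpn.example.test {
    exchange_mode main;
    local_address 10.0.0.149;
    xauth_login "staff";
    mode_cfg on;
    proposal {
        authentication_method xauth_psk_client;
        hash_algorithm sha1;
        encryption_algorithm aes 256;
        lifetime time 3600 sec;
        dh_group 2;
    }
}
"""


def parse_racoon_proposal(remote_block: str) -> dict:
    """Return the statements of the first `proposal { ... }` inside a remote block."""
    m = re.search(r"proposal\s*\{([^}]*)\}", remote_block)
    if not m:
        raise ValueError("no proposal block found")
    fields = {}
    for stmt in m.group(1).split(";"):
        stmt = stmt.strip()
        if stmt:
            key, _, value = stmt.partition(" ")
            fields[key] = value.strip()
    return fields


def racoon_to_ike(remote_block: str) -> str:
    """'encryption_algorithm aes 256; hash_algorithm sha1; dh_group 2' -> 'aes256-sha1-modp1024'."""
    f = parse_racoon_proposal(remote_block)
    enc, _, keylen = f["encryption_algorithm"].partition(" ")
    return "-".join([RACOON_ENC[enc] + keylen.strip(),
                     RACOON_HASH[f["hash_algorithm"]],
                     RACOON_DH[int(f["dh_group"])]])


def charon_proposal_to_ike(proposal: str) -> str:
    """'IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024' -> 'aes256-sha1-modp1024'."""
    if proposal.startswith("IKE:"):
        proposal = proposal[len("IKE:"):]
    enc, integ, _prf, dh = proposal.split("/")
    return f"{CHARON_ENC[enc]}-{CHARON_INTEG[integ]}-{CHARON_DH[dh]}"


def received_proposals(log_line: str) -> list:
    """Every proposal the client offered, from a charon 'received proposals:' line."""
    m = re.search(r"received proposals: (.*)$", log_line)
    if not m:
        raise ValueError("not a 'received proposals' line")
    return [charon_proposal_to_ike(p.strip()) for p in m.group(1).split(",")]


def weak_parts(ike_kw: str) -> list:
    """The components of an ike= keyword that fall in the WEAK set."""
    return [p for p in ike_kw.split("-") if p in WEAK]


def check(remote_block: str, selected_line: str) -> dict:
    """Does the ported ike= keyword match what charon selected, and is it weak?"""
    configured = racoon_to_ike(remote_block)
    m = re.search(r"selected proposal: (\S+)", selected_line)
    if not m:
        raise ValueError("not a 'selected proposal' line")
    selected = charon_proposal_to_ike(m.group(1))
    return {"configured": configured, "selected": selected,
            "match": configured == selected, "weak": weak_parts(selected)}


if __name__ == "__main__":
    line = "charon: 16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"
    print(check(RACOON_SAMPLE, line))
```

Run against the "selected proposal" line from the server log, `check()` confirms that `ike=aes256-sha1-modp1024` is what charon picked (so the proposal mapping is not the problem) and flags `modp1024` as the part worth raising before the server goes into production.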
Here is my working configuration:
ipsec.conf:
conn rw-ikev1
    left=%any
    leftsubnet=0.0.0.0/0,::0/0
    leftauth=pubkey
    leftcert="hubud2.pem"
    [email protected]
    right=%any
    rightauth=pubkey
    rightauth2=xauth-radius
    rightgroups="cn=vpn_users_trusted/ou=roles/dc=y7/dc=hu"
    rightsourceip=192.168.100.0/28,2a01:270:1035:ff::/120
    leftupdown=/etc/ipsec.d/up.d/debug
    keyexchange=ikev1
    auto=add
    #ike=aes256-sha1-modp1024!
    #esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
racoon.conf on the OS X side:
remote 1.2.3.4 {
    doi ipsec_doi;
    situation identity_only;
    exchange_mode main;
    my_identifier asn1dn;
    peers_identifier address "1.2.3.4";
    verify_identifier off;
    certificate_type x509 in_keychain "c3N1aQ[...]5QRU=";
    verify_cert on;
    certificate_verification sec_framework use_peers_identifier;
    local_address 192.168.213.102;
    nonce_size 16;
    dpd_delay 20;
    dpd_retry 5;
    dpd_maxfail 5;
    dpd_algorithm dpd_blackhole_detect;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    xauth_login "vpn.mbp";
    mode_cfg on;
    proposal {
        [... all the proposals...]
    }
}
ipsec status shows:
Security Associations (1 up, 0 connecting):
    rw-ikev1[807]: ESTABLISHED 8 minutes ago, 1.2.3.4[xxx.atw.hu]...178.129.52.79[CN=xxx]
    rw-ikev1[807]: Remote XAuth identity: vpn.mbp
    rw-ikev1[807]: IKEv1 SPIs: 1581b804f3aaa79d_i 00c78ea635a7fbe9_r*, rekeying disabled
    rw-ikev1[807]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    rw-ikev1{279}: INSTALLED, TUNNEL, ESP in UDP SPIs: cda86008_i 0f272fa7_o
    rw-ikev1{279}: AES_CBC_128/HMAC_SHA1_96, 205529 bytes_i (1346 pkts, 3s ago), 925037 bytes_o (1563 pkts, 3s ago), rekeying disabled
    rw-ikev1{279}: 0.0.0.0/0 === 192.168.100.2/32
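Both the question's `ipsec statusall` output (an IKE_SA stuck in CONNECTING with no CHILD_SA) and the answer's `ipsec status` output (ESTABLISHED, with an INSTALLED CHILD_SA) have the same line shapes, so a small parser can turn either into a structured record and report what an operator would want to know at a glance. The script below is an added example and not code from the answer or from strongSwan; it assumes the strongSwan 5.x output format shown on this page, and its two sample inputs are constructed from the page's outputs with documentation-range addresses substituted for the real ones.

```python
"""Added example (not from the original answer or from strongSwan): parse the
text that `ipsec statusall` / `ipsec status` print and turn each IKE_SA into a
structured record with defender-side findings.

Assumptions: line shapes are the ones shown on this page (strongSwan 5.x);
sample inputs are constructed from the page's outputs with documentation-range
addresses (203.0.113.0/24, 198.51.100.0/24) in place of the real ones.
"""
import re

IKE_RE = re.compile(r"^\s*(?P<name>[^\[\s]+)\[(?P<id>\d+)\]: (?P<rest>.*)$")
CHILD_RE = re.compile(r"^\s*(?P<name>[^{\s]+)\{(?P<id>\d+)\}: (?P<rest>.*)$")
IKE_STATES = {"CREATED", "CONNECTING", "ESTABLISHED", "PASSIVE", "REKEYING", "DELETING"}
CHILD_STATES = ("INSTALLED", "INSTALLING", "REKEYING", "DELETING", "ROUTED")
# Algorithms that should not appear in a new deployment.
WEAK = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_768", "MODP_1024"}

# Constructed from the answer's `ipsec status` output.
SAMPLE_UP = """Security Associations (1 up, 0 connecting):
    rw-ikev1[807]: ESTABLISHED 8 minutes ago, 203.0.113.10[vpn.example.test]...198.51.100.7[CN=vpn.mbp]
    rw-ikev1[807]: Remote XAuth identity: vpn.mbp
    rw-ikev1[807]: IKEv1 SPIs: 1581b804f3aaa79d_i 00c78ea635a7fbe9_r*, rekeying disabled
    rw-ikev1[807]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    rw-ikev1{279}: INSTALLED, TUNNEL, ESP in UDP SPIs: cda86008_i 0f272fa7_o
    rw-ikev1{279}: AES_CBC_128/HMAC_SHA1_96, 205529 bytes_i (1346 pkts, 3s ago), 925037 bytes_o (1563 pkts, 3s ago), rekeying disabled
    rw-ikev1{279}: 0.0.0.0/0 === 192.168.100.2/32
"""

# Constructed from the question's `ipsec statusall` output.
SAMPLE_CONNECTING = """Listening IP addresses:
  10.200.0.50
Connections:
         osx:  10.200.0.32/27...%any  IKEv1
         osx:   local:  [vpn.example.test] uses pre-shared key authentication
         osx:   remote: [staff] uses pre-shared key authentication
         osx:   remote: uses XAuth authentication: any
         osx:   child:  10.200.0.96/27 === dynamic TUNNEL
Security Associations (0 up, 1 connecting):
   (unnamed)[3]: CONNECTING, 10.200.0.50[%any]...198.51.100.7[%any]
   (unnamed)[3]: IKEv1 SPIs: HEX_CHARS_i HEX_CHARS_r*
   (unnamed)[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   (unnamed)[3]: Tasks passive: ISAKMP_VENDOR MAIN_MODE ISAKMP_NATD
"""


def parse_status(text: str) -> list:
    """Return one dict per IKE_SA, in output order, with its CHILD_SAs attached."""
    sas, order, current = {}, [], None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            key = (m["name"], int(m["id"]))
            if key not in sas:
                sas[key] = {"name": m["name"], "id": int(m["id"]), "state": None,
                            "ike_proposal": None, "rekeying_disabled": False, "children": []}
                order.append(key)
            current = sas[key]
            rest = m["rest"]
            head = rest.split(",")[0].split()[0] if rest.split() else ""
            if head in IKE_STATES:
                current["state"] = head
            elif rest.startswith("IKE proposal: "):
                current["ike_proposal"] = rest[len("IKE proposal: "):].strip()
            if "rekeying disabled" in rest:
                current["rekeying_disabled"] = True
            continue
        m = CHILD_RE.match(line)
        # CHILD_SA lines follow their IKE_SA and carry the same connection name.
        if m and current is not None and m["name"] == current["name"]:
            cid = int(m["id"])
            child = next((c for c in current["children"] if c["id"] == cid), None)
            if child is None:
                child = {"id": cid, "state": None, "esp": None, "udp_encap": False, "selectors": None}
                current["children"].append(child)
            rest = m["rest"]
            if " === " in rest:
                child["selectors"] = rest.strip()
            elif rest.startswith(CHILD_STATES):
                child["state"] = rest.split(",")[0]
                child["udp_encap"] = "ESP in UDP" in rest
            elif "/" in rest.split(",")[0]:
                child["esp"] = rest.split(",")[0]
    return [sas[k] for k in order]


def findings(sa: dict) -> list:
    """Operator-facing observations about one parsed IKE_SA."""
    out, label = [], f"{sa['name']}[{sa['id']}]"
    if sa["state"] != "ESTABLISHED":
        out.append(f"{label}: state is {sa['state']}, not ESTABLISHED")
    if not any(c["state"] == "INSTALLED" for c in sa["children"]):
        out.append(f"{label}: no CHILD_SA installed")
    algs = (sa["ike_proposal"] or "").split("/")
    for c in sa["children"]:
        algs += (c["esp"] or "").split("/")
    out += [f"{label}: weak algorithm {a}" for a in algs if a in WEAK]
    if sa["rekeying_disabled"]:
        out.append(f"{label}: rekeying disabled (SA lives until torn down)")
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_CONNECTING, SAMPLE_UP):
        for sa in parse_status(sample):
            print("\n".join(findings(sa)) or f"{sa['name']}[{sa['id']}]: ok")
```

On the question's output the report says the SA never left CONNECTING, has no CHILD_SA and negotiated MODP_1024; on the answer's output the only remark is `rekey=no`, which is a deliberate choice in that configuration but worth knowing about, since a long-lived SA never rotates its keys.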