strongSwan 4.5.2 with iOS and Mavericks, connection problems

I can't get strongSwan 4.5.2 to work with iOS 7 and OS X Mavericks. I followed both of these guides but am still having problems. http://teebeenator.blogspot.com/2013/06/strongswan-for-raspberry-pi.html http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)

I suspect the problem is related to the old version of strongSwan; unfortunately my server is a Raspberry Pi, and I don't think there is an easy way to get strongSwan 5.x onto the Pi.

This may be a red herring, but I suspect the following error message in my /var/log/auth.log is related to my problem:

    message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)

I couldn't find any help online about this error message (at least not in English; I saw a few mentions of it in German).

Here are the contents of /etc/strongswan.conf

    # strongswan.conf - strongSwan configuration file

    charon {
        # number of worker threads in charon
        threads = 16
        # send strongswan vendor ID?
        # send_vendor_id = yes
        plugins {
            sql {
                # loglevel to log into sql database
                loglevel = -1
                # URI to the database
                # database = sqlite:///path/to/file.db
                # database = mysql://user:password@localhost/database
            }
            dhcp {
                identity_lease = yes
            }
        }
        # ...
    }

    pluto {
        dns1 = 192.168.0.1
    }

    libstrongswan {
        # set to no, the DH exponent size is optimized
        # dh_exponent_ansi_x9_42 = no
    }

Next, the contents of /etc/ipsec.conf

    # ipsec.conf - strongSwan IPsec configuration file

    # basic configuration

    config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        #charonstart=yes
        plutostart=yes

    # Add connections here.

    conn %default
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsubnet=10.0.0.0/24
        rightsourceip=10.0.0.2
        rightcert=clientCert.pem
        pfs=no
        auto=add

    conn rw-eap
        dpdaction=clear
        dpddelay=300s
        leftauth=pubkey
        leftcert=serverCert.pem
        rightauth=eap-mschapv2
        rightsendcert=never

    include /var/lib/strongswan/ipsec.conf.inc

I copied the following files as the guides instructed:

    cp caCert.pem /etc/ipsec.d/cacerts/
    cp serverCert.pem /etc/ipsec.d/certs/
    cp serverKey.pem /etc/ipsec.d/private/
    cp clientCert.pem /etc/ipsec.d/certs/
    cp clientKey.pem /etc/ipsec.d/private/

Before generating these certificates I also edited my /usr/lib/ssl/openssl.cnf to include the appropriate subjectAltName.

Any help would be greatly appreciated, even just suggestions on how I might get a newer version of strongSwan onto my Pi! Thanks!

Below is some more complete auth.log output, with the dates removed.

Starting the server

    sudo: pi : TTY=pts/1 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/sbin/ipsec start
    sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
    ipsec_starter[22013]: Starting strongSwan 4.5.2 IPsec [starter]...
    sudo: pam_unix(sudo:session): session closed for user root
    pluto[22027]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
    ipsec_starter[22026]: pluto (22027) started after 20 ms
    pluto[22027]: listening on interfaces:
    pluto[22027]: eth0
    pluto[22027]: 192.168.1.9
    pluto[22027]: received netlink error: Address family not supported by protocol (97)
    pluto[22027]: unable to create IPv6 routing table rule
    pluto[22027]: loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink
    pluto[22027]: including NAT-Traversal patch (Version 0.6c)
    pluto[22027]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
    ipsec_starter[22026]: charon (22028) started after 740 ms
    pluto[22027]: loading ca certificates from '/etc/ipsec.d/cacerts'
    pluto[22027]: loaded ca certificate from '/etc/ipsec.d/cacerts/caCert.pem'
    pluto[22027]: loading aa certificates from '/etc/ipsec.d/aacerts'
    pluto[22027]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
    pluto[22027]: Changing to directory '/etc/ipsec.d/crls'
    pluto[22027]: loading attribute certificates from '/etc/ipsec.d/acerts'
    pluto[22027]: spawning 4 worker threads
    pluto[22027]: listening for IKE messages
    pluto[22027]: adding interface eth0/eth0 192.168.1.9:500
    pluto[22027]: adding interface eth0/eth0 192.168.1.9:4500
    pluto[22027]: adding interface lo/lo 127.0.0.1:500
    pluto[22027]: adding interface lo/lo 127.0.0.1:4500
    pluto[22027]: loading secrets from "/etc/ipsec.secrets"
    pluto[22027]: no secrets filename matched "/var/lib/strongswan/ipsec.secrets.inc"
    pluto[22027]: loaded private key from 'serverKey.pem'
    pluto[22027]: loaded XAUTH secret for peter.story
    pluto[22027]: loaded host certificate from '/etc/ipsec.d/certs/serverCert.pem'
    pluto[22027]: id '%any' not confirmed by certificate, defaulting to 'C=CH, O=storyZone, CN=storyzone.us.to'
    pluto[22027]: loaded host certificate from '/etc/ipsec.d/certs/clientCert.pem'
    pluto[22027]: id '%any' not confirmed by certificate, defaulting to 'C=CH, O=storyZone, CN=piclient'
    pluto[22027]: added connection description "rw-eap"

Connection attempt from iOS

    pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [RFC 3947]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [XAUTH]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [Cisco-Unity]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [Dead Peer Detection]
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: responding to Main Mode from unknown peer 96.237.188.238
    pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [RFC 3947]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [XAUTH]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [Cisco-Unity]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [Dead Peer Detection]
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: responding to Main Mode from unknown peer 96.237.188.238
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: ignoring informational payload, type INVALID_PAYLOAD_TYPE
    pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [RFC 3947]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [XAUTH]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [Cisco-Unity]
    pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [Dead Peer Detection]
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: responding to Main Mode from unknown peer 96.237.188.238
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: ignoring informational payload, type INVALID_PAYLOAD_TYPE
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: ignoring informational payload, type INVALID_PAYLOAD_TYPE
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
    pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: ignoring informational payload, type INVALID_PAYLOAD_TYPE
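As an added example (not part of the original post and not strongSwan code), here is a small Python triage script for pluto log output of the kind shown above. It groups events per peer and per ISAKMP state number (the `#1`, `#2`, `#3` in the lines), records which Vendor IDs the initiator announced, and flags states that pluto answered with "responding to Main Mode" but that afterwards only produced "unexpected payload type (ISAKMP_NEXT_SA)". In IKEv1 Main Mode the SA payload belongs only to the first exchange, so a later message that still carries one means the client is still sending its opening message and the exchange never advanced. The embedded sample log is constructed: the stalled states are abridged from the post, while state #3's "transition from state" line is a constructed contrast that does not occur in the posted output. The Vendor ID mappings (XAUTH, RFC 3947 / draft NAT-T, Dead Peer Detection, Cisco-Unity) are the standard meanings of those IDs; the unrecognised hex IDs are deliberately left unlabelled.

```python
"""Triage strongSwan pluto (IKEv1) log lines for Main Mode exchanges that never advance."""
import re
from collections import defaultdict

# Constructed sample (dates already stripped, as in the post). States #1 and #2 follow
# the stalled pattern from the post; state #3 is a constructed contrast that advances.
SAMPLE_LOG = """\
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [RFC 3947]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [Cisco-Unity]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [XAUTH]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [Dead Peer Detection]
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"""

# "conn"[instance] peer #state: message
STATE_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
# packet from peer:port: received|ignoring Vendor ID payload [id]
VID_RE = re.compile(r'packet from (?P<peer>[^:\s]+):\d+: (?P<verdict>received|ignoring) '
                    r'Vendor ID payload \[(?P<vid>[^\]]+)\]')


def parse_line(line):
    """Classify one pluto line; returns a dict, or None for lines this triage ignores."""
    m = VID_RE.search(line)
    if m:
        return {"kind": "vid", "peer": m["peer"], "vid": m["vid"], "verdict": m["verdict"]}
    m = STATE_RE.search(line)
    if m:
        return {"kind": "state", "peer": m["peer"], "conn": m["conn"],
                "state": int(m["state"]), "msg": m["msg"]}
    return None


def client_profile(vendor_ids):
    """Translate well-known Vendor IDs into what they say about the initiator."""
    hints = []
    if "XAUTH" in vendor_ids:
        hints.append("IKEv1 with XAuth (not IKEv2/EAP)")
    if "RFC 3947" in vendor_ids or any(v.startswith("draft-ietf-ipsec-nat-t-ike") for v in vendor_ids):
        hints.append("NAT-Traversal capable")
    if "Dead Peer Detection" in vendor_ids:
        hints.append("DPD")
    if "Cisco-Unity" in vendor_ids:
        hints.append("Cisco-Unity mode-config attributes")
    return hints


def triage(log_text):
    """Per peer: announced Vendor IDs, matched conns, and which ISAKMP states stalled.

    A state is 'stalled' when pluto answered Main Mode for it but every later message
    was rejected for still carrying an SA payload (a client repeating its first message).
    A state is 'progressed' when a state transition was logged for it."""
    peers = defaultdict(lambda: {"vendor_ids": set(), "conns": set(), "states": defaultdict(list)})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        p = peers[ev["peer"]]
        if ev["kind"] == "vid":
            p["vendor_ids"].add(ev["vid"])
        else:
            p["conns"].add(ev["conn"])
            p["states"][ev["state"]].append(ev["msg"])

    report = {}
    for peer, p in peers.items():
        stalled, progressed, ignored_sa = [], [], 0
        for num, msgs in sorted(p["states"].items()):
            answered = any(m.startswith("responding to Main Mode") for m in msgs)
            advanced = any("transition from state" in m for m in msgs)
            sa_retx = sum("unexpected payload type (ISAKMP_NEXT_SA)" in m for m in msgs)
            ignored_sa += sa_retx
            if advanced:
                progressed.append(num)
            elif answered and sa_retx:
                stalled.append(num)
        report[peer] = {"conns": sorted(p["conns"]), "vendor_ids": sorted(p["vendor_ids"]),
                        "client_profile": client_profile(p["vendor_ids"]),
                        "stalled": stalled, "progressed": progressed, "ignored_sa": ignored_sa}
    return report


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for peer, summary in triage(text).items():
        print(peer, summary)
```

Run it with the path to a real auth.log as the only argument (it needs read access to that file); with no argument it runs over the constructed sample. Three stalled states from one peer within a few seconds, all announcing the XAUTH Vendor ID, is the shape of a client that keeps opening new IKEv1 Main Mode exchanges because nothing it received let it move on.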