Strongswan VPN: no matching peer config found

I am trying to set up a Strongswan VPN, but I can't get it to work. It can't find a matching peer config, and I don't know why:

Log:

    [ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
    [NET] <1> sending packet: from 111.111.111.111[500] to 222.222.222.222[34460] (312 bytes)
    [NET] <1> received packet: from 222.222.222.222[34495] to 111.111.111.111[4500] (428 bytes)
    [ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 D_N) N(NON_FIRST_FRAG) SA TSi TSr ]
    [CFG] <1> looking for peer configs matching 111.111.111.111[@vpn.example.net]...222.222.222.222[333.333.333.333]
    [CFG] <1> no matching peer config found
    [IKE] <1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    [IKE] <1> peer supports MOBIKE
    [ENC] <1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    [NET] <1> sending packet: from 111.111.111.111[4500] to 222.222.222.222[34495] (76 bytes)

ipsec.conf file:

    config setup

    conn %default
        # Wait for peer connection
        auto=add
        keyexchange=ikev2
        # Win7, iOS and Mac
        ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! # Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; OS X is 3DES, sha-1, modp1024
        esp=aes256-sha256,aes256-sha1,3des-sha1! # Win 7 is aes256-sha1, iOS is aes256-sha256, OS X is 3des-sha1
        # Win7 only
        #ike=aes256-sha1-modp1024!
        #esp=aes256-sha1!
        # Dead peer detection
        dpdaction=clear
        dpddelay=300s
        # Win7 does not like rekeying
        rekey=no
        # Helps with restrictive firewalls
        forceencaps=yes
        # Suggest and accept compression
        compress=yes

    conn bbnet
        # VPN Gateway is reachable via any network interface
        left=%any
        # For now tunnel all traffic, later we may refine this to specific subnets
        # https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig
        leftsubnet=0.0.0.0/0
        # Auth
        leftauth=pubkey
        leftcert=serverCert.pem
        [email protected]
        # Mac/iOS: https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
        leftsendcert=always
        # Peers:
        # Allow all since peers have dynamic IPs
        # Assign them IPs in the range 10.67.1.0-10.67.1.255
        right=%any
        rightsourceip=10.67.1.0/24
        rightid=%any
        # Peer auth
        rightauth=eap-mschapv2
        rightsendcert=never
        # Not sure if needed
        eap_identity=%any

ipsec.secret:

    : RSA serverKey.pem
    donny : EAP "abcd1234"

iOS / OS X client:

    Server: vpn.example.net
    Remote ID: @vpn.example.net
    Local ID:

Auth: User / PW => donny / abcd1234

My setup is currently very similar to https://www.strongswan.org/testing/testresults/ikev2/rw-eap-mschapv2-id-rsa/index.html, but peer matching does not work on my machine.

Update: Win8 can connect, but my iOS / OS X devices cannot. Here is the log of a successful Win 8 authentication and connection:

    [NET] <1> received packet: from 111.111.111.111[500] to 222.222.222.222[500] (880 bytes)
    [ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) VVVV ]
    [ENC] <1> received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
    [ENC] <1> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    [ENC] <1> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    [ENC] <1> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    [IKE] <1> 111.111.111.111 is initiating an IKE_SA
    [IKE] <1> remote host is behind NAT
    [ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
    [NET] <1> sending packet: from 222.222.222.222[500] to 111.111.111.111[500] (312 bytes)
    [NET] <1> received packet: from 111.111.111.111[4500] to 222.222.222.222[4500] (5708 bytes)
    [ENC] <1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi
    [IKE] <1> received cert request for "C=FR, O=strongSwan, CN=strongSwan CA"
    [IKE] <1> received 262 cert requests for an unknown ca
    [CFG] <1> looking for peer configs matching 222.222.222.222[%any]...111.111.111.111[333.333.333.333]
    [CFG] <bbnet|1> selected peer config 'bbnet'
    [IKE] <bbnet|1> initiating EAP_IDENTITY method (id 0x00)
    [IKE] <bbnet|1> peer supports MOBIKE
    [IKE] <bbnet|1> authentication of 'vpn.blubyte.de' (myself) with RSA signature successful
    [IKE] <bbnet|1> sending end entity cert "C=FR, O=strongSwan, CN=vpn.blubyte.de"
    [ENC] <bbnet|1> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    [NET] <bbnet|1> sending packet: from 222.222.222.222[4500] to 111.111.111.111[4500] (1228 bytes)
    [NET] <bbnet|1> received packet: from 111.111.111.111[4500] to 222.222.222.222[4500] (76 bytes)
    [ENC] <bbnet|1> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
    [IKE] <bbnet|1> received EAP identity 'donny'
    [IKE] <bbnet|1> initiating EAP_MSCHAPV2 method (id 0x0D)
    [ENC] <bbnet|1> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
    [NET] <bbnet|1> sending packet: from 222.222.222.222[4500] to 111.111.111.111[4500] (108 bytes)
    [NET] <bbnet|1> received packet: from 111.111.111.111[4500] to 222.222.222.222[4500] (140 bytes)
    [ENC] <bbnet|1> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
    ...

I still need to know how to make it compatible with iOS / OS X…
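A triage aid for the two log excerpts above, added here as an example and not part of the original post: it pairs every `looking for peer configs matching` line with its outcome per IKE_SA and shows which requested identities differ between the failed and the successful attempt. In that log line the first bracket is the responder identity (IDr) the client asked for, which strongSwan compares with `leftid`, and the second is the client's own identity (IDi); the function names are hypothetical.

```python
import re

# Lines copied from the post's two log excerpts (addresses are the post's placeholders).
FAILED = """\
[CFG] <1> looking for peer configs matching 111.111.111.111[@vpn.example.net]...222.222.222.222[333.333.333.333]
[CFG] <1> no matching peer config found
[ENC] <1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""
WORKED = """\
[CFG] <1> looking for peer configs matching 222.222.222.222[%any]...111.111.111.111[333.333.333.333]
[CFG] <bbnet|1> selected peer config 'bbnet'
[IKE] <bbnet|1> received EAP identity 'donny'
"""

SA_ID = re.compile(r"<(?:[^|>]+\|)?(\d+)>")   # matches <1> and <bbnet|1>
LOOKUP = re.compile(
    r"looking for peer configs matching "
    r"(?P<local>[^\[\s]+)\[(?P<idr>[^\]]*)\]\.\.\."
    r"(?P<remote>[^\[\s]+)\[(?P<idi>[^\]]*)\]")
SELECTED = re.compile(r"selected peer config '([^']+)'")
NO_MATCH = "no matching peer config found"

def lookups(log):
    """Return one dict per peer-config lookup; 'conn' is None when nothing matched."""
    pending, done = {}, []
    for line in log.splitlines():
        sa = SA_ID.search(line)
        if not sa:
            continue
        key = sa.group(1)                      # track each IKE_SA separately
        m = LOOKUP.search(line)
        if m:
            pending[key] = m.groupdict()
        elif key in pending:
            sel = SELECTED.search(line)
            if sel:
                done.append({**pending.pop(key), "conn": sel.group(1)})
            elif NO_MATCH in line:
                done.append({**pending.pop(key), "conn": None})
    return done

def diff_requests(bad, good):
    """Identity fields in which a failed lookup differs from a successful one."""
    return {k: (bad[k], good[k]) for k in ("idr", "idi") if bad[k] != good[k]}

if __name__ == "__main__":
    bad, good = lookups(FAILED)[0], lookups(WORKED)[0]
    print("failed :", bad)
    print("worked :", good)
    print("differs:", diff_requests(bad, good))
```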