IPsec configuration in strongSwan

I am trying to set up an IPsec VPN between two peers hosted in AWS, but I cannot get it working. My environment is as follows:

One peer has 10.10.1.100 as its private IP and 8.abc as its public IP; the remote client is reachable from IP 9.dec. I have been told to follow these parameters in the configuration:

Phase 1 settings:

• IKE version: IKEv2

• IKE authentication method: pre-shared key

• IKE encryption algorithm: AES256

• IKE authentication algorithm: HMAC_SHA256

• IKE Diffie-Hellman group: Group 2 – 1024 bit

• IKE phase 1 lifetime: 86400s

• IKE exchange mode: Main

Phase 2 settings:

• Encryption algorithm: AES256

• Authentication algorithm: HMAC_SHA256

• Diffie-Hellman group: Group 2 – 1024 bit

• Phase 2 lifetime: 3600s

So I set up one peer in the ipsec.conf file:

    # ipsec.conf - strongSwan IPsec configuration file

    # basic configuration

    config setup
        charondebug="ike 4, knl 2, cfg 2, net 4, lib 2, chd 4, mgr 4, enc 4"
        # strictcrlpolicy=yes
        # uniqueids = no

    # Add connections here.

    # Sample VPN connections

    conn cet
        authby=secret
        keyexchange=ikev2
        esp=aes256-sha256-modp1024
        ikelifetime=86400s
        ike=aes256-sha256-modp1024
        keylife=3600s
        leftsubnet=10.10.1.0/24
        left=10.10.1.100
        right=9.dec
        rightsubnet=192.168.1.0/24
        mobike=no
        auto=start

and the /etc/ipsec.secrets file looks like this:

    # ipsec.secrets - strongSwan IPsec secrets file
    54.169.72.161 : PSK "oddRandomCharacters"

But when I try to establish the VPN connection, this is the output I get:

    initiating IKE_SA cet[68] to 9.def
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    sending packet: from 10.10.1.100[500] to 9.def[500] (900 bytes)
    received packet: from 9.def[500] to 10.10.1.100[500] (336 bytes)
    parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    local host is behind NAT, sending keep alives
    remote host is behind NAT
    authentication of '10.10.1.100' (myself) with pre-shared key
    establishing CHILD_SA cet
    generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    sending packet: from 10.10.1.100[4500] to 9.def[4500] (384 bytes)
    received packet: from 9.def[4500] to 10.10.1.100[4500] (80 bytes)
    parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    received AUTHENTICATION_FAILED notify error
    establishing connection 'cet' failed

I guess I am missing the phase 2 parameters, because as far as I can tell the phase 1 negotiation is fine, but it fails when the tunnel tries to establish. The secret key is correct and the configuration parameters were shared beforehand, so that should not be the problem. Unfortunately I do not have access to the remote peer's logs, so /var/log/syslog is all I have:

    Aug 27 02:03:11 ap-southeast-2-gw charon: 10[IKE] successfully created shared key MAC
    Aug 27 02:03:11 ap-southeast-2-gw charon: 10[IKE] establishing CHILD_SA cet
    Aug 27 02:03:11 ap-southeast-2-gw charon: 10[CFG] proposing traffic selectors for us:
    Aug 27 02:03:11 ap-southeast-2-gw charon: 10[CFG]  10.10.1.0/24
    Aug 27 02:03:11 ap-southeast-2-gw charon: 10[CFG] proposing traffic selectors for other:
    Aug 27 02:03:11 ap-southeast-2-gw charon: 10[CFG]  192.168.1.0/24
    Aug 27 02:03:11 ap-southeast-2-gw charon: 10[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
    Aug 27 02:03:11 ap-southeast-2-gw charon: 10[KNL] got SPI cd02b0dc
    Aug 27 02:03:11 ap-southeast-2-gw charon: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    Aug 27 02:03:11 ap-southeast-2-gw charon: 10[NET] sending packet: from 10.10.1.100[4500] to 54.169.72.161[4500] (384 bytes)
    Aug 27 02:03:11 ap-southeast-2-gw charon: 05[NET] sending packet: from 10.10.1.100[4500] to 54.169.72.161[4500]
    Aug 27 02:03:12 ap-southeast-2-gw charon: 03[NET] received packet: from 54.169.72.161[4500] to 10.10.1.100[4500]
    Aug 27 02:03:12 ap-southeast-2-gw charon: 03[NET] waiting for data on sockets
    Aug 27 02:03:12 ap-southeast-2-gw charon: 15[NET] received packet: from 54.169.72.161[4500] to 10.10.1.100[4500] (80 bytes)
    Aug 27 02:03:12 ap-southeast-2-gw charon: 15[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Aug 27 02:03:12 ap-southeast-2-gw charon: 15[IKE] received AUTHENTICATION_FAILED notify error

Am I missing something?
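As an added example (not code from the question or any answer): a small Python checker that parses the `conn` sections of an ipsec.conf and the PSK lines of an ipsec.secrets, compares the proposals and lifetimes against the parameter sheet above, and verifies that some PSK entry's selector actually covers the address configured as `right`. The embedded files are constructed copies of the question's layout with a documentation placeholder as the peer address.

```python
import re

# Constructed sample mirroring the question's two files (placeholder peer address).
IPSEC_CONF = """\
conn cet
    authby=secret
    keyexchange=ikev2
    esp=aes256-sha256-modp1024
    ikelifetime=86400s
    ike=aes256-sha256-modp1024
    keylife=3600s
    right=203.0.113.10
"""
IPSEC_SECRETS = '203.0.113.10 : PSK "oddRandomCharacters"\n'

# The parameter sheet from the question, written as strongSwan proposal strings.
REQUIRED = {"keyexchange": "ikev2", "authby": "secret", "ikelifetime": "86400s",
            "ike": "aes256-sha256-modp1024", "esp": "aes256-sha256-modp1024",
            "keylife": "3600s"}

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section of ipsec.conf."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # strip comments and whitespace
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line.startswith("config "):
            current = None                          # 'config setup' is not a conn
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def parse_psk_selectors(text):
    """Return one selector set per PSK line of ipsec.secrets; empty set = any peer."""
    selectors = []
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s*:\s*PSK\s", line.split("#", 1)[0].strip())
        if m:
            selectors.append(set(m.group(1).split()))
    return selectors

def check_conn(conn, psk_selectors):
    """Return findings as strings; an empty list means every check passed."""
    findings = [f"{k}: expected {v!r}, got {conn.get(k)!r}"
                for k, v in REQUIRED.items() if conn.get(k) != v]
    peer = conn.get("right", "")
    # strongSwan selects the PSK by the peer's address/identity; no selector or %any matches all.
    if not any(not s or peer in s or "%any" in s for s in psk_selectors):
        findings.append(f"no PSK selector covers right={peer}")
    return findings
```

A PSK whose selector does not cover the peer is one of the first things to rule out when IKE_AUTH comes back with AUTHENTICATION_FAILED after a clean IKE_SA_INIT.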

AFAIK IKEv2 does not support secret as an authentication method.

Edit: this may not be the case in a site-to-site setup. I have only used strongSwan for a road-warrior setup with Windows 10 clients, and secret or PSK does not work for IKEv2 in Windows.

You may need to do a mutual EAP method with EAP-TLS on both ends, or use EAP on the requesting end and a public key on the server end.

Edit: can you share the configuration from the other end?