Connecting a server to my home network via strongSwan (received INVALID_ID_INFORMATION error notify)

I am trying to establish a VPN connection from a root server to my home network with strongSwan. I have configured my router (FritzBox 7490) for a VPN PSK XAUTH connection. The VPN connection from my Android smartphone works.

I am struggling to configure strongSwan correctly. I have studied the manual and I am running out of ideas. I don't even know how to interpret the log.

The two configuration files and the log are:

/etc/strongswan/ipsec.conf

    #/etc/strongswan/ipsec.conf
    config setup
        uniqueids=no
        #charondebug="ike 4, knl 4, cfg 4, mgr 4, chd 4, dmn 4, esp 4, lib 4, tnc 4"

    conn %default
        ike=aes256-sha-modp1024!
        esp=3des-md5!
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1

    conn wb
        auto=add
        aggressive=yes
        xauth_identity=montblanc
        left=5.196.66.46
        leftid=keyid:montblanc
        leftsourceip=%config4
        #leftgroups2=montblanc
        #leftfirewall=yes
        leftauth=psk
        leftauth2=xauth
        right=nanga.no-ip.biz
        rightid=%any
        rightsubnet=192.168.178.0/24
        rightauth=psk

/etc/ipsec.secrets

    # /etc/ipsec.secrets - strongSwan IPsec secrets file
    %any : PSK "something"
    montblanc : XAUTH "somethingelse"

Log when connecting:

    initiating Aggressive Mode IKE_SA wb[3] to 93.104.35.40
    generating AGGRESSIVE request 0 [ SA KE No ID VVVV ]
    sending packet: from 5.196.66.46[500] to 93.104.35.40[500] (341 bytes)
    received packet: from 93.104.35.40[500] to 5.196.66.46[500] (412 bytes)
    parsed AGGRESSIVE response 0 [ SA KE No ID HASH VVVVV NAT-D NAT-D ]
    received XAuth vendor ID
    received DPD vendor ID
    received NAT-T (RFC 3947) vendor ID
    received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    received unknown vendor ID: a2:22:6f:c3:64:50:0f:56:34:ff:77:db:3b:74:f4:1b
    generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
    sending packet: from 5.196.66.46[500] to 93.104.35.40[500] (108 bytes)
    received packet: from 93.104.35.40[500] to 5.196.66.46[500] (92 bytes)
    parsed INFORMATIONAL_V1 request 3080152599 [ HASH N(INITIAL_CONTACT) ]
    received packet: from 93.104.35.40[500] to 5.196.66.46[500] (92 bytes)
    parsed TRANSACTION request 3809505870 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
    generating TRANSACTION response 3809505870 [ HASH CPRP(X_USER X_PWD) ]
    sending packet: from 5.196.66.46[500] to 93.104.35.40[500] (108 bytes)
    received packet: from 93.104.35.40[500] to 5.196.66.46[500] (76 bytes)
    parsed TRANSACTION request 3809505870 [ HASH CPS(X_STATUS) ]
    XAuth authentication of 'montblanc' (myself) successful
    IKE_SA wb[3] established between 5.196.66.46[montblanc]...93.104.35.40[93.104.35.40]
    scheduling reauthentication in 3410s
    maximum IKE_SA lifetime 3590s
    generating TRANSACTION response 3809505870 [ HASH CPA(X_STATUS) ]
    sending packet: from 5.196.66.46[500] to 93.104.35.40[500] (76 bytes)
    generating TRANSACTION request 835986006 [ HASH CPRQ(ADDR DNS) ]
    sending packet: from 5.196.66.46[500] to 93.104.35.40[500] (76 bytes)
    received packet: from 93.104.35.40[500] to 5.196.66.46[500] (76 bytes)
    parsed TRANSACTION response 835986006 [ HASH CPRP(ADDR DNS) ]
    installing DNS server 192.168.178.1 to /etc/strongswan/resolv.conf
    installing new virtual IP 192.168.178.202
    generating QUICK_MODE request 2471505598 [ HASH SA No ID ID ]
    sending packet: from 5.196.66.46[500] to 93.104.35.40[500] (172 bytes)
    received packet: from 93.104.35.40[500] to 5.196.66.46[500] (76 bytes)
    parsed INFORMATIONAL_V1 request 1883469062 [ HASH N(INVAL_ID) ]
    received INVALID_ID_INFORMATION error notify
    establishing connection 'wb' failed

I would be grateful for any suggestions.

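When a client receives an INVALID_ID_INFORMATION notify during the IKEv1 Quick Mode exchange, it means the responder did not like the contents of the ID payloads that are used to transport the traffic selectors (subnets) in these exchanges. This may be because the subnets are not configured correctly (they must match on both ends). Compare the configurations and, depending on the implementation, consulting the responder's log might help.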

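Some IKEv1 implementations use the Cisco Unity extensions, which allow the tunneled remote subnets to be transmitted during the ModeConfig exchange. Usually they expect the remote subnet in the Quick Mode exchange to be set to 0.0.0.0/0 instead of any actual subnet. So try enabling the unity plugin in strongSwan and configuring rightsubnet=0.0.0.0/0, which is probably what the responder expects.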
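As an added example (not part of the original question or answer), this Python script reads charon output like the log above and reports how far the IKEv1 negotiation got and which exchange the error notify answered. The `triage` function, the `HINTS` table and the shortened sample log are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the charon output quoted in the question.
SAMPLE_LOG = """\
generating AGGRESSIVE request 0 [ SA KE No ID VVVV ]
parsed TRANSACTION request 3809505870 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'montblanc' (myself) successful
IKE_SA wb[3] established between 5.196.66.46[montblanc]...93.104.35.40[93.104.35.40]
parsed TRANSACTION response 835986006 [ HASH CPRP(ADDR DNS) ]
installing new virtual IP 192.168.178.202
generating QUICK_MODE request 2471505598 [ HASH SA No ID ID ]
parsed INFORMATIONAL_V1 request 1883469062 [ HASH N(INVAL_ID) ]
received INVALID_ID_INFORMATION error notify
"""

# Hypothetical hint table: what an error notify means for the exchange it answers.
HINTS = {
    ("QUICK_MODE", "INVALID_ID_INFORMATION"):
        "responder rejected the Quick Mode ID payloads (traffic selectors): "
        "compare leftsubnet/rightsubnet with the peer's configuration",
}

def triage(log):
    """Summarise how far an IKEv1 negotiation got and where it was rejected."""
    result = {"xauth_ok": False, "ike_sa_up": False, "virtual_ip": None,
              "failed_exchange": None, "notify": None, "hint": None}
    last_request = None  # exchange type of the most recent request we sent
    for line in log.splitlines():
        line = line.strip()
        if m := re.match(r"generating (\w+) request \d+", line):
            last_request = m.group(1)
        elif re.match(r"XAuth authentication of .* successful", line):
            result["xauth_ok"] = True
        elif re.match(r"IKE_SA \S+ established between", line):
            result["ike_sa_up"] = True
        elif m := re.match(r"installing new virtual IP (\S+)", line):
            result["virtual_ip"] = m.group(1)
        elif m := re.match(r"received (\w+) error notify", line):
            result["failed_exchange"] = last_request
            result["notify"] = m.group(1)
            result["hint"] = HINTS.get((last_request, m.group(1)),
                                       "check the responder's log")
            break
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample it shows that phase 1, XAuth and ModeConfig all completed and that the rejection answers the Quick Mode request, which is the stage where the subnets are negotiated.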