I need to set up a site-to-site VPN, but I have not succeeded using the strongSwan VPN client. Researching online and reading the manuals has not helped; I would appreciate any help. UFW was turned off only to confirm that it is not the firewall.
- Left IP: lll.lll.lll.lll
- Right IP: rrr.rrr.rrr.rrr
- Pre-shared key (PSK): pskpskpskpskpskpskpsk
/etc/ipsec.secrets
lll.lll.lll.lll : PSK "pskpskpskpskpskpsk"
rrr.rrr.rrr.rrr : PSK "pskpskpskpskpskpsk"
/etc/ipsec.conf
conn ikev2-vpn
    right=lll.lll.lll.lll
    rightid=rrr.rrr.rrr.rrr
    rightsubnet=0.0.0.0/0
    rightauth=secret
    leftid=lll.lll.lll.lll
    leftsubnet=0.0.0.0/0
    auto=start
tail -f /var/log/syslog
Jun 19 16:53:59 server-2 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-73-generic, x86_64)
Jun 19 16:53:59 server-2 charon: 00[LIB] providers loaded by OpenSSL: legacy default
Jun 19 16:53:59 server-2 charon: 00[NET] using forecast interface eth0
Jun 19 16:53:59 server-2 charon: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Jun 19 16:53:59 server-2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 19 16:53:59 server-2 charon: 00[CFG] loaded IKE secret for lll.lll.lll.lll
Jun 19 16:53:59 server-2 charon: 00[CFG] loaded IKE secret for rrr.rrr.rrr.rrr
Jun 19 16:53:59 server-2 charon: 00[CFG] loaded 0 RADIUS server configurations
Jun 19 16:53:59 server-2 charon: 00[CFG] HA config misses local/remote address
Jun 19 16:53:59 server-2 charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Jun 19 16:53:59 server-2 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 19 16:53:59 server-2 charon: 00[JOB] spawning 16 worker threads
Jun 19 16:53:59 server-2 charon: 05[CFG] received stroke: add connection 'ikev2-vpn'
Jun 19 16:53:59 server-2 charon: 05[CFG] added configuration 'ikev2-vpn'
Jun 19 16:53:59 server-2 charon: 07[CFG] received stroke: initiate 'ikev2-vpn'
Jun 19 16:53:59 server-2 charon: 07[IKE] initiating IKE_SA ikev2-vpn[1] to lll.lll.lll.lll
Jun 19 16:53:59 server-2 charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 19 16:53:59 server-2 charon: 07[NET] sending packet: from rrr.rrr.rrr.rrr[500] to lll.lll.lll.lll[500] (904 bytes)
Jun 19 16:54:03 server-2 charon: 16[IKE] retransmit 1 of request with message ID 0
Jun 19 16:54:03 server-2 charon: 16[NET] sending packet: from rrr.rrr.rrr.rrr[500] to lll.lll.lll.lll[500] (904 bytes)
Jun 19 16:54:10 server-2 charon: 07[IKE] retransmit 2 of request with message ID 0
Here is the information on the server:
crypto ikev2 policy 4
 encryption aes-256
 integrity sha256
 group 2
 lifetime seconds 86400
tunnel-group rrr.rrr.rrr.rrr type ipsec-l2l
tunnel-group rrr.rrr.rrr.rrr general-attributes
tunnel-group rrr.rrr.rrr.rrr ipsec-attributes
 ikev2 remote-authentication pre-shared-key pskpskpskpskpskpsk
 ikev2 local-authentication pre-shared-key pskpskpskpskpskpsk
access-list 166 extended permit ip host lll.lll.lll.lll host rrr.rrr.rrr.rrr
crypto ipsec ikev2 ipsec-proposal AES-256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map gtvpn-rules 166 set peer rrr.rrr.rrr.rrr
crypto map gtvpn-rules 166 match address 166
crypto map gtvpn-rules 166 set pfs group14
crypto map gtvpn-rules 166 set ikev2 ipsec-proposal AES-256
crypto map gtvpn-rules 166 set security-association lifetime seconds 3600
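The following is an added example, not code from the poster or from strongSwan: a small consistency checker that reads an ipsec.conf / ipsec.secrets pair together with a charon syslog excerpt and reports the things a reviewer checks first on a failing IKEv2 site-to-site tunnel. The three input strings are constructed copies of what the post shows (the lll/rrr addresses and the PSK are the post's placeholders); the finding texts, function names and the `findings()` entry point are this example's own. It cross-checks `leftid`/`rightid` against the local and peer addresses that charon actually uses in the log, looks for PSK entries matching each identity, flags 0.0.0.0/0 traffic selectors on both sides, and recognises an IKE_SA_INIT that is retransmitted without any reply (which points at reachability or the peer not listening for this source, rather than at authentication).

```python
"""Consistency checker for a strongSwan site-to-site setup (added example)."""
import re

# Constructed sample input copied from the post; placeholder addresses, not real hosts.
IPSEC_CONF = """conn ikev2-vpn
    right=lll.lll.lll.lll
    rightid=rrr.rrr.rrr.rrr
    rightsubnet=0.0.0.0/0
    rightauth=secret
    leftid=lll.lll.lll.lll
    leftsubnet=0.0.0.0/0
    auto=start
"""

IPSEC_SECRETS = """lll.lll.lll.lll : PSK "pskpskpskpskpskpsk"
rrr.rrr.rrr.rrr : PSK "pskpskpskpskpskpsk"
"""

SYSLOG = """Jun 19 16:53:59 server-2 charon: 07[IKE] initiating IKE_SA ikev2-vpn[1] to lll.lll.lll.lll
Jun 19 16:53:59 server-2 charon: 07[NET] sending packet: from rrr.rrr.rrr.rrr[500] to lll.lll.lll.lll[500] (904 bytes)
Jun 19 16:54:03 server-2 charon: 16[IKE] retransmit 1 of request with message ID 0
Jun 19 16:54:10 server-2 charon: 07[IKE] retransmit 2 of request with message ID 0
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section in ipsec.conf."""
    conns, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = re.match(r'^conn\s+(\S+)', line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if not line[0].isspace():          # 'config setup', 'ca ...': not a conn
            current = None
            continue
        if current is not None and '=' in line:
            key, value = line.strip().split('=', 1)
            current[key.strip()] = value.strip()
    return conns


def parse_secrets(text):
    """Return {selector: psk} for every 'selector : PSK "..."' line in ipsec.secrets."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(\S+)\s*:\s*PSK\s+"([^"]*)"', line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def analyse_log(text):
    """Summarise the IKE_SA_INIT exchange: peer, local source address, retransmits, reply seen."""
    info = {'peer': None, 'local': None, 'retransmits': 0, 'reply_seen': False}
    for line in text.splitlines():
        m = re.search(r'initiating IKE_SA \S+ to (\S+)', line)
        if m:
            info['peer'] = m.group(1)
        m = re.search(r'sending packet: from (\S+)\[\d+\] to', line)
        if m:
            info['local'] = m.group(1)
        if 'retransmit' in line and 'message ID 0' in line:
            info['retransmits'] += 1
        if 'received packet' in line or 'IKE_SA_INIT response' in line:
            info['reply_seen'] = True
    return info


def findings(conf_text=IPSEC_CONF, secrets_text=IPSEC_SECRETS, log_text=SYSLOG):
    """Return a list of finding strings; an empty list means nothing looked inconsistent."""
    out = []
    conf, secrets, log = parse_ipsec_conf(conf_text), parse_secrets(secrets_text), analyse_log(log_text)
    for name, c in conf.items():
        right, rightid, leftid = c.get('right'), c.get('rightid'), c.get('leftid')
        # rightid defaults to right; an explicit, different value must equal the IDr the peer sends
        if right and rightid and right != rightid:
            out.append(f'{name}: rightid {rightid} differs from right {right}')
        # charon's own source address is the left side; the peer it initiates to is the right side
        if leftid and log['local'] and leftid != log['local']:
            out.append(f'{name}: leftid {leftid} is not the local address {log["local"]} seen in the log')
        if rightid and log['peer'] and rightid != log['peer']:
            out.append(f'{name}: rightid {rightid} is not the peer address {log["peer"]} seen in the log')
        if c.get('leftsubnet') == '0.0.0.0/0' and c.get('rightsubnet') == '0.0.0.0/0':
            out.append(f'{name}: both traffic selectors are 0.0.0.0/0 (all traffic on both sides)')
        for side in ('left', 'right'):
            ident = c.get(f'{side}id') or c.get(side)
            if ident and ident not in secrets:
                out.append(f'{name}: no PSK entry in ipsec.secrets for {side} identity {ident}')
    if log['retransmits'] and not log['reply_seen']:
        out.append(f'IKE_SA_INIT to {log["peer"]} retransmitted {log["retransmits"]}x with no reply: '
                   'peer not reachable on UDP/500 or not accepting this source address')
    return out


if __name__ == '__main__':
    for finding in findings():
        print('-', finding)
```

Run as-is it evaluates the post's own snippets; point the three arguments of `findings()` at real files to reuse it. The log check is deliberately the first thing to read: while IKE_SA_INIT is unanswered, identity and PSK settings have not been exercised at all, so they cannot yet be the cause of the failure.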