VPN connection fails

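I recently changed my internet provider, and since then I can no longer connect to the VPN I use for work. I replaced the router with a TP-Link WR840N, but that didn't help. IPSec passthrough is enabled in the router. Before this, everything worked fine.

I am using OS X El Capitan (10.11.6), and the log I get when trying to connect is: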

Aug  8 21:07:59 my-machine nesessionmanager[1553]: IPSec connecting to server <server - secret>
Aug  8 21:07:59 my-machine nesessionmanager[1553]: IPSec Phase1 starting.
Aug  8 21:07:59 my-machine racoon[2139]: accepted connection on vpn control socket.
Aug  8 21:07:59 --- last message repeated 1 time ---
Aug  8 21:07:59 my-machine racoon[2139]: IPSec connecting to server ***.***.***.*
Aug  8 21:07:59 --- last message repeated 1 time ---
Aug  8 21:07:59 my-machine racoon[2139]: Connecting.
Aug  8 21:07:59 my-machine racoon[2139]: IPSec Phase 1 started (Initiated by me).
Aug  8 21:07:59 --- last message repeated 1 time ---
Aug  8 21:07:59 my-machine racoon[2139]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Aug  8 21:07:59 my-machine racoon[2139]: >>>>> phase change status = Phase 1 started by us
Aug  8 21:08:02 --- last message repeated 1 time ---
Aug  8 21:08:02 my-machine racoon[2139]: IKE Packet: transmit success. (Phase 1 Retransmit).
Aug  8 21:08:09 --- last message repeated 2 times ---
Aug  8 21:08:09 my-machine nesessionmanager[1553]: IPSec Controller: retry IPSec aggressive mode with DH Group 2
Aug  8 21:08:09 my-machine nesessionmanager[1553]: IPSec Phase1 starting.
Aug  8 21:08:09 my-machine racoon[2139]: IPSec connecting to server ***.***.***.*
Aug  8 21:08:09 --- last message repeated 1 time ---
Aug  8 21:08:09 my-machine racoon[2139]: Connecting.
Aug  8 21:08:09 my-machine racoon[2139]: IPSec Phase 1 started (Initiated by me).
Aug  8 21:08:09 --- last message repeated 1 time ---
Aug  8 21:08:09 my-machine racoon[2139]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Aug  8 21:08:09 my-machine racoon[2139]: >>>>> phase change status = Phase 1 started by us
Aug  8 21:08:12 --- last message repeated 1 time ---
Aug  8 21:08:12 my-machine racoon[2139]: IKE Packet: transmit success. (Phase 1 Retransmit).
Aug  8 21:08:19 --- last message repeated 2 times ---
Aug  8 21:08:19 my-machine nesessionmanager[1553]: NESMLegacySession[<secret>]: status changed to disconnecting
Aug  8 21:08:19 my-machine nesessionmanager[1553]: IPSec disconnecting from server ***.***.***.*
Aug  8 21:08:19 my-machine racoon[2139]: IPSec disconnecting from server ***.***.***.*
Aug  8 21:08:19 --- last message repeated 3 times ---
Aug  8 21:08:19 my-machine nesessionmanager[1553]: NESMLegacySession[<secret>]: status changed to disconnected, last stop reason None
Aug  8 21:08:19 my-machine racoon[2139]: glob found no matches for path "/var/run/racoon/*.conf"

Does anyone know what is going on or how to debug this?

Thanks!

Answer 1

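It looks like your new provider is blocking UDP port 500 outbound and/or inbound.

I.e. your log shows that you are sending message 1 of IKE AM:

Aug  8 21:07:59 my-machine racoon[2139]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).

But there is no response, so after a while you retransmit the first packet:

Aug  8 21:08:02 my-machine racoon[2139]: IKE Packet: transmit success. (Phase 1 Retransmit).

Since there is still no response, we try a few more times and finally give up.

So why are we not getting a reply?

  • Something on the path is blocking the packet
  • The VPN headend is dropping it
  • The VPN headend responds, but something in the path causes the response to be lost

Given that this used to work and only failed after the ISP change, it is most likely that the ISP is blocking either the outbound or the inbound packets.

I suggest asking the VPN admin at your work whether there is another way to connect, for example using IPsec over TCP or using TLS.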
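
The log reading in the answer above, as an added example that is not part of the original answer: a Python script that groups racoon lines into Phase 1 attempts and flags the case where message 1 was sent but nothing came back. The sample log is constructed in the format of the lines in the question, the server address is a documentation placeholder, and the "receive" wording for an inbound packet is an assumption, since no such line appears on the page.

```python
import re

# Constructed sample in the format of the racoon lines quoted in the question.
SAMPLE_LOG = """\
Aug  8 21:07:59 my-machine racoon[2139]: IPSec Phase 1 started (Initiated by me).
Aug  8 21:07:59 my-machine racoon[2139]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Aug  8 21:08:02 --- last message repeated 1 time ---
Aug  8 21:08:02 my-machine racoon[2139]: IKE Packet: transmit success. (Phase 1 Retransmit).
Aug  8 21:08:09 my-machine racoon[2139]: IPSec Phase 1 started (Initiated by me).
Aug  8 21:08:09 my-machine racoon[2139]: IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
Aug  8 21:08:12 my-machine racoon[2139]: IKE Packet: transmit success. (Phase 1 Retransmit).
Aug  8 21:08:19 my-machine racoon[2139]: IPSec disconnecting from server 192.0.2.10
"""

RACOON_LINE = re.compile(r"racoon\[\d+\]: (?P<msg>.*)$")


def phase1_attempts(log_text):
    """Group racoon lines into Phase 1 attempts and count IKE packets per attempt."""
    attempts = []
    for line in log_text.splitlines():
        match = RACOON_LINE.search(line)
        if not match:
            continue  # other daemons and syslog "repeated" markers are ignored
        msg = match.group("msg")
        if msg.startswith("IPSec Phase 1 started"):
            attempts.append({"sent": 0, "retransmits": 0, "received": 0})
        elif attempts and msg.startswith("IKE Packet: transmit success"):
            key = "retransmits" if "Retransmit" in msg else "sent"
            attempts[-1][key] += 1
        elif attempts and msg.startswith("IKE Packet: receive"):
            # Assumed wording for an inbound packet; not present in the question's log.
            attempts[-1]["received"] += 1
    return attempts


def diagnose(log_text):
    """Separate 'peer never answered' from failures later in the negotiation."""
    attempts = phase1_attempts(log_text)
    if not attempts:
        return "no Phase 1 attempt found"
    if all(a["sent"] and a["received"] == 0 for a in attempts):
        return "no reply to IKE message 1: check UDP 500 along the path"
    return "peer replied: failure is later in the negotiation"


if __name__ == "__main__":
    print(phase1_attempts(SAMPLE_LOG))
    print(diagnose(SAMPLE_LOG))
```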
