我正在尝试将我的 Debian Stretch 盒子连接到运行 Windows 专用机器的网络上。那里有一个节点充当运行 Windows Server 2012R2 的 VPN 服务器。我能够从我的 Windows 和 Mac 机器通过 L2TP VPN 连接到它,所以即使我不喜欢这种设置 - 它似乎正在工作。使用简单的 PSK 无需证书即可轻松配置。但是我花了好几个小时尝试将它连接到 Debian 盒子,但今天失败了 :( 我尝试了在网上找到的所有可能的配置修改...这是我现在尝试的最短的一个,最后总是出现相同的错误(PSK 是正确的):
ipsec.conf:
config setup
conn %default
authby=secret
conn intp
left=%any
leftfirewall=no
right=server_hostname
rightfirewall=yes
type=tunnel
auto=add
ipsec.secrets
include /var/lib/strongswan/ipsec.secrets.inc
: PSK VALID_PSK
ipsec 启动 intp
initiating IKE_SA intp[1] to 194.84.28.242
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 144.76.196.175[500] to 194.84.28.242[500] (1300 bytes)
received packet: from 194.84.28.242[500] to 144.76.196.175[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_3072, it requested MODP_1024
initiating IKE_SA intp[1] to 194.84.28.242
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 144.76.196.175[500] to 194.84.28.242[500] (1044 bytes)
received packet: from 194.84.28.242[500] to 144.76.196.175[500] (360 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V ]
received MS NT5 ISAKMPOAKLEY v9 vendor ID
received MS-Negotiation Discovery Capable vendor ID
remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '144.76.196.175' (myself) with pre-shared key
establishing CHILD_SA intp
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) ]
sending packet: from 144.76.196.175[4500] to 194.84.28.242[4500] (412 bytes)
received packet: from 194.84.28.242[4500] to 144.76.196.175[4500] (68 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'intp' failed
请帮忙 :)