Strongswan ipsec site-to-site configuration


I'm setting up a site-to-site ipsec tunnel with strongswan, but I don't know how the ipsec tunnel is brought up on the remote side (it is definitely not running strongswan).
When I try to connect, I get no response at all:

initiating IKE_SA con[8] to 'remote-ip'
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]  

sending packet: from 'my-ip'[500] to 'remote'[500] (592 bytes)
retransmit 1 of request with message ID 0
sending packet: from 'my-ip'[500] to 'remote'[500] (592 bytes)
retransmit 2 of request with message ID 0
sending packet: from 'my-ip'[500] to 'remote'[500] (592 bytes)
retransmit 3 of request with message ID 0
sending packet: from 'my-ip'[500] to 'remote'[500] (592 bytes)
retransmit 4 of request with message ID 0
sending packet: from 'my-ip'[500] to 'remote'[500] (592 bytes)
retransmit 5 of request with message ID 0
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding

These are all the details I was given:

AC USER VPN
Phase 1
  IP Address            'remote-ip'
  Pre-shared Key
  IKE Version           2
  P1 Proposal
    Encryption              AES256
    Authentication          SHA256
    Diffie-Hellman Groups   15
    Key Life                28800
Phase 2
  P2 Proposal
    Encryption              AES256
    Authentication          SHA256
    Diffie-Hellman Groups   15
    Key Life                3600

My ipsec.conf:

config setup
conn %default
        ikelifetime=28800s
        keylife=3600s
        lifetime=3600s
        rekey=yes
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no
conn con
        left='my-ip'
        leftsubnet=%dynamic
        leftid=User
        leftfirewall=yes
        esp=aes256-sha256-modp3072!
        ike=aes256-sha256-modp3072!
        right='remote-ip'
        rightsubnet=%dynamic
        rightid=remote
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=add

My ipsec.secrets:

User remote : PSK this_is_my_psk

When I run ipsec statusall:

Status of IKE charon daemon (strongSwan 5.8.0, Linux 4.15.0-54-generic, x86_64):
  uptime: 37 minutes, since Sep 04 15:19:18 2019
  malloc: sbrk 1466368, mmap 0, used 496880, free 969488
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes md4 des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  `my-ip`
  2a01:4f8:c2c:c164::1
Connections:
      con:  'my-ip'...'remote-ip'  IKEv2, dpddelay=30s
      con:   local:  [User] uses pre-shared key authentication
      con:   remote: [remote] uses pre-shared key authentication
      con:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
  none

UDP on port 500 and protocols 50 and 51 are allowed.
I can't figure out where the error in my configuration is; any help would be much appreciated.

Update:
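Two things are worth separating in a situation like the one above: whether the proposal in ipsec.conf actually matches what the peer's GUI lists (group 15 is modp3072, so here it does), and what the charon log says. The script below is an added example written for this question; it is not code from the question or from strongSwan. The proposal tables, the ipsec.conf excerpt and the log lines are constructed from the values quoted above, and every function name is an assumption of mine. It maps the numeric Diffie-Hellman group from a vendor-style proposal table to strongSwan's keyword (the general IANA table, not just group 15), compares the result with the conn's ike=/esp= lines, and reads the retransmit sequence from the log.

```python
"""Check a strongSwan conn against the proposal a peer's GUI lists, and read
charon's IKE_SA_INIT retransmit output.

Added example for this question; it is not code from the question or from
strongSwan. The proposal tables, the ipsec.conf excerpt and the log lines are
constructed from the values quoted above, and every function name is my own."""
import re

# IANA IKEv2 Diffie-Hellman group number -> strongSwan proposal keyword.
# Vendor GUIs list the number ("Diffie-Hellman Groups 15"); ipsec.conf wants the name.
DH_GROUPS = {
    1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
    15: "modp3072", 16: "modp4096", 17: "modp6144", 18: "modp8192",
    19: "ecp256", 20: "ecp384", 21: "ecp521", 31: "curve25519",
}
ENC = {"AES128": "aes128", "AES192": "aes192", "AES256": "aes256", "3DES": "3des"}
AUTH = {"SHA1": "sha1", "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}

# Constructed inputs, copied from the question's "P1 Proposal" / "P2 Proposal" tables.
P1 = """      P1 Proposal
Encryption               AES256
Authentication           SHA256
Diffie-Hellman Groups    15
Key Life                 28800
"""
P2 = P1.replace("P1", "P2").replace("28800", "3600")

# Constructed excerpt of the question's ipsec.conf (only the lines this check needs).
CONF = """config setup
conn %default
        keyexchange=ikev2
conn con
        left='my-ip'
        esp=aes256-sha256-modp3072!
        ike=aes256-sha256-modp3072!
        right='remote-ip'
"""

# Constructed excerpt of the charon log quoted in the question.
LOG = """initiating IKE_SA con[8] to 'remote-ip'
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 'my-ip'[500] to 'remote'[500] (592 bytes)
retransmit 1 of request with message ID 0
retransmit 2 of request with message ID 0
retransmit 3 of request with message ID 0
retransmit 4 of request with message ID 0
retransmit 5 of request with message ID 0
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
"""

def peer_proposal(table: str) -> str:
    """Turn a GUI proposal block into a strongSwan proposal string (enc-auth-dh)."""
    fields = {}
    for line in table.splitlines():
        m = re.match(r"\s*(Encryption|Authentication|Diffie-Hellman Groups)\s+(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return "-".join([
        ENC[fields["Encryption"].upper()],
        AUTH[fields["Authentication"].upper()],
        DH_GROUPS[int(fields["Diffie-Hellman Groups"])],
    ])

def conn_settings(conf: str, name: str) -> dict:
    """key/value pairs of one 'conn <name>' block; other conn blocks are ignored."""
    settings, inside = {}, False
    for line in conf.splitlines():
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            inside = m.group(1) == name
            continue
        if inside and "=" in line:
            key, _, value = line.strip().partition("=")
            settings[key.strip()] = value.strip()
    return settings

def local_proposals(settings: dict) -> dict:
    """ike=/esp= proposal lists with strongSwan's strict-mode '!' suffix dropped."""
    return {k: settings.get(k, "").rstrip("!").split(",") for k in ("ike", "esp")}

def mismatches(conf: str, name: str, p1_table: str, p2_table: str) -> list:
    """Proposals the peer expects that the conn does not offer (empty list = consistent)."""
    local = local_proposals(conn_settings(conf, name))
    wanted = {"ike": peer_proposal(p1_table), "esp": peer_proposal(p2_table)}
    return [f"{k}= offers {local[k]} but peer expects {want}"
            for k, want in wanted.items() if want not in local[k]]

def retransmit_count(log: str) -> int:
    """Highest 'retransmit N of request' number charon logged."""
    return max((int(n) for n in re.findall(r"retransmit (\d+) of request", log)), default=0)

def ike_init_answered(log: str) -> bool:
    """True only if charon parsed an IKE_SA_INIT response. A peer that rejects the
    proposal still answers (with a NO_PROPOSAL_CHOSEN notify), so no answer at all
    means the request or the reply was dropped on the path, not that the crypto differs."""
    return "parsed IKE_SA_INIT response" in log

if __name__ == "__main__":
    print("proposal mismatches:", mismatches(CONF, "con", P1, P2))
    print("IKE_SA_INIT answered:", ike_init_answered(LOG),
          "after", retransmit_count(LOG), "retransmits")
```

With the question's values the mismatch list is empty and the log shows five unanswered retransmits, which is why the proposal is not the first place to look: an IKEv2 responder that dislikes the proposal still replies, so a completely silent peer points at the packet not arriving or the reply not coming back (firewalling on either side, or, when either end is behind NAT, UDP 4500 not being allowed alongside 500).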