I have this strongswan configuration for IKEv2 with a PSK and USER_FQDN identities
connections {
    IKEv2PSK {
        remote_addrs = 81.81.81.81
        vips = 0.0.0.0
        version = 2
        dpd_delay = 30
        dpd_timeout = 90
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            id = @@[email protected]
        }
        remote {
            auth = psk
            id = @@[email protected]
        }
        children {
            work {
                remote_ts = 192.168.0.0/24
                inactivity = 3600s
                updown = /usr/lib/ipsec _updown iptables
                esp_proposals = aes256-sha256-modp2048
            }
        }
    }
}
and would like to do the same thing with libreswan. However, I am stuck: the VPN endpoint is not happy with my secret. This is my ipsec.conf
conn work
    ikev2=insist
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftid=@[email protected]
    leftmodecfgclient=yes
    right=81.81.81.81
    rightid=@[email protected]
    rightsubnet=192.168.0.0/24
    authby=secret
    mobike=yes
    narrowing=yes
    auto=add
    dpddelay=30
    dpdtimeout=90
    dpdaction=restart
ipsec.secrets
%any : PSK "thepsk" <-- tried base64 encoding as well here
Output
$ sudo ipsec auto --up work
181 "work"[1] 81.81.81.81 #1: initiating IKEv2 IKE SA
181 "work"[1] 81.81.81.81 #1: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "work"[1] 81.81.81.81 #1: Received unauthenticated INVALID_KE_PAYLOAD response to DH DH19; resending with suggested DH MODP2048
181 "work"[1] 81.81.81.81 #1: STATE_PARENT_I1: sent v2I1, expected v2R1
182 "work"[1] 81.81.81.81 #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
002 "work"[1] 81.81.81.81 #2: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "work"[1] 81.81.81.81 #2: scheduling retry attempt 1 of an unlimited number, but releasing whac
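The following is a libreswan rendering of the strongSwan connection above, added here as a worked example; it is not code from the original post. One detail worth checking when translating between the two: in swanctl.conf a `@@` prefix marks a USER_FQDN (RFC 822 e-mail style) identity, while in libreswan a leading `@` marks a literal FQDN identity and a USER_FQDN is written with no prefix at all, so an `@`-prefixed e-mail address in ipsec.conf is sent to the peer as an FQDN rather than as the USER_FQDN the strongSwan side is configured to match. The hostnames under `example.org`, the identities and the PSK value in this example are placeholders, not values from the post; the `ike=`/`esp=` lines pin the single proposal the log shows the peer accepting (the post's output shows libreswan's default DH19 offer being bounced with INVALID_KE_PAYLOAD and retried as MODP2048), which saves that extra round trip.

```ini
# /etc/ipsec.conf (added example; IDs, hostnames and the PSK are placeholders)
conn work
    ikev2=insist
    # swanctl "id = @@user@example.org" is a USER_FQDN identity. In libreswan a
    # leading "@" would make it a literal FQDN, so a USER_FQDN takes no prefix.
    leftid=user@example.org
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    # request a virtual IP from the gateway, the equivalent of "vips = 0.0.0.0"
    leftmodecfgclient=yes
    right=81.81.81.81
    # swanctl "remote { id = @@gateway@example.org }", again without a prefix
    rightid=gateway@example.org
    rightsubnet=192.168.0.0/24
    authby=secret
    # proposals = aes256-sha256-modp2048 on the strongSwan side; libreswan spells
    # the integrity algorithm sha2_256 and separates the DH group with ";"
    ike=aes256-sha2_256;modp2048
    # esp_proposals = aes256-sha256-modp2048: PFS with the IKE group on rekey
    esp=aes256-sha2_256
    pfs=yes
    narrowing=yes
    mobike=yes
    dpddelay=30
    dpdtimeout=90
    dpdaction=restart
    auto=add

# /etc/ipsec.secrets (added example)
# For IKEv2 PSK libreswan looks the secret up by the local and remote IDs, which
# use the same syntax as ipsec.conf (USER_FQDN without a prefix). A quoted string
# is used literally; a base64-encoded secret takes a "0s" prefix and a hex one "0x".
user@example.org gateway@example.org : PSK "thepsk"
```

After editing the secrets file, reload it with `ipsec secrets` (or `ipsec whack --rereadsecrets`) before running `ipsec auto --add work` and `ipsec auto --up work` again. If the peer still answers AUTHENTICATION_FAILED, confirm on the strongSwan side which identity type charon actually received: its `looking for peer configs matching ...` log line shows the IDi/IDr it tried to match, and an FQDN there where a `@@` USER_FQDN is configured means the ID syntax, not the PSK value, is what failed.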