I am trying to connect a Linux (Debian 10.10) client to a Fortigate server over VPN.
Apparently this has not been explored very well yet.
There is this document: https://kb.fortinet.com/kb/documentLink.do?externalID=11835 ... my work has been based on it, but I still get:
STATE_PARENT_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKEv2 message
or, more specifically:
002 "officelan": deleting non-instance connection
002 "officelan" #10: deleting state (STATE_PARENT_I1) and NOT sending notification
002 added connection description "officelan"
002 "officelan" #11: initiating v2 parent SA
133 "officelan" #11: initiate
002 "officelan" #11: constructed local IKE proposals for officelan (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;INTEG=NONE;DH=MODP2048
133 "officelan" #11: STATE_PARENT_I1: sent v2I1, expected v2R1
010 "officelan" #11: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response
010 "officelan" #11: STATE_PARENT_I1: retransmission; will wait 1 seconds for response
010 "officelan" #11: STATE_PARENT_I1: retransmission; will wait 2 seconds for response
010 "officelan" #11: STATE_PARENT_I1: retransmission; will wait 4 seconds for response
010 "officelan" #11: STATE_PARENT_I1: retransmission; will wait 8 seconds for response
010 "officelan" #11: STATE_PARENT_I1: retransmission; will wait 16 seconds for response
010 "officelan" #11: STATE_PARENT_I1: retransmission; will wait 32 seconds for response
031 "officelan" #11: STATE_PARENT_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKEv2 message
000 "officelan" #11: starting keying attempt 2 of an unlimited number, but releasing whack
I am using these commands to get the above:
systemctl start ipsec.service
/usr/sbin/ipsec auto --add officelan
/usr/sbin/ipsec auto --up officelan
My /etc/ipsec.d/officelan.conf looks like:
conn officelan
    rekey=yes
    rightid=officelan
    left=192.168.1.101
    leftsubnet=192.168.1.0/24
    right=<redacted-ip-address>
    rightsubnet=172.40.0.0/24
    ikelifetime=28800s
    authby=secret
    type=tunnel
    auto=start
    ike=aes_gcm256-sha2
    esp=aes_gcm256-null
    ikev2=insist
    fragmentation=yes
    # perfect forward secrecy (default yes)
    #pfs=no
    # optionally enable compression
    compress=yes
My /etc/ipsec.d/officelan.secrets looks like:
host.example.com %any : PSK "bigrandomsecret"
I really don't know whether this is relevant, but ike-scan doesn't like the server:
$ ike-scan ip-of-server.example.com
below cmd output started 2021 Wed Jul 07 03:50:45 PM PDT
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9.4: 1 hosts scanned in 2.443 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify
Here is an nmap of the server (1.1.1.1 is not the real IP address):
$ nmap -P0 -sU -p 500 1.1.1.1
Starting Nmap 7.70 ( https://nmap.org ) at 2021-07-08 07:25 PDT
Nmap scan report for 1.1.1.1
Host is up.
PORT STATE SERVICE
500/udp open|filtered isakmp
Nmap done: 1 IP address (1 host up) scanned in 4.16 seconds
The output of ip route show is:
default via 192.168.1.254 dev eno1 proto dhcp metric 100
169.254.0.0/16 dev eno1 scope link metric 1000
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.101 metric 100
I have been googling for hours but still hit the timeout.
I have 3 related questions:
- How do I set up a working VPN from Debian 10.10 with LibreSwan 3.27-6+deb10u1 to a Fortigate (unknown version; I do not control the server)?
- Why doesn't LibreSwan ask me for the password and 2FA data? When I tried vpnc it asked for them every time I tried to initiate the connection.
- Only if it sounds relevant: why doesn't ike-scan like the Fortigate server?
Thanks!
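The pluto output in the question stops at STATE_PARENT_I1, i.e. the initiator never gets a usable reply to its very first IKEv2 message (IKE_SA_INIT). The following triage script is an added example, not code from the post or from the libreswan project: it parses that kind of `ipsec auto --up` log, extracts the proposal that was sent, reconstructs the retransmission schedule (pluto starts at 0.5 s and doubles until retransmit-timeout, 60 s by default), and reports which IKEv2 exchange the negotiation is stuck on. The sample log is constructed from the lines shown above; the state-to-exchange mapping, the regexes and the verdict wording are this script's own.

```python
"""Triage helper for libreswan (pluto) IKEv2 initiator logs.

Added example (not part of the original post). Feed it the output of
`ipsec auto --up <conn>`; it tells you at which IKEv2 exchange the
negotiation stalled and whether the retransmit schedule ran to timeout.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the relevant lines copied from the post's pluto output.
SAMPLE_LOG = """\
002 "officelan" #11: initiating v2 parent SA
133 "officelan" #11: initiate
002 "officelan" #11: constructed local IKE proposals for officelan (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_256;INTEG=NONE;DH=MODP2048
133 "officelan" #11: STATE_PARENT_I1: sent v2I1, expected v2R1
010 "officelan" #11: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response
010 "officelan" #11: STATE_PARENT_I1: retransmission; will wait 1 seconds for response
010 "officelan" #11: STATE_PARENT_I1: retransmission; will wait 2 seconds for response
010 "officelan" #11: STATE_PARENT_I1: retransmission; will wait 4 seconds for response
010 "officelan" #11: STATE_PARENT_I1: retransmission; will wait 8 seconds for response
010 "officelan" #11: STATE_PARENT_I1: retransmission; will wait 16 seconds for response
010 "officelan" #11: STATE_PARENT_I1: retransmission; will wait 32 seconds for response
031 "officelan" #11: STATE_PARENT_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKEv2 message
"""

PROPOSAL_RE = re.compile(r"constructed local IKE proposals .*?: \d+:IKE:(\S+)")
SENT_RE = re.compile(r"(STATE_\w+): sent (\S+), expected (\S+)")
RETRANS_RE = re.compile(r"retransmission; will wait ([\d.]+) seconds")
TIMEOUT_RE = re.compile(r"(\d+) second timeout exceeded after (\d+) retransmits")

# Which IKEv2 exchange each libreswan 3.x initiator state is waiting on
# (assumption of this script, matching the "sent v2I1, expected v2R1" wording).
EXCHANGE_FOR_STATE = {
    "STATE_PARENT_I1": "IKE_SA_INIT",  # first message; nothing is authenticated yet
    "STATE_PARENT_I2": "IKE_AUTH",     # PSK / certificate / EAP are checked here
}


@dataclass
class Triage:
    proposal: Dict[str, str] = field(default_factory=dict)
    state: Optional[str] = None
    waits: List[float] = field(default_factory=list)
    timeout_seconds: Optional[int] = None
    retransmits: Optional[int] = None


def parse_pluto_log(text: str) -> Triage:
    """Extract proposal, last initiator state, retransmit waits and timeout."""
    t = Triage()
    for line in text.splitlines():
        if m := PROPOSAL_RE.search(line):
            t.proposal = dict(kv.split("=", 1) for kv in m.group(1).split(";"))
        elif m := SENT_RE.search(line):
            t.state = m.group(1)
        elif m := RETRANS_RE.search(line):
            t.waits.append(float(m.group(1)))
        elif m := TIMEOUT_RE.search(line):
            t.timeout_seconds = int(m.group(1))
            t.retransmits = int(m.group(2))
    return t


def backoff_is_exponential(waits: List[float]) -> bool:
    """pluto doubles the retransmit interval each round (default start 0.5 s)."""
    return bool(waits) and all(b == 2 * a for a, b in zip(waits, waits[1:]))


def diagnose(t: Triage) -> Dict[str, object]:
    """Turn the parsed log into a verdict a practitioner can act on."""
    total_wait = sum(t.waits)
    exchange = EXCHANGE_FOR_STATE.get(t.state or "", "unknown")
    if exchange == "IKE_SA_INIT":
        verdict = ("No usable IKE_SA_INIT reply. Either UDP/500 (UDP/4500 once NAT is "
                   "detected) is not reaching the peer or its replies are not coming "
                   "back, or the peer silently drops the request (no matching policy "
                   "or proposal; an explicit error would show up as a received Notify "
                   "such as NO_PROPOSAL_CHOSEN). Authentication has not started, so "
                   "the PSK or any second factor cannot be the cause yet.")
    elif exchange == "IKE_AUTH":
        verdict = ("IKE_SA_INIT completed; the stall is in authentication "
                   "(identity, PSK, certificate or EAP).")
    else:
        verdict = "State not recognised by this triage script."
    return {
        "exchange": exchange,
        "retransmits": len(t.waits),
        "total_wait": total_wait,
        "timed_out": t.timeout_seconds is not None and total_wait >= t.timeout_seconds,
        "aead": t.proposal.get("INTEG") == "NONE",  # AES-GCM needs no separate INTEG
        "verdict": verdict,
    }


if __name__ == "__main__":
    triage = parse_pluto_log(SAMPLE_LOG)
    for key, value in diagnose(triage).items():
        print(f"{key}: {value}")
```

Run it against the real log with `ipsec auto --up officelan 2>&1 | python3 triage.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`. For the log in the question it reports exchange IKE_SA_INIT, seven retransmits totalling 63.5 s against a 60 s retransmit-timeout, and an AEAD proposal; since the stall is before IKE_AUTH, no PSK, password or 2FA exchange has been reached yet, which is why nothing prompts for them.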