IPsec strongSwan "HA config misses" / no connection


I am using strongSwan on Raspbian 12, configured via /etc/ipsec.conf, to connect from an external network to pfSense:

config setup

conn %default
        keyexchange=ikev1


conn peer-ipsec.xxx.de-tunnel-1
        left=%any
        leftid="xx.zapto.org"
        right=ipsec.xx.de
        rightid="%any"
        leftsubnet=10.130.117.0/24
        rightsubnet=10.128.0.0/16
        ike=aes128-sha256-modp2048,aes128-sha256-modp2048!
        keyexchange=ikev2
        reauth=no
        ikelifetime=28800s
        esp=aes128-sha256-modp2048,aes128-sha256-modp2048!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever

On pfSense:
Key Exchange version: IKEv2
Internet Protocol: IPv4
Remote gateway: xx.zapto.org
Authentication method: Mutual PSK
My identifier: My IP address
Peer identifier: Fully qualified domain name xx.zapto.org
Encryption algorithm: AES 128-bit, SHA256, DH group 14 (I will improve this later)

Phase 2:
Local network: Network 10.128.0.0/0
NAT: None
Remote network: Network 10.130.117.0/24
Protocol: ESP
Encryption algorithms: AES 128, AES128-GCM 128, SHA256, PFS key group 14

  • ip a -> 192.168.2.117
  • ipsec.xx.de can be pinged.
  • nftables: not defined

Result:

sudo /usr/sbin/ipsec start --nofork --debug --debug-more
Starting strongSwan 5.9.8 IPsec [starter]...
Loading config setup
Loading conn 'peer-ipsec.xx.de-tunnel-1'
  authby=secret
  auto=route
  compress=no
  esp=aes128-sha256-modp2048,aes128-sha256-modp2048!
  ike=aes128-sha256-modp2048,aes128-sha256-modp2048!
  ikelifetime=28800s
  keyexchange=ikev2
  keyingtries=%forever
  keylife=3600s
  left=%any
  leftid=xx.zapto.org
  leftsubnet=10.130.117.0/24
  reauth=no
  rekeymargin=540s
  right=ipsec.xx.de
  rightid=%any
  rightsubnet=10.128.0.0/16
  type=tunnel
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.9.8, Linux 6.1.0-rpi7-rpi-v8, aarch64)
00[LIB] providers loaded by OpenSSL: legacy default
00[NET] using forecast interface eth1
00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for %any %any
00[CFG] loaded 0 RADIUS server configurations
00[CFG] HA config misses local/remote address
00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf gmp agent xcbc hmac kdf gcm drbg attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (14801) started after 140 ms
04[CFG] received stroke: add connection 'peer-ipsec.xx.de-tunnel-1'
04[CFG] added configuration 'peer-ipsec.xx.de-tunnel-1'
05[CFG] received stroke: route 'peer-ipsec.xx.de-tunnel-1'
'peer-ipsec.xx.de-tunnel-1' routed

No connection is established - why?

What does "HA config misses" mean?

The same configuration works on an EdgeRouter ER-X (Ubiquiti), which also uses strongSwan.

I have also tried Libreswan.

Answer 1

auto=start is what works - see the documentation.
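To make the answer concrete, here is the same conn with the one setting changed. This is an added example, not the asker's file or the answer's text; it reuses the placeholder hostnames and subnets from the question, and the dpd* lines are an optional addition of mine, not something the question or answer asked for. The reason the original never connected: auto=route only installs a trap policy in the kernel (that is what the final "'peer-ipsec.xx.de-tunnel-1' routed" line in the log reports), and charon then waits for a packet matching leftsubnet -> rightsubnet before it initiates IKE. Nothing on the Pi sent such a packet, so no IKE_SA was ever negotiated. auto=start initiates the IKE_SA as soon as the conn is loaded. The "HA config misses local/remote address" line is unrelated: it is the ha (high-availability) plugin declining to load because charon.plugins.ha.local/remote are not set in strongswan.conf, which is why "ha" is absent from the "loaded plugins" line; it is harmless on a single gateway.

```ini
# /etc/ipsec.conf - added example, not the asker's original file.
# Hostnames and subnets are the placeholders from the question.
config setup

conn %default
        keyexchange=ikev2

conn peer-ipsec.xx.de-tunnel-1
        left=%any
        leftid="xx.zapto.org"            # must match pfSense "Peer identifier" (FQDN)
        right=ipsec.xx.de
        rightid="%any"                   # pfSense sends its IP address as its ID
        leftsubnet=10.130.117.0/24
        rightsubnet=10.128.0.0/16
        # one proposal each is enough; the trailing "!" makes it strict
        ike=aes128-sha256-modp2048!
        esp=aes128-sha256-modp2048!      # modp2048 here = PFS group 14 on pfSense
        reauth=no
        ikelifetime=28800s
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        keyingtries=%forever
        # auto=route only installs a trap policy ("routed" in the log) and
        # negotiates IKE when matching traffic appears.
        # auto=start initiates the IKE_SA immediately when the conn is loaded.
        auto=start
        # optional (my addition): re-initiate if the peer goes away, useful
        # behind a dynamic-DNS address
        dpdaction=restart
        dpddelay=30s
```

After `ipsec restart`, `ipsec statusall` should list the conn as ESTABLISHED with a child SA INSTALLED; if it stays at CONNECTING, the next thing to check is the IKE/ESP proposal mismatch or PSK errors in the charon log. If you prefer to keep auto=route, the equivalent manual trigger is `ipsec up peer-ipsec.xx.de-tunnel-1`, or simply sending a packet from 10.130.117.0/24 to 10.128.0.0/16 so the trap policy fires.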
