I have a very simple host-to-host connection setup with PSK authentication. I set up the same configuration on two CentOS VMs and two Ubuntu Server VMs; the configuration works perfectly on Ubuntu, while on CentOS I get a "no files found matching '/etc/strongswan/swanctl/conf.d/*.conf'" message when strongSwan starts, followed by a "no connections found, 0 unloaded" message.
Here are the ipsec.conf and ipsec.secrets files of host 1 on CentOS (host 2 only changes the public IP addresses):
ipsec.conf:
config setup
    charondebug="all"
    uniqueids=yes
conn jerry-to-tom
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=192.168.0.197
    right=192.168.0.176
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
ipsec.secrets:
/public ip of host1/ /public ip of host2/ : PSK "mysharedkey"
With these configurations, I run the following commands and get the following results:
$ systemctl restart strongswan
$ systemctl status strongswan
strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2023-07-14 11:15:19 +03; 1min 22s ago
Process: 2141 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
Main PID: 2113 (charon-systemd)
Status: "charon-systemd running, strongSwan 5.9.10, Linux 4.18.0-500.el8.x86_64, x86_64"
Tasks: 17 (limit: 11144)
Memory: 3.9M
CGroup: /system.slice/strongswan.service
└─2113 /usr/sbin/charon-systemd
Jul 14 11:15:19 host charon-systemd[2113]: HA config misses local/remote address
Jul 14 11:15:19 host charon-systemd[2113]: no script for ext-auth script defined, disabled
Jul 14 11:15:19 host charon-systemd[2113]: loaded plugins: charon-systemd pkcs11 aesni aes des rc2 sha2 sha1 >
Jul 14 11:15:19 host charon-systemd[2113]: dropped capabilities, running as uid 0, gid 0
Jul 14 11:15:19 host charon-systemd[2113]: spawning 16 worker threads
Jul 14 11:15:19 host swanctl[2141]: no files found matching '/etc/strongswan/swanctl/conf.d/*.conf'
Jul 14 11:15:19 host swanctl[2141]: no authorities found, 0 unloaded
Jul 14 11:15:19 host swanctl[2141]: no pools found, 0 unloaded
Jul 14 11:15:19 host swanctl[2141]: no connections found, 0 unloaded
Jul 14 11:15:19 host systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
After starting strongswan.service, I try to bring the tunnel connection up:
$ strongswan restart
$ strongswan statusall
Status of IKE charon daemon (strongSwan 5.9.10, Linux 4.18.0-500.el8.x86_64, x86_64):
uptime: 18 seconds, since Jul 14 11:18:36 2023
malloc: sbrk 1867776, mmap 0, used 812016, free 1055760
worker threads: 12 of 16 idle, 4/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon pkcs11 aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf ctr ccm gcm drbg newhope curl sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
192.168.0.197
Connections:
jerry-to-tom: 192.168.0.197...192.168.0.176 IKEv2, dpddelay=30s
jerry-to-tom: local: [192.168.0.197] uses pre-shared key authentication
jerry-to-tom: remote: [192.168.0.176] uses pre-shared key authentication
jerry-to-tom: child: dynamic === dynamic TUNNEL, dpdaction=start
Security Associations (0 up, 1 connecting):
jerry-to-tom[1]: CONNECTING, 192.168.0.197[%any]...192.168.0.176[%any]
jerry-to-tom[1]: IKEv2 SPIs: b2344e1cc1a4f13b_i* 0000000000000000_r
jerry-to-tom[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG IKE_AUTH_LIFETIME IKE_MOBIKE IKE_ESTABLISH CHILD_CREATE
$ strongswan up jerry-to-tom
retransmit 4 of request with message ID 0
sending packet: from 192.168.0.197 to 192.168.0.176[500] (336 bytes)
retransmit 5 of request with message ID 0
sending packet: from 192.168.0.197 to 192.168.0.176[500] (336 bytes)
Since the tunnel does not come up, the packets never reach the peer. Here is the /var/log/messages file for more information:
Jul 14 11:18:36 host charon[2244]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.10, Linux 4.18.0-500.el8.x86_64, x86_64)
Jul 14 11:18:36 host charon[2244]: 00[CFG] PKCS11 module '<name>' lacks library path
Jul 14 11:18:36 host charon[2244]: 00[PTS] TPM 2.0 - could not load "libtss2-tcti-tabrmd.so.0"
Jul 14 11:18:36 host charon[2244]: 00[LIB] plugin 'tpm': failed to load - tpm_plugin_create returned NULL
Jul 14 11:18:36 host charon[2244]: 00[LIB] OpenSSL FIPS mode(0) - disabled
Jul 14 11:18:36 host charon[2244]: 00[LIB] plugin 'kernel-libipsec': failed to load - kernel_libipsec_plugin_create not found and no plugin file available
Jul 14 11:18:36 host charon[2244]: 00[CFG] using '/sbin/resolvconf' to install DNS servers
Jul 14 11:18:36 host charon[2244]: 00[LIB] plugin 'eap-tnc': failed to load - eap_tnc_plugin_create not found and no plugin file available
Jul 14 11:18:36 host charon[2244]: 00[LIB] plugin 'tnc-ifmap': failed to load - tnc_ifmap_plugin_create not found and no plugin file available
Jul 14 11:18:36 host charon[2244]: 00[LIB] plugin 'tnc-pdp': failed to load - tnc_pdp_plugin_create not found and no plugin file available
Jul 14 11:18:36 host charon[2244]: 00[LIB] plugin 'tnc-imc': failed to load - tnc_imc_plugin_create not found and no plugin file available
Jul 14 11:18:36 host charon[2244]: 00[LIB] plugin 'tnc-imv': failed to load - tnc_imv_plugin_create not found and no plugin file available
Jul 14 11:18:36 host charon[2244]: 00[LIB] plugin 'tnc-tnccs': failed to load - tnc_tnccs_plugin_create not found and no plugin file available
Jul 14 11:18:36 host charon[2244]: 00[LIB] plugin 'tnccs-20': failed to load - tnccs_20_plugin_create not found and no plugin file available
Jul 14 11:18:36 host charon[2244]: 00[LIB] plugin 'tnccs-11': failed to load - tnccs_11_plugin_create not found and no plugin file available
Jul 14 11:18:36 host charon[2244]: 00[LIB] plugin 'tnccs-dynamic': failed to load - tnccs_dynamic_plugin_create not found and no plugin file available
Jul 14 11:18:36 host NetworkManager[776]: <info> [1689322716.5835] manager: (xfrmi-test-1885): new Generic device (/org/freedesktop/NetworkManager/Devices/3)
Jul 14 11:18:36 host charon-systemd[2113]: interface xfrmi-test-1885 activated
Jul 14 11:18:36 host charon-systemd[2113]: fe80::705c:3467:8edf:8d87 appeared on xfrmi-test-1885
Jul 14 11:18:36 host charon-systemd[2113]: interface xfrmi-test-1885 deactivated
Jul 14 11:18:36 host charon-systemd[2113]: fe80::705c:3467:8edf:8d87 disappeared from xfrmi-test-1885
Jul 14 11:18:36 host charon-systemd[2113]: interface xfrmi-test-1885 deleted
Jul 14 11:18:36 host systemd-udevd[2245]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jul 14 11:18:36 host systemd-udevd[2245]: link_config: could not get ethtool features for xfrmi-test-1885
Jul 14 11:18:36 host systemd-udevd[2245]: Could not set offload features of xfrmi-test-1885: No such device
Jul 14 11:18:36 host charon[2244]: 00[NET] unable to bind socket: Address already in use
Jul 14 11:18:36 host charon[2244]: 00[NET] could not open IPv6 socket, IPv6 disabled
Jul 14 11:18:36 host charon[2244]: 00[NET] unable to bind socket: Address already in use
Jul 14 11:18:36 host charon[2244]: 00[NET] could not open IPv4 socket, IPv4 disabled
Jul 14 11:18:36 host charon[2244]: 00[NET] could not create any sockets
Jul 14 11:18:36 host charon[2244]: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Jul 14 11:18:36 host charon[2244]: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Jul 14 11:18:36 host charon[2244]: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Jul 14 11:18:36 host charon[2244]: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Jul 14 11:18:36 host charon[2244]: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Jul 14 11:18:36 host charon[2244]: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Jul 14 11:18:36 host charon[2244]: 00[CFG] loaded IKE secret for 192.168.0.197 192.168.0.176
Jul 14 11:18:36 host charon[2244]: 00[CFG] sql plugin: database URI not set
Jul 14 11:18:36 host charon[2244]: 00[CFG] opening triplet file /etc/strongswan/ipsec.d/triplets.dat failed: No such file or directory
Jul 14 11:18:36 host charon[2244]: 00[CFG] loaded 0 RADIUS server configurations
Jul 14 11:18:36 host charon[2244]: 00[CFG] HA config misses local/remote address
Jul 14 11:18:36 host charon[2244]: 00[CFG] no script for ext-auth script defined, disabled
Jul 14 11:18:36 host charon[2244]: 00[LIB] loaded plugins: charon pkcs11 aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf ctr ccm gcm drbg newhope curl sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Jul 14 11:18:36 host charon[2244]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jul 14 11:18:36 host charon[2244]: 00[JOB] spawning 16 worker threads
Jul 14 11:18:36 host charon[2244]: 04[NET] no socket implementation registered, receiving failed
Jul 14 11:18:36 host charon[2244]: 08[CFG] received stroke: add connection 'jerry-to-tom'
Jul 14 11:18:36 host charon[2244]: 08[CFG] added configuration 'jerry-to-tom'
Jul 14 11:18:36 host charon[2244]: 10[CFG] received stroke: initiate 'jerry-to-tom'
Jul 14 11:18:36 host charon[2244]: 10[IKE] initiating IKE_SA jerry-to-tom[1] to 192.168.0.176
Jul 14 11:18:36 host charon[2244]: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 14 11:18:36 host charon[2244]: 10[NET] sending packet: from 192.168.0.197 to 192.168.0.176[500] (336 bytes)
Jul 14 11:18:36 host charon[2244]: 04[NET] no socket implementation registered, sending failed
Jul 14 11:18:40 host charon[2244]: 14[IKE] retransmit 1 of request with message ID 0
Jul 14 11:18:40 host charon[2244]: 14[NET] sending packet: from 192.168.0.197 to 192.168.0.176[500] (336 bytes)
Jul 14 11:18:40 host charon[2244]: 04[NET] no socket implementation registered, sending failed
Jul 14 11:18:47 host charon[2244]: 08[IKE] retransmit 2 of request with message ID 0
Jul 14 11:18:47 host charon[2244]: 08[NET] sending packet: from 192.168.0.197 to 192.168.0.176[500] (336 bytes)
Jul 14 11:18:47 host charon[2244]: 04[NET] no socket implementation registered, sending failed
Jul 14 11:19:00 host charon[2244]: 13[IKE] retransmit 3 of request with message ID 0
Jul 14 11:19:00 host charon[2244]: 13[NET] sending packet: from 192.168.0.197 to 192.168.0.176[500] (336 bytes)
Jul 14 11:19:00 host charon[2244]: 04[NET] no socket implementation registered, sending failed
Jul 14 11:19:24 host charon[2244]: 10[IKE] retransmit 4 of request with message ID 0
Jul 14 11:19:24 host charon[2244]: 10[NET] sending packet: from 192.168.0.197 to 192.168.0.176[500] (336 bytes)
Jul 14 11:19:24 host charon[2244]: 04[NET] no socket implementation registered, sending failed
Jul 14 11:20:06 host charon[2244]: 15[IKE] retransmit 5 of request with message ID 0
Jul 14 11:20:06 host charon[2244]: 15[NET] sending packet: from 192.168.0.197 to 192.168.0.176[500] (336 bytes)
Jul 14 11:20:06 host charon[2244]: 04[NET] no socket implementation registered, sending failed
Jul 14 11:20:27 host charon[2244]: 15[CFG] received stroke: initiate 'jerry-to-tom'
Jul 14 11:21:21 host charon[2244]: 10[IKE] giving up after 5 retransmits
I assume the conf files contain no errors, because I tried exactly the same connection on two Ubuntu servers, was able to get the tunnel up and running, and could observe the connection with tcpdump. I suspect the error is related to the strongSwan installation on CentOS, but I cannot find any documentation, resources or questions about this specific issue. One interesting thing I noticed is that the /etc/swanctl/conf.d directory is also empty in the Ubuntu setup, but I do not get the same error there.
Any help is appreciated!
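An added example, not part of the question above: the systemctl status output shows that the CentOS unit runs charon-systemd and loads configuration with "swanctl --load-all", which reads /etc/strongswan/swanctl/conf.d/*.conf rather than ipsec.conf, hence the "no files found" and "no connections found" messages. The /var/log/messages excerpt also shows that running "strongswan restart" afterwards started a second charon (stroke-based) next to the one already owned by systemd, and that second daemon could not bind UDP 500/4500 ("Address already in use", "no socket implementation registered, sending failed"), which is why the IKE_SA_INIT packets never left the host. The block below expresses the same jerry-to-tom connection and PSK in swanctl.conf syntax so that the systemd-managed daemon can load it; addresses, proposals, lifetimes and the key are the values from the page's ipsec.conf and ipsec.secrets, and the file name jerry-to-tom.conf is my choice.

```conf
# /etc/strongswan/swanctl/conf.d/jerry-to-tom.conf  (added example, not the asker's file)
# Equivalent of the ipsec.conf "conn jerry-to-tom" above in swanctl.conf syntax.
connections {
    jerry-to-tom {
        version = 2                          # keyexchange=ikev2
        local_addrs  = 192.168.0.197         # left=
        remote_addrs = 192.168.0.176         # right=
        # Carried over from the page's ike= line. modp1024 and sha1 are weak by
        # current standards; once the tunnel works, move both peers to something
        # like aes256-sha256-modp2048 (or ecp256).
        proposals = aes256-sha1-modp1024
        rekey_time = 28800s                  # ikelifetime=
        dpd_delay = 30s                      # dpddelay=
        # dpdtimeout= has no IKEv2 equivalent in swanctl.conf (dpd_timeout is
        # IKEv1-only); IKEv2 uses the normal retransmission timeout instead.
        keyingtries = 0                      # keyingtries=%forever (0 = unlimited)
        unique = replace                     # uniqueids=yes
        local {
            auth = psk                       # authby=secret
            id = 192.168.0.197
        }
        remote {
            auth = psk
            id = 192.168.0.176
        }
        children {
            jerry-to-tom {
                mode = tunnel                # type=tunnel
                start_action = start         # auto=start
                esp_proposals = aes256-sha1  # esp=
                rekey_time = 3600s           # lifetime=
                dpd_action = restart         # dpdaction=restart
            }
        }
    }
}

secrets {
    # The PSK from ipsec.secrets, selected by the two peer identities.
    ike-jerry-tom {
        id-1 = 192.168.0.197
        id-2 = 192.168.0.176
        secret = "mysharedkey"
    }
}
```

Because the file carries the pre-shared key, keep it readable by root only (chmod 0600). Load it with "swanctl --load-all" (or "systemctl restart strongswan", whose ExecStartPost does the same), confirm with "swanctl --list-conns", and initiate with "swanctl --initiate --child jerry-to-tom"; host 2 needs the mirror image with local_addrs/remote_addrs and the two ids swapped. Do not run "strongswan restart" or "strongswan up" alongside the systemd unit: as the log shows, the second daemon cannot bind the IKE ports and its packets are silently dropped, while "swanctl --log" on the systemd-managed daemon shows the real negotiation.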