我正在尝试在运行 4.1 的 Android 设备和运行 strongSwan 5.0 的 Fedora 17 Linux 机器之间配置 VPN 隧道。设备报告已连接并strongSwan statusall
返回存在 IKE SA,但不显示隧道。我使用了iOS 说明在 wiki 中生成证书并配置 strongSwan。由于 Android 使用的是 racoon 的修改版本,因此这应该可以工作,并且由于连接已部分建立,我认为我走在正确的轨道上。我没有看到任何关于无法创建隧道的错误。
这是 strongSwan 连接的配置
conn android2
keyexchange=ikev1
authby=xauthrsasig
xauth=server
left=96.244.142.28
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftcert=serverCert.pem
right=%any
rightsubnet=10.0.0.0/24
rightsourceip=10.0.0.2
rightcert=clientCert.pem
ike=aes256-sha1-modp1024
auto=add
这是输出strongswan statusall
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.4-5.fc17.x86_64, x86_64):
uptime: 20 minutes, since Oct 31 10:27:31 2012
malloc: sbrk 270336, mmap 0, used 198144, free 72192
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Virtual IP pools (size/online/offline):
android-hybrid: 1/0/0
android2: 1/1/0
Listening IP addresses:
96.244.142.28
Connections:
android-hybrid: %any...%any IKEv1
android-hybrid: local: [C=CH, O=strongSwan, CN=vpn.strongswan.org] uses public key authentication
android-hybrid: cert: "C=CH, O=strongSwan, CN=vpn.strongswan.org"
android-hybrid: remote: [%any] uses XAuth authentication: any
android-hybrid: child: dynamic === dynamic TUNNEL
android2: 96.244.142.28...%any IKEv1
android2: local: [C=CH, O=strongSwan, CN=vpn.strongswan.org] uses public key authentication
android2: cert: "C=CH, O=strongSwan, CN=vpn.strongswan.org"
android2: remote: [C=CH, O=strongSwan, CN=client] uses public key authentication
android2: cert: "C=CH, O=strongSwan, CN=client"
android2: remote: [%any] uses XAuth authentication: any
android2: child: 0.0.0.0/0 === 10.0.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
android2[3]: ESTABLISHED 10 seconds ago, 96.244.142.28[C=CH, O=strongSwan, CN=vpn.strongswan.org]...208.54.35.241[C=CH, O=strongSwan, CN=client]
android2[3]: Remote XAuth identity: android
android2[3]: IKEv1 SPIs: 4151e371ad46b20d_i 59a56390d74792d2_r*, public key reauthentication in 56 minutes
android2[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
输出 ip -s xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 3819 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use 2012-10-31 13:29:39
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 3812 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use 2012-10-31 13:29:22
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 3803 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use 2012-10-31 13:29:20
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 3796 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use 2012-10-31 13:29:20
因此,即使设备和 strongswan 之间存在 SA,也不会为连接创建 xfrm 策略。ip -s xfrm policy
在 android 设备上执行会产生以下输出:
src 0.0.0.0/0 dst 10.0.0.2/32 uid 0
dir in action allow index 40 priority 2147483648 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:42:08 use -
tmpl src 96.244.142.28 dst 25.239.33.30
proto esp spi 0x00000000(0) reqid 0(0x00000000) mode tunnel
level required share any
enc-mask 00000000 auth-mask 00000000 comp-mask 00000000
src 10.0.0.2/32 dst 0.0.0.0/0 uid 0
dir out action allow index 33 priority 2147483648 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:42:08 use -
tmpl src 25.239.33.30 dst 96.244.142.28
proto esp spi 0x00000000(0) reqid 0(0x00000000) mode tunnel
level required share any
enc-mask 00000000 auth-mask 00000000 comp-mask 00000000
来自 charon 的日志:
00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 3.3.4-5.fc17.x86_64, x86_64)
00[KNL] listening on interfaces:
00[KNL] em1
00[KNL] 96.244.142.28
00[KNL] fe80::224:e8ff:fed2:18b2
00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan CA" from '/etc/strongswan/ipsec.d/cacerts/caCert.pem'
00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/clientKey.pem'
00[CFG] loaded IKE secret for %any
00[CFG] loaded EAP secret for android
00[CFG] loaded EAP secret for android
00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
08[NET] waiting for data on sockets
16[LIB] created thread 16 [15338]
16[JOB] started worker thread 16
11[CFG] received stroke: add connection 'android-hybrid'
11[CFG] conn android-hybrid
11[CFG] left=%any
11[CFG] leftsubnet=(null)
11[CFG] leftsourceip=(null)
11[CFG] leftauth=pubkey
11[CFG] leftauth2=(null)
11[CFG] leftid=(null)
11[CFG] leftid2=(null)
11[CFG] leftrsakey=(null)
11[CFG] leftcert=serverCert.pem
11[CFG] leftcert2=(null)
11[CFG] leftca=(null)
11[CFG] leftca2=(null)
11[CFG] leftgroups=(null)
11[CFG] leftupdown=ipsec _updown iptables
11[CFG] right=%any
11[CFG] rightsubnet=(null)
11[CFG] rightsourceip=96.244.142.3
11[CFG] rightauth=xauth
11[CFG] rightauth2=(null)
11[CFG] rightid=%any
11[CFG] rightid2=(null)
11[CFG] rightrsakey=(null)
11[CFG] rightcert=(null)
11[CFG] rightcert2=(null)
11[CFG] rightca=(null)
11[CFG] rightca2=(null)
11[CFG] rightgroups=(null)
11[CFG] rightupdown=(null)
11[CFG] eap_identity=(null)
11[CFG] aaa_identity=(null)
11[CFG] xauth_identity=(null)
11[CFG] ike=aes256-sha1-modp1024
11[CFG] esp=aes128-sha1-modp2048,3des-sha1-modp1536
11[CFG] dpddelay=30
11[CFG] dpdtimeout=150
11[CFG] dpdaction=0
11[CFG] closeaction=0
11[CFG] mediation=no
11[CFG] mediated_by=(null)
11[CFG] me_peerid=(null)
11[CFG] keyexchange=ikev1
11[KNL] getting interface name for %any
11[KNL] %any is not a local address
11[KNL] getting interface name for %any
11[KNL] %any is not a local address
11[CFG] left nor right host is our side, assuming left=local
11[CFG] loaded certificate "C=CH, O=strongSwan, CN=vpn.strongswan.org" from 'serverCert.pem'
11[CFG] id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=vpn.strongswan.org'
11[CFG] added configuration 'android-hybrid'
11[CFG] adding virtual IP address pool 'android-hybrid': 96.244.142.3/32
13[CFG] received stroke: add connection 'android2'
13[CFG] conn android2
13[CFG] left=96.244.142.28
13[CFG] leftsubnet=0.0.0.0/0
13[CFG] leftsourceip=(null)
13[CFG] leftauth=pubkey
13[CFG] leftauth2=(null)
13[CFG] leftid=(null)
13[CFG] leftid2=(null)
13[CFG] leftrsakey=(null)
13[CFG] leftcert=serverCert.pem
13[CFG] leftcert2=(null)
13[CFG] leftca=(null)
13[CFG] leftca2=(null)
13[CFG] leftgroups=(null)
13[CFG] leftupdown=ipsec _updown iptables
13[CFG] right=%any
13[CFG] rightsubnet=10.0.0.0/24
13[CFG] rightsourceip=10.0.0.2
13[CFG] rightauth=pubkey
13[CFG] rightauth2=xauth
13[CFG] rightid=(null)
13[CFG] rightid2=(null)
13[CFG] rightrsakey=(null)
13[CFG] rightcert=clientCert.pem
13[CFG] rightcert2=(null)
13[CFG] rightca=(null)
13[CFG] rightca2=(null)
13[CFG] rightgroups=(null)
13[CFG] rightupdown=(null)
13[CFG] eap_identity=(null)
13[CFG] aaa_identity=(null)
13[CFG] xauth_identity=(null)
13[CFG] ike=aes256-sha1-modp1024
13[CFG] esp=aes128-sha1-modp2048,3des-sha1-modp1536
13[CFG] dpddelay=30
13[CFG] dpdtimeout=150
13[CFG] dpdaction=0
13[CFG] closeaction=0
13[CFG] mediation=no
13[CFG] mediated_by=(null)
13[CFG] me_peerid=(null)
13[CFG] keyexchange=ikev0
13[KNL] getting interface name for %any
13[KNL] %any is not a local address
13[KNL] getting interface name for 96.244.142.28
13[KNL] 96.244.142.28 is on interface em1
13[CFG] loaded certificate "C=CH, O=strongSwan, CN=vpn.strongswan.org" from 'serverCert.pem'
13[CFG] id '96.244.142.28' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=vpn.strongswan.org'
13[CFG] loaded certificate "C=CH, O=strongSwan, CN=client" from 'clientCert.pem'
13[CFG] id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=client'
13[CFG] added configuration 'android2'
13[CFG] adding virtual IP address pool 'android2': 10.0.0.2/32
08[NET] received packet: from 208.54.35.241[32235] to 96.244.142.28[500]
15[CFG] looking for an ike config for 96.244.142.28...208.54.35.241
15[CFG] candidate: %any...%any, prio 2
15[CFG] candidate: 96.244.142.28...%any, prio 5
15[CFG] found matching ike config: 96.244.142.28...%any with prio 5
01[JOB] next event in 29s 999ms, waiting
15[IKE] received NAT-T (RFC 3947) vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
15[IKE] received XAuth vendor ID
15[IKE] received Cisco Unity vendor ID
15[IKE] received DPD vendor ID
15[IKE] 208.54.35.241 is initiating a Main Mode IKE_SA
15[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
15[CFG] selecting proposal:
15[CFG] proposal matches
15[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
15[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
15[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235]
04[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235]
15[MGR] checkin IKE_SA (unnamed)[1]
15[MGR] check-in of IKE_SA successful.
08[NET] received packet: from 208.54.35.241[32235] to 96.244.142.28[500]
08[NET] waiting for data on sockets
07[MGR] checkout IKE_SA by message
07[MGR] IKE_SA (unnamed)[1] successfully checked out
07[NET] received packet: from 208.54.35.241[32235] to 96.244.142.28[500]
07[LIB] size of DH secret exponent: 1023 bits
07[IKE] remote host is behind NAT
07[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
07[ENC] generating NAT_D_V1 payload finished
07[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235]
07[MGR] checkin IKE_SA (unnamed)[1]
07[MGR] check-in of IKE_SA successful.
04[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235]
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
10[IKE] ignoring certificate request without data
10[IKE] received end entity cert "C=CH, O=strongSwan, CN=client"
10[CFG] looking for XAuthInitRSA peer configs matching 96.244.142.28...208.54.35.241[C=CH, O=strongSwan, CN=client]
10[CFG] candidate "android-hybrid", match: 1/1/2/2 (me/other/ike/version)
10[CFG] candidate "android2", match: 1/20/5/1 (me/other/ike/version)
10[CFG] selected peer config "android2"
10[CFG] certificate "C=CH, O=strongSwan, CN=client" key: 2048 bit RSA
10[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
10[CFG] checking certificate status of "C=CH, O=strongSwan, CN=client"
10[CFG] ocsp check skipped, no ocsp found
10[CFG] certificate status is not available
10[CFG] certificate "C=CH, O=strongSwan, CN=strongSwan CA" key: 2048 bit RSA
10[CFG] reached self-signed root ca with a path length of 0
10[CFG] using trusted certificate "C=CH, O=strongSwan, CN=client"
10[IKE] authentication of 'C=CH, O=strongSwan, CN=client' with RSA successful
10[ENC] added payload of type ID_V1 to message
10[ENC] added payload of type SIGNATURE_V1 to message
10[IKE] authentication of 'C=CH, O=strongSwan, CN=vpn.strongswan.org' (myself) successful
10[IKE] queueing XAUTH task
10[IKE] sending end entity cert "C=CH, O=strongSwan, CN=vpn.strongswan.org"
10[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
10[IKE] activating new tasks
10[IKE] activating XAUTH task
10[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
01[JOB] next event in 3s 999ms, waiting
10[MGR] checkin IKE_SA android2[1]
10[MGR] check-in of IKE_SA successful.
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
08[NET] waiting for data on sockets
12[MGR] checkout IKE_SA by message
12[MGR] IKE_SA android2[1] successfully checked out
12[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
12[MGR] checkin IKE_SA android2[1]
12[MGR] check-in of IKE_SA successful.
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
16[MGR] checkout IKE_SA by message
16[MGR] IKE_SA android2[1] successfully checked out
16[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
08[NET] waiting for data on sockets
16[IKE] XAuth authentication of 'android' successful
16[IKE] reinitiating already active tasks
16[IKE] XAUTH task
16[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
16[MGR] checkin IKE_SA android2[1]
01[JOB] next event in 3s 907ms, waiting
16[MGR] check-in of IKE_SA successful.
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
09[MGR] checkout IKE_SA by message
09[MGR] IKE_SA android2[1] successfully checked out
09[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500] .8rS
09[IKE] IKE_SA android2[1] established between 96.244.142.28[C=CH, O=strongSwan, CN=vpn.strongswan.org]...208.54.35.241[C=CH, O=strongSwan, CN=client]
09[IKE] IKE_SA android2[1] state change: CONNECTING => ESTABLISHED
09[IKE] scheduling reauthentication in 3409s
09[IKE] maximum IKE_SA lifetime 3589s
09[IKE] activating new tasks
09[IKE] nothing to initiate
09[MGR] checkin IKE_SA android2[1]
09[MGR] check-in of IKE_SA successful.
09[MGR] checkout IKE_SA
09[MGR] IKE_SA android2[1] successfully checked out
09[MGR] checkin IKE_SA android2[1]
09[MGR] check-in of IKE_SA successful.
01[JOB] next event in 3s 854ms, waiting
08[NET] waiting for data on sockets
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
14[MGR] checkout IKE_SA by message
14[MGR] IKE_SA android2[1] successfully checked out
14[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
14[IKE] processing INTERNAL_IP4_ADDRESS attribute
14[IKE] processing INTERNAL_IP4_NETMASK attribute
14[IKE] processing INTERNAL_IP4_DNS attribute
14[IKE] processing INTERNAL_IP4_NBNS attribute
14[IKE] processing UNITY_BANNER attribute
14[IKE] processing UNITY_DEF_DOMAIN attribute
14[IKE] processing UNITY_SPLITDNS_NAME attribute
14[IKE] processing UNITY_SPLIT_INCLUDE attribute
14[IKE] processing UNITY_LOCAL_LAN attribute
14[IKE] processing APPLICATION_VERSION attribute
14[IKE] peer requested virtual IP %any
14[CFG] assigning new lease to 'android'
14[IKE] assigning virtual IP 10.0.0.2 to peer 'android'
14[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
14[MGR] checkin IKE_SA android2[1]
14[MGR] check-in of IKE_SA successful.
04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
08[NET] waiting for data on sockets
01[JOB] got event, queuing job for execution
01[JOB] next event in 91ms, waiting
13[MGR] checkout IKE_SA
13[MGR] IKE_SA android2[1] successfully checked out
13[MGR] checkin IKE_SA android2[1]
13[MGR] check-in of IKE_SA successful.
01[JOB] got event, queuing job for execution
01[JOB] next event in 24s 136ms, waiting
15[MGR] checkout IKE_SA
15[MGR] IKE_SA android2[1] successfully checked out
15[MGR] checkin IKE_SA android2[1]
15[MGR] check-in of IKE_SA successful.
Android 设备:
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
09:58:28.990424 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 504) 10.1.12.140.500 > 96.244.142.28.500: isakmp 1.0 msgid : phase 1 I ident: [|sa]
09:58:29.037879 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 164) 96.244.142.28.500 > 10.1.12.140.500: isakmp 1.0 msgid : phase 1 R ident: [|sa]
09:58:29.058692 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 256) 10.1.12.140.500 > 96.244.142.28.500: isakmp 1.0 msgid : phase 1 I ident: [|ke]
09:58:29.111273 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 337) 96.244.142.28.500 > 10.1.12.140.500: isakmp 1.0 msgid : phase 1 R ident: [|ke]
09:58:29.174781 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 1212) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
09:58:29.204199 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 1276) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id]
09:58:29.204352 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 108) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others R #6[E]: [encrypted hash]
09:58:29.207953 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 140) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others I inf[E]: [encrypted hash]
09:58:29.208869 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 140) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others I #6[E]: [encrypted hash]
09:58:29.283637 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 124) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others ? inf[E]: [encrypted hash]
09:58:29.283881 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 108) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others R #6[E]: [encrypted hash]
09:58:29.285498 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 124) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others I #6[E]: [encrypted hash]
09:58:29.286658 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 156) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others I #6[E]: [encrypted hash]
09:58:29.323554 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 108) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others R #6[E]: [encrypted hash]
09:58:48.447272 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 29) 10.1.12.140.4500 > 96.244.142.28.4500: isakmp-nat-keep-alive
Strongswan机器:
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:58:29.005470 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 504)
96.244.142.3.isakmp > 96.244.142.28.isakmp: isakmp 1.0 msgid 00000000: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=8
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0100)(type=auth value=fded)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0100)(type=auth value=fded)(type=hash value=md5)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=fded)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=fded)(type=hash value=md5)(type=group desc value=modp1024))
(t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=fded)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=fded)(type=hash value=md5)(type=group desc value=modp1024))
(t: #7 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=fded)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #8 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=fded)(type=hash value=md5)(type=group desc value=modp1024))))
(vid: len=16)
(vid: len=16)
(vid: len=16)
(vid: len=16)
(vid: len=8)
(vid: len=16)
(vid: len=20)
(vid: len=16)
09:58:29.021590 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 164)
96.244.142.28.isakmp > 96.244.142.3.isakmp: isakmp 1.0 msgid 00000000: phase 1 R ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=fded)(type=lifetype value=sec)(type=lifeduration value=7080))))
(vid: len=8)
(vid: len=16)
(vid: len=16)
09:58:29.065654 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 256)
96.244.142.3.isakmp > 96.244.142.28.isakmp: isakmp 1.0 msgid 00000000: phase 1 I ident:
(ke: key len=128)
(nonce: n len=16)
(pay20)
(pay20)
09:58:29.073252 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 337)
96.244.142.28.isakmp > 96.244.142.3.isakmp: isakmp 1.0 msgid 00000000: phase 1 R ident:
(ke: key len=128)
(nonce: n len=32)
(cr: len=61 type=x509sign)
(pay20)
(pay20)
09:58:29.172970 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 1212)
96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 I ident[E]: [encrypted id]
09:58:29.182596 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 1276)
96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted id]
09:58:29.183033 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 108)
96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid 25eb381b: phase 2/others R #6[E]: [encrypted hash]
09:58:29.250287 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 140)
96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid bbbe7b6d: phase 2/others I inf[E]: [encrypted hash]
09:58:29.250325 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 140)
96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid 25eb381b: phase 2/others I #6[E]: [encrypted hash]
09:58:29.256037 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 124)
96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid beb336b4: phase 2/others ? inf[E]: [encrypted hash]
09:58:29.257801 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 108)
96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid 15d8cae0: phase 2/others R #6[E]: [encrypted hash]
09:58:29.300333 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 124)
96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid 15d8cae0: phase 2/others I #6[E]: [encrypted hash]
09:58:29.300362 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 156)
96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid b96496f8: phase 2/others I #6[E]: [encrypted hash]
09:58:29.307755 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 108)
96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid b96496f8: phase 2/others R #6[E]: [encrypted hash]
09:58:48.449886 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 29)
96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: isakmp-nat-keep-alive
09:59:08.488463 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 29)
答案1
您在输出中看到的 SAstrongswan statusall
是 IKE_SA(或者更确切地说是 ISAKMP SA,因为这是 IKEv1),而不是 IPsec SA。因此,主模式完成后一定存在某种问题。
ModeConfig(虚拟 IP 和其他属性的分配)似乎运行良好,这也反映在 Android 设备上安装的 IPsec 策略中。但缺少的是快速模式请求(即协商 IPsec SA 的时间):
14[IKE] assigning virtual IP 10.0.0.2 to peer 'android'
14[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
这是发送给Android设备的ModeConfig响应,但是charon之后没有收到任何消息。
我现在可以重现此情况。此行为是故意的。当 ModeConfig 完成并建立 ISAKMP SA 时,将记录以下内容logcat
:
I/racoon (11096): ISAKMP-SA established [...]
D/VpnJni ( 310): Route added on tun0: 0.0.0.0/0
I/LegacyVpnRunner( 310): Connected!
此外,在 ModeConfig 期间收到的虚拟 IP(在您的情况下10.0.0.2
)被添加到内核中tun0
,并且安装了 IPsec 策略(这也可以在您发布的输出中看到)。10.0.0.2 <=> 0.0.0.0/0
ip xfrm policies
现在,只有流量与出站策略匹配时,才会建立 IPsec SA。因为0.0.0.0/0
用作远程流量选择器(也用于通过的路由tun0
)任何数据包将符合政策,因此扳机快速模式协商。
就我的情况来说,我一打开浏览器就记录了以下内容:
I/racoon (15504): initiate new phase 2 negotiation: [...]
I/racoon (15504): NAT detected -> UDP encapsulation (ENC_MODE 1->3).
W/racoon (15504): attribute has been modified.
I/racoon (15504): Adjusting my encmode UDP-Tunnel->Tunnel
I/racoon (15504): Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
W/racoon (15504): low key length proposed, mine:256 peer:128.
W/racoon (15504): authtype mismatched: my:hmac-md5 peer:hmac-sha
I/racoon (15504): IPsec-SA established: ESP/Tunnel [...]
这也导致了 strongSwan 网关上的预期输出:
android2{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cd7ceff0_i 0e7ab2fc_o
android2{1}: AES_CBC_128/HMAC_SHA1_96, 60 bytes_i, 0 bytes_o, rekeying in 41 minutes
android2{1}: 0.0.0.0/0 === 10.0.0.2/32