I am trying to connect my iPhone to my LAN over a Cisco IPsec VPN connection. I can connect to the VPN, but I cannot reach any device on the LAN.
Hardware/software:
- strongSwan 5.0.4, running on the router: an Asus RT-AC66U, firmware 3.0.0.4.374.34_2 (Merlin build), asuswrt optware
- iPhone (client)
Network information:
- Router (= server) public IP: 86.xxx, private IP: 192.168.2.1
- iPhone public IP: 46.xxx
Network diagram: https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/IPsec_diagram.png (I have changed the virtual IP range to 10.11.0.0/24)
ipsec.conf:
conn %default
keyexchange=ikev1
authby=xauthrsasig
xauth=server
conn ios
left=%defaultroute
leftsubnet=0.0.0.0/0
leftcert=serverLupoCert.pem
leftfirewall=yes
right=%any
rightsubnet=10.11.0.0/24
rightsourceip=10.11.0.0/24
auto=add
rightcert=clientLupoCert.pem
ip -4 addr:
1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 16436 qdisc noqueue
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
inet 86.x.x.x/24 brd 86.x.x.255 scope global eth0
6: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
inet 192.168.2.1/24 brd 192.168.2.255 scope global br0
7: tun21: <POINTOPOINT,MULTICAST,NOARP,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
inet 10.8.2.1 peer 10.8.2.2/32 scope global tun21
8: tun11: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun11
(tun21 and tun11 belong to an OpenVPN server that also runs on the router; I will remove it once I get IPsec working)
iptables-save:
# Generated by iptables-save v1.3.8 on Fri Nov 15 20:55:26 2013
*nat
:PREROUTING ACCEPT [17927:1127507]
:POSTROUTING ACCEPT [704:67870]
:OUTPUT ACCEPT [703:67443]
:LOCALSRV - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
:YADNS - [0:0]
-A PREROUTING -p tcp -m tcp --dport 1194 -j ACCEPT
-A PREROUTING -d 86.x.x.x -j VSERVER
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -o tun11 -j MASQUERADE
-A POSTROUTING -s ! 86.x.x.x -o eth0 -j MASQUERADE
-A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 1184 -j DNAT --to-destination 192.168.2.100:1194
-A VSERVER -p udp -m udp --dport 1184 -j DNAT --to-destination 192.168.2.100:1194
-A VSERVER -j VUPNP
-A VUPNP -p udp -m udp --dport 49691 -j DNAT --to-destination 192.168.2.11:16402
COMMIT
# Completed on Fri Nov 15 20:55:26 2013
# Generated by iptables-save v1.3.8 on Fri Nov 15 20:55:26 2013
*mangle
:PREROUTING ACCEPT [26923:1984100]
:INPUT ACCEPT [7606:841647]
:FORWARD ACCEPT [18118:1006712]
:OUTPUT ACCEPT [5967:2717306]
:POSTROUTING ACCEPT [8396:2870974]
-A PREROUTING -d 86.x.x.x -i ! eth0 -j MARK --set-mark 0xd001
COMMIT
# Completed on Fri Nov 15 20:55:26 2013
# Generated by iptables-save v1.3.8 on Fri Nov 15 20:55:26 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5912:2703854]
:FUPNP - [0:0]
:PControls - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i tun11 -j ACCEPT
-A INPUT -i tun21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -i tun11 -j ACCEPT
-A FORWARD -i tun21 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o eth0 -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i eth0 -p icmp -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FUPNP -d 192.168.2.11 -p udp -m udp --dport 16402 -j ACCEPT
-A PControls -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Fri Nov 15 20:55:26 2013
strongSwan log (log level 1):
Nov 15 20:38:38 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips)
Nov 15 20:38:38 00[LIB] openssl FIPS mode(0) unavailable
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[CFG] attr-sql plugin: database URI not set
Nov 15 20:38:38 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
Nov 15 20:38:38 00[CFG] disabling load-tester plugin, not configured
Nov 15 20:38:38 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Nov 15 20:38:38 00[CFG] sql plugin: database URI not set
Nov 15 20:38:38 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Nov 15 20:38:38 00[CFG] loaded 0 RADIUS server configurations
Nov 15 20:38:38 00[CFG] HA config misses local/remote address
Nov 15 20:38:38 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Nov 15 20:38:38 00[CFG] coupling file path unspecified
Nov 15 20:38:38 00[LIB] plugin 'coupling': failed to load - coupling_plugin_create returned NULL
Nov 15 20:38:38 00[CFG] loading ca certificates from '/opt/etc/ipsec.d/cacerts'
Nov 15 20:38:38 00[CFG] loaded ca certificate "C=SI, O=Lupo, CN=86.x.x.x" from '/opt/etc/ipsec.d/cacerts/caLupoCert.pem'
Nov 15 20:38:38 00[CFG] loading aa certificates from '/opt/etc/ipsec.d/aacerts'
Nov 15 20:38:38 00[CFG] loading ocsp signer certificates from '/opt/etc/ipsec.d/ocspcerts'
Nov 15 20:38:38 00[CFG] loading attribute certificates from '/opt/etc/ipsec.d/acerts'
Nov 15 20:38:38 00[CFG] loading crls from '/opt/etc/ipsec.d/crls'
Nov 15 20:38:38 00[CFG] loading secrets from '/opt/etc/ipsec.secrets'
Nov 15 20:38:39 00[CFG] loaded RSA private key from '/opt/etc/ipsec.d/private/serverLupoKey.pem'
Nov 15 20:38:39 00[CFG] loaded EAP secret for lupo
Nov 15 20:38:39 00[DMN] loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Nov 15 20:38:39 00[JOB] spawning 16 worker threads
Nov 15 20:38:39 11[CFG] received stroke: add connection 'ios'
Nov 15 20:38:39 11[CFG] left nor right host is our side, assuming left=local
Nov 15 20:38:39 11[CFG] adding virtual IP address pool 10.11.0.0/24
Nov 15 20:38:39 11[CFG] loaded certificate "C=SI, O=Lupo, CN=86.x.x.x" from 'serverLupoCert.pem'
Nov 15 20:38:39 11[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Lupo, CN=86.x.x.x'
Nov 15 20:38:39 11[CFG] loaded certificate "C=SI, O=Lupo, CN=clientLupo" from 'clientLupoCert.pem'
Nov 15 20:38:39 11[CFG] id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Lupo, CN=clientLupo'
Nov 15 20:38:39 11[CFG] added configuration 'ios'
Nov 15 20:38:41 13[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (668 bytes)
Nov 15 20:38:41 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Nov 15 20:38:41 13[IKE] received NAT-T (RFC 3947) vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 15 20:38:41 13[IKE] received XAuth vendor ID
Nov 15 20:38:41 13[IKE] received Cisco Unity vendor ID
Nov 15 20:38:41 13[IKE] received FRAGMENTATION vendor ID
Nov 15 20:38:41 13[IKE] received DPD vendor ID
Nov 15 20:38:41 13[IKE] 46.x.x.x is initiating a Main Mode IKE_SA
Nov 15 20:38:41 13[ENC] generating ID_PROT response 0 [ SA V V V ]
Nov 15 20:38:41 13[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (136 bytes)
Nov 15 20:38:41 14[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (292 bytes)
Nov 15 20:38:41 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Nov 15 20:38:41 14[IKE] sending cert request for "C=SI, O=Lupo, CN=86.x.x.x"
Nov 15 20:38:41 14[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Nov 15 20:38:41 14[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (371 bytes)
Nov 15 20:38:42 12[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (1180 bytes)
Nov 15 20:38:42 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Nov 15 20:38:42 12[IKE] ignoring certificate request without data
Nov 15 20:38:42 12[IKE] received end entity cert "C=SI, O=Lupo, CN=clientLupo"
Nov 15 20:38:42 12[CFG] looking for XAuthInitRSA peer configs matching 86.x.x.x...46.x.x.x[C=SI, O=Lupo, CN=clientLupo]
Nov 15 20:38:42 12[CFG] selected peer config "ios"
Nov 15 20:38:42 12[CFG] using trusted ca certificate "C=SI, O=Lupo, CN=86.x.x.x"
Nov 15 20:38:42 12[CFG] checking certificate status of "C=SI, O=Lupo, CN=clientLupo"
Nov 15 20:38:42 12[CFG] certificate status is not available
Nov 15 20:38:42 12[CFG] reached self-signed root ca with a path length of 0
Nov 15 20:38:42 12[CFG] using trusted certificate "C=SI, O=Lupo, CN=clientLupo"
Nov 15 20:38:42 12[IKE] authentication of 'C=SI, O=Lupo, CN=clientLupo' with RSA successful
Nov 15 20:38:42 12[IKE] authentication of 'C=SI, O=Lupo, CN=86.x.x.x' (myself) successful
Nov 15 20:38:42 12[IKE] sending end entity cert "C=SI, O=Lupo, CN=86.x.x.x"
Nov 15 20:38:42 12[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Nov 15 20:38:42 12[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (1212 bytes)
Nov 15 20:38:42 12[ENC] generating TRANSACTION request 561743567 [ HASH CP ]
Nov 15 20:38:42 12[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (76 bytes)
Nov 15 20:38:42 11[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (92 bytes)
Nov 15 20:38:42 11[ENC] parsed TRANSACTION response 561743567 [ HASH CP ]
Nov 15 20:38:42 11[IKE] XAuth authentication of 'lupo' successful
Nov 15 20:38:42 11[ENC] generating TRANSACTION request 274787051 [ HASH CP ]
Nov 15 20:38:42 11[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (76 bytes)
Nov 15 20:38:42 13[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (76 bytes)
Nov 15 20:38:42 13[ENC] parsed TRANSACTION response 274787051 [ HASH CP ]
Nov 15 20:38:42 13[IKE] IKE_SA ios[1] established between 86.x.x.x[C=SI, O=Lupo, CN=86.x.x.x]...46.x.x.x[C=SI, O=Lupo, CN=clientLupo]
Nov 15 20:38:42 13[IKE] scheduling reauthentication in 10255s
Nov 15 20:38:42 13[IKE] maximum IKE_SA lifetime 10795s
Nov 15 20:38:42 12[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (172 bytes)
Nov 15 20:38:42 12[ENC] unknown attribute type (28683)
Nov 15 20:38:42 12[ENC] parsed TRANSACTION request 3928555748 [ HASH CP ]
Nov 15 20:38:42 12[IKE] peer requested virtual IP %any
Nov 15 20:38:42 12[CFG] assigning new lease to 'lupo'
Nov 15 20:38:42 12[IKE] assigning virtual IP 10.11.0.1 to peer 'lupo'
Nov 15 20:38:42 12[ENC] generating TRANSACTION response 3928555748 [ HASH CP ]
Nov 15 20:38:42 12[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (76 bytes)
Nov 15 20:38:43 11[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (300 bytes)
Nov 15 20:38:43 11[ENC] parsed QUICK_MODE request 1285665545 [ HASH SA No ID ID ]
Nov 15 20:38:43 11[ENC] generating QUICK_MODE response 1285665545 [ HASH SA No ID ID ]
Nov 15 20:38:43 11[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (172 bytes)
Nov 15 20:38:43 12[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (60 bytes)
Nov 15 20:38:43 12[ENC] parsed QUICK_MODE request 1285665545 [ HASH ]
Nov 15 20:38:43 12[IKE] CHILD_SA ios{1} established with SPIs cc71b640_i 052f82c7_o and TS 0.0.0.0/0 === 10.11.0.1/32
Nov 15 20:39:05 13[CFG] received stroke: initiate 'ios'
Nov 15 20:39:05 14[ENC] generating QUICK_MODE request 814387936 [ HASH SA No ID ID ]
Nov 15 20:39:05 14[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (236 bytes)
Nov 15 20:39:06 11[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (172 bytes)
Nov 15 20:39:06 11[ENC] parsed QUICK_MODE response 814387936 [ HASH SA No ID ID ]
Nov 15 20:39:06 11[IKE] CHILD_SA ios{2} established with SPIs c32955c0_i 0a682529_o and TS 0.0.0.0/0 === 0.0.0.0/0
Nov 15 20:39:06 11[ENC] generating QUICK_MODE request 814387936 [ HASH ]
Nov 15 20:39:06 11[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (60 bytes)
Nov 15 20:39:06 16[KNL] creating acquire job for policy 86.x.x.x/32 === 46.x.x.x/32 with reqid {2}
Nov 15 20:39:06 12[CFG] trap not found, unable to acquire reqid 2
Nov 15 20:39:36 16[KNL] creating acquire job for policy 86.x.x.x/32 === 46.x.x.x/32 with reqid {2}
Nov 15 20:39:36 11[CFG] trap not found, unable to acquire reqid 2
Is this a routing problem, or could strongSwan not have been compiled correctly, or is it something else?
ipsec statusall:
Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
uptime: 15 seconds, since Nov 16 11:57:57 2013
malloc: sbrk 180224, mmap 0, used 176472, free 3752
worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Virtual IP pools (size/online/offline):
10.11.0.0/24: 254/0/0
Listening IP addresses:
86.x.x.x
192.168.2.1
10.8.2.1
10.8.0.6
Connections:
ios: %any...%any IKEv1
ios: local: [C=SI, O=HisaLupo, CN=86.x.x.x] uses public key authentication
ios: cert: "C=SI, O=HisaLupo, CN=86.x.x.x"
ios: remote: [C=SI, O=HisaLupo, CN=clientLupo] uses public key authentication
ios: cert: "C=SI, O=HisaLupo, CN=clientLupo"
ios: remote: uses XAuth authentication: any
ios: child: 0.0.0.0/0 === 10.11.0.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
none
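As an added example (not part of the original post), here is a small Python model of the filter-table FORWARD chain from the iptables-save dump above, walked top to bottom the way the kernel does for a packet that has just been decapsulated from the IPsec tunnel and is headed for the LAN bridge. It is a deliberate simplification: there is no conntrack engine (the connection state is a tag on the constructed packet), the `-m policy` match is not modelled, and user-defined chains other than the post's logdrop/logaccept are not followed. Interface names, addresses and the chain policy are taken from the post; the packets and the POOL_ACCEPT rule are constructed for comparison only. With leftfirewall=yes, strongSwan's _updown script inserts its own per-CHILD_SA ACCEPT rules at the top of FORWARD when a tunnel comes up; those are absent from the dump, so they are absent from this model too.

```python
"""Model the FORWARD chain from the post to see how a decrypted road-warrior
packet is treated. Simplified: no conntrack engine, no -m policy match, and
user-defined chains are not followed (added example, not from the original post)."""
import ipaddress
import shlex

# Filter-table FORWARD chain copied from the post's iptables-save output.
FORWARD_RULES = """\
-A FORWARD -i tun11 -j ACCEPT
-A FORWARD -i tun21 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o eth0 -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i eth0 -p icmp -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
"""
FORWARD_POLICY = "DROP"  # ":FORWARD DROP [0:0]" in the dump

# Targets that end evaluation; logdrop/logaccept are the post's LOG-then-verdict chains.
TERMINAL = {"ACCEPT": "ACCEPT", "DROP": "DROP", "logdrop": "DROP", "logaccept": "ACCEPT"}

OPTION_FIELDS = {"-i": "in_if", "-o": "out_if", "-p": "proto", "-s": "src",
                 "-d": "dst", "--state": "state", "--ctstate": "state"}


def parse_rule(line):
    """Return ([(field, value, negated), ...], target) for one '-A FORWARD ...' line."""
    toks = shlex.split(line)
    if toks[:2] != ["-A", "FORWARD"]:
        raise ValueError("not a FORWARD rule: " + line)
    matches, target, i = [], None, 2
    while i < len(toks):
        opt = toks[i]
        if opt == "-m":           # match-module name; its options are parsed below
            i += 2
        elif opt == "-j":
            target = toks[i + 1]
            i += 2
        elif toks[i + 1] == "!":  # iptables 1.3.x negation syntax: "-i ! br0"
            matches.append((OPTION_FIELDS[opt], toks[i + 2], True))
            i += 3
        else:
            matches.append((OPTION_FIELDS[opt], toks[i + 1], False))
            i += 2
    return matches, target


def rule_matches(matches, pkt):
    for field, value, negated in matches:
        if field == "state":
            hit = bool(set(value.split(",")) & pkt["state"])
        elif field in ("src", "dst"):
            hit = ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(value, strict=False)
        else:
            hit = pkt[field] == value
        if hit == negated:        # a plain match that fails, or a negated match that hits
            return False
    return True


def forward_verdict(pkt, rules=FORWARD_RULES, policy=FORWARD_POLICY):
    """Walk the chain top to bottom; return (verdict, matching rule text or 'chain policy')."""
    for line in rules.strip().splitlines():
        matches, target = parse_rule(line)
        if rule_matches(matches, pkt) and target in TERMINAL:
            return TERMINAL[target], line
    return policy, "chain policy"


# Constructed packets modelling the post's topology: after ESP decapsulation the
# iPhone's packet enters the forwarding path from eth0 with its virtual IP as source.
VPN_TO_LAN_TCP = {"in_if": "eth0", "out_if": "br0", "proto": "tcp",
                  "src": "10.11.0.1", "dst": "192.168.2.100", "state": {"NEW"}}
VPN_TO_LAN_ICMP = dict(VPN_TO_LAN_TCP, proto="icmp")
LAN_TO_VPN_TCP = {"in_if": "br0", "out_if": "eth0", "proto": "tcp",
                  "src": "192.168.2.100", "dst": "10.11.0.1", "state": {"NEW"}}

# Hypothetical per-pool ACCEPT rule prepended to the chain, only to compare verdicts.
POOL_ACCEPT = "-A FORWARD -i eth0 -s 10.11.0.0/24 -d 192.168.2.0/24 -j ACCEPT\n"

if __name__ == "__main__":
    for name, pkt in [("VPN->LAN tcp", VPN_TO_LAN_TCP), ("VPN->LAN icmp", VPN_TO_LAN_ICMP),
                      ("LAN->VPN tcp", LAN_TO_VPN_TCP)]:
        print(name, forward_verdict(pkt))
    print("VPN->LAN tcp with pool rule", forward_verdict(VPN_TO_LAN_TCP, POOL_ACCEPT + FORWARD_RULES))
```

Running it shows that, with only the rules in the dump, a new connection from the virtual-IP client towards br0 reaches the end of the chain and falls to the DROP policy, an ICMP echo from the client is dropped by the `-i eth0 -p icmp` rule, while LAN-initiated traffic towards the client is accepted by `-i br0 -j ACCEPT`. This is a way to check a firewall dump against the expected packet paths before touching the live ruleset; whether the kernel also needs the _updown rules or a policy-match-capable netfilter is a separate question the dump alone does not answer.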