Strongswan IPsec with iPhone: cannot access the LAN

I am trying to connect an iPhone to my LAN using a Cisco IPsec VPN connection. I can connect to the VPN, but I cannot reach any device on the LAN.

Hardware/software:

  • Strongswan 5.0.4, running on the router - Asus RT-AC66U, firmware 3.0.0.4.374.34_2 (Merlin version), asuswrt optware
  • iPhone (client)

Network information:

  • Router (= server) public IP: 86.xxx, private IP: 192.168.2.1
  • iPhone public IP: 46.xxx

Network diagram: https://dl.dropboxusercontent.com/u/2261256/forums/ipsec/IPsec_diagram.png (I have since changed the virtual IP range to 10.11.0.0/24)

ipsec.conf:

conn %default
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server

conn ios
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftcert=serverLupoCert.pem
        leftfirewall=yes
        right=%any
        rightsubnet=10.11.0.0/24
        rightsourceip=10.11.0.0/24
        auto=add
        rightcert=clientLupoCert.pem

Output of ip -4:

1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 16436 qdisc noqueue 
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 86.x.x.x/24 brd 86.x.x.255 scope global eth0
6: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue 
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br0
7: tun21: <POINTOPOINT,MULTICAST,NOARP,PROMISC,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
    inet 10.8.2.1 peer 10.8.2.2/32 scope global tun21
8: tun11: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun11

(tun21 and tun11 belong to the OpenVPN server, which also runs on the router - I will remove it once I get IPsec working.)

iptables-save:

# Generated by iptables-save v1.3.8 on Fri Nov 15 20:55:26 2013
*nat
:PREROUTING ACCEPT [17927:1127507]
:POSTROUTING ACCEPT [704:67870]
:OUTPUT ACCEPT [703:67443]
:LOCALSRV - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
:YADNS - [0:0]
-A PREROUTING -p tcp -m tcp --dport 1194 -j ACCEPT 
-A PREROUTING -d 86.x.x.x -j VSERVER 
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -o tun11 -j MASQUERADE 
-A POSTROUTING -s ! 86.x.x.x -o eth0 -j MASQUERADE 
-A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE 
-A VSERVER -p tcp -m tcp --dport 1184 -j DNAT --to-destination 192.168.2.100:1194 
-A VSERVER -p udp -m udp --dport 1184 -j DNAT --to-destination 192.168.2.100:1194 
-A VSERVER -j VUPNP 
-A VUPNP -p udp -m udp --dport 49691 -j DNAT --to-destination 192.168.2.11:16402 
COMMIT
# Completed on Fri Nov 15 20:55:26 2013
# Generated by iptables-save v1.3.8 on Fri Nov 15 20:55:26 2013
*mangle
:PREROUTING ACCEPT [26923:1984100]
:INPUT ACCEPT [7606:841647]
:FORWARD ACCEPT [18118:1006712]
:OUTPUT ACCEPT [5967:2717306]
:POSTROUTING ACCEPT [8396:2870974]
-A PREROUTING -d 86.x.x.x -i ! eth0 -j MARK --set-mark 0xd001 
COMMIT
# Completed on Fri Nov 15 20:55:26 2013
# Generated by iptables-save v1.3.8 on Fri Nov 15 20:55:26 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5912:2703854]
:FUPNP - [0:0]
:PControls - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT 
-A INPUT -p udp -m udp --dport 500 -j ACCEPT 
-A INPUT -i tun11 -j ACCEPT 
-A INPUT -i tun21 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT 
-A INPUT -m state --state INVALID -j logdrop 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -m state --state NEW -j ACCEPT 
-A INPUT -i br0 -m state --state NEW -j ACCEPT 
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8082 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT 
-A INPUT -p gre -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -j logdrop 
-A FORWARD -i tun11 -j ACCEPT 
-A FORWARD -i tun21 -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i ! br0 -o eth0 -j logdrop 
-A FORWARD -m state --state INVALID -j logdrop 
-A FORWARD -i br0 -o br0 -j ACCEPT 
-A FORWARD -i eth0 -p icmp -j DROP 
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT 
-A FORWARD -i br0 -j ACCEPT 
-A FUPNP -d 192.168.2.11 -p udp -m udp --dport 16402 -j ACCEPT 
-A PControls -j ACCEPT 
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options 
-A logaccept -j ACCEPT 
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP" --log-tcp-sequence --log-tcp-options --log-ip-options 
-A logdrop -j DROP 
COMMIT
# Completed on Fri Nov 15 20:55:26 2013

Strongswan log (log level 1):

Nov 15 20:38:38 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips)
Nov 15 20:38:38 00[LIB] openssl FIPS mode(0) unavailable
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
Nov 15 20:38:38 00[CFG] attr-sql plugin: database URI not set
Nov 15 20:38:38 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
Nov 15 20:38:38 00[CFG] disabling load-tester plugin, not configured
Nov 15 20:38:38 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Nov 15 20:38:38 00[CFG] sql plugin: database URI not set
Nov 15 20:38:38 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Nov 15 20:38:38 00[CFG] loaded 0 RADIUS server configurations
Nov 15 20:38:38 00[CFG] HA config misses local/remote address
Nov 15 20:38:38 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Nov 15 20:38:38 00[CFG] coupling file path unspecified
Nov 15 20:38:38 00[LIB] plugin 'coupling': failed to load - coupling_plugin_create returned NULL
Nov 15 20:38:38 00[CFG] loading ca certificates from '/opt/etc/ipsec.d/cacerts'
Nov 15 20:38:38 00[CFG]   loaded ca certificate "C=SI, O=Lupo, CN=86.x.x.x" from '/opt/etc/ipsec.d/cacerts/caLupoCert.pem'
Nov 15 20:38:38 00[CFG] loading aa certificates from '/opt/etc/ipsec.d/aacerts'
Nov 15 20:38:38 00[CFG] loading ocsp signer certificates from '/opt/etc/ipsec.d/ocspcerts'
Nov 15 20:38:38 00[CFG] loading attribute certificates from '/opt/etc/ipsec.d/acerts'
Nov 15 20:38:38 00[CFG] loading crls from '/opt/etc/ipsec.d/crls'
Nov 15 20:38:38 00[CFG] loading secrets from '/opt/etc/ipsec.secrets'
Nov 15 20:38:39 00[CFG]   loaded RSA private key from '/opt/etc/ipsec.d/private/serverLupoKey.pem'
Nov 15 20:38:39 00[CFG]   loaded EAP secret for lupo
Nov 15 20:38:39 00[DMN] loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Nov 15 20:38:39 00[JOB] spawning 16 worker threads
Nov 15 20:38:39 11[CFG] received stroke: add connection 'ios'
Nov 15 20:38:39 11[CFG] left nor right host is our side, assuming left=local
Nov 15 20:38:39 11[CFG] adding virtual IP address pool 10.11.0.0/24
Nov 15 20:38:39 11[CFG]   loaded certificate "C=SI, O=Lupo, CN=86.x.x.x" from 'serverLupoCert.pem'
Nov 15 20:38:39 11[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Lupo, CN=86.x.x.x'
Nov 15 20:38:39 11[CFG]   loaded certificate "C=SI, O=Lupo, CN=clientLupo" from 'clientLupoCert.pem'
Nov 15 20:38:39 11[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=SI, O=Lupo, CN=clientLupo'
Nov 15 20:38:39 11[CFG] added configuration 'ios'
Nov 15 20:38:41 13[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (668 bytes)
Nov 15 20:38:41 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Nov 15 20:38:41 13[IKE] received NAT-T (RFC 3947) vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Nov 15 20:38:41 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 15 20:38:41 13[IKE] received XAuth vendor ID
Nov 15 20:38:41 13[IKE] received Cisco Unity vendor ID
Nov 15 20:38:41 13[IKE] received FRAGMENTATION vendor ID
Nov 15 20:38:41 13[IKE] received DPD vendor ID
Nov 15 20:38:41 13[IKE] 46.x.x.x is initiating a Main Mode IKE_SA
Nov 15 20:38:41 13[ENC] generating ID_PROT response 0 [ SA V V V ]
Nov 15 20:38:41 13[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (136 bytes)
Nov 15 20:38:41 14[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (292 bytes)
Nov 15 20:38:41 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Nov 15 20:38:41 14[IKE] sending cert request for "C=SI, O=Lupo, CN=86.x.x.x"
Nov 15 20:38:41 14[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Nov 15 20:38:41 14[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (371 bytes)
Nov 15 20:38:42 12[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (1180 bytes)
Nov 15 20:38:42 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Nov 15 20:38:42 12[IKE] ignoring certificate request without data
Nov 15 20:38:42 12[IKE] received end entity cert "C=SI, O=Lupo, CN=clientLupo"
Nov 15 20:38:42 12[CFG] looking for XAuthInitRSA peer configs matching 86.x.x.x...46.x.x.x[C=SI, O=Lupo, CN=clientLupo]
Nov 15 20:38:42 12[CFG] selected peer config "ios"
Nov 15 20:38:42 12[CFG]   using trusted ca certificate "C=SI, O=Lupo, CN=86.x.x.x"
Nov 15 20:38:42 12[CFG] checking certificate status of "C=SI, O=Lupo, CN=clientLupo"
Nov 15 20:38:42 12[CFG] certificate status is not available
Nov 15 20:38:42 12[CFG]   reached self-signed root ca with a path length of 0
Nov 15 20:38:42 12[CFG]   using trusted certificate "C=SI, O=Lupo, CN=clientLupo"
Nov 15 20:38:42 12[IKE] authentication of 'C=SI, O=Lupo, CN=clientLupo' with RSA successful
Nov 15 20:38:42 12[IKE] authentication of 'C=SI, O=Lupo, CN=86.x.x.x' (myself) successful
Nov 15 20:38:42 12[IKE] sending end entity cert "C=SI, O=Lupo, CN=86.x.x.x"
Nov 15 20:38:42 12[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Nov 15 20:38:42 12[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (1212 bytes)
Nov 15 20:38:42 12[ENC] generating TRANSACTION request 561743567 [ HASH CP ]
Nov 15 20:38:42 12[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (76 bytes)
Nov 15 20:38:42 11[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (92 bytes)
Nov 15 20:38:42 11[ENC] parsed TRANSACTION response 561743567 [ HASH CP ]
Nov 15 20:38:42 11[IKE] XAuth authentication of 'lupo' successful
Nov 15 20:38:42 11[ENC] generating TRANSACTION request 274787051 [ HASH CP ]
Nov 15 20:38:42 11[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (76 bytes)
Nov 15 20:38:42 13[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (76 bytes)
Nov 15 20:38:42 13[ENC] parsed TRANSACTION response 274787051 [ HASH CP ]
Nov 15 20:38:42 13[IKE] IKE_SA ios[1] established between 86.x.x.x[C=SI, O=Lupo, CN=86.x.x.x]...46.x.x.x[C=SI, O=Lupo, CN=clientLupo]
Nov 15 20:38:42 13[IKE] scheduling reauthentication in 10255s
Nov 15 20:38:42 13[IKE] maximum IKE_SA lifetime 10795s
Nov 15 20:38:42 12[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (172 bytes)
Nov 15 20:38:42 12[ENC] unknown attribute type (28683)
Nov 15 20:38:42 12[ENC] parsed TRANSACTION request 3928555748 [ HASH CP ]
Nov 15 20:38:42 12[IKE] peer requested virtual IP %any
Nov 15 20:38:42 12[CFG] assigning new lease to 'lupo'
Nov 15 20:38:42 12[IKE] assigning virtual IP 10.11.0.1 to peer 'lupo'
Nov 15 20:38:42 12[ENC] generating TRANSACTION response 3928555748 [ HASH CP ]
Nov 15 20:38:42 12[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (76 bytes)
Nov 15 20:38:43 11[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (300 bytes)
Nov 15 20:38:43 11[ENC] parsed QUICK_MODE request 1285665545 [ HASH SA No ID ID ]
Nov 15 20:38:43 11[ENC] generating QUICK_MODE response 1285665545 [ HASH SA No ID ID ]
Nov 15 20:38:43 11[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (172 bytes)
Nov 15 20:38:43 12[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (60 bytes)
Nov 15 20:38:43 12[ENC] parsed QUICK_MODE request 1285665545 [ HASH ]
Nov 15 20:38:43 12[IKE] CHILD_SA ios{1} established with SPIs cc71b640_i 052f82c7_o and TS 0.0.0.0/0 === 10.11.0.1/32 
Nov 15 20:39:05 13[CFG] received stroke: initiate 'ios'
Nov 15 20:39:05 14[ENC] generating QUICK_MODE request 814387936 [ HASH SA No ID ID ]
Nov 15 20:39:05 14[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (236 bytes)
Nov 15 20:39:06 11[NET] received packet: from 46.x.x.x[500] to 86.x.x.x[500] (172 bytes)
Nov 15 20:39:06 11[ENC] parsed QUICK_MODE response 814387936 [ HASH SA No ID ID ]
Nov 15 20:39:06 11[IKE] CHILD_SA ios{2} established with SPIs c32955c0_i 0a682529_o and TS 0.0.0.0/0 === 0.0.0.0/0 
Nov 15 20:39:06 11[ENC] generating QUICK_MODE request 814387936 [ HASH ]
Nov 15 20:39:06 11[NET] sending packet: from 86.x.x.x[500] to 46.x.x.x[500] (60 bytes)
Nov 15 20:39:06 16[KNL] creating acquire job for policy 86.x.x.x/32 === 46.x.x.x/32 with reqid {2}
Nov 15 20:39:06 12[CFG] trap not found, unable to acquire reqid 2
Nov 15 20:39:36 16[KNL] creating acquire job for policy 86.x.x.x/32 === 46.x.x.x/32 with reqid {2}
Nov 15 20:39:36 11[CFG] trap not found, unable to acquire reqid 2

Is this a routing problem, is Strongswan perhaps not compiled correctly, or is it something else?

ipsec statusall:

Status of IKE charon daemon (strongSwan 5.0.4, Linux 2.6.22.19, mips):
  uptime: 15 seconds, since Nov 16 11:57:57 2013
  malloc: sbrk 180224, mmap 0, used 176472, free 3752
  worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default socket-dynamic farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Virtual IP pools (size/online/offline):
  10.11.0.0/24: 254/0/0
Listening IP addresses:
  86.x.x.x
  192.168.2.1
  10.8.2.1
  10.8.0.6
Connections:
         ios:  %any...%any  IKEv1
         ios:   local:  [C=SI, O=HisaLupo, CN=86.x.x.x] uses public key authentication
         ios:    cert:  "C=SI, O=HisaLupo, CN=86.x.x.x"
         ios:   remote: [C=SI, O=HisaLupo, CN=clientLupo] uses public key authentication
         ios:    cert:  "C=SI, O=HisaLupo, CN=clientLupo"
         ios:   remote: uses XAuth authentication: any
         ios:   child:  0.0.0.0/0 === 10.11.0.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
  none
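To see which rule of the quoted FORWARD chain would stop traffic from the iPhone's virtual IP once the router has decrypted it, here is an added example (not code from the question, and a simplified model of iptables matching rather than netfilter itself) that walks constructed sample packets through that chain. It assumes that with the kernel-netlink backend a decrypted packet enters FORWARD on the WAN interface eth0 and matches `-m policy --dir in --pol ipsec`, and that the ACCEPT rules strongSwan's default _updown script inserts for `leftfirewall=yes` have the shape shown as LEFTFIREWALL; the quoted iptables-save contains no such rules.

```python
import ipaddress

def rule(target, **match):
    """One iptables rule: target plus match criteria; a string value starting with '!' negates."""
    return (match, target)

def matches(match, pkt):
    """Simplified netfilter matching over a packet dict (added model, not netfilter itself)."""
    for key, want in match.items():
        neg = isinstance(want, str) and want.startswith("!")
        want = want[1:] if neg else want
        have = pkt.get(key)
        if key in ("src", "dst"):                      # -s / -d with a CIDR value
            hit = ipaddress.ip_address(have) in ipaddress.ip_network(want)
        elif key == "ctstate":                         # -m state --state A,B
            hit = have in want
        else:                                          # -i, -o, -p and policy flags
            hit = have == want
        if hit == neg:
            return False
    return True

def walk(chain, policy, pkt):
    """Return (verdict, 1-based number of the matching rule, or 0 when the chain policy applies)."""
    for num, (match, target) in enumerate(chain, 1):
        if matches(match, pkt):
            return target, num
    return policy, 0

# filter/FORWARD as quoted in the question (policy DROP); 'dnat' stands for --ctstate DNAT
FORWARD = [
    rule("ACCEPT", in_if="tun11"),
    rule("ACCEPT", in_if="tun21"),
    rule("ACCEPT", ctstate={"RELATED", "ESTABLISHED"}),
    rule("logdrop", in_if="!br0", out_if="eth0"),
    rule("logdrop", ctstate={"INVALID"}),
    rule("ACCEPT", in_if="br0", out_if="br0"),
    rule("DROP", in_if="eth0", proto="icmp"),
    rule("ACCEPT", dnat=True),
    rule("ACCEPT", in_if="br0"),
]

# Assumed shape of the rules leftfirewall=yes inserts at the top of FORWARD for lease 10.11.0.1;
# '-m policy --dir in/out --pol ipsec' is modelled by the ipsec_in / ipsec_out flags.
LEFTFIREWALL = [
    rule("ACCEPT", in_if="eth0", src="10.11.0.1/32", ipsec_in=True),
    rule("ACCEPT", out_if="eth0", dst="10.11.0.1/32", ipsec_out=True),
]

def iphone_to_lan(proto):
    """Constructed sample: a decrypted packet from the iPhone's virtual IP to a LAN host."""
    return {"in_if": "eth0", "out_if": "br0", "proto": proto, "src": "10.11.0.1",
            "dst": "192.168.2.100", "ctstate": "NEW", "ipsec_in": True}

def verdict(pkt, with_leftfirewall=False):
    # Verdict in the quoted chain, optionally with the updown rules present at the top
    chain = LEFTFIREWALL + FORWARD if with_leftfirewall else FORWARD
    return walk(chain, "DROP", pkt)

if __name__ == "__main__":
    for proto in ("icmp", "tcp"):
        print(proto, "as dumped:", verdict(iphone_to_lan(proto)),
              "with leftfirewall rules:", verdict(iphone_to_lan(proto), True))
```

As dumped, an ICMP echo from 10.11.0.1 is stopped by rule 7 (`-i eth0 -p icmp -j DROP`) and TCP falls through to the chain's DROP policy, while both pass once the leftfirewall rules sit in front of them. Because the iptables-save was taken with no SA up (statusall shows 0 up), re-dumping the rules while the CHILD_SA is established shows whether the updown script actually added them.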
