I'm having trouble configuring strongSwan 4.5.2 to work with iOS 7 and OS X Mavericks. I've followed these two guides but am still running into problems: http://teebeenator.blogspot.com/2013/06/strongswan-for-raspberry-pi.html and http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
I suspect the problem is related to the old version of strongSwan; unfortunately, my server is a Raspberry Pi, and I don't think there is an easy way to get strongSwan 5.x onto the Pi.
This may be a red herring, but I suspect the following error message in /var/log/auth.log is related to my problem:
message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
I couldn't find any useful information about that error message online (at least nothing in English; I've seen a few mentions in German).
Here are the contents of /etc/strongswan.conf:
# strongswan.conf - strongSwan configuration file

charon {
    # number of worker threads in charon
    threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes

    plugins {
        sql {
            # loglevel to log into sql database
            loglevel = -1
            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
        dhcp {
            identity_lease = yes
        }
    }

    # ...
}

pluto {
    dns1 = 192.168.0.1
}

libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}
Next, the contents of /etc/ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    nat_traversal=yes
    #charonstart=yes
    plutostart=yes

# Add connections here.
conn %default
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.2
    rightcert=clientCert.pem
    pfs=no
    auto=add

conn rw-eap
    dpdaction=clear
    dpddelay=300s
    leftauth=pubkey
    leftcert=serverCert.pem
    rightauth=eap-mschapv2
    rightsendcert=never

include /var/lib/strongswan/ipsec.conf.inc
I've copied the following files as directed by the guide:
cp caCert.pem /etc/ipsec.d/cacerts/
cp serverCert.pem /etc/ipsec.d/certs/
cp serverKey.pem /etc/ipsec.d/private/
cp clientCert.pem /etc/ipsec.d/certs/
cp clientKey.pem /etc/ipsec.d/private/
Before generating these certificates, I also edited /usr/lib/ssl/openssl.cnf to include the appropriate subjectAltName.
Any help would be greatly appreciated, even if it's just a suggestion on how to get a newer version of strongSwan onto my Pi! Thanks!
Here is some more complete auth.log output, with the dates removed.
Starting the server:
sudo: pi : TTY=pts/1 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/sbin/ipsec start
sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
ipsec_starter[22013]: Starting strongSwan 4.5.2 IPsec [starter]...
sudo: pam_unix(sudo:session): session closed for user root
pluto[22027]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
ipsec_starter[22026]: pluto (22027) started after 20 ms
pluto[22027]: listening on interfaces:
pluto[22027]: eth0
pluto[22027]: 192.168.1.9
pluto[22027]: received netlink error: Address family not supported by protocol (97)
pluto[22027]: unable to create IPv6 routing table rule
pluto[22027]: loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink
pluto[22027]: including NAT-Traversal patch (Version 0.6c)
pluto[22027]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
ipsec_starter[22026]: charon (22028) started after 740 ms
pluto[22027]: loading ca certificates from '/etc/ipsec.d/cacerts'
pluto[22027]: loaded ca certificate from '/etc/ipsec.d/cacerts/caCert.pem'
pluto[22027]: loading aa certificates from '/etc/ipsec.d/aacerts'
pluto[22027]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
pluto[22027]: Changing to directory '/etc/ipsec.d/crls'
pluto[22027]: loading attribute certificates from '/etc/ipsec.d/acerts'
pluto[22027]: spawning 4 worker threads
pluto[22027]: listening for IKE messages
pluto[22027]: adding interface eth0/eth0 192.168.1.9:500
pluto[22027]: adding interface eth0/eth0 192.168.1.9:4500
pluto[22027]: adding interface lo/lo 127.0.0.1:500
pluto[22027]: adding interface lo/lo 127.0.0.1:4500
pluto[22027]: loading secrets from "/etc/ipsec.secrets"
pluto[22027]: no secrets filename matched "/var/lib/strongswan/ipsec.secrets.inc"
pluto[22027]: loaded private key from 'serverKey.pem'
pluto[22027]: loaded XAUTH secret for peter.story
pluto[22027]: loaded host certificate from '/etc/ipsec.d/certs/serverCert.pem'
pluto[22027]: id '%any' not confirmed by certificate, defaulting to 'C=CH, O=storyZone, CN=storyzone.us.to'
pluto[22027]: loaded host certificate from '/etc/ipsec.d/certs/clientCert.pem'
pluto[22027]: id '%any' not confirmed by certificate, defaulting to 'C=CH, O=storyZone, CN=piclient'
pluto[22027]: added connection description "rw-eap"
Connection attempt from iOS:
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [RFC 3947]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [XAUTH]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [Cisco-Unity]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [Dead Peer Detection]
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [RFC 3947]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [XAUTH]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [Cisco-Unity]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [Dead Peer Detection]
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [RFC 3947]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [XAUTH]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [Cisco-Unity]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [Dead Peer Detection]
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: ignoring informational payload, type INVALID_PAYLOAD_TYPE
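The log above is long and repetitive, and it is easy to miss that every IKE SA (#1, #2 and #3) goes through the same sequence: pluto starts responding to Main Mode, then drops a message because it carries an SA payload where pluto did not expect one (ISAKMP_NEXT_SA is pluto's name for the ISAKMP Security Association payload, which in Main Mode belongs only in the first request/response pair), and replies with INVALID_PAYLOAD_TYPE. The following triage script is an added example, not part of the question and not strongSwan's own tooling; it groups the pluto lines by connection, peer and SA number and reports, per SA, whether Main Mode was started and which payload types were rejected. The sample lines embedded in it are copied from the question's log excerpt; the `parse_state_events` and `diagnose` function names are the example's own.

```python
import re
from collections import OrderedDict

# Sample input: a subset of the pluto lines from the question's auth.log excerpt
# (dates already stripped, as in the post). Lines without a state number
# ("packet from ...") are included to show that the parser skips them.
SAMPLE_LOG = """\
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [RFC 3947]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [XAUTH]
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: ignoring informational payload, type INVALID_PAYLOAD_TYPE
"""

# pluto prefixes state-bound messages with: "<conn>"[<instance>] <peer> #<sa>:
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)
PAYLOAD_RE = re.compile(r"unexpected payload type \((?P<ptype>\w+)\)")


def parse_state_events(log_text):
    """Map (conn, peer, sa_number) -> list of messages, in log order.

    Lines that carry no state number (vendor ID chatter, startup lines) are
    dropped, since they cannot be attributed to a particular IKE SA.
    """
    events = OrderedDict()
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue
        key = (m.group("conn"), m.group("peer"), int(m.group("sa")))
        events.setdefault(key, []).append(m.group("msg"))
    return events


def diagnose(events):
    """Per SA: did Main Mode start, which payload types were rejected,
    and did pluto answer with an INVALID_PAYLOAD_TYPE notification?"""
    report = {}
    for key, msgs in events.items():
        rejected = set()
        for msg in msgs:
            pm = PAYLOAD_RE.search(msg)
            if pm:
                rejected.add(pm.group("ptype"))
        report[key] = {
            "main_mode_started": any(m.startswith("responding to Main Mode") for m in msgs),
            "rejected_payloads": sorted(rejected),
            "sent_invalid_payload_type": any(
                "sending notification INVALID_PAYLOAD_TYPE" in m for m in msgs
            ),
        }
    return report


def all_main_mode_attempts_failed(report):
    """True when every SA that started Main Mode also rejected a payload."""
    started = [r for r in report.values() if r["main_mode_started"]]
    return bool(started) and all(r["sent_invalid_payload_type"] for r in started)


if __name__ == "__main__":
    summary = diagnose(parse_state_events(SAMPLE_LOG))
    for (conn, peer, sa), r in summary.items():
        print(f'{conn} {peer} #{sa}: main_mode={r["main_mode_started"]} '
              f'rejected={r["rejected_payloads"]} '
              f'invalid_payload_sent={r["sent_invalid_payload_type"]}')
    print("every Main Mode attempt failed:", all_main_mode_attempts_failed(summary))
```

Run against the full /var/log/auth.log (read the file instead of `SAMPLE_LOG`) the summary shows at a glance whether the failure is uniform across SAs and peers, which is the first thing to establish before comparing the 4.5.2 pluto behaviour with what the iOS client sends.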