我已经实现了 StrongSwan VPN 服务器,并希望将其配置为动态分配 IP 给最终客户端。如果我给它一个 IP 范围,VPN 就可以正常工作,但如果我将其设置为 DHCP,则无法正常工作。
这是我的 dhcp.conf 文件:
dhcp {
# Always use the configured server address.
force_server_address = yes
# Derive user-defined MAC address from hash of IKE identity.
# identity_lease = yes
# Interface name the plugin uses for address allocation.
# interface =
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
# DHCP server unicast or broadcast IP address.
server = 10.0.0.255
}
我的 ipsec.conf 文件:
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
keyexchange=ikev2
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=10.0.0.2
leftsubnet=255.255.255.0/24
leftcert=vpnHostCert.pem
right=%any
rightsubnet=255.255.255.0/24
rightdns=10.0.0.2
rightsourceip=10.0.1.0/24
# rightsourceip=%dhcp
compress=yes
conn IPSec-IKEv2
auto=add
conn IPSec-IKEv2-EAP
also="IPSec-IKEv2"
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
conn CiscoIPSec
keyexchange=ikev1
rightauth=pubkey
rightauth2=xauth
auto=add
目前我已经注释掉 DHCP 功能,因此 VPN 可以正常运行。
以下是尝试连接的日志:(剪切以获取新日志)
Jul 8 16:13:09 dhcp charon: 04[IKE] IKE_SA IPSec-IKEv2-EAP[15] state change: CONNECTING => ESTABLISHED
Jul 8 16:13:09 dhcp charon: 04[IKE] peer requested virtual IP %any
Jul 8 16:13:09 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:10 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:11 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 8 16:13:11 dhcp charon: 15[NET] waiting for data on sockets
Jul 8 16:13:11 dhcp charon: 07[MGR] ignoring request with ID 5, already processing
Jul 8 16:13:12 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:14 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 8 16:13:14 dhcp charon: 15[NET] waiting for data on sockets
Jul 8 16:13:14 dhcp charon: 13[MGR] ignoring request with ID 5, already processing
Jul 8 16:13:15 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:18 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 8 16:13:18 dhcp charon: 15[NET] waiting for data on sockets
Jul 8 16:13:18 dhcp charon: 01[MGR] ignoring request with ID 5, already processing
Jul 8 16:13:19 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:24 dhcp charon: 04[CFG] DHCP DISCOVER timed out
正如您在日志中看到的,StrongSwan 正在尝试从 DHCP 服务器获取租约,但是它从未收到对其 DHCPDiscover 的响应。
VPN 和 DHCP 服务器都在同一台机器上(10.0.0.2)。正如您在 dhcp.conf 文件中看到的,我指定了 10.0.0.255(根据本文底部的注释strongswan 文档)我还尝试过 10.0.0.2、0.0.0.0、127.0.0.1、255.255.255.0、255.255.255.255,但都没有起作用。
DHCP 在内部一切都运行正常,所以我很确定这是 StrongSwan 的问题。
编辑: 我设法从 DHCP 服务器获取了响应,但是 VPN 软件看不到它。以下是我对 VPN 的 DHCP 配置以及日志所做的更改。
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 08[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500] (528 bytes)
Jul 10 09:41:52 dhcp charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 10 09:41:52 dhcp charon: 08[CFG] looking for an ike config for 10.0.0.2...xxx.xxx.xxx.xxx
Jul 10 09:41:52 dhcp charon: 08[CFG] candidate: 10.0.0.2...%any, prio 1052
Jul 10 09:41:52 dhcp charon: 08[CFG] candidate: 10.0.0.2...%any, prio 1052
Jul 10 09:41:52 dhcp charon: 08[CFG] found matching ike config: 10.0.0.2...%any with prio 1052
Jul 10 09:41:52 dhcp charon: 08[IKE] xxx.xxx.xxx.xxx is initiating an IKE_SA
Jul 10 09:41:52 dhcp charon: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Jul 10 09:41:52 dhcp charon: 08[CFG] selecting proposal:
Jul 10 09:41:52 dhcp charon: 08[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:41:52 dhcp charon: 08[CFG] selecting proposal:
Jul 10 09:41:52 dhcp charon: 08[CFG] proposal matches
Jul 10 09:41:52 dhcp charon: 08[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul 10 09:41:52 dhcp charon: 08[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:41:52 dhcp charon: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:41:52 dhcp charon: 08[IKE] local host is behind NAT, sending keep alives
Jul 10 09:41:52 dhcp charon: 08[IKE] remote host is behind NAT
Jul 10 09:41:52 dhcp charon: 08[IKE] sending cert request for "C=AU, O=EXAMPLE, CN=EXAMPLE CA"
Jul 10 09:41:52 dhcp charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 10 09:41:52 dhcp charon: 08[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500] (337 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 07[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (972 bytes)
Jul 10 09:41:52 dhcp charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 10 09:41:52 dhcp charon: 07[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
Jul 10 09:41:52 dhcp charon: 07[IKE] received cert request for "C=AU, O=EXAMPLE, CN=EXAMPLE CA"
Jul 10 09:41:52 dhcp charon: 07[IKE] received 31 cert requests for an unknown ca
Jul 10 09:41:52 dhcp charon: 07[CFG] looking for peer configs matching 10.0.0.2[%any]...xxx.xxx.xxx.xxx[10.1.1.5]
Jul 10 09:41:52 dhcp charon: 07[CFG] candidate "IPSec-IKEv2", match: 1/1/1052 (me/other/ike)
Jul 10 09:41:52 dhcp charon: 07[CFG] candidate "IPSec-IKEv2-EAP", match: 1/1/1052 (me/other/ike)
Jul 10 09:41:52 dhcp charon: 07[CFG] selected peer config 'IPSec-IKEv2'
Jul 10 09:41:52 dhcp charon: 07[IKE] peer requested EAP, config inacceptable
Jul 10 09:41:52 dhcp charon: 07[CFG] switching to peer config 'IPSec-IKEv2-EAP'
Jul 10 09:41:52 dhcp charon: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_DNS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_NBNS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_SERVER attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_DNS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_SERVER attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] peer supports MOBIKE
Jul 10 09:41:52 dhcp charon: 07[IKE] authentication of 'C=AU, O=EXAMPLE, CN=EXAMPLE AU' (myself) with RSA signature successful
Jul 10 09:41:52 dhcp charon: 07[IKE] sending end entity cert "C=AU, O=EXAMPLE, CN=EXAMPLE AU"
Jul 10 09:41:52 dhcp charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 10 09:41:52 dhcp charon: 07[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (1516 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 10[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
Jul 10 09:41:52 dhcp charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jul 10 09:41:52 dhcp charon: 10[IKE] received EAP identity 'shane'
Jul 10 09:41:52 dhcp charon: 10[IKE] initiating EAP_MSCHAPV2 method (id 0xB2)
Jul 10 09:41:52 dhcp charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 10[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (108 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 09[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (140 bytes)
Jul 10 09:41:52 dhcp charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 09[IKE] EAP-MS-CHAPv2 username: 'shane'
Jul 10 09:41:52 dhcp charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 09[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (140 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 11[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
Jul 10 09:41:52 dhcp charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jul 10 09:41:52 dhcp charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Jul 10 09:41:52 dhcp charon: 11[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 12[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (92 bytes)
Jul 10 09:41:52 dhcp charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Jul 10 09:41:52 dhcp charon: 12[IKE] authentication of '10.1.1.5' with EAP successful
Jul 10 09:41:52 dhcp charon: 12[IKE] authentication of 'C=AU, O=EXAMPLE, CN=EXAMPLE AU' (myself) with EAP
Jul 10 09:41:52 dhcp charon: 12[IKE] IKE_SA IPSec-IKEv2-EAP[1] established between 10.0.0.2[C=AU, O=EXAMPLE, CN=EXAMPLE AU]...xxx.xxx.xxx.xxx[10.1.1.5]
Jul 10 09:41:52 dhcp charon: 12[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: CONNECTING => ESTABLISHED
Jul 10 09:41:52 dhcp charon: 12[IKE] peer requested virtual IP %any
Jul 10 09:41:52 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:52 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be via team0
Jul 10 09:41:53 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:53 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:54 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:54 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:54 dhcp charon: 06[MGR] ignoring request with ID 5, already processing
Jul 10 09:41:55 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:55 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:55 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:57 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:57 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:57 dhcp charon: 15[MGR] ignoring request with ID 5, already processing
Jul 10 09:41:58 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:58 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:58 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:42:00 dhcp chronyd[728]: NTP packet received from unauthorised host 10.0.0.2 port 123
Jul 10 09:42:02 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:42:02 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:42:02 dhcp charon: 10[MGR] ignoring request with ID 5, already processing
Jul 10 09:42:02 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:42:02 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:42:02 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:42:07 dhcp charon: 12[CFG] DHCP DISCOVER timed out
Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found for %any requested by 'shane'
Jul 10 09:42:07 dhcp charon: 12[IKE] peer requested virtual IP %any6
Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found for %any6 requested by 'shane'
Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Jul 10 09:42:07 dhcp charon: 12[CFG] looking for a child config for ::/0 0.0.0.0/0 === ::/0 0.0.0.0/0
Jul 10 09:42:07 dhcp charon: 12[CFG] proposing traffic selectors for us:
Jul 10 09:42:07 dhcp charon: 12[CFG] 255.255.255.0/24
Jul 10 09:42:07 dhcp charon: 12[CFG] proposing traffic selectors for other:
Jul 10 09:42:07 dhcp charon: 12[CFG] 255.255.255.0/24
Jul 10 09:42:07 dhcp charon: 12[CFG] candidate "IPSec-IKEv2-EAP" with prio 1+1
Jul 10 09:42:07 dhcp charon: 12[CFG] found matching child config "IPSec-IKEv2-EAP" with prio 2
Jul 10 09:42:07 dhcp charon: 12[IKE] configuration payload negotiation failed, no CHILD_SA built
Jul 10 09:42:07 dhcp charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jul 10 09:42:07 dhcp charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
Jul 10 09:42:07 dhcp charon: 12[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (124 bytes)
Jul 10 09:42:07 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:42:07 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:42:07 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:42:07 dhcp charon: 11[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
Jul 10 09:42:07 dhcp charon: 11[ENC] parsed INFORMATIONAL request 6 [ D ]
Jul 10 09:42:07 dhcp charon: 11[IKE] received DELETE for IKE_SA IPSec-IKEv2-EAP[1]
Jul 10 09:42:07 dhcp charon: 11[IKE] deleting IKE_SA IPSec-IKEv2-EAP[1] between 10.0.0.2[C=AU, O=EXAMPLE, CN=EXAMPLE AU]...xxx.xxx.xxx.xxx[10.1.1.5]
Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: ESTABLISHED => DELETING
Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA deleted
Jul 10 09:42:07 dhcp charon: 11[ENC] generating INFORMATIONAL response 6 [ ]
Jul 10 09:42:07 dhcp charon: 11[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)
Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: DELETING => DESTROYING
Jul 10 09:42:07 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:42:08 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500]
Jul 10 09:42:08 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:42:08 dhcp charon: 14[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500] (384 bytes)
Jul 10 09:42:08 dhcp charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
Jul 10 09:42:08 dhcp charon: 14[CFG] looking for an ike config for 10.0.0.2...xxx.xxx.xxx.xxx
Jul 10 09:42:08 dhcp charon: 14[CFG] candidate: 10.0.0.2...%any, prio 1052
Jul 10 09:42:08 dhcp charon: 14[CFG] found matching ike config: 10.0.0.2...%any with prio 1052
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:08
Jul 10 09:42:08 dhcp charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
Jul 10 09:42:08 dhcp charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Jul 10 09:42:08 dhcp charon: 14[IKE] xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Jul 10 09:42:08 dhcp charon: 14[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:42:08 dhcp charon: 14[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:42:08 dhcp charon: 14[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:42:08 dhcp charon: 14[IKE] no proposal found
Jul 10 09:42:08 dhcp charon: 14[IKE] queueing INFORMATIONAL task
Jul 10 09:42:08 dhcp charon: 14[IKE] activating new tasks
Jul 10 09:42:08 dhcp charon: 14[IKE] activating INFORMATIONAL task
Jul 10 09:42:08 dhcp charon: 14[ENC] generating INFORMATIONAL_V1 request 2146740619 [ N(NO_PROP) ]
Jul 10 09:42:08 dhcp charon: 14[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500] (56 bytes)
Jul 10 09:42:08 dhcp charon: 14[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
Jul 10 09:42:08 dhcp charon: 04[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500]
新的配置如下:
dhcp {
force_server_address = yes
interface = team0
load = yes
server = 255.255.255.255
}
答案1
我解决了!请参阅页面底部的注释(此处)[1]... 如前所述,我确实尝试过,但没有成功。我在 em1 和 em2 上有一个 NIC 团队,成为 team0。StrongSwan 似乎没有考虑过这个接口。
我将接口更改为 team0,我的服务器是 255.255.255.255 - DHCP 服务器可以看到请求,但 VPN 看不到回复。一旦我将服务器设置为 10.0.0.255 并将接口设置为 team0,一切就开始正常工作了。
因此,诀窍在于,如果您使用 NIC 组合,则需要指定您的组合作为接口,并将服务器指定为您的本地广播地址。您需要将 force_server_address 设置为 yes,而identity_lease 似乎不会影响它。
我希望这可以让其他人免于噩梦。
我的最终配置:
dhcp {
# Always use the configured server address.
force_server_address = yes
# Derive user-defined MAC address from hash of IKE identity.
identity_lease = yes
# Interface name the plugin uses for address allocation.
interface = team0
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
# DHCP server unicast or broadcast IP address.
server = 10.0.0.255
}
我的日志的 DHCP 部分现在是什么样的:
Jul 10 10:05:27 dhcp charon: 02[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: CONNECTING => ESTABLISHED
Jul 10 10:05:27 dhcp charon: 02[IKE] peer requested virtual IP %any
Jul 10 10:05:27 dhcp charon: 02[CFG] sending DHCP DISCOVER to 10.0.0.255
Jul 10 10:05:27 dhcp dhcpd: DHCPDISCOVER from 7a:a7:b4:f2:4e:dc via 10.0.0.2
Jul 10 10:05:28 dhcp charon: 02[CFG] sending DHCP DISCOVER to 10.0.0.255
Jul 10 10:05:28 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:b4:f2:4e:dc (shane) via 10.0.0.2
Jul 10 10:05:28 dhcp charon: 07[CFG] received DHCP OFFER 10.0.0.188 from 10.0.0.2
Jul 10 10:05:28 dhcp charon: 02[CFG] sending DHCP REQUEST for 10.0.0.188 to 10.0.0.2
Jul 10 10:05:28 dhcp dhcpd: DHCPREQUEST for 10.0.0.188 (10.0.0.2) from 7a:a7:b4:f2:4e:dc (shane) via 10.0.0.2
Jul 10 10:05:28 dhcp dhcpd: DHCPACK on 10.0.0.188 to 7a:a7:b4:f2:4e:dc (shane) via 10.0.0.2
Jul 10 10:05:28 dhcp charon: 08[CFG] received DHCP ACK for 10.0.0.188
Jul 10 10:05:28 dhcp charon: 02[IKE] assigning virtual IP 10.0.0.188 to peer 'shane'
请注意,DHCP 守护进程似乎记录它接收请求的速度比 Charon 记录它已请求某些东西的速度要快。
我希望这可以为其他人节省时间和减少挫折。