我正在尝试使用 Linux(Ubuntu)上的 StrongSwan 连接到 SonicWall VPN。我可以使用 SonicWall Global VPN 客户端从 Windows 计算机进行连接,该客户端使用共享密钥。以下是使用该客户端进行连接的说明:mc21-哥伦比亚
在 Linux 中我将使用 StrongSwan:
local> ipsec --version
Linux strongSwan U5.3.5/K4.4.0-72-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
我/etc/ipsec.conf
的如下
conn name-for-connection
right=201.xxx.yyy.zzz,201.aaa.bbb.ccc
rightsubnet=172.16.0.0/12
rightid=@place_id
left=%any
xauth_identity=myuser
keyexchange=ikev2
authby=psk
ike=aes256-sha1-modp2048
esp=aes256-sha1-modp2048
auto=start
并且/etc/ipsec.secret
有以下条目:
@place_id : PSK "Sh4r3d53cr37"
myuser : XAUTH "mYp455w0rd"
运行该命令时sudo ipsec up name-for-connection
我得到以下输出:
initiating IKE_SA name-for-connection[3] to 201.xxx.yyy.zzz
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.0.eee[500] to 201.xxx.yyy.zzz[500] (1460 bytes)
received packet: from 201.xxx.yyy.zzz[500] to 192.168.0.eee[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA name-for-connection[3] to 201.xxx.yyy.zzz
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.0.eee[500] to 201.xxx.yyy.zzz[500] (1332 bytes)
received packet: from 201.xxx.yyy.zzz[500] to 192.168.0.eee[500] (317 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
local host is behind NAT, sending keep alives
sending cert request for "C=NL, O=Example Company, CN=strongSwan Root CA"
no IDi configured, fall back on IP address
authentication of '192.168.0.eee' (myself) with pre-shared key
establishing CHILD_SA name-for-connection
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 1 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 2 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 3 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
retransmit 4 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
retransmit 5 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
giving up after 5 retransmits
peer not responding, trying again (2/3)
establishing connection 'name-to-connection' failed
那么,我该如何调试此连接或者如何建立它?
答案1
首先,您的 IKE 设置不匹配。您请求 modp2048,即 DH 组 14,但 SonicWall 请求 modp1024,即 DH 组 2。
您还可能会受到以下错误的影响。StrongSwan 5.3.5 不适用于 SonicWall IKEv1/XAuth 防火墙:
https://wiki.strongswan.org/issues/1434
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1608302
虽然这个错误是针对 IKEv1 的,但由于您使用的是 XAUTH,它也可能对您产生影响。问题是由于防火墙在请求用户名之后但在请求密码之前发送了一条消息。这个错误已在 StrongSwan 5.5.0 中修复。不幸的是,如果您使用的是 Ubuntu 16.04 LTS,据我所知没有为 Ubuntu 16.04 构建的 5.5.0 版本。您可以通过谷歌搜索找到一份报告,其中有人报告说他们成功地在本地为 Ubuntu 16.04 构建了 5.5.x。
另一种方法是使用 VirtualBox,设置 Windows 客户机,在客户机中安装 SonicWall GVPN 客户端,并将 SonicWall VPN 适配器连接共享回您的 Ubuntu 主机。我现在正在这样做。设置很棘手,但一旦弄清楚,就很容易做到,而且有效。如果感兴趣,我可以发布我的方法。