无法从 Linux(Ubuntu)连接到 SonicWall VPN

tag-icon tag-icon linux vpn sonicwall strongswan
无法从 Linux(Ubuntu)连接到 SonicWall VPN

我正在尝试使用 Linux(Ubuntu)上的 StrongSwan 连接到 SonicWall VPN。我可以使用 SonicWall Global VPN 客户端从 Windows 计算机进行连接,该客户端使用共享密钥。以下是使用该客户端进行连接的说明:新建连接向导预共享密钥配置连接属性mc21-哥伦比亚

在 Linux 中我将使用 StrongSwan:

local> ipsec --version
Linux strongSwan U5.3.5/K4.4.0-72-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland

/etc/ipsec.conf的如下

conn name-for-connection
    right=201.xxx.yyy.zzz,201.aaa.bbb.ccc
    rightsubnet=172.16.0.0/12
    rightid=@place_id
    left=%any
    xauth_identity=myuser
    keyexchange=ikev2
    authby=psk
    ike=aes256-sha1-modp2048
    esp=aes256-sha1-modp2048
    auto=start

并且/etc/ipsec.secret有以下条目:

@place_id : PSK "Sh4r3d53cr37"

myuser : XAUTH "mYp455w0rd"

运行该命令时sudo ipsec up name-for-connection我得到以下输出:

initiating IKE_SA name-for-connection[3] to 201.xxx.yyy.zzz
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.0.eee[500] to 201.xxx.yyy.zzz[500] (1460 bytes)
received packet: from 201.xxx.yyy.zzz[500] to 192.168.0.eee[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1024
initiating IKE_SA name-for-connection[3] to 201.xxx.yyy.zzz
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.0.eee[500] to 201.xxx.yyy.zzz[500] (1332 bytes)
received packet: from 201.xxx.yyy.zzz[500] to 192.168.0.eee[500] (317 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(NATD_S_IP) N(NATD_D_IP) V ]
local host is behind NAT, sending keep alives
sending cert request for "C=NL, O=Example Company, CN=strongSwan Root CA"
no IDi configured, fall back on IP address
authentication of '192.168.0.eee' (myself) with pre-shared key
establishing CHILD_SA name-for-connection
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 1 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 2 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
retransmit 3 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
retransmit 4 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
retransmit 5 of request with message ID 1
sending packet: from 192.168.0.eee[4500] to 201.xxx.yyy.zzz[4500] (372 bytes)
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
sending keep alive to 201.xxx.yyy.zzz[4500]
giving up after 5 retransmits
peer not responding, trying again (2/3)
establishing connection 'name-to-connection' failed

那么,我该如何调试此连接或者如何建立它?

答案1

首先,您的 IKE 设置不匹配。您请求 modp2048,即 DH 组 14,但 SonicWall 请求 modp1024,即 DH 组 2。

您还可能会受到以下错误的影响。StrongSwan 5.3.5 不适用于 SonicWall IKEv1/XAuth 防火墙:

https://wiki.strongswan.org/issues/1434

https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1608302

虽然这个错误是针对 IKEv1 的,但由于您使用的是 XAUTH,它也可能对您产生影响。问题是由于防火墙在请求用户名之后但在请求密码之前发送了一条消息。这个错误已在 StrongSwan 5.5.0 中修复。不幸的是,如果您使用的是 Ubuntu 16.04 LTS,据我所知没有为 Ubuntu 16.04 构建的 5.5.0 版本。您可以通过谷歌搜索找到一份报告,其中有人报告说他们成功地在本地为 Ubuntu 16.04 构建了 5.5.x。

另一种方法是使用 VirtualBox,设置 Windows 客户机,在客户机中安装 SonicWall GVPN 客户端,并将 SonicWall VPN 适配器连接共享回您的 Ubuntu 主机。我现在正在这样做。设置很棘手,但一旦弄清楚,就很容易做到,而且有效。如果感兴趣,我可以发布我的方法。

相关内容