Installing StrongSwan with user certificates

I am setting up strongswan but ran into some problems while configuring it. I can log in with user/pass, but I want to replace that with a user.p12 certificate. When I add rightauth2=pubkey, logging in with user/pass no longer works, and authentication with user.p12 does not work either.

I may not have created all of the certificates correctly:

ipsec pki --gen --type rsa --size 4096 --outform pem > server-root-key.pem
chmod 600 server-root-key.pem

ipsec pki --self --ca --lifetime 3650 \
--in server-root-key.pem \
--type rsa --dn "C=DE, O=VPN Server, CN=VPN Server Root CA" \
--outform pem > server-root-ca.pem

ipsec pki --gen --type rsa --size 4096 --outform pem > vpn-server-key.pem

ipsec pki --pub --in vpn-server-key.pem \
--type rsa | ipsec pki --issue --lifetime 1825 \
--cacert server-root-ca.pem \
--cakey server-root-key.pem \
--dn "C=US, O=VPN Server, CN=strongswan" \
--san strongswan \
--san vpn.example.com --san vpn.example.net \
--flag serverAuth --flag ikeIntermediate \
--outform pem > vpn-server-cert.pem

sudo cp ./vpn-server-cert.pem /etc/ipsec.d/certs/vpn-server-cert.pem
sudo cp ./vpn-server-key.pem /etc/ipsec.d/private/vpn-server-key.pem

sudo chown root /etc/ipsec.d/private/vpn-server-key.pem
sudo chgrp root /etc/ipsec.d/private/vpn-server-key.pem
sudo chmod 600 /etc/ipsec.d/private/vpn-server-key.pem



ipsec pki --gen --type rsa --size 2048 --outform pem > JohnKey.pem

ipsec pki --pub --in JohnKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert server-root-ca.pem --cakey server-root-key.pem --dn "C=DE, O=VPN Server, [email protected]" --san "[email protected]" --san "[email protected]" --outform pem > JohnCert.pem


openssl pkcs12 -export  -inkey JohnKey.pem -in JohnCert.pem -name "John's VPN Certificate"  -certfile server-root-ca.pem -caname "strongSwan Root CA" -out John.p12
->password : password


cp JohnKey.pem /etc/ipsec.d/private/JohnKey.pem
chmod 600 /etc/ipsec.d/private/JohnKey.pem

cp JohnCert.pem /etc/ipsec.d/certs/JohnCert.pem

ipsec.conf

config setup
charondebug="ike 1,knl 1,cfg 0"
uniqueids=no

conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@strongswan
leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
rightsendcert=never
eap_identity=%identity

ipsec.secrets

: RSA "/etc/ipsec.d/private/vpn-server-key.pem"
admin : EAP "password"

Login with user/password authentication:

Apr 26 11:19:01 strongswan charon: 14[NET] received packet: from 192.168.178.42[500] to 192.168.178.83[500] (604 bytes)
Apr 26 11:19:01 strongswan charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 26 11:19:01 strongswan charon: 14[IKE] 192.168.178.42 is initiating an IKE_SA
Apr 26 11:19:01 strongswan charon: 14[IKE] faking NAT situation to enforce UDP encapsulation
Apr 26 11:19:01 strongswan charon: 14[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Apr 26 11:19:01 strongswan charon: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 26 11:19:01 strongswan charon: 14[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500] (38 bytes)
Apr 26 11:19:01 strongswan charon: 15[NET] received packet: from 192.168.178.42[500] to 192.168.178.83[500] (476 bytes)
Apr 26 11:19:01 strongswan charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 26 11:19:01 strongswan charon: 15[IKE] 192.168.178.42 is initiating an IKE_SA
Apr 26 11:19:01 strongswan charon: 15[IKE] faking NAT situation to enforce UDP encapsulation
Apr 26 11:19:01 strongswan charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Apr 26 11:19:01 strongswan charon: 15[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500] (316 bytes)
Apr 26 11:19:01 strongswan charon: 13[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (484 bytes)
Apr 26 11:19:01 strongswan charon: 13[ENC] unknown attribute type (25)
Apr 26 11:19:01 strongswan charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 26 11:19:01 strongswan charon: 13[IKE] initiating EAP_IDENTITY method (id 0x00)
Apr 26 11:19:01 strongswan charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 26 11:19:01 strongswan charon: 13[IKE] peer supports MOBIKE
Apr 26 11:19:01 strongswan charon: 13[IKE] authentication of 'strongswan' (myself) with RSA signature successful
Apr 26 11:19:01 strongswan charon: 13[IKE] sending end entity cert "C=US, O=VPN Server, CN=strongswan"
Apr 26 11:19:01 strongswan charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Apr 26 11:19:01 strongswan charon: 13[ENC] splitting IKE message with length of 2004 bytes into 2 fragments
Apr 26 11:19:01 strongswan charon: 13[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Apr 26 11:19:01 strongswan charon: 13[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Apr 26 11:19:01 strongswan charon: 13[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (1248 bytes)
Apr 26 11:19:01 strongswan charon: 13[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (824 bytes)
Apr 26 11:19:01 strongswan charon: 06[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (68 bytes)
Apr 26 11:19:01 strongswan charon: 06[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Apr 26 11:19:01 strongswan charon: 06[IKE] received EAP identity 'admin'
Apr 26 11:19:01 strongswan charon: 06[IKE] initiating EAP_MSCHAPV2 method (id 0x57)
Apr 26 11:19:01 strongswan charon: 06[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Apr 26 11:19:01 strongswan charon: 06[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (100 bytes)
Apr 26 11:19:01 strongswan charon: 07[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (124 bytes)
Apr 26 11:19:01 strongswan charon: 07[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Apr 26 11:19:01 strongswan charon: 07[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Apr 26 11:19:01 strongswan charon: 07[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (132 bytes)
Apr 26 11:19:01 strongswan charon: 08[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (68 bytes)
Apr 26 11:19:01 strongswan charon: 08[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Apr 26 11:19:01 strongswan charon: 08[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Apr 26 11:19:01 strongswan charon: 08[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Apr 26 11:19:01 strongswan charon: 08[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (68 bytes)
Apr 26 11:19:01 strongswan charon: 09[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (84 bytes)
Apr 26 11:19:01 strongswan charon: 09[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Apr 26 11:19:01 strongswan charon: 09[IKE] authentication of '192.168.178.42' with EAP successful
Apr 26 11:19:01 strongswan charon: 09[IKE] authentication of 'strongswan' (myself) with EAP
Apr 26 11:19:01 strongswan charon: 09[IKE] IKE_SA ikev2-vpn[6] established between 192.168.178.83[strongswan]...192.168.178.42[192.168.178.42]
Apr 26 11:19:01 strongswan charon: 09[IKE] peer requested virtual IP %any
Apr 26 11:19:01 strongswan charon: 09[IKE] assigning virtual IP 10.10.10.1 to peer 'admin'
Apr 26 11:19:01 strongswan charon: 09[IKE] peer requested virtual IP %any6
Apr 26 11:19:01 strongswan charon: 09[IKE] no virtual IP found for %any6 requested by 'admin'
Apr 26 11:19:01 strongswan charon: 09[IKE] CHILD_SA ikev2-vpn{3} established with SPIs cf64b56a_i 0554cc0e_o and TS 0.0.0.0/0 === 10.10.10.1/32
Apr 26 11:19:01 strongswan charon: 09[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Apr 26 11:19:01 strongswan charon: 09[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (260 bytes)

Login with certificate authentication:

Apr 26 11:22:56 strongswan charon: 09[NET] received packet: from 192.168.178.42[500] to 192.168.178.83[500] (604 bytes)
Apr 26 11:22:56 strongswan charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 26 11:22:56 strongswan charon: 09[CFG] looking for an ike config for 192.168.178.83...192.168.178.42
Apr 26 11:22:56 strongswan charon: 09[CFG]   candidate: %any...%any, prio 28
Apr 26 11:22:56 strongswan charon: 09[CFG] found matching ike config: %any...%any with prio 28
Apr 26 11:22:56 strongswan charon: 09[IKE] 192.168.178.42 is initiating an IKE_SA
Apr 26 11:22:56 strongswan charon: 09[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 09[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 09[CFG]   proposal matches
Apr 26 11:22:56 strongswan charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 26 11:22:56 strongswan charon: 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 26 11:22:56 strongswan charon: 09[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 26 11:22:56 strongswan charon: 09[IKE] faking NAT situation to enforce UDP encapsulation
Apr 26 11:22:56 strongswan charon: 09[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Apr 26 11:22:56 strongswan charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 26 11:22:56 strongswan charon: 09[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500] (38 bytes)
Apr 26 11:22:56 strongswan charon: 09[MGR] checkin and destroy IKE_SA (unnamed)[1]
Apr 26 11:22:56 strongswan charon: 09[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
Apr 26 11:22:56 strongswan charon: 09[MGR] checkin and destroy of IKE_SA successful
Apr 26 11:22:56 strongswan charon: 04[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500]
Apr 26 11:22:56 strongswan charon: 03[NET] received packet: from 192.168.178.42[500] to 192.168.178.83[500]
Apr 26 11:22:56 strongswan charon: 03[NET] waiting for data on sockets
Apr 26 11:22:56 strongswan charon: 10[MGR] checkout IKEv2 SA by message with SPIs 46305c6dd06fc413_i 0000000000000000_r
Apr 26 11:22:56 strongswan charon: 10[MGR] created IKE_SA (unnamed)[2]
Apr 26 11:22:56 strongswan charon: 10[NET] received packet: from 192.168.178.42[500] to 192.168.178.83[500] (476 bytes)
Apr 26 11:22:56 strongswan charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 26 11:22:56 strongswan charon: 10[CFG] looking for an ike config for 192.168.178.83...192.168.178.42
Apr 26 11:22:56 strongswan charon: 10[CFG]   candidate: %any...%any, prio 28
Apr 26 11:22:56 strongswan charon: 10[CFG] found matching ike config: %any...%any with prio 28
Apr 26 11:22:56 strongswan charon: 10[IKE] 192.168.178.42 is initiating an IKE_SA
Apr 26 11:22:56 strongswan charon: 10[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Apr 26 11:22:56 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 10[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Apr 26 11:22:56 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 10[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Apr 26 11:22:56 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 10[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Apr 26 11:22:56 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:56 strongswan charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:56 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:57 strongswan charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:57 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:57 strongswan charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:57 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:57 strongswan charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 26 11:22:57 strongswan charon: 10[CFG] selecting proposal:
Apr 26 11:22:57 strongswan charon: 10[CFG]   proposal matches
Apr 26 11:22:57 strongswan charon: 10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 26 11:22:57 strongswan charon: 10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 26 11:22:57 strongswan charon: 10[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 26 11:22:57 strongswan charon: 10[IKE] faking NAT situation to enforce UDP encapsulation
Apr 26 11:22:57 strongswan charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Apr 26 11:22:57 strongswan charon: 10[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500] (316 bytes)
Apr 26 11:22:57 strongswan charon: 04[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500]
Apr 26 11:22:57 strongswan charon: 10[MGR] checkin IKE_SA (unnamed)[2]
Apr 26 11:22:57 strongswan charon: 10[MGR] checkin of IKE_SA successful
Apr 26 11:22:57 strongswan charon: 03[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500]
Apr 26 11:22:57 strongswan charon: 03[NET] waiting for data on sockets
Apr 26 11:22:57 strongswan charon: 11[MGR] checkout IKEv2 SA by message with SPIs 46305c6dd06fc413_i 3b484cfd473d268b_r
Apr 26 11:22:57 strongswan charon: 11[MGR] IKE_SA (unnamed)[2] successfully checked out
Apr 26 11:22:57 strongswan charon: 11[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (484 bytes)
Apr 26 11:22:57 strongswan charon: 11[ENC] unknown attribute type (25)
Apr 26 11:22:57 strongswan charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 26 11:22:57 strongswan charon: 11[CFG] looking for peer configs matching 192.168.178.83[strongswan]...192.168.178.42[192.168.178.42]
Apr 26 11:22:57 strongswan charon: 11[CFG]   candidate "ikev2-vpn", match: 20/1/28 (me/other/ike)
Apr 26 11:22:57 strongswan charon: 11[CFG] selected peer config 'ikev2-vpn'
Apr 26 11:22:57 strongswan charon: 11[IKE] initiating EAP_IDENTITY method (id 0x00)
Apr 26 11:22:57 strongswan charon: 11[IKE] processing INTERNAL_IP4_ADDRESS attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] processing INTERNAL_IP4_DHCP attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] processing INTERNAL_IP4_DNS attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] processing INTERNAL_IP4_NETMASK attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] processing INTERNAL_IP6_ADDRESS attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] processing INTERNAL_IP6_DHCP attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] processing INTERNAL_IP6_DNS attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] processing (25) attribute
Apr 26 11:22:57 strongswan charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 26 11:22:57 strongswan charon: 11[IKE] peer supports MOBIKE
Apr 26 11:22:57 strongswan charon: 11[IKE] authentication of 'strongswan' (myself) with RSA signature successful
Apr 26 11:22:57 strongswan charon: 11[IKE] sending end entity cert "C=US, O=VPN Server, CN=strongswan"
Apr 26 11:22:57 strongswan charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Apr 26 11:22:57 strongswan charon: 11[ENC] splitting IKE message with length of 2004 bytes into 2 fragments
Apr 26 11:22:57 strongswan charon: 11[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Apr 26 11:22:57 strongswan charon: 11[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Apr 26 11:22:57 strongswan charon: 11[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (1248 bytes)
Apr 26 11:22:57 strongswan charon: 04[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500]
Apr 26 11:22:57 strongswan charon: 11[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (824 bytes)
Apr 26 11:22:57 strongswan charon: 04[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500]
Apr 26 11:22:57 strongswan charon: 11[MGR] checkin IKE_SA ikev2-vpn[2]
Apr 26 11:22:57 strongswan charon: 11[MGR] checkin of IKE_SA successful
Apr 26 11:22:57 strongswan charon: 03[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500]
Apr 26 11:22:57 strongswan charon: 03[NET] waiting for data on sockets
Apr 26 11:22:57 strongswan charon: 12[MGR] checkout IKEv2 SA by message with SPIs 46305c6dd06fc413_i 3b484cfd473d268b_r
Apr 26 11:22:57 strongswan charon: 12[MGR] IKE_SA ikev2-vpn[2] successfully checked out
Apr 26 11:22:57 strongswan charon: 12[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (84 bytes)
Apr 26 11:22:57 strongswan charon: 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Apr 26 11:22:57 strongswan charon: 12[IKE] received EAP identity '192.168.178.42'
Apr 26 11:22:57 strongswan charon: 12[IKE] initiating EAP_MSCHAPV2 method (id 0xF8)
Apr 26 11:22:57 strongswan charon: 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Apr 26 11:22:57 strongswan charon: 12[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (100 bytes)
Apr 26 11:22:57 strongswan charon: 12[MGR] checkin IKE_SA ikev2-vpn[2]
Apr 26 11:22:57 strongswan charon: 12[MGR] checkin of IKE_SA successful
Apr 26 11:22:57 strongswan charon: 04[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500]
Apr 26 11:22:57 strongswan charon: 03[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500]
Apr 26 11:22:57 strongswan charon: 03[NET] waiting for data on sockets
Apr 26 11:22:57 strongswan charon: 13[MGR] checkout IKEv2 SA by message with SPIs 46305c6dd06fc413_i 3b484cfd473d268b_r
Apr 26 11:22:57 strongswan charon: 13[MGR] IKE_SA ikev2-vpn[2] successfully checked out
Apr 26 11:22:57 strongswan charon: 13[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (68 bytes)
Apr 26 11:22:57 strongswan charon: 13[ENC] parsed IKE_AUTH request 3 [ EAP/RES/NAK ]
Apr 26 11:22:57 strongswan charon: 13[IKE] received EAP_NAK, sending EAP_FAILURE
Apr 26 11:22:57 strongswan charon: 13[ENC] generating IKE_AUTH response 3 [ EAP/FAIL ]
Apr 26 11:22:57 strongswan charon: 13[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (68 bytes)
Apr 26 11:22:57 strongswan charon: 13[MGR] checkin and destroy IKE_SA ikev2-vpn[2]
Apr 26 11:22:57 strongswan charon: 13[IKE] IKE_SA ikev2-vpn[2] state change: CONNECTING => DESTROYING
Apr 26 11:22:57 strongswan charon: 13[MGR] checkin and destroy of IKE_SA successful
Apr 26 11:22:57 strongswan charon: 04[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500]

Please help me! :/

Edit: when I change rightauth to pubkey I cannot connect (the client is a Mac with an IKEv2 VPN setup and a user certificate for authentication):

Apr 26 13:07:59 strongswan charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Apr 26 13:07:59 strongswan charon: 08[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500] (316 bytes)
Apr 26 13:07:59 strongswan charon: 09[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (484 bytes)
Apr 26 13:07:59 strongswan charon: 09[ENC] unknown attribute type (25)
Apr 26 13:07:59 strongswan charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 26 13:07:59 strongswan charon: 09[IKE] peer requested EAP, config inacceptable
Apr 26 13:07:59 strongswan charon: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 26 13:07:59 strongswan charon: 09[IKE] peer supports MOBIKE
Apr 26 13:07:59 strongswan charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 26 13:07:59 strongswan charon: 09[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (68 bytes)
Apr 26 13:08:26 strongswan charon: 05[NET] received packet: from 192.168.178.42[500] to 192.168.178.83[500] (604 bytes)
Apr 26 13:08:26 strongswan charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 26 13:08:26 strongswan charon: 05[IKE] 192.168.178.42 is initiating an IKE_SA
Apr 26 13:08:26 strongswan charon: 05[IKE] faking NAT situation to enforce UDP encapsulation
Apr 26 13:08:26 strongswan charon: 05[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Apr 26 13:08:26 strongswan charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 26 13:08:26 strongswan charon: 05[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500] (38 bytes)
Apr 26 13:08:26 strongswan charon: 06[NET] received packet: from 192.168.178.42[500] to 192.168.178.83[500] (476 bytes)
Apr 26 13:08:26 strongswan charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Apr 26 13:08:26 strongswan charon: 06[IKE] 192.168.178.42 is initiating an IKE_SA
Apr 26 13:08:26 strongswan charon: 06[IKE] faking NAT situation to enforce UDP encapsulation
Apr 26 13:08:26 strongswan charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Apr 26 13:08:26 strongswan charon: 06[NET] sending packet: from 192.168.178.83[500] to 192.168.178.42[500] (316 bytes)
Apr 26 13:08:26 strongswan charon: 07[NET] received packet: from 192.168.178.42[4500] to 192.168.178.83[4500] (484 bytes)
Apr 26 13:08:26 strongswan charon: 07[ENC] unknown attribute type (25)
Apr 26 13:08:26 strongswan charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 26 13:08:26 strongswan charon: 07[IKE] peer requested EAP, config inacceptable
Apr 26 13:08:26 strongswan charon: 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 26 13:08:26 strongswan charon: 07[IKE] peer supports MOBIKE
Apr 26 13:08:26 strongswan charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 26 13:08:26 strongswan charon: 07[NET] sending packet: from 192.168.178.83[4500] to 192.168.178.42[4500] (68 bytes)
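The three charon excerpts above end three different ways (EAP success, EAP_NAK right after the EAP_MSCHAPV2 offer, and AUTH_FAILED after "peer requested EAP, config inacceptable"), and the selected proposal in the second one is 3DES/SHA1/MODP_1024 because the ike= line pins MODP_1024. This added example (not code from the post or from strongSwan) is a small Python classifier for that charon log format; the sample log lines are constructed from the excerpts, and the outcome labels and the WEAK_TOKENS list are my own choices.

```python
"""Classify strongSwan charon log excerpts by how IKE_SA authentication ended.

Added example, not code from the original post. It parses the charon log
format quoted above ("<thread>[GROUP] message") and reports, per excerpt,
the EAP identity and method seen, the final authentication outcome, and any
weak algorithm in the proposal charon selected. The sample log lines are
constructed to mirror the three excerpts in the post.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

LINE_RE = re.compile(r"charon: \d+\[(\w+)\] (.*)$")

# Tokens worth flagging in a selected IKE proposal (my list); all four appear
# in the proposal charon picked in the post: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024.
WEAK_TOKENS = ("3DES_CBC", "HMAC_SHA1_96", "PRF_HMAC_SHA1", "MODP_1024")


@dataclass
class AuthSummary:
    eap_identity: Optional[str] = None
    eap_method: Optional[str] = None
    outcome: str = "incomplete"
    selected_proposals: list = field(default_factory=list)
    weak_algorithms: list = field(default_factory=list)
    dh_downgrade: bool = False


def summarize(log_text: str) -> AuthSummary:
    """Walk one charon excerpt line by line and keep the last decisive event."""
    s = AuthSummary()
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a charon line
        msg = m.group(2)
        if msg.startswith("selected proposal: "):
            prop = msg.split(": ", 1)[1]
            s.selected_proposals.append(prop)
            for tok in WEAK_TOKENS:
                if tok in prop and tok not in s.weak_algorithms:
                    s.weak_algorithms.append(tok)
        elif "inacceptable, requesting MODP_1024" in msg:
            # Responder answered INVAL_KE: the client offered a stronger DH
            # group than the configured ike= line allows.
            s.dh_downgrade = True
        elif msg.startswith("received EAP identity '"):
            s.eap_identity = msg.split("'")[1]
        elif msg.startswith("initiating EAP_") and msg.split()[1] != "EAP_IDENTITY":
            s.eap_method = msg.split()[1]
        elif msg.startswith("peer requested EAP, config inacceptable"):
            s.outcome = "rejected: client asked for EAP but the matched conn requires pubkey"
        elif msg.startswith("received EAP_NAK"):
            s.outcome = "failed: client refused the offered EAP method (EAP_NAK)"
        elif msg.startswith("authentication of '") and "(myself)" not in msg:
            if "with EAP successful" in msg:
                s.outcome = "authenticated: EAP"
            elif "signature successful" in msg:
                s.outcome = "authenticated: certificate (pubkey)"
    return s


# Constructed sample excerpts modelled on the post (trimmed to the decisive lines).
EAP_OK = """\
Apr 26 11:19:01 strongswan charon: 14[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Apr 26 11:19:01 strongswan charon: 06[IKE] received EAP identity 'admin'
Apr 26 11:19:01 strongswan charon: 06[IKE] initiating EAP_MSCHAPV2 method (id 0x57)
Apr 26 11:19:01 strongswan charon: 09[IKE] authentication of '192.168.178.42' with EAP successful
"""
CERT_CLIENT_NAK = """\
Apr 26 11:22:56 strongswan charon: 09[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 26 11:22:57 strongswan charon: 11[IKE] initiating EAP_IDENTITY method (id 0x00)
Apr 26 11:22:57 strongswan charon: 12[IKE] received EAP identity '192.168.178.42'
Apr 26 11:22:57 strongswan charon: 12[IKE] initiating EAP_MSCHAPV2 method (id 0xF8)
Apr 26 11:22:57 strongswan charon: 13[IKE] received EAP_NAK, sending EAP_FAILURE
"""
PUBKEY_REJECTED = """\
Apr 26 13:07:59 strongswan charon: 09[IKE] peer requested EAP, config inacceptable
Apr 26 13:07:59 strongswan charon: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

if __name__ == "__main__":
    for name, text in (("user/pass", EAP_OK), ("p12 client, eap conn", CERT_CLIENT_NAK),
                       ("p12 client, pubkey conn", PUBKEY_REJECTED)):
        print(name, "->", summarize(text))
```

Feed it a whole /var/log excerpt and the EAP identity field shows whether the peer even presented a username (the certificate client reports its IP as EAP identity, which is the clue that it is still being pushed down the EAP path).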
