我一直在尝试让它启动并运行,并且取得了比我预期的更多进展,但是我遇到了一个错误, received INVALID_ID_INFORMATION error notify
并且在 strongswan 的日志中显示了一个非常特殊的本地 IP,它不在路由器的 LAN 上(但它是路由器的!)。
我的路由器 TP-Link MR200 使用移动 4G 连接,ISP/移动运营商使用 NAT(路由器的 WAN ip 为 10。。.*),而互联网上可见的远程 IP 也是动态的。我正在尝试为互联网上的一台 Ubuntu 16.04 服务器创建一个 IPSEC VPN,该服务器具有静态 IP 并运行 Strongswan。TP-Link 只知道 IPSEC (...)。
TP-Link 本地子网是192.168.10.0/24
TP-Link 的本地 IP 是192.168.10.1
服务器的 IP 是1.2.3.4/24
(可访问互联网)
链接已创建并启动,然后出现上述错误,然后链接断开。
笔记:日志还显示了一个我无法识别的奇怪的本地 IP 地址:192.168.225.100...这个 IP 实际上似乎也是 TP-Link 的,因为我可以从它的本地 LAN 访问它,并且它打开了相同的 Web GUI!
然后我也尝试了rightsubnet=0.0.0.0/0
......同样的错误:(
下面是日志和配置文件。有谁能帮我弄一下吗?
Strongswan 日志:
Sep 1 21:46:51 ubuntu charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Sep 1 21:46:51 ubuntu charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep 1 21:46:51 ubuntu charon: 00[JOB] spawning 16 worker threads
Sep 1 21:46:51 ubuntu charon: 06[CFG] received stroke: add connection 'nat-t'
Sep 1 21:46:51 ubuntu charon: 06[CFG] added configuration 'nat-t'
Sep 1 21:47:05 ubuntu charon: 16[NET] received packet: from <REMOTE_IP>[37861] to 1.2.3.4[500] (104 bytes)
Sep 1 21:47:05 ubuntu charon: 16[ENC] parsed ID_PROT request 0 [ SA V ]
Sep 1 21:47:05 ubuntu charon: 16[IKE] received DPD vendor ID
Sep 1 21:47:05 ubuntu charon: 16[IKE] <REMOTE_IP> is initiating a Main Mode IKE_SA
Sep 1 21:47:05 ubuntu charon: 16[ENC] generating ID_PROT response 0 [ SA V V ]
Sep 1 21:47:05 ubuntu charon: 16[NET] sending packet: from 1.2.3.4[500] to <REMOTE_IP>[37861] (116 bytes)
Sep 1 21:47:05 ubuntu charon: 14[NET] received packet: from <REMOTE_IP>[37861] to 1.2.3.4[500] (180 bytes)
Sep 1 21:47:05 ubuntu charon: 14[ENC] parsed ID_PROT request 0 [ KE No ]
Sep 1 21:47:05 ubuntu charon: 14[ENC] generating ID_PROT response 0 [ KE No ]
Sep 1 21:47:05 ubuntu charon: 14[NET] sending packet: from 1.2.3.4[500] to <REMOTE_IP>[37861] (196 bytes)
Sep 1 21:47:05 ubuntu charon: 08[NET] received packet: from <REMOTE_IP>[37861] to 1.2.3.4[500] (76 bytes)
Sep 1 21:47:05 ubuntu charon: 08[ENC] parsed ID_PROT request 0 [ ID HASH ]
Sep 1 21:47:05 ubuntu charon: 08[CFG] looking for pre-shared key peer configs matching 1.2.3.4...<REMOTE_IP>[192.168.225.100]
Sep 1 21:47:05 ubuntu charon: 08[CFG] selected peer config "nat-t"
Sep 1 21:47:05 ubuntu charon: 08[IKE] IKE_SA nat-t[1] established between 1.2.3.4[1.2.3.4]...<REMOTE_IP>[192.168.225.100]
Sep 1 21:47:05 ubuntu charon: 08[IKE] scheduling reauthentication in 3370s
Sep 1 21:47:05 ubuntu charon: 08[IKE] maximum IKE_SA lifetime 3550s
Sep 1 21:47:05 ubuntu charon: 08[ENC] generating ID_PROT response 0 [ ID HASH ]
Sep 1 21:47:05 ubuntu charon: 08[NET] sending packet: from 1.2.3.4[500] to <REMOTE_IP>[37861] (76 bytes)
Sep 1 21:47:06 ubuntu charon: 07[NET] received packet: from <REMOTE_IP>[37861] to 1.2.3.4[500] (300 bytes)
Sep 1 21:47:06 ubuntu charon: 07[ENC] parsed QUICK_MODE request 3165384805 [ HASH SA No KE ID ID ]
Sep 1 21:47:06 ubuntu charon: 07[IKE] received 3600s lifetime, configured 1200s
Sep 1 21:47:06 ubuntu charon: 07[ENC] generating QUICK_MODE response 3165384805 [ HASH SA No KE ID ID ]
Sep 1 21:47:06 ubuntu charon: 07[NET] sending packet: from 1.2.3.4[500] to <REMOTE_IP>[37861] (316 bytes)
Sep 1 21:47:06 ubuntu charon: 06[NET] received packet: from <REMOTE_IP>[37861] to 1.2.3.4[500] (76 bytes)
Sep 1 21:47:06 ubuntu charon: 06[ENC] parsed INFORMATIONAL_V1 request 3226534685 [ HASH N(INVAL_ID) ]
Sep 1 21:47:06 ubuntu charon: 06[IKE] received INVALID_ID_INFORMATION error notify
Strongswan ipsec.conf:
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ike
authby=secret
conn nat-t
left=1.2.3.4
leftsubnet=1.2.3.0/24
leftfirewall=yes
lefthostaccess=yes
right=%any
rightsubnet=192.168.10.0/24
auto=add
esp=aes128-sha1-modp1024
Strongswan 的 ipsec.secrets
1.2.3.4 : PSK "Abracadabra"
TP-Link IPSEC配置(截图):