I am trying to configure strongSwan 5.7.1 for an Android strongSwan "IKEv2 certificate" connection. I am using a self-signed user certificate and a GoDaddy wildcard server certificate. I cannot connect, and in the log I see "local id match: 0" and "no matching peer config found".
ipsec.conf:
conn android
fragmentation=yes
keyexchange=ikev2
left=%defaultroute
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftcert=serverCert.pem
leftsendcert=always
right=%any
rightauth=pubkey
rightsubnet=10.1.0.0/16
rightsourceip=10.1.0.0/16
auto=add
ipsec statusall output:
Virtual IP pools (size/online/offline):
10.0.0.0/16: 65534/0/0
10.1.0.0/16: 65534/0/0
Listening IP addresses:
172.30.3.123
Connections:
ios: %any...%any IKEv1
ios: local: [OU=Domain Control Validated, CN=*.vpntest.com] uses public key authentication
ios: cert: "OU=Domain Control Validated, CN=*.vpntest.com"
ios: remote: uses public key authentication
ios: remote: uses XAuth authentication: any
ios: child: 0.0.0.0/0 === 10.0.0.0/16 TUNNEL
android: %any...%any IKEv2
android: local: [OU=Domain Control Validated, CN=*.vpntest.com] uses public key authentication
android: cert: "OU=Domain Control Validated, CN=*.vpntest.com"
android: remote: uses public key authentication
android: child: 0.0.0.0/0 === 10.1.0.0/16 TUNNEL
Security Associations (0 up, 0 connecting):
/var/log/syslog:
Dec 10 21:25:11 vpn-server charon: 07[CFG] rightauth=pubkey
Dec 10 21:25:11 vpn-server charon: 07[CFG] dpddelay=30
Dec 10 21:25:11 vpn-server charon: 07[CFG] dpdtimeout=150
Dec 10 21:25:11 vpn-server charon: 07[CFG] sha256_96=no
Dec 10 21:25:11 vpn-server charon: 07[CFG] mediation=no
Dec 10 21:25:11 vpn-server charon: 07[CFG] keyexchange=ikev2
Dec 10 21:25:11 vpn-server charon: 07[CFG] adding virtual IP address pool 10.1.0.0/16
Dec 10 21:25:11 vpn-server charon: 07[CFG] loaded certificate "OU=Domain Control Validated, CN=*.vpntest.com" from 'serverCert.pem'
Dec 10 21:25:11 vpn-server charon: 07[CFG] id '%any' not confirmed by certificate, defaulting to 'OU=Domain Control Validated, CN=*.vpntest.com'
Dec 10 21:25:11 vpn-server charon: 07[CFG] added configuration 'android'
Dec 10 21:27:26 vpn-server charon: 09[CFG] looking for an IKEv2 config for 172.30.3.123...181.171.184.17
Dec 10 21:27:26 vpn-server charon: 09[CFG] ike config match: 0 (%any...%any IKEv1)
Dec 10 21:27:26 vpn-server charon: 09[CFG] ike config match: 28 (%any...%any IKEv2)
Dec 10 21:27:26 vpn-server charon: 09[CFG] candidate: %any...%any, prio 28
Dec 10 21:27:26 vpn-server charon: 09[CFG] found matching ike config: %any...%any with prio 28
Dec 10 21:27:26 vpn-server charon: 09[IKE] 181.171.184.17 is initiating an IKE_SA
Dec 10 21:27:26 vpn-server charon: 09[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Dec 10 21:27:26 vpn-server charon: 09[CFG] selecting proposal:
Dec 10 21:27:26 vpn-server charon: 09[CFG] proposal matches
Dec 10 21:27:26 vpn-server charon: 09[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 10 21:27:26 vpn-server charon: 09[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 10 21:27:26 vpn-server charon: 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
Dec 10 21:27:26 vpn-server charon: 09[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Dec 10 21:27:26 vpn-server charon: 09[IKE] local host is behind NAT, sending keep alives
Dec 10 21:27:26 vpn-server charon: 09[IKE] remote host is behind NAT
Dec 10 21:27:26 vpn-server charon: 09[IKE] DH group ECP_256 unacceptable, requesting CURVE_25519
Dec 10 21:27:26 vpn-server charon: 09[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
Dec 10 21:27:26 vpn-server charon: 10[CFG] looking for an IKEv2 config for 172.30.3.123...181.171.184.17
Dec 10 21:27:26 vpn-server charon: 10[CFG] ike config match: 0 (%any...%any IKEv1)
Dec 10 21:27:26 vpn-server charon: 10[CFG] ike config match: 28 (%any...%any IKEv2)
Dec 10 21:27:26 vpn-server charon: 10[CFG] candidate: %any...%any, prio 28
Dec 10 21:27:26 vpn-server charon: 10[IKE] 181.171.184.17 is initiating an IKE_SA
Dec 10 21:27:26 vpn-server charon: 10[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Dec 10 21:27:26 vpn-server charon: 10[CFG] selecting proposal:
Dec 10 21:27:26 vpn-server charon: 10[CFG] proposal matches
Dec 10 21:27:26 vpn-server charon: 10[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/CURVE_25519/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/CURVE_25519/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 10 21:27:26 vpn-server charon: 10[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 10 21:27:26 vpn-server charon: 10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
Dec 10 21:27:26 vpn-server charon: 10[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Dec 10 21:27:26 vpn-server charon: 10[IKE] local host is behind NAT, sending keep alives
Dec 10 21:27:26 vpn-server charon: 10[IKE] remote host is behind NAT
Dec 10 21:27:26 vpn-server charon: 10[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
Dec 10 21:27:26 vpn-server charon: 10[IKE] sending cert request for "C=CN, O=strongSwan, CN=strongSwan CA"
Dec 10 21:27:26 vpn-server charon: 10[IKE] sending cert request for "C=CN, O=VpnTest, CN=VpnTest CA"
Dec 10 21:27:26 vpn-server charon: 10[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certifica$
e Authority - G2"
Dec 10 21:27:26 vpn-server charon: 10[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Cer$
ification Authority, SN=07969287"
Dec 10 21:27:26 vpn-server charon: 11[IKE] received cert request for "C=CN, O=VpnTest, CN=VpnTest CA"
Dec 10 21:27:26 vpn-server charon: 11[IKE] received cert request for "C=CN, O=VpnTest, CN=VpnTest CA"
Dec 10 21:27:26 vpn-server charon: 11[IKE] received end entity cert "CN=user1, O=VpnTest"
Dec 10 21:27:26 vpn-server charon: 11[CFG] looking for peer configs matching 172.30.3.123["OU=Domain Control Validated, CN=*.vpntest.com"]...181.171.184.17[CN=user1, O=VpnTest]
Dec 10 21:27:26 vpn-server charon: 11[CFG] peer config "ios", ike match: 0 (%any...%any IKEv1)
Dec 10 21:27:26 vpn-server charon: 11[CFG] peer config "android", ike match: 28 (%any...%any IKEv2)
Dec 10 21:27:26 vpn-server charon: 11[CFG] local id match: 0 (ID_KEY_ID: 22:4f:55:3d:44:6f:6d:61:69:6e:20:43:6f:6e:74:72:6f:6c:20:56:61:6c:69:64:61:74:65:64:2c:20:43:4e:3d:2a:2e:70:75:72:65$
73:69:67:68:74:2e:63:6f:6d:22)
Dec 10 21:27:26 vpn-server charon: 11[CFG] no matching peer config found
Dec 10 21:27:26 vpn-server charon: 11[IKE] processing INTERNAL_IP4_ADDRESS attribute
Dec 10 21:27:26 vpn-server charon: 11[IKE] processing INTERNAL_IP6_ADDRESS attribute
Dec 10 21:27:26 vpn-server charon: 11[IKE] processing INTERNAL_IP4_DNS attribute
Dec 10 21:27:26 vpn-server charon: 11[IKE] processing INTERNAL_IP6_DNS attribute
Dec 10 21:27:26 vpn-server charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 10 21:27:26 vpn-server charon: 11[IKE] peer supports MOBIKE
Dec 10 21:27:26 vpn-server charon: 11[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
Answer 1
I had configured the server identity with quotes on the Android client. After removing the quotes, I was able to connect.
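Added example, not part of the original question or answer: decoding the ID_KEY_ID bytes from a "local id match: 0" line shows that the identity the client asked for is the server DN wrapped in literal double-quote characters (0x22), so it can never equal the certificate subject and charon falls back to a KEY_ID instead of a DN. The log line below is constructed to mirror the one in the question, using the redacted name *.vpntest.com; the expected DN is taken from the ipsec statusall output above.

```python
import re
from typing import Optional

# Constructed log line modelled on the "local id match: 0" entry in the
# question (hex of '"OU=Domain Control Validated, CN=*.vpntest.com"').
SAMPLE_LOG = (
    "Dec 10 21:27:26 vpn-server charon: 11[CFG] local id match: 0 "
    "(ID_KEY_ID: 22:4f:55:3d:44:6f:6d:61:69:6e:20:43:6f:6e:74:72:6f:6c:20:"
    "56:61:6c:69:64:61:74:65:64:2c:20:43:4e:3d:2a:2e:76:70:6e:74:65:73:74:"
    "2e:63:6f:6d:22)"
)

# Subject DN of the server certificate as reported by ipsec statusall.
EXPECTED_LOCAL_ID = "OU=Domain Control Validated, CN=*.vpntest.com"

KEY_ID_RE = re.compile(r"local id match: 0 \(ID_KEY_ID: ((?:[0-9a-f]{2}:?)+)\)")


def decode_key_id(log_line: str) -> Optional[bytes]:
    """Return the raw ID_KEY_ID bytes from a charon 'local id match: 0' line,
    or None if the line is not such an entry."""
    m = KEY_ID_RE.search(log_line)
    if not m:
        return None
    return bytes.fromhex(m.group(1).replace(":", ""))


def diagnose(log_line: str, expected_id: str) -> dict:
    """Explain why the local ID did not match: show the KEY_ID as text, flag
    surrounding quote characters, and check whether stripping them would
    yield the expected DN."""
    raw = decode_key_id(log_line)
    if raw is None:
        return {"found": False}
    text = raw.decode("latin-1")  # KEY_ID bytes are shown verbatim
    quoted = len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'"
    stripped = text[1:-1] if quoted else text
    return {
        "found": True,
        "as_text": text,
        "wrapped_in_quotes": quoted,
        "matches_after_strip": stripped == expected_id,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, EXPECTED_LOCAL_ID))
```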