I have looked through the existing Q&A on this problem; maybe there is an angle I have missed, but I don't know what else to try.
When I try to bring the VPN up from the CentOS "client", I get the following output:
[root@hostname etc]# strongswan up casanova_vpn
initiating Main Mode IKE_SA casanova_vpn[1] to <VPN_SERVER_PUBLIC_IP>
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from <CENTOS_7_PUBLIC_IP>[500] to <VPN_SERVER_PUBLIC_IP>[500] (176 bytes)
received packet: from <VPN_SERVER_PUBLIC_IP>[500] to <CENTOS_7_PUBLIC_IP>[500] (156 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received NAT-T (RFC 3947) vendor ID
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from <CENTOS_7_PUBLIC_IP>[500] to <VPN_SERVER_PUBLIC_IP>[500] (244 bytes)
received packet: from <VPN_SERVER_PUBLIC_IP>[500] to <CENTOS_7_PUBLIC_IP>[500] (236 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from <CENTOS_7_PUBLIC_IP>[500] to <VPN_SERVER_PUBLIC_IP>[500] (100 bytes)
received packet: from <VPN_SERVER_PUBLIC_IP>[500] to <CENTOS_7_PUBLIC_IP>[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA casanova_vpn[1] established between <CENTOS_7_PUBLIC_IP>[<CENTOS_7_PUBLIC_IP>]...<VPN_SERVER_PUBLIC_IP>[<VPN_SERVER_PUBLIC_IP>]
scheduling reauthentication in 3394s
maximum IKE_SA lifetime 3574s
generating QUICK_MODE request 3035167021 [ HASH SA No KE ID ID ]
sending packet: from <CENTOS_7_PUBLIC_IP>[500] to <VPN_SERVER_PUBLIC_IP>[500] (300 bytes)
received packet: from <VPN_SERVER_PUBLIC_IP>[500] to <CENTOS_7_PUBLIC_IP>[500] (68 bytes)
parsed INFORMATIONAL_V1 request 3361583959 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'casanova_vpn' failed
[root@hostname etc]#
CentOS /etc/ipsec.conf: (I know 3des-sha1-modp1024 is weak. Once I get the tunnel working I'll raise the bar and eventually move to certificates... trying to keep it to the bare minimum for debugging...)
[root@hostname etc]# cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.
# Sample VPN connections

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=3des-sha1-modp1024!
    esp=3des-sha1-modp1024!

conn casanova_vpn
    keyexchange=ikev1
    left=%defaultroute
    auto=add
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=<VPN_SERVER_PUBLIC_IP>
[root@breezeview etc]#
Tik config:
ppp profile:
    name="Vultr_vpn" local-address=172.16.101.1 remote-address=172.16.101.2
    use-mpls=default use-compression=default use-encryption=yes
    only-one=default change-tcp-mss=default use-upnp=default
    address-list="" dns-server=8.8.8.8,8.8.4.4 on-up="" on-down=""

proposal:
    2 name="vultr" auth-algorithms=sha1 enc-algorithms=3des lifetime=1h
      pfs-group=modp1024

policy:
    T * group=default src-address=<CENTOS_7_PUBLIC_IP/32> dst-address=<VPN_SERVER_PUBLIC_IP/32> protocol=all proposal=vultr template=yes
So... in theory everything appears to line up. In practice... it doesn't.
Many thanks for any insight!
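A small diagnostic for reading this kind of `strongswan up` transcript, added here as an example and not part of the question or of strongSwan itself: it records how far the IKEv1 exchange got and whether the NO_PROPOSAL_CHOSEN notify arrived before or after the IKE_SA was established, which is what separates a Phase 1 (ike=) mismatch from a Phase 2 (esp= / traffic selector) one. The sample log is a constructed excerpt of the output above, with the same placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed excerpt, modelled on the `strongswan up` output in the question
# (same placeholders; only the lines the diagnosis looks at are kept).
SAMPLE_LOG = """\
initiating Main Mode IKE_SA casanova_vpn[1] to <VPN_SERVER_PUBLIC_IP>
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE_SA casanova_vpn[1] established between <CENTOS_7_PUBLIC_IP>[<CENTOS_7_PUBLIC_IP>]...<VPN_SERVER_PUBLIC_IP>[<VPN_SERVER_PUBLIC_IP>]
generating QUICK_MODE request 3035167021 [ HASH SA No KE ID ID ]
parsed INFORMATIONAL_V1 request 3361583959 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'casanova_vpn' failed
"""

@dataclass
class Diagnosis:
    conn: Optional[str] = None
    ike_proposal: Optional[str] = None  # what Main Mode (Phase 1) agreed on
    phase1_established: bool = False
    phase2_attempted: bool = False
    error_notify: Optional[str] = None
    failed_phase: Optional[str] = None  # "phase1", "phase2" or None
    hint: str = ""

def diagnose(log: str) -> Diagnosis:
    # Walk the charon log in order and record how far IKEv1 negotiation got.
    d = Diagnosis()
    for raw in log.splitlines():
        line = raw.strip()
        if m := re.match(r"initiating .*IKE_SA (\S+)\[\d+\]", line):
            d.conn = m.group(1)
        elif m := re.match(r"selected proposal: IKE:(\S+)", line):
            d.ike_proposal = m.group(1)
        elif re.match(r"IKE_SA \S+\[\d+\] established", line):
            d.phase1_established = True
        elif line.startswith("generating QUICK_MODE request"):
            d.phase2_attempted = True
        elif m := re.match(r"received (\S+) error notify", line):
            d.error_notify = m.group(1)
    if d.error_notify and d.phase1_established and d.phase2_attempted:
        # ike= already matched, so the rejection concerns the Phase 2 (ESP) SA.
        d.failed_phase = "phase2"
        d.hint = ("compare esp= (cipher, integrity, PFS group) and the traffic "
                  "selectors (leftprotoport/rightprotoport, type=) with the peer policy")
    elif d.error_notify:
        d.failed_phase = "phase1"
        d.hint = "compare ike= (cipher, hash, DH group) with the peer's IKE proposal"
    return d
```

For the log in the question the result is a Phase 2 rejection: Main Mode completed with the 3DES/SHA1/MODP1024 proposal, and the peer answered the Quick Mode request with NO_PROPOSAL_CHOSEN.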