How do I correctly send the responder identity in an IKEv2 site-to-site PSK VPN set up with Strongswan?

I am trying to set up an IKEv2 site-to-site PSK VPN using the legacy Strongswan configuration.

/etc/ipsec.conf

config setup
    # full charon logging; reduce once the tunnel is up
    charondebug="all"
    uniqueids=no
    # no certificates are involved with PSK, so CRL policy does not apply
    strictcrlpolicy=no
conn ikev2-vpn
    # load on start, bring up by hand with 'ipsec up ikev2-vpn'
    auto=add
    dpdaction=restart
    compress=no
    type=tunnel
    keyexchange=ikev2
    rekey=no
    # authby is deprecated for IKEv2 and ignored once leftauth/rightauth are set
    authby=secret
    leftauth=psk
    # local address behind NAT; charon moves to UDP/4500 after NAT detection
    left=<PRIVATE_IP>
    # IDi sent to the peer; must match the first selector in ipsec.secrets
    leftid=<PUBLIC_IP>
    # local traffic selector (TSi)
    leftsubnet=<OUR_SUBNET>
    rightauth=psk
    right=<THEIR_PUBLIC_IP>
    # IDr expected from the peer
    rightid=<THEIR_PUBLIC_IP>
    # remote traffic selector (TSr); TSi/TSr must match the peer's policy,
    # otherwise it answers IKE_AUTH with TS_UNACCEPTABLE (RFC 7296, 3.10.1)
    rightsubnet=<THEIR_SUBNET>

I get a responder identity failure message; the remote end is a Checkpoint server, and it reports the error "Authentication exchange: sending notification to peer: Traffic selector unacceptable".

root@hostname:/home/sarajarjoura# ipsec up ikev2-vpn
initiating IKE_SA ikev2-vpn[1] to <THEIR_PUBLIC_IP>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from <PRIVATE_IP>[500] to <THEIR_PUBLIC_IP>[500] (464 bytes)
received packet: from <THEIR_PUBLIC_IP>[500] to <PRIVATE_IP>[500] (540 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) ]
local host is behind NAT, sending keep alives
authentication of '<PUBLIC_IP>' (myself) with pre-shared key
establishing CHILD_SA ikev2-vpn{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from <PRIVATE_IP>[4500] to <THEIR_PUBLIC_IP>[4500] (272 bytes)
received packet: from <THEIR_PUBLIC_IP>[4500] to <PRIVATE_IP>[4500] (96 bytes)
parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) N(TS_UNACCEPT) ]
IDr payload missing
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from <PRIVATE_IP>[4500] to <THEIR_PUBLIC_IP>[4500] (80 bytes)
establishing connection 'ikev2-vpn' failed

/etc/ipsec.secrets

# selectors are the IDs from ipsec.conf (leftid, rightid), not the NATed private address
<PUBLIC_IP> <THEIR_PUBLIC_IP> : PSK "<SUPER_STRONG_PSK>"

How do I change the conf file so that the responder identity is sent? This is my first time configuring a VPN client, so my knowledge is based on Google searches and on trying to understand excerpts about IKEv2.

Resources I found that may help others running into the same problem:

IKEv2: https://www.rfc-editor.org/rfc/rfc7296

VPN troubleshooting: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-troubleshooting.html

Site-to-site configuration with StrongSwan: https://www.strongswan.org/testing/testresults/ikev2/net2net-psk/

How to configure a StrongSwan IKEv2 VPN with a PSK (pre-shared key)?

By the way, I have also tried libreswan, and I am not opposed to switching clients. I have also tested this against a server I control, and I believe I am not far from success.
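The charon output quoted in the post, read as an IKEv2 exchange: the following is an added example (not code from the original post and not strongSwan's own) that parses each generated or parsed message into its exchange type, message ID and payload list, then inspects the IKE_AUTH response. The two N(TS_UNACCEPT) payloads are TS_UNACCEPTABLE notifies (type 38 in RFC 7296, section 3.10.1), and that response carries neither IDr nor AUTH, which is why charon logs "IDr payload missing" and answers with AUTHENTICATION_FAILED (type 24): the traffic selector rejection is the cause, the missing IDr is the consequence. The sample log is the post's own output with its placeholders; the abbreviation table is an assumption limited to the names handled here (TS_UNACCEPT and AUTH_FAILED appear in the log, NO_PROP and INVAL_KE are charon's short names as far as I know).

```python
"""Parse charon 'ipsec up' output into IKEv2 messages and name the failure.

Added example for this post, not strongSwan code.  Assumes the line format
charon prints for messages: '<generating|parsed> <EXCHANGE> <request|response>
<msgid> [ payload payload ... ]'.
"""
import re
from dataclasses import dataclass

# Constructed sample: the charon output from the post, placeholders kept as written.
SAMPLE_LOG = """\
initiating IKE_SA ikev2-vpn[1] to <THEIR_PUBLIC_IP>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from <PRIVATE_IP>[500] to <THEIR_PUBLIC_IP>[500] (464 bytes)
received packet: from <THEIR_PUBLIC_IP>[500] to <PRIVATE_IP>[500] (540 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) ]
local host is behind NAT, sending keep alives
authentication of '<PUBLIC_IP>' (myself) with pre-shared key
establishing CHILD_SA ikev2-vpn{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from <PRIVATE_IP>[4500] to <THEIR_PUBLIC_IP>[4500] (272 bytes)
received packet: from <THEIR_PUBLIC_IP>[4500] to <PRIVATE_IP>[4500] (96 bytes)
parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) N(TS_UNACCEPT) ]
IDr payload missing
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from <PRIVATE_IP>[4500] to <THEIR_PUBLIC_IP>[4500] (80 bytes)
establishing connection 'ikev2-vpn' failed
"""

# Error notify types from RFC 7296 section 3.10.1, keyed by the short name
# charon prints inside N(...).  Assumed, partial table: only names handled here.
NOTIFY_ERRORS = {
    "NO_PROP": ("NO_PROPOSAL_CHOSEN", 14),
    "INVAL_KE": ("INVALID_KE_PAYLOAD", 17),
    "AUTH_FAILED": ("AUTHENTICATION_FAILED", 24),
    "TS_UNACCEPT": ("TS_UNACCEPTABLE", 38),
}

MSG_RE = re.compile(
    r"^(?P<dir>generating|parsed) (?P<exchange>[A-Z_]+) (?P<kind>request|response) "
    r"(?P<mid>\d+) \[ (?P<payloads>.*) \]$"
)


@dataclass
class Message:
    exchange: str   # IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL
    kind: str       # request or response
    mid: int        # IKEv2 message ID
    sent: bool      # True for messages we generated, False for peer messages we parsed
    payloads: list  # payload names as charon prints them, e.g. 'IDr', 'N(TS_UNACCEPT)'

    def notifies(self):
        """Notify types carried in N(...) payloads, e.g. ['TS_UNACCEPT', 'TS_UNACCEPT']."""
        return [p[2:-1] for p in self.payloads if p.startswith("N(") and p.endswith(")")]

    def error_notifies(self):
        """Error notifies, in order of first appearance, without duplicates."""
        return list(dict.fromkeys(n for n in self.notifies() if n in NOTIFY_ERRORS))


def parse_messages(log):
    """Extract every generated/parsed IKEv2 message from a charon log, in order."""
    msgs = []
    for line in log.splitlines():
        m = MSG_RE.match(line.strip())
        if m:
            msgs.append(Message(m["exchange"], m["kind"], int(m["mid"]),
                                m["dir"] == "generating", m["payloads"].split()))
    return msgs


def diagnose(log):
    """Return the parsed messages, the first error the peer sent, and plain findings."""
    msgs = parse_messages(log)
    findings = []
    root_cause = None
    if "local host is behind NAT" in log:
        findings.append("local NAT detected: IKE continues on UDP/4500 (NAT-T)")
    for msg in msgs:
        if msg.sent or not msg.error_notifies():
            continue  # only messages received from the peer explain a rejection
        for short in msg.error_notifies():
            name, code = NOTIFY_ERRORS[short]
            findings.append(f"peer answered {msg.exchange} response {msg.mid} with {name} ({code})")
            root_cause = root_cause or name
        if msg.exchange == "IKE_AUTH" and not ("IDr" in msg.payloads and "AUTH" in msg.payloads):
            # RFC 7296 1.2 expects IDr/AUTH even when the Child SA fails; without them
            # charon cannot authenticate the peer and logs 'IDr payload missing'
            findings.append("IKE_AUTH response carries no IDr/AUTH: charon logs "
                            "'IDr payload missing' and sends AUTHENTICATION_FAILED")
    if root_cause == "TS_UNACCEPTABLE":
        findings.append("align leftsubnet/rightsubnet (TSi/TSr) with the peer's policy; "
                        "the IDr complaint is a consequence, not the cause")
    return {"messages": msgs, "root_cause": root_cause, "findings": findings}


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    for m in result["messages"]:
        print(f"{'->' if m.sent else '<-'} {m.exchange} {m.kind} {m.mid}: {' '.join(m.payloads)}")
    for f in result["findings"]:
        print("*", f)
```

Run it against a real `ipsec up` capture by replacing SAMPLE_LOG with the file contents; any error notify that charon prints under a name missing from NOTIFY_ERRORS is simply not classified, so extend the table rather than trust a "no root cause" result.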
