Strongswan CentOS 7 configuration problem

I am having trouble configuring Strongswan on CentOS 7! First, please note that I only want to connect with a username and password, and I do not want to import any configuration file on my phone! My server IP is 88.99.45.140, or the hostname ik.xpdns.xyz, and I want to set up an IKEv2 VPN server on it! This is the tutorial I followed: https://www.howtoforge.com/tutorial/how-to-setup-ikev2-vpn-using-strongswan-and-letsencrypt-on-centos-7/

Here is my ipsec.conf file:

#global configuration IPsec
#chron logger
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

#define new ipsec connection
conn hakase-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@ik.xpdns.xyz
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.15.1.0/24
    rightdns=1.1.1.1,8.8.8.8
    rightsendcert=never
    eap_identity=%identity

Here is my ipsec.secrets file:

# ipsec.secrets - strongSwan IPsec secrets file
@ik.xpdns.xyz : RSA "privkey.pem"
alid : EAP "123321"

Here is my strongswan.conf file:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

Here are the firewall rules I entered:

firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --zone=public --permanent --add-service="ipsec"
firewall-cmd --zone=public --permanent --add-masquerade
firewall-cmd --reload

I have no idea why, when my user tries to connect to the server, there is an error saying the remote host is behind NAT!!

Mar 20 11:19:10 ikev charon: 09[NET] received packet: from 89.165.18.30[500] to 88.99.45.140[500] (604 bytes)
Mar 20 11:19:10 ikev charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Mar 20 11:19:10 ikev charon: 09[IKE] 89.165.18.30 is initiating an IKE_SA
Mar 20 11:19:10 ikev charon: 09[IKE] remote host is behind NAT
Mar 20 11:19:10 ikev charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Mar 20 11:19:10 ikev charon: 09[NET] sending packet: from 88.99.45.140[500] to 89.165.18.30[500] (448 bytes)
Mar 20 11:19:40 ikev charon: 08[JOB] deleting half open IKE_SA with 89.165.18.30 after timeout
Mar 20 11:19:53 ikev systemd-logind: New session 8 of user root.
Mar 20 11:19:53 ikev systemd: Started Session 8 of user root.
Mar 20 11:53:22 ikev charon: 08[NET] received packet: from 89.165.18.30[500] to 88.99.45.140[500] (604 bytes)
Mar 20 11:53:22 ikev charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Mar 20 11:53:22 ikev charon: 08[IKE] 89.165.18.30 is initiating an IKE_SA
Mar 20 11:53:22 ikev charon: 08[IKE] remote host is behind NAT
Mar 20 11:53:22 ikev charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Mar 20 11:53:22 ikev charon: 08[NET] sending packet: from 88.99.45.140[500] to 89.165.18.30[500] (448 bytes)

I have been struggling with this for weeks and I am giving up! I need everyone's help to solve this!
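As an added illustration (the editor's, not code from the original post or from the strongSwan project), the script below classifies IKEv2 handshake attempts from charon syslog lines of the kind quoted above. It makes the point a reader of that log needs: "remote host is behind NAT" is informational, not an error. In the quoted log charon parses IKE_SA_INIT, generates and sends the response, and then deletes the half-open IKE_SA after the timeout, which means no IKE_AUTH request ever arrived. After NAT detection, RFC 7296 section 2.23 has both peers move to UDP 4500 for the rest of the exchange, so that is the path to check. The sample input reuses the post's log lines and adds a constructed successful exchange for a peer at 203.0.113.7 (a documentation address, assumed here); the charon lines for the constructed peer are written in charon's own log style but are not taken from a real capture.

```python
# Added example (editor's own; not from the original post or the strongSwan project):
# classify IKEv2 handshake attempts per client from charon syslog lines.
import re
from collections import defaultdict

# syslog prefix, hostname, "charon: NN[SUB] message"
LOG_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ charon: "
    r"(?P<thread>\d+)\[[A-Z]+\] (?P<msg>.*)$"
)
RECV_RE = re.compile(r"^received packet: from (?P<ip>[\d.]+)\[(?P<port>\d+)\]")
HALF_OPEN_RE = re.compile(r"^deleting half open IKE_SA with (?P<ip>[\d.]+) after timeout")


def _new_peer():
    return {"init_requests": 0, "init_responses": 0, "auth_requests": 0,
            "auth_ports": set(), "half_open_timeouts": 0, "behind_nat": False}


def parse_charon_log(lines):
    """Return per-peer handshake counters keyed by the client's public IP."""
    peers = defaultdict(_new_peer)
    # "parsed ..." lines carry no peer address, but the worker thread (the NN in
    # "NN[IKE]") that handles a packet first logs "received packet: from IP[port]",
    # so remember which peer and source port each thread is currently working on.
    thread_peer, thread_port = {}, {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # systemd-logind and other non-charon lines
        thread, msg = m.group("thread"), m.group("msg")
        r = RECV_RE.match(msg)
        if r:
            thread_peer[thread] = r.group("ip")
            thread_port[thread] = int(r.group("port"))
            continue
        h = HALF_OPEN_RE.match(msg)
        if h:
            peers[h.group("ip")]["half_open_timeouts"] += 1
            continue
        ip = thread_peer.get(thread)
        if ip is None:
            continue
        p = peers[ip]
        if msg.startswith("parsed IKE_SA_INIT request"):
            p["init_requests"] += 1
        elif msg.startswith("generating IKE_SA_INIT response"):
            p["init_responses"] += 1
        elif msg.startswith("parsed IKE_AUTH request"):
            p["auth_requests"] += 1
            p["auth_ports"].add(thread_port[thread])  # 4500 once NAT-T kicked in
        elif msg.startswith("remote host is behind NAT"):
            p["behind_nat"] = True  # informational: NAT-T will be used, not a failure
    return peers


def diagnose(p):
    """Map a peer's counters to a verdict and a hint for the operator."""
    if p["auth_requests"]:
        ports = "/".join(str(x) for x in sorted(p["auth_ports"]))
        return ("REACHED_IKE_AUTH",
                f"IKE_AUTH arrived on UDP {ports}; any remaining failure is in "
                "authentication (certificate, EAP identity, secret), not NAT traversal")
    if p["init_requests"] and p["init_responses"]:
        hint = "IKE_SA_INIT was answered but no IKE_AUTH followed; "
        if p["behind_nat"]:
            hint += ("NAT was detected, so the client's next message must reach UDP 4500: "
                     "check UDP 4500 end to end (client network, server firewall)")
        else:
            hint += "check that the IKE_SA_INIT response reaches the client"
        return "STALLED_AFTER_INIT", hint
    if p["init_requests"]:
        return "NO_INIT_RESPONSE", "charon never generated an IKE_SA_INIT response; raise charondebug"
    return "INCOMPLETE", "no complete IKE_SA_INIT request seen for this peer"


def report(lines):
    """Parse and diagnose; auth_ports is returned as a sorted list."""
    out = {}
    for ip, p in parse_charon_log(lines).items():
        verdict, hint = diagnose(p)
        out[ip] = {**p, "auth_ports": sorted(p["auth_ports"]),
                   "diagnosis": verdict, "hint": hint}
    return out


# Sample input: the post's own lines for 89.165.18.30, plus a CONSTRUCTED success case
# for 203.0.113.7 (documentation address) in which IKE_AUTH arrives on UDP 4500.
SAMPLE_LOG = """\
Mar 20 11:19:10 ikev charon: 09[NET] received packet: from 89.165.18.30[500] to 88.99.45.140[500] (604 bytes)
Mar 20 11:19:10 ikev charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Mar 20 11:19:10 ikev charon: 09[IKE] 89.165.18.30 is initiating an IKE_SA
Mar 20 11:19:10 ikev charon: 09[IKE] remote host is behind NAT
Mar 20 11:19:10 ikev charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Mar 20 11:19:10 ikev charon: 09[NET] sending packet: from 88.99.45.140[500] to 89.165.18.30[500] (448 bytes)
Mar 20 11:19:40 ikev charon: 08[JOB] deleting half open IKE_SA with 89.165.18.30 after timeout
Mar 20 11:19:53 ikev systemd-logind: New session 8 of user root.
Mar 20 11:53:22 ikev charon: 08[NET] received packet: from 89.165.18.30[500] to 88.99.45.140[500] (604 bytes)
Mar 20 11:53:22 ikev charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Mar 20 11:53:22 ikev charon: 08[IKE] 89.165.18.30 is initiating an IKE_SA
Mar 20 11:53:22 ikev charon: 08[IKE] remote host is behind NAT
Mar 20 11:53:22 ikev charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Mar 20 11:53:22 ikev charon: 08[NET] sending packet: from 88.99.45.140[500] to 89.165.18.30[500] (448 bytes)
Mar 20 12:00:01 ikev charon: 10[NET] received packet: from 203.0.113.7[500] to 88.99.45.140[500] (604 bytes)
Mar 20 12:00:01 ikev charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Mar 20 12:00:01 ikev charon: 10[IKE] 203.0.113.7 is initiating an IKE_SA
Mar 20 12:00:01 ikev charon: 10[IKE] remote host is behind NAT
Mar 20 12:00:01 ikev charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Mar 20 12:00:01 ikev charon: 10[NET] sending packet: from 88.99.45.140[500] to 203.0.113.7[500] (448 bytes)
Mar 20 12:00:02 ikev charon: 11[NET] received packet: from 203.0.113.7[4500] to 88.99.45.140[4500] (332 bytes)
Mar 20 12:00:02 ikev charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS) SA TSi TSr ]
""".splitlines()

if __name__ == "__main__":
    for ip, info in report(SAMPLE_LOG).items():
        print(f"{ip}: {info['diagnosis']} (init={info['init_requests']}, "
              f"timeouts={info['half_open_timeouts']}, nat={info['behind_nat']})\n  {info['hint']}")
```

Run it against `journalctl -u strongswan` output (or /var/log/messages) on the server; the useful contrast is between a peer that stalls after IKE_SA_INIT and one whose IKE_AUTH shows up from source port 4500, because only the former points at UDP 4500 reachability rather than at the configuration in ipsec.conf and ipsec.secrets.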
