这是我的 ipsec.conf,它正常运行:
conn pelle
left=%defaultroute
leftsourceip=%config
leftauth=eap-mschapv2
eap_identity=min user
right=vpn.mydomain.com
rightsubnet=0.0.0.0/0
rightauth=pubkey
rightid=%vpn.mindomän
rightca=/etc/ipsec.d/cacerts/pelle.cer
keyexchange=ikev2
type=tunnel
mobike=yes
dpdaction=hold
closeaction=hold
dpdtimeout=300s
dpddelay=120s
keylife=20m
rekeymargin=3m
reauth=no
ikelifetime=60m
lifetime=1h
keyingtries=1
auto=start
keyexchange=ikev2
esp=aes128-sha2_256-modp2048!
ike=aes128-sha2_256-modp2048!
我认为它在 swanctl.conf 中翻译成的内容如下,显然我没有理解正确...
connections {
vpn {
version=2
proposals =aes128-sha256-modp2048
rekey_time = 0s
dpd_delay = 300s
local_addrs = %defaultroute
remote_addrs = vpn.mydomain.com
vips=0.0.0.0,::
local {
auth = eap-mschapv2
eap_id = myuser
}
remote {
auth = pubkey
certs=/etc/ipsec.d/cacerts/pelle.cer
id = %any
}
children {
vpn {
mode = tunnel
remote_ts = 0.0.0.0/0,::/0
rekey_time = 0s
dpd_action = clear
start_action = start
esp_proposals =aes128-sha256-modp2048
}
}
}
}
secrets {
eap-vpn {
id = myuser
secret = mypass
}
}
当我尝试启动 swanctl 连接时出现此错误:
swanctl --initiate --child vpn
[IKE] initiating IKE_SA vpn[2] to xx.xxx.xx.xxx
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 0.0.0.0[500] to xx.xxx.xx.xxx[500] (464 bytes)
[NET] received packet: from xx.xxx.xx.xxx[500] to xxx.xxx.x.x[500] (492 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V ]
[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
[IKE] received MS-Negotiation Discovery Capable vendor ID
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[IKE] remote host is behind NAT
[IKE] sending cert request for "C=xx, ST=XXX, L=XXXX, O=XXXXX, CN=XXXXX Root CA"
[IKE] sending cert request for "C=xx, ST=XXX, L=XXXX, O=XXXXX, CN=XXXXX Root CA"
[CFG] no IDi configured, fall back on IP address
[IKE] establishing CHILD_SA vpn{2}
[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from xxx.xxx.x.x[4500] to xx.xxx.xx.xxx[4500] (352 bytes)
[NET] received packet: from xx.xxx.xx.xxx[4500] to xxx.xxx.x.x[4500] (1504 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
[IKE] received end entity cert "C=XX, ST=XXX, L=XXXX, OU=XXX, O=XXXXX, CN=vpn.mydomain.com"
[CFG] using certificate "C=XX, ST=XXX, L=XXX, OU=XXX, O=XXXXX, CN=vpn.mydomain.com"
[CFG] using trusted ca certificate "C=XX, ST=XXXX, L=XXX, O=XXXX, CN=XXXXX Root CA"
[CFG] checking certificate status of "C=XX, ST=XXXX, L=XXX, OU=XXX, O=XXXX, CN=vpn.mydomain.com"
[CFG] certificate status is not available
[CFG] reached self-signed root ca with a path length of 0
[IKE] authentication of 'C=XX, ST=XXXX, L=XXX, OU=XXX, O=XXXXX, CN=vpn.mydomain.com' with RSA signature successful
[CFG] constraint check failed: peer not authenticated with peer cert 'C=XX, ST=XXXX, L=XXXX, O=XXXXX, CN=XXXXX Root CA'
[CFG] selected peer config 'vpn' unacceptable: constraint checking failed
[CFG] no alternative config found
[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
[NET] sending packet: from xxx.xxx.x.x[4500] to xx.xxx.xx.xxx[4500] (80 bytes)
initiate failed: establishing CHILD_SA 'vpn' failed
关于我哪里做错了,有什么建议吗?
答案1
certs 应该是 cacerts