IKEv2 strongSwan deleting half-open IKE_SA with xxxx after timeout on iOS device

I have set up an IKEv2 strongSwan VPN server on Ubuntu 18.04 and am using a valid Let's Encrypt CA for it. I want to use it from an iOS app, so here is ipsec.conf:

config setup
    charondebug="all"
    # keep_alive=24h
    uniqueids=never
conn %default
    auto=route
    type=tunnel
    keyexchange=ikev2
    fragmentation=no
    forceencaps=no
    mobike=yes
    ike=aes256-sha256-modp1024,aes256-sha256-modp2048, aes256-aes128-sha1-modp1024-3des!
    esp=aes256-sha256-sha1-3des!
    dpdaction=clear
    dpddelay=20s
    dpdtimeout=1800s
    rekey=no
    reauth=no
    left=%any
    #leftallowany=yes
    leftcert=cert.crt
    leftca=%same
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any4
    #rightallowany=yes
    rightid=%any
    rightsourceip=172.26.0.0/16
    rightdns=8.8.8.8,8.8.4.4
    eap_identity=%identity
    rightauth=pubkey
    keyingtries=%forever

conn ikev2-mschapv2
    rightauth=eap-mschapv2

conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    [email protected]

Here is the content of ipsec.secrets:

sec.mydomain.com : RSA key.pem
vpnusername %any% : EAP "pass"

The problem is that when I try to connect to the server, it stays in the connecting state; after 20 seconds it changes to disconnected and the server log shows a timeout. Here is the server log from tail -f /var/log/syslog:

Sep  3 07:25:25 vps-10d57688 systemd[7908]: Reached target Timers.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG network certificate management daemon.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent and passphrase cache.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Reached target Sockets.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Reached target Basic System.
Sep  3 07:25:25 vps-10d57688 systemd[1]: Started User Manager for UID 1000.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Reached target Default.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Startup finished in 33ms.
Sep  3 07:25:38 vps-10d57688 charon: 13[NET] received packet: from 151.243.253.166[500] to x.x.x.x[500] (604 bytes)
Sep  3 07:25:38 vps-10d57688 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep  3 07:25:38 vps-10d57688 charon: 13[IKE] 151.243.253.166 is initiating an IKE_SA
Sep  3 07:25:38 vps-10d57688 charon: 13[IKE] remote host is behind NAT
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-99-generic, x86_64)
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] PKCS11 module '<name>' lacks library path
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] disabling load-tester plugin, not configured
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] dnscert plugin is disabled
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] ipseckey plugin is disabled
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] attr-sql plugin: database URI not set
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG]   loaded ca certificate "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root" from '/etc/ipsec.d/cacerts/chain.pem'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/key.pem'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG]   loaded EAP secret for vpnusername %any%
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] sql plugin: database URI not set
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] eap-simaka-sql database URI missing
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loaded 0 RADIUS server configurations
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] HA config misses local/remote address
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] no threshold configured for systime-fix, disabled
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] coupling file path unspecified
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[JOB] spawning 16 worker threads
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] received stroke: add connection 'ikev2-mschapv2'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] adding virtual IP address pool 172.26.0.0/16
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG]   loaded certificate "OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com" from 'cert.crt'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG]   id '%any' not confirmed by certificate, defaulting to 'OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] added configuration 'ikev2-mschapv2'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 07[CFG] received stroke: route 'ikev2-mschapv2'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 07[CFG] installing trap failed, remote address unknown
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] received stroke: add connection 'ikev2-mschapv2-apple'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] reusing virtual IP address pool 172.26.0.0/16
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG]   loaded certificate "OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com" from 'cert.crt'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] added configuration 'ikev2-mschapv2-apple'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 11[CFG] received stroke: route 'ikev2-mschapv2-apple'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 11[CFG] installing trap failed, remote address unknown
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[NET] received packet: from 151.243.253.166[500] to x.x.x.x[500] (604 bytes)
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] 151.243.253.166 is initiating an IKE_SA
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] remote host is behind NAT
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[NET] sending packet: from x.x.x.x[500] to 151.243.253.166[500] (473 bytes)
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 07[JOB] deleting half open IKE_SA with 151.243.253.166 after timeout

More logs: I checked port 4500 with tcpdump and nc and it worked, but when I try to connect to the VPN it does not receive or send any packets:

Here is the result of the nc call:

ubuntu@vps-10d57688:~$ sudo tcpdump -i ens3 udp port 4500 -vv -X
tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:49:46.754565 IP (tos 0x0, ttl 52, id 31208, offset 0, flags [none], proto UDP (17), length 31)
    192.64.83.84.51285 > vps-10d57688.vps.ovh.ca.ipsec-nat-t: [udp sum ok] [|isakmp]
    0x0000:  4500 001f 79e8 0000 3411 f82a c040 5354  E...y...4..*.@ST
    0x0010:  4246 bee0 c855 1194 000b 9ec9 6869 0a    BF...U......hi.
15:50:00.565036 IP (tos 0x0, ttl 52, id 4681, offset 0, flags [none], proto UDP (17), length 33)
    192.64.83.84.51285 > vps-10d57688.vps.ovh.ca.ipsec-nat-t: [udp sum ok] UDP-encap: [|ESP]
    0x0000:  4500 0021 1249 0000 3411 5fc8 c040 5354  E..!.I..4._..@ST
    0x0010:  4246 bee0 c855 1194 000d 1f55 7465 7374  BF...U.....Utest
    0x0020:  0a                                       .

Note: the iOS phone does not show any error in the LLDB console in Xcode, but I checked the iOS device log; here it is:

nesessionmanager    NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[inactive]): Sending start command
nesessionmanager    com.apple.NetworkExtension.IKEv2Provider[inactive]: starting
NEIKEv2Provider Hello, I'm launching as euid = 501, uid = 501, personaid = 1000, type = DEFAULT, name = <private>
NEIKEv2Provider Initializing connection
NEIKEv2Provider Removing all cached process handles
NEIKEv2Provider Sending handshake request attempt #1 to server
NEIKEv2Provider Creating connection to com.apple.runningboard
runningboardd   Resolved XPC Service com.apple.NetworkExtension.IKEv2Provider (NEIKEv2Provider.appex) with host pid 264, variant 2, scope 1, pid 1045, and euid 501
runningboardd   Resolved pid 1045 to [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045]
runningboardd   [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] This process will be managed.
runningboardd   Now tracking process: [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045]
runningboardd   Calculated state for xpcservice<com.apple.NetworkExtension.IKEv2Provider>: running-suspended (role: None)
runningboardd   Acquiring assertion targeting xpcservice<com.apple.NetworkExtension.IKEv2Provider> from originator [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] with description <RBSAssertionDescriptor; "plug-in checkin"; ID: 28-1045-18758; target: 1045> attributes = {
    <RBSDomainAttribute: 0x10047ea00; domain: com.apple.pluginkit; name: checkin; sourceEnvironment: 0x0>;
}
NEIKEv2Provider Handshake succeeded
NEIKEv2Provider Identity resolved as xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045
NEIKEv2Provider Bootstrapping; Bootstrap complete. Ready for handshake from host.
runningboardd   Assertion 28-1045-18758 (target:xpcservice<com.apple.NetworkExtension.IKEv2Provider>) will be created as active
NEIKEv2Provider [u FDD88F03-7FCC-4C2F-8607-B2E2513A2C0B] [(null)((null))] Prepare received as euid = 501, uid = 501, personaid = 1000, type = DEFAULT, name = <private>
NEIKEv2Provider [u 9081918D-B18E-4049-9763-411C314D8A08] [<private>(<private>)] Set sole personality.
NEIKEv2Provider [u 9081918D-B18E-4049-9763-411C314D8A08] [<private>(<private>)] Begin using received as euid = 501, uid = 501, personaid = 1000, type = DEFAULT, name = <private>
runningboardd   Calculated state for xpcservice<com.apple.NetworkExtension.IKEv2Provider>: running-active (role: UserInteractiveNonFocal)
runningboardd   Acquiring assertion targeting xpcservice<com.apple.NetworkExtension.IKEv2Provider> from originator [daemon<com.apple.neagent-ios>:264] with description <RBSAssertionDescriptor; com.apple.extension.session; ID: 28-264-18759; target: 1045> attributes = {
    <RBSLegacyAttribute: 0x1001dfd70; requestedReason: ViewService; reason: ViewService; flags: AllowIdleSleep | PreventTaskSuspend | PreventTaskThrottleDown | WantsForegroundResourcePriority>;
    <RBSAcquisitionCompletionAttribute: 0x10014baa0; policy: 0>;
}
runningboardd   Assertion 28-264-18759 (target:xpcservice<com.apple.NetworkExtension.IKEv2Provider>) will be created as active
runningboardd   Calculated state for xpcservice<com.apple.NetworkExtension.IKEv2Provider>: running-active (role: UserInteractiveNonFocal)
kernel  memorystatus: set assertion priority(3) target NEIKEv2Provider:1045
runningboardd   [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] Set jetsam priority to 3 [0] flag[1]
runningboardd   [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] Resuming task.
runningboardd   [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] Error 45 setting darwin role to UserInteractiveNonFocal: Operation not supported, falling back to setting priority
runningboardd   [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] Set darwin priority to: PRIO_DEFAULT
runningboardd   [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] Set GPU priority to "deny"
runningboardd   [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] Set jetsam priority to 14 [0] flag[1]
kernel  memorystatus: set assertion priority(14) target NEIKEv2Provider:1045
runningboardd   [xpcservice<com.apple.NetworkExtension.IKEv2Provider>:1045] Set GPU priority to "allow"
mediaserverd    -CMSessionMgr- CMSessionMgrHandleApplicationStateChange: CMSession: Client com.apple.NetworkExtension.IKEv2Provider with pid '1045' is now Background Suspended. Background entitlement: NO ActiveLongFormVideoSession: NO WhitelistedLongFormVideoApp NO
mediaserverd    -CMSessionMgr- CMSessionMgrHandleApplicationStateChange: CMSession: Sending stop command to com.apple.NetworkExtension.IKEv2Provider with pid '1045' because client is background suspended and there is no AirPlay video session for it
mediaserverd    SSServerImp.cpp:1179:SystemSoundServerKillSoundsForPID: pid 1045(NEIKEv2Provider)
runningboardd   Finished acquiring assertion 28-1045-18758 (target:xpcservice<com.apple.NetworkExtension.IKEv2Provider>)
runningboardd   Finished acquiring assertion 28-264-18759 (target:xpcservice<com.apple.NetworkExtension.IKEv2Provider>)
NEIKEv2Provider Invalidating plugin handshake assertion id 28-1045-18758
NEIKEv2Provider networkd_settings_read_from_file initialized networkd settings by reading plist directly
NEIKEv2Provider nw_path_evaluator_start [7D30D23D-E7DF-4288-825E-99AC5A26D94E <NULL> generic, indefinite]
    path: satisfied (Path is satisfied), interface: en0, ipv4, ipv6, dns
NEIKEv2Provider <NEIKEv2Provider:  (ifIndex 0)>: : New scoped interface (null) (0) (SATISFIED: 0)
NEIKEv2Provider <NEIKEv2Provider:  (ifIndex 0)>: : New scoped interface en0 (8) (SATISFIED: 1)
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[264]) initialized with Mach-O UUIDs (
    "A2F09822-6D48-317E-9449-F3E2BAD89E46"
)
NEIKEv2Provider <NEIKEv2Provider:  (ifIndex 8)>: : Starting tunnel on scoped interface UP (8)
NEIKEv2Provider [Extension com.apple.NetworkExtension.IKEv2Provider]: Calling startTunnelWithOptions with options 0x1029115c0
NEIKEv2Provider <NEIKEv2Provider:  (ifIndex 8)>: : startTunnelWithOptions Invoked
NEIKEv2Provider <NEIKEv2Provider: Primary Tunnel (ifIndex 8)>: : Starting IKEv2 Tunnel on scoped ifindex 8
NEIKEv2Provider NEIKEv2Transport: Adding client IKEv2Session[1, 0000000000000000-0000000000000000] with SPI CFA46EDC190B0782 on <NEIKEv2Transport> UDP 0.0.0.0:500 -> 66.70.190.224:500
NEIKEv2Provider [C1 44DF13F4-C4D3-4145-A044-CE0954EBD4EA IPv4#986e6b65:500 udp, interface: en0, local: IPv4#f480cbb5:500, prohibit joining] start
NEIKEv2Provider <NEIKEv2Provider: Primary Tunnel (ifIndex 8)>:  tunnel bringup requested
NEIKEv2Provider Connect IKEv2Session[1, CFA46EDC190B0782-0000000000000000]
NEIKEv2Provider nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state preparing
NEIKEv2Provider nw_flow_connected [C1 IPv4#986e6b65:500 in_progress socket-flow (satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns)] Output protocol connected
NEIKEv2Provider nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state ready
NEIKEv2Provider IKEv2Session[1, CFA46EDC190B0782-0000000000000000] Initiating IKEv2 connection
NEIKEv2Provider IKEv2IKESA[1.1, CFA46EDC190B0782-0000000000000000] state Disconnected -> Connecting
NEIKEv2Provider ChildSA[1, (null)-(null)] state Disconnected -> Connecting
mediaserverd    -CMSessionMgr- CMSessionMgrHandleApplicationStateChange: CMSession: Client com.apple.NetworkExtension.IKEv2Provider with pid '1045' is now Background Running. Background entitlement: NO ActiveLongFormVideoSession: NO WhitelistedLongFormVideoApp NO
mediaserverd    -CMSessionMgr- CMSessionMgrHandleApplicationStateChange: CMSession: Sending stop command to com.apple.NetworkExtension.IKEv2Provider with pid '1045' because client is not allowed to play in the background AND does not continue AirPlaying video when device locks
mediaserverd    SSServerImp.cpp:1179:SystemSoundServerKillSoundsForPID: pid 1045(NEIKEv2Provider)
runningboardd   Invalidating assertion 28-1045-18758 (target:xpcservice<com.apple.NetworkExtension.IKEv2Provider>) from originator 1045
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[264]) started with PID 1045 error (null)
runningboardd   Calculated state for xpcservice<com.apple.NetworkExtension.IKEv2Provider>: running-active (role: UserInteractiveNonFocal)
NEIKEv2Provider <NEIKEv2Provider: Primary Tunnel (ifIndex 8)>: : New scoped interface en0 (8) (SATISFIED: 1)
NEIKEv2Provider Disabling wildcard for client [NEIKEv2TransportClient CFA46EDC190B0782 IKEv2Session[1, CFA46EDC190B0782-C458DCA64125D8AA]] on <NEIKEv2Transport> UDP 192.168.1.35:500 -> 66.70.190.224:500
NEIKEv2Provider [C2 ACEA609A-76B1-4A6D-BBBB-1028C4D262A2 IPv4#986e6b65:4500 udp, interface: en0, local: IPv4#f480cbb5:4500, prohibit joining] start
NEIKEv2Provider NEIKEv2Transport: Adding client IKEv2Session[1, CFA46EDC190B0782-C458DCA64125D8AA] with SPI CFA46EDC190B0782 on <NEIKEv2Transport> UDP NAT-T 192.168.1.35:4500 -> 66.70.190.224:4500
NEIKEv2Provider nw_connection_report_state_with_handler_on_nw_queue [C2] reporting state preparing
NEIKEv2Provider nw_flow_connected [C2 IPv4#986e6b65:4500 in_progress socket-flow (satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns)] Transport protocol connected
NEIKEv2Provider nw_flow_connected [C2 IPv4#986e6b65:4500 in_progress socket-flow (satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns)] Output protocol connected
NEIKEv2Provider nw_connection_report_state_with_handler_on_nw_queue [C2] reporting state ready
apsd    <private> wifi is historically cheap? NO  awakePercentage = 0.008911,  wifiGrowAttemptDelta 24  wifiKeepAliveInterval 600.000000
NEIKEv2Provider IKEv2IKESA[1.1, CFA46EDC190B0782-C458DCA64125D8AA] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ErrorDomain Code=3 "PeerDidNotRespond" UserInfo={NSLocalizedDescription=PeerDidNotRespond}
NEIKEv2Provider IKEv2Session[1, CFA46EDC190B0782-C458DCA64125D8AA] Failed to receive IKE Auth packet (connect)
NEIKEv2Provider IKEv2IKESA[1.1, CFA46EDC190B0782-C458DCA64125D8AA] not changing state Disconnected nor error Error Domain=NEIKEv2ErrorDomain Code=3 "PeerDidNotRespond" UserInfo={NSLocalizedDescription=PeerDidNotRespond} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax: Failed to receive IKE Auth packet (connect)" UserInfo={NSLocalizedDescription=PeerInvalidSyntax: Failed to receive IKE Auth packet (connect)}
NEIKEv2Provider ChildSA[1, (null)-(null)] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ErrorDomain Code=3 "PeerDidNotRespond" UserInfo={NSLocalizedDescription=PeerDidNotRespond}
NEIKEv2Provider Resetting IKEv2Session[1, CFA46EDC190B0782-C458DCA64125D8AA]
NEIKEv2Provider Aborting session IKEv2Session[1, CFA46EDC190B0782-C458DCA64125D8AA]
NEIKEv2Provider IKEv2Session[1, CFA46EDC190B0782-C458DCA64125D8AA] KernelSASession[1, IKEv2 Session Database] Uninstalling all child SAs
NEIKEv2Provider Invalidating transports for IKEv2IKESA[1.1, CFA46EDC190B0782-C458DCA64125D8AA]
NEIKEv2Provider Cancelling client CFA46EDC190B0782 for <NEIKEv2Transport> UDP 192.168.1.35:500 -> 66.70.190.224:500
NEIKEv2Provider <NEIKEv2Transport> UDP 192.168.1.35:500 -> 66.70.190.224:500 out of clients, invalidating
NEIKEv2Provider Cancelling client CFA46EDC190B0782 for <NEIKEv2Transport> UDP NAT-T 192.168.1.35:4500 -> 66.70.190.224:4500
NEIKEv2Provider <NEIKEv2Transport> UDP NAT-T 192.168.1.35:4500 -> 66.70.190.224:4500 out of clients, invalidating
NEIKEv2Provider [C1 44DF13F4-C4D3-4145-A044-CE0954EBD4EA IPv4#986e6b65:500 udp, interface: en0, local: IPv4#f480cbb5:500, prohibit joining] cancel
NEIKEv2Provider [C1 44DF13F4-C4D3-4145-A044-CE0954EBD4EA IPv4#986e6b65:500 udp, interface: en0, local: IPv4#f480cbb5:500, prohibit joining] cancelled
    [C1 DC1F3C3E-FC2F-45E2-8E72-2CB4DB542E88 192.168.1.35:500<->IPv4#986e6b65:500]
    Connected Path: satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns
    Duration: 31.454s, , UDP @0.000s took 0.001s
NEIKEv2Provider 0.000s [C1 DC1F3C3E-FC2F-45E2-8E72-2CB4DB542E88 192.168.1.35:500<->IPv4#986e6b65:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] path:start
NEIKEv2Provider 0.000s [C1 DC1F3C3E-FC2F-45E2-8E72-2CB4DB542E88 192.168.1.35:500<->IPv4#986e6b65:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] path:satisfied
NEIKEv2Provider 0.000s [C1 DC1F3C3E-FC2F-45E2-8E72-2CB4DB542E88 192.168.1.35:500<->IPv4#986e6b65:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] flow:start_connect
NEIKEv2Provider 0.001s [C1 DC1F3C3E-FC2F-45E2-8E72-2CB4DB542E88 192.168.1.35:500<->IPv4#986e6b65:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] flow:finish_connect
NEIKEv2Provider <NEIKEv2Provider: Primary Tunnel (ifIndex 8)>: : stopping tunnel since IKE disconnected 14
NEIKEv2Provider Invalidating IKEv2Session[1, 256FD287653EA863-0000000000000000]
NEIKEv2Provider <NEIKEv2Provider: Primary Tunnel (ifIndex 8)>: : Invalidated session (IKEv2Session[1, 256FD287653EA863-0000000000000000])
NEIKEv2Provider 0.001s [C1 DC1F3C3E-FC2F-45E2-8E72-2CB4DB542E88 192.168.1.35:500<->IPv4#986e6b65:500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] flow:changed_viability
NEIKEv2Provider 31.454s [C1] path:cancel
NEIKEv2Provider [Extension com.apple.NetworkExtension.IKEv2Provider]: IPC detached
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[264]) did detach from IPC
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[264]) disconnected with reason Server is not responding
NEIKEv2Provider Aborting session IKEv2Session[1, 256FD287653EA863-0000000000000000]
NEIKEv2Provider Resetting IKEv2Session[1, 256FD287653EA863-0000000000000000]
NEIKEv2Provider Aborting session IKEv2Session[1, 256FD287653EA863-0000000000000000]
NEIKEv2Provider IKEv2Session[1, 256FD287653EA863-0000000000000000] KernelSASession[1, IKEv2 Session Database] Uninstalling all child SAs
NEIKEv2Provider Invalidating transports for IKEv2IKESA[1.1, 256FD287653EA863-0000000000000000]
NEIKEv2Provider IKEv2IKESA[1.1, 256FD287653EA863-0000000000000000] not changing state Disconnected nor error Error Domain=NEIKEv2ErrorDomain Code=3 "PeerDidNotRespond" UserInfo={NSLocalizedDescription=PeerDidNotRespond} -> (null)
NEIKEv2Provider <NEIPSecDB 0x102832b00 [0x1ee0bf728]> {UniqueIndex = 1} invalidating
NEIKEv2Provider IKEv2Session[1, 256FD287653EA863-0000000000000000] (null) Uninstalling all child SAs
error   00:23:49.541604+0430    NEIKEv2Provider IKE received error Operation canceled
NEIKEv2Provider nw_flow_disconnected [C1 IPv4#986e6b65:500 cancelled socket-flow ((null))] Output protocol disconnected
NEIKEv2Provider nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state cancelled
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Leaving state NESMVPNSessionStateStarting
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Entering state NESMVPNSessionStateStopping, timeout 20 seconds
nesessionmanager    <NESMServer: 0x102b04530>: Request to uninstall session: NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: status changed to disconnecting
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Updated network agent (inactive, compulsory, not-user-activiated, not-kernel-activated)
NEIKEv2Provider [C2 ACEA609A-76B1-4A6D-BBBB-1028C4D262A2 IPv4#986e6b65:4500 udp, interface: en0, local: IPv4#f480cbb5:4500, prohibit joining] cancel
NEIKEv2Provider [C2 ACEA609A-76B1-4A6D-BBBB-1028C4D262A2 IPv4#986e6b65:4500 udp, interface: en0, local: IPv4#f480cbb5:4500, prohibit joining] cancelled
    [C2 266C8052-AA5C-4EB8-8C2E-AC40CC1393D2 192.168.1.35:4500<->IPv4#986e6b65:4500]
    Connected Path: satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns
    Duration: 31.064s, , UDP @0.004s took 0.000s

NEIKEv2Provider 0.000s [C2 266C8052-AA5C-4EB8-8C2E-AC40CC1393D2 192.168.1.35:4500<->IPv4#986e6b65:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] path:start
NEIKEv2Provider 0.000s [C2 266C8052-AA5C-4EB8-8C2E-AC40CC1393D2 192.168.1.35:4500<->IPv4#986e6b65:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] path:satisfied
NEIKEv2Provider 0.004s [C2 266C8052-AA5C-4EB8-8C2E-AC40CC1393D2 192.168.1.35:4500<->IPv4#986e6b65:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] flow:start_connect
NEIKEv2Provider 0.004s [C2 266C8052-AA5C-4EB8-8C2E-AC40CC1393D2 192.168.1.35:4500<->IPv4#986e6b65:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] flow:finish_transport
NEIKEv2Provider 0.005s [C2 266C8052-AA5C-4EB8-8C2E-AC40CC1393D2 192.168.1.35:4500<->IPv4#986e6b65:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] flow:finish_connect
NEIKEv2Provider 0.005s [C2 266C8052-AA5C-4EB8-8C2E-AC40CC1393D2 192.168.1.35:4500<->IPv4#986e6b65:4500 socket-flow path=satisfied (Path is satisfied), interface: en0, scoped, ipv4, ipv6, dns] flow:changed_viability
NEIKEv2Provider 31.064s [C2] path:cancel
NEIKEv2Provider nw_flow_disconnected [C2 IPv4#986e6b65:4500 cancelled socket-flow ((null))] Output protocol disconnected
NEIKEv2Provider IKE received error Operation canceled
NEIKEv2Provider nw_flow_disconnected [C2 IPv4#986e6b65:4500 cancelled socket-flow ((null))] Output protocol disconnected
NEIKEv2Provider nw_connection_report_state_with_handler_on_nw_queue [C2] reporting state cancelled
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Leaving state NESMVPNSessionStateStopping
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Entering state NESMVPNSessionStateDisposing, timeout 5 seconds
nesessionmanager    com.apple.NetworkExtension.IKEv2Provider[264]: disposing
nesessionmanager    com.apple.NetworkExtension.IKEv2Provider[264]: Tearing down agent connection
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)] in state NESMVPNSessionStateDisposing: plugin NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[264]) dispose complete
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)] in state NESMVPNSessionStateDisposing: all plugins have disposed
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Leaving state NESMVPNSessionStateDisposing
nesessionmanager    com.apple.NetworkExtension.IKEv2Provider[264]: XPC connection went away
nesessionmanager    NEVPNTunnelPlugin(com.apple.NetworkExtension.IKEv2Provider[264]): Tearing down plugin connection
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: Entering state NESMVPNSessionStateIdle
nesessionmanager    NESMIKEv2VPNSession[Primary Tunnel:testVpn:2A64C821-848C-4475-9228-C55B0EC945C1:(null)]: status changed to disconnected, last stop reason Server is not responding

Answer 1

Focusing on port 4500/udp is correct, but the IKE_SA_INIT response is sent to the port from which the connecting peer initiated (usually 500/udp). See the second-to-last line in the log file above.
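As an added example (not part of the question or the answer above): a Python triage script that walks charon syslog lines like the ones in the question, uses the thread id to tie each "received packet" line to the "parsed ... request" line that follows it, and reports per peer whether an IKE_AUTH request ever arrived before charon deleted the half-open IKE_SA. The sample input reuses the stalled exchange from the question's log and adds a constructed healthy handshake from 203.0.113.7 (a documentation address); the line formats are real charon output, the healthy lines themselves are constructed.

```python
"""Triage charon syslog lines for IKEv2 handshakes that stall before IKE_AUTH."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The thread id ("16[NET]") is what ties a "received packet" line to the
# "parsed ... request" line charon logs right after it.
LINE_RE = re.compile(r"(?P<thr>\d+)\[[A-Z]+\] (?P<msg>.*)$")
RECV_RE = re.compile(r"received packet: from (?P<ip>[\d.]+)\[(?P<port>\d+)\] to \S+\[\d+\]")
PARSED_RE = re.compile(r"parsed (?P<exch>IKE_SA_INIT|IKE_AUTH) request")
SENT_RE = re.compile(r"sending packet: from \S+\[\d+\] to (?P<ip>[\d.]+)\[(?P<port>\d+)\]")
HALF_OPEN_RE = re.compile(r"deleting half open IKE_SA with (?P<ip>[\d.]+) after timeout")


@dataclass
class PeerState:
    init_port: Optional[int] = None       # port the IKE_SA_INIT request came from
    behind_nat: bool = False              # charon saw NAT via the NATD payloads
    init_resp_port: Optional[int] = None  # port the IKE_SA_INIT response went to
    auth_port: Optional[int] = None       # port an IKE_AUTH request came from, if ever
    half_open_timeout: bool = False       # charon gave up on the half-open IKE_SA


def parse_charon_log(lines: List[str]) -> Dict[str, PeerState]:
    peers: Dict[str, PeerState] = {}
    thread_peer: Dict[str, Tuple[str, int]] = {}  # thread id -> (ip, port) in hand
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        thr, msg = m.group("thr"), m.group("msg")
        if (r := RECV_RE.search(msg)):
            thread_peer[thr] = (r.group("ip"), int(r.group("port")))
        elif (p := PARSED_RE.search(msg)) and thr in thread_peer:
            ip, port = thread_peer[thr]
            st = peers.setdefault(ip, PeerState())
            if p.group("exch") == "IKE_SA_INIT":
                st.init_port = port
            else:
                st.auth_port = port
        elif "remote host is behind NAT" in msg and thr in thread_peer:
            peers.setdefault(thread_peer[thr][0], PeerState()).behind_nat = True
        elif (s := SENT_RE.search(msg)) and s.group("ip") in peers:
            st = peers[s.group("ip")]
            if st.init_resp_port is None:  # first reply is the IKE_SA_INIT response
                st.init_resp_port = int(s.group("port"))
        elif (h := HALF_OPEN_RE.search(msg)):
            peers.setdefault(h.group("ip"), PeerState()).half_open_timeout = True
    return peers


def diagnose(ip: str, st: PeerState) -> str:
    """One-line verdict per peer: did the handshake get past IKE_SA_INIT?"""
    if st.auth_port is not None:
        return f"{ip}: IKE_AUTH received on {st.auth_port}/udp, handshake got past IKE_SA_INIT"
    if st.half_open_timeout:
        # With NAT detected both sides float to 4500/udp for IKE_AUTH (RFC 7296, 2.23);
        # otherwise IKE_AUTH keeps using the port IKE_SA_INIT used.
        expected = 4500 if st.behind_nat else (st.init_port or 500)
        nat = "NAT detected, " if st.behind_nat else ""
        return (f"{ip}: IKE_SA_INIT answered to {st.init_resp_port}/udp but no IKE_AUTH "
                f"before half-open timeout; {nat}IKE_AUTH expected on {expected}/udp")
    return f"{ip}: handshake still in progress"


def triage(lines: List[str]) -> Dict[str, str]:
    return {ip: diagnose(ip, st) for ip, st in parse_charon_log(lines).items()}


# Sample input: the stalled handshake from the question's syslog, plus a
# constructed healthy handshake from 203.0.113.7 whose IKE_AUTH arrives on 4500/udp.
SAMPLE_LOG = [
    "Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[NET] received packet: from 151.243.253.166[500] to x.x.x.x[500] (604 bytes)",
    "Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]",
    "Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] remote host is behind NAT",
    "Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[NET] sending packet: from x.x.x.x[500] to 151.243.253.166[500] (473 bytes)",
    "Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 07[JOB] deleting half open IKE_SA with 151.243.253.166 after timeout",
    "Sep  3 07:30:01 vps-10d57688 charon: 12[NET] received packet: from 203.0.113.7[500] to x.x.x.x[500] (604 bytes)",
    "Sep  3 07:30:01 vps-10d57688 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]",
    "Sep  3 07:30:01 vps-10d57688 charon: 12[IKE] remote host is behind NAT",
    "Sep  3 07:30:01 vps-10d57688 charon: 12[NET] sending packet: from x.x.x.x[500] to 203.0.113.7[500] (473 bytes)",
    "Sep  3 07:30:01 vps-10d57688 charon: 14[NET] received packet: from 203.0.113.7[4500] to x.x.x.x[4500] (1236 bytes)",
    "Sep  3 07:30:01 vps-10d57688 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(EAP_ONLY) ]",
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_LOG).values():
        print(verdict)
```

For the question's peer the verdict is that the IKE_SA_INIT reply went out on 500/udp and nothing ever came back on 4500/udp, which is exactly the gap to chase with tcpdump on both ports.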
