strongSwan IKEv2: loading EAP_RADIUS method failed


My environment is a Windows RADIUS server with Active Directory and a Linux strongSwan server. My configuration sets up an IKEv2 VPN so that Active Directory users are accepted through the Windows RADIUS server. I keep getting this error:

Jan 21 18:52:36 coniston ipsec[1769]: 16[IKE] received EAP identity 'raytest'
Jan 21 18:52:36 coniston ipsec[1769]: 16[IKE] loading EAP_RADIUS method failed
Jan 21 18:52:36 coniston ipsec[1769]: 16[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]

Please help me find out what I am doing wrong.

The configuration files are as follows:

ipsec.conf:

config setup
        charondebug="ike 2, cfg 2"
        strictcrlpolicy=no
        uniqueids = no

conn %default
        mobike=yes
        dpdaction=restart
        closeaction=restart
        dpddelay=40s
        dpdtimeout=160s
        fragmentation=yes
        rekey=no
        reauth=yes
        keyexchange=ikev2
        auto=add
        esp=aes256-sha1,3des-sha1-modp1024!
        ike=aes256-sha256-modp1024,aes256-sha256-modp2048

conn window
        forceencaps=yes
        left=%any
        left=coniston.x.x.x
        leftsubnet=X.X.240.0/24
        leftauth=pubkey
        leftcert=server-cert.pem
        leftsendcert=always
        right=%any
        rightsourceip=X.X.115.0/24
        rightauth=eap-radius
        rightsendcert=never
        rightdns=X.X.6.19,X.X.5.31
        eap_identity=%identity


conn ios
        left=%any
        leftsubnet=X.X.240.0/24
        leftauth=psk
        leftid=coniston.x.x.x
        right=%any
        rightsourceip=X.X.115.0/24
        rightauth=eap-radius
        rightid=%any
        eap_identity=%any

strongswan.conf:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
      plugins {
                include strongswan.d/charon/*.conf

                eap-radius {
                         accounting = yes
                         #class_group = yes
                         eap_start = no
                         servers {
                                 primary {
                                         address = x.x.2.229
                                         secret = #hyteok#
                                       #  nas_identifer = ipsec-gateway
                                       #  sockets = 20
                                         preference = 99
                                         auth_port = 1812
                                         acct_port = 1813
                                 }
                           }
                }

        }

}

include strongswan.d/*.conf

Error log:

Jan 21 18:49:32 coniston systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
Jan 21 18:49:32 coniston charon[1729]: 00[DMN] SIGINT received, shutting down
Jan 21 18:49:32 coniston ipsec[1723]: 07[CFG] looking for peer configs matching x.x.3.161[%any]...x.x.5.164[x.x.5.164]
Jan 21 18:49:32 coniston ipsec[1723]: 07[CFG]   candidate "window", match: 1/1/1052 (me/other/ike)
Jan 21 18:49:32 coniston ipsec[1723]: 07[CFG]   candidate "ios", match: 1/1/28 (me/other/ike)
Jan 21 18:49:32 coniston ipsec[1723]: 07[CFG] selected peer config 'window'
Jan 21 18:49:32 coniston ipsec[1723]: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
Jan 21 18:49:32 coniston ipsec[1723]: 07[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jan 21 18:49:32 coniston ipsec[1723]: 07[IKE] processing INTERNAL_IP4_DNS attribute
Jan 21 18:49:32 coniston ipsec[1723]: 07[IKE] processing INTERNAL_IP4_NBNS attribute
Jan 21 18:49:32 coniston ipsec[1723]: 07[IKE] processing INTERNAL_IP4_SERVER attribute
Jan 21 18:49:32 coniston ipsec[1723]: 07[IKE] peer supports MOBIKE
Jan 21 18:49:32 coniston ipsec[1723]: 07[IKE] authentication of 'coniston.x.x.x' (myself) with RSA signature successful
Jan 21 18:49:32 coniston ipsec[1723]: 07[IKE] sending end entity cert "CN=coniston.x.x.x"
Jan 21 18:49:32 coniston ipsec[1723]: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jan 21 18:49:32 coniston ipsec[1723]: 07[ENC] splitting IKE message (1952 bytes) into 2 fragments
Jan 21 18:49:32 coniston ipsec[1723]: 07[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jan 21 18:49:32 coniston ipsec[1723]: 07[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jan 21 18:49:32 coniston ipsec[1723]: 07[NET] sending packet: from x.x.3.161[4500] to x.x.4.165[4500] (1236 bytes)
Jan 21 18:49:32 coniston ipsec[1723]: 07[NET] sending packet: from x.x.3.161[4500] to x.x.4.165[4500] (788 bytes)
Jan 21 18:49:32 coniston ipsec[1723]: 11[NET] received packet: from x.x.4.165[4500] to x.x.3.161[4500] (96 bytes)
Jan 21 18:49:32 coniston ipsec[1723]: 11[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jan 21 18:49:32 coniston ipsec[1723]: 11[IKE] received EAP identity 'raytest'
Jan 21 18:49:32 coniston ipsec[1723]: 11[IKE] loading EAP_RADIUS method failed
Jan 21 18:49:32 coniston ipsec[1723]: 11[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
Jan 21 18:49:32 coniston ipsec[1723]: 11[NET] sending packet: from x.x.3.161[4500] to x.x.4.165[4500] (80 bytes)
Jan 21 18:49:32 coniston ipsec[1723]: 11[IKE] IKE_SA window[5] state change: CONNECTING => DESTROYING
Jan 21 18:49:32 coniston ipsec[1723]: 08[NET] received packet: from x.x.4.165[500] to x.x.3.161[500] (408 bytes)
Jan 21 18:49:32 coniston ipsec[1723]: 08[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jan 21 18:49:32 coniston ipsec[1723]: 08[CFG] looking for an IKEv1 config for x.x.3.161...x.x.4.165
Jan 21 18:49:32 coniston ipsec[1723]: 08[IKE] no IKE config found for x.x.3.161...x.x.4.165, sending NO_PROPOSAL_CHOSEN
Jan 21 18:49:32 coniston ipsec[1723]: 08[ENC] generating INFORMATIONAL_V1 request 2055984794 [ N(NO_PROP) ]
Jan 21 18:49:32 coniston ipsec[1723]: 08[NET] sending packet: from x.x.3.161[500] to x.x.4.165[500] (40 bytes)
Jan 21 18:49:32 coniston ipsec[1723]: 08[IKE] IKE_SA (unnamed)[6] state change: CREATED => DESTROYING
Jan 21 18:49:32 coniston ipsec[1723]: 09[NET] received packet: from x.x.4.165[500] to x.x.3.161[500] (408 bytes)
Jan 21 18:49:32 coniston ipsec[1723]: 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jan 21 18:49:32 coniston ipsec[1723]: 09[CFG] looking for an IKEv1 config for x.x.3.161...x.x.4.165
Jan 21 18:49:32 coniston ipsec[1723]: 09[IKE] no IKE config found for x.x.3.161...x.x.4.165, sending NO_PROPOSAL_CHOSEN
Jan 21 18:49:32 coniston ipsec[1723]: 09[ENC] generating INFORMATIONAL_V1 request 974257482 [ N(NO_PROP) ]
Jan 21 18:49:32 coniston ipsec[1723]: 09[NET] sending packet: from x.x.3.161[500] to x.x.4.165[500] (40 bytes)
Jan 21 18:49:32 coniston ipsec[1723]: 09[IKE] IKE_SA (unnamed)[7] state change: CREATED => DESTROYING
Jan 21 18:49:32 coniston ipsec[1723]: 10[NET] received packet: from x.x.4.165[500] to x.x.3.161[500] (408 bytes)
Jan 21 18:49:32 coniston ipsec[1723]: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jan 21 18:49:32 coniston ipsec[1723]: 10[CFG] looking for an IKEv1 config for x.x.3.161...x.x.4.165
Jan 21 18:49:32 coniston ipsec[1723]: 10[IKE] no IKE config found for x.x.3.161...x.x.4.165, sending NO_PROPOSAL_CHOSEN
Jan 21 18:49:32 coniston ipsec[1723]: 10[ENC] generating INFORMATIONAL_V1 request 3615072223 [ N(NO_PROP) ]
Jan 21 18:49:32 coniston ipsec[1723]: 10[NET] sending packet: from x.x.3.161[500] to x.x.4.165[500] (40 bytes)
Jan 21 18:49:32 coniston ipsec[1723]: 10[IKE] IKE_SA (unnamed)[8] state change: CREATED => DESTROYING
Jan 21 18:49:32 coniston ipsec[1723]: 07[NET] received packet: from x.x.4.165[500] to x.x.3.161[500] (408 bytes)
Jan 21 18:49:32 coniston ipsec[1723]: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Jan 21 18:49:32 coniston ipsec[1723]: 07[CFG] looking for an IKEv1 config for x.x.3.161...x.x.4.165
Jan 21 18:49:32 coniston ipsec[1723]: 07[IKE] no IKE config found for x.x.3.161...x.x.4.165, sending NO_PROPOSAL_CHOSEN
Jan 21 18:49:32 coniston ipsec[1723]: 07[ENC] generating INFORMATIONAL_V1 request 3570586454 [ N(NO_PROP) ]
Jan 21 18:49:32 coniston ipsec[1723]: 07[NET] sending packet: from x.x.3.161[500] to x.x.4.165[500] (40 bytes)
Jan 21 18:49:32 coniston ipsec[1723]: 07[IKE] IKE_SA (unnamed)[9] state change: CREATED => DESTROYING
Jan 21 18:49:32 coniston ipsec[1723]: 00[DMN] SIGINT received, shutting down
Jan 21 18:49:32 coniston systemd[1]: strongswan-starter.service: Succeeded.
Jan 21 18:49:32 coniston ipsec[1723]: charon stopped after 200 ms
Jan 21 18:49:32 coniston ipsec[1723]: ipsec starter stopped
Jan 21 18:49:32 coniston systemd[1]: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Jan 21 18:49:32 coniston systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Jan 21 18:49:32 coniston ipsec[1769]: Starting strongSwan 5.9.1 IPsec [starter]...
Jan 21 18:49:32 coniston charon[1774]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 4.18.0-240.1.1.el8_3.x86_64, x86_64)
Jan 21 18:49:32 coniston charon[1774]: 00[LIB] openssl FIPS mode(0) - disabled
Jan 21 18:49:32 coniston charon[1774]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 21 18:49:32 coniston charon[1774]: 00[CFG]   loaded ca certificate "CN=VPN root CA" from '/etc/ipsec.d/cacerts/ca-cert.pem'
Jan 21 18:49:32 coniston charon[1774]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 21 18:49:32 coniston charon[1774]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 21 18:49:32 coniston charon[1774]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 21 18:49:32 coniston charon[1774]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 21 18:49:32 coniston charon[1774]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 21 18:49:32 coniston charon[1774]: 00[CFG]   loaded IKE secret for %any %any
Jan 21 18:49:32 coniston charon[1774]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server-key.pem'
Jan 21 18:49:32 coniston charon[1774]: 00[CFG]   loaded EAP secret for ray
Jan 21 18:49:32 coniston charon[1774]: 00[CFG] no RADIUS secret defined
Jan 21 18:49:32 coniston charon[1774]: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp certexpire radattr addrblock unity counters
Jan 21 18:49:32 coniston charon[1774]: 00[JOB] spawning 16 worker threads
Jan 21 18:49:32 coniston ipsec[1769]: charon (1774) started after 140 ms
Jan 21 18:49:32 coniston charon[1774]: 05[CFG] received stroke: add connection 'window'
Jan 21 18:49:32 coniston charon[1774]: 05[CFG] conn window
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   left=coniston.x.x.x
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   leftsubnet=255.255.240.0/24
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   leftauth=pubkey
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   leftcert=server-cert.pem
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   right=%any
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   rightsourceip=x.x.115.0/24
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   rightdns=x.x.6.19,x.x.5.31
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   rightauth=eap-radius
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   eap_identity=%identity
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   ike=aes256-sha256-modp1024,aes256-sha256-modp2048
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   esp=aes256-sha1,3des-sha1-modp1024!
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   dpddelay=40
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   dpdtimeout=160
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   dpdaction=3
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   closeaction=3
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   sha256_96=no
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   mediation=no
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   keyexchange=ikev2
Jan 21 18:49:32 coniston charon[1774]: 05[CFG] adding virtual IP address pool x.x.115.0/24
Jan 21 18:49:32 coniston charon[1774]: 05[CFG]   loaded certificate "CN=coniston.x.x.x" from 'server-cert.pem'
Jan 21 18:49:32 coniston charon[1774]: 05[CFG] added configuration 'window'
Jan 21 18:49:32 coniston charon[1774]: 07[CFG] received stroke: add connection 'ios'
Jan 21 18:49:32 coniston charon[1774]: 07[CFG] conn ios
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   left=%any
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   leftsubnet=255.255.240.0/24
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   leftauth=psk
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   leftid=coniston.x.x.x
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   right=%any
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   rightsourceip=x.x.115.0/24
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   rightauth=eap-radius
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   rightid=%any
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   eap_identity=%any
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   ike=aes256-sha256-modp1024,aes256-sha256-modp2048
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   esp=aes256-sha1,3des-sha1-modp1024!
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   dpddelay=40
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   dpdtimeout=160
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   dpdaction=3
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   closeaction=3
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   sha256_96=no
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   mediation=no
Jan 21 18:49:32 coniston charon[1774]: 07[CFG]   keyexchange=ikev2
Jan 21 18:49:32 coniston charon[1774]: 07[CFG] reusing virtual IP address pool x.x.115.0/24
Jan 21 18:49:32 coniston charon[1774]: 07[CFG] added configuration 'ios'
Jan 21 18:50:13 coniston charon[1774]: 11[NET] received packet: from x.x.4.165[500] to x.x.3.161[500] (1104 bytes)
Jan 21 18:50:13 coniston charon[1774]: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jan 21 18:50:13 coniston charon[1774]: 11[CFG] looking for an IKEv2 config for x.x.3.161...x.x.4.165
Jan 21 18:50:13 coniston charon[1774]: 11[CFG]   candidate: coniston.x.x.x...%any, prio 1052
Jan 21 18:50:13 coniston charon[1774]: 11[CFG]   candidate: %any...%any, prio 28
Jan 21 18:50:13 coniston charon[1774]: 11[CFG] found matching ike config: coniston.x.x.x...%any with prio 1052
Jan 21 18:50:13 coniston charon[1774]: 11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jan 21 18:50:13 coniston charon[1774]: 11[IKE] received MS-Negotiation Discovery Capable vendor ID
Jan 21 18:50:13 coniston charon[1774]: 11[IKE] received Vid-Initial-Contact vendor ID
Jan 21 18:50:13 coniston ipsec[1769]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 4.18.0-240.1.1.el8_3.x86_64, x86_64)
Jan 21 18:50:13 coniston ipsec[1769]: 00[LIB] openssl FIPS mode(0) - disabled
Jan 21 18:50:13 coniston ipsec[1769]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 21 18:50:13 coniston ipsec[1769]: 00[CFG]   loaded ca certificate "CN=VPN root CA" from '/etc/ipsec.d/cacerts/ca-cert.pem'
Jan 21 18:50:13 coniston ipsec[1769]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 21 18:50:13 coniston ipsec[1769]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 21 18:50:13 coniston ipsec[1769]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 21 18:50:13 coniston ipsec[1769]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 21 18:50:13 coniston ipsec[1769]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 21 18:50:13 coniston ipsec[1769]: 00[CFG]   loaded IKE secret for %any %any
Jan 21 18:50:13 coniston ipsec[1769]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server-key.pem'
Jan 21 18:50:13 coniston ipsec[1769]: 00[CFG]   loaded EAP secret for ray
Jan 21 18:50:13 coniston ipsec[1769]: 00[CFG] no RADIUS secret defined
Jan 21 18:50:13 coniston ipsec[1769]: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp certexpire radattr addrblock unity counters
Jan 21 18:50:13 coniston ipsec[1769]: 00[JOB] spawning 16 worker threads
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG] received stroke: add connection 'window'
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG] conn window
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   left=coniston.x.x.x
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   leftsubnet=255.255.240.0/24
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   leftauth=pubkey
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   leftcert=server-cert.pem
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   right=%any
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   rightsourceip=x.x.115.0/24
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   rightdns=128.16.6.19,128.16.5.31
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   rightauth=eap-radius
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   eap_identity=%identity
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   ike=aes256-sha256-modp1024,aes256-sha256-modp2048
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   esp=aes256-sha1,3des-sha1-modp1024!
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   dpddelay=40
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   dpdtimeout=160
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   dpdaction=3
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   closeaction=3
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   sha256_96=no
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   mediation=no
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   keyexchange=ikev2
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG] adding virtual IP address pool x.x.115.0/24
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG]   loaded certificate "CN=coniston.x.x.x" from 'server-cert.pem'
Jan 21 18:50:13 coniston charon[1774]: 11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jan 21 18:50:13 coniston ipsec[1769]: 05[CFG] added configuration 'window'
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG] received stroke: add connection 'ios'
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG] conn ios
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   left=%any
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   leftsubnet=255.255.240.0/24
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   leftauth=psk
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   leftid=coniston.x.x.x
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   right=%any
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   rightsourceip=x.x.115.0/24
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   rightauth=eap-radius
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   rightid=%any
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   eap_identity=%any
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   ike=aes256-sha256-modp1024,aes256-sha256-modp2048
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   esp=aes256-sha1,3des-sha1-modp1024!
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   dpddelay=40
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   dpdtimeout=160
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   dpdaction=3
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   closeaction=3
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   sha256_96=no
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   mediation=no
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG]   keyexchange=ikev2
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG] reusing virtual IP address pool x.x.115.0/24
Jan 21 18:50:13 coniston ipsec[1769]: 07[CFG] added configuration 'ios'
Jan 21 18:50:13 coniston ipsec[1769]: 11[NET] received packet: from x.x.4.165[500] to x.x.3.161[500] (1104 bytes)
Jan 21 18:50:13 coniston ipsec[1769]: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jan 21 18:50:13 coniston ipsec[1769]: 11[CFG] looking for an IKEv2 config for x.x.3.161...x.x.4.165
Jan 21 18:50:13 coniston ipsec[1769]: 11[CFG]   candidate: coniston.x.x.x...%any, prio 1052
Jan 21 18:50:13 coniston ipsec[1769]: 11[CFG]   candidate: %any...%any, prio 28
Jan 21 18:50:13 coniston ipsec[1769]: 11[CFG] found matching ike config: coniston.x.x.x...%any with prio 1052
Jan 21 18:50:13 coniston ipsec[1769]: 11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jan 21 18:50:13 coniston ipsec[1769]: 11[IKE] received MS-Negotiation Discovery Capable vendor ID

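Answer 1

The RADIUS secret you defined contains # characters, which are used for comments in strongSwan configuration files. So with

secret = #hyteok#

you don't actually define a secret, because everything after the first # is treated as a comment. To use such a secret, put it in quotes: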

secret = "#hyteok#"
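
An added example, not part of the original answer: a small Python check that applies a simplified model of strongswan.conf comment handling (an assumption of this example, not strongSwan's own parser) to flag secret values that an unquoted # empties or shortens, and picks the two symptom lines from the question out of a log. The sample config and log lines are constructed; the section names "quoted" and "midvalue" are hypothetical.

```python
import re

# Constructed sample: "primary" reproduces the question's line; "quoted" and
# "midvalue" are hypothetical entries showing the quoted and mid-value cases.
SAMPLE_CONF = """\
servers {
    primary {
        secret = #hyteok#
    }
    quoted {
        secret = "#hyteok#"
    }
    midvalue {
        secret = abc#def
    }
}
"""

# Constructed log lines in the format shown in the question.
SAMPLE_LOG = """\
Jan 21 18:49:32 coniston charon[1774]: 00[CFG] no RADIUS secret defined
Jan 21 18:49:32 coniston charon[1774]: 00[JOB] spawning 16 worker threads
Jan 21 18:52:36 coniston ipsec[1769]: 16[IKE] loading EAP_RADIUS method failed
"""

SECRET_RE = re.compile(r'^\s*secret\s*=(.*)$')
LOG_MARKERS = ("no RADIUS secret defined", "loading EAP_RADIUS method failed")

def strip_comment(text):
    """Drop everything from the first '#' that is not inside double quotes.
    Simplified model of strongswan.conf comments (assumption of this example)."""
    in_quotes = False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != '\\'):
            in_quotes = not in_quotes
        elif ch == '#' and not in_quotes:
            return text[:i]
    return text

def lint_secrets(conf_text):
    """Return (line number, status) for secrets that '#' empties or shortens."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = SECRET_RE.match(line)
        if not m:
            continue  # not an active "secret =" line (commented-out keys are skipped)
        written = m.group(1).strip()
        effective = strip_comment(m.group(1)).strip()
        if written and not effective:
            findings.append((lineno, "empty"))
        elif effective != written:
            findings.append((lineno, "truncated"))
    return findings

def radius_log_hits(log_text):
    """Return the log lines that carry one of the two symptoms from the page."""
    return [l for l in log_text.splitlines() if any(m in l for m in LOG_MARKERS)]

if __name__ == "__main__":
    for lineno, status in lint_secrets(SAMPLE_CONF):
        print(f"line {lineno}: secret is {status} after comment stripping")
    for hit in radius_log_hits(SAMPLE_LOG):
        print("log:", hit)
```

A "truncated" result also fires for an intentional trailing comment after a secret, so treat it as a prompt to look at the line rather than as proof of a broken value.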
