I am using strongSwan 5.6.2 on Ubuntu 18. I can connect to it with the strongSwan client on Android, and it also works with Win7 IKEv2.
But I am in China and cannot access Google Play to install the strongSwan client in the first place. So I have to configure the server to use L2TP/IPsec XAUTH PSK mode without a CA file.
Here is ipsec.conf:
config setup
charondebug="all"
uniqueids=no
conn android_xauth_psk
type=transport
keyexchange=ike
aggressive = yes
left=%defaultroute
leftauth=psk
leftsubnet=0.0.0.0/0
leftprotoport=17/1701
right=%any
authby=psk
#xauth=server
rightauth=psk
#rightauth2=xauth
#rightauth=pubkey
#rightauth2=xauth
rightsourceip=10.10.10.0/24
rightdns=8.8.8.8,8.8.4.4
#ike = 3des-md5-modp1024!
#esp = 3des-md5-modp1024!
auto=add
and in strongswan.conf:
load_modular = yes
load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke
kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
Then I get the following error:
May 2 23:11:12 ip-172-31-31-249 charon-custom: 12[IKE] 120.230.79.229 is initiating a Main Mode IKE_SA
May 2 23:11:12 ip-172-31-31-249 charon-custom: 12[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
May 2 23:11:12 ip-172-31-31-249 charon-custom: 12[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/CHACHA20_POLY1305_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
May 2 23:11:12 ip-172-31-31-249 charon-custom: 12[IKE] no proposal found
If I add
ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024
to ipsec.conf, the error changes to
May 2 23:46:05 ip-172-31-31-249 charon-custom: 13[CFG] looking for XAuthInitPSK peer configs matching 172.31.31.249...183.37.131.20[10.3.130.208]
May 2 23:46:05 ip-172-31-31-249 charon-custom: 13[IKE] found 1 matching config, but none allows XAuthInitPSK authentication using Main Mode
May 2 23:46:05 ip-172-31-31-249 charon-custom: 13[ENC] generating INFORMATIONAL_V1 request 1053446643 [ HASH N(AUTH_FAILED) ]
I don't know what to do next. Any help? Many thanks!
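The second log says it plainly: the client sends a Main Mode XAuth/PSK request (XAuthInitPSK), but the conn above only matches Aggressive Mode (aggressive = yes) and has no XAuth round configured (rightauth2=xauth is commented out). The following is an added example, not the poster's configuration: a conn that accepts that client, shown next to the two offending lines; the subnet, secret and user name are placeholders, and dropping the L2TP-specific transport-mode lines assumes the client is a plain XAuth PSK client, as the log suggests.

```ini
# ipsec.conf (added example, not the poster's file)
#
# Offending lines from the original conn, for comparison:
#   aggressive = yes     -> conn only matches Aggressive Mode; the client initiates Main Mode
#   #rightauth2=xauth    -> no XAuth round, so "none allows XAuthInitPSK authentication"
#   type=transport / leftprotoport=17/1701 -> L2TP settings, not needed for a plain XAuth PSK
#                           client (assumption based on the XAuthInitPSK log line)
conn android_xauth_psk
    keyexchange=ikev1
    # Main Mode is the default; keep it. Aggressive Mode with PSK exposes the PSK hash to
    # offline guessing, which is why strongSwan refuses it unless explicitly enabled.
    aggressive=no
    left=%defaultroute
    leftauth=psk
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=psk
    # second authentication round: XAuth username/password from ipsec.secrets
    rightauth2=xauth
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    # proposals taken from the "received proposals" log line above; the client offers only
    # MODP_1024, so the weak group is listed because nothing stronger would match
    ike=aes256-sha256-modp1024,aes256-sha1-modp1024,aes128-sha1-modp1024
    auto=add

# ipsec.secrets (placeholders, not the poster's values)
#   %any : PSK "PLACEHOLDER_PRESHARED_KEY"
#   vpnuser : XAUTH "PLACEHOLDER_PASSWORD"

# strongswan.conf check: the explicit "load = ..." line above omits xauth-generic, the
# plugin that serves the XAUTH entries from ipsec.secrets; add it to that list.
```

After editing, run `ipsec update` (or restart) and watch the charon log for "XAuthInitPSK" followed by a successful XAuth exchange instead of N(AUTH_FAILED).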