Cannot connect macOS to a StrongSwan VPN server installed on Ubuntu

I am having trouble connecting to an IKEv2 VPN running on an Ubuntu VM on GCP. I have tried connecting from macOS and from Windows. I followed this tutorial to install the VPN on the Ubuntu VM. I need the VPN so that I can give several people a static IP and let them connect to a non-public application running on GCP. I read that a client/server VPN is the solution I need, which is why I tried this tutorial. Could the problem with the configuration be that only Ubuntu OS can connect to the VPN?

The only difference from the tutorial is that I replaced the domain name in the tutorial with the IP address of the GCP VM. The error message on macOS is "User authentication failed", and I have loaded the ca.cert.pem from the VPN server into Keychain Access on macOS. There is a similar problem when connecting from Windows 10: I put the pem file into Trusted Root Certification Authorities, but I cannot connect with the username and password.

I found the following log in /var/log/syslog on the Ubuntu server while trying to connect with the built-in macOS IKEv2 client:

Jun 13 12:54:14 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.152.0.2[500]
Jun 13 12:54:14 vpn-instance charon: 03[NET] waiting for data on sockets
Jun 13 12:54:14 vpn-instance charon: 09[MGR] checkout IKEv2 SA by message with SPIs e2706de3b7c70401_i 0000000000000000_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500] (740 bytes)
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 10[MGR] checkin IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 10[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 03[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.152.0.2[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 03[NET] waiting for data on sockets
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[MGR] checkout IKEv2 SA by message with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[MGR] IKE_SA ipsec-ikev2-vpn[6] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.152.0.2[4500] (80 bytes)
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[IKE] initiating EAP_MSCHAPV2 method (id 0x9C)
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500] (112 bytes)
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[MGR] checkin IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[MGR] checkout IKEv2 SA with SPIs 05c7426145bd1401_i 0b4b7fc130e9023e_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[IKE] sending keep alive to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 13[MGR] checkout IKEv2 SA with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 13[MGR] IKE_SA ipsec-ikev2-vpn[6] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 13[MGR] checkin IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 13[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[MGR] checkout IKEv2 SA with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[MGR] IKE_SA ipsec-ikev2-vpn[6] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[IKE] sending keep alive to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[MGR] checkin IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[MGR] checkout IKEv2 SA with SPIs 05c7426145bd1401_i 0b4b7fc130e9023e_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jun 13 12:54:14 vpn-instance charon: 09[MGR] created IKE_SA (unnamed)[7]
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[JOB] deleting half open IKE_SA with xxx.xxx.xxx.xxx after timeout
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[5]
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[IKE] IKE_SA ipsec-ikev2-vpn[5] state change: CONNECTING => DESTROYING
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[MGR] checkin and destroy of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[MGR] checkout IKEv2 SA with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[MGR] IKE_SA ipsec-ikev2-vpn[6] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[JOB] deleting half open IKE_SA with xxx.xxx.xxx.xxx after timeout
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[IKE] IKE_SA ipsec-ikev2-vpn[6] state change: CONNECTING => DESTROYING
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[MGR] checkin and destroy of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 06[MGR] checkout IKEv2 SA with SPIs 05c7426145bd1401_i 0b4b7fc130e9023e_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 06[MGR] IKE_SA checkout not successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 05[MGR] checkout IKEv2 SA with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 05[MGR] IKE_SA checkout not successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 03[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.152.0.2[500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 03[NET] waiting for data on sockets
Jun 13 12:54:14 vpn-instance ipsec[540]: 09[MGR] checkout IKEv2 SA by message with SPIs e2706de3b7c70401_i 0000000000000000_r
Jun 13 12:54:14 vpn-instance charon: 03[NET] waiting for data on sockets
Jun 13 12:54:14 vpn-instance charon: 14[MGR] checkout IKEv2 SA by message with SPIs 25159daea9f11f1d_i 64799938fac7977c_r
Jun 13 12:54:14 vpn-instance charon: 14[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:14 vpn-instance charon: 14[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.152.0.2[4500] (80 bytes)
Jun 13 12:54:14 vpn-instance charon: 14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jun 13 12:54:14 vpn-instance charon: 14[IKE] initiating EAP_MSCHAPV2 method (id 0x4A)
Jun 13 12:54:14 vpn-instance charon: 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 13 12:54:14 vpn-instance charon: 14[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500] (112 bytes)
Jun 13 12:54:14 vpn-instance charon: 14[MGR] checkin IKE_SA ipsec-ikev2-vpn[8]
Jun 13 12:54:14 vpn-instance charon: 14[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:34 vpn-instance charon: 16[MGR] checkout IKEv2 SA with SPIs e2706de3b7c70401_i 3ff8ef2239e91120_r
Jun 13 12:54:34 vpn-instance charon: 16[MGR] IKE_SA ipsec-ikev2-vpn[7] successfully checked out
Jun 13 12:54:34 vpn-instance charon: 16[IKE] sending keep alive to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:34 vpn-instance charon: 16[MGR] checkin IKE_SA ipsec-ikev2-vpn[7]
Jun 13 12:54:34 vpn-instance charon: 16[MGR] checkin of IKE_SA successful
Jun 13 12:54:34 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:34 vpn-instance charon: 06[MGR] checkout IKEv2 SA with SPIs 25159daea9f11f1d_i 64799938fac7977c_r
Jun 13 12:54:34 vpn-instance charon: 06[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:34 vpn-instance charon: 06[IKE] sending keep alive to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:34 vpn-instance charon: 06[MGR] checkin IKE_SA ipsec-ikev2-vpn[8]
Jun 13 12:54:34 vpn-instance charon: 06[MGR] checkin of IKE_SA successful
Jun 13 12:54:34 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:44 vpn-instance charon: 05[MGR] checkout IKEv2 SA with SPIs e2706de3b7c70401_i 3ff8ef2239e91120_r
Jun 13 12:54:44 vpn-instance charon: 05[MGR] IKE_SA ipsec-ikev2-vpn[7] successfully checked out
Jun 13 12:54:44 vpn-instance charon: 05[JOB] deleting half open IKE_SA with xxx.xxx.xxx.xxx after timeout
Jun 13 12:54:44 vpn-instance charon: 05[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[7]
Jun 13 12:54:44 vpn-instance charon: 05[IKE] IKE_SA ipsec-ikev2-vpn[7] state change: CONNECTING => DESTROYING
Jun 13 12:54:44 vpn-instance charon: 05[MGR] checkin and destroy of IKE_SA successful
Jun 13 12:54:44 vpn-instance charon: 07[MGR] checkout IKEv2 SA with SPIs 25159daea9f11f1d_i 64799938fac7977c_r
Jun 13 12:54:44 vpn-instance charon: 07[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:44 vpn-instance charon: 07[JOB] deleting half open IKE_SA with xxx.xxx.xxx.xxx after timeout
Jun 13 12:54:44 vpn-instance charon: 07[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[8]
Jun 13 12:54:44 vpn-instance charon: 07[IKE] IKE_SA ipsec-ikev2-vpn[8] state change: CONNECTING => DESTROYING
Jun 13 12:54:44 vpn-instance charon: 07[MGR] checkin and destroy of IKE_SA successful
Jun 13 12:54:54 vpn-instance charon: 08[MGR] checkout IKEv2 SA with SPIs e2706de3b7c70401_i 3ff8ef2239e91120_r
Jun 13 12:54:54 vpn-instance charon: 08[MGR] IKE_SA checkout not successful
Jun 13 12:54:54 vpn-instance charon: 09[MGR] checkout IKEv2 SA with SPIs 25159daea9f11f1d_i 64799938fac7977c_r
Jun 13 12:54:54 vpn-instance charon: 09[MGR] IKE_SA checkout not successful

Can you tell me what might be wrong?

EDIT: I have added more syslog output above, taken from my log while I try to connect.

The configuration in /etc/ipsec.conf is as follows:

config setup
  charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
  strictcrlpolicy=no
  uniqueids=yes
  cachecrls=no

conn ipsec-ikev2-vpn
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  dpdaction=clear
  dpddelay=300s
  rekey=no
  left=%any
  leftid=xx.xxx.xxx.219
  leftcert=server.cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-mschapv2
  rightsourceip=192.168.0.0/24
  rightdns=8.8.8.8 # DNS to be assigned to clients
  rightsendcert=never
  eap_identity=%identity

The macOS VPN configuration is just the server address and the remote ID (i.e. the IP address of the Ubuntu server) plus the corresponding authentication settings (i.e. the username and password I set in /etc/ipsec.secrets).

I cannot see any VPN-related events in the logs on the MacBook, e.g. racoon.log or ppp.log. It is also hard to find information online about macOS VPN logs, which is why this problem is tricky to solve. Could the IKEv2 VPN logs be somewhere else on Big Sur?

SOLVED: Had to make sure the username and password were correctly applied in the macOS IKEv2 authentication settings.
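The charon log above shows the tell-tale signature of the final fix: the server generates the EAP/REQ/MSCHAPV2 challenge, never parses an EAP/RES/MSCHAPV2 answer, and then deletes the half-open IKE_SA while it is still CONNECTING, meaning the client never sent credentials. The following script is an added example of my own (not code from the question, strongSwan or the tutorial) that attributes charon lines to their IKE_SA and reports that pattern; the sample log is constructed from the question's excerpt, with a made-up successful handshake (SA [9]) added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon excerpt in the question: SA [8] is the
# failing pattern from the question, SA [9] a made-up successful handshake for contrast.
SAMPLE_LOG = """\
Jun 13 12:54:14 vpn-instance charon: 14[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:14 vpn-instance charon: 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 13 12:54:44 vpn-instance charon: 07[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:44 vpn-instance charon: 07[JOB] deleting half open IKE_SA with xxx.xxx.xxx.xxx after timeout
Jun 13 12:54:44 vpn-instance charon: 07[IKE] IKE_SA ipsec-ikev2-vpn[8] state change: CONNECTING => DESTROYING
Jun 13 12:55:02 vpn-instance charon: 09[MGR] IKE_SA ipsec-ikev2-vpn[9] successfully checked out
Jun 13 12:55:02 vpn-instance charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 13 12:55:02 vpn-instance charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 13 12:55:02 vpn-instance charon: 09[IKE] IKE_SA ipsec-ikev2-vpn[9] state change: CONNECTING => ESTABLISHED
"""

# charon lines look like "charon: <thread>[<group>] <msg>" or "ipsec[<pid>]: <thread>[<group>] <msg>"
LINE_RE = re.compile(r"(?:charon|ipsec\[\d+\]): (?P<thread>\d+)\[\w+\] (?P<msg>.*)$")
SA_RE = re.compile(r"IKE_SA (?P<sa>[\w-]+\[\d+\])")
STATE_RE = re.compile(r"state change: \w+ => (?P<to>\w+)")

def verdict(s):
    if s["final"] == "ESTABLISHED":
        return "established"
    if s["challenge"] and not s["response"] and s["final"] == "DESTROYING":
        return "no EAP-MSCHAPv2 response from client: check client credentials"
    return "incomplete"

def analyse_charon_log(text):
    """Return {IKE_SA name: verdict}; a thread's lines belong to the SA it last checked out."""
    thread_sa = {}
    sas = defaultdict(lambda: {"challenge": False, "response": False, "final": None})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        if named := SA_RE.search(msg):
            thread_sa[thread] = named.group("sa")
        sa = thread_sa.get(thread)
        if sa is None:
            continue
        if st := STATE_RE.search(msg):
            sas[sa]["final"] = st.group("to")
        if "[ EAP/REQ/MSCHAPV2 ]" in msg:    # server sent the MSCHAPv2 challenge
            sas[sa]["challenge"] = True
        elif "[ EAP/RES/MSCHAPV2 ]" in msg:  # client answered it
            sas[sa]["response"] = True
    return {sa: verdict(s) for sa, s in sas.items()}
```

Run it against a real /var/log/syslog capture with charondebug at the level shown in the ipsec.conf above; an SA that reaches ESTABLISHED but still fails is a different problem (typically the child SA or routing), which this check does not cover.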
