I am negotiating an SA in transport mode through a NAT-T environment, and the peer authentication method is PSK.
When I use main mode, the IKE negotiation completes normally and the PSK lookup log is:
Jan 6 01:24:06 09[CFG] <1> looking for pre-shared key peer configs matching 192.168.163.130...10.1.1.10[10.1.1.10]
Jan 6 01:24:06 09[CFG] <1> candidate "trap-a", match: 1/20/3100 (me/other/ike)
Jan 6 01:24:06 09[CFG] <1> selected peer config "trap-a"
But when I use aggressive mode, strongSwan reports an error while processing the first received message:
Jan 6 01:45:38 05[CFG] <1> looking for pre-shared key peer configs matching 192.168.163.130...10.1.1.10[10.1.1.10]
Jan 6 01:45:38 05[IKE] <1> no peer config found
I checked the startup log and it looks fine, since the IDs are loaded as:
Jan 6 01:23:45 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Jan 6 01:23:45 00[CFG] loaded IKE secret for %any
Jan 6 01:23:45 00[CFG] loaded IKE secret for %any
Jan 6 01:23:45 00[CFG] loaded IKE secret for 10.1.1.10
My configuration is as follows:
ipsec.conf
conn %default
ikelifetime=6m
keylife=5m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
ike=aes256-sha256-modp1024
esp=aes256-sha256-modp1024
authby=psk
type=transport
auto=route
fragmentation=no
rekey=no
forceencaps=yes
conn trap-a
aggressive=yes # set to aggressive=no when testing main mode
left=192.168.163.130
leftsubnet=192.168.163.0/24
right=10.1.1.10
rightsubnet=10.1.1.0/24
auto=add
ipsec.secrets
: PSK "123456"
%any : PSK "123456"
10.1.1.10 : PSK "123456"
strongswan.conf
charon {
load_modular = yes
i_dont_care_about_security_and_use_aggressive_mode_psk = yes
plugins {
include strongswan.d/charon/*.conf
}
install_routes = no
filelog {
charon {
path = /etc/strongswan/logs/strongswan.log
time_format = %b %e %T
ike_name = yes
append = no
default = 2
flush_line = yes
}
stderr {
ike = 4
knl = 4
}
}
}
include strongswan.d/*.conf
Is there something wrong with my configuration?
The network topology is as follows:
Public network initiator --- Public network NAT --- Intranet responder
10.1.1.10-----------------10.1.1.11--192.168.163.1------192.168.163.130
Thanks for any help!
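The log lines and ipsec.secrets content quoted in the post can be checked mechanically. The following is an added example (my own code, not part of the original post and not strongSwan project code): it parses the charon filelog lines in the format the post's strongswan.conf produces (time_format = %b %e %T, ike_name = yes), reconstructs each "looking for pre-shared key peer configs" lookup together with its scored candidates and outcome, and reports which ipsec.secrets selectors would match the identity the responder saw. The selector matching is deliberately simplified (an empty selector list or %any matches anything, otherwise exact string comparison); the sample log and secrets are constructed inline from the post.

```python
"""Added example, not from the original post or the strongSwan project.

Parses charon log lines and ipsec.secrets text and correlates PSK peer-config
lookups with the secrets that would match the peer identity.
Assumption: selector matching is simplified to "empty or %any matches all,
otherwise exact string match" (no subnet, FQDN or multi-id handling).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the charon log lines quoted in the post.
SAMPLE_LOG = """\
Jan 6 01:24:06 09[CFG] <1> looking for pre-shared key peer configs matching 192.168.163.130...10.1.1.10[10.1.1.10]
Jan 6 01:24:06 09[CFG] <1> candidate "trap-a", match: 1/20/3100 (me/other/ike)
Jan 6 01:24:06 09[CFG] <1> selected peer config "trap-a"
Jan 6 01:45:38 05[CFG] <1> looking for pre-shared key peer configs matching 192.168.163.130...10.1.1.10[10.1.1.10]
Jan 6 01:45:38 05[IKE] <1> no peer config found
"""

# Constructed sample input: the ipsec.secrets content quoted in the post.
SAMPLE_SECRETS = """\
: PSK "123456"
%any : PSK "123456"
10.1.1.10 : PSK "123456"
"""

# filelog line: "<%b %e %T> <thread>[<subsystem>] <<ike-sa-id>> <message>"
LOG_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<sub>\w+)\] <(?P<sa>\d+)> (?P<msg>.*)$')
LOOKUP_RE = re.compile(r'^looking for pre-shared key peer configs matching (?P<me>\S+?)\.\.\.(?P<other>[^\[\s]+)\[(?P<other_id>[^\]]+)\]$')
CANDIDATE_RE = re.compile(r'^candidate "(?P<name>[^"]+)", match: (?P<me>\d+)/(?P<other>\d+)/(?P<ike>\d+) \(me/other/ike\)$')
SELECTED_RE = re.compile(r'^selected peer config "(?P<name>[^"]+)"$')


@dataclass
class Lookup:
    timestamp: str
    me: str
    other: str
    other_id: str
    candidates: List[Tuple[str, int, int, int]] = field(default_factory=list)  # (name, me, other, ike)
    selected: Optional[str] = None
    failed: bool = False


def parse_lookups(log_text: str) -> List[Lookup]:
    """Group log lines into peer-config lookups, from 'looking for ...' to its outcome."""
    lookups: List[Lookup] = []
    current: Optional[Lookup] = None
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a charon filelog line in the expected format
        msg = m.group('msg')
        lk = LOOKUP_RE.match(msg)
        if lk:
            current = Lookup(m.group('ts'), lk.group('me'), lk.group('other'), lk.group('other_id'))
            lookups.append(current)
            continue
        if current is None:
            continue
        c = CANDIDATE_RE.match(msg)
        if c:
            current.candidates.append((c.group('name'), int(c.group('me')), int(c.group('other')), int(c.group('ike'))))
            continue
        s = SELECTED_RE.match(msg)
        if s:
            current.selected = s.group('name')
            current = None  # lookup resolved
            continue
        if msg == 'no peer config found':
            current.failed = True
            current = None  # lookup resolved (negatively)
    return lookups


def parse_secrets(secrets_text: str) -> List[Tuple[List[str], str]]:
    """Return [(selectors, secret)] for every PSK line; an empty selector list means 'any id'."""
    entries = []
    for raw in secrets_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or ':' not in line:
            continue
        sel_part, rest = line.split(':', 1)
        kind, _, value = rest.strip().partition(' ')
        if kind != 'PSK':
            continue  # RSA/ECDSA/EAP entries are not relevant here
        entries.append((sel_part.split(), value.strip().strip('"')))
    return entries


def matching_selectors(secrets_text: str, identity: str) -> List[List[str]]:
    """Selector lists that would match the given peer identity (simplified rules, see module docstring)."""
    return [sel for sel, _ in parse_secrets(secrets_text)
            if not sel or any(s == '%any' or s == identity for s in sel)]


def summarize(log_text: str, secrets_text: str) -> List[str]:
    """One human-readable line per lookup: outcome, candidate count, matching PSK selectors."""
    out = []
    for lk in parse_lookups(log_text):
        outcome = f'selected "{lk.selected}"' if lk.selected else ('no peer config found' if lk.failed else 'unresolved')
        sels = matching_selectors(secrets_text, lk.other_id)
        out.append(f'{lk.timestamp}: {lk.me}...{lk.other}[{lk.other_id}] -> {outcome}; '
                   f'{len(lk.candidates)} candidate(s); {len(sels)} PSK selector(s) match id {lk.other_id}')
    return out


if __name__ == '__main__':
    for line in summarize(SAMPLE_LOG, SAMPLE_SECRETS):
        print(line)
```

Run against the post's lines, the first lookup resolves to the single candidate "trap-a" (scores 1/20/3100 for me/other/ike) while the second records no candidate at all before "no peer config found", and all three PSK entries would match the identity 10.1.1.10; that separates a missing-secret problem from a peer-config matching problem when reading such logs.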