Hope you are all doing well.
I am trying to connect a Mikrotik RB2011RM to Strongswan running on a cloud server. I cannot get past phase 1.
I searched Google and found some good examples, but still can't work out what the problem is. I now have an example from the Strongswan setup, but still no luck.
Hopefully someone can help me find what I am doing wrong.
Details below:
The RB2011 is on my home network, and Strongswan is on a VPS at a third-party provider. I have tried simple PSK authentication to try to get it working.
StrongSwan ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    charondebug="all"
# Add connections here.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no
conn tower-vpn
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    left=107.161.22.19
    leftsubnet=107.161.22.19/32
    leftid=@vpnsvr.*******.org
    right=206.83.248.2
    rightid=206.83.248.2
    rightsubnet=10.232.70.0/24
    auto=add
ipsec.secrets:
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA vpn-server.key.pem # VPN server key generated above
# <user id> : EAP <secret>
10.232.70.1 : PSK "***********"
206.83.248.2 : PSK "***********"
Mikrotik config:
# may/17/2022 16:54:00 by RouterOS 6.49.6
# software id = YFGT-A2YC
#
# model = 2011UiAS
# serial number = 6089057B8541
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
profile_1 nat-traversal=yes
/ip ipsec peer
add address=107.161.22.19/32 name=CloudVPN profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
/ip ipsec identity
add my-id=address:206.83.248.2 peer=CloudVPN secret=**********
/ip ipsec policy
add dst-address=10.232.0.0/23 level=use peer=CloudVPN src-address=\
10.232.70.0/24 tunnel=yes
Strongswan log:
received packet: from 206.83.248.2[500] to 107.161.22.19[500] (128 bytes)
May 17 20:52:49 hamsocial charon: 06[ENC] parsed ID_PROT request 0 [ SA V V ]
May 17 20:52:49 hamsocial charon: 06[IKE] no IKE config found for 107.161.22.19...206.83.248.2, sending NO_PROPOSAL_CHOSEN
May 17 20:52:49 hamsocial charon: 06[ENC] generating INFORMATIONAL_V1 request 1363442209 [ N(NO_PROP) ]
May 17 20:52:49 hamsocial charon: 06[NET] sending packet: from 107.161.22.19[500] to 206.83.248.2[500] (40 bytes)
May 17 20:52:59 hamsocial charon: 14[NET] received packet: from 206.83.248.2[500] to 107.161.22.19[500] (128 bytes)
May 17 20:52:59 hamsocial charon: 14[ENC] parsed ID_PROT request 0 [ SA V V ]
May 17 20:52:59 hamsocial charon: 14[IKE] no IKE config found for 107.161.22.19...206.83.248.2, sending NO_PROPOSAL_CHOSEN
May 17 20:52:59 hamsocial charon: 14[ENC] generating INFORMATIONAL_V1 request 1065270688 [ N(NO_PROP) ]
May 17 20:52:59 hamsocial charon: 14[NET] sending packet: from 107.161.22.19[500] to 206.83.248.2[500] (40 bytes)
May 17 20:53:09 hamsocial charon: 07[NET] received packet: from 206.83.248.2[500] to 107.161.22.19[500] (128 bytes)
May 17 20:53:09 hamsocial charon: 07[ENC] parsed ID_PROT request 0 [ SA V V ]
May 17 20:53:09 hamsocial charon: 07[IKE] no IKE config found for 107.161.22.19...206.83.248.2, sending NO_PROPOSAL_CHOSEN
May 17 20:53:09 hamsocial charon: 07[ENC] generating INFORMATIONAL_V1 request 3707957538 [ N(NO_PROP) ]
May 17 20:53:09 hamsocial charon: 07[NET] sending packet: from 107.161.22.19[500] to 206.83.248.2[500] (40 bytes)
Mikrotik log:
16:53:49 ipsec,error phase1 negotiation failed due to time up 10.0.0.254[500]<=>107.161.22.19[500] be65b4bf51adec2d:0000000000000000
16:53:57 ipsec,info initiate new phase 1 (Identity Protection): 10.0.0.254[500]<=>107.161.22.19[500]
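What the two logs say, and an added check for it (editor-added example code, not part of the original post and not strongSwan or RouterOS code): charon logs `parsed ID_PROT request 0 [ SA V V ]`, which is an IKEv1 Main Mode (Identity Protection) initiation, matching the router's `initiate new phase 1 (Identity Protection)` line. The server's `tower-vpn` conn, however, inherits `keyexchange=ikev2` from `%default`, so charon has no IKEv1 config for the pair 107.161.22.19...206.83.248.2 and answers NO_PROPOSAL_CHOSEN before a single cipher proposal is compared; the matching AES/SHA256/modp1024 settings on both sides never come into play. The script below parses a charon log and the ipsec.conf conn blocks and reports that version mismatch, and also flags the 1024-bit DH group. The sample log and conn text are constructed from the post; the RouterOS fix it prints (`exchange-mode=ike2` on the peer, which is what selects IKEv2 on RouterOS 6.49) is assumed syntax added here, not a command from the post.

```python
"""Spot why charon rejects a MikroTik IKE initiation before proposal comparison.

Editor-added example; not strongSwan or RouterOS code. It parses the charon log
and the ipsec.conf conn blocks, tells the IKE version of the incoming request
apart from the version the conn accepts, and flags the 1024-bit DH group.
The RouterOS command in the output is assumed RouterOS 6.49 syntax.
"""
import re

# Constructed sample input, reduced from the log and config in the post above.
SAMPLE_LOG = """\
May 17 20:52:49 hamsocial charon: 06[NET] received packet: from 206.83.248.2[500] to 107.161.22.19[500] (128 bytes)
May 17 20:52:49 hamsocial charon: 06[ENC] parsed ID_PROT request 0 [ SA V V ]
May 17 20:52:49 hamsocial charon: 06[IKE] no IKE config found for 107.161.22.19...206.83.248.2, sending NO_PROPOSAL_CHOSEN
"""

SAMPLE_CONF = """\
config setup
    charondebug="all"
conn %default
    authby=secret
    keyexchange=ikev2
conn tower-vpn
    ike=aes256-sha2_256-modp1024!
    left=107.161.22.19
    right=206.83.248.2
    auto=add
"""

# Exchange names charon prints in "[ENC] parsed <EXCHANGE> request 0 [...]" for
# the first message of a new IKE SA, and the IKE version each one implies.
IKEV1_EXCHANGES = {"ID_PROT": "IKEv1 Main Mode", "AGGRESSIVE": "IKEv1 Aggressive Mode"}
IKEV2_EXCHANGES = {"IKE_SA_INIT": "IKEv2"}


def parse_conns(conf):
    """Return {conn: {key: value}} with the %default section folded into each conn."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:                          # unindented "conn <name>" header
            current = m.group(1)
            conns[current] = {}
        elif line.startswith("config"):
            current = None             # "config setup" is not a conn
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}


def initiation_versions(log):
    """Map each initiation exchange seen in a charon log to the IKE version it implies."""
    seen = {}
    for m in re.finditer(r"\[ENC\] parsed (\S+) request 0 \[", log):
        name = m.group(1)
        if name in IKEV1_EXCHANGES:
            seen[name] = IKEV1_EXCHANGES[name]
        elif name in IKEV2_EXCHANGES:
            seen[name] = IKEV2_EXCHANGES[name]
    return seen


def diagnose(log, conf, peer_addr, peer_name="CloudVPN"):
    """Return human-readable findings for one peer; an empty list means nothing obvious."""
    findings = []
    conns = parse_conns(conf)
    matching = [n for n, c in conns.items() if c.get("right") in (peer_addr, "%any")]
    if not matching:
        return [f"no conn has right={peer_addr} (or %any); charon cannot select a config"]
    for exchange, version in initiation_versions(log).items():
        for name in matching:
            kx = conns[name].get("keyexchange", "ike")   # strongSwan's default accepts both
            if version.startswith("IKEv1") and kx == "ikev2":
                findings.append(
                    f"{name}: peer sends {version} ({exchange}) but conn has keyexchange={kx}; "
                    f"either run '/ip ipsec peer set [find name={peer_name}] exchange-mode=ike2' "
                    f"on the router (assumed RouterOS syntax) or set keyexchange=ikev1 in this conn")
            elif version == "IKEv2" and kx == "ikev1":
                findings.append(f"{name}: peer sends IKEv2 but conn has keyexchange=ikev1")
    for name in matching:
        ike = conns[name].get("ike", "")
        if "modp1024" in ike:
            findings.append(
                f"{name}: ike={ike} uses modp1024 (1024-bit DH); use modp2048 here and "
                f"dh-group=modp2048 in the RouterOS profile once the tunnel is up")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_CONF, "206.83.248.2"):
        print("-", finding)
```

Two caveats worth keeping in mind when applying the fix. First, the router log shows its own side as 10.0.0.254[500] while charon sees 206.83.248.2, so the RB2011 is behind NAT; `nat-traversal=yes` in the profile already covers that, but once IKE gets past the first exchange the traffic moves to UDP 4500, so the VPS firewall has to allow both 500/udp and 4500/udp. Second, because the router is the initiator, charon's `[ENC] parsed ... request 0` line is the quickest place to confirm which IKE version actually arrived; after switching the peer to IKEv2 that line should read `IKE_SA_INIT` instead of `ID_PROT`.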