Hi everyone, sorry to bother you. I have spent 3 days on this and still can't get it to work. Could you take a look? Thanks in advance <3.
Fortigate info:
Public ip: 41.223.XX.XX
Internal ip: 172.16.20.25
Subnet: 192.168.0.223/32, 192.168.0.219/32
enable nat_traversal
PSK: testpasswd
Phase1: IKE v1 main
3des sha1 DH GROUP 2
86400 seconds
Phase2: 3des sha1
No PFS
3600 seconds
//////////////////////////////////////////////////////
Strongswan Ubuntu server (Oracle Cloud):
Public ip: 141.147.YY.YY
Internal ip: 10.0.0.186
Subnet: 10.0.0.186/32, 10.7.0.1/24
ipsec.conf:
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

# connection to Fortigate
conn linux-to-fg
    authby=secret
    left=10.0.0.186
    leftid=141.147.YY.YY
    leftsubnet=10.0.0.186/32,10.7.0.1/24
    right=41.223.XX.XX
    rightid=172.16.20.25
    rightsubnet=192.168.0.223/32,192.168.0.219/32
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    keyexchange=ikev1
    keyingtries=0
    ikelifetime=24h
    lifetime=1h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
    type=tunnel

ipsec.secrets:
%any %any : PSK "testpasswd"
syslog:
Sep 4 19:56:54 vpn-server charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 5.15.0-1041-oracle, aarch64)
Sep 4 19:56:54 vpn-server charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 4 19:56:54 vpn-server charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 4 19:56:54 vpn-server charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 4 19:56:54 vpn-server charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 4 19:56:54 vpn-server charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 4 19:56:54 vpn-server charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 4 19:56:54 vpn-server charon: 00[CFG] loaded IKE secret for %any %any
Sep 4 19:56:54 vpn-server charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Sep 4 19:56:54 vpn-server charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep 4 19:56:54 vpn-server charon: 00[JOB] spawning 16 worker threads
Sep 4 19:56:54 vpn-server charon: 05[CFG] received stroke: add connection 'linux-to-fg'
Sep 4 19:56:54 vpn-server charon: 05[CFG] added configuration 'linux-to-fg'
Sep 4 19:56:54 vpn-server charon: 07[CFG] received stroke: initiate 'linux-to-fg'
Sep 4 19:56:54 vpn-server charon: 07[IKE] initiating Main Mode IKE_SA linux-to-fg[1] to 41.223.XX.XX
Sep 4 19:56:54 vpn-server charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Sep 4 19:56:54 vpn-server charon: 07[NET] sending packet: from 10.0.0.186[500] to 41.223.XX.XX[500] (180 bytes)
Sep 4 19:56:54 vpn-server charon: 09[NET] received packet: from 41.223.XX.XX[500] to 10.0.0.186[500] (188 bytes)
Sep 4 19:56:54 vpn-server charon: 09[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
Sep 4 19:56:54 vpn-server charon: 09[IKE] received NAT-T (RFC 3947) vendor ID
Sep 4 19:56:54 vpn-server charon: 09[IKE] received DPD vendor ID
Sep 4 19:56:54 vpn-server charon: 09[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
Sep 4 19:56:54 vpn-server charon: 09[IKE] received FRAGMENTATION vendor ID
Sep 4 19:56:54 vpn-server charon: 09[IKE] received FRAGMENTATION vendor ID
Sep 4 19:56:54 vpn-server charon: 09[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 4 19:56:54 vpn-server charon: 09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Sep 4 19:56:54 vpn-server charon: 09[NET] sending packet: from 10.0.0.186[500] to 41.223.XX.XX[500] (244 bytes)
Sep 4 19:56:55 vpn-server charon: 10[NET] received packet: from 41.223.XX.XX[500] to 10.0.0.186[500] (228 bytes)
Sep 4 19:56:55 vpn-server charon: 10[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Sep 4 19:56:55 vpn-server charon: 10[IKE] local host is behind NAT, sending keep alives
Sep 4 19:56:55 vpn-server charon: 10[IKE] remote host is behind NAT
Sep 4 19:56:55 vpn-server charon: 10[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Sep 4 19:56:55 vpn-server charon: 10[NET] sending packet: from 10.0.0.186[4500] to 41.223.XX.XX[4500] (100 bytes)
Sep 4 19:56:55 vpn-server charon: 11[NET] received packet: from 41.223.XX.XX[4500] to 10.0.0.186[4500] (68 bytes)
Sep 4 19:56:55 vpn-server charon: 11[ENC] parsed ID_PROT response 0 [ ID HASH ]
Sep 4 19:56:55 vpn-server charon: 11[IKE] IKE_SA linux-to-fg[1] established between 10.0.0.186[141.147.YY.YY]...41.223.XX.XX[172.16.20.25]
Sep 4 19:56:55 vpn-server charon: 11[IKE] scheduling reauthentication in 85437s
Sep 4 19:56:55 vpn-server charon: 11[IKE] maximum IKE_SA lifetime 85977s
Sep 4 19:56:55 vpn-server charon: 11[ENC] generating QUICK_MODE request 210004719 [ HASH SA No ID ID ]
Sep 4 19:56:55 vpn-server charon: 11[NET] sending packet: from 10.0.0.186[4500] to 41.223.XX.XX[4500] (164 bytes)
Sep 4 19:56:55 vpn-server charon: 12[NET] received packet: from 41.223.XX.XX[4500] to 10.0.0.186[4500] (148 bytes)
Sep 4 19:56:55 vpn-server charon: 12[ENC] parsed QUICK_MODE response 210004719 [ HASH SA No ID ID ]
Sep 4 19:56:55 vpn-server charon: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Sep 4 19:56:55 vpn-server charon: 12[IKE] CHILD_SA linux-to-fg{1} established with SPIs ce44d95c_i e78ec623_o and TS 10.0.0.186/32 === 192.168.0.223/32
Sep 4 19:56:55 vpn-server charon: 12[ENC] generating QUICK_MODE request 210004719 [ HASH ]
Sep 4 19:56:55 vpn-server charon: 12[NET] sending packet: from 10.0.0.186[4500] to 41.223.XX.XX[4500] (60 bytes)
Sep 4 19:56:59 vpn-server charon: 05[NET] received packet: from 41.223.XX.XX[4500] to 10.0.0.186[4500] (148 bytes)
Sep 4 19:56:59 vpn-server charon: 05[ENC] parsed QUICK_MODE request 2995459665 [ HASH SA No ID ID ]
Sep 4 19:56:59 vpn-server charon: 05[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Sep 4 19:56:59 vpn-server charon: 05[ENC] generating QUICK_MODE response 2995459665 [ HASH SA No ID ID ]
Sep 4 19:56:59 vpn-server charon: 05[NET] sending packet: from 10.0.0.186[4500] to 41.223.XX.XX[4500] (164 bytes)
Sep 4 19:56:59 vpn-server charon: 06[NET] received packet: from 41.223.XX.XX[4500] to 10.0.0.186[4500] (156 bytes)
Sep 4 19:56:59 vpn-server charon: 06[ENC] parsed QUICK_MODE request 187159232 [ HASH SA No ID ID ]
Sep 4 19:56:59 vpn-server charon: 06[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Sep 4 19:56:59 vpn-server charon: 06[ENC] generating QUICK_MODE response 187159232 [ HASH SA No ID ID ]
Sep 4 19:56:59 vpn-server charon: 06[NET] sending packet: from 10.0.0.186[4500] to 41.223.XX.XX[4500] (172 bytes)
Sep 4 19:56:59 vpn-server charon: 07[NET] received packet: from 41.223.XX.XX[4500] to 10.0.0.186[4500] (156 bytes)
Sep 4 19:56:59 vpn-server charon: 07[ENC] parsed QUICK_MODE request 1224828342 [ HASH SA No ID ID ]
Sep 4 19:56:59 vpn-server charon: 07[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Sep 4 19:56:59 vpn-server charon: 07[ENC] generating QUICK_MODE response 1224828342 [ HASH SA No ID ID ]
Sep 4 19:56:59 vpn-server charon: 07[NET] sending packet: from 10.0.0.186[4500] to 41.223.XX.XX[4500] (172 bytes)
Sep 4 19:56:59 vpn-server charon: 09[NET] received packet: from 41.223.XX.XX[4500] to 10.0.0.186[4500] (60 bytes)
Sep 4 19:56:59 vpn-server charon: 09[ENC] parsed QUICK_MODE request 2995459665 [ HASH ]
Sep 4 19:56:59 vpn-server charon: 09[IKE] CHILD_SA linux-to-fg{2} established with SPIs cc30dc2d_i e78ec63c_o and TS 10.0.0.186/32 === 192.168.0.219/32
Sep 4 19:56:59 vpn-server charon: 10[NET] received packet: from 41.223.XX.XX[4500] to 10.0.0.186[4500] (60 bytes)
Sep 4 19:56:59 vpn-server charon: 10[ENC] parsed QUICK_MODE request 187159232 [ HASH ]
Sep 4 19:56:59 vpn-server charon: 10[IKE] CHILD_SA linux-to-fg{3} established with SPIs ccc8e962_i e78ec63d_o and TS 10.7.0.0/24 === 192.168.0.219/32
Sep 4 19:56:59 vpn-server charon: 11[NET] received packet: from 41.223.XX.XX[4500] to 10.0.0.186[4500] (60 bytes)
Sep 4 19:56:59 vpn-server charon: 11[ENC] parsed QUICK_MODE request 1224828342 [ HASH ]
Sep 4 19:56:59 vpn-server charon: 11[IKE] CHILD_SA linux-to-fg{4} established with SPIs c2d794af_i e78ec63e_o and TS 10.7.0.0/24 === 192.168.0.223/32
Sep 4 19:57:00 vpn-server charon: 12[NET] received packet: from 41.223.XX.XX[500] to 10.0.0.186[500] (288 bytes)
Sep 4 19:57:00 vpn-server charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
Sep 4 19:57:00 vpn-server charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Sep 4 19:57:00 vpn-server charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 4 19:57:00 vpn-server charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Sep 4 19:57:00 vpn-server charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 4 19:57:00 vpn-server charon: 12[ENC] received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
Sep 4 19:57:00 vpn-server charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Sep 4 19:57:00 vpn-server charon: 12[IKE] received DPD vendor ID
Sep 4 19:57:00 vpn-server charon: 12[IKE] received FRAGMENTATION vendor ID
Sep 4 19:57:00 vpn-server charon: 12[IKE] received FRAGMENTATION vendor ID
Sep 4 19:57:00 vpn-server charon: 12[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
Sep 4 19:57:00 vpn-server charon: 12[IKE] 41.223.XX.XX is initiating a Main Mode IKE_SA
Sep 4 19:57:00 vpn-server charon: 12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 4 19:57:00 vpn-server charon: 12[ENC] generating ID_PROT response 0 [ SA V V V V ]
Sep 4 19:57:00 vpn-server charon: 12[NET] sending packet: from 10.0.0.186[500] to 41.223.XX.XX[500] (160 bytes)
Sep 4 19:57:00 vpn-server charon: 14[NET] received packet: from 41.223.XX.XX[500] to 10.0.0.186[500] (228 bytes)
Sep 4 19:57:00 vpn-server charon: 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Sep 4 19:57:00 vpn-server charon: 14[IKE] local host is behind NAT, sending keep alives
Sep 4 19:57:00 vpn-server charon: 14[IKE] remote host is behind NAT
Sep 4 19:57:00 vpn-server charon: 14[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Sep 4 19:57:00 vpn-server charon: 14[NET] sending packet: from 10.0.0.186[500] to 41.223.XX.XX[500] (244 bytes)
Sep 4 19:57:00 vpn-server charon: 15[NET] received packet: from 41.223.XX.XX[4500] to 10.0.0.186[4500] (68 bytes)
Sep 4 19:57:00 vpn-server charon: 15[ENC] parsed ID_PROT request 0 [ ID HASH ]
Sep 4 19:57:00 vpn-server charon: 15[CFG] looking for pre-shared key peer configs matching 10.0.0.186...41.223.XX.XX[172.16.20.25]
Sep 4 19:57:00 vpn-server charon: 15[CFG] selected peer config "linux-to-fg"
Sep 4 19:57:00 vpn-server charon: 15[IKE] detected reauth of existing IKE_SA, adopting 4 children and 0 virtual IPs
Sep 4 19:57:00 vpn-server charon: 15[IKE] schedule delete of duplicate IKE_SA for peer '172.16.20.25' due to uniqueness policy and suspected reauthentication
Sep 4 19:57:00 vpn-server charon: 15[IKE] IKE_SA linux-to-fg[2] established between 10.0.0.186[141.147.YY.YY]...41.223.XX.XX[172.16.20.25]
Sep 4 19:57:00 vpn-server charon: 15[IKE] scheduling reauthentication in 85326s
Sep 4 19:57:00 vpn-server charon: 15[IKE] maximum IKE_SA lifetime 85866s
Sep 4 19:57:00 vpn-server charon: 15[ENC] generating ID_PROT response 0 [ ID HASH ]
Sep 4 19:57:00 vpn-server charon: 15[NET] sending packet: from 10.0.0.186[4500] to 41.223.XX.XX[4500] (68 bytes)
Sep 4 19:57:10 vpn-server charon: 08[IKE] deleting IKE_SA linux-to-fg[1] between 10.0.0.186[141.147.YY.YY]...41.223.XX.XX[172.16.20.25]
Sep 4 19:57:10 vpn-server charon: 08[IKE] sending DELETE for IKE_SA linux-to-fg[1]
Sep 4 19:57:10 vpn-server charon: 08[ENC] generating INFORMATIONAL_V1 request 1435944686 [ HASH D ]
Sep 4 19:57:10 vpn-server charon: 08[NET] sending packet: from 10.0.0.186[4500] to 41.223.XX.XX[4500] (84 bytes)
Sep 4 19:57:21 vpn-server charon: 11[IKE] sending keep alive to 41.223.XX.XX[4500]
Sep 4 19:57:30 vpn-server charon: 15[IKE] sending DPD request
Sep 4 19:57:30 vpn-server charon: 15[ENC] generating INFORMATIONAL_V1 request 1320012911 [ HASH N(DPD) ]
Sep 4 19:57:30 vpn-server charon: 15[NET] sending packet: from 10.0.0.186[4500] to 41.223.XX.XX[4500] (92 bytes)
Sep 4 19:57:30 vpn-server charon: 16[NET] received packet: from 41.223.XX.XX[4500] to 10.0.0.186[4500] (92 bytes)
Sep 4 19:57:30 vpn-server charon: 16[ENC] parsed INFORMATIONAL_V1 request 3545732010 [ HASH N(DPD_ACK) ]
Sep 4 19:57:51 vpn-server charon: 06[IKE] sending keep alive to 41.223.XX.XX[4500]
Sep 4 19:58:00 vpn-server charon: 07[IKE] sending DPD request
Sep 4 19:58:00 vpn-server charon: 07[ENC] generating INFORMATIONAL_V1 request 853219907 [ HASH N(DPD) ]
Sep 4 19:58:00 vpn-server charon: 07[NET] sending packet: from 10.0.0.186[4500] to 41.223.XX.XX[4500] (92 bytes)
Sep 4 19:58:00 vpn-server charon: 08[NET] received packet: from 41.223.XX.XX[4500] to 10.0.0.186[4500] (92 bytes)
Sep 4 19:58:00 vpn-server charon: 08[ENC] parsed INFORMATIONAL_V1 request 878772427 [ HASH N(DPD_ACK) ]
Sep 4 19:58:21 vpn-server charon: 09[IKE] sending keep alive to 41.223.XX.XX[4500]
Sep 4 19:58:30 vpn-server charon: 10[IKE] sending DPD request
ipsec statusall:
root@vpn-server:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.15.0-1041-oracle, aarch64):
uptime: 5 minutes, since Sep 04 19:56:54 2023
malloc: sbrk 2580480, mmap 0, used 746944, free 1833536
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
10.0.0.186
Connections:
linux-to-fg: 10.0.0.186...41.223.XX.XX IKEv1, dpddelay=30s
linux-to-fg: local: [141.147.YY.YY] uses pre-shared key authentication
linux-to-fg: remote: [172.16.20.25] uses pre-shared key authentication
linux-to-fg: child: 10.0.0.186/32 10.7.0.0/24 === 192.168.0.223/32 192.168.0.219/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
linux-to-fg[2]: ESTABLISHED 5 minutes ago, 10.0.0.186[141.147.YY.YY]...41.223.XX.XX[172.16.20.25]
linux-to-fg[2]: IKEv1 SPIs: a1411fa1ae6a928e_i 0b4214238133dd1c_r*, pre-shared key reauthentication in 23 hours
linux-to-fg[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
linux-to-fg{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce44d95c_i e78ec623_o
linux-to-fg{1}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 39 minutes
linux-to-fg{1}: 10.0.0.186/32 === 192.168.0.223/32
linux-to-fg{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cc30dc2d_i e78ec63c_o
linux-to-fg{2}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
linux-to-fg{2}: 10.0.0.186/32 === 192.168.0.219/32
linux-to-fg{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: ccc8e962_i e78ec63d_o
linux-to-fg{3}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 39 minutes
linux-to-fg{3}: 10.7.0.0/24 === 192.168.0.219/32
linux-to-fg{4}: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: c2d794af_i e78ec63e_o
linux-to-fg{4}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
linux-to-fg{4}: 10.7.0.0/24 === 192.168.0.223/32
tcpdump dst 41.223.XX.XX:
root@vpn-server:/etc# tcpdump dst 41.223.XX.XX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s6, link-type EN10MB (Ethernet), capture size 262144 bytes
00:51:53.128740 IP vpn-server.subnet03252117.vcn03252117.oraclevcn.com.ipsec-nat-t > 41.223.XX.XX.ipsec-nat-t: isakmp-nat-keep-alive
00:52:04.307484 IP vpn-server.subnet03252117.vcn03252117.oraclevcn.com.ipsec-nat-t > 41.223.XX.XX.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
00:52:24.129341 IP vpn-server.subnet03252117.vcn03252117.oraclevcn.com.ipsec-nat-t > 41.223.XX.XX.ipsec-nat-t: isakmp-nat-keep-alive
00:52:35.308099 IP vpn-server.subnet03252117.vcn03252117.oraclevcn.com.ipsec-nat-t > 41.223.XX.XX.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
00:52:55.129863 IP vpn-server.subnet03252117.vcn03252117.oraclevcn.com.ipsec-nat-t > 41.223.XX.XX.ipsec-nat-t: isakmp-nat-keep-alive
00:53:06.308739 IP vpn-server.subnet03252117.vcn03252117.oraclevcn.com.ipsec-nat-t > 41.223.XX.XX.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
00:53:26.130433 IP vpn-server.subnet03252117.vcn03252117.oraclevcn.com.ipsec-nat-t > 41.223.XX.XX.ipsec-nat-t: isakmp-nat-keep-alive
00:53:37.309418 IP vpn-server.subnet03252117.vcn03252117.oraclevcn.com.ipsec-nat-t > 41.223.XX.XX.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
00:53:57.131073 IP vpn-server.subnet03252117.vcn03252117.oraclevcn.com.ipsec-nat-t > 41.223.XX.XX.ipsec-nat-t: isakmp-nat-keep-alive
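The `ipsec statusall` output above shows the negotiation itself succeeded: the IKE_SA is ESTABLISHED and all four CHILD_SAs are INSTALLED, but every one of them reports 0 bytes_i and 0 bytes_o, which means no packet on the Oracle host has matched the installed XFRM policies and no ESP has arrived from the FortiGate. The following is an added example, not the poster's code and not a strongSwan tool: it parses `ipsec statusall` output, lists CHILD_SAs that are installed but idle with a one-line interpretation of the counters, and flags the deprecated algorithms (3DES, SHA-1, MODP-1024) that were chosen here to match the FortiGate's phase settings. The embedded sample is copied from the post's own output; the WEAK_ALGS set and the wording returned by diagnose() are this example's assumptions.

```python
"""Parse `ipsec statusall` (strongSwan 5.x) and flag CHILD_SAs that are INSTALLED but
idle, plus deprecated IKE/ESP algorithms.  Added example for this post; not the poster's
code and not a strongSwan tool.  SAMPLE_STATUSALL is copied from the post; WEAK_ALGS and
the diagnose() wording are this example's own assumptions."""
import re
from dataclasses import dataclass

# Copied from the post's `ipsec statusall` output (SA section only).
SAMPLE_STATUSALL = """\
Security Associations (1 up, 0 connecting):
linux-to-fg[2]: ESTABLISHED 5 minutes ago, 10.0.0.186[141.147.YY.YY]...41.223.XX.XX[172.16.20.25]
linux-to-fg[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
linux-to-fg{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce44d95c_i e78ec623_o
linux-to-fg{1}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 39 minutes
linux-to-fg{1}: 10.0.0.186/32 === 192.168.0.223/32
linux-to-fg{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cc30dc2d_i e78ec63c_o
linux-to-fg{2}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
linux-to-fg{2}: 10.0.0.186/32 === 192.168.0.219/32
linux-to-fg{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: ccc8e962_i e78ec63d_o
linux-to-fg{3}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 39 minutes
linux-to-fg{3}: 10.7.0.0/24 === 192.168.0.219/32
linux-to-fg{4}: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: c2d794af_i e78ec63e_o
linux-to-fg{4}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
linux-to-fg{4}: 10.7.0.0/24 === 192.168.0.223/32
"""

# Assumption of this example: algorithms a current deployment should no longer negotiate.
WEAK_ALGS = {"3DES_CBC", "HMAC_MD5_96", "HMAC_SHA1_96", "PRF_HMAC_MD5", "PRF_HMAC_SHA1",
             "MODP_768", "MODP_1024", "MODP_1536"}

IKE_PROPOSAL_RE = re.compile(r"^(?P<conn>\S+)\[(?P<id>\d+)\]: IKE proposal: (?P<prop>\S+)")
CHILD_STATE_RE = re.compile(r"^(?P<conn>\S+)\{(?P<id>\d+)\}: (?P<state>\w+), (?P<mode>\w+), reqid (?P<reqid>\d+)")
# The byte counters gain a "(N pkts, Ts ago)" suffix once traffic has flowed; it is optional here.
CHILD_BYTES_RE = re.compile(r"^(?P<conn>\S+)\{(?P<id>\d+)\}: (?P<prop>\S+), (?P<bi>\d+) bytes_i(?: \([^)]*\))?, (?P<bo>\d+) bytes_o")
CHILD_TS_RE = re.compile(r"^(?P<conn>\S+)\{(?P<id>\d+)\}: (?P<local>[^=]+?) === (?P<remote>.+)$")


@dataclass
class ChildSA:
    conn: str
    id: int
    state: str = ""
    mode: str = ""
    reqid: int = 0
    proposal: str = ""
    bytes_in: int = 0
    bytes_out: int = 0
    local_ts: str = ""
    remote_ts: str = ""

    @property
    def name(self) -> str:
        return f"{self.conn}{{{self.id}}}"


def parse_statusall(text: str):
    """Return ({ike_sa_name: proposal}, [ChildSA, ...]) from `ipsec statusall` output."""
    ike_proposals, children = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = IKE_PROPOSAL_RE.match(line)
        if m:
            ike_proposals[f"{m['conn']}[{m['id']}]"] = m["prop"]
            continue
        for rx in (CHILD_STATE_RE, CHILD_BYTES_RE, CHILD_TS_RE):
            m = rx.match(line)
            if not m:
                continue
            key = (m["conn"], int(m["id"]))
            sa = children.setdefault(key, ChildSA(conn=m["conn"], id=int(m["id"])))
            if rx is CHILD_STATE_RE:
                sa.state, sa.mode, sa.reqid = m["state"], m["mode"], int(m["reqid"])
            elif rx is CHILD_BYTES_RE:
                sa.proposal, sa.bytes_in, sa.bytes_out = m["prop"], int(m["bi"]), int(m["bo"])
            else:
                sa.local_ts, sa.remote_ts = m["local"], m["remote"]
            break
    return ike_proposals, list(children.values())


def idle_children(children):
    """INSTALLED CHILD_SAs whose counters show no ESP traffic in either direction."""
    return [c for c in children if c.state == "INSTALLED" and c.bytes_in == 0 and c.bytes_out == 0]


def diagnose(c: ChildSA) -> str:
    """Interpret the byte counters of one CHILD_SA (wording is this example's own)."""
    if c.bytes_in == 0 and c.bytes_out == 0:
        return (f"no traffic: nothing from {c.local_ts} to {c.remote_ts} has matched the XFRM "
                "policy on this host and nothing has arrived, so check routing and local/cloud firewalling first")
    if c.bytes_in == 0:
        return f"only outbound: {c.remote_ts} never answers, so check the far side's policy and return route"
    if c.bytes_out == 0:
        return f"only inbound: replies to {c.remote_ts} are not leaving this host, so check forwarding and the local firewall"
    return "traffic flows both ways"


def weak_algorithms(ike_proposals, children):
    """Map SA name -> sorted list of deprecated algorithms in its negotiated proposal."""
    found = {}
    for name, prop in ike_proposals.items():
        weak = sorted(set(prop.split("/")) & WEAK_ALGS)
        if weak:
            found[name] = weak
    for c in children:
        weak = sorted(set(c.proposal.split("/")) & WEAK_ALGS)
        if weak:
            found[c.name] = weak
    return found


if __name__ == "__main__":
    ike, kids = parse_statusall(SAMPLE_STATUSALL)
    for c in idle_children(kids):
        print(f"{c.name} {c.local_ts} === {c.remote_ts}: {diagnose(c)}")
    for name, algs in weak_algorithms(ike, kids).items():
        print(f"{name}: deprecated algorithms {', '.join(algs)}")
```

Run it against live output with `ipsec statusall | python3 this_script.py`-style piping after replacing SAMPLE_STATUSALL with `sys.stdin.read()`, ideally right after sending a few pings from 10.7.0.0/24 to 192.168.0.223: if the counters stay at 0/0 the packets are not reaching the strongSwan host's XFRM policy at all, and if only bytes_o moves the FortiGate side is dropping or not routing the return traffic. The weak-algorithm report is a reminder that `3des-sha1-modp1024` was chosen to match the FortiGate's phase 1/2 settings; once the tunnel passes traffic, both ends should be moved to AES and SHA-2 with a stronger DH group.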