ftao / vpn-deploy-playbook

A collection of Ansible playbooks for deploying VPN services
GNU General Public License v3.0

Question about IKEv2 - iOS cannot connect #78

Closed geekan closed 9 years ago

geekan commented 9 years ago

Ansible shows everything succeeded, but iOS cannot connect.

The packet capture shows the following:

root@localhost:~# tcpdump port 500 or port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:26:20.837370 IP client_ip.63804 > server.com.isakmp: isakmp: parent_sa ikev2_init[I]
09:26:20.839730 IP server.com.isakmp > client_ip.63804: isakmp: parent_sa ikev2_init[R]
09:26:21.071006 IP client_ip.60881 > server.com.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
09:26:21.073205 IP server.com.ipsec-nat-t > client_ip.60881: NONESP-encap: isakmp: parent_sa ikev2_init[R]
09:26:24.030176 IP client_ip.60881 > server.com.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
09:26:24.032301 IP server.com.ipsec-nat-t > client_ip.60881: NONESP-encap: isakmp: parent_sa ikev2_init[R]
09:26:27.080709 IP client_ip.60881 > server.com.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
09:26:27.083819 IP server.com.ipsec-nat-t > client_ip.60881: NONESP-encap: isakmp: parent_sa ikev2_init[R]
09:26:30.029981 IP client_ip.60881 > server.com.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
09:26:30.033030 IP server.com.ipsec-nat-t > client_ip.60881: NONESP-encap: isakmp: parent_sa ikev2_init[R]

I don't know why it won't connect. Where is the corresponding log?

ftao commented 9 years ago

Check whether the process is alive:

root@localhost:/var/log# ps aux | grep ipsec
root      1808  0.0  0.0  17236   464 ?        Ss   Jun09   0:00 /usr/lib/ipsec/starter --daemon charon
root      1811  0.0  0.3 763232  3916 ?        Ssl  Jun09   0:37 /usr/lib/ipsec/charon --use-syslog

If not:

service strongswan restart

geekan commented 9 years ago

It seems there was a conflict with another ipsec process; both were bound to ports 500/4500. After I killed the other process, logs appeared. But now a new error shows up: AUTH_FAILED

Jul 10 02:12:48 localhost charon: 12[NET] received packet: from 112.97.24.152[8650] to 106.185.28.235[500] (416 bytes)
Jul 10 02:12:48 localhost charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 10 02:12:48 localhost charon: 12[IKE] 112.97.24.152 is initiating an IKE_SA
Jul 10 02:12:48 localhost charon: 12[IKE] remote host is behind NAT
Jul 10 02:12:48 localhost charon: 12[IKE] sending cert request for "C=CH, O=vpndeploy, CN=VPN DeployPlaybook CA"
Jul 10 02:12:48 localhost charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Jul 10 02:12:48 localhost charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 10 02:12:48 localhost charon: 12[NET] sending packet: from 106.185.28.235[500] to 112.97.24.152[8650] (485 bytes)
Jul 10 02:12:48 localhost charon: 13[NET] received packet: from 112.97.24.152[11649] to 106.185.28.235[4500] (364 bytes)
Jul 10 02:12:48 localhost charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CERTREQ CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jul 10 02:12:48 localhost charon: 13[IKE] received cert request for "C=CH, O=vpndeploy, CN=VPN DeployPlaybook CA"
Jul 10 02:12:48 localhost charon: 13[CFG] looking for peer configs matching 106.185.28.235[vpn.server_name.com]...112.97.24.152[172.25.128.197]
Jul 10 02:12:48 localhost charon: 13[CFG] no matching peer config found
Jul 10 02:12:48 localhost charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 10 02:12:48 localhost charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 10 02:12:48 localhost charon: 13[NET] sending packet: from 106.185.28.235[4500] to 112.97.24.152[11649] (76 bytes)
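
The symptom in this post (two IKE daemons bound to UDP 500/4500, and charon producing no log lines at all until the other one was killed) is easy to confirm before touching anything. The script below is an added example, not code from the vpn-deploy-playbook project: it parses the output of `ss -ulnp` (the state, queue, local address:port, peer and process columns), reports which process owns each IKE port, and flags a port with more than one daemon as a conflict. `SAMPLE_SS_OUTPUT` is constructed for demonstration and the second daemon name in it is made up.

```python
"""Find out which processes are bound to the IKE ports (UDP 500 and 4500).

Added example, not part of the vpn-deploy-playbook project. It parses `ss -ulnp`
output so a second IKE daemon stealing charon's packets shows up as a conflict
instead of as "no log lines at all". SAMPLE_SS_OUTPUT is constructed.
"""
import re
import subprocess
from collections import defaultdict

IKE_PORTS = (500, 4500)

# Process column of `ss -p`: users:(("charon",pid=1811,fd=19),("other",pid=7,fd=3))
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

# Constructed sample: two daemons share both IKE ports, plus an unrelated UDP socket.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
UNCONN  0       0              0.0.0.0:500         0.0.0.0:*      users:(("charon",pid=1811,fd=19))
UNCONN  0       0              0.0.0.0:500         0.0.0.0:*      users:(("pluto",pid=2210,fd=7))
UNCONN  0       0              0.0.0.0:4500        0.0.0.0:*      users:(("charon",pid=1811,fd=20))
UNCONN  0       0              0.0.0.0:4500        0.0.0.0:*      users:(("pluto",pid=2210,fd=8))
UNCONN  0       0                 [::]:123            [::]:*      users:(("ntpd",pid=901,fd=5))
"""


def ike_listeners(ss_output):
    """Map each IKE port to the set of (process name, pid) bound to it."""
    listeners = defaultdict(set)
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "UNCONN":
            continue  # header line, or not an unconnected UDP socket
        try:
            port = int(fields[3].rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue  # e.g. service names when ss was run without -n
        if port not in IKE_PORTS:
            continue
        procs = _PROC_RE.findall(line)
        if not procs:
            procs = [("unknown", "0")]  # no process column: ss was not run as root
        for name, pid in procs:
            listeners[port].add((name, int(pid)))
    return dict(listeners)


def conflicts(listeners):
    """Ports where more than one distinct process (by pid) is bound."""
    return {port: procs for port, procs in listeners.items()
            if len({pid for _, pid in procs}) > 1}


def diagnose(listeners):
    """One finding per IKE port: nothing bound, conflict, owner unknown, or ok."""
    findings = []
    for port in IKE_PORTS:
        procs = listeners.get(port, set())
        pids = {pid for _, pid in procs}
        if not procs:
            findings.append(f"udp/{port}: nothing bound; charon is not listening")
        elif len(pids) > 1:
            names = ", ".join(f"{n}(pid {p})" for n, p in sorted(procs))
            findings.append(f"udp/{port}: CONFLICT, {len(pids)} daemons bound: {names}")
        elif pids == {0}:
            findings.append(f"udp/{port}: bound, but owner unknown (run ss as root)")
        else:
            name, pid = next(iter(procs))
            findings.append(f"udp/{port}: ok, {name}(pid {pid})")
    return findings


if __name__ == "__main__":
    # Live check on this host; falls back to the constructed sample if ss is absent.
    try:
        out = subprocess.run(["ss", "-ulnp"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_SS_OUTPUT
    for finding in diagnose(ike_listeners(out)):
        print(finding)
```

Run it as root so `ss` can fill in the process column; a port reported as "nothing bound" matches the "is the process alive?" case above, and a CONFLICT line tells you which pid to investigate before restarting strongswan.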

ftao commented 9 years ago

Are you connecting via IP or via domain name? If via IP, you may need to set

ipsec_use_ip_as_domain=true

this parameter, then run the playbook again and reinstall the mobileconfig; otherwise the certificate CN will not match, causing authentication to fail.

geekan commented 9 years ago

I'm using the domain name. Here is my detailed configuration:

#An example of an Ansible inventory
#Some useful parameters:
# - ansible_ssh_port
# - ansible_ssh_user
# - ansible_ssh_private_key_file
#Check out http://www.ansibleworks.com/docs/patterns.html#list-of-reserved-inventory-parameters  for all possible parameters

localhost              ansible_connection=local
vpn.server_name.com  ansible_ssh_host=106.185.28.235 ansible_ssh_user=root ansible_ssh_pass=password
#auth.example.com  ansible_ssh_user=root  ansible_ssh_private_key_file=~/.ssh/some_key

[l2tp]
vpn.server_name.com

[pptp]
vpn.server_name.com

[ipsec]
vpn.server_name.com

[openconnect]
vpn.server_name.com

[vpn]
vpn.server_name.com

[chinadns]
dns.example.com update_resolvconf=false

[auth]
auth.example.com

# ipsec.conf - strongSwan IPsec configuration file

config setup
    uniqueids=never

conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    auto=add
    dpdaction=clear
    dpddelay=300s

#conn ikev2
#    keyexchange=ikev2
#    ike=aes256-sha1-modp1024!
#    leftid="C=CH, O=vpndeploy, CN=vpn.server_name.com"
#    leftcert=/etc/ipsec.d/certs/server_cert.pem
#    leftauth=pubkey
#    rekey=no
#    rightsourceip=10.7.0.0/24
##    rightauth=eap-mschapv2
##    rightsendcert=never
#    eap_identity=%identity

#see https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig
conn ikev2
    keyexchange=ikev2
    ike=aes256-sha1-modp1024,aes256-sha1-modp2048
    esp=aes256-sha1,aes128-sha1
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=/etc/ipsec.d/certs/server_cert.pem
    leftid=@vpn.server_name.com
    right=%any
    rightsourceip=10.7.0.0/24
    rightauth=eap-mschapv2
    #rightsendcert=never   # see note
    eap_identity=%any
    auto=add

ftao commented 9 years ago

Turn on the option below:

ipsec_enable_charondebug: true

and see whether there is a more detailed error message.

geekan commented 9 years ago

Here is the syslog after turning it on:

Jul 10 02:47:24 localhost charon: 10[CFG] looking for an ike config for 106.185.28.235...112.97.24.152
Jul 10 02:47:24 localhost charon: 10[CFG]   candidate: %any...%any, prio 28
Jul 10 02:47:24 localhost charon: 10[CFG] found matching ike config: %any...%any with prio 28
Jul 10 02:47:24 localhost charon: 10[IKE] 112.97.24.152 is initiating an IKE_SA
Jul 10 02:47:24 localhost charon: 10[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Jul 10 02:47:24 localhost charon: 10[CFG] selecting proposal:
Jul 10 02:47:24 localhost charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 10 02:47:24 localhost charon: 10[CFG] selecting proposal:
Jul 10 02:47:24 localhost charon: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 10 02:47:24 localhost charon: 10[CFG] selecting proposal:
Jul 10 02:47:24 localhost charon: 10[CFG]   proposal matches
Jul 10 02:47:24 localhost charon: 10[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jul 10 02:47:24 localhost charon: 10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_8192/ECP_256/ECP_384/ECP_521/MODP_1024_160/MODP_2048_224/MODP_2048_256/ECP_192/ECP_224/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jul 10 02:47:24 localhost charon: 10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Jul 10 02:47:24 localhost charon: 10[IKE] remote host is behind NAT
Jul 10 02:47:24 localhost charon: 10[IKE] sending cert request for "C=CH, O=vpndeploy, CN=VPN DeployPlaybook CA"
Jul 10 02:47:24 localhost charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Jul 10 02:47:24 localhost charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 10 02:47:24 localhost charon: 10[NET] sending packet: from 106.185.28.235[500] to 112.97.24.152[8653] (485 bytes)
Jul 10 02:47:24 localhost charon: 05[NET] sending packet: from 106.185.28.235[500] to 112.97.24.152[8653]
Jul 10 02:47:28 localhost charon: 08[NET] received packet: from 112.97.24.152[11652] to 106.185.28.235[4500]
Jul 10 02:47:28 localhost charon: 08[NET] waiting for data on sockets
Jul 10 02:47:28 localhost charon: 11[NET] received packet: from 112.97.24.152[11652] to 106.185.28.235[4500] (364 bytes)
Jul 10 02:47:28 localhost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CERTREQ CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jul 10 02:47:28 localhost charon: 11[IKE] received cert request for "C=CH, O=vpndeploy, CN=VPN DeployPlaybook CA"
Jul 10 02:47:28 localhost charon: 11[CFG] looking for peer configs matching 106.185.28.235[vpn.server_name.com]...112.97.24.152[172.25.128.197]
Jul 10 02:47:28 localhost charon: 11[CFG] no matching peer config found
Jul 10 02:47:28 localhost charon: 11[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 10 02:47:28 localhost charon: 11[IKE] processing INTERNAL_IP4_DHCP attribute
Jul 10 02:47:28 localhost charon: 11[IKE] processing INTERNAL_IP4_DNS attribute
Jul 10 02:47:28 localhost charon: 11[IKE] processing INTERNAL_IP4_NETMASK attribute
Jul 10 02:47:28 localhost charon: 11[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 10 02:47:28 localhost charon: 11[IKE] processing INTERNAL_IP6_DHCP attribute
Jul 10 02:47:28 localhost charon: 11[IKE] processing INTERNAL_IP6_DNS attribute
Jul 10 02:47:28 localhost charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 10 02:47:28 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 10 02:47:28 localhost charon: 11[NET] sending packet: from 106.185.28.235[4500] to 112.97.24.152[11652] (76 bytes)
Jul 10 02:47:28 localhost charon: 11[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
Jul 10 02:47:28 localhost charon: 05[NET] sending packet: from 106.185.28.235[4500] to 112.97.24.152[11652]

By the way, I downloaded xxx.mobileconfig instead of xxx.signed.mobileconfig; that shouldn't matter, right?

geekan commented 9 years ago

Jul 10 02:47:28 localhost charon: 11[CFG] looking for peer configs matching 106.185.28.235[vpn.server_name.com]...112.97.24.152[172.25.128.197]
Jul 10 02:47:28 localhost charon: 11[CFG] no matching peer config found

These two lines look like the key: no config matched. But /etc/ipsec.conf does specify:

leftid=@vpn.server_name.com
right=%any

However, running root@localhost:/git/vpn-deploy-playbook# ipsec listpubkeys returns an empty result; I'm not sure whether that is where the problem is.

geekan commented 9 years ago

I went over the whole process carefully, deleted the crypto-related files and regenerated them, and now it connects :)

root@localhost:/git/vpn-deploy-playbook# rm /etc/ipsec.d/private/ca_key.pem
root@localhost:/git/vpn-deploy-playbook# rm /etc/ipsec.d/cacerts/ca_cert.pem
root@localhost:/git/vpn-deploy-playbook# rm /etc/ipsec.d/private/server_key.pem
root@localhost:/git/vpn-deploy-playbook# rm /etc/ipsec.d/certs/server_cert.pem

rangeihub commented 11 months ago

May I ask, regarding "It seems there was a conflict with another ipsec process; both were bound to ports 500/4500. After I killed the other process, logs appeared. But now a new error shows up: AUTH_FAILED": there are only two in total, so which one did you kill? My log file also doesn't show anything. My strongSwan is:

root@OpenWrt:/# ipsec --version
Linux strongSwan U5.8.2/K4.19.205
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

Could you share your strongswan.conf configuration for reference?