Closed SuperCatss closed 1 year ago
Below is the log from connecting with IKEv2 IPsec; the IP has been replaced.
2023-02-21T00:47:24.400697+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:24.400750+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:24.400780+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:24.400801+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:24.400949+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: deleting state (STATE_V2_PARENT_R0) aged 0.000334s and NOT sending notification
2023-02-21T00:47:24.400988+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:25.460639+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:25.460679+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:25.460709+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:25.460730+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:25.460825+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: deleting state (STATE_V2_PARENT_R0) aged 0.000256s and NOT sending notification
2023-02-21T00:47:25.460860+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:27.252077+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:27.252137+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:27.252186+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:27.252221+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:27.252364+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1 #3: deleting state (STATE_V2_PARENT_R0) aged 0.000346s and NOT sending notification
2023-02-21T00:47:27.252417+08:00 ipsec-server pluto[422]: "ikev2-cp"[3] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:30.431968+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:30.432008+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:30.432038+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:30.432060+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:30.432170+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1 #4: deleting state (STATE_V2_PARENT_R0) aged 0.000293s and NOT sending notification
2023-02-21T00:47:30.432203+08:00 ipsec-server pluto[422]: "ikev2-cp"[4] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:36.279901+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:36.279972+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:36.280001+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:36.280023+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:36.280138+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1 #5: deleting state (STATE_V2_PARENT_R0) aged 0.0003s and NOT sending notification
2023-02-21T00:47:36.280185+08:00 ipsec-server pluto[422]: "ikev2-cp"[5] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:47:46.799877+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:47:46.799951+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:46.800002+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:47:46.800027+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:47:46.800134+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1 #6: deleting state (STATE_V2_PARENT_R0) aged 0.000325s and NOT sending notification
2023-02-21T00:47:46.800170+08:00 ipsec-server pluto[422]: "ikev2-cp"[6] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-21T00:48:21.502681+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536
2023-02-21T00:48:21.502723+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:48:21.502751+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:41615 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-21T00:48:21.502772+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-21T00:48:21.502876+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1 #7: deleting state (STATE_V2_PARENT_R0) aged 0.000264s and NOT sending notification
2023-02-21T00:48:21.502907+08:00 ipsec-server pluto[422]: "ikev2-cp"[7] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
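@SuperCatss Hello! The image's IKEv2 algorithms have not changed recently. Support for MODP1024 and MODP1536 was removed from the IKEv1 algorithms because they are less secure. See here.
From your logs, this may be a problem with the IKEv2 algorithms of the client's VPN connection. You can try editing /etc/ipsec.d/ikev2.conf inside the container and replacing this line
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
with
ike=aes_gcm-sha2-modp2048,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
Save the file and restart the Docker container. If that still does not solve it, you can try asking on the Libreswan users mailing list.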
@hwdsl2 Hello, after making the suggested change, both protocols still fail to connect. Here is the connection log in IPSec/Xauth mode.
2023-02-22T14:21:38.381540+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: responding to Main Mode from unknown peer 1.1.1.1:51478
2023-02-22T14:21:38.381663+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: WARNING: connection xauth-psk PSK length of 11 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
2023-02-22T14:21:38.381694+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1024] refused
2023-02-22T14:21:38.381716+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: WARNING: connection xauth-psk PSK length of 11 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
2023-02-22T14:21:38.381735+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (128), HMAC_SHA2_256, MODP1024] refused
2023-02-22T14:21:38.381757+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP1024] refused
2023-02-22T14:21:38.381777+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (128), HMAC_SHA1, MODP1024] refused
2023-02-22T14:21:38.381804+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (256), HMAC_MD5, MODP1024] refused
2023-02-22T14:21:38.381824+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (128), HMAC_MD5, MODP1024] refused
2023-02-22T14:21:38.381845+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP1024] refused
2023-02-22T14:21:38.381869+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused
2023-02-22T14:21:38.381886+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: no acceptable Oakley Transform
2023-02-22T14:21:38.381927+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: sending notification NO_PROPOSAL_CHOSEN to 1.1.1.1:51478
2023-02-22T14:21:39.326165+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:21:41.134775+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:21:44.393343+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:21:50.194250+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:22:00.755178+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
2023-02-22T14:22:19.597606+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: discarding initial packet; already STATE_MAIN_R0
Adding the IPSec/IKEv2 connection log from after the conf file was modified.
2023-02-22T14:34:26.574540+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:26.574582+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:26.574611+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:26.574632+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:26.574775+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1 #16: deleting state (STATE_V2_PARENT_R0) aged 0.000283s and NOT sending notification
2023-02-22T14:34:26.574807+08:00 ipsec-server pluto[422]: "ikev2-cp"[15] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-22T14:34:27.561966+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:27.562024+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:27.562074+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:27.562113+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:27.562272+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1 #17: deleting state (STATE_V2_PARENT_R0) aged 0.000353s and NOT sending notification
2023-02-22T14:34:27.562319+08:00 ipsec-server pluto[422]: "ikev2-cp"[16] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-22T14:34:29.368644+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:29.368686+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:29.368716+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:29.368737+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:29.368850+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1 #18: deleting state (STATE_V2_PARENT_R0) aged 0.000254s and NOT sending notification
2023-02-22T14:34:29.368882+08:00 ipsec-server pluto[422]: "ikev2-cp"[17] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-22T14:34:32.614497+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:32.614541+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:32.614571+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:32.614593+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:32.614715+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1 #19: deleting state (STATE_V2_PARENT_R0) aged 0.000257s and NOT sending notification
2023-02-22T14:34:32.614761+08:00 ipsec-server pluto[422]: "ikev2-cp"[18] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
2023-02-22T14:34:38.436052+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_256-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
2023-02-22T14:34:38.436094+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:34:38.436123+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: responding to IKE_SA_INIT message (ID 0) from 1.1.1.1:51480 with unencrypted notification INVALID_KE_PAYLOAD
2023-02-22T14:34:38.436145+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: encountered fatal error in state STATE_V2_PARENT_R0
2023-02-22T14:34:38.436256+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1 #20: deleting state (STATE_V2_PARENT_R0) aged 0.000267s and NOT sending notification
2023-02-22T14:34:38.436292+08:00 ipsec-server pluto[422]: "ikev2-cp"[19] 1.1.1.1: deleting connection instance with peer 1.1.1.1 {isakmp=#0/ipsec=#0}
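I would also like to ask whether it is possible to pull a specific version of the image for comparison and, if so, which version you would suggest pulling. If IKEv2 and WireGuard traffic both have obvious signatures, can an ISP see the contents inside the traffic?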
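Checklist
Problem description: Describe the bug in clear and concise language.
Steps to reproduce: Steps to reproduce the bug:
Expected result: Briefly describe the correct result you expected.
Logs: Enable logs, check the VPN status, and add error logs to help explain the problem (if applicable).
Server information (please fill in the following)
Client information (please fill in the following)
Additional information: Neither VPN mode can connect normally. The server is ESXi, running a virtual Ubuntu 22.04 server. It is mainly used to connect back home to view cameras. It worked normally for a long time after deployment; I now use it less often, and today it could not connect. No configuration has changed since it was first set up successfully. Only the image is sometimes updated and then redeployed with the original configuration and the original script. (I cannot rule out that this was caused by an image update.)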
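A log triage sketch for the two failure patterns shown in this thread's pluto logs (the IKEv2 `INVALID_KE_PAYLOAD` loop and the IKEv1 "no acceptable Oakley Transform" rejection), added here as an example and not code from the thread or from Libreswan. It assumes the message wording seen in the logs above; `SAMPLE_LOG` is constructed and shortened from them, and `diagnose` and its finding fields are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: shortened lines in the format of the pluto logs on this page.
SAMPLE_LOG = """\
2023-02-21T00:47:24.400697+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=DH24;DH=ECP_384;DH=MODP2048[first-match]
2023-02-21T00:47:24.400750+08:00 ipsec-server pluto[422]: "ikev2-cp"[1] 1.1.1.1 #1: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-21T00:47:25.460639+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=DH24;DH=ECP_384;DH=MODP2048[first-match]
2023-02-21T00:47:25.460679+08:00 ipsec-server pluto[422]: "ikev2-cp"[2] 1.1.1.1 #2: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting MODP2048
2023-02-22T14:21:38.381694+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1024] refused
2023-02-22T14:21:38.381845+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP1024] refused
2023-02-22T14:21:38.381886+08:00 ipsec-server pluto[422]: "xauth-psk"[1] 1.1.1.1 #15: no acceptable Oakley Transform
"""

# Connection name, peer address, state number and message of one pluto entry.
ENTRY = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) '
                   r'#(?P<state>\d+): (?P<msg>.*)')
GUESS = re.compile(r'initiator guessed wrong keying material group \((\w+)\); '
                   r'responding with INVALID_KE_PAYLOAD requesting (\w+)')
REFUSED = re.compile(r'Oakley Transform \[(.+)\] refused')


def diagnose(log_text):
    """Summarise IKE negotiation failures per (connection, peer)."""
    offered = {}                 # key -> DH groups listed in the peer's proposals
    guesses = defaultdict(list)  # key -> [(guessed group, requested group), ...]
    refused = defaultdict(list)  # key -> [(cipher, hash, DH group), ...]
    rejected = set()             # keys that logged "no acceptable Oakley Transform"
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue             # e.g. "deleting connection instance" has no #state
        key, msg = (m["conn"], m["peer"]), m["msg"]
        if "chosen from remote proposals" in msg:
            remote = msg.split("chosen from remote proposals", 1)[1]
            offered[key] = set(re.findall(r"DH=(\w+)", remote))
        elif g := GUESS.search(msg):
            guesses[key].append(g.groups())
        elif r := REFUSED.search(msg):
            refused[key].append(tuple(p.strip() for p in r.group(1).split(",")))
        elif "no acceptable Oakley Transform" in msg:
            rejected.add(key)
    findings = []
    for key, pairs in guesses.items():
        guessed = {g for g, _ in pairs}
        requested = {r for _, r in pairs}
        findings.append({
            "conn": key[0], "kind": "ikev2-ke-mismatch", "attempts": len(pairs),
            "guessed": sorted(guessed), "requested": sorted(requested),
            # the peer's own proposal lists the group the server asked for
            "peer_offers_requested": requested <= offered.get(key, set()),
            # the peer sent the same wrong group on every attempt
            "peer_never_switched": len(pairs) > 1 and len(guessed) == 1,
        })
    for key in sorted(rejected):
        findings.append({"conn": key[0], "kind": "ikev1-no-proposal",
                         "refused": len(refused[key]),
                         "dh_groups": sorted({t[-1] for t in refused[key]})})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

On logs like the ones in this thread, `peer_offers_requested` and `peer_never_switched` both being true means the client lists MODP2048 yet keeps sending a DH24 key exchange, and the IKEv1 finding shows every refused transform uses MODP1024, the group the maintainer's reply says was removed.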