Closed Ran-Xing closed 1 year ago
Task list
Problem description: Cannot connect. It is not blocked, and I more or less followed the instructions.
Steps to reproduce: Steps to reproduce the bug:
```bash
docker run -it -d \
  --name myvpn \
  --restart=always \
  -v /docker/myvpn:/etc/ipsec.d \
  --privileged \
  -p 500:500/udp \
  -p 4500:4500/udp \
  -e 'VPN_IPSEC_PSK=passwd' \
  -e "VPN_USER=username" \
  -e 'VPN_PASSWORD=passwd' \
  -e "VPN_DNS_SRV1=8.8.8.8" \
  -e "VPN_DNS_SRV2=223.5.5.5" \
  -e "VPN_CLIENT_NAME=name" \
  hwdsl2/ipsec-vpn-server
```
x.x.x.x is the server IP, a.a.a.a is my computer's IP, and I don't know who the last one is.
Everything worked before; then one day it suddenly dropped. I thought it had been blocked, but I can still reach the IP normally, and I connect using the IP.
```text
Trying to auto discover IP of this server...
Setting DNS servers to 8.8.8.8 and 223.5.5.5...
Starting IPsec service...
pluto[400]: Initializing NSS using read-write database "sql:/etc/ipsec.d"
pluto[400]: FIPS Mode: NO
pluto[400]: NSS crypto library initialized
pluto[400]: FIPS mode disabled for pluto daemon
pluto[400]: FIPS HMAC integrity support [disabled]
pluto[400]: libcap-ng support [enabled]
pluto[400]: Linux audit support [disabled]
pluto[400]: Starting Pluto (Libreswan Version 4.11 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-KDF) LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:400
pluto[400]: core dump dir: /run/pluto
pluto[400]: secrets file: /etc/ipsec.secrets
pluto[400]: leak-detective disabled
pluto[400]: NSS crypto [enabled]
pluto[400]: XAUTH PAM support [enabled]
pluto[400]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
pluto[400]: NAT-Traversal support [enabled]
pluto[400]: Encryption algorithms:
pluto[400]: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c
pluto[400]: AES_CCM_12 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b
pluto[400]: AES_CCM_8 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a
pluto[400]: 3DES_CBC [*192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des
pluto[400]: CAMELLIA_CTR {256,192,*128} IKEv1: ESP IKEv2: ESP
pluto[400]: CAMELLIA_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia
pluto[400]: AES_GCM_16 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, aes_gcm_c
pluto[400]: AES_GCM_12 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b
pluto[400]: AES_GCM_8 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a
pluto[400]: AES_CTR {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr
pluto[400]: AES_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes
pluto[400]: NULL_AUTH_AES_GMAC {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac
pluto[400]: NULL [] IKEv1: ESP IKEv2: ESP
pluto[400]: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305
pluto[400]: Hash algorithms:
pluto[400]: MD5 IKEv1: IKE IKEv2: NSS
pluto[400]: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha
pluto[400]: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256
pluto[400]: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384
pluto[400]: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512
pluto[400]: IDENTITY IKEv1: IKEv2: FIPS
pluto[400]: PRF algorithms:
pluto[400]: HMAC_MD5 IKEv1: IKE IKEv2: IKE native(HMAC) md5
pluto[400]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1
pluto[400]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256
pluto[400]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384
pluto[400]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512
pluto[400]: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc
pluto[400]: Integrity algorithms:
pluto[400]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH native(HMAC) md5, hmac_md5
pluto[400]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1
pluto[400]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512
pluto[400]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384
pluto[400]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
pluto[400]: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
pluto[400]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
pluto[400]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
pluto[400]: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
pluto[400]: DH algorithms:
pluto[400]: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0
pluto[400]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh2
pluto[400]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5
pluto[400]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14
pluto[400]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15
pluto[400]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16
pluto[400]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17
pluto[400]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18
pluto[400]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256
pluto[400]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384
pluto[400]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521
pluto[400]: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519
pluto[400]: IPCOMP algorithms:
pluto[400]: DEFLATE IKEv1: ESP AH IKEv2: ESP AH FIPS
pluto[400]: LZS IKEv1: IKEv2: ESP AH FIPS
pluto[400]: LZJH IKEv1: IKEv2: ESP AH FIPS
pluto[400]: testing CAMELLIA_CBC:
pluto[400]: Camellia: 16 bytes with 128-bit key
pluto[400]: Camellia: 16 bytes with 128-bit key
pluto[400]: Camellia: 16 bytes with 256-bit key
pluto[400]: Camellia: 16 bytes with 256-bit key
pluto[400]: testing AES_GCM_16:
pluto[400]: empty string
pluto[400]: one block
pluto[400]: two blocks
pluto[400]: two blocks with associated data
pluto[400]: testing AES_CTR:
pluto[400]: Encrypting 16 octets using AES-CTR with 128-bit key
pluto[400]: Encrypting 32 octets using AES-CTR with 128-bit key
pluto[400]: Encrypting 36 octets using AES-CTR with 128-bit key
pluto[400]: Encrypting 16 octets using AES-CTR with 192-bit key
pluto[400]: Encrypting 32 octets using AES-CTR with 192-bit key
pluto[400]: Encrypting 36 octets using AES-CTR with 192-bit key
pluto[400]: Encrypting 16 octets using AES-CTR with 256-bit key
pluto[400]: Encrypting 32 octets using AES-CTR with 256-bit key
pluto[400]: Encrypting 36 octets using AES-CTR with 256-bit key
pluto[400]: testing AES_CBC:
pluto[400]: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
pluto[400]: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
pluto[400]: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
pluto[400]: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
pluto[400]: testing AES_XCBC:
pluto[400]: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
pluto[400]: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
pluto[400]: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
pluto[400]: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
pluto[400]: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
pluto[400]: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
pluto[400]: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
pluto[400]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
pluto[400]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
pluto[400]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
pluto[400]: testing HMAC_MD5:
pluto[400]: RFC 2104: MD5_HMAC test 1
pluto[400]: RFC 2104: MD5_HMAC test 2
pluto[400]: RFC 2104: MD5_HMAC test 3
pluto[400]: testing HMAC_SHA1:
pluto[400]: CAVP: IKEv2 key derivation with HMAC-SHA1
pluto[400]: 8 CPU cores online
pluto[400]: starting up 7 helper threads
pluto[400]: started thread for helper 0
pluto[400]: helper(1) seccomp security for helper not supported
pluto[400]: started thread for helper 1
pluto[400]: helper(2) seccomp security for helper not supported
pluto[400]: started thread for helper 2
pluto[400]: helper(3) seccomp security for helper not supported
pluto[400]: started thread for helper 3
pluto[400]: helper(4) seccomp security for helper not supported
pluto[400]: started thread for helper 4
pluto[400]: helper(5) seccomp security for helper not supported
pluto[400]: started thread for helper 5
pluto[400]: helper(6) seccomp security for helper not supported
pluto[400]: started thread for helper 6
pluto[400]: helper(7) seccomp security for helper not supported
pluto[400]: using Linux xfrm kernel support code on #83-Ubuntu SMP Thu Jun 15 19:16:32 UTC 2023
pluto[400]: kernel: /proc/sys/net/ipv6/conf/all/disable_ipv6=1 ignore ipv6 holes
pluto[400]: seccomp security not supported
================================================
IPsec VPN server is now ready for use!
Connect to your new VPN with these details:
Server IP: x.x.x.x
IPsec PSK: password
Username: username
Password: password
pluto[400]: "l2tp-psk": added IKEv1 connection
pluto[400]: "xauth-psk": added IKEv1 connection
pluto[400]: listening for IKE messages
Write these down. You'll need them to connect!
VPN client setup: https://vpnsetup.net/clients2
================================================
pluto[400]: Kernel supports NIC esp-hw-offload
pluto[400]: adding UDP interface eth0 172.17.0.6:500
pluto[400]: adding UDP interface eth0 172.17.0.6:4500
pluto[400]: adding UDP interface lo 127.0.0.1:500
pluto[400]: adding UDP interface lo 127.0.0.1:4500
Setting up IKEv2. This may take a few moments...
pluto[400]: loading secrets from "/etc/ipsec.secrets"
pluto[400]: "ikev2-cp": IKE SA proposals (connection add):
pluto[400]: "ikev2-cp": 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[400]: "ikev2-cp": 2:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[400]: "ikev2-cp": 3:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[400]: "ikev2-cp": 4:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
pluto[400]: "ikev2-cp": Child SA proposals (connection add):
pluto[400]: "ikev2-cp": 1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
pluto[400]: "ikev2-cp": 2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-ENABLED+DISABLED
pluto[400]: "ikev2-cp": 3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ENABLED+DISABLED
pluto[400]: "ikev2-cp": 4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[400]: "ikev2-cp": 5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[400]: "ikev2-cp": loaded private key matching left certificate 'x.x.x.x'
pluto[400]: "ikev2-cp": added IKEv2 connection
================================================
IKEv2 setup successful. Details for IKEv2 mode:
VPN server address: x.x.x.x
VPN client name: name
Client configuration is available inside the Docker container at:
/etc/ipsec.d/name.p12 (for Windows & Linux)
/etc/ipsec.d/name.sswan (for Android)
/etc/ipsec.d/name.mobileconfig (for iOS & macOS)
Next steps: Configure IKEv2 clients. See:
https://vpnsetup.net/clients2
================================================
xl2tpd[1]: Not looking for kernel SAref support.
xl2tpd[1]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
xl2tpd[1]: xl2tpd version xl2tpd-1.3.18 started on 52a2b1bb5042 PID:1
xl2tpd[1]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[1]: Listening on IP address 0.0.0.0, port 1701
pluto[400]: "xauth-psk"[1] a.a.a.a #1: responding to Main Mode from unknown peer a.a.a.a:500
pluto[400]: "xauth-psk"[1] a.a.a.a #1: sent Main Mode R1
pluto[400]: "xauth-psk"[1] a.a.a.a #1: sent Main Mode R2
pluto[400]: "xauth-psk"[1] a.a.a.a #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
pluto[400]: "xauth-psk"[1] a.a.a.a #1: Peer ID is ID_IPV4_ADDR: '192.168.2.10'
pluto[400]: "xauth-psk"[1] a.a.a.a #1: switched to "xauth-psk"[2] a.a.a.a
pluto[400]: "xauth-psk"[1] a.a.a.a: deleting connection instance with peer a.a.a.a {isakmp=#0/ipsec=#0}
pluto[400]: "xauth-psk"[2] a.a.a.a #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
pluto[400]: "xauth-psk"[2] a.a.a.a #1: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
pluto[400]: "xauth-psk"[2] a.a.a.a #1: STATE_XAUTH_R0: retransmission; will wait 0.5 seconds for response
pluto[400]: "xauth-psk"[2] a.a.a.a #1: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[400]: "xauth-psk"[2] a.a.a.a #1: STATE_XAUTH_R0: retransmission; will wait 1 seconds for response
pluto[400]: "xauth-psk"[2] a.a.a.a #1: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[400]: "xauth-psk"[2] a.a.a.a #1: STATE_XAUTH_R0: retransmission; will wait 2 seconds for response
pluto[400]: "xauth-psk"[2] a.a.a.a #1: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[400]: "xauth-psk"[2] a.a.a.a #1: STATE_XAUTH_R0: retransmission; will wait 4 seconds for response
pluto[400]: "xauth-psk"[2] a.a.a.a #1: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[400]: "xauth-psk"[2] a.a.a.a #1: STATE_XAUTH_R0: retransmission; will wait 8 seconds for response
pluto[400]: "xauth-psk"[2] a.a.a.a #1: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[400]: "xauth-psk"[2] a.a.a.a #1: STATE_XAUTH_R0: retransmission; will wait 16 seconds for response
pluto[400]: "xauth-psk"[2] a.a.a.a #1: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[400]: "xauth-psk"[2] a.a.a.a #1: STATE_XAUTH_R0: retransmission; will wait 32 seconds for response
pluto[400]: "xauth-psk"[2] a.a.a.a #1: XAUTH: Sending Username/Password request (XAUTH_R0->XAUTH_R0)
pluto[400]: "xauth-psk"[2] a.a.a.a #1: STATE_XAUTH_R0: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our IKEv1 message
pluto[400]: "xauth-psk"[2] a.a.a.a #1: deleting state (STATE_XAUTH_R0) aged 64.340082s and sending notification
pluto[400]: "xauth-psk"[2] a.a.a.a: deleting connection instance with peer a.a.a.a {isakmp=#0/ipsec=#0}
pluto[400]: "l2tp-psk"[1] 192.155.80.45 #2: responding to Main Mode from unknown peer 192.155.80.45:500
pluto[400]: "l2tp-psk"[1] 192.155.80.45 #2: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP1024] refused
pluto[400]: "l2tp-psk"[1] 192.155.80.45 #2: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused
pluto[400]: "l2tp-psk"[1] 192.155.80.45 #2: OAKLEY_DES_CBC(UNUSED) is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
pluto[400]: "l2tp-psk"[1] 192.155.80.45 #2: OAKLEY_DES_CBC(UNUSED) is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
pluto[400]: "l2tp-psk"[1] 192.155.80.45 #2: OAKLEY_GROUP 1 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
pluto[400]: "l2tp-psk"[1] 192.155.80.45 #2: OAKLEY_GROUP 1 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
pluto[400]: "l2tp-psk"[1] 192.155.80.45 #2: OAKLEY_DES_CBC(UNUSED) is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
pluto[400]: "l2tp-psk"[1] 192.155.80.45 #2: OAKLEY_DES_CBC(UNUSED) is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
pluto[400]: "l2tp-psk"[1] 192.155.80.45 #2: no acceptable Oakley Transform
pluto[400]: packet from 192.155.80.45:500: sending notification NO_PROPOSAL_CHOSEN to 192.155.80.45:500
pluto[400]: "l2tp-psk"[1] 192.155.80.45 #2: deleting state (STATE_MAIN_R0) aged 0.001114s and NOT sending notification
pluto[400]: "l2tp-psk"[1] 192.155.80.45: deleting connection instance with peer 192.155.80.45 {isakmp=#0/ipsec=#0}
```
Expected correct result: I want to know where the problem is and how to fix it.
Logs: Enable logging, check the VPN status, and attach error logs to help explain the issue (if applicable).
Server information (please fill in the following)
Client information (please fill in the following)
Other information: Other servers connect normally.
@Ran-Xing Hi! The "retransmission" entries in your log suggest the connection may be blocked or interfered with by the GFW. Being able to reach the IP normally does not tell you whether the GFW is blocking it. For this use case, it is recommended to switch to another solution such as Shadowsocks.
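The two peers in the log above can be told apart mechanically. The triage script below is an added example, not the project's code: it parses the pluto lines and separates the a.a.a.a client, whose IKE SA was established (so the PSK matched) but whose XAUTH reply never arrived, from the unknown 192.155.80.45 peer, which was rejected with NO_PROPOSAL_CHOSEN because it only offered DES/3DES with MODP1024. The sample lines are constructed from the issue's log; the regexes and the verdict labels are my own assumptions.

```python
import re

# Constructed sample shaped like the pluto lines quoted in this issue.
SAMPLE_LOG = """\
pluto[400]: "xauth-psk"[2] a.a.a.a #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
pluto[400]: "xauth-psk"[2] a.a.a.a #1: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0)
pluto[400]: "xauth-psk"[2] a.a.a.a #1: STATE_XAUTH_R0: retransmission; will wait 0.5 seconds for response
pluto[400]: "xauth-psk"[2] a.a.a.a #1: STATE_XAUTH_R0: retransmission; will wait 1 seconds for response
pluto[400]: "xauth-psk"[2] a.a.a.a #1: STATE_XAUTH_R0: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our IKEv1 message
pluto[400]: "l2tp-psk"[1] 192.155.80.45 #2: responding to Main Mode from unknown peer 192.155.80.45:500
pluto[400]: "l2tp-psk"[1] 192.155.80.45 #2: no acceptable Oakley Transform
pluto[400]: packet from 192.155.80.45:500: sending notification NO_PROPOSAL_CHOSEN to 192.155.80.45:500
"""

# Two line shapes: connection-scoped ('"conn"[n] peer #sa: msg'; the SA number is
# absent on "deleting connection instance" lines) and bare "packet from" lines.
CONN_RE = re.compile(r'^pluto\[\d+\]: "[^"]+"\[\d+\] (?P<peer>\S+?)(?: #\d+)?: (?P<msg>.*)$')
PKT_RE = re.compile(r'^pluto\[\d+\]: packet from (?P<peer>[^:\s]+):\d+: (?P<msg>.*)$')

def summarize(log_text):
    """Per peer address, count the events that separate the two failure modes."""
    peers = {}
    for line in log_text.splitlines():
        m = CONN_RE.match(line) or PKT_RE.match(line)
        if not m:
            continue
        st = peers.setdefault(m["peer"], {"established": False, "retransmits": 0,
                                          "timeout": False, "proposal_rejected": False})
        msg = m["msg"]
        if "IKE SA established" in msg:
            st["established"] = True
        elif "retransmission" in msg:
            st["retransmits"] += 1
        elif "timeout exceeded" in msg:
            st["timeout"] = True
        elif "NO_PROPOSAL_CHOSEN" in msg or "no acceptable Oakley Transform" in msg:
            st["proposal_rejected"] = True
    return peers

def classify(st):
    """Turn one peer's counters into the diagnosis a maintainer would give."""
    if st["established"] and st["timeout"]:
        # Phase 1 completed, so the PSK matched; the client's XAUTH reply then never
        # arrived. That points at packet loss or interference on the path, not credentials.
        return "xauth-reply-lost"
    if st["proposal_rejected"] and not st["established"]:
        # Peer offered only algorithms the server refuses (DES/3DES, MODP1024). From an
        # address you do not recognise this is an unsolicited probe, not your client.
        return "incompatible-proposal"
    return "ok"
```

Running `classify` over `summarize(SAMPLE_LOG)` labels a.a.a.a as "xauth-reply-lost" and 192.155.80.45 as "incompatible-proposal", which is the split the maintainer's reply draws.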