hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

After configuring IKEv2 and connecting to the VPN, Telegram can receive messages but the browser cannot access web pages #1185

Closed Penguin-Trading closed 2 years ago

Penguin-Trading commented 2 years ago

Describe the issue: After configuring IKEv2 and connecting to the VPN, I can receive messages in Telegram, but I cannot access web pages with a browser.

Steps to reproduce the bug:

  1. Launch an EC2 t3.nano instance in the AWS Singapore region
  2. Add UDP ports 500 and 4500 to the AWS security group
  3. Connect to the server remotely from the client
  4. On the server, run wget https://get.vpnsetup.net -O vpn.sh && sudo sh vpn.sh
  5. On the server, run sudo ikev2.sh --addclient win
  6. Export win.p12 from the server to the client
  7. On the client, run ikev2_config_import.cmd as administrator
  8. Connect to the VPN on the client; it shows as connected
  9. Telegram and WeChat can send and receive messages normally
  10. Xshell cannot connect to the server
  11. Chrome and Firefox cannot access web pages

Expected behavior: Xshell can connect to the server, and the browser can access web pages.

Logs

After disconnecting the VPN, grep pluto /var/log/auth.log:

ubuntu@ip-172-31-24-32:~$ grep pluto /var/log/auth.log
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: Initializing NSS using read-write database "sql:/etc/ipsec.d"
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: FIPS Mode: NO
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: NSS crypto library initialized
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: FIPS mode disabled for pluto daemon
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: FIPS HMAC integrity support [disabled]
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: libcap-ng support [enabled]
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: Linux audit support [disabled]
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: Starting Pluto (Libreswan Version 4.7 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (native-PRF) SYSTEMD_WATCHDOG LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:7399
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: core dump dir: /run/pluto
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: secrets file: /etc/ipsec.secrets
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: leak-detective enabled
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: NSS crypto [enabled]
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: XAUTH PAM support [enabled]
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: NAT-Traversal support  [enabled]
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: Encryption algorithms:
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   AES_CCM_16         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm, aes_ccm_c
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   AES_CCM_12         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_b
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   AES_CCM_8          {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_a
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   3DES_CBC           [*192]         IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     3des
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   CAMELLIA_CTR       {256,192,*128} IKEv1:     ESP     IKEv2:     ESP                      
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   CAMELLIA_CBC       {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP          NSS(CBC)     camellia
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   AES_GCM_16         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm, aes_gcm_c
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   AES_GCM_12         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_b
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   AES_GCM_8          {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_a
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   AES_CTR            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CTR)     aesctr
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   AES_CBC            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     aes
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   NULL_AUTH_AES_GMAC {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_gmac
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   NULL               []             IKEv1:     ESP     IKEv2:     ESP                      
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   CHACHA20_POLY1305  [*256]         IKEv1:             IKEv2: IKE ESP          NSS(AEAD)    chacha20poly1305
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: Hash algorithms:
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   MD5                               IKEv1: IKE         IKEv2:                  NSS         
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   SHA1                              IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   SHA2_256                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   SHA2_384                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   SHA2_512                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   IDENTITY                          IKEv1:             IKEv2:             FIPS             
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: PRF algorithms:
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   HMAC_MD5                          IKEv1: IKE         IKEv2: IKE              native(HMAC) md5
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   HMAC_SHA1                         IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha, sha1
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   HMAC_SHA2_256                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256, sha2_256
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   HMAC_SHA2_384                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384, sha2_384
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   HMAC_SHA2_512                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512, sha2_512
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   AES_XCBC                          IKEv1:             IKEv2: IKE              native(XCBC) aes128_xcbc
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: Integrity algorithms:
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   HMAC_MD5_96                       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       native(HMAC) md5, hmac_md5
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   HMAC_SHA1_96                      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha, sha1, sha1_96, hmac_sha1
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   HMAC_SHA2_512_256                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha512, sha2_512, sha2_512_256, hmac_sha2_512
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   HMAC_SHA2_384_192                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha384, sha2_384, sha2_384_192, hmac_sha2_384
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   HMAC_SHA2_256_128                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   HMAC_SHA2_256_TRUNCBUG            IKEv1:     ESP AH  IKEv2:         AH                   
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   AES_XCBC_96                       IKEv1:     ESP AH  IKEv2: IKE ESP AH       native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   AES_CMAC_96                       IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS              aes_cmac
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   NONE                              IKEv1:     ESP     IKEv2: IKE ESP     FIPS              null
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: DH algorithms:
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   NONE                              IKEv1:             IKEv2: IKE ESP AH  FIPS NSS(MODP)    null, dh0
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   MODP1024                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh2
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   MODP1536                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh5
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   MODP2048                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh14
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   MODP3072                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh15
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   MODP4096                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh16
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   MODP6144                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh17
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   MODP8192                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh18
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   DH19                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_256, ecp256
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   DH20                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_384, ecp384
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   DH21                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_521, ecp521
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   DH31                              IKEv1: IKE         IKEv2: IKE ESP AH       NSS(ECP)     curve25519
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: IPCOMP algorithms:
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   DEFLATE                           IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS             
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   LZS                               IKEv1:             IKEv2:     ESP AH  FIPS             
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   LZJH                              IKEv1:             IKEv2:     ESP AH  FIPS             
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: testing CAMELLIA_CBC:
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Camellia: 16 bytes with 128-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Camellia: 16 bytes with 128-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Camellia: 16 bytes with 256-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Camellia: 16 bytes with 256-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: testing AES_GCM_16:
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   empty string
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   one block
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   two blocks
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   two blocks with associated data
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: testing AES_CTR:
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Encrypting 16 octets using AES-CTR with 128-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Encrypting 32 octets using AES-CTR with 128-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Encrypting 36 octets using AES-CTR with 128-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Encrypting 16 octets using AES-CTR with 192-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Encrypting 32 octets using AES-CTR with 192-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Encrypting 36 octets using AES-CTR with 192-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Encrypting 16 octets using AES-CTR with 256-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Encrypting 32 octets using AES-CTR with 256-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Encrypting 36 octets using AES-CTR with 256-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: testing AES_CBC:
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: testing AES_XCBC:
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: testing HMAC_MD5:
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   RFC 2104: MD5_HMAC test 1
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   RFC 2104: MD5_HMAC test 2
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]:   RFC 2104: MD5_HMAC test 3
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: 2 CPU cores online
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: starting up 2 helper threads
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: started thread for helper 0
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: started thread for helper 1
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: using Linux xfrm kernel support code on #14-Ubuntu SMP Wed Jun 1 20:54:22 UTC 2022
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: helper(1) seccomp security for helper not supported
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: helper(2) seccomp security for helper not supported
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: watchdog: sending probes every 100 secs
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: seccomp security not supported
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: "l2tp-psk": added IKEv1 connection
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: "xauth-psk": added IKEv1 connection
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: listening for IKE messages
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: Kernel supports NIC esp-hw-offload
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: adding UDP interface ens5 172.31.24.32:500
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: adding UDP interface ens5 172.31.24.32:4500
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: adding UDP interface lo 127.0.0.1:500
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: adding UDP interface lo 127.0.0.1:4500
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: adding UDP interface lo [::1]:500
Jun 24 14:26:46 ip-172-31-24-32 pluto[7399]: loading secrets from "/etc/ipsec.secrets"
Jun 24 14:26:55 ip-172-31-24-32 pluto[7399]: shutting down
Jun 24 14:26:55 ip-172-31-24-32 pluto[7399]: Pluto is shutting down
Jun 24 14:26:55 ip-172-31-24-32 pluto[7399]: forgetting secrets
Jun 24 14:26:55 ip-172-31-24-32 pluto[7399]: shutting down interface lo [::1]:500
Jun 24 14:26:55 ip-172-31-24-32 pluto[7399]: shutting down interface lo 127.0.0.1:4500
Jun 24 14:26:55 ip-172-31-24-32 pluto[7399]: shutting down interface lo 127.0.0.1:500
Jun 24 14:26:55 ip-172-31-24-32 pluto[7399]: shutting down interface ens5 172.31.24.32:4500
Jun 24 14:26:55 ip-172-31-24-32 pluto[7399]: shutting down interface ens5 172.31.24.32:500
Jun 24 14:26:55 ip-172-31-24-32 pluto[7399]: leak detective found no leaks
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: Initializing NSS using read-write database "sql:/etc/ipsec.d"
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: FIPS Mode: NO
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: NSS crypto library initialized
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: FIPS mode disabled for pluto daemon
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: FIPS HMAC integrity support [disabled]
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: libcap-ng support [enabled]
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: Linux audit support [disabled]
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: Starting Pluto (Libreswan Version 4.7 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (native-PRF) SYSTEMD_WATCHDOG LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:7808
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: core dump dir: /run/pluto
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: secrets file: /etc/ipsec.secrets
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: leak-detective enabled
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: NSS crypto [enabled]
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: XAUTH PAM support [enabled]
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: NAT-Traversal support  [enabled]
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: Encryption algorithms:
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   AES_CCM_16         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm, aes_ccm_c
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   AES_CCM_12         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_b
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   AES_CCM_8          {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_a
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   3DES_CBC           [*192]         IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     3des
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   CAMELLIA_CTR       {256,192,*128} IKEv1:     ESP     IKEv2:     ESP                      
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   CAMELLIA_CBC       {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP          NSS(CBC)     camellia
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   AES_GCM_16         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm, aes_gcm_c
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   AES_GCM_12         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_b
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   AES_GCM_8          {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_a
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   AES_CTR            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CTR)     aesctr
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   AES_CBC            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     aes
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   NULL_AUTH_AES_GMAC {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_gmac
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   NULL               []             IKEv1:     ESP     IKEv2:     ESP                      
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   CHACHA20_POLY1305  [*256]         IKEv1:             IKEv2: IKE ESP          NSS(AEAD)    chacha20poly1305
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: Hash algorithms:
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   MD5                               IKEv1: IKE         IKEv2:                  NSS         
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   SHA1                              IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   SHA2_256                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   SHA2_384                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   SHA2_512                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   IDENTITY                          IKEv1:             IKEv2:             FIPS             
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: PRF algorithms:
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   HMAC_MD5                          IKEv1: IKE         IKEv2: IKE              native(HMAC) md5
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   HMAC_SHA1                         IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha, sha1
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   HMAC_SHA2_256                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256, sha2_256
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   HMAC_SHA2_384                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384, sha2_384
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   HMAC_SHA2_512                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512, sha2_512
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   AES_XCBC                          IKEv1:             IKEv2: IKE              native(XCBC) aes128_xcbc
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: Integrity algorithms:
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   HMAC_MD5_96                       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       native(HMAC) md5, hmac_md5
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   HMAC_SHA1_96                      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha, sha1, sha1_96, hmac_sha1
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   HMAC_SHA2_512_256                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha512, sha2_512, sha2_512_256, hmac_sha2_512
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   HMAC_SHA2_384_192                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha384, sha2_384, sha2_384_192, hmac_sha2_384
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   HMAC_SHA2_256_128                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   HMAC_SHA2_256_TRUNCBUG            IKEv1:     ESP AH  IKEv2:         AH                   
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   AES_XCBC_96                       IKEv1:     ESP AH  IKEv2: IKE ESP AH       native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   AES_CMAC_96                       IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS              aes_cmac
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   NONE                              IKEv1:     ESP     IKEv2: IKE ESP     FIPS              null
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: DH algorithms:
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   NONE                              IKEv1:             IKEv2: IKE ESP AH  FIPS NSS(MODP)    null, dh0
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   MODP1024                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh2
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   MODP1536                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh5
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   MODP2048                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh14
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   MODP3072                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh15
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   MODP4096                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh16
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   MODP6144                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh17
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   MODP8192                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh18
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   DH19                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_256, ecp256
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   DH20                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_384, ecp384
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   DH21                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_521, ecp521
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   DH31                              IKEv1: IKE         IKEv2: IKE ESP AH       NSS(ECP)     curve25519
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: IPCOMP algorithms:
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   DEFLATE                           IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS             
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   LZS                               IKEv1:             IKEv2:     ESP AH  FIPS             
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   LZJH                              IKEv1:             IKEv2:     ESP AH  FIPS             
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: testing CAMELLIA_CBC:
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Camellia: 16 bytes with 128-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Camellia: 16 bytes with 128-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Camellia: 16 bytes with 256-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Camellia: 16 bytes with 256-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: testing AES_GCM_16:
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   empty string
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   one block
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   two blocks
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   two blocks with associated data
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: testing AES_CTR:
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Encrypting 16 octets using AES-CTR with 128-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Encrypting 32 octets using AES-CTR with 128-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Encrypting 36 octets using AES-CTR with 128-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Encrypting 16 octets using AES-CTR with 192-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Encrypting 32 octets using AES-CTR with 192-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Encrypting 36 octets using AES-CTR with 192-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Encrypting 16 octets using AES-CTR with 256-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Encrypting 32 octets using AES-CTR with 256-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Encrypting 36 octets using AES-CTR with 256-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: testing AES_CBC:
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: testing AES_XCBC:
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: testing HMAC_MD5:
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   RFC 2104: MD5_HMAC test 1
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   RFC 2104: MD5_HMAC test 2
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]:   RFC 2104: MD5_HMAC test 3
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: 2 CPU cores online
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: starting up 2 helper threads
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: started thread for helper 0
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: started thread for helper 1
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: using Linux xfrm kernel support code on #14-Ubuntu SMP Wed Jun 1 20:54:22 UTC 2022
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: watchdog: sending probes every 100 secs
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: seccomp security not supported
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: helper(2) seccomp security for helper not supported
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: helper(1) seccomp security for helper not supported
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "l2tp-psk": added IKEv1 connection
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "xauth-psk": added IKEv1 connection
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "ikev2-cp": IKE SA proposals:
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "ikev2-cp":   1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "ikev2-cp":   2:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "ikev2-cp":   3:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "ikev2-cp":   4:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "ikev2-cp": Child SA proposals:
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "ikev2-cp":   1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "ikev2-cp":   2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-ENABLED+DISABLED
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "ikev2-cp":   3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ENABLED+DISABLED
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "ikev2-cp":   4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "ikev2-cp":   5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "ikev2-cp": loaded private key matching left certificate '13.229.231.202'
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: "ikev2-cp": added IKEv2 connection
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: listening for IKE messages
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: Kernel supports NIC esp-hw-offload
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: adding UDP interface ens5 172.31.24.32:500
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: adding UDP interface ens5 172.31.24.32:4500
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: adding UDP interface lo 127.0.0.1:500
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: adding UDP interface lo 127.0.0.1:4500
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: adding UDP interface lo [::1]:500
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: forgetting secrets
Jun 24 14:26:55 ip-172-31-24-32 pluto[7808]: loading secrets from "/etc/ipsec.secrets"
Jun 24 14:31:59 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #1: proposal 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[better-match] 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Jun 24 14:31:59 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #1: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Jun 24 14:31:59 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Jun 24 14:31:59 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #1: ignoring CERTREQ payload that is not ASN1: content is not binary ASN.1
Jun 24 14:31:59 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #1: reloaded private key matching left certificate '13.229.231.202'
Jun 24 14:31:59 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #1: responder established IKE SA; authenticated using PKCS#1 1.5 RSA with SHA1 and peer certificate 'CN=win, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Jun 24 14:31:59 ip-172-31-24-32 pluto[7808]: | pool 192.168.43.10-192.168.43.250: growing address pool from 0 to 1
Jun 24 14:31:59 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #2: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=01cb3c72 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
Jun 24 14:31:59 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #2: responder established Child SA using #1; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x01cb3c72 <0xc0ddd685 xfrm=AES_GCM_16_128-NONE NATD=182.138.240.177:45313 DPD=active}
Jun 24 14:42:39 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #2: ESP traffic information: in=629KB out=616KB
Jun 24 14:42:40 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #1: INFORMATIONAL request has duplicate Message ID 2; retransmitting response
Jun 24 14:42:40 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 641.868165s and NOT sending notification
Jun 24 14:42:40 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177: deleting connection instance with peer 182.138.240.177 {isakmp=#0/ipsec=#0}
Jun 24 14:50:17 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[2] 182.138.240.177 #3: proposal 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[better-match] 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Jun 24 14:50:17 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[2] 182.138.240.177 #3: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Jun 24 14:50:17 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[2] 182.138.240.177 #3: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Jun 24 14:50:17 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[2] 182.138.240.177 #3: ignoring CERTREQ payload that is not ASN1: content is not binary ASN.1
Jun 24 14:50:17 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[2] 182.138.240.177 #3: responder established IKE SA; authenticated using PKCS#1 1.5 RSA with SHA1 and peer certificate 'CN=win, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Jun 24 14:50:17 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[2] 182.138.240.177 #4: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=2b50d0be chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
Jun 24 14:50:18 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[2] 182.138.240.177 #4: responder established Child SA using #3; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x2b50d0be <0x27304000 xfrm=AES_GCM_16_128-NONE NATD=182.138.240.177:45313 DPD=active}
Jun 24 14:51:39 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[2] 182.138.240.177 #4: ESP traffic information: in=148KB out=182KB
Jun 24 14:51:39 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[2] 182.138.240.177 #3: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 82.11871s and NOT sending notification
Jun 24 14:51:39 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[2] 182.138.240.177: deleting connection instance with peer 182.138.240.177 {isakmp=#0/ipsec=#0}
Jun 24 14:52:00 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[3] 182.138.240.177 #5: proposal 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[better-match] 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Jun 24 14:52:00 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[3] 182.138.240.177 #5: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Jun 24 14:52:00 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[3] 182.138.240.177 #5: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Jun 24 14:52:00 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[3] 182.138.240.177 #5: ignoring CERTREQ payload that is not ASN1: content is not binary ASN.1
Jun 24 14:52:00 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[3] 182.138.240.177 #5: responder established IKE SA; authenticated using PKCS#1 1.5 RSA with SHA1 and peer certificate 'CN=win, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Jun 24 14:52:00 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[3] 182.138.240.177 #6: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=7326cabc chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
Jun 24 14:52:00 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[3] 182.138.240.177 #6: responder established Child SA using #5; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x7326cabc <0x847f17c6 xfrm=AES_GCM_16_128-NONE NATD=182.138.240.177:45313 DPD=active}
Jun 24 14:52:57 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[3] 182.138.240.177 #6: ESP traffic information: in=125KB out=189KB
Jun 24 14:52:57 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[3] 182.138.240.177 #5: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 56.835079s and NOT sending notification
Jun 24 14:52:57 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[3] 182.138.240.177: deleting connection instance with peer 182.138.240.177 {isakmp=#0/ipsec=#0}
Jun 24 14:54:44 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[4] 182.138.240.177 #7: proposal 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[better-match] 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Jun 24 14:54:44 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[4] 182.138.240.177 #7: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Jun 24 14:54:44 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[4] 182.138.240.177 #7: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Jun 24 14:54:44 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[4] 182.138.240.177 #7: ignoring CERTREQ payload that is not ASN1: content is not binary ASN.1
Jun 24 14:54:44 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[4] 182.138.240.177 #7: responder established IKE SA; authenticated using PKCS#1 1.5 RSA with SHA1 and peer certificate 'CN=win, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Jun 24 14:54:44 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[4] 182.138.240.177 #8: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=7467d0c8 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
Jun 24 14:54:44 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[4] 182.138.240.177 #8: responder established Child SA using #7; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x7467d0c8 <0xf13166d4 xfrm=AES_GCM_16_128-NONE NATD=182.138.240.177:45313 DPD=active}
Jun 24 14:55:38 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[4] 182.138.240.177 #8: ESP traffic information: in=129KB out=222KB
Jun 24 14:55:38 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[4] 182.138.240.177 #7: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 53.745334s and NOT sending notification
Jun 24 14:55:38 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[4] 182.138.240.177: deleting connection instance with peer 182.138.240.177 {isakmp=#0/ipsec=#0}
Jun 24 14:57:27 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[5] 182.138.240.177 #9: proposal 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[better-match] 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Jun 24 14:57:27 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[5] 182.138.240.177 #9: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Jun 24 14:57:28 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[5] 182.138.240.177 #9: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
Jun 24 14:57:28 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[5] 182.138.240.177 #9: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Jun 24 14:57:28 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[5] 182.138.240.177 #9: ignoring CERTREQ payload that is not ASN1: content is not binary ASN.1
Jun 24 14:57:28 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[5] 182.138.240.177 #9: responder established IKE SA; authenticated using PKCS#1 1.5 RSA with SHA1 and peer certificate 'CN=win, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Jun 24 14:57:28 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[5] 182.138.240.177 #10: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=55f982c8 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
Jun 24 14:57:28 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[5] 182.138.240.177 #10: responder established Child SA using #9; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x55f982c8 <0x2a66d819 xfrm=AES_GCM_16_128-NONE NATD=182.138.240.177:45313 DPD=active}
Jun 24 14:57:29 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[5] 182.138.240.177 #9: IKE_AUTH request fragment 1 of 7 has duplicate Message ID 1; retransmitting response
Jun 24 15:00:17 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[5] 182.138.240.177 #10: ESP traffic information: in=217KB out=364KB
Jun 24 15:00:17 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[5] 182.138.240.177 #9: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 170.130966s and NOT sending notification
Jun 24 15:00:17 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[5] 182.138.240.177: deleting connection instance with peer 182.138.240.177 {isakmp=#0/ipsec=#0}
Jun 24 15:10:18 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[6] 182.138.240.177 #11: proposal 2:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP2048[first-match] 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[better-match] 3:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP2048
Jun 24 15:10:18 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[6] 182.138.240.177 #11: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Jun 24 15:10:18 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[6] 182.138.240.177 #11: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Jun 24 15:10:18 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[6] 182.138.240.177 #11: ignoring CERTREQ payload that is not ASN1: content is not binary ASN.1
Jun 24 15:10:18 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[6] 182.138.240.177 #11: responder established IKE SA; authenticated using PKCS#1 1.5 RSA with SHA1 and peer certificate 'CN=win, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Jun 24 15:10:18 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[6] 182.138.240.177 #12: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=15887200 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
Jun 24 15:10:18 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[6] 182.138.240.177 #12: responder established Child SA using #11; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x15887200 <0xe004d392 xfrm=AES_GCM_16_128-NONE NATD=182.138.240.177:45313 DPD=active}
Jun 24 15:15:08 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[6] 182.138.240.177 #12: ESP traffic information: in=233KB out=441KB
Jun 24 15:15:08 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[6] 182.138.240.177 #11: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 290.361419s and NOT sending notification
Jun 24 15:15:08 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[6] 182.138.240.177: deleting connection instance with peer 182.138.240.177 {isakmp=#0/ipsec=#0}

=============================================== After disconnecting the VPN, grep xl2tpd /var/log/syslog:

ubuntu@ip-172-31-24-32:~$ grep xl2tpd /var/log/syslog
Jun 24 14:25:30 ip-172-31-24-32 xl2tpd[2988]: Not looking for kernel SAref support.
Jun 24 14:25:30 ip-172-31-24-32 xl2tpd[2988]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
Jun 24 14:25:30 ip-172-31-24-32 xl2tpd[2991]: xl2tpd version xl2tpd-1.3.16 started on ip-172-31-24-32 PID:2991
Jun 24 14:25:30 ip-172-31-24-32 xl2tpd[2983]: Starting xl2tpd: xl2tpd.
Jun 24 14:25:30 ip-172-31-24-32 xl2tpd[2991]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jun 24 14:25:30 ip-172-31-24-32 xl2tpd[2991]: Forked by Scott Balmos and David Stipp, (C) 2001
Jun 24 14:25:30 ip-172-31-24-32 xl2tpd[2991]: Inherited by Jeff McAdams, (C) 2002
Jun 24 14:25:30 ip-172-31-24-32 xl2tpd[2991]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Jun 24 14:25:30 ip-172-31-24-32 xl2tpd[2991]: Listening on IP address 0.0.0.0, port 1701
Jun 24 14:26:46 ip-172-31-24-32 xl2tpd[7408]: Stopping xl2tpd: xl2tpd.
Jun 24 14:26:46 ip-172-31-24-32 systemd[1]: xl2tpd.service: Deactivated successfully.
Jun 24 14:26:46 ip-172-31-24-32 systemd[1]: xl2tpd.service: Unit process 2991 (xl2tpd) remains running after unit stopped.
Jun 24 14:26:46 ip-172-31-24-32 systemd[1]: xl2tpd.service: Found left-over process 2991 (xl2tpd) in control group while starting unit. Ignoring.
Jun 24 14:26:46 ip-172-31-24-32 xl2tpd[2991]: death_handler: Fatal signal 15 received
Jun 24 14:26:46 ip-172-31-24-32 xl2tpd[7417]: Not looking for kernel SAref support.
Jun 24 14:26:46 ip-172-31-24-32 xl2tpd[7417]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
Jun 24 14:26:46 ip-172-31-24-32 xl2tpd[7413]: Starting xl2tpd: xl2tpd.
Jun 24 14:26:46 ip-172-31-24-32 xl2tpd[7419]: xl2tpd version xl2tpd-1.3.16 started on ip-172-31-24-32 PID:7419
Jun 24 14:26:46 ip-172-31-24-32 xl2tpd[7419]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jun 24 14:26:46 ip-172-31-24-32 xl2tpd[7419]: Forked by Scott Balmos and David Stipp, (C) 2001
Jun 24 14:26:46 ip-172-31-24-32 xl2tpd[7419]: Inherited by Jeff McAdams, (C) 2002
Jun 24 14:26:46 ip-172-31-24-32 xl2tpd[7419]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Jun 24 14:26:46 ip-172-31-24-32 xl2tpd[7419]: Listening on IP address 0.0.0.0, port 1701

=============================================== ipsec status:

ubuntu@ip-172-31-24-32:~$ ipsec status
whack: no right to communicate with pluto (access("/run/pluto/pluto.ctl"))
ubuntu@ip-172-31-24-32:~$ sudo -i
root@ip-172-31-24-32:~# ipsec status
000 using kernel interface: xfrm
000  
000 interface lo UDP [::1]:500
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface ens5 UDP 172.31.24.32:4500
000 interface ens5 UDP 172.31.24.32:500
000  
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000  
000 config setup options:
000  
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=4.7, pluto_vendorid=OE-Libreswan-4.7, audit-log=yes
000 nhelpers=-1, uniqueids=no, dnssec-enable=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=<unsupported>
000 debug:
000  
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - excluded subnets: 192.168.42.0/24, 192.168.43.0/24
000  
000 Kernel algorithms supported:
000  
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000  
000 IKE algorithms supported:
000  
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 Connection list:
000  
000 "ikev2-cp": 0.0.0.0/0===172.31.24.32[13.229.231.202,MS+S=C]---172.31.16.1...%any[%fromcert,+MC+S=C]; unrouted; eroute owner: #0
000 "ikev2-cp":     oriented; my_ip=unset; their_ip=unset; mycert=13.229.231.202; my_updown=ipsec _updown;
000 "ikev2-cp":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "ikev2-cp":   our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+ECDSA+RSASIG_v1_5, our autheap:none, their autheap:none;
000 "ikev2-cp":   modecfg info: us:server, them:client, modecfg policy:push, dns:8.8.8.8, 8.8.4.4, domains:unset, cat:unset;
000 "ikev2-cp":   sec_label:unset;
000 "ikev2-cp":   CAs: 'CN=IKEv2 VPN CA, O=IKEv2 VPN'...'CN=IKEv2 VPN CA, O=IKEv2 VPN'
000 "ikev2-cp":   ike_life: 86400s; ipsec_life: 86400s; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "ikev2-cp":   retransmit-interval: 500ms; retransmit-timeout: 300s; iketcp:no; iketcp-port:4500;
000 "ikev2-cp":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "ikev2-cp":   policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+DONT_REKEY+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "ikev2-cp":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "ikev2-cp":   conn_prio: 0,0; interface: ens5; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "ikev2-cp":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "ikev2-cp":   our idtype: ID_IPV4_ADDR; our id=13.229.231.202; their idtype: %fromcert; their id=%fromcert
000 "ikev2-cp":   liveness: active; dpdaction:clear; dpddelay:30s; retransmit-timeout:300s
000 "ikev2-cp":   nat-traversal: encaps:yes; keepalive:20s
000 "ikev2-cp":   newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $3;
000 "ikev2-cp":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
000 "ikev2-cp":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "l2tp-psk": 172.31.24.32/32:UDP/1701===172.31.24.32[13.229.231.202]---172.31.16.1...%any===0.0.0.0/0:UDP/0-65535; unrouted; eroute owner: #0
000 "l2tp-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "l2tp-psk":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "l2tp-psk":   our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "l2tp-psk":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "l2tp-psk":   sec_label:unset;
000 "l2tp-psk":   ike_life: 86400s; ipsec_life: 86400s; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "l2tp-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "l2tp-psk":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "l2tp-psk":   policy: IKEv1+PSK+ENCRYPT+DONT_REKEY+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "l2tp-psk":   conn_prio: 32,0; interface: ens5; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "l2tp-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "l2tp-psk":   our idtype: ID_IPV4_ADDR; our id=13.229.231.202; their idtype: %none; their id=(none)
000 "l2tp-psk":   dpd: active; action:clear; delay:30s; timeout:300s
000 "l2tp-psk":   nat-traversal: encaps:yes; keepalive:20s; ikev1-method:rfc+drafts
000 "l2tp-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $1;
000 "l2tp-psk":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "l2tp-psk":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000 "xauth-psk": 0.0.0.0/0===172.31.24.32[13.229.231.202,MS+XS+S=C]---172.31.16.1...%any[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "xauth-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "xauth-psk":   xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "xauth-psk":   our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "xauth-psk":   modecfg info: us:server, them:client, modecfg policy:pull, dns:8.8.8.8, 8.8.4.4, domains:unset, cat:unset;
000 "xauth-psk":   sec_label:unset;
000 "xauth-psk":   ike_life: 86400s; ipsec_life: 86400s; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5;
000 "xauth-psk":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "xauth-psk":   initial-contact:no; cisco-unity:yes; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "xauth-psk":   policy: IKEv1+PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+MODECFG_PULL+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "xauth-psk":   conn_prio: 0,0; interface: ens5; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "xauth-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "xauth-psk":   our idtype: ID_IPV4_ADDR; our id=13.229.231.202; their idtype: %none; their id=(none)
000 "xauth-psk":   dpd: active; action:clear; delay:30s; timeout:300s
000 "xauth-psk":   nat-traversal: encaps:yes; keepalive:20s; ikev1-method:rfc+drafts
000 "xauth-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $2;
000 "xauth-psk":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-MODP2048, AES_CBC_256-HMAC_SHA2_256-MODP1536, AES_CBC_128-HMAC_SHA2_256-MODP2048, AES_CBC_128-HMAC_SHA2_256-MODP1536, AES_CBC_256-HMAC_SHA1-MODP2048, AES_CBC_256-HMAC_SHA1-MODP1536, AES_CBC_128-HMAC_SHA1-MODP2048, AES_CBC_128-HMAC_SHA1-MODP1536, AES_CBC_256-HMAC_SHA2_256-MODP1024, AES_CBC_128-HMAC_SHA1-MODP1024
000 "xauth-psk":   ESP algorithms: AES_GCM_16-NONE, AES_CBC_128-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA1_96, AES_CBC_256-HMAC_SHA2_512_256, AES_CBC_128-HMAC_SHA2_256_128, AES_CBC_256-HMAC_SHA2_256_128
000  
000 Total IPsec connections: loaded 3, active 0
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000  
000 Bare Shunt list:
000  

Server information (please fill in the following)

Client information (please fill in the following)

Other information: with an Alibaba Cloud server everything works normally. This is my local DNS: [screenshot]

Penguin-Trading commented 2 years ago

One more question: when I used the Alibaba Cloud server, everything worked on Win10, but after switching to a Kali system the browser can open google.com but cannot access https://www.csdn.net/ . What could be the reason?

hwdsl2 commented 2 years ago

@Penguin-Trading Hi! Please try the three solutions at the following link and see whether they help: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#%E8%BF%9E%E6%8E%A5-ikev2-%E5%90%8E%E4%B8%8D%E8%83%BD%E6%89%93%E5%BC%80%E7%BD%91%E7%AB%99

Penguin-Trading commented 2 years ago

> @Penguin-Trading Hi! Please try the three solutions at the following link and see whether they help: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto-zh.md#%E8%BF%9E%E6%8E%A5-ikev2-%E5%90%8E%E4%B8%8D%E8%83%BD%E6%89%93%E5%BC%80%E7%BD%91%E7%AB%99

root@ip-172-31-24-32:~# ifconfig
ens5: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
        inet 172.31.24.32  netmask 255.255.240.0  broadcast 172.31.31.255
        inet6 fe80::5d:5eff:fe84:b9fa  prefixlen 64  scopeid 0x20
        ether 02:5d:5e:84:b9:fa  txqueuelen 1000  (Ethernet)
        RX packets 83664  bytes 96287094 (96.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 26618  bytes 5316518 (5.3 MB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 540  bytes 59312 (59.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 540  bytes 59312 (59.3 KB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

root@ip-172-31-24-32:~# sudo ifconfig ens5 mtu 1500

After changing the default MTU and running service ipsec restart and service xl2tpd restart, web pages still cannot be opened. Could this be related to AWS's public DNS? [screenshot]

hwdsl2 commented 2 years ago

@Penguin-Trading You can change the MTU back to 9001. This should have nothing to do with the public DNS you mentioned; that is just the DNS name of your AWS instance. Please also try this solution: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#android-mtumss-%E9%97%AE%E9%A2%98

Penguin-Trading commented 2 years ago

> @Penguin-Trading You can change the MTU back to 9001. This should have nothing to do with the public DNS you mentioned; that is just the DNS name of your AWS instance. Please also try this solution: https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-zh.md#android-mtumss-%E9%97%AE%E9%A2%98

ubuntu@ip-172-31-24-32:~$ sudo -i
root@ip-172-31-24-32:~# iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in \
  -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \
  -j TCPMSS --set-mss 1360
root@ip-172-31-24-32:~# iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out \
  -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \
  -j TCPMSS --set-mss 1360
root@ip-172-31-24-32:~# echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
root@ip-172-31-24-32:~# service ipsec restart
root@ip-172-31-24-32:~# service xl2tpd restart
root@ip-172-31-24-32:~#

I changed the MTU back to 9001 and tried again; it still does not work.

hwdsl2 commented 2 years ago

@Penguin-Trading What you said above, that after switching to Kali the browser can open google.com but cannot access https://www.csdn.net/, may be related to the DNS server on your Kali Linux. After connecting to IKEv2, Linux clients may keep using the locally configured DNS server; you can try changing the DNS configured in the local /etc/resolv.conf to, for example, Google Public DNS.

As for the IKEv2 problem where web pages cannot be opened, I think it may be related to AWS-specific configuration. You have already tried MTU 1500 (AWS uses MTU 9001 jumbo frames) and the other solutions I mentioned. Your logs look normal. I am not sure about the exact cause or other solutions. You could also try OpenVPN or WireGuard.
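The "your logs look normal" judgement above rests on each pluto connection instance following the same pattern: IKE SA authenticated with the expected certificate, a Child SA installed, ESP bytes counted in both directions, then a clean teardown. The following Python script is an added example (not part of this issue or of the setup-ipsec-vpn project) that folds the per-instance lines of `grep pluto /var/log/auth.log` into one record per instance and flags instances that break that pattern. The sample input is copied from the log posted above for instances [1] and [2]; instance [9] with peer 203.0.113.7 is constructed to show an IKE SA that never reaches a Child SA. The expected issuer CA string is taken from the log; the regexes also accept plain `ESP=>` tunnels and lines without `NATD=` so the parser is not tied to the NAT-T case shown here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lines copied from the pluto log in this issue (instances [1] and [2]).
# Instance [9] / peer 203.0.113.7 is CONSTRUCTED: IKE SA only, no Child SA.
SAMPLE_LOG = """\
Jun 24 14:31:59 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #1: responder established IKE SA; authenticated using PKCS#1 1.5 RSA with SHA1 and peer certificate 'CN=win, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Jun 24 14:31:59 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #2: responder established Child SA using #1; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x01cb3c72 <0xc0ddd685 xfrm=AES_GCM_16_128-NONE NATD=182.138.240.177:45313 DPD=active}
Jun 24 14:42:39 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #2: ESP traffic information: in=629KB out=616KB
Jun 24 14:42:40 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177 #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 641.868165s and NOT sending notification
Jun 24 14:42:40 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[1] 182.138.240.177: deleting connection instance with peer 182.138.240.177 {isakmp=#0/ipsec=#0}
Jun 24 14:50:17 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[2] 182.138.240.177 #3: responder established IKE SA; authenticated using PKCS#1 1.5 RSA with SHA1 and peer certificate 'CN=win, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Jun 24 14:50:18 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[2] 182.138.240.177 #4: responder established Child SA using #3; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x2b50d0be <0x27304000 xfrm=AES_GCM_16_128-NONE NATD=182.138.240.177:45313 DPD=active}
Jun 24 14:51:39 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[2] 182.138.240.177 #4: ESP traffic information: in=148KB out=182KB
Jun 24 14:51:39 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[2] 182.138.240.177 #3: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 82.11871s and NOT sending notification
Jun 24 16:00:00 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[9] 203.0.113.7 #20: responder established IKE SA; authenticated using PKCS#1 1.5 RSA with SHA1 and peer certificate 'CN=win, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Jun 24 16:05:00 ip-172-31-24-32 pluto[7808]: "ikev2-cp"[9] 203.0.113.7 #20: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 300.0s and NOT sending notification
"""

# Only per-instance lines ("conn"[n] peer [#sa]: msg) are interesting here.
LINE_RE = re.compile(
    r'^\w{3} +\d+ [\d:]+ \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
IKE_RE = re.compile(
    r"responder established IKE SA; authenticated using (?P<auth>.+?)"
    r"(?: and peer certificate '(?P<cert>[^']+)' issued by CA '(?P<ca>[^']+)'|$)"
)
CHILD_RE = re.compile(
    r"responder established Child SA using #(?P<ike>\d+); .*"
    r"\{ESP(?:inUDP)?=>0x(?P<spi_out>[0-9a-f]+) <0x(?P<spi_in>[0-9a-f]+) "
    r"xfrm=(?P<alg>\S+)(?: NATD=(?P<natd>\S+))?"
)
TRAFFIC_RE = re.compile(r"ESP traffic information: in=(?P<in>\d+)KB out=(?P<out>\d+)KB")
DELETE_RE = re.compile(r"deleting state \(STATE_V2_ESTABLISHED_IKE_SA\) aged (?P<age>[\d.]+)s")

EXPECTED_CA = "CN=IKEv2 VPN CA, O=IKEv2 VPN"  # issuer seen in this server's log


@dataclass
class Session:
    instance: int
    conn: str
    peer: str
    ike_sa: Optional[int] = None
    auth: Optional[str] = None
    peer_cert: Optional[str] = None
    issuer_ca: Optional[str] = None
    child_sa: Optional[int] = None
    spi_out: Optional[str] = None
    spi_in: Optional[str] = None
    esp_alg: Optional[str] = None
    natd: Optional[str] = None
    traffic_in_kb: int = 0
    traffic_out_kb: int = 0
    lifetime_s: Optional[float] = None


def parse_pluto_log(text: str) -> Dict[int, Session]:
    """Fold per-connection pluto lines into one Session per instance number."""
    sessions: Dict[int, Session] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # daemon startup chatter and pool lines carry no instance
        inst = int(m.group("inst"))
        s = sessions.setdefault(inst, Session(inst, m.group("conn"), m.group("peer")))
        sa = int(m.group("sa")) if m.group("sa") else None
        msg = m.group("msg")
        if (mm := IKE_RE.search(msg)):
            s.ike_sa, s.auth = sa, mm.group("auth")
            s.peer_cert, s.issuer_ca = mm.group("cert"), mm.group("ca")
        elif (mm := CHILD_RE.search(msg)):
            s.child_sa = sa
            s.spi_out, s.spi_in = mm.group("spi_out"), mm.group("spi_in")
            s.esp_alg, s.natd = mm.group("alg"), mm.group("natd")
        elif (mm := TRAFFIC_RE.search(msg)):
            s.traffic_in_kb += int(mm.group("in"))
            s.traffic_out_kb += int(mm.group("out"))
        elif (mm := DELETE_RE.search(msg)):
            s.lifetime_s = float(mm.group("age"))
    return sessions


def find_anomalies(sessions: Dict[int, Session], expected_ca: str = EXPECTED_CA) -> List[str]:
    """Flag instances that do not follow the healthy IKE SA -> Child SA -> traffic pattern."""
    findings: List[str] = []
    for s in sorted(sessions.values(), key=lambda x: x.instance):
        tag = f'"{s.conn}"[{s.instance}] {s.peer}'
        if s.ike_sa is None:
            findings.append(f"{tag}: no IKE SA was authenticated")
        elif s.child_sa is None:
            findings.append(f"{tag}: IKE SA #{s.ike_sa} authenticated but no Child SA was established")
        elif s.traffic_in_kb == 0 and s.traffic_out_kb == 0 and s.lifetime_s is not None:
            findings.append(f"{tag}: Child SA #{s.child_sa} carried no ESP traffic before teardown")
        if s.issuer_ca is not None and s.issuer_ca != expected_ca:
            findings.append(f"{tag}: peer certificate issued by unexpected CA '{s.issuer_ca}'")
    return findings


if __name__ == "__main__":
    parsed = parse_pluto_log(SAMPLE_LOG)
    for sess in parsed.values():
        print(f"[{sess.instance}] {sess.peer} cert={sess.peer_cert} esp={sess.esp_alg} "
              f"in={sess.traffic_in_kb}KB out={sess.traffic_out_kb}KB life={sess.lifetime_s}s")
    for finding in find_anomalies(parsed):
        print("ANOMALY:", finding)
```

Run against the full `grep pluto /var/log/auth.log` output instead of `SAMPLE_LOG` to get the same per-instance summary for a real server; in this issue every instance passes, which is what makes the problem a routing, MTU or DNS question rather than an IKE one.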