hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

IKEv2 is configured, but unable to connect to the VPN server #1312

Closed kevinliukaiwen closed 1 year ago

kevinliukaiwen commented 1 year ago

I have already gone through the troubleshooting steps and could not find the problem. Using my own mobile data I can ping the VPS server, but I just cannot connect to the server.

kevinliukaiwen commented 1 year ago


kevinliukaiwen commented 1 year ago


hwdsl2 commented 1 year ago

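@kevinliukaiwen Hello! Your logs do not show a connection request from the VPN client, which means the connection request did not reach the server. For servers with an external firewall (e.g. EC2/GCE), you need to open UDP ports 500 and 4500 for the VPN. Aliyun users, please see #433.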
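One way to run the check described in this reply over a pluto log (added example, not part of the original thread or the project's code). The sample log lines are constructed with documentation addresses, and the peer-line patterns assume Libreswan's usual `packet from <ip>:<port>:` and `"conn"[N] <ip> #N:` message prefixes.

```python
import ipaddress
import re

# Syslog-wrapped pluto line: "Jan 5 09:42:29 host pluto[1001]: <message>"
PLUTO = re.compile(r"pluto\[\d+\]: (?P<msg>.*)$")
# Socket bound at startup: "adding UDP interface eth0 198.51.100.10:500"
LISTEN = re.compile(r"^adding UDP interface \S+ (?P<addr>\S+):(?P<port>\d+)$")
# Connection loaded from config: '"ikev2-cp": added IKEv2 connection'
ADDED = re.compile(r'^"(?P<conn>[^"]+)": added IKEv2 connection')
# Peer activity (assumed prefixes): a packet not yet tied to a state, or a
# connection instance bound to a remote address.
PEER = re.compile(
    r'^(?:packet from (?P<pkt>[0-9A-Fa-f.:]+):\d+:'
    r'|"[^"]+"\[\d+\] (?P<inst>[0-9A-Fa-f.:]+) #\d+:)'
)

HINTS = {
    "not-listening": "pluto is not bound to UDP 500 and 4500 on a public interface",
    "no-ikev2-conn": "no IKEv2 connection was loaded; check the server configuration",
    "no-inbound-ike": "server side looks ready but no client packet was logged; "
                      "check filtering of UDP 500/4500 between client and server",
    "peer-seen": "client traffic reached pluto; read the handshake messages next",
}


def triage(lines):
    """Classify a pluto log: is the server ready, and did any client reach it?"""
    ports, conns, peers = set(), set(), set()
    for line in lines:
        m = PLUTO.search(line)
        if not m:
            continue  # not a pluto line (e.g. xl2tpd, systemd)
        msg = m["msg"].strip()
        if (hit := LISTEN.match(msg)):
            try:
                addr = ipaddress.ip_address(hit["addr"].strip("[]"))
            except ValueError:
                continue
            if not addr.is_loopback:  # loopback sockets say nothing about reachability
                ports.add(int(hit["port"]))
        elif (hit := ADDED.match(msg)):
            conns.add(hit["conn"])
        elif (hit := PEER.match(msg)):
            peers.add(hit["pkt"] or hit["inst"])
    if not {500, 4500} <= ports:
        verdict = "not-listening"
    elif not conns:
        verdict = "no-ikev2-conn"
    elif not peers:
        verdict = "no-inbound-ike"
    else:
        verdict = "peer-seen"
    return {"ports": ports, "conns": conns, "peers": peers,
            "verdict": verdict, "hint": HINTS[verdict]}


# Constructed sample: a server that started cleanly and never heard from a client.
SERVER_ONLY = """\
Jan 5 09:42:29 vpn pluto[1001]: "ikev2-cp": added IKEv2 connection
Jan 5 09:42:29 vpn pluto[1001]: listening for IKE messages
Jan 5 09:42:29 vpn pluto[1001]: adding UDP interface eth0 198.51.100.10:500
Jan 5 09:42:29 vpn pluto[1001]: adding UDP interface eth0 198.51.100.10:4500
Jan 5 09:42:29 vpn pluto[1001]: adding UDP interface lo 127.0.0.1:500
Jan 5 09:42:29 vpn pluto[1001]: adding UDP interface lo [::1]:4500
""".splitlines()

# Constructed sample: the same server after one client packet arrived.
WITH_CLIENT = SERVER_ONLY + [
    'Jan 5 09:43:02 vpn pluto[1001]: "ikev2-cp"[1] 203.0.113.7 #1: sent IKE_SA_INIT reply',
]

if __name__ == "__main__":
    for name, log in (("server only", SERVER_ONLY), ("with client", WITH_CLIENT)):
        result = triage(log)
        print(f"{name}: {result['verdict']} ({result['hint']})")
```

A `no-inbound-ike` result corresponds to the situation in this thread: the daemon is listening and the IKEv2 connection is loaded, so the next place to look is whatever sits between the client and UDP ports 500 and 4500.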

kevinliukaiwen commented 1 year ago

image

kevinliukaiwen commented 1 year ago

Ports 500 and 4500 are both open, but I still cannot connect.

hwdsl2 commented 1 year ago

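@kevinliukaiwen If your server uses an external firewall such as Vultr firewall, you need to open the above ports in the external firewall as well. If you still cannot connect, you can try reinstalling on a different server.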

kevinliukaiwen commented 1 year ago

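> @kevinliukaiwen If your server uses an external firewall such as Vultr firewall, you need to open the above ports in the external firewall as well. If you still cannot connect, you can try reinstalling on a different server.

I switched servers and it still does not work. It is set up on a Vultr server, and the firewall is not enabled.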

kevinliukaiwen commented 1 year ago

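> @kevinliukaiwen Hello! Your logs do not show a connection request from the VPN client, which means the connection request did not reach the server. For servers with an external firewall (e.g. EC2/GCE), you need to open UDP ports 500 and 4500 for the VPN. Aliyun users, please see #433.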

image

kevinliukaiwen commented 1 year ago

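> @kevinliukaiwen If your server uses an external firewall such as Vultr firewall, you need to open the above ports in the external firewall as well. If you still cannot connect, you can try reinstalling on a different server.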

image

kevinliukaiwen commented 1 year ago

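> @kevinliukaiwen If your server uses an external firewall such as Vultr firewall, you need to open the above ports in the external firewall as well. If you still cannot connect, you can try reinstalling on a different server.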

image

I tested it myself: ports 500 and 4500 are both blocked by the Great Firewall. Is there any way to solve this?

hwdsl2 commented 1 year ago

@kevinliukaiwen Hello! In this situation, IPsec VPN is relatively easy to interfere with. I suggest switching to another solution such as Shadowsocks.