zhangke5959 / strongswan

An IPsec VPN supporting the Chinese national (GM) SM1, SM2, SM3 and SM4 algorithms.

Guys, help! host-host cannot establish a connection! Please help me look at the problem #21

Open bin-wang1 opened 1 year ago

bin-wang1 commented 1 year ago

host-host cannot establish a connection! Please help me look at the problem.

Config:

server:

    connections {
        host-host {
            proposals = sm4cbc-sm3-sm2dh
            local_addrs = 192.168.133.128
            remote_addrs = 192.168.133.129
            local {
                auth = pubkey
                id = "Alt name for server"
                certs = server.cert.pem
            }
            remote {
                auth = pubkey
                id = "Alt name for end entity"
            }
            children {
                host-host {
                    local_ts = dynamic[udp/8887-8888]
                    remote_ts = 192.168.133.0/24[udp/81-65535]
                    esp_proposals = sm4cbc-sm3-sm2dh
                    updown = /opt/ss-gmalg/libexec/ipsec/_updown iptables
                }
            }
        }
    }

client:

    connections {
        host-host {
            proposals = sm4cbc-sm3-sm2dh
            local_addrs = 192.168.133.129
            remote_addrs = 192.168.133.128
            local {
                auth = pubkey
                id = "Alt name for end entity"
                certs = client.cert.pem
            }
            remote {
                auth = pubkey
                id = "Alt name for server"
            }
            children {
                host-host {
                    remote_ts = 192.168.133.0/24[udp/8887-8888]
                    local_ts = dynamic[udp/81-65535]
                    esp_proposals = sm4cbc-sm3-sm2dh
                    updown = /opt/ss-gmalg/libexec/ipsec/_updown iptables
                }
            }
        }
    }

Problem:

server:

    06[NET] received packet: from 192.168.133.129[500] to 192.168.133.128[500] (274 bytes)
    06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    06[IKE] 192.168.133.129 is initiating an IKE_SA
    06[CFG] selected proposal: IKE:SM4_CBC_128/HMAC_SM3/PRF_HMAC_SM3/CURVE_SM2
    06[IKE] remote host is behind NAT
    06[IKE] sending cert request for "C=Country, O=Company Name, CN=Unit Name"
    06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
    06[NET] sending packet: from 192.168.133.128[500] to 192.168.133.129[500] (307 bytes)
    16[NET] received packet: from 192.168.133.129[4500] to 192.168.133.128[4500] (864 bytes)
    16[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    16[IKE] received cert request for "C=Country, O=Company Name, CN=Unit Name"
    16[IKE] received end entity cert "C=Country, O=Company Name, CN=End Entity Name"
    16[CFG] looking for peer configs matching 192.168.133.128[Alt name for server]...192.168.133.129[Alt name for end entity]
    16[CFG] selected peer config 'host-host'
    16[CFG] using certificate "C=Country, O=Company Name, CN=End Entity Name"
    16[CFG] using trusted ca certificate "C=Country, O=Company Name, CN=Unit Name"
    16[CFG] checking certificate status of "C=Country, O=Company Name, CN=End Entity Name"
    16[CFG] certificate status is not available
    16[CFG] reached self-signed root ca with a path length of 0
    16[IKE] authentication of 'Alt name for end entity' with SM2_WITH_SM3 successful
    16[IKE] peer supports MOBIKE
    16[IKE] authentication of 'Alt name for server' (myself) with SM2_WITH_SM3 successful
    16[IKE] IKE_SA host-host[6] established between 192.168.133.128[Alt name for server]...192.168.133.129[Alt name for end entity]
    16[IKE] scheduling rekeying in 13810s
    16[IKE] maximum IKE_SA lifetime 15250s
    16[IKE] sending end entity cert "C=Country, O=Company Name, CN=Unit Name"
    16[CFG] selected proposal: ESP:SM4_CBC_128/HMAC_SM3/NO_EXT_SEQ
    16[KNL] can't install route for 192.168.133.128/32[udp/8887-8888] === 192.168.133.129/32[udp/81-65535] out, conflicts with IKE traffic
    16[IKE] unable to install IPsec policies (SPD) in kernel
    16[IKE] failed to establish CHILD_SA, keeping IKE_SA
    16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
    16[NET] sending packet: from 192.168.133.128[4500] to 192.168.133.129[4500] (704 bytes)
    ^Cdisconnecting...

client:

    [IKE] initiating IKE_SA host-host[7] to 192.168.133.128
    [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    [NET] sending packet: from 192.168.133.129[500] to 192.168.133.128[500] (274 bytes)
    [NET] received packet: from 192.168.133.128[500] to 192.168.133.129[500] (307 bytes)
    [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
    [CFG] selected proposal: IKE:SM4_CBC_128/HMAC_SM3/PRF_HMAC_SM3/CURVE_SM2
    [IKE] remote host is behind NAT
    [IKE] received cert request for "C=Country, O=Company Name, CN=Unit Name"
    [IKE] sending cert request for "C=Country, O=Company Name, CN=Unit Name"
    [IKE] authentication of 'Alt name for end entity' (myself) with SM2_WITH_SM3 successful
    [IKE] sending end entity cert "C=Country, O=Company Name, CN=End Entity Name"
    [IKE] establishing CHILD_SA host-host{7}
    [ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    [NET] sending packet: from 192.168.133.129[4500] to 192.168.133.128[4500] (864 bytes)
    [NET] received packet: from 192.168.133.128[4500] to 192.168.133.129[4500] (704 bytes)
    [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
    [IKE] received end entity cert "C=Country, O=Company Name, CN=Unit Name"
    [CFG] using certificate "C=Country, O=Company Name, CN=Unit Name"
    [CFG] using trusted ca certificate "C=Country, O=Company Name, CN=Unit Name"
    [CFG] checking certificate status of "C=Country, O=Company Name, CN=Unit Name"
    [CFG] certificate status is not available
    [CFG] reached self-signed root ca with a path length of 0
    [IKE] authentication of 'Alt name for server' with SM2_WITH_SM3 successful
    [IKE] IKE_SA host-host[7] established between 192.168.133.129[Alt name for end entity]...192.168.133.128[Alt name for server]
    [IKE] scheduling rekeying in 13122s
    [IKE] maximum IKE_SA lifetime 14562s
    [IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
    [IKE] failed to establish CHILD_SA, keeping IKE_SA
    [IKE] peer supports MOBIKE
    initiate failed: establishing CHILD_SA 'host-host' failed
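The server log above shows that IKE and certificate authentication succeed and the failure is confined to the CHILD_SA: `can't install route for 192.168.133.128/32[udp/8887-8888] === 192.168.133.129/32[udp/81-65535] out, conflicts with IKE traffic`. The remote-side port range `81-65535` contains UDP 500 and 4500, the ports on which IKE itself runs between these two hosts, so a policy for that selector pair would also match the daemon's own IKE packets. The following script is an added illustration, not the poster's code and not strongSwan's implementation: it parses traffic selectors in the notation strongSwan prints and flags any side whose selector covers its own IKE endpoint on 500/4500. It is a simplified model of that overlap; the real check lives in strongSwan's kernel plugin and may differ in detail. The sample selectors are the ones from this issue; `dynamic` is resolved to the address supplied by the caller.

```python
"""Flag swanctl traffic selectors that would capture IKE traffic (udp/500, udp/4500).

Added example for this issue; a simplified model, not strongSwan's own check.
"""
import ipaddress
import re

IKE_PORTS = (500, 4500)  # UDP ports used by IKEv2 and NAT-T (RFC 7296, RFC 3948)

# Accepts "192.168.133.0/24[udp/81-65535]", "192.168.133.128/32[udp/8887]",
# "10.0.0.1/32[udp]", a bare "10.0.0.1/32", and "dynamic[udp/8887-8888]".
_TS_RE = re.compile(
    r"^(?P<net>dynamic|[0-9.]+(?:/\d{1,2})?)"
    r"(?:\[(?P<proto>[a-z0-9]+)(?:/(?P<lo>\d+)(?:-(?P<hi>\d+))?)?\])?$"
)


def parse_ts(text):
    """Parse one selector into {"net", "proto", "ports"}; net is None for 'dynamic'."""
    m = _TS_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised traffic selector: %r" % text)
    lo = int(m["lo"]) if m["lo"] else 0
    hi = int(m["hi"]) if m["hi"] else (lo if m["lo"] else 65535)
    net = None if m["net"] == "dynamic" else ipaddress.ip_network(m["net"], strict=False)
    return {"net": net, "proto": m["proto"] or "any", "ports": (lo, hi)}


def ts_covers(ts, addr, port):
    """True if the selector matches UDP traffic for addr:port.

    A 'dynamic' selector stands for the host's own address, so it always
    matches the address and only the protocol and port range are checked.
    """
    in_net = ts["net"] is None or ipaddress.ip_address(addr) in ts["net"]
    proto_ok = ts["proto"] in ("any", "udp", "17")
    lo, hi = ts["ports"]
    return in_net and proto_ok and lo <= port <= hi


def ike_conflicts(local_ts, remote_ts, local_addr, remote_addr):
    """Return (side, port) pairs where a selector covers that side's IKE endpoint.

    local_addr/remote_addr are the IKE endpoints (local_addrs/remote_addrs).
    An empty list means neither selector overlaps the IKE ports.
    """
    lts, rts = parse_ts(local_ts), parse_ts(remote_ts)
    hits = []
    for port in IKE_PORTS:
        if ts_covers(lts, local_addr, port):
            hits.append(("local", port))
        if ts_covers(rts, remote_addr, port):
            hits.append(("remote", port))
    return hits


# Constructed sample: the selector pair and endpoints from the server log in this issue.
SERVER_CASE = {
    "local_ts": "192.168.133.128/32[udp/8887-8888]",
    "remote_ts": "192.168.133.129/32[udp/81-65535]",
    "local_addr": "192.168.133.128",
    "remote_addr": "192.168.133.129",
}

if __name__ == "__main__":
    for side, port in ike_conflicts(**SERVER_CASE):
        print("%s selector covers IKE port udp/%d" % (side, port))
    # A remote selector limited to the application ports does not overlap IKE:
    narrowed = dict(SERVER_CASE, remote_ts="192.168.133.129/32[udp/8887-8888]")
    print("narrowed:", ike_conflicts(**narrowed))
```

Running it on the server's selector pair reports the remote side for both udp/500 and udp/4500, which matches the `conflicts with IKE traffic` line; the client's `local_ts = dynamic[udp/81-65535]` is flagged on the local side in the same way. A selector pair whose port ranges exclude 500 and 4500 on the IKE endpoints, or whose addresses do not include the IKE peers at all, comes back empty.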