I'm trying to set up a strongSwan IPsec server on 18.04.
My ipsec.conf is:
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="cfg 2"

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=no
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@domain.com
    leftcert=/etc/ssl/certs/domain.com.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=192.168.1.1
    rightsourceip=10.11.12.0/24
    rightsendcert=never
    eap_identity=%identity
My ipsec.secrets is:
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
domain.com : RSA /etc/ssl/private/strongswan.key
user %any% : EAP "pass"
As far as I can tell, I have set up ufw to let the traffic through:
administrator@fserver:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
80,443/tcp (Apache Full) ALLOW IN Anywhere
22/tcp (OpenSSH) ALLOW IN Anywhere
137,138/udp (Samba) ALLOW IN Anywhere
139,445/tcp (Samba) ALLOW IN Anywhere
3389/tcp ALLOW IN Anywhere
8085/tcp ALLOW IN Anywhere
35000:36000/tcp ALLOW IN Anywhere # deluge
10000:20000/tcp ALLOW IN Anywhere # ftp passive
20:21/tcp ALLOW IN Anywhere # ftp
990/tcp ALLOW IN Anywhere # ftp tls
192.168.1.2/esp ALLOW IN Anywhere
500 ALLOW IN Anywhere # ipsec
4500 ALLOW IN Anywhere # ipsec
192.168.1.2/ah ALLOW IN Anywhere
80,443/tcp (Apache Full (v6)) ALLOW IN Anywhere (v6)
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
137,138/udp (Samba (v6)) ALLOW IN Anywhere (v6)
139,445/tcp (Samba (v6)) ALLOW IN Anywhere (v6)
3389/tcp (v6) ALLOW IN Anywhere (v6)
8085/tcp (v6) ALLOW IN Anywhere (v6)
35000:36000/tcp (v6) ALLOW IN Anywhere (v6) # deluge
10000:20000/tcp (v6) ALLOW IN Anywhere (v6) # ftp passive
20:21/tcp (v6) ALLOW IN Anywhere (v6) # ftp
990/tcp (v6) ALLOW IN Anywhere (v6) # ftp tls
500 (v6) ALLOW IN Anywhere (v6) # ipsec
4500 (v6) ALLOW IN Anywhere (v6) # ipsec
Unfortunately I can't connect from Windows 10. When I try to connect on Windows it sits at "Verifying login information", then stops with an error message saying the connection could not be established because the server stopped responding.
My syslog shows:
Jul 3 11:20:51 fserver charon: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul 3 11:20:51 fserver charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul 3 11:20:51 fserver ipsec[4349]: 06[ENC] generating INFORMATIONAL_V1 request 3859798652 [ N(NO_PROP) ]
Jul 3 11:20:51 fserver ipsec[4349]: 06[NET] sending packet: from 192.168.1.2[500] to 216.218.206.70[50231] (40 bytes)
Jul 3 11:20:51 fserver ipsec[4349]: 08[NET] received packet: from 216.218.206.98[28703] to 192.168.1.2[500] (64 bytes)
Jul 3 11:20:51 fserver ipsec[4349]: 08[ENC] parsed ID_PROT request 0 [ SA ]
Jul 3 11:20:51 fserver ipsec[4349]: 08[CFG] looking for an ike config for 192.168.1.2...216.218.206.98
Jul 3 11:20:51 fserver ipsec[4349]: 08[IKE] no IKE config found for 192.168.1.2...216.218.206.98, sending NO_PROPOSAL_CHOSEN
Jul 3 11:20:51 fserver ipsec[4349]: 08[ENC] generating INFORMATIONAL_V1 request 1302012061 [ N(NO_PROP) ]
Jul 3 11:20:51 fserver ipsec[4349]: 08[NET] sending packet: from 192.168.1.2[500] to 216.218.206.98[28703] (40 bytes)
Jul 3 11:20:51 fserver ipsec[4349]: 10[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul 3 11:20:51 fserver ipsec[4349]: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] candidate: %any...%any, prio 28
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] found matching ike config: %any...%any with prio 28
Jul 3 11:20:51 fserver ipsec[4349]: 10[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul 3 11:20:51 fserver ipsec[4349]: 10[IKE] received MS-Negotiation Discovery Capable vendor ID
Jul 3 11:20:51 fserver ipsec[4349]: 10[IKE] received Vid-Initial-Contact vendor ID
Jul 3 11:20:51 fserver ipsec[4349]: 10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul 3 11:20:51 fserver ipsec[4349]: 10[IKE] 142.68.61.15 is initiating an IKE_SA
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] proposal matches
Jul 3 11:20:51 fserver charon: 13[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 3 11:20:51 fserver ipsec[4349]: 10[IKE] local host is behind NAT, sending keep alives
Jul 3 11:20:51 fserver ipsec[4349]: 10[IKE] remote host is behind NAT
Jul 3 11:20:51 fserver ipsec[4349]: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 3 11:20:51 fserver ipsec[4349]: 10[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul 3 11:20:51 fserver ipsec[4349]: 11[IKE] sending keep alive to 142.68.61.15[500]
Jul 3 11:20:51 fserver ipsec[4349]: 12[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout
Jul 3 11:20:51 fserver ipsec[4349]: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul 3 11:20:51 fserver ipsec[4349]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul 3 11:20:51 fserver ipsec[4349]: 13[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul 3 11:20:51 fserver ipsec[4349]: 13[CFG] candidate: %any...%any, prio 28
Jul 3 11:20:51 fserver ipsec[4349]: 13[CFG] found matching ike config: %any...%any with prio 28
Jul 3 11:20:51 fserver charon: 13[CFG] candidate: %any...%any, prio 28
Jul 3 11:20:51 fserver ipsec[4349]: 13[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul 3 11:20:51 fserver charon: 13[CFG] found matching ike config: %any...%any with prio 28
Jul 3 11:20:51 fserver charon: 13[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul 3 11:20:51 fserver charon: 13[IKE] received MS-Negotiation Discovery Capable vendor ID
Jul 3 11:20:51 fserver charon: 13[IKE] received Vid-Initial-Contact vendor ID
Jul 3 11:20:51 fserver charon: 13[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul 3 11:20:51 fserver charon: 13[IKE] 142.68.61.15 is initiating an IKE_SA
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] proposal matches
Jul 3 11:20:51 fserver charon: 13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul 3 11:20:51 fserver charon: 13[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 3 11:20:51 fserver charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 3 11:20:51 fserver charon: 13[IKE] local host is behind NAT, sending keep alives
Jul 3 11:20:51 fserver charon: 13[IKE] remote host is behind NAT
Jul 3 11:20:51 fserver charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 3 11:20:51 fserver charon: 13[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul 3 11:21:11 fserver charon: 15[IKE] sending keep alive to 142.68.61.15[500]
Jul 3 11:21:21 fserver charon: 01[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout
Windows doesn't seem to send any further packets. I have forwarded ports 500 and 4500.
Maybe it's because ufw isn't set up correctly; I'm willing to dig into iptables, but would rather not if it isn't necessary.
Best answer
If you can rule out that a firewall is blocking the requests, a likely cause is IP fragmentation (you can check with tcpdump/Wireshark whether the messages are actually sent/received).
If the IKE_AUTH message is too large (e.g. because of a large client certificate or many certificate requests), it gets split into several IP fragments. Such fragments are often dropped by firewalls/routers.
One option to avoid this is using IKEv2 fragmentation, but not all clients support this extension yet. For instance, Windows 10 did not support it until the 2018 spring update. But if you update your client you should be able to set fragmentation=yes to use IKEv2 fragmentation.
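As an added example (not part of the question or the answer above), the following Python module decodes an IKEv2 header and payload chain and renders it in the same `[ SA KE No N(...) V ]` notation charon uses in the log, so that from a packet capture you can tell whether the client advertised IKEv2 fragmentation support (the `N(FRAG_SUP)` notify of RFC 7383); the client's IKE_SA_INIT in the log above carries none. It also estimates how a large IKE_AUTH would split into IP fragments at a given MTU versus into IKEv2 fragments. The sample messages are constructed with filler bodies (not real key material), the fragmentation arithmetic is a simplified model rather than strongSwan's code, and the 1280-byte default mirrors strongSwan's documented `charon.fragment_size` default (check your version's strongswan.conf).

```python
"""Decode IKEv2 messages as charon logs them and estimate IP vs. IKEv2 fragmentation."""
import struct

IKE_HEADER_LEN = 28  # RFC 7296 section 3.1
EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
# Payload type numbers (RFC 7296 section 3.2; 53 from RFC 7383) with charon's short names
PAYLOAD = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
           40: "No", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP",
           48: "EAP", 53: "SKF"}
# Notify types seen in the log above, plus the RFC 7383 capability notify
NOTIFY = {14: "NO_PROP", 16388: "NATD_S_IP", 16389: "NATD_D_IP", 16404: "MULT_AUTH",
          16430: "FRAG_SUP"}

def parse_header(data):
    """Return the fixed IKE header fields; reject non-IKEv2 and Length mismatches."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("short IKE header")
    ispi, rspi, nxt, ver, xchg, flags, msgid, length = struct.unpack("!QQBBBBII", data[:IKE_HEADER_LEN])
    if ver >> 4 != 2:
        raise ValueError("not IKEv2 (major version %d)" % (ver >> 4))
    if length != len(data):
        raise ValueError("Length field %d does not match %d bytes received" % (length, len(data)))
    return {"ispi": ispi, "rspi": rspi, "next_payload": nxt, "exchange": EXCHANGE.get(xchg, str(xchg)),
            "response": bool(flags & 0x20), "msgid": msgid, "length": length}

def walk_payloads(data):
    """Follow the Next Payload chain and name every payload, bounds-checking each length."""
    hdr = parse_header(data)
    names, ptype, off = [], hdr["next_payload"], IKE_HEADER_LEN
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, crit, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        body = data[off + 4:off + plen]
        name = PAYLOAD.get(ptype)
        if name is None:
            if crit & 0x80:  # unknown critical payload: the message must be rejected
                raise ValueError("unknown critical payload type %d" % ptype)
            name = "?%d" % ptype
        elif ptype == 41:  # Notify: Protocol ID, SPI Size, Notify Message Type, SPI, data
            if len(body) < 4:
                raise ValueError("short Notify payload at offset %d" % off)
            ntype = struct.unpack("!H", body[2:4])[0]
            name = "N(%s)" % NOTIFY.get(ntype, str(ntype))
        names.append(name)
        ptype, off = nxt, off + plen
    if off != len(data):
        raise ValueError("%d trailing bytes after last payload" % (len(data) - off))
    return hdr, names

def charon_summary(data):
    """Render the message the way charon's '[ENC] parsed ...' log line does."""
    hdr, names = walk_payloads(data)
    kind = "response" if hdr["response"] else "request"
    return "parsed %s %s %d [ %s ]" % (hdr["exchange"], kind, hdr["msgid"], " ".join(names))

def peer_supports_ikev2_fragmentation(data):
    return "N(FRAG_SUP)" in walk_payloads(data)[1]  # IKEV2_FRAGMENTATION_SUPPORTED present

def ip_fragments_needed(ike_len, mtu=1500):
    """IPv4 fragments for one UDP datagram (20-byte IP header, 8-byte UDP header, 8-byte units)."""
    per_fragment = ((mtu - 20) // 8) * 8
    return -(-(8 + ike_len) // per_fragment)

def ikev2_fragments_needed(plaintext_len, fragment_size=1280, iv_len=16, icv_len=12, block=16):
    """Simplified RFC 7383 model (an assumption, not strongSwan's exact algorithm): the SK
    plaintext is split into SKF payloads so every fragment's whole IP datagram fits in
    fragment_size. Overhead: IP 20 + UDP 8 + IKE header 28 + SKF header 8 + IV + ICV; the
    encrypted part is block-padded and ends with a 1-byte Pad Length. Defaults model
    AES-CBC/HMAC-SHA1-96, the IKE proposal selected in the log above."""
    budget = fragment_size - (20 + 8 + 28 + 8 + iv_len + icv_len)
    per_fragment = (budget // block) * block - 1
    if per_fragment <= 0:
        raise ValueError("fragment_size too small for the per-fragment overhead")
    return -(-plaintext_len // per_fragment)

def build_message(exchange, flags, msgid, payloads):
    """Assemble a message from (payload type, body) pairs; used only to construct samples."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!QQBBBBII", 0x1122334455667788, 0, first, 0x20, exchange, flags,
                         msgid, IKE_HEADER_LEN + len(chain))
    return header + chain

def notify(ntype, data=b""):
    """Notify body addressed to the IKE SA itself: Protocol ID 0, SPI Size 0."""
    return struct.pack("!BBH", 0, 0, ntype) + data

# Constructed sample with the payload chain charon logged for the Windows client:
# SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V (bodies are filler, not real values)
_COMMON = [(33, b"\x00" * 44), (34, b"\x00\x02\x00\x00" + b"\x11" * 128), (40, b"\x22" * 32),
           (41, notify(16388, b"\x33" * 20)), (41, notify(16389, b"\x44" * 20)),
           (43, b"\x55" * 20), (43, b"\x66" * 20), (43, b"\x77" * 20), (43, b"\x88" * 20)]
SAMPLE_INIT_NO_FRAG = build_message(34, 0x08, 0, _COMMON)
# The same request from a client that advertises IKEv2 fragmentation
SAMPLE_INIT_FRAG = build_message(34, 0x08, 0, _COMMON + [(41, notify(16430))])
```

To run it against a real capture, export the UDP payload of the client's IKE_SA_INIT from Wireshark and pass the bytes to `charon_summary`; for packets on UDP 4500, strip the 4-byte zero Non-ESP marker (RFC 3948) first, since the decoder expects the message to start at the IKE header. A `ValueError` on a message whose Length field exceeds the bytes captured is itself a sign that only part of a fragmented datagram arrived.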