Problem connecting to strongswan on CentOS7

2019-12-24 00:06:47 +08:00
 yisuo
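Hello experts, when I connect to strongswan from CentOS7, after the IP address is assigned it reports no CHILD_SA built failed to establish CHILD_SA, and the connection fails. Android and Windows connect normally.

The server version is 5.6.2 and the CentOS side is 5.6.2. This is the configuration file: http://popcn.net/ipsec.conf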


====================Server configuration============================


# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # cachecrls=yes
    uniqueids=never

# Add connections here.

conn %default
    ikelifetime=60m
    keylife=120m
    rekeymargin=3m
    keyingtries=1
    # authby=psk/secret

conn ikev2
    keyexchange=ikev2
    ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
    esp=aes256-sha256,3des-sha1,aes256-sha1!

    type=tunnel
    rekey=no
    leftfirewall=no
    left=%defaultroute
    leftsubnet=0.0.0.0/0,::/0
    leftupdown=/usr/local/etc/strongswan.d/proxyndp.updown
    leftid=本地对外地址
    leftauth=pubkey
    leftcert=server.cert.pem
    leftsendcert=ifasked

    right=%any
    rightsourceip=10.10.8.0/24,
    rightdns=8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844

    # rightsubnet=0.0.0.0/0,::/0
    # rightcert=client.cert.pem
    # rightsendcert=never
    rightauth=eap-mschapv2
    eap_identity=%any

    dpdaction=clear
    fragmentation=yes
    compress=yes

    auto=add



strongswan restart
strongswan up linux-client
strongswan statusall


====================Client configuration============================


config setup
    # strictcrlpolicy=yes
    uniqueids =never

conn %default
conn linux-client
    keyexchange=ikev2
    rekey=no
    ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
    esp=aes256-sha256,3des-sha1,aes256-sha1!

    right=对端地址
    rightid=@对端地址
    rightsubnet=0.0.0.0/0,::/0
    rightauth=pubkey

    left=%any
    leftsourceip=%config
    leftcert=server.cert.pem
    leftsendcert=ifasked
    leftauth=eap-mschapv2
    eap_identity=user

    type=tunnel
    auto=add
1 reply
yisuo
2019-12-24 11:48:15 +08:00
Experts, could someone give me a diagnosis?

https://www.v2ex.com/t/631694
