I want to build strongSwan myself for an IKEv2 VPN rather than use a ready-made approach (a playbook or the like). Using the strongSwan client on my Mac I can connect, but the client built into OS X 10.11 cannot and reports "received proposals inacceptable"; iOS 9 cannot connect either, although its log does contain "authentication of 'vps' (myself) with RSA signature successful".
I am looking for a strongSwan configuration that someone has tested and confirmed working, so I can see where mine is wrong. I have consulted many configurations and followed the official wiki, but it still does not work.
My ipsec.conf:
config setup
        uniqueids=no
        plutostart=no
        strictcrlpolicy=no

conn ikev2
        keyexchange=ikev2
        ike=aes256-aes128-sha1-modp1024!
        esp=aes256-sha256-sha1!
        dpdaction=clear
        dpddelay=300s
        leftauth=pubkey
        rekey=no
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftcert=server.cert.pem
        leftsendcert=always
        leftid=xxx
        right=%any
        rightauth=eap-mschapv2
        rightsourceip=10.0.1.0/24
        rightsendcert=always
        eap_identity=%any
        auto=add
1
onion83 2015-10-12 11:03:14 +08:00
Same question here.
Server-side log:
------------------------
08[CFG] received stroke: add connection 'windows7'
08[CFG] adding virtual IP address pool 172.17.17.0/24
08[CFG] loaded certificate "C=CN, O=strongSwan, CN=x.x.x.x" from 'serverCert.pem'
08[CFG] id '%any' not confirmed by certificate, defaulting to 'C=CN, O=strongSwan, CN=x.x.x.x'
08[CFG] added configuration 'windows7'
10[NET] received packet: from 210.51.19.2[17553] to x.x.x.x[500] (388 bytes)
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
10[IKE] 210.51.19.2 is initiating an IKE_SA
10[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
10[IKE] remote host is behind NAT
10[IKE] received proposals inacceptable
10[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
10[NET] sending packet: from x.x.x.x[500] to *.*.*.*[17553] (36 bytes)

Client-side log:
------------------------
Oct 12 11:02:36 Onion-iPhone-6S nesessionmanager[247] <Notice>: NESMIKEv2VPNSession[x.x.x.x:1FECCA55-2070-44C8-8214-E62DF31F6E0B]: status changed to connecting
Oct 12 11:02:36 Onion-iPhone-6S locationd[70] <Notice>: need a scan, count, 0, 0, lwatchdog, 0.0, interval, 60.0, needWatchdog, 0
Oct 12 11:02:36 Onion-iPhone-6S configd[38] <Notice>: network changed
Oct 12 11:02:36 Onion-iPhone-6S neagent[291] <Error>: Failed to process IKE SA Init packet
Oct 12 11:02:36 Onion-iPhone-6S neagent[291] <Notice>: BUG in libdispatch client: kevent[EVFILT_READ] delete: "Bad file descriptor" - 0x9

The official documentation, which sounds impressive but which I do not understand:
------------------------
https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)#IKEv2-on-iOS-9-OS-X-1011-and-newer
2
sholiver 2015-11-07 15:49:54 +08:00 via iPhone
My iPhone 6 passed the test, but the 6s just will not work no matter what. No idea why.
3
yisuo 2018-02-22 21:58:03 +08:00
@onion83
In this log, the key-exchange algorithms the client and the server use for IKE differ: the server's configured IKE algorithms (configured proposals) are not a subset of the client's (received proposals), or the order is inconsistent, so key generation is invalid, authentication fails and the connection is dropped.

The client sent three IKE proposal sets (received proposals):
Set 1: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Set 2: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Set 3: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

The server's IKE response (configured proposals):
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
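A small diagnostic, added here as an example and not code from the thread or from strongSwan, that parses the two `[CFG] ... proposals:` lines from the server log quoted by onion83 and reports, for each client proposal, the transform type on which the server's configured proposal first disagrees (the cause of the N(NO_PROP) reply that yisuo explains). The sample log is re-typed from the post, and the classification of algorithm names into transform types by name prefix is my own approximation of strongSwan's types.

```python
import re

# Constructed sample: the two proposal lines re-typed from the server log quoted above.
SAMPLE_LOG = """\
10[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

LINE_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")

# Algorithm-name prefix -> transform type (my approximation of strongSwan's types).
TYPE_PREFIXES = (("prf", ("PRF_",)), ("integ", ("HMAC_", "AES_XCBC", "AES_CMAC")),
                 ("dh", ("MODP_", "ECP_", "CURVE_")))

def alg_type(token):
    """Classify an algorithm name; anything unmatched (AES_CBC_*, 3DES_CBC, ...) is 'enc'."""
    return next((t for t, p in TYPE_PREFIXES if token.startswith(p)), "enc")

def parse_proposals(log_text):
    """{'received': [...], 'configured': [...]}, each item (protocol, {type: {algorithms}})."""
    out = {"received": [], "configured": []}
    for m in filter(None, map(LINE_RE.search, log_text.splitlines())):
        for chunk in m.group(2).split(", "):
            proto, _, algs = chunk.partition(":")
            by_type = {}
            for tok in algs.split("/"):
                by_type.setdefault(alg_type(tok), set()).add(tok)
            out[m.group(1)].append((proto, by_type))
    return out

def first_mismatch(received, configured):
    """None if configured can satisfy received, else the transform type that first disagrees."""
    if received[0] != configured[0]:
        return "protocol"
    for t in ("enc", "integ", "prf", "dh"):
        r, c = received[1].get(t, set()), configured[1].get(t, set())
        if (r or c) and not (r & c):  # a type absent on both sides (AEAD) is not a conflict
            return t
    return None

def diagnose(log_text):
    """Per client proposal: 'ok' if any configured proposal matches, else the blocking type."""
    props = parse_proposals(log_text)
    return [
        "ok" if any(first_mismatch(r, c) is None for c in props["configured"])
        else first_mismatch(r, props["configured"][0])
        for r in props["received"]
    ]

print(diagnose(SAMPLE_LOG))  # -> ['enc', 'integ', 'enc']
```

Read against the quoted log, the first and third client proposals fail on the cipher and the second on the integrity algorithm, so no proposal is left for the server to pick.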