
I am using strongSwan on Ubuntu 16.04 to connect to a third-party L2TP/IPsec VPN.
They gave me a profile like this:
VPN connection IP : X.X.X.X
IPSEC Authentication : ---------------------
IPSEC Preshared key : SOME^"TH!NG$
L2TP authentication :
username : USER
password : PASS
IPSEC Phase 1 Proposal----------------------
encryption 3DES Authentication SHA1
encryption AES192 Authentication SHA1
encryption AES256 Authentication MD5
Diffie-Hellman Group 2
Key lifetime (seconds) 86400
IPSEC Phase 2 Proposal----------------------
Local Address 0.0.0.0/0.0.0.0
Remote Address 0.0.0.0/0.0.0.0
encryption 3DES Authentication SHA1
encryption AES192 Authentication SHA1
encryption AES256 Authentication MD5
Key lifetime (seconds) 86400
I created /etc/ipsec.conf as follows:
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=3des-sha1,AES192-sha1,aes256-md5,modp1024!
    esp=3des-sha1,AES192-sha1,aes256-md5!

conn myvpn
    keyexchange=ikev1
    left=MY.IP.ADD.RES
    auto=add
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=X.X.X.X
and /etc/ipsec.secrets like this:
# empty line
MY.IP.ADD.RES X.X.X.X : PSK 'SOME^"TH!NG$'
(my IP address is MY.IP.ADD.RES and the remote server is X.X.X.X)
$ sudo ipsec up myvpn
gives the following:
initiating Main Mode IKE_SA myvpn[2] to X.X.X.X
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from MY.IP.ADD.RES[500] to X.X.X.X[500] (204 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from MY.IP.ADD.RES[500] to X.X.X.X[500] (204 bytes)
sending retransmit 2 of request message ID 0, seq 1
How should I find out what is wrong with my configuration? Is it that my ike or esp does not match the given profile?
I am new to this area, so besides an answer to my question, any documentation, helpful blog posts, or information about the given profile would help me.
Answer 1
My mistake was that I did not match ike (to the IPSEC Phase 1 Proposal) and esp (to the IPSEC Phase 2 Proposal) exactly against the given VPN profile.
The complete list of cipher suites available for strongSwan IKEv2 can be found here.
My corrected /etc/ipsec.conf is:
config setup

conn %default
    ikelifetime=86400s
    keylife=86400s
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=3des-sha1,AES192-sha1,aes256-md5,modp1024!
    esp=3des-sha1,AES192-sha1,aes256-md5!

conn myvpn
    # our public ip
    left=MY.IP.ADD.RES
    auto=add
    authby=secret
    # phase 1
    ike=3des-sha1-modp1024,aes192-sha1-modp1024,aes256-md5-modp1024
    # phase 2
    esp=3des-sha1,aes192-sha1,aes256-md5
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    # remote VPN ip
    right=X.X.X.X
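As an added example (not part of the question or the answer), the following Python helper turns the proposal lines of a vendor profile like the one above into the strongSwan ike= and esp= values; the regular expressions and the algorithm-name tables are assumptions about the profile format, and the embedded sample is a constructed copy of the quoted proposals.

```python
import re

# strongSwan (IKEv1) keywords for the algorithm names used in such vendor profiles
ENC = {"3DES": "3des", "AES128": "aes128", "AES192": "aes192", "AES256": "aes256"}
INTEG = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}
DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
PROPOSAL_RE = re.compile(r"encryption\s+(\w+)\s+Authentication\s+(\w+)", re.I)
DH_RE = re.compile(r"Diffie-Hellman Group\s+(\d+)", re.I)

def parse_profile(text):
    """Collect the Phase 1 and Phase 2 proposals and the Phase 1 DH group."""
    phase, dh = None, None
    proposals = {1: [], 2: []}
    for line in text.splitlines():
        if "Phase 1" in line:
            phase = 1
        elif "Phase 2" in line:
            phase = 2
        if phase is None:  # skip the PSK/L2TP header above the proposals
            continue
        if m := PROPOSAL_RE.search(line):
            proposals[phase].append((m.group(1).upper(), m.group(2).upper()))
        elif m := DH_RE.search(line):
            dh = m.group(1)
    return proposals, dh

def strongswan_settings(text):
    """Return the ike= and esp= values for ipsec.conf that match the profile."""
    proposals, dh = parse_profile(text)
    if dh not in DH or not proposals[1] or not proposals[2]:
        raise ValueError("profile lacks proposals or a supported DH group")
    # Phase 1: each IKEv1 proposal carries its own DH group, as in the corrected config
    ike = ",".join(f"{ENC[e]}-{INTEG[a]}-{DH[dh]}" for e, a in proposals[1])
    # Phase 2: ESP proposals without a DH group (the profile does not ask for PFS)
    esp = ",".join(f"{ENC[e]}-{INTEG[a]}" for e, a in proposals[2])
    return {"ike": ike, "esp": esp}

# Constructed sample: the proposal sections of the profile quoted in the question
SAMPLE_PROFILE = """IPSEC Phase 1 Proposal----------------------
encryption 3DES Authentication SHA1
encryption AES192 Authentication SHA1
encryption AES256 Authentication MD5
Diffie-Hellman Group 2
Key lifetime (seconds) 86400
IPSEC Phase 2 Proposal----------------------
encryption 3DES Authentication SHA1
encryption AES192 Authentication SHA1
encryption AES256 Authentication MD5
Key lifetime (seconds) 86400
"""
```

Running strongswan_settings(SAMPLE_PROFILE) yields exactly the two lines placed under conn myvpn in the corrected configuration.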