Configuring StrongSwan to use DHCP
I have set up a StrongSwan VPN server and want to configure it to assign IPs to end clients dynamically. If I give it an IP range the VPN works, but if I set it to DHCP it does not.
This is my dhcp.conf file:
    dhcp {
        # Always use the configured server address.
        force_server_address = yes
        # Derive user-defined MAC address from hash of IKE identity.
        # identity_lease = yes
        # Interface name the plugin uses for address allocation.
        # interface =
        # Whether to load the plugin. Can also be an integer to increase the
        # priority of this plugin.
        load = yes
        # DHCP server unicast or broadcast IP address.
        server = 10.0.0.255
    }
And my ipsec.conf file:
    # ipsec.conf - strongSwan IPsec configuration file

    config setup
        charondebug="cfg 2, dmn 2, ike 2, net 2"

    conn %default
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=10.0.0.2
        leftsubnet=255.255.255.0/24
        leftcert=vpnHostCert.pem
        right=%any
        rightsubnet=255.255.255.0/24
        rightdns=10.0.0.2
        rightsourceip=10.0.1.0/24
        # rightsourceip=%dhcp
        compress=yes

    conn IPSec-IKEv2
        auto=add

    conn IPSec-IKEv2-EAP
        also="IPSec-IKEv2"
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any

    conn CiscoIPSec
        keyexchange=ikev1
        rightauth=pubkey
        rightauth2=xauth
        auto=add
At the moment I have the DHCP functionality commented out, so the VPN works fine.
Here is the log from a connection attempt (trimmed; the newer log is below):
    Jul 8 16:13:09 dhcp charon: 04[IKE] IKE_SA IPSec-IKEv2-EAP[15] state change: CONNECTING => ESTABLISHED
    Jul 8 16:13:09 dhcp charon: 04[IKE] peer requested virtual IP %any
    Jul 8 16:13:09 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
    Jul 8 16:13:10 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
    Jul 8 16:13:11 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
    Jul 8 16:13:11 dhcp charon: 15[NET] waiting for data on sockets
    Jul 8 16:13:11 dhcp charon: 07[MGR] ignoring request with ID 5, already processing
    Jul 8 16:13:12 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
    Jul 8 16:13:14 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
    Jul 8 16:13:14 dhcp charon: 15[NET] waiting for data on sockets
    Jul 8 16:13:14 dhcp charon: 13[MGR] ignoring request with ID 5, already processing
    Jul 8 16:13:15 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
    Jul 8 16:13:18 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
    Jul 8 16:13:18 dhcp charon: 15[NET] waiting for data on sockets
    Jul 8 16:13:18 dhcp charon: 01[MGR] ignoring request with ID 5, already processing
    Jul 8 16:13:19 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
    Jul 8 16:13:24 dhcp charon: 04[CFG] DHCP DISCOVER timed out
As you can see in the log, StrongSwan is trying to get a lease from the DHCP server, but it never receives a response to its DHCPDISCOVER.
The VPN and the DHCP server are both on the same machine (10.0.0.2). As you can see in the dhcp.conf file, I specified 10.0.0.255 (per the note at the bottom of this strongSwan document). I have also tried 10.0.0.2, 0.0.0.0, 127.0.0.1, 255.255.255.0 and 255.255.255.255, but none of them worked.
DHCP works perfectly for everything internal, so I am fairly sure this is a StrongSwan problem.
EDIT: I have managed to get a response from the DHCP server, but the VPN software does not see it. Here are the changes I made to the VPN's DHCP config, along with the log.
    Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500]
    Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
    Jul 10 09:41:52 dhcp charon: 08[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500] (528 bytes)
    Jul 10 09:41:52 dhcp charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    Jul 10 09:41:52 dhcp charon: 08[CFG] looking for an ike config for 10.0.0.2...xxx.xxx.xxx.xxx
    Jul 10 09:41:52 dhcp charon: 08[CFG] candidate: 10.0.0.2...%any, prio 1052
    Jul 10 09:41:52 dhcp charon: 08[CFG] candidate: 10.0.0.2...%any, prio 1052
    Jul 10 09:41:52 dhcp charon: 08[CFG] found matching ike config: 10.0.0.2...%any with prio 1052
    Jul 10 09:41:52 dhcp charon: 08[IKE] xxx.xxx.xxx.xxx is initiating an IKE_SA
    Jul 10 09:41:52 dhcp charon: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
    Jul 10 09:41:52 dhcp charon: 08[CFG] selecting proposal:
    Jul 10 09:41:52 dhcp charon: 08[CFG] no acceptable ENCRYPTION_ALGORITHM found
    Jul 10 09:41:52 dhcp charon: 08[CFG] selecting proposal:
    Jul 10 09:41:52 dhcp charon: 08[CFG] proposal matches
    Jul 10 09:41:52 dhcp charon: 08[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
    Jul 10 09:41:52 dhcp charon: 08[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 10 09:41:52 dhcp charon: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 10 09:41:52 dhcp charon: 08[IKE] local host is behind NAT, sending keep alives
    Jul 10 09:41:52 dhcp charon: 08[IKE] remote host is behind NAT
    Jul 10 09:41:52 dhcp charon: 08[IKE] sending cert request for "C=AU, O=EXAMPLE, CN=EXAMPLE CA"
    Jul 10 09:41:52 dhcp charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Jul 10 09:41:52 dhcp charon: 08[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500] (337 bytes)
    Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500]
    Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
    Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
    Jul 10 09:41:52 dhcp charon: 07[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (972 bytes)
    Jul 10 09:41:52 dhcp charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Jul 10 09:41:52 dhcp charon: 07[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
    Jul 10 09:41:52 dhcp charon: 07[IKE] received cert request for "C=AU, O=EXAMPLE, CN=EXAMPLE CA"
    Jul 10 09:41:52 dhcp charon: 07[IKE] received 31 cert requests for an unknown ca
    Jul 10 09:41:52 dhcp charon: 07[CFG] looking for peer configs matching 10.0.0.2[%any]...xxx.xxx.xxx.xxx[10.1.1.5]
    Jul 10 09:41:52 dhcp charon: 07[CFG] candidate "IPSec-IKEv2", match: 1/1/1052 (me/other/ike)
    Jul 10 09:41:52 dhcp charon: 07[CFG] candidate "IPSec-IKEv2-EAP", match: 1/1/1052 (me/other/ike)
    Jul 10 09:41:52 dhcp charon: 07[CFG] selected peer config 'IPSec-IKEv2'
    Jul 10 09:41:52 dhcp charon: 07[IKE] peer requested EAP, config inacceptable
    Jul 10 09:41:52 dhcp charon: 07[CFG] switching to peer config 'IPSec-IKEv2-EAP'
    Jul 10 09:41:52 dhcp charon: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
    Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_ADDRESS attribute
    Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_DNS attribute
    Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_NBNS attribute
    Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_SERVER attribute
    Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_ADDRESS attribute
    Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_DNS attribute
    Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_SERVER attribute
    Jul 10 09:41:52 dhcp charon: 07[IKE] peer supports MOBIKE
    Jul 10 09:41:52 dhcp charon: 07[IKE] authentication of 'C=AU, O=EXAMPLE, CN=EXAMPLE AU' (myself) with RSA signature successful
    Jul 10 09:41:52 dhcp charon: 07[IKE] sending end entity cert "C=AU, O=EXAMPLE, CN=EXAMPLE AU"
    Jul 10 09:41:52 dhcp charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    Jul 10 09:41:52 dhcp charon: 07[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (1516 bytes)
    Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
    Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
    Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
    Jul 10 09:41:52 dhcp charon: 10[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
    Jul 10 09:41:52 dhcp charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
    Jul 10 09:41:52 dhcp charon: 10[IKE] received EAP identity 'shane'
    Jul 10 09:41:52 dhcp charon: 10[IKE] initiating EAP_MSCHAPV2 method (id 0xB2)
    Jul 10 09:41:52 dhcp charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
    Jul 10 09:41:52 dhcp charon: 10[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (108 bytes)
    Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
    Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
    Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
    Jul 10 09:41:52 dhcp charon: 09[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (140 bytes)
    Jul 10 09:41:52 dhcp charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
    Jul 10 09:41:52 dhcp charon: 09[IKE] EAP-MS-CHAPv2 username: 'shane'
    Jul 10 09:41:52 dhcp charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
    Jul 10 09:41:52 dhcp charon: 09[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (140 bytes)
    Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
    Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
    Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
    Jul 10 09:41:52 dhcp charon: 11[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
    Jul 10 09:41:52 dhcp charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
    Jul 10 09:41:52 dhcp charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
    Jul 10 09:41:52 dhcp charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
    Jul 10 09:41:52 dhcp charon: 11[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)
    Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
    Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
    Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
    Jul 10 09:41:52 dhcp charon: 12[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (92 bytes)
    Jul 10 09:41:52 dhcp charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
    Jul 10 09:41:52 dhcp charon: 12[IKE] authentication of '10.1.1.5' with EAP successful
    Jul 10 09:41:52 dhcp charon: 12[IKE] authentication of 'C=AU, O=EXAMPLE, CN=EXAMPLE AU' (myself) with EAP
    Jul 10 09:41:52 dhcp charon: 12[IKE] IKE_SA IPSec-IKEv2-EAP[1] established between 10.0.0.2[C=AU, O=EXAMPLE, CN=EXAMPLE AU]...xxx.xxx.xxx.xxx[10.1.1.5]
    Jul 10 09:41:52 dhcp charon: 12[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: CONNECTING => ESTABLISHED
    Jul 10 09:41:52 dhcp charon: 12[IKE] peer requested virtual IP %any
    Jul 10 09:41:52 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
    Jul 10 09:41:52 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be via team0
    Jul 10 09:41:53 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
    Jul 10 09:41:53 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
    Jul 10 09:41:54 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
    Jul 10 09:41:54 dhcp charon: 01[NET] waiting for data on sockets
    Jul 10 09:41:54 dhcp charon: 06[MGR] ignoring request with ID 5, already processing
    Jul 10 09:41:55 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
    Jul 10 09:41:55 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
    Jul 10 09:41:55 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
    Jul 10 09:41:57 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
    Jul 10 09:41:57 dhcp charon: 01[NET] waiting for data on sockets
    Jul 10 09:41:57 dhcp charon: 15[MGR] ignoring request with ID 5, already processing
    Jul 10 09:41:58 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
    Jul 10 09:41:58 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
    Jul 10 09:41:58 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
    Jul 10 09:42:00 dhcp chronyd[728]: NTP packet received from unauthorised host 10.0.0.2 port 123
    Jul 10 09:42:02 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
    Jul 10 09:42:02 dhcp charon: 01[NET] waiting for data on sockets
    Jul 10 09:42:02 dhcp charon: 10[MGR] ignoring request with ID 5, already processing
    Jul 10 09:42:02 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
    Jul 10 09:42:02 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
    Jul 10 09:42:02 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
    Jul 10 09:42:07 dhcp charon: 12[CFG] DHCP DISCOVER timed out
    Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found for %any requested by 'shane'
    Jul 10 09:42:07 dhcp charon: 12[IKE] peer requested virtual IP %any6
    Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found for %any6 requested by 'shane'
    Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
    Jul 10 09:42:07 dhcp charon: 12[CFG] looking for a child config for ::/0 0.0.0.0/0 === ::/0 0.0.0.0/0
    Jul 10 09:42:07 dhcp charon: 12[CFG] proposing traffic selectors for us:
    Jul 10 09:42:07 dhcp charon: 12[CFG] 255.255.255.0/24
    Jul 10 09:42:07 dhcp charon: 12[CFG] proposing traffic selectors for other:
    Jul 10 09:42:07 dhcp charon: 12[CFG] 255.255.255.0/24
    Jul 10 09:42:07 dhcp charon: 12[CFG] candidate "IPSec-IKEv2-EAP" with prio 1+1
    Jul 10 09:42:07 dhcp charon: 12[CFG] found matching child config "IPSec-IKEv2-EAP" with prio 2
    Jul 10 09:42:07 dhcp charon: 12[IKE] configuration payload negotiation failed, no CHILD_SA built
    Jul 10 09:42:07 dhcp charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
    Jul 10 09:42:07 dhcp charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
    Jul 10 09:42:07 dhcp charon: 12[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (124 bytes)
    Jul 10 09:42:07 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
    Jul 10 09:42:07 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
    Jul 10 09:42:07 dhcp charon: 01[NET] waiting for data on sockets
    Jul 10 09:42:07 dhcp charon: 11[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
    Jul 10 09:42:07 dhcp charon: 11[ENC] parsed INFORMATIONAL request 6 [ D ]
    Jul 10 09:42:07 dhcp charon: 11[IKE] received DELETE for IKE_SA IPSec-IKEv2-EAP[1]
    Jul 10 09:42:07 dhcp charon: 11[IKE] deleting IKE_SA IPSec-IKEv2-EAP[1] between 10.0.0.2[C=AU, O=EXAMPLE, CN=EXAMPLE AU]...xxx.xxx.xxx.xxx[10.1.1.5]
    Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: ESTABLISHED => DELETING
    Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA deleted
    Jul 10 09:42:07 dhcp charon: 11[ENC] generating INFORMATIONAL response 6 [ ]
    Jul 10 09:42:07 dhcp charon: 11[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)
    Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: DELETING => DESTROYING
    Jul 10 09:42:07 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
    Jul 10 09:42:08 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500]
    Jul 10 09:42:08 dhcp charon: 01[NET] waiting for data on sockets
    Jul 10 09:42:08 dhcp charon: 14[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500] (384 bytes)
    Jul 10 09:42:08 dhcp charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
    Jul 10 09:42:08 dhcp charon: 14[CFG] looking for an ike config for 10.0.0.2...xxx.xxx.xxx.xxx
    Jul 10 09:42:08 dhcp charon: 14[CFG] candidate: 10.0.0.2...%any, prio 1052
    Jul 10 09:42:08 dhcp charon: 14[CFG] found matching ike config: 10.0.0.2...%any with prio 1052
    Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:08
    Jul 10 09:42:08 dhcp charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
    Jul 10 09:42:08 dhcp charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
    Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
    Jul 10 09:42:08 dhcp charon: 14[IKE] xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
    Jul 10 09:42:08 dhcp charon: 14[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
    Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
    Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
    Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
    Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
    Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
    Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
    Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
    Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
    Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
    Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
    Jul 10 09:42:08 dhcp charon: 14[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 10 09:42:08 dhcp charon: 14[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Jul 10 09:42:08 dhcp charon: 14[IKE] no proposal found
    Jul 10 09:42:08 dhcp charon: 14[IKE] queueing INFORMATIONAL task
    Jul 10 09:42:08 dhcp charon: 14[IKE] activating new tasks
    Jul 10 09:42:08 dhcp charon: 14[IKE] activating INFORMATIONAL task
    Jul 10 09:42:08 dhcp charon: 14[ENC] generating INFORMATIONAL_V1 request 2146740619 [ N(NO_PROP) ]
    Jul 10 09:42:08 dhcp charon: 14[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500] (56 bytes)
    Jul 10 09:42:08 dhcp charon: 14[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
    Jul 10 09:42:08 dhcp charon: 04[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500]
And the new config:
    dhcp {
        force_server_address = yes
        interface = team0
        load = yes
        server = 255.255.255.255
    }
I have solved it! See the note at the bottom of the page (here).
As mentioned, I did try that, but with no luck. I have a NIC team on em1 and em2 that becomes team0. StrongSwan did not seem to consider this interface. I changed the interface to team0 with the server as 255.255.255.255: the DHCP server could see the request, but the VPN could not see the reply. Once I set the server to 10.0.0.255 and the interface to team0, everything started working.
So the trick is: if you use NIC teaming, you need to specify your team as the interface, and the server as your local broadcast address. You need force_server_address set to yes, and identity_lease does not seem to affect it.
I hope this saves someone else from the nightmare.
My final config:
    dhcp {
        # Always use the configured server address.
        force_server_address = yes
        # Derive user-defined MAC address from hash of IKE identity.
        identity_lease = yes
        # Interface name the plugin uses for address allocation.
        interface = team0
        # Whether to load the plugin. Can also be an integer to increase the
        # priority of this plugin.
        load = yes
        # DHCP server unicast or broadcast IP address.
        server = 10.0.0.255
    }
What the DHCP part of my log looks like now:
    Jul 10 10:05:27 dhcp charon: 02[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: CONNECTING => ESTABLISHED
    Jul 10 10:05:27 dhcp charon: 02[IKE] peer requested virtual IP %any
    Jul 10 10:05:27 dhcp charon: 02[CFG] sending DHCP DISCOVER to 10.0.0.255
    Jul 10 10:05:27 dhcp dhcpd: DHCPDISCOVER from 7a:a7:b4:f2:4e:dc via 10.0.0.2
    Jul 10 10:05:28 dhcp charon: 02[CFG] sending DHCP DISCOVER to 10.0.0.255
    Jul 10 10:05:28 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:b4:f2:4e:dc (shane) via 10.0.0.2
    Jul 10 10:05:28 dhcp charon: 07[CFG] received DHCP OFFER 10.0.0.188 from 10.0.0.2
    Jul 10 10:05:28 dhcp charon: 02[CFG] sending DHCP REQUEST for 10.0.0.188 to 10.0.0.2
    Jul 10 10:05:28 dhcp dhcpd: DHCPREQUEST for 10.0.0.188 (10.0.0.2) from 7a:a7:b4:f2:4e:dc (shane) via 10.0.0.2
    Jul 10 10:05:28 dhcp dhcpd: DHCPACK on 10.0.0.188 to 7a:a7:b4:f2:4e:dc (shane) via 10.0.0.2
    Jul 10 10:05:28 dhcp charon: 08[CFG] received DHCP ACK for 10.0.0.188
    Jul 10 10:05:28 dhcp charon: 02[IKE] assigning virtual IP 10.0.0.188 to peer 'shane'
Note that the DHCP daemon appears to log receiving the request slightly before charon logs that it has sent one.
I hope this saves someone else time and frustration.
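As an added example (not code from the post or from strongSwan), a small Python check that walks a mixed charon/dhcpd syslog for the DISCOVER/OFFER/REQUEST/ACK exchange and reports the hop where it stalled, which is exactly how the failing and working logs above differ, plus a helper that derives the local broadcast address the answer recommends for `server`. The sample log lines are constructed in the shape of the post's logs; the stage names and verdict wording are my own.

```python
import re
import ipaddress

# Constructed sample logs (not from the post) in the same shape as the
# charon/dhcpd lines above: one exchange that stalls and one that works.
STALLED_LOG = """\
Jul 10 09:41:52 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:52 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be via team0
Jul 10 09:41:53 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:42:07 dhcp charon: 12[CFG] DHCP DISCOVER timed out
"""
WORKING_LOG = """\
Jul 10 10:05:27 dhcp charon: 02[CFG] sending DHCP DISCOVER to 10.0.0.255
Jul 10 10:05:27 dhcp dhcpd: DHCPDISCOVER from 7a:a7:b4:f2:4e:dc via 10.0.0.2
Jul 10 10:05:28 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:b4:f2:4e:dc (shane) via 10.0.0.2
Jul 10 10:05:28 dhcp charon: 07[CFG] received DHCP OFFER 10.0.0.188 from 10.0.0.2
Jul 10 10:05:28 dhcp charon: 02[CFG] sending DHCP REQUEST for 10.0.0.188 to 10.0.0.2
Jul 10 10:05:28 dhcp dhcpd: DHCPACK on 10.0.0.188 to 7a:a7:b4:f2:4e:dc (shane) via 10.0.0.2
Jul 10 10:05:28 dhcp charon: 08[CFG] received DHCP ACK for 10.0.0.188
"""

# The exchange as seen from both daemons, in order. A stage is reached when
# some line matches its pattern; the furthest stage reached shows which hop
# lost the packet (stage names are my own labels, not strongSwan's).
STAGES = [
    ("charon_discover", re.compile(r"charon: .*sending DHCP DISCOVER to \S+")),
    ("dhcpd_discover", re.compile(r"dhcpd: DHCPDISCOVER from ")),
    ("dhcpd_offer", re.compile(r"dhcpd: DHCPOFFER on \S+")),
    ("charon_offer", re.compile(r"charon: .*received DHCP OFFER \S+")),
    ("charon_request", re.compile(r"charon: .*sending DHCP REQUEST for \S+")),
    ("dhcpd_ack", re.compile(r"dhcpd: DHCPACK on \S+")),
    ("charon_ack", re.compile(r"charon: .*received DHCP ACK for \S+")),
]

# What each stall point means in terms of the plugin settings discussed above.
VERDICTS = {
    None: "no DISCOVER in the log: check load = yes and rightsourceip=%dhcp",
    "charon_discover": "dhcpd never saw the DISCOVER: 'interface'/'server' point at the wrong link",
    "dhcpd_offer": "dhcpd replied but charon never saw the OFFER: bind 'interface' to the "
                   "real (team) interface and set 'server' to that subnet's broadcast",
    "charon_ack": "lease obtained",
}

def diagnose(log_text):
    """Return (furthest_stage, verdict) for the DHCP exchange in log_text."""
    furthest = -1
    for line in log_text.splitlines():
        for idx, (_, pat) in enumerate(STAGES):
            if pat.search(line):
                furthest = max(furthest, idx)
    stage = STAGES[furthest][0] if furthest >= 0 else None
    return stage, VERDICTS.get(stage, "exchange stalled after " + str(stage))

def broadcast_for(address_with_prefix):
    """Local broadcast to use as the plugin's 'server', e.g. for 10.0.0.2/24."""
    return str(ipaddress.ip_interface(address_with_prefix).network.broadcast_address)
```

Feed it `journalctl -u strongswan -u dhcpd` output (or the syslog excerpt) and it tells you whether the DISCOVER left charon, whether dhcpd saw it, and whether the OFFER ever made it back into charon.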