Vpn

配置 StrongSwan 以使用 DHCP

  • February 10, 2018

我已經實現了一個 StrongSwan VPN 伺服器,並希望將其配置為動態地將 IP 分配給最終客戶端。如果我給它一個 IP 範圍,VPN 就可以工作,但如果我將它設置為 DHCP,它就不行。

這是我的 dhcp.conf 文件:

dhcp {

   # Always use the configured server address.
   force_server_address = yes

   # Derive user-defined MAC address from hash of IKE identity.
   # identity_lease = yes

   # Interface name the plugin uses for address allocation.
   # interface =

   # Whether to load the plugin. Can also be an integer to increase the
   # priority of this plugin.
   load = yes

   # DHCP server unicast or broadcast IP address.
   server = 10.0.0.255

}

還有我的 ipsec.conf 文件:

# ipsec.conf - strongSwan IPsec configuration file

config setup
   charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
   keyexchange=ikev2
       ike=aes256-sha1-modp1024!
       esp=aes256-sha1!
       dpdaction=clear
       dpddelay=300s
       rekey=no
       left=10.0.0.2
       leftsubnet=255.255.255.0/24
       leftcert=vpnHostCert.pem
       right=%any
       rightsubnet=255.255.255.0/24
       rightdns=10.0.0.2
       rightsourceip=10.0.1.0/24
   #   rightsourceip=%dhcp
       compress=yes

conn IPSec-IKEv2
       auto=add

conn IPSec-IKEv2-EAP
       also="IPSec-IKEv2"
       rightauth=eap-mschapv2
       rightsendcert=never
       eap_identity=%any

conn CiscoIPSec
       keyexchange=ikev1
       rightauth=pubkey
       rightauth2=xauth
       auto=add

目前我已經註釋掉了 DHCP 功能,所以 VPN 可以正常工作。

以下是來自嘗試連接的日誌:(剪切為新日誌)

Jul  8 16:13:09 dhcp charon: 04[IKE] IKE_SA IPSec-IKEv2-EAP[15] state change: CONNECTING => ESTABLISHED
Jul  8 16:13:09 dhcp charon: 04[IKE] peer requested virtual IP %any
Jul  8 16:13:09 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul  8 16:13:10 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul  8 16:13:11 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul  8 16:13:11 dhcp charon: 15[NET] waiting for data on sockets
Jul  8 16:13:11 dhcp charon: 07[MGR] ignoring request with ID 5, already processing
Jul  8 16:13:12 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul  8 16:13:14 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul  8 16:13:14 dhcp charon: 15[NET] waiting for data on sockets
Jul  8 16:13:14 dhcp charon: 13[MGR] ignoring request with ID 5, already processing
Jul  8 16:13:15 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul  8 16:13:18 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul  8 16:13:18 dhcp charon: 15[NET] waiting for data on sockets
Jul  8 16:13:18 dhcp charon: 01[MGR] ignoring request with ID 5, already processing
Jul  8 16:13:19 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul  8 16:13:24 dhcp charon: 04[CFG] DHCP DISCOVER timed out

正如您在日誌中看到的,StrongSwan 正在嘗試從 DHCP 伺服器獲取租約,但它從未收到對其 DHCPDiscover 的響應。

VPN 和 DHCP 伺服器都在同一台機器上 (10.0.0.2)。正如您將在 dhcp.conf 文件中看到的,我指定了 10.0.0.255(根據此strongswan 文件底部的註釋)。我也嘗試過 10.0.0.2、0.0.0.0、127.0.0.1、255.255.255.0、255.255.255.255,但都沒有奏效。

DHCP 對內部的一切工作都非常好,所以我很確定這是一個 StrongSwan 問題。

編輯: 我已經設法從 DHCP 伺服器獲得響應,但是 VPN 軟體看不到它。這是我對 VPN 的 DHCP 配置以及日誌所做的更改。

Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 08[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500] (528 bytes)
Jul 10 09:41:52 dhcp charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 10 09:41:52 dhcp charon: 08[CFG] looking for an ike config for 10.0.0.2...xxx.xxx.xxx.xxx
Jul 10 09:41:52 dhcp charon: 08[CFG]   candidate: 10.0.0.2...%any, prio 1052
Jul 10 09:41:52 dhcp charon: 08[CFG]   candidate: 10.0.0.2...%any, prio 1052
Jul 10 09:41:52 dhcp charon: 08[CFG] found matching ike config: 10.0.0.2...%any with prio 1052
Jul 10 09:41:52 dhcp charon: 08[IKE] xxx.xxx.xxx.xxx is initiating an IKE_SA
Jul 10 09:41:52 dhcp charon: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Jul 10 09:41:52 dhcp charon: 08[CFG] selecting proposal:
Jul 10 09:41:52 dhcp charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:41:52 dhcp charon: 08[CFG] selecting proposal:
Jul 10 09:41:52 dhcp charon: 08[CFG]   proposal matches
Jul 10 09:41:52 dhcp charon: 08[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul 10 09:41:52 dhcp charon: 08[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:41:52 dhcp charon: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:41:52 dhcp charon: 08[IKE] local host is behind NAT, sending keep alives
Jul 10 09:41:52 dhcp charon: 08[IKE] remote host is behind NAT
Jul 10 09:41:52 dhcp charon: 08[IKE] sending cert request for "C=AU, O=EXAMPLE, CN=EXAMPLE CA"
Jul 10 09:41:52 dhcp charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 10 09:41:52 dhcp charon: 08[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500] (337 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 07[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (972 bytes)
Jul 10 09:41:52 dhcp charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 10 09:41:52 dhcp charon: 07[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
Jul 10 09:41:52 dhcp charon: 07[IKE] received cert request for "C=AU, O=EXAMPLE, CN=EXAMPLE CA"
Jul 10 09:41:52 dhcp charon: 07[IKE] received 31 cert requests for an unknown ca
Jul 10 09:41:52 dhcp charon: 07[CFG] looking for peer configs matching 10.0.0.2[%any]...xxx.xxx.xxx.xxx[10.1.1.5]
Jul 10 09:41:52 dhcp charon: 07[CFG]   candidate "IPSec-IKEv2", match: 1/1/1052 (me/other/ike)
Jul 10 09:41:52 dhcp charon: 07[CFG]   candidate "IPSec-IKEv2-EAP", match: 1/1/1052 (me/other/ike)
Jul 10 09:41:52 dhcp charon: 07[CFG] selected peer config 'IPSec-IKEv2'
Jul 10 09:41:52 dhcp charon: 07[IKE] peer requested EAP, config inacceptable
Jul 10 09:41:52 dhcp charon: 07[CFG] switching to peer config 'IPSec-IKEv2-EAP'
Jul 10 09:41:52 dhcp charon: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_DNS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_NBNS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_SERVER attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_DNS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_SERVER attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] peer supports MOBIKE
Jul 10 09:41:52 dhcp charon: 07[IKE] authentication of 'C=AU, O=EXAMPLE, CN=EXAMPLE AU' (myself) with RSA signature successful
Jul 10 09:41:52 dhcp charon: 07[IKE] sending end entity cert "C=AU, O=EXAMPLE, CN=EXAMPLE AU"
Jul 10 09:41:52 dhcp charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 10 09:41:52 dhcp charon: 07[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (1516 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 10[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
Jul 10 09:41:52 dhcp charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jul 10 09:41:52 dhcp charon: 10[IKE] received EAP identity 'shane'
Jul 10 09:41:52 dhcp charon: 10[IKE] initiating EAP_MSCHAPV2 method (id 0xB2)
Jul 10 09:41:52 dhcp charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 10[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (108 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 09[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (140 bytes)
Jul 10 09:41:52 dhcp charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 09[IKE] EAP-MS-CHAPv2 username: 'shane'
Jul 10 09:41:52 dhcp charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 09[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (140 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 11[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
Jul 10 09:41:52 dhcp charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jul 10 09:41:52 dhcp charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Jul 10 09:41:52 dhcp charon: 11[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 12[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (92 bytes)
Jul 10 09:41:52 dhcp charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Jul 10 09:41:52 dhcp charon: 12[IKE] authentication of '10.1.1.5' with EAP successful
Jul 10 09:41:52 dhcp charon: 12[IKE] authentication of 'C=AU, O=EXAMPLE, CN=EXAMPLE AU' (myself) with EAP
Jul 10 09:41:52 dhcp charon: 12[IKE] IKE_SA IPSec-IKEv2-EAP[1] established between 10.0.0.2[C=AU, O=EXAMPLE, CN=EXAMPLE AU]...xxx.xxx.xxx.xxx[10.1.1.5]
Jul 10 09:41:52 dhcp charon: 12[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: CONNECTING => ESTABLISHED
Jul 10 09:41:52 dhcp charon: 12[IKE] peer requested virtual IP %any
Jul 10 09:41:52 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:52 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be via team0
Jul 10 09:41:53 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:53 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:54 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:54 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:54 dhcp charon: 06[MGR] ignoring request with ID 5, already processing
Jul 10 09:41:55 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:55 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:55 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:57 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:57 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:57 dhcp charon: 15[MGR] ignoring request with ID 5, already processing
Jul 10 09:41:58 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:58 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:58 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:42:00 dhcp chronyd[728]: NTP packet received from unauthorised host 10.0.0.2 port 123
Jul 10 09:42:02 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:42:02 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:42:02 dhcp charon: 10[MGR] ignoring request with ID 5, already processing
Jul 10 09:42:02 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:42:02 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:42:02 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:42:07 dhcp charon: 12[CFG] DHCP DISCOVER timed out
Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found for %any requested by 'shane'
Jul 10 09:42:07 dhcp charon: 12[IKE] peer requested virtual IP %any6
Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found for %any6 requested by 'shane'
Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Jul 10 09:42:07 dhcp charon: 12[CFG] looking for a child config for ::/0 0.0.0.0/0 === ::/0 0.0.0.0/0
Jul 10 09:42:07 dhcp charon: 12[CFG] proposing traffic selectors for us:
Jul 10 09:42:07 dhcp charon: 12[CFG]  255.255.255.0/24
Jul 10 09:42:07 dhcp charon: 12[CFG] proposing traffic selectors for other:
Jul 10 09:42:07 dhcp charon: 12[CFG]  255.255.255.0/24
Jul 10 09:42:07 dhcp charon: 12[CFG]   candidate "IPSec-IKEv2-EAP" with prio 1+1
Jul 10 09:42:07 dhcp charon: 12[CFG] found matching child config "IPSec-IKEv2-EAP" with prio 2
Jul 10 09:42:07 dhcp charon: 12[IKE] configuration payload negotiation failed, no CHILD_SA built
Jul 10 09:42:07 dhcp charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jul 10 09:42:07 dhcp charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
Jul 10 09:42:07 dhcp charon: 12[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (124 bytes)
Jul 10 09:42:07 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:42:07 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:42:07 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:42:07 dhcp charon: 11[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
Jul 10 09:42:07 dhcp charon: 11[ENC] parsed INFORMATIONAL request 6 [ D ]
Jul 10 09:42:07 dhcp charon: 11[IKE] received DELETE for IKE_SA IPSec-IKEv2-EAP[1]
Jul 10 09:42:07 dhcp charon: 11[IKE] deleting IKE_SA IPSec-IKEv2-EAP[1] between 10.0.0.2[C=AU, O=EXAMPLE, CN=EXAMPLE AU]...xxx.xxx.xxx.xxx[10.1.1.5]
Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: ESTABLISHED => DELETING
Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA deleted
Jul 10 09:42:07 dhcp charon: 11[ENC] generating INFORMATIONAL response 6 [ ]
Jul 10 09:42:07 dhcp charon: 11[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)
Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: DELETING => DESTROYING
Jul 10 09:42:07 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:42:08 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500]
Jul 10 09:42:08 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:42:08 dhcp charon: 14[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500] (384 bytes)
Jul 10 09:42:08 dhcp charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
Jul 10 09:42:08 dhcp charon: 14[CFG] looking for an ike config for 10.0.0.2...xxx.xxx.xxx.xxx
Jul 10 09:42:08 dhcp charon: 14[CFG]   candidate: 10.0.0.2...%any, prio 1052
Jul 10 09:42:08 dhcp charon: 14[CFG] found matching ike config: 10.0.0.2...%any with prio 1052
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:08
Jul 10 09:42:08 dhcp charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
Jul 10 09:42:08 dhcp charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Jul 10 09:42:08 dhcp charon: 14[IKE] xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Jul 10 09:42:08 dhcp charon: 14[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:42:08 dhcp charon: 14[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:42:08 dhcp charon: 14[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:42:08 dhcp charon: 14[IKE] no proposal found
Jul 10 09:42:08 dhcp charon: 14[IKE] queueing INFORMATIONAL task
Jul 10 09:42:08 dhcp charon: 14[IKE] activating new tasks
Jul 10 09:42:08 dhcp charon: 14[IKE]   activating INFORMATIONAL task
Jul 10 09:42:08 dhcp charon: 14[ENC] generating INFORMATIONAL_V1 request 2146740619 [ N(NO_PROP) ]
Jul 10 09:42:08 dhcp charon: 14[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500] (56 bytes)
Jul 10 09:42:08 dhcp charon: 14[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
Jul 10 09:42:08 dhcp charon: 04[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500]

以及新的配置:

dhcp {
   force_server_address = yes
   interface = team0
   load = yes
   server = 255.255.255.255
}

我已經解決了!請參閱頁面底部的註釋(此處)

$$ 1 $$…如前所述,我確實嘗試過,但沒有運氣。我在 em1 和 em2 上有一個 NIC 團隊,成為 team0。StrongSwan 好像沒有考慮過這個介面。 我將介面更改為 team0,我的伺服器是 255.255.255.255 - DHCP 伺服器可以看到請求,但 VPN 看不到回复。一旦我將伺服器設置為 10.0.0.255,介面設置為 team0,一切都開始工作了。

所以訣竅是,如果您使用 NIC 分組,則需要將您的組指定為介面,並將伺服器指定為您的本地廣播地址。您需要將 force_server_address 設置為 yes,並且 identity_lease 似乎不會影響它。

我希望這可以將其他人從噩夢中拯救出來。

我的最終配置:

dhcp {

   # Always use the configured server address.
   force_server_address = yes

   # Derive user-defined MAC address from hash of IKE identity.
   identity_lease = yes

   # Interface name the plugin uses for address allocation.
   interface = team0

   # Whether to load the plugin. Can also be an integer to increase the
   # priority of this plugin.
   load = yes

   # DHCP server unicast or broadcast IP address.
   server = 10.0.0.255

}

我的日誌的 DHCP 部分現在看起來像什麼:

Jul 10 10:05:27 dhcp charon: 02[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: CONNECTING => ESTABLISHED
Jul 10 10:05:27 dhcp charon: 02[IKE] peer requested virtual IP %any
Jul 10 10:05:27 dhcp charon: 02[CFG] sending DHCP DISCOVER to 10.0.0.255
Jul 10 10:05:27 dhcp dhcpd: DHCPDISCOVER from 7a:a7:b4:f2:4e:dc via 10.0.0.2
Jul 10 10:05:28 dhcp charon: 02[CFG] sending DHCP DISCOVER to 10.0.0.255
Jul 10 10:05:28 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:b4:f2:4e:dc (shane) via 10.0.0.2
Jul 10 10:05:28 dhcp charon: 07[CFG] received DHCP OFFER 10.0.0.188 from 10.0.0.2
Jul 10 10:05:28 dhcp charon: 02[CFG] sending DHCP REQUEST for 10.0.0.188 to 10.0.0.2
Jul 10 10:05:28 dhcp dhcpd: DHCPREQUEST for 10.0.0.188 (10.0.0.2) from 7a:a7:b4:f2:4e:dc (shane) via 10.0.0.2
Jul 10 10:05:28 dhcp dhcpd: DHCPACK on 10.0.0.188 to 7a:a7:b4:f2:4e:dc (shane) via 10.0.0.2
Jul 10 10:05:28 dhcp charon: 08[CFG] received DHCP ACK for 10.0.0.188
Jul 10 10:05:28 dhcp charon: 02[IKE] assigning virtual IP 10.0.0.188 to peer 'shane'

請注意,DHCP 守護程序似乎記錄它接收請求的速度比 Charon 似乎記錄它已請求某些東西的速度要快。

我希望這可以節省其他人的時間和挫敗感。

引用自:https://serverfault.com/questions/704516