Vpn
Site-to-site IPsec between strongSwan and a Zyxel NSG200
I am trying to bring up an IPsec connection (site-to-site) between a Debian 10 server running strongSwan and a Nebula NSG200.
Let's assume:
Debian server:
- Public IP: 50.50.50.45
- Private network: 10.1.0.0/16
Nebula NSG200:
- Public IP: 100.100.100.123
- Private network: 10.40.0.0/24
But authentication fails every time. I get the following messages in the Debian logs.
I don't understand why authentication fails!
...
charon: 13[NET] received packet: from 100.100.100.123[500] to 50.50.50.45[500] (480 bytes)
charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V ]
charon: 13[ENC] received unknown vendor ID: xx:xx:xx:xx:xx:...
charon: 13[ENC] received unknown vendor ID: yy:yy:yy:yy:yy:...
charon: 13[ENC] received unknown vendor ID: zz:zz:zz:zz:zz:...
charon: 13[IKE] 100.100.100.123 is initiating an IKE_SA
charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024
charon: 13[IKE] remote host is behind NAT
charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
charon: 13[NET] sending packet: from 50.50.50.45[500] to 100.100.100.123[500] (312 bytes)
charon: 14[NET] received packet: from 100.100.100.123[4500] to 50.50.50.45[4500] (320 bytes)
charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(HTTP_CERT_LOOK) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
charon: 14[IKE] received 1 cert requests for an unknown ca
charon: 14[CFG] looking for peer configs matching 50.50.50.45[%any]...100.100.100.123[10.0.1.250]
charon: 14[CFG] no matching peer config found
charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
charon: 14[NET] sending packet: from 50.50.50.45[4500] to 100.100.100.123[4500] (96 bytes)
...
strongSwan side
/etc/ipsec.conf:
config setup
    charondebug="all"
    uniqueids=yes

conn deb-to-neb
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=100.100.100.123
    leftsubnet=10.40.0.1/24
    right=50.50.50.45
    rightsubnet=10.1.0.1/16
    ike=aes256-sha512-modp1024!
    esp=aes256-sha512!
    aggressive=yes
    keyingtries=%forever
    ikelifetime=86400s
    lifetime=3600s
    dpdaction=restart
/etc/ipsec.secrets:
100.100.100.123 50.50.50.45 : PSK "MySuperSecret"
50.50.50.45 100.100.100.123 : PSK "MySuperSecret"
Nebula side
Phase 1
- IKE version: IKEv2
- Encryption: AES256
- Authentication: SHA512
- Diffie-Hellman group: DH2
- Lifetime (seconds): 86400
Phase 2 (group 1)
- Encryption: AES256
- Authentication: SHA512
- PFS group: DH2
- Lifetime (seconds): 3600
This is not an authentication error; the problem is that your configuration does not match:
charon: 14[CFG] looking for peer configs matching 50.50.50.45[%any]...100.100.100.123[10.0.1.250]
charon: 14[CFG] no matching peer config found
In particular the remote identity. Because you have not configured rightid, it defaults to the remote IP address (100.100.100.123), but that does not match the identity sent by the peer (10.0.1.250). Since changing the peer's identity does not seem to be an option (based on that screenshot), try configuring rightid=10.0.1.250.
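The identity check the answer describes can be reproduced offline. The script below is an added example written for this page; it is not code from the question, the answer, or the strongSwan project. It parses the `[CFG] looking for peer configs matching <local>[<IDr>]...<remote>[<IDi>]` line from the charon log, reads a minimal ipsec.conf, treats the end whose address equals the local address in the log as the local end, and applies the rule that leftid/rightid default to the left/right address when not set. The two embedded configs are constructed: the first is the relevant part of the conn as posted, the second puts the Debian host on `left` (the local side, as the strongSwan documentation conventionally orders it) and adds `rightid` as the answer suggests. The `%any` local identity in the log is matched as a wildcard, since the initiator sent no IDr in its IKE_AUTH request.

```python
import re

# Constructed for this example: the lookup line from the question's charon log.
LOG_LINE = ("charon: 14[CFG] looking for peer configs matching "
            "50.50.50.45[%any]...100.100.100.123[10.0.1.250]")

# Constructed: the lines of the conn as posted that matter for the lookup.
BROKEN_CONF = """
config setup
    charondebug="all"
    uniqueids=yes

conn deb-to-neb
    keyexchange=ikev2
    authby=secret
    left=100.100.100.123
    leftsubnet=10.40.0.0/24
    right=50.50.50.45
    rightsubnet=10.1.0.0/16
"""

# Constructed: the same conn with the Debian host as left (local) and the
# peer's IKE identity pinned with rightid, as the answer suggests.
FIXED_CONF = """
conn deb-to-neb
    keyexchange=ikev2
    authby=secret
    left=50.50.50.45
    leftsubnet=10.1.0.0/16
    right=100.100.100.123
    rightid=10.0.1.250
    rightsubnet=10.40.0.0/24
"""

LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<me>\S+?)\[(?P<me_id>[^\]]*)\]\.\.\.(?P<other>\S+?)\[(?P<other_id>[^\]]*)\]"
)


def parse_lookup(line):
    """Extract local/remote address and identity from a charon [CFG] lookup line."""
    m = LOOKUP_RE.search(line)
    return m.groupdict() if m else None


def parse_conns(text):
    """Minimal ipsec.conf reader: returns {conn_name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif line.startswith("config "):
            current = None            # 'config setup' carries no end settings
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def effective_ends(conn, local_addr):
    """Pick the local end (the one whose address is ours) and the identity each
    end is expected to present: <end>id if set, otherwise the end's address."""
    if conn.get("left") == local_addr:
        me, other = "left", "right"
    elif conn.get("right") == local_addr:
        me, other = "right", "left"
    else:
        return None
    return {
        "my_id": conn.get(me + "id", conn.get(me)),
        "other_addr": conn.get(other),
        "other_id": conn.get(other + "id", conn.get(other)),
    }


def id_matches(configured, received):
    return "%any" in (configured, received) or configured == received


def check(conf_text, log_line):
    """Return {conn_name: [problems]} comparing each conn with the lookup line."""
    lookup = parse_lookup(log_line)
    report = {}
    for name, conn in parse_conns(conf_text).items():
        ends = effective_ends(conn, lookup["me"])
        if ends is None:
            report[name] = ["neither left nor right is the local address %s" % lookup["me"]]
            continue
        problems = []
        if ends["other_addr"] not in (lookup["other"], "%any"):
            problems.append("remote address mismatch: configured %s, peer is %s"
                            % (ends["other_addr"], lookup["other"]))
        if not id_matches(ends["my_id"], lookup["me_id"]):
            problems.append("local identity mismatch: configured %s, peer asked for %s"
                            % (ends["my_id"], lookup["me_id"]))
        if not id_matches(ends["other_id"], lookup["other_id"]):
            problems.append("remote identity mismatch: configured %s, peer sent %s"
                            % (ends["other_id"], lookup["other_id"]))
        report[name] = problems
    return report


if __name__ == "__main__":
    for label, conf in (("as posted", BROKEN_CONF), ("with rightid", FIXED_CONF)):
        print(label, check(conf, LOG_LINE))
```

Run against the posted conn, the checker reports only the remote identity mismatch (defaulted to 100.100.100.123, peer sent 10.0.1.250), which is the line charon logs just before `no matching peer config found`; with `rightid=10.0.1.250` the conn matches. Pinning the peer identity this way is also the safer direction than widening it to `%any`, because the pre-shared key in ipsec.secrets is selected by the same identities.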