Strongswan (IKEv2-EAP) with a Let's Encrypt certificate
I am configuring a Strongswan server so that VPN clients can access an internal network (EAP-IKEv2). I set it up successfully with a self-signed server certificate, and after adding ca.crt to the clients' root CAs it works for clients running Mac OS X, Windows 7 and Windows 10.

Now I want to switch to a Letsencrypt certificate, so that the certificate is trusted without any extra client configuration. Unfortunately, for some reason I cannot get it to work.

Server: Strongswan version 5.6.2 on Ubuntu 18.04. Clients: Mac OS X 10.14.2 / Ubuntu 18.04 / Windows 7 / Windows 10

The VPN error I get on Mac OS X is `The VPN server did not respond`. Just for comparison: with the self-signed certificate and without adding ca.crt to Mac OS, I get `User Authentication failed`. When I copy `server.crt` to the client, it says `This certificate is valid`. I also tried setting IP Security (IPsec) to `Always trust` for the DST Root CA X3 certificate and for any other Letsencrypt-related CA certificate in Mac OS, but that did not help. I also tried forcing `Always Trust` on the `server.crt` certificate itself, but still no luck. I tested all of the operating systems mentioned (Linux with the strongswan network-manager applet) and it did not work.

Because I could not get any reasonable debug logs out of Mac OS and Windows, I set up a Strongswan client on another Ubuntu server, without the network-manager applet. It started working after I copied the `DST_Root_CA_X3.pem` certificate from `/etc/ssl/certs` to `/etc/ipsec.d/cacerts` on the client. I have 3 questions:

- How can I get any debug logs from the native Mac OS VPN client?
- Does Strongswan VPN work with Letsencrypt certificates at all? What could be the problem here?
- Do you recommend any alternative that might work? Racoon, Openswan? I am keeping OpenVPN as plan B.

You can find all the details below.

Thank you for helping me. I would appreciate any input.
Server

```
$ certbot certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email info@company.com -d vpn.company.com
$ cp /etc/letsencrypt/live/vpn.company.com/fullchain.pem /etc/ipsec.d/certs/server.crt
$ cp /etc/letsencrypt/live/vpn.company.com/privkey.pem /etc/ipsec.d/private/server.key
```
I know that strongswan only reads the first certificate in `server.crt`. Still no luck after removing the second (chain) certificate. It also does not work if I try adding `chain.pem` or any other CA certificate from /etc/ssl/certs to /etc/ipsec.d/cacerts, which is because CA certs on the server have no effect on client authentication. I also tested converting the certificates to DER and PEM formats.
PKI verification

```
$ ipsec pki --verify --in /etc/ipsec.d/certs/server.crt
  no issuer certificate found for "CN=vpn.company.com"
  issuer is "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
  using trusted certificate "CN=vpn.company.com"
  certificate trusted, lifetimes valid
```
Certificate details

```
$ openssl x509 -in certs/server.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:50:51:[...]
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Mar  1 13:40:42 2019 GMT
            Not After : May 30 13:40:42 2019 GMT
        Subject: CN = vpn.company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e3:a8:ea:8e:[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                EC:6A:[...]
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:[...]
            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
            X509v3 Subject Alternative Name:
                DNS:vpn.company.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 74:7E:DA:[...]
                    Timestamp : Mar  1 14:40:42.419 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:[...]
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:3C:51:[...]
                    Timestamp : Mar  1 14:40:42.499 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:[...]
    Signature Algorithm: sha256WithRSAEncryption
         8e:da:a3:[...]
```
ipsec.conf

```
config setup
    charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, asn 1, enc 1, lib 1, esp 1, tls 1, tnc 1, imc 1, imv 1, pts 1"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    fragmentation=no
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.company.com
    leftauth=pubkey
    leftcert=server.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.255.255.0/24
    rightdns=1.1.1.1
    rightsendcert=never
    eap_identity=%identity
```
ipsec.secrets

```
vpn.company.com : RSA server.key
user %any% : EAP "user_password"
```
Strongswan server log

```
ipsec[11918]: Starting strongSwan 5.6.2 IPsec [starter]...
ipsec_starter[11918]: Starting strongSwan 5.6.2 IPsec [starter]...
charon[11943]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64)
charon[11943]: 00[CFG] PKCS11 module '<name>' lacks library path
charon[11943]: 00[CFG] disabling load-tester plugin, not configured
charon[11943]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
charon[11943]: 00[NET] could not open socket: Address family not supported by protocol
charon[11943]: 00[NET] could not open IPv6 socket, IPv6 disabled
charon[11943]: 00[KNL] received netlink error: Address family not supported by protocol (97)
charon[11943]: 00[KNL] unable to create IPv6 routing table rule
charon[11943]: 00[CFG] dnscert plugin is disabled
charon[11943]: 00[CFG] ipseckey plugin is disabled
charon[11943]: 00[CFG] attr-sql plugin: database URI not set
charon[11943]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon[11943]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon[11943]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon[11943]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon[11943]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon[11943]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon[11943]: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server.key'
charon[11943]: 00[CFG] loaded EAP secret for USERNAME_HERE %any%
charon[11943]: 00[CFG] sql plugin: database URI not set
charon[11943]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
charon[11943]: 00[CFG] eap-simaka-sql database URI missing
charon[11943]: 00[CFG] loaded 0 RADIUS server configurations
charon[11943]: 00[CFG] HA config misses local/remote address
charon[11943]: 00[CFG] no threshold configured for systime-fix, disabled
charon[11943]: 00[CFG] coupling file path unspecified
charon[11943]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
charon[11943]: 00[LIB] dropped capabilities, running as uid 0, gid 0
charon[11943]: 00[JOB] spawning 16 worker threads
ipsec[11918]: charon (11943) started after 40 ms
ipsec_starter[11918]: charon (11943) started after 40 ms
charon[11943]: 06[CFG] received stroke: add connection 'ikev2-vpn'
charon[11943]: 06[CFG] adding virtual IP address pool 10.255.255.0/24
charon[11943]: 06[CFG] loaded certificate "CN=vpn.company.com" from 'server.crt'
charon[11943]: 06[CFG] added configuration 'ikev2-vpn'
charon[11943]: 08[NET] received packet: from CLIENT_IP_HERE[44709] to SERVER_IP_HERE[500] (604 bytes)
charon[11943]: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
charon[11943]: 08[IKE] CLIENT_IP_HERE is initiating an IKE_SA
charon[11943]: 08[IKE] CLIENT_IP_HERE is initiating an IKE_SA
charon[11943]: 08[IKE] remote host is behind NAT
charon[11943]: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
charon[11943]: 08[NET] sending packet: from SERVER_IP_HERE[500] to CLIENT_IP_HERE[44709] (440 bytes)
charon[11943]: 09[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 09[ENC] unknown attribute type (25)
charon[11943]: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon[11943]: 09[CFG] looking for peer configs matching SERVER_IP_HERE[vpn.company.com]...CLIENT_IP_HERE[CLIENT_LOCAL_IP_HERE]
charon[11943]: 09[CFG] selected peer config 'ikev2-vpn'
charon[11943]: 09[IKE] initiating EAP_IDENTITY method (id 0x00)
charon[11943]: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
charon[11943]: 09[IKE] peer supports MOBIKE
charon[11943]: 09[IKE] authentication of 'vpn.company.com' (myself) with RSA signature successful
charon[11943]: 09[IKE] sending end entity cert "CN=vpn.company.com"
charon[11943]: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon[11943]: 09[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
charon[11943]: 10[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 10[ENC] unknown attribute type (25)
ipsec[11918]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64)
ipsec[11918]: 00[CFG] PKCS11 module '<name>' lacks library path
ipsec[11918]: 00[CFG] disabling load-tester plugin, not configured
ipsec[11918]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
ipsec[11918]: 00[NET] could not open socket: Address family not supported by protocol
ipsec[11918]: 00[NET] could not open IPv6 socket, IPv6 disabled
ipsec[11918]: 00[KNL] received netlink error: Address family not supported by protocol (97)
ipsec[11918]: 00[KNL] unable to create IPv6 routing table rule
ipsec[11918]: 00[CFG] dnscert plugin is disabled
ipsec[11918]: 00[CFG] ipseckey plugin is disabled
ipsec[11918]: 00[CFG] attr-sql plugin: database URI not set
ipsec[11918]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
ipsec[11918]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
ipsec[11918]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
ipsec[11918]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
ipsec[11918]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
ipsec[11918]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
ipsec[11918]: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server.key'
ipsec[11918]: 00[CFG] loaded EAP secret for USERNAME_HERE %any%
ipsec[11918]: 00[CFG] sql plugin: database URI not set
ipsec[11918]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
ipsec[11918]: 00[CFG] eap-simaka-sql database URI missing
ipsec[11918]: 00[CFG] loaded 0 RADIUS server configurations
ipsec[11918]: 00[CFG] HA config misses local/remote address
ipsec[11918]: 00[CFG] no threshold configured for systime-fix, disabled
ipsec[11918]: 00[CFG] coupling file path unspecified
charon[11943]: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
ipsec[11918]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
ipsec[11918]: 00[LIB] dropped capabilities, running as uid 0, gid 0
ipsec[11918]: 00[JOB] spawning 16 worker threads
ipsec[11918]: 06[CFG] received stroke: add connection 'ikev2-vpn'
ipsec[11918]: 06[CFG] adding virtual IP address pool 10.255.255.0/24
ipsec[11918]: 06[CFG] loaded certificate "CN=vpn.company.com" from 'server.crt'
ipsec[11918]: 06[CFG] added configuration 'ikev2-vpn'
ipsec[11918]: 08[NET] received packet: from CLIENT_IP_HERE[44709] to SERVER_IP_HERE[500] (604 bytes)
ipsec[11918]: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
ipsec[11918]: 08[IKE] CLIENT_IP_HERE is initiating an IKE_SA
ipsec[11918]: 08[IKE] remote host is behind NAT
ipsec[11918]: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
ipsec[11918]: 08[NET] sending packet: from SERVER_IP_HERE[500] to CLIENT_IP_HERE[44709] (440 bytes)
ipsec[11918]: 09[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
ipsec[11918]: 09[ENC] unknown attribute type (25)
ipsec[11918]: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
ipsec[11918]: 09[CFG] looking for peer configs matching SERVER_IP_HERE[vpn.company.com]...CLIENT_IP_HERE[CLIENT_LOCAL_IP_HERE]
ipsec[11918]: 09[CFG] selected peer config 'ikev2-vpn'
ipsec[11918]: 09[IKE] initiating EAP_IDENTITY method (id 0x00)
charon[11943]: 10[IKE] received retransmit of request with ID 1, retransmitting response
ipsec[11918]: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
ipsec[11918]: 09[IKE] peer supports MOBIKE
ipsec[11918]: 09[IKE] authentication of 'vpn.company.com' (myself) with RSA signature successful
ipsec[11918]: 09[IKE] sending end entity cert "CN=vpn.company.com"
ipsec[11918]: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
ipsec[11918]: 09[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
ipsec[11918]: 10[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
ipsec[11918]: 10[ENC] unknown attribute type (25)
charon[11943]: 10[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
charon[11943]: 11[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 11[ENC] unknown attribute type (25)
charon[11943]: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon[11943]: 11[IKE] received retransmit of request with ID 1, retransmitting response
charon[11943]: 11[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
charon[11943]: 12[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 12[ENC] unknown attribute type (25)
charon[11943]: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon[11943]: 12[IKE] received retransmit of request with ID 1, retransmitting response
charon[11943]: 12[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
```
Edit: Mac OS started working after enabling fragmentation. Unfortunately, Windows 10 still ends with an error. Server log when connecting from Windows 10:
```
charon[12236]: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
charon[12236]: 06[NET] sending packet: from SERVER_IP_HERE[500] to CLIENT_IP_HERE[44742] (320 bytes)
charon[12236]: 09[NET] received packet: from CLIENT_IP_HERE[44743] to SERVER_IP_HERE[4500] (576 bytes)
charon[12236]: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
charon[12236]: 09[ENC] received fragment #1 of 2, waiting for complete IKE message
charon[12236]: 07[NET] received packet: from CLIENT_IP_HERE[44743] to SERVER_IP_HERE[4500] (368 bytes)
charon[12236]: 07[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
charon[12236]: 07[ENC] received fragment #2 of 2, reassembling fragmented IKE message
charon[12236]: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
charon[12236]: 07[IKE] received 27 cert requests for an unknown ca
charon[12236]: 07[CFG] looking for peer configs matching SERVER_IP_HERE[%any]...CLIENT_IP_HERE[CLIENT_LOCAL_IP_HERE]
charon[12236]: 07[CFG] selected peer config 'ikev2-vpn'
charon[12236]: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
charon[12236]: 07[IKE] authentication of 'vpn.autouncle.com' (myself) with RSA signature successful
charon[12236]: 07[IKE] sending end entity cert "CN=vpn.autouncle.com"
charon[12236]: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon[12236]: 07[ENC] splitting IKE message with length of 1740 bytes into 2 fragments
charon[12236]: 07[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
charon[12236]: 07[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
charon[12236]: 07[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44743] (1248 bytes)
charon[12236]: 07[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44743] (560 bytes)
```
This could be an IP fragmentation problem. Because of the certificate, the `IKE_AUTH` response is larger than the MTU (1744 bytes):

```
charon[11943]: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon[11943]: 09[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
```

So it gets split into multiple IP fragments. Some routers drop these, and the client may never receive the complete packet.

Fortunately, the client supports IKEv2 fragmentation (`FRAG_SUP` notify):

```
charon[11943]: 08[NET] received packet: from CLIENT_IP_HERE[44709] to SERVER_IP_HERE[500] (604 bytes)
charon[11943]: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
```

So try enabling IKEv2 fragmentation on the server, i.e. enable the `fragmentation` option, or just remove it, since it is enabled by default.
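As an added example (not part of the question or the answer above), a small Python checker that applies the reasoning of this answer to charon log lines: it looks for the FRAG_SUP notify in both the IKE_SA_INIT request and response, flags any sent UDP payload that cannot fit in one MTU-sized IPv4 packet, and counts peer retransmits. The two sample excerpts are constructed by condensing the logs quoted on this page; the 1500-byte MTU and the 28-byte IPv4+UDP header overhead are assumptions.

```python
import re

# Constructed sample excerpts, condensed from the charon output quoted on this page:
# the failing attempt (fragmentation=no) and the Windows 10 attempt after it was enabled.
FAILING_LOG = """\
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
09[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
10[IKE] received retransmit of request with ID 1, retransmitting response
"""
WORKING_LOG = """\
06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
07[ENC] splitting IKE message with length of 1740 bytes into 2 fragments
07[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44743] (1248 bytes)
07[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44743] (560 bytes)
"""

SENT_RE = re.compile(r"sending packet: from \S+ to \S+ \((\d+) bytes\)")
# charon logs the UDP payload size; IPv4 (20) + UDP (8) headers are added on the wire
# (assumption: plain IPv4 without options).
IPV4_UDP_OVERHEAD = 28


def analyze(log: str, mtu: int = 1500) -> dict:
    """Summarise fragmentation-related facts about one IKE exchange in a charon log."""
    limit = mtu - IPV4_UDP_OVERHEAD  # largest payload that still fits one IP packet
    peer_frag = local_frag = fragmented = False
    oversized, retransmits = [], 0
    for line in log.splitlines():
        if "parsed IKE_SA_INIT request" in line and "N(FRAG_SUP)" in line:
            peer_frag = True  # client announced IKEv2 fragmentation support
        if "generating IKE_SA_INIT response" in line and "N(FRAG_SUP)" in line:
            local_frag = True  # server announced it too (fragmentation=yes)
        if "splitting IKE message" in line or "EF(" in line:
            fragmented = True  # IKEv2-level fragments were actually used
        if "received retransmit of request" in line:
            retransmits += 1  # the peer keeps asking: it never saw our response
        m = SENT_RE.search(line)
        if m and int(m.group(1)) > limit:
            oversized.append(int(m.group(1)))  # will be IP-fragmented on the wire
    if oversized and peer_frag and not local_frag:
        verdict = "set fragmentation=yes: peer offered FRAG_SUP but the server did not"
    elif oversized and not peer_frag:
        verdict = "peer lacks FRAG_SUP: only IP fragmentation is available, shrink the cert chain"
    else:
        verdict = "ok"
    return {"peer_frag_sup": peer_frag, "local_frag_sup": local_frag,
            "fragmented": fragmented, "oversized": oversized,
            "retransmits": retransmits, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(name, analyze(log))
```

Feed it the charon lines of a single connection attempt; a list of oversized payloads together with retransmits and no `local_frag_sup` is the pattern seen in the question.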