Vpn

帶有letsencrypt證書的Strongswan (IKEv2-EAP)

  • March 12, 2019

我正在為 VPN 客戶端配置 Strongswan 伺服器以訪問內部網路 (EAP-IKEv2)。我使用自簽名伺服器證書成功設置它,在將 ca.crt 添加到客戶端的根 CA 後,它適用於使用 Mac OS X、Windows 7 和 Windows 10 的客戶端。

現在我想切換到 Letsencrypt 證書,無需任何額外的客戶端配置即可信任該證書,不幸的是,由於某種原因我無法使其正常工作。

伺服器:Ubuntu 18.04 上的 Strongswan 版本 5.6.2。客戶端:Mac OS X 10.14.2 / Ubuntu 18.04 / Windows 7 / Windows 10

我收到的 Mac OS X VPN 錯誤是:The VPN server did not respond. 只是為了與沒有將 ca.crt 添加到 Mac OS 的自簽名證書進行比較,我會收到User Authentication failed.

當我複制server.crt給客戶時,它說This certificate is valid

我還嘗試將 DST ROOT CA X3 證書的 IP 安全性 (IPsec) 設置為Always trustMac OS 中的任何其他 Letsencrypt 相關 CA 證書,但這沒有幫助。

我也嘗試強制執行Always Trust證書server.crt,但仍然沒有運氣。

我測試了所有提到的作業系統(Linux 使用 strongswan 網路管理器小程序),但它沒有工作。

因為我無法從 Mac OS 和 Windows 獲得任何合理的調試日誌,所以我在沒有網路管理器小程序的情況下使用 Ubuntu 在其他伺服器上設置了 Strongswan客戶端。DST_Root_CA_X3.pem它在將證書從客戶端複製到之後開始/etc/ssl/certs工作/etc/ipsec.d/cacerts

我有3個問題:

  1. 如何從 Mac OS 本地 VPN 客戶端獲取任何調試日誌?
  2. Strongswan VPN 甚至可以與 Letsencrypt 證書一起使用嗎?這裡可能是什麼問題?
  3. 您是否推薦任何可能有效的替代方案?浣熊,Openswan?讓我把 OpenVPN 作為 B 計劃。

您可以在下面找到所有詳細資訊。

謝謝你幫助我。我會很感激任何意見。

伺服器

$ certbot certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email info@company.com -d vpn.company.com

$ cp /etc/letsencrypt/live/vpn.company.com/fullchain.pem /etc/ipsec.d/certs/server.crt
$ cp /etc/letsencrypt/live/vpn.company.com/privkey.pem /etc/ipsec.d/private/server.key

我知道 strongswan 只讀取在server.crt. 仍然無法刪除第二個鏈證書。如果我嘗試從 /etc/ssl/certs 添加到 /etc/ipsec.d/cacerts 或任何其他 CA 證書,它也不起作用chain.pem,這是因為伺服器上的 CAcerts 對客戶端身份驗證沒有影響。

我還測試了將證書轉換為 DER 和 PEM 格式。

PKI 驗證

$ ipsec pki --verify --in /etc/ipsec.d/certs/server.crt
no issuer certificate found for "CN=vpn.company.com"
 issuer is "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
 using trusted certificate "CN=vpn.company.com"
certificate trusted, lifetimes valid

證書詳情

$ openssl x509 -in certs/server.crt -noout -text
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           03:50:51:[...]
   Signature Algorithm: sha256WithRSAEncryption
       Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
       Validity
           Not Before: Mar  1 13:40:42 2019 GMT
           Not After : May 30 13:40:42 2019 GMT
       Subject: CN = vpn.company.com
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
                   00:e3:a8:ea:8e:[...]
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Key Usage: critical
               Digital Signature, Key Encipherment
           X509v3 Extended Key Usage:
               TLS Web Server Authentication, TLS Web Client Authentication
           X509v3 Basic Constraints: critical
               CA:FALSE
           X509v3 Subject Key Identifier:
               EC:6A:[...]
           X509v3 Authority Key Identifier:
               keyid:A8:4A:6A:[...]

           Authority Information Access:
               OCSP - URI:http://ocsp.int-x3.letsencrypt.org
               CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

           X509v3 Subject Alternative Name:
               DNS:vpn.company.com
           X509v3 Certificate Policies:
               Policy: 2.23.140.1.2.1
               Policy: 1.3.6.1.4.1.44947.1.1.1
                 CPS: http://cps.letsencrypt.org

           CT Precertificate SCTs:
               Signed Certificate Timestamp:
                   Version   : v1 (0x0)
                   Log ID    : 74:7E:DA:[...]
                   Timestamp : Mar  1 14:40:42.419 2019 GMT
                   Extensions: none
                   Signature : ecdsa-with-SHA256
                               30:45:02:[...]
               Signed Certificate Timestamp:
                   Version   : v1 (0x0)
                   Log ID    : 29:3C:51:[...]
                   Timestamp : Mar  1 14:40:42.499 2019 GMT
                   Extensions: none
                   Signature : ecdsa-with-SHA256
                               30:46:02:[...]
   Signature Algorithm: sha256WithRSAEncryption
        8e:da:a3:[...]

ipsec.conf


config setup
 charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, asn 1, enc 1, lib 1, esp 1, tls 1, tnc 1, imc 1, imv 1, pts 1"
   uniqueids=no

conn ikev2-vpn
   auto=add
   compress=no
   type=tunnel
   keyexchange=ikev2
   ike=aes256-sha1-modp1024
   esp=aes256-sha1
   fragmentation=no
   forceencaps=yes
   dpdaction=clear
   dpddelay=300s
   rekey=no
   left=%any
   leftid=@vpn.company.com
 leftauth=pubkey
   leftcert=server.crt
   leftsendcert=always
   leftsubnet=0.0.0.0/0
 leftfirewall=yes
   right=%any
   rightid=%any
   rightauth=eap-mschapv2
   rightsourceip=10.255.255.0/24
   rightdns=1.1.1.1
   rightsendcert=never
   eap_identity=%identity

ipsec.secrets

vpn.company.com : RSA server.key
user %any% : EAP "user_password"

Strongswan伺服器日誌

ipsec[11918]: Starting strongSwan 5.6.2 IPsec [starter]...
ipsec_starter[11918]: Starting strongSwan 5.6.2 IPsec [starter]...
charon[11943]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64)
charon[11943]: 00[CFG] PKCS11 module '<name>' lacks library path
charon[11943]: 00[CFG] disabling load-tester plugin, not configured
charon[11943]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
charon[11943]: 00[NET] could not open socket: Address family not supported by protocol
charon[11943]: 00[NET] could not open IPv6 socket, IPv6 disabled
charon[11943]: 00[KNL] received netlink error: Address family not supported by protocol (97)
charon[11943]: 00[KNL] unable to create IPv6 routing table rule
charon[11943]: 00[CFG] dnscert plugin is disabled
charon[11943]: 00[CFG] ipseckey plugin is disabled
charon[11943]: 00[CFG] attr-sql plugin: database URI not set
charon[11943]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon[11943]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon[11943]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon[11943]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon[11943]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon[11943]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon[11943]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
charon[11943]: 00[CFG]   loaded EAP secret for USERNAME_HERE %any%
charon[11943]: 00[CFG] sql plugin: database URI not set
charon[11943]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
charon[11943]: 00[CFG] eap-simaka-sql database URI missing
charon[11943]: 00[CFG] loaded 0 RADIUS server configurations
charon[11943]: 00[CFG] HA config misses local/remote address
charon[11943]: 00[CFG] no threshold configured for systime-fix, disabled
charon[11943]: 00[CFG] coupling file path unspecified
charon[11943]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
charon[11943]: 00[LIB] dropped capabilities, running as uid 0, gid 0
charon[11943]: 00[JOB] spawning 16 worker threads
ipsec[11918]: charon (11943) started after 40 ms
ipsec_starter[11918]: charon (11943) started after 40 ms
charon[11943]: 06[CFG] received stroke: add connection 'ikev2-vpn'
charon[11943]: 06[CFG] adding virtual IP address pool 10.255.255.0/24
charon[11943]: 06[CFG]   loaded certificate "CN=vpn.company.com" from 'server.crt'
charon[11943]: 06[CFG] added configuration 'ikev2-vpn'
charon[11943]: 08[NET] received packet: from CLIENT_IP_HERE[44709] to SERVER_IP_HERE[500] (604 bytes)
charon[11943]: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
charon[11943]: 08[IKE] CLIENT_IP_HERE is initiating an IKE_SA
charon[11943]: 08[IKE] CLIENT_IP_HERE is initiating an IKE_SA
charon[11943]: 08[IKE] remote host is behind NAT
charon[11943]: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
charon[11943]: 08[NET] sending packet: from SERVER_IP_HERE[500] to CLIENT_IP_HERE[44709] (440 bytes)
charon[11943]: 09[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 09[ENC] unknown attribute type (25)
charon[11943]: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon[11943]: 09[CFG] looking for peer configs matching SERVER_IP_HERE[vpn.company.com]...CLIENT_IP_HERE[CLIENT_LOCAL_IP_HERE]
charon[11943]: 09[CFG] selected peer config 'ikev2-vpn'
charon[11943]: 09[IKE] initiating EAP_IDENTITY method (id 0x00)
charon[11943]: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
charon[11943]: 09[IKE] peer supports MOBIKE
charon[11943]: 09[IKE] authentication of 'vpn.company.com' (myself) with RSA signature successful
charon[11943]: 09[IKE] sending end entity cert "CN=vpn.company.com"
charon[11943]: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon[11943]: 09[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
charon[11943]: 10[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 10[ENC] unknown attribute type (25)
ipsec[11918]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64)
ipsec[11918]: 00[CFG] PKCS11 module '<name>' lacks library path
ipsec[11918]: 00[CFG] disabling load-tester plugin, not configured
ipsec[11918]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
ipsec[11918]: 00[NET] could not open socket: Address family not supported by protocol
ipsec[11918]: 00[NET] could not open IPv6 socket, IPv6 disabled
ipsec[11918]: 00[KNL] received netlink error: Address family not supported by protocol (97)
ipsec[11918]: 00[KNL] unable to create IPv6 routing table rule
ipsec[11918]: 00[CFG] dnscert plugin is disabled
ipsec[11918]: 00[CFG] ipseckey plugin is disabled
ipsec[11918]: 00[CFG] attr-sql plugin: database URI not set
ipsec[11918]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
ipsec[11918]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
ipsec[11918]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
ipsec[11918]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
ipsec[11918]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
ipsec[11918]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
ipsec[11918]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
ipsec[11918]: 00[CFG]   loaded EAP secret for USERNAME_HERE %any%
ipsec[11918]: 00[CFG] sql plugin: database URI not set
ipsec[11918]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
ipsec[11918]: 00[CFG] eap-simaka-sql database URI missing
ipsec[11918]: 00[CFG] loaded 0 RADIUS server configurations
ipsec[11918]: 00[CFG] HA config misses local/remote address
ipsec[11918]: 00[CFG] no threshold configured for systime-fix, disabled
ipsec[11918]: 00[CFG] coupling file path unspecified
charon[11943]: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
ipsec[11918]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
ipsec[11918]: 00[LIB] dropped capabilities, running as uid 0, gid 0
ipsec[11918]: 00[JOB] spawning 16 worker threads
ipsec[11918]: 06[CFG] received stroke: add connection 'ikev2-vpn'
ipsec[11918]: 06[CFG] adding virtual IP address pool 10.255.255.0/24
ipsec[11918]: 06[CFG]   loaded certificate "CN=vpn.company.com" from 'server.crt'
ipsec[11918]: 06[CFG] added configuration 'ikev2-vpn'
ipsec[11918]: 08[NET] received packet: from CLIENT_IP_HERE[44709] to SERVER_IP_HERE[500] (604 bytes)
ipsec[11918]: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
ipsec[11918]: 08[IKE] CLIENT_IP_HERE is initiating an IKE_SA
ipsec[11918]: 08[IKE] remote host is behind NAT
ipsec[11918]: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
ipsec[11918]: 08[NET] sending packet: from SERVER_IP_HERE[500] to CLIENT_IP_HERE[44709] (440 bytes)
ipsec[11918]: 09[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
ipsec[11918]: 09[ENC] unknown attribute type (25)
ipsec[11918]: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
ipsec[11918]: 09[CFG] looking for peer configs matching SERVER_IP_HERE[vpn.company.com]...CLIENT_IP_HERE[CLIENT_LOCAL_IP_HERE]
ipsec[11918]: 09[CFG] selected peer config 'ikev2-vpn'
ipsec[11918]: 09[IKE] initiating EAP_IDENTITY method (id 0x00)
charon[11943]: 10[IKE] received retransmit of request with ID 1, retransmitting response
ipsec[11918]: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
ipsec[11918]: 09[IKE] peer supports MOBIKE
ipsec[11918]: 09[IKE] authentication of 'vpn.company.com' (myself) with RSA signature successful
ipsec[11918]: 09[IKE] sending end entity cert "CN=vpn.company.com"
ipsec[11918]: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
ipsec[11918]: 09[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
ipsec[11918]: 10[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
ipsec[11918]: 10[ENC] unknown attribute type (25)
charon[11943]: 10[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
charon[11943]: 11[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 11[ENC] unknown attribute type (25)
charon[11943]: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon[11943]: 11[IKE] received retransmit of request with ID 1, retransmitting response
charon[11943]: 11[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
charon[11943]: 12[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 12[ENC] unknown attribute type (25)
charon[11943]: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon[11943]: 12[IKE] received retransmit of request with ID 1, retransmitting response
charon[11943]: 12[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)

編輯:Mac OS 在啟用碎片後開始工作。不幸的是,Windows 10 最終出現錯誤。從 Windows 10 連接時的伺服器日誌:

charon[12236]: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
charon[12236]: 06[NET] sending packet: from SERVER_IP_HERE[500] to CLIENT_IP_HERE[44742] (320 bytes)
charon[12236]: 09[NET] received packet: from CLIENT_IP_HERE[44743] to SERVER_IP_HERE[4500] (576 bytes)
charon[12236]: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
charon[12236]: 09[ENC] received fragment #1 of 2, waiting for complete IKE message
charon[12236]: 07[NET] received packet: from CLIENT_IP_HERE[44743] to SERVER_IP_HERE[4500] (368 bytes)
charon[12236]: 07[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
charon[12236]: 07[ENC] received fragment #2 of 2, reassembling fragmented IKE message
charon[12236]: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
charon[12236]: 07[IKE] received 27 cert requests for an unknown ca
charon[12236]: 07[CFG] looking for peer configs matching SERVER_IP_HERE[%any]...CLIENT_IP_HERE[CLIENT_LOCAL_IP_HERE]
charon[12236]: 07[CFG] selected peer config 'ikev2-vpn'
charon[12236]: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
charon[12236]: 07[IKE] authentication of 'vpn.autouncle.com' (myself) with RSA signature successful
charon[12236]: 07[IKE] sending end entity cert "CN=vpn.autouncle.com"
charon[12236]: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon[12236]: 07[ENC] splitting IKE message with length of 1740 bytes into 2 fragments
charon[12236]: 07[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
charon[12236]: 07[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
charon[12236]: 07[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44743] (1248 bytes)
charon[12236]: 07[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44743] (560 bytes)

可能是 IP 碎片問題。由於證書的原因,IKE_AUTH響應大於 MTU(1744 字節):

charon[11943]: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon[11943]: 09[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)

所以這會被分成多個 IP 片段。一些路由器會丟棄這些,客戶端可能不會收到完整的數據包。

幸運的是,客戶端支持 IKEv2 分片(FRAG_SUP通知):

charon[11943]: 08[NET] received packet: from CLIENT_IP_HERE[44709] to SERVER_IP_HERE[500] (604 bytes)
charon[11943]: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]

所以請嘗試在伺服器上啟用IKEv2分片,即啟用該fragmentation選項,或者刪除它,因為它預設啟用。

引用自:https://serverfault.com/questions/956674