


"Настройка strongswan, ipsec, ikev2"

"Настройка strongswan, ipsec, ikev2"  +/
Сообщение от ivandog on 02-Ноя-17, 12:11 
Добрый день.
Помогите разобраться с ipsec.

Настраиваю по этому мануалу https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-.../

ОС
Linux ipsec 3.16.0-4-686-pae #1 SMP Debian 3.16.43-2+deb8u5 (2017-09-19) i686 GNU/Linux

версия ipsec
root@ipsec:/etc/ipsec.d# ipsec version
Linux strongSwan U5.2.1/K3.16.0-4-686-pae
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

-------------------------------------------------------------------------------------

конфиг strongswan

root@ipsec:/etc/ipsec.d# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

-------------------------------------------------------------------------------------


конфиг ipsec

root@ipsec:/etc/ipsec.d# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
    # uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    # Body of the defaults section (conn %default); the conn sections below
    # inherit these settings.
    keyexchange=ikev2
    # The trailing '!' makes each list strict: only the proposals listed here
    # are accepted. The lists still contain SHA-1 and modp1024 (1024-bit DH)
    # entries, which are weak by current standards. In the log on this page the
    # Windows 7 client offered only MODP_1024 proposals and
    # AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024 was selected,
    # so the repeated "no acceptable ..." lines are the normal search through
    # this list, not the failure itself.
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    # NOTE(review): rekey=no stops this side from initiating rekeying;
    # confirm that this is intended for the clients in use.
    rekey=no
    left=%any
    # 0.0.0.0/0 offers the whole IPv4 range to clients (full-tunnel setup).
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    # Virtual IP pool from which connecting clients get their address.
    rightsourceip=172.16.16.0/24

# No rightauth is set here, so the strongSwan default (pubkey) applies and the
# client has to authenticate with a certificate.
conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

# Inherits IPSec-IKEv2 via also=, but the client authenticates with a
# username and password (EAP-MSCHAPv2) instead of a certificate.
# Both IKEv2 conns are %any...%any, which matches the two equal-priority
# candidates shown in the log on this page.
conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

# IKEv1 entry: certificate authentication followed by a second XAUTH round.
conn CiscoIPSec
    keyexchange=ikev1
    # forceencaps=yes
    rightauth=pubkey
    rightauth2=xauth
    auto=add


-------------------------------------------------------------------------------------

файл ipsec.secrets


root@ipsec:/etc/ipsec.d# cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created private key
#include /var/lib/strongswan/ipsec.secrets.inc

# Private key of this host; presumably the key belonging to
# leftcert=vpnHostCert.pem in ipsec.conf (confirm against the certificate).
: RSA vpnHostKey.pem
# NOTE(review): the EAP and XAUTH passwords below are stored in plaintext, so
# this file must be readable by root only. The values shown are short,
# guessable and published on this page; treat them as examples and use long
# random passwords in any real deployment.
user1 : EAP "Qwerty123"
user2 : XAUTH "Qwerty_123"

-------------------------------------------------------------------------------------

Сертификаты создал и импортировал в Win7; при подключении система выдаёт ошибку 13806.


Вот лог подключения, не вижу в нем ошибку

Nov  2 04:50:26 ipsec charon: 09[NET] received packet: from 192.168.50.5[500] to 192.168.50.51[500]
Nov  2 04:50:26 ipsec charon: 09[NET] waiting for data on sockets
Nov  2 04:50:26 ipsec charon: 03[NET] received packet: from 192.168.50.5[500] to 192.168.50.51[500] (528 bytes)
Nov  2 04:50:26 ipsec charon: 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov  2 04:50:26 ipsec charon: 03[CFG] looking for an ike config for 192.168.50.51...192.168.50.5
Nov  2 04:50:26 ipsec charon: 03[CFG]   candidate: %any...%any, prio 28
Nov  2 04:50:26 ipsec charon: 03[CFG]   candidate: %any...%any, prio 28
Nov  2 04:50:26 ipsec charon: 03[CFG] found matching ike config: %any...%any with prio 28
Nov  2 04:50:26 ipsec charon: 03[IKE] 192.168.50.5 is initiating an IKE_SA
Nov  2 04:50:26 ipsec charon: 03[IKE] IKE_SA (unnamed)[9] state change: CREATED => CONNECTING
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   proposal matches
Nov  2 04:50:26 ipsec charon: 03[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Nov  2 04:50:26 ipsec charon: 03[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov  2 04:50:26 ipsec charon: 03[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Nov  2 04:50:26 ipsec charon: 03[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Nov  2 04:50:26 ipsec charon: 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov  2 04:50:26 ipsec charon: 03[NET] sending packet: from 192.168.50.51[500] to 192.168.50.5[500] (337 bytes)
Nov  2 04:50:26 ipsec charon: 10[NET] sending packet: from 192.168.50.51[500] to 192.168.50.5[500]
Nov  2 04:50:56 ipsec charon: 02[JOB] deleting half open IKE_SA after timeout
Nov  2 04:50:56 ipsec charon: 02[IKE] IKE_SA (unnamed)[9] state change: CONNECTING => DESTROYING


Подскажите, в каком направлении искать ошибку?



1. "Настройка strongswan, ipsec, ikev2"  +/
Сообщение от PavelR (??) on 02-Ноя-17, 16:37 
Файрволлы все пооткрывал ?

2. "Настройка strongswan, ipsec, ikev2"  +/
Сообщение от ivandog on 03-Ноя-17, 09:58 
> Файрволлы все пооткрывал ?

да, конечно

root@ipsec:/etc/ipsec.d# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

На винде тоже все антивирусы и фаерволлы отключил


3. "Настройка strongswan, ipsec, ikev2"  +/
Сообщение от ACCA (ok) on 08-Ноя-17, 05:58 
> Настраиваю по этому мануалу https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-.../

Когда-то пробился с этим упoротым гусём месяца два.

Linux-Linux работает, а вот Linux-Cisco запустить не удалось, та же байда - "no acceptable ENCRYPTION_ALGORITHM found"

Плюнул, купил за $30 юзаный Cisco PIX 501 и забыл, как кошмарный сон.


4. "Настройка strongswan, ipsec, ikev2"  +/
Сообщение от ivandog on 09-Ноя-17, 09:31 
Да, да, Linux-Linux работает, а с Windows подружить не смог.
Что же видимо не судьба.
Спасибо.



5. "Настройка strongswan, ipsec, ikev2"  +1 +/
Сообщение от PavelR (??) on 09-Ноя-17, 10:21 
> Да, да, Linux-Linux работает, а с Windows подружить не смог.
> Что же видимо не судьба.
> Спасибо.

Вот с таким конфигом у меня подключались Android и Win7:


----------------

/etc/ipsec.conf

# Defaults inherited by the conn sections below.
conn %default
  keyexchange=ikev2
  dpdaction=clear
  dpddelay=35s
  dpdtimeout=300s
  # The trailing '!' makes each list strict: only these proposals are accepted.
  # modp1024 (1024-bit DH), 3DES and SHA-1 are legacy choices, weak by current
  # standards; they are kept for the Windows 7 and Android clients named in the
  # post (the Windows 7 client in the log on this page offered only MODP_1024).
  # Prefer stronger groups and ciphers once every client supports them.
  ike=aes256-sha1-modp1024,3des-sha1-modp1024!
  esp=aes256-sha1,3des-sha1!

# Certificate-authenticated road-warrior connection.
conn ikev2-pubkey-vpn
  # NOTE(review): this overrides keyexchange=ikev2 from %default; per
  # ipsec.conf(5) 'ike' lets the responder accept IKEv1 as well as IKEv2.
  # Set ikev2 here if only IKEv2 clients are expected.
  keyexchange=ike
  auto=add
  type=tunnel
  fragmentation=yes
  # Forces UDP encapsulation of ESP even when no NAT is detected.
  forceencaps=yes

  left=ipsec.domain.tld
  leftcert=ipsec.domain.tld.crt
  # Only these networks are routed through the tunnel (split tunnel);
  # the addresses are presumably placeholders.
  leftsubnet=1.2.3.4/32,3.4.5.6/24,5.6.7.8/25,8.8.8.8/32

  right=%any
  # Clients authenticate with a certificate.
  rightauth=pubkey
  # Virtual IP pool from which connecting clients get their address.
  rightsourceip=192.168.192.0/24
  rightdns=8.8.8.8

# Inherits ikev2-pubkey-vpn via also=, but the client authenticates with
# EAP-TLS; %identity asks the client for its EAP identity.
conn ikev2-eap-tls-vpn
   also="ikev2-pubkey-vpn"
   rightauth=eap-tls
   eap_identity=%identity


----------------

/etc/ipsec.secrets


: RSA ipsec.domain.tld.key

----------------

Документация по настройке винды:

https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config

Там же и по настройке андроида.


Серты генерировались с добавлением расширения 1.3.6.1.5.5.8.2.2

Изменения в файле openssl.conf

...

[ server ]
...
#1.3.6.1.5.5.8.2.2 - ikeIntermediate flag
extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2
...

Это знание было почерпнуто где-то тут:

https://habrahabr.ru/post/250859/
https://github.com/ValdikSS/easy-rsa-ipsec


6. "Настройка strongswan, ipsec, ikev2"  +/
Сообщение от ACCA (ok) on 18-Ноя-17, 13:07 
Ты крут, без под*бов, стукнись на acca(at)cpan.org. Состыкуемся, буду иметь тебя в виду на серьёзные головоломки за серьёзные бабки.

С IPsec я сдался и под такие задачи ставлю tinc. Просто, без затей, и умеет прокалывать firewall.


7. "Настройка strongswan, ipsec, ikev2"  +/
Сообщение от ACCA (ok) on 18-Ноя-17, 13:08 
nuff said
