forum.opennet.ru - "Настройка strongswan, ipsec, ikev2" (7)

"Настройка strongswan, ipsec, ikev2"

Форум Открытые системы на сервере (VPN / Linux)
Вариант для распечатки		Пред. тема \| След. тема
Изначальное сообщение		[ Отслеживать ]

"Настройка strongswan, ipsec, ikev2"	+/–
Сообщение от ivandog on 02-Ноя-17, 12:11
Добрый день. Помогите разобраться с ipsec. Настраиваю по этому мануалу https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-.../ ОС Linux ipsec 3.16.0-4-686-pae #1 SMP Debian 3.16.43-2+deb8u5 (2017-09-19) i686 GNU/Linux версия ipsec root@ipsec:/etc/ipsec.d# ipsec version Linux strongSwan U5.2.1/K3.16.0-4-686-pae Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil, Switzerland See 'ipsec --copyright' for copyright information. ------------------------------------------------------------------------------------- конфиг strongswan root@ipsec:/etc/ipsec.d# cat /etc/strongswan.conf # strongswan.conf - strongSwan configuration file # # Refer to the strongswan.conf(5) manpage for details # # Configuration changes should be made in the included files charon { load_modular = yes plugins { include strongswan.d/charon/.conf } } include strongswan.d/.conf ------------------------------------------------------------------------------------- конфиг ipsec root@ipsec:/etc/ipsec.d# cat /etc/ipsec.conf # ipsec.conf - strongSwan IPsec configuration file config setup # uniqueids=never charondebug="cfg 2, dmn 2, ike 2, net 2" conn чfault keyexchange=ikev2 ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024! esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1! dpdaction=clear dpddelay=300s rekey=no left=%any leftsubnet=0.0.0.0/0 leftcert=vpnHostCert.pem right=%any rightdns=8.8.8.8,8.8.4.4 rightsourceip=172.16.16.0/24 conn IPSec-IKEv2 keyexchange=ikev2 auto=add conn IPSec-IKEv2-EAP also="IPSec-IKEv2" rightauth=eap-mschapv2 rightsendcert=never eap_identity=%any conn CiscoIPSec keyexchange=ikev1 # forceencaps=yes rightauth=pubkey rightauth2=xauth auto=add ------------------------------------------------------------------------------------- файл ipsec.secrets root@ipsec:/etc/ipsec.d# cat /etc/ipsec.secrets # This file holds shared secrets or RSA private keys for authentication. # RSA private key for this host, authenticating it to any other host # which knows the public part. # this file is managed with debconf and will contain the automatically created private key #include /var/lib/strongswan/ipsec.secrets.inc : RSA vpnHostKey.pem user1 : EAP "Qwerty123" user2 : XAUTH "Qwerty_123" ------------------------------------------------------------------------------------- Сертификаты создал и импортировал в win7, когда подключаюсь система выдает ошибку 13806 Вот лог подключения, не вижу в нем ошибку Nov 2 04:50:26 ipsec charon: 09[NET] received packet: from 192.168.50.5[500] to 192.168.50.51[500] Nov 2 04:50:26 ipsec charon: 09[NET] waiting for data on sockets Nov 2 04:50:26 ipsec charon: 03[NET] received packet: from 192.168.50.5[500] to 192.168.50.51[500] (528 bytes) Nov 2 04:50:26 ipsec charon: 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] Nov 2 04:50:26 ipsec charon: 03[CFG] looking for an ike config for 192.168.50.51...192.168.50.5 Nov 2 04:50:26 ipsec charon: 03[CFG] candidate: %any...%any, prio 28 Nov 2 04:50:26 ipsec charon: 03[CFG] candidate: %any...%any, prio 28 Nov 2 04:50:26 ipsec charon: 03[CFG] found matching ike config: %any...%any with prio 28 Nov 2 04:50:26 ipsec charon: 03[IKE] 192.168.50.5 is initiating an IKE_SA Nov 2 04:50:26 ipsec charon: 03[IKE] IKE_SA (unnamed)[9] state change: CREATED => CONNECTING Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable DIFFIE_HELLMAN_GROUP found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable DIFFIE_HELLMAN_GROUP found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable DIFFIE_HELLMAN_GROUP found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable DIFFIE_HELLMAN_GROUP found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable DIFFIE_HELLMAN_GROUP found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable DIFFIE_HELLMAN_GROUP found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable DIFFIE_HELLMAN_GROUP found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable DIFFIE_HELLMAN_GROUP found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable DIFFIE_HELLMAN_GROUP found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable DIFFIE_HELLMAN_GROUP found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] no acceptable ENCRYPTION_ALGORITHM found Nov 2 04:50:26 ipsec charon: 03[CFG] selecting proposal: Nov 2 04:50:26 ipsec charon: 03[CFG] proposal matches Nov 2 04:50:26 ipsec charon: 03[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024 Nov 2 04:50:26 ipsec charon: 03[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Nov 2 04:50:26 ipsec charon: 03[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024 Nov 2 04:50:26 ipsec charon: 03[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA" Nov 2 04:50:26 ipsec charon: 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] Nov 2 04:50:26 ipsec charon: 03[NET] sending packet: from 192.168.50.51[500] to 192.168.50.5[500] (337 bytes) Nov 2 04:50:26 ipsec charon: 10[NET] sending packet: from 192.168.50.51[500] to 192.168.50.5[500] Nov 2 04:50:56 ipsec charon: 02[JOB] deleting half open IKE_SA after timeout Nov 2 04:50:56 ipsec charon: 02[IKE] IKE_SA (unnamed)[9] state change: CONNECTING => DESTROYING Подскажите, в каком направлении искать ошибку?
Ответить \| Правка \| Cообщить модератору

Оглавление

Настройка strongswan, ipsec, ikev2, PavelR, 16:37 , 02-Ноя-17, (1)

Настройка strongswan, ipsec, ikev2, ivandog, 09:58 , 03-Ноя-17, (2)

Настройка strongswan, ipsec, ikev2, ACCA, 05:58 , 08-Ноя-17, (3)

Настройка strongswan, ipsec, ikev2, ivandog, 09:31 , 09-Ноя-17, (4)

Настройка strongswan, ipsec, ikev2, PavelR, 10:21 , 09-Ноя-17, (5) +1

Настройка strongswan, ipsec, ikev2, ACCA, 13:07 , 18-Ноя-17, (6)

Настройка strongswan, ipsec, ikev2, ACCA, 13:08 , 18-Ноя-17, (7)

Сообщения по теме [Сортировка по времени | RSS]

1. "Настройка strongswan, ipsec, ikev2" +/–

Сообщение от PavelR (??) on 02-Ноя-17, 16:37

Файрволлы все пооткрывал ?

Ответить | Правка | ^ к родителю #0 | Наверх | Cообщить модератору

2. "Настройка strongswan, ipsec, ikev2" +/–

Сообщение от ivandog on 03-Ноя-17, 09:58

> Файрволлы все пооткрывал ?
да, конечно
root@ipsec:/etc/ipsec.d# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
На винде тоже все антивирусы и фаерволлы отключил

Ответить | Правка | ^ к родителю #1 | Наверх | Cообщить модератору

3. "Настройка strongswan, ipsec, ikev2" +/–

Сообщение от ACCA (ok) on 08-Ноя-17, 05:58

> Настраиваю по этому мануалу https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-.../
Когда-то пробился с этим упoротым гусём месяца два.
Linux-Linux работает, а вот Linux-Cisco запустить не удалось, та же байда - "no acceptable ENCRYPTION_ALGORITHM found"
Плюнул, купил за $30 юзаный Cisco PIX 501 и забыл, как кошмарный сон.

Ответить | Правка | ^ к родителю #0 | Наверх | Cообщить модератору

4. "Настройка strongswan, ipsec, ikev2" +/–

Сообщение от ivandog on 09-Ноя-17, 09:31

Да, да, Linux-Linux работает, а с Windows подружить не смог.
Что же видимо не судьба.
Спасибо.

Ответить | Правка | ^ к родителю #3 | Наверх | Cообщить модератору

5. "Настройка strongswan, ipsec, ikev2" +1 +/–

Сообщение от PavelR (??) on 09-Ноя-17, 10:21

> Да, да, Linux-Linux работает, а с Windows подружить не смог.
> Что же видимо не судьба.
> Спасибо.
Вот с таким конфигом у меня подключался Android и Win7

----------------
/etc/ipsec.conf
conn %default
  keyexchange=ikev2
  dpdaction=clear
  dpddelay=35s
  dpdtimeout=300s
  ike=aes256-sha1-modp1024,3des-sha1-modp1024!
  esp=aes256-sha1,3des-sha1!
conn ikev2-pubkey-vpn
  keyexchange=ike
  auto=add
  type=tunnel
  fragmentation=yes
  forceencaps=yes
  left=ipsec.domain.tld
  leftcert=ipsec.domain.tld.crt
  leftsubnet=1.2.3.4/32,3.4.5.6/24,5.6.7.8/25,8.8.8.8/32
  right=%any
  rightauth=pubkey
  rightsourceip=192.168.192.0/24
  rightdns=8.8.8.8
conn ikev2-eap-tls-vpn
   also="ikev2-pubkey-vpn"
   rightauth=eap-tls
   eap_identity=%identity

----------------
/etc/ipsec.secrets

: RSA ipsec.domain.tld.key
----------------
Документация по настройке винды:
https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
Там же и по настройке андроида.

Серты генерировались с добавлением расширения 1.3.6.1.5.5.8.2.2
Изменения в файле openssl.conf
...
[ server ]
...
#1.3.6.1.5.5.8.2.2 - ikeIntermediate flag
extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2
...
Это знание было почерпнуто где-то тут:
https://habrahabr.ru/post/250859/
https://github.com/ValdikSS/easy-rsa-ipsec

Ответить | Правка | ^ к родителю #4 | Наверх | Cообщить модератору

6. "Настройка strongswan, ipsec, ikev2" +/–

Сообщение от ACCA (ok) on 18-Ноя-17, 13:07

Ты крут, без под*бов, стукнись на acca(at)cpan.org. Состыкуемся, буду иметь тебя в виду на серьёзные головоломки за серьёзные бабки.
С IPsec я сдался и под такие задачи ставлю tinc. Просто, без затей, и умеет прокалывать firewall.

Ответить | Правка | ^ к родителю #5 | Наверх | Cообщить модератору

7. "Настройка strongswan, ipsec, ikev2" +/–

Сообщение от ACCA (ok) on 18-Ноя-17, 13:08

nuff said

Ответить | Правка | ^ к родителю #6 | Наверх | Cообщить модератору

Архив | Удалить

Рекомендовать для помещения в FAQ | Индекс форумов | Темы | Пред. тема | След. тема

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру

1. "Настройка strongswan, ipsec, ikev2"	+/–
Сообщение от PavelR (??) on 02-Ноя-17, 16:37
Файрволлы все пооткрывал ?
Ответить \| Правка \| ^ к родителю #0 \| Наверх \| Cообщить модератору


	2. "Настройка strongswan, ipsec, ikev2"	+/–
	Сообщение от ivandog on 03-Ноя-17, 09:58
	> Файрволлы все пооткрывал ? да, конечно root@ipsec:/etc/ipsec.d# iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination На винде тоже все антивирусы и фаерволлы отключил
	Ответить \| Правка \| ^ к родителю #1 \| Наверх \| Cообщить модератору

3. "Настройка strongswan, ipsec, ikev2"	+/–
Сообщение от ACCA (ok) on 08-Ноя-17, 05:58
> Настраиваю по этому мануалу https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-.../ Когда-то пробился с этим упoротым гусём месяца два. Linux-Linux работает, а вот Linux-Cisco запустить не удалось, та же байда - "no acceptable ENCRYPTION_ALGORITHM found" Плюнул, купил за $30 юзаный Cisco PIX 501 и забыл, как кошмарный сон.
Ответить \| Правка \| ^ к родителю #0 \| Наверх \| Cообщить модератору


	4. "Настройка strongswan, ipsec, ikev2"	+/–
	Сообщение от ivandog on 09-Ноя-17, 09:31
	Да, да, Linux-Linux работает, а с Windows подружить не смог. Что же видимо не судьба. Спасибо.
	Ответить \| Правка \| ^ к родителю #3 \| Наверх \| Cообщить модератору


	5. "Настройка strongswan, ipsec, ikev2"	+1 +/–
	Сообщение от PavelR (??) on 09-Ноя-17, 10:21
	> Да, да, Linux-Linux работает, а с Windows подружить не смог. > Что же видимо не судьба. > Спасибо. Вот с таким конфигом у меня подключался Android и Win7 ---------------- /etc/ipsec.conf conn %default keyexchange=ikev2 dpdaction=clear dpddelay=35s dpdtimeout=300s ike=aes256-sha1-modp1024,3des-sha1-modp1024! esp=aes256-sha1,3des-sha1! conn ikev2-pubkey-vpn keyexchange=ike auto=add type=tunnel fragmentation=yes forceencaps=yes left=ipsec.domain.tld leftcert=ipsec.domain.tld.crt leftsubnet=1.2.3.4/32,3.4.5.6/24,5.6.7.8/25,8.8.8.8/32 right=%any rightauth=pubkey rightsourceip=192.168.192.0/24 rightdns=8.8.8.8 conn ikev2-eap-tls-vpn also="ikev2-pubkey-vpn" rightauth=eap-tls eap_identity=%identity ---------------- /etc/ipsec.secrets : RSA ipsec.domain.tld.key ---------------- Документация по настройке винды: https://wiki.strongswan.org/projects/strongswan/wiki/Windows7 https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config Там же и по настройке андроида. Серты генерировались с добавлением расширения 1.3.6.1.5.5.8.2.2 Изменения в файле openssl.conf ... [ server ] ... #1.3.6.1.5.5.8.2.2 - ikeIntermediate flag extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2 ... Это знание было почерпнуто где-то тут: https://habrahabr.ru/post/250859/ https://github.com/ValdikSS/easy-rsa-ipsec
	Ответить \| Правка \| ^ к родителю #4 \| Наверх \| Cообщить модератору


	6. "Настройка strongswan, ipsec, ikev2"	+/–
	Сообщение от ACCA (ok) on 18-Ноя-17, 13:07
	Ты крут, без под*бов, стукнись на acca(at)cpan.org. Состыкуемся, буду иметь тебя в виду на серьёзные головоломки за серьёзные бабки. С IPsec я сдался и под такие задачи ставлю tinc. Просто, без затей, и умеет прокалывать firewall.
	Ответить \| Правка \| ^ к родителю #5 \| Наверх \| Cообщить модератору


	7. "Настройка strongswan, ipsec, ikev2"	+/–
	Сообщение от ACCA (ok) on 18-Ноя-17, 13:08
	nuff said
	Ответить \| Правка \| ^ к родителю #6 \| Наверх \| Cообщить модератору