weiyu99's recent timeline updates
weiyu99

V2EX member No. 35455, joined 2013-03-07 22:53:19 +08:00
weiyu99's recent replies
2015-01-27 14:14:23 +08:00
Replied to the topic created by thidnh in Q&A: Looking for someone who knows IKEv2 and has a Mac to write an iOS configuration profile
I'll write one for you, give me your email address.
@wzxjohn sorry, I left out a part:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    uniqueids = no
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=6s
    dpdtimeout=5s
    rekey=no
    leftcert=xxxServerCert.pem
    leftsendcert=always
    left=%any
    leftsubnet=0.0.0.0/0
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=192.168.2.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
    [email protected]
    # your server name in cert "server.pem"
    [email protected]
    # define a suffix for user account
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    # define auth type to EAP
    rightsendcert=never
    # do not need client cert
    eap_identity=%any
    # any user can login successfully
@wzxjohn These are the settings in my ipsec.conf:

config setup
    # strictcrlpolicy=yes
    uniqueids = no
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=6s
    rekey=no
    leftcert=xxxServerCert.pem
    leftsendcert=always
    left=%any
    leftsubnet=0.0.0.0/0
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=192.168.2.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
    [email protected]
    # your server name in cert "server.pem"
    [email protected]
    # define a suffix for user account
    auto=add

This is my log file. It's a bit long, so I deleted the earlier parts that probably don't matter:

Sat Jan 24 13:07:32 2015 daemon.info syslog: 16[IKE] remote host is behind NAT
Sat Jan 24 13:07:32 2015 daemon.info syslog: 16[IKE] sending cert request for "C=CH, O=TheBelle, CN=strongSwan Root CA"
Sat Jan 24 13:07:32 2015 daemon.info syslog: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Sat Jan 24 13:07:32 2015 daemon.info syslog: 16[NET] sending packet: from 220.134.xxx.xxx[500] to 116.192.26.218[500] (333 bytes)
Sat Jan 24 13:07:32 2015 daemon.info syslog: 06[NET] sending packet: from 220.134.xxx.xxx[500] to 116.192.26.218[500]
Sat Jan 24 13:07:32 2015 daemon.info syslog: 16[MGR] checkin IKE_SA (unnamed)[2]
Sat Jan 24 13:07:32 2015 daemon.info syslog: 16[MGR] check-in of IKE_SA successful.
Sat Jan 24 13:07:32 2015 daemon.info syslog: 05[NET] received packet: from 116.192.26.218[4500] to 220.134.xxx.xxx[4500]
Sat Jan 24 13:07:32 2015 daemon.info syslog: 05[NET] waiting for data on sockets
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[MGR] checkout IKE_SA by message
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[MGR] IKE_SA (unnamed)[2] successfully checked out
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[NET] received packet: from 116.192.26.218[4500] to 220.134.xxx.xxx[4500] (340 bytes)
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[CFG] looking for peer configs matching 220.134.224.251[xxx.xxx.xxx]...116.192.26.218[[email protected]]
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[CFG] candidate "IPSec-IKEv2", match: 20/20/28 (me/other/ike)
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[CFG] candidate "IPSec-IKEv2-EAP", match: 20/20/28 (me/other/ike)
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[CFG] selected peer config 'IPSec-IKEv2'
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] peer requested EAP, config inacceptable
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[CFG] switching to peer config 'IPSec-IKEv2-EAP'
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] initiating EAP_IDENTITY method (id 0x00)
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] processing INTERNAL_IP4_ADDRESS attribute
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] processing INTERNAL_IP4_DHCP attribute
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] processing INTERNAL_IP4_DNS attribute
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] processing INTERNAL_IP4_NETMASK attribute
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] processing INTERNAL_IP6_ADDRESS attribute
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] processing INTERNAL_IP6_DHCP attribute
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] processing INTERNAL_IP6_DNS attribute
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] authentication of 'xxx.xxx.xxx' (myself) with RSA signature successful
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] sending end entity cert "C=CH, O=TheBelle, CN=220.134.xxx.xxx"
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[NET] sending packet: from 220.134.xxx.xxx[4500] to 116.192.26.218[4500] (1244 bytes)
Sat Jan 24 13:07:32 2015 daemon.info syslog: 06[NET] sending packet: from 220.134.xxx.xxx[4500] to 116.192.26.218[4500]
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[MGR] checkin IKE_SA IPSec-IKEv2-EAP[2]
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[MGR] check-in of IKE_SA successful.
Sat Jan 24 13:08:02 2015 daemon.info syslog: 15[MGR] checkout IKE_SA
Sat Jan 24 13:08:02 2015 daemon.info syslog: 15[MGR] IKE_SA IPSec-IKEv2-EAP[2] successfully checked out
Sat Jan 24 13:08:02 2015 daemon.info syslog: 15[JOB] deleting half open IKE_SA after timeout
Sat Jan 24 13:08:02 2015 daemon.info syslog: 15[MGR] checkin and destroy IKE_SA IPSec-IKEv2-EAP[2]
Sat Jan 24 13:08:02 2015 daemon.info syslog: 15[IKE] IKE_SA IPSec-IKEv2-EAP[2] state change: CONNECTING => DESTROYING
Sat Jan 24 13:08:02 2015 daemon.info syslog: 15[MGR] check-in and destroy of IKE_SA successful

Please help me see where the problem is... thanks!
@wzxjohn
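An added example, not code from any of the posts above: a small Python script that parses charon syslog lines in the format pasted in this reply and reports where the IKE_AUTH exchange stalled. The sample input is a constructed, trimmed copy of the log lines from this reply (addresses redacted exactly as they were there); the function names (`parse_line`, `analyze`) and the diagnostic wording are my own. It tracks the peer-config switch, the server's own authentication, the identity and certificate CN the server presented, the last message the server built, and how long it waited before dropping the half-open IKE_SA.

```python
import re
from datetime import datetime

# Constructed sample input: a trimmed copy of the charon log lines pasted in the
# reply above (addresses redacted exactly as they were in the post).
SAMPLE_LOG = """\
Sat Jan 24 13:07:32 2015 daemon.info syslog: 16[IKE] remote host is behind NAT
Sat Jan 24 13:07:32 2015 daemon.info syslog: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Sat Jan 24 13:07:32 2015 daemon.info syslog: 16[NET] sending packet: from 220.134.xxx.xxx[500] to 116.192.26.218[500] (333 bytes)
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[CFG] selected peer config 'IPSec-IKEv2'
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] peer requested EAP, config inacceptable
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[CFG] switching to peer config 'IPSec-IKEv2-EAP'
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] initiating EAP_IDENTITY method (id 0x00)
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] authentication of 'xxx.xxx.xxx' (myself) with RSA signature successful
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[IKE] sending end entity cert "C=CH, O=TheBelle, CN=220.134.xxx.xxx"
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[NET] sending packet: from 220.134.xxx.xxx[4500] to 116.192.26.218[4500] (1244 bytes)
Sat Jan 24 13:07:32 2015 daemon.info syslog: 13[MGR] checkin IKE_SA IPSec-IKEv2-EAP[2]
Sat Jan 24 13:08:02 2015 daemon.info syslog: 15[JOB] deleting half open IKE_SA after timeout
Sat Jan 24 13:08:02 2015 daemon.info syslog: 15[IKE] IKE_SA IPSec-IKEv2-EAP[2] state change: CONNECTING => DESTROYING
"""

# "<syslog timestamp> daemon.info syslog: <thread>[<GROUP>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \S+ syslog: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
# "generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]" / "parsed ... [ ... ]"
MSG_RE = re.compile(r"(generating|parsed) (\S+ (?:request|response) \d+) \[ (.*) \]$")


def parse_line(line):
    """Split one charon syslog line into timestamp, thread, log group and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec


def analyze(log_text):
    """Walk the log in order and report where the IKE_AUTH exchange stopped."""
    st = {"selected_config": None, "config_switched": False,
          "server_auth_ok": False, "server_identity": None, "cert_cn": None,
          "last_received": None, "last_generated": None, "last_payloads": [],
          "last_sent_at": None, "timeout_at": None, "destroyed_sa": None}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        msg, ts = ev["msg"], ev["ts"]
        if m := re.match(r"selected peer config '([^']+)'", msg):
            st["selected_config"] = m.group(1)
        elif m := re.match(r"switching to peer config '([^']+)'", msg):
            st["selected_config"], st["config_switched"] = m.group(1), True
        elif m := re.match(r"authentication of '([^']+)' \(myself\) with .* successful", msg):
            st["server_auth_ok"], st["server_identity"] = True, m.group(1)
        elif m := re.match(r'sending end entity cert "(.*)"', msg):
            cn = re.search(r"CN=([^,]+)", m.group(1))
            st["cert_cn"] = cn.group(1) if cn else None
        elif m := MSG_RE.match(msg):
            if m.group(1) == "parsed":
                st["last_received"] = m.group(2)
            else:
                st["last_generated"], st["last_payloads"] = m.group(2), m.group(3).split()
        elif re.match(r"sending packet: .* \(\d+ bytes\)", msg):
            st["last_sent_at"] = ts          # the line with a byte count is the real send
        elif "deleting half open IKE_SA after timeout" in msg:
            st["timeout_at"] = ts
        elif m := re.match(r"IKE_SA (\S+) state change: CONNECTING => DESTROYING", msg):
            st["destroyed_sa"] = m.group(1)
    return _diagnose(st)


def _diagnose(st):
    """Turn the collected state into human-readable findings."""
    findings = []
    ids_match = None
    if st["server_identity"] and st["cert_cn"]:
        ids_match = st["server_identity"] == st["cert_cn"]
    seconds = None
    if st["timeout_at"] and st["last_sent_at"]:
        seconds = (st["timeout_at"] - st["last_sent_at"]).total_seconds()
    if st["timeout_at"] is None:
        findings.append("no half-open IKE_SA timeout in this log")
    else:
        wait = f"{seconds:.0f}s" if seconds is not None else "an unknown time"
        findings.append(f"IKE_SA {st['destroyed_sa']} dropped as half-open; last message built "
                        f"by the server was {st['last_generated']} "
                        f"[{' '.join(st['last_payloads'])}], no reply within {wait}")
        if "EAP/REQ/ID" in st["last_payloads"]:
            findings.append("server-side certificate authentication completed and an EAP "
                            "Identity request went out; the client never answered, so the "
                            "stall is on the client's side of the EAP exchange")
        if ids_match is False:
            findings.append(f"server identity {st['server_identity']!r} is not the CN of the "
                            f"certificate sent ({st['cert_cn']!r}); IKEv2 clients commonly "
                            "abandon the exchange silently when IDr is not in the certificate")
    st.update(identity_matches_cert=ids_match, seconds_waiting=seconds, findings=findings)
    return st


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Run against the sample it reports that the server's own RSA authentication succeeded, that the last message it built was the IKE_AUTH response carrying the EAP Identity request, and that nothing came back in the 30 seconds before the half-open SA was deleted; it also flags that the identity the server authenticated as differs from the CN of the certificate it sent, which is something to check on the client side before looking at the EAP-MSCHAPv2 settings.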

Sat Jan 24 11:22:39 2015 daemon.info syslog: 07[IKE] authentication of '220.134.xxx.xxx' (myself) with RSA signature successful

This log line means the server authenticated successfully, right?
@wzxjohn

Sat Jan 24 11:22:39 2015 daemon.info syslog: 07[IKE] authentication of '220.134.xxx.xxx' (myself) with RSA signature successful
Sat Jan 24 11:22:39 2015 daemon.info syslog: 07[IKE] sending end entity cert "C=CH, O=TheBelle, CN=220.134.xxx.xxx"
Sat Jan 24 11:22:39 2015 daemon.info syslog: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Sat Jan 24 11:22:39 2015 daemon.info syslog: 07[NET] sending packet: from 220.134.xxx.xxx[4500] to 116.192.26.218[1025] (1228 bytes)
Sat Jan 24 11:22:39 2015 daemon.info syslog: 09[NET] sending packet: from 220.134.xxx.xx[4500] to 116.192.26.218[1025]
Sat Jan 24 11:22:39 2015 daemon.info syslog: 07[MGR] checkin IKE_SA IPSec-IKEv2-EAP[1]
Sat Jan 24 11:22:39 2015 daemon.info syslog: 07[MGR] check-in of IKE_SA successful.
Sat Jan 24 11:23:09 2015 daemon.info syslog: 13[MGR] checkout IKE_SA
Sat Jan 24 11:23:09 2015 daemon.info syslog: 13[MGR] IKE_SA IPSec-IKEv2-EAP[1] successfully checked out
Sat Jan 24 11:23:09 2015 daemon.info syslog: 13[JOB] deleting half open IKE_SA after timeout
Sat Jan 24 11:23:09 2015 daemon.info syslog: 13[MGR] checkin and destroy IKE_SA IPSec-IKEv2-EAP[1]
Sat Jan 24 11:23:09 2015 daemon.info syslog: 13[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: CONNECTING => DESTROYING
Sat Jan 24 11:23:09 2015 daemon.info syslog: 13[MGR] check-in and destroy of IKE_SA successful
@Caixiaopig Could you send me the IKEv2 part of your working ipsec.conf for reference? Following the OP's tutorial, it just stops after the server-side authentication passes....