
CentOS7 上连接 strongswan 的故障

  •   yisuo · 2019-12-24 00:06:47 +08:00 · 1307 次点击
    大佬们您好,我在 CentOS7 上用 strongswan 客户端连接服务端时,IKE 认证通过并分配到 IP 地址后,日志提示 no CHILD_SA built / failed to establish CHILD_SA,连接失败;安卓和 Windows 客户端连接同一服务端均正常。

    服务端版本 5.6.2,Centos 端版本是 5.6.2,这是配置文件 http://popcn.net/ipsec.conf


    ====================服务端配置============================


    # ipsec.conf - strongSwan IPsec configuration file

    # basic configuration

    # Global daemon settings for the server side.
    config setup
    # strictcrlpolicy=yes
    # cachecrls=yes
    # uniqueids=never lets the same identity hold several IKE_SAs at once instead of
    # replacing the old one. Convenient for multi-device users, but note it also means a
    # leaked EAP password can be used concurrently without anyone being kicked off.
    uniqueids=never

    # Add connections here.

    # Settings inherited by every conn section below.
    conn %default
    # IKE_SA lifetime. keylife (CHILD_SA lifetime) is set longer than ikelifetime,
    # which is the reverse of the usual arrangement (IKE_SA outlives its CHILD_SAs);
    # NOTE(review): with rekey=no in conn ikev2 the SA is expected to be deleted at
    # expiry rather than re-keyed - confirm this is the intended behaviour.
    ikelifetime=60m
    keylife=120m
    rekeymargin=3m
    # Give up after a single IKE attempt; reconnection is left to the client.
    keyingtries=1
    # authby=psk/secret

    # Road-warrior IKEv2 connection: server authenticates with a certificate,
    # clients with EAP-MSCHAPv2 (username/password from ipsec.secrets).
    conn ikev2
    keyexchange=ikev2
    # Proposal lists end with "!" so only these exact combinations are accepted.
    # 3des-sha1 and aes256-sha1 are legacy entries; aes256-sha256 is the first
    # choice and Android/Windows are reported to negotiate fine, so the weaker
    # fallbacks can likely be dropped once it is confirmed no client needs them.
    ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
    esp=aes256-sha256,3des-sha1,aes256-sha1!

    type=tunnel
    # The responder does not initiate re-keying; see keylife/ikelifetime in %default.
    rekey=no
    leftfirewall=no
    left=%defaultroute
    # Full-tunnel: offer both an IPv4 and an IPv6 default route to clients.
    leftsubnet=0.0.0.0/0,::/0
    # Custom updown script, executed by charon (normally as root) on every SA
    # up/down event; keep it root-owned and non-writable by other users.
    leftupdown=/usr/local/etc/strongswan.d/proxyndp.updown
    # Placeholder: the public address of this host. Must match what the client
    # sets as rightid and should appear in the server certificate's SAN.
    leftid=本地对外地址
    leftauth=pubkey
    leftcert=server.cert.pem
    leftsendcert=ifasked

    right=%any
    # Virtual IPv4 pool handed to clients. Note the trailing comma: if the parser
    # treats it as an empty second pool this may be rejected - worth removing.
    # Only an IPv4 pool is defined although leftsubnet also offers ::/0.
    rightsourceip=10.10.8.0/24,
    rightdns=8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844

    # rightsubnet=0.0.0.0/0,::/0
    # rightcert=client.cert.pem
    # rightsendcert=never
    # Password authentication inside the IKE_SA. Its safety relies on the client
    # actually verifying the server certificate (rightauth=pubkey + trusted CA);
    # a client that skips that check can be tricked into sending its MSCHAPv2
    # response to an impostor.
    rightauth=eap-mschapv2
    # Accept any EAP identity; the username must still exist in ipsec.secrets.
    eap_identity=%any

    # Dead peer detection: just remove the SA when the client disappears.
    dpdaction=clear
    fragmentation=yes
    # IPComp compression is proposed for the CHILD_SA. It needs kernel support on
    # both ends; NOTE(review): if the CentOS client's kernel lacks it this is one
    # candidate for the "no CHILD_SA built" error - check the charon log.
    compress=yes

    # Load the connection and wait for incoming clients (do not initiate).
    auto=add



    # Restart the daemon, bring the connection up and dump the status.
    # NOTE: `linux-client` is the conn name from the client config below, so these
    # commands belong on the client host; on the server the conn is named `ikev2`
    # and, with auto=add, only waits for incoming connections.
    strongswan restart
    strongswan up linux-client
    # Look for the exact CHILD_SA failure in this output / the charon log
    # (e.g. TS_UNACCEPTABLE, NO_PROPOSAL_CHOSEN or a kernel/IPComp error)
    # before changing the configuration.
    strongswan statusall


    ====================客户端配置============================


    # Global daemon settings for the CentOS client.
    config setup
    # strictcrlpolicy=yes
    # Allow multiple IKE_SAs for the same identity (same trade-off as on the server).
    uniqueids =never

    # Empty %default section - nothing is inherited; harmless but can be removed.
    conn %default
    # Client side of the IKEv2 road-warrior tunnel: verifies the server certificate,
    # authenticates itself with EAP-MSCHAPv2 and requests a virtual IP.
    conn linux-client
    keyexchange=ikev2
    rekey=no
    # Same strict ("!") proposal lists as the server; they must intersect or the
    # CHILD_SA fails with NO_PROPOSAL_CHOSEN. 3des/sha1 entries are legacy.
    ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
    esp=aes256-sha256,3des-sha1,aes256-sha1!

    # Placeholder: server address. The "@" form sends an FQDN-type identity; the
    # server's leftid is an address, and the two must match (or the server cert's
    # SAN must contain this value) for rightauth=pubkey to succeed.
    right=对端地址
    rightid=@对端地址
    # Requests both IPv4 and IPv6 default routes while the server only assigns an
    # IPv4 virtual IP. NOTE(review): an unsatisfiable traffic selector is another
    # candidate for "no CHILD_SA built" - try 0.0.0.0/0 alone to isolate it.
    rightsubnet=0.0.0.0/0,::/0
    # Server must present a certificate chaining to a CA in the client's cacerts
    # directory; this is what protects the EAP password below from an impostor.
    rightauth=pubkey

    left=%any
    # Ask the server for a virtual IP (from its rightsourceip pool).
    leftsourceip=%config
    # NOTE(review): this is the *server's* certificate and is not used for EAP
    # client auth; it does not establish trust in the server either - that comes
    # from the CA certificate. Likely leftover and safe to remove - confirm.
    leftcert=server.cert.pem
    leftsendcert=ifasked
    # Username/password auth; "user" must have an EAP secret on the server.
    leftauth=eap-mschapv2
    eap_identity=user

    type=tunnel
    # Load only; the tunnel is started manually with `strongswan up linux-client`.
    auto=add
    1 条回复    2019-12-24 11:48:15 +08:00
    yisuo  
       2019-12-24 11:48:15 +08:00 via Android
    大佬,给个诊断证明么