LINUX.ORG.RU

Strongswan. Can't connect.

Hi all,

I set up a Strongswan VPN on Debian, but I can't connect from the client (a router). Server configs:

iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 10.10.10.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.10.10.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP

ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-8-amd64, x86_64):
  uptime: 78 minutes, since Aug 16 15:37:57 2019

ipsec.conf

include /var/lib/strongswan/ipsec.conf.inc

config setup
        uniqueids=never
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn %default
        keyexchange=ikev2
        ike=aes128gcm16-sha2_256-prfsha256-ecp256!
        esp=aes128gcm16-sha2_256-ecp256!
        fragmentation=yes
        rekey=no
        compress=yes
        dpdaction=clear
        left=%any
        leftauth=pubkey
        leftsourceip=YOUR_LIGHTSAIL_IP
        leftid=YOUR_LIGHTSAIL_IP
        leftcert=debian.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightauth=pubkey
        rightsourceip=10.10.10.0/24
        rightdns=8.8.8.8,8.8.4.4

conn ikev2-pubkey
        auto=add

Client configs:

config setup

        uniqueids=never
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn %default
        keyexchange=ikev2
        ike=aes128gcm16-sha2_256-prfsha256-ecp256!
        esp=aes128gcm16-sha2_256-ecp256!
        fragmentation=yes
        rekey=no
        compress=yes
        dpdaction=clear
        right=%any
        rightauth=pubkey
        rightsourceip=%any
        rightid=%any
        rightcert=me.pem
        rightsendcert=always
        left=%any
        leftauth=pubkey
        rightdns=8.8.8.8,8.8.4.4

conn ikev2-pubkey
        auto=add

ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.0, Linux 3.4.113, mips):
  uptime: 57 minutes, since Aug 16 19:06:16 2019

Client log:

Aug 16 19:06:16 syslog: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux 3.4.113, mips)
Aug 16 19:06:16 syslog: 00[KNL] known interfaces and IP addresses:
Aug 16 19:06:16 syslog: 00[KNL]   lo
Aug 16 19:06:16 syslog: 00[KNL]     127.0.0.1
Aug 16 19:06:16 syslog: 00[KNL]   eth3
Aug 16 19:06:16 syslog: 00[KNL]     inet ip
Aug 16 19:06:16 syslog: 00[KNL]   eth2
Aug 16 19:06:16 syslog: 00[KNL]   ra0
Aug 16 19:06:16 syslog: 00[KNL]   rai0
Aug 16 19:06:16 syslog: 00[KNL]   br0
Aug 16 19:06:16 syslog: 00[KNL]     192.168.1.1
Aug 16 19:06:16 syslog: 00[CFG] loading ca certificates from '/etc/storage/strongswan/ipsec.d/cacerts'
Aug 16 19:06:16 syslog: 00[CFG] loading aa certificates from '/etc/storage/strongswan/ipsec.d/aacerts'
Aug 16 19:06:16 syslog: 00[LIB] opening directory '/etc/storage/strongswan/ipsec.d/aacerts' failed: No such file or directory
Aug 16 19:06:16 syslog: 00[CFG]   reading directory failed
Aug 16 19:06:16 syslog: 00[CFG] loading ocsp signer certificates from '/etc/storage/strongswan/ipsec.d/ocspcerts'
Aug 16 19:06:16 syslog: 00[LIB] opening directory '/etc/storage/strongswan/ipsec.d/ocspcerts' failed: No such file or directory
Aug 16 19:06:16 syslog: 00[CFG]   reading directory failed
Aug 16 19:06:16 syslog: 00[CFG] loading attribute certificates from '/etc/storage/strongswan/ipsec.d/acerts'
Aug 16 19:06:16 syslog: 00[LIB] opening directory '/etc/storage/strongswan/ipsec.d/acerts' failed: No such file or directory
Aug 16 19:06:16 syslog: 00[CFG]   reading directory failed
Aug 16 19:06:16 syslog: 00[CFG] loading crls from '/etc/storage/strongswan/ipsec.d/crls'
Aug 16 19:06:16 syslog: 00[LIB] opening directory '/etc/storage/strongswan/ipsec.d/crls' failed: No such file or directory
Aug 16 19:06:16 syslog: 00[CFG]   reading directory failed
Aug 16 19:06:16 syslog: 00[CFG] loading secrets from '/etc/storage/strongswan/ipsec.secrets'
Aug 16 19:06:16 syslog: 00[LIB]   opening '/etc/storage/strongswan/ipsec.d/private/me.pem' failed: No such file or directory
Aug 16 19:06:16 syslog: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 5 builders
Aug 16 19:06:16 syslog: 00[CFG]   loading private key from '/etc/storage/strongswan/ipsec.d/private/me.pem' failed
Aug 16 19:06:16 syslog: 00[CFG] no threshold configured for systime-fix, disabled
Aug 16 19:06:16 syslog: 00[LIB] loaded plugins: charon nonce x509 pubkey pkcs1 pkcs8 pem openssl curve25519 attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-dynamic eap-tls xauth-generic xauth-eap xauth-noauth dhcp
Aug 16 19:06:16 syslog: 00[JOB] spawning 16 worker threads
Aug 16 19:06:16 syslog: 03[NET] waiting for data on sockets
Aug 16 19:06:16 ipsec_starter[2095]: charon (2096) started after 80 ms
Aug 16 19:06:16 syslog: 05[CFG] received stroke: add connection 'ikev2-pubkey'
Aug 16 19:06:16 syslog: 05[CFG] conn ikev2-pubkey
Aug 16 19:06:16 syslog: 05[CFG]   left=%any
Aug 16 19:06:16 syslog: 05[CFG]   leftauth=pubkey
Aug 16 19:06:16 syslog: 05[CFG]   right=%any
Aug 16 19:06:16 syslog: 05[CFG]   rightsourceip=%any
Aug 16 19:06:16 syslog: 05[CFG]   rightdns=8.8.8.8,8.8.4.4
Aug 16 19:06:16 syslog: 05[CFG]   rightauth=pubkey
Aug 16 19:06:16 syslog: 05[CFG]   rightid=%any
Aug 16 19:06:16 syslog: 05[CFG]   rightcert=me.pem
Aug 16 19:06:16 syslog: 05[CFG]   ike=aes128gcm16-sha2_256-prfsha256-ecp256!
Aug 16 19:06:16 syslog: 05[CFG]   esp=aes128gcm16-sha2_256-ecp256!
Aug 16 19:06:16 syslog: 05[CFG]   dpddelay=30
Aug 16 19:06:16 syslog: 05[CFG]   dpdtimeout=150
Aug 16 19:06:16 syslog: 05[CFG]   dpdaction=1
Aug 16 19:06:16 syslog: 05[CFG]   sha256_96=no
Aug 16 19:06:16 syslog: 05[CFG]   mediation=no
Aug 16 19:06:16 syslog: 05[CFG]   keyexchange=ikev2
Aug 16 19:06:16 syslog: 05[CFG]   loaded certificate "CN=inet ip" from 'me.pem'
Aug 16 19:06:16 syslog: 05[CFG]   id '%any' not confirmed by certificate, defaulting to 'CN=inet ip'
Aug 16 19:06:16 syslog: 05[CFG] added configuration 'ikev2-pubkey'
Aug 16 19:06:21 syslog: 07[CFG] proposing traffic selectors for us:
Aug 16 19:06:21 syslog: 07[CFG]  dynamic
Aug 16 19:06:21 syslog: 07[CFG] proposing traffic selectors for other:
Aug 16 19:06:21 syslog: 07[CFG]  dynamic
Aug 16 19:08:06 syslog: 11[CFG] proposing traffic selectors for us:
Aug 16 19:08:06 syslog: 11[CFG]  dynamic
Aug 16 19:08:06 syslog: 11[CFG] proposing traffic selectors for other:
Aug 16 19:08:06 syslog: 11[CFG]  dynamic
Aug 16 20:03:36 syslog: 06[CFG] proposing traffic selectors for us:
Aug 16 20:03:36 syslog: 06[CFG]  dynamic
Aug 16 20:03:36 syslog: 06[CFG] proposing traffic selectors for other:
Aug 16 20:03:36 syslog: 06[CFG]  dynamic
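An added diagnostic (not the poster's code) that lints the client ipsec.conf and charon log posted above for the things a road-warrior initiator cannot work with: on strongSwan 5.x "left" is always the local host, so a client that sets right=%any has no peer to initiate to and a certificate declared as rightcert is not its own; the log also shows the private key for me.pem failing to load. The sample input is copied from the post; the rule names and messages are this example's own.

```python
# Added diagnostic, not the poster's code: checks a strongSwan client conn and
# charon startup log. Rules: 'left' is the local host, an initiator needs a real
# 'right' address, a client gets its virtual IP via leftsourceip=%config, and
# pubkey auth needs the private key to load.
import re

# Relevant lines copied from the client config and log in the post above.
CLIENT_CONF = """\
conn %default
        right=%any
        rightsourceip=%any
        rightid=%any
        rightcert=me.pem
        left=%any
        leftauth=pubkey
conn ikev2-pubkey
        auto=add
"""
CLIENT_LOG = """\
Aug 16 19:06:16 syslog: 00[LIB]   opening '/etc/storage/strongswan/ipsec.d/private/me.pem' failed: No such file or directory
Aug 16 19:06:16 syslog: 00[CFG]   loading private key from '/etc/storage/strongswan/ipsec.d/private/me.pem' failed
"""

def parse_conns(text):
    """Return {conn: {key: value}} with the %default section folded into each conn."""
    conns, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            k, v = line.strip().split("=", 1)
            cur[k.strip()] = v.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}

def lint_initiator(opts):
    """Findings for a conn that this host (the client) is expected to initiate."""
    found = []
    if opts.get("right", "%any") == "%any":
        found.append("right=%any: no peer address, so the client has nothing to initiate to")
    if "rightcert" in opts and "leftcert" not in opts:
        found.append("rightcert set but leftcert missing: the local cert belongs on 'left'")
    if opts.get("rightsourceip") == "%any":
        found.append("rightsourceip=%any: a client requests its virtual IP with leftsourceip=%config")
    return found

def lint_log(text):
    """Findings from charon startup lines: a private key that did not load."""
    return [f"private key not loaded: {m.group(1)}"
            for m in re.finditer(r"loading private key from '([^']+)' failed", text)]
```

Running `lint_initiator` on the parsed `ikev2-pubkey` conn yields three findings, and `lint_log` on the posted lines reports the missing me.pem key; a conn with a concrete right address, leftcert and leftsourceip=%config produces none.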