A few days ago ss was almost unusable, and the L2TP I had set up earlier didn't work over either my home Wi-Fi or my phone's 4G, so I figured it was time to redo it, and that's when I found strongswan. I used
the one-click script from https://quericy.me/blog/699/ ( https://raw.githubusercontent.com/quericy/one-key-ikev2-vpn/master/one-key-ikev2.sh ).
The installation went smoothly.
Later, while hardening the server, I can't remember what I changed, but in short IKEv2, which worked at first (phone 4G + Wi-Fi, PC Win7), stopped working entirely.
Today I simply reinstalled, hardening first and then installing strongswan (same installation procedure as yesterday, same configuration except for the certificate), but testing kept running into problems.
IKEv2: phone 4G + Wi-Fi doesn't work, Win7 works.
Since the problem is on the iOS side, I can only look at the logs on the server; I pulled out the problem log lines and, surprisingly, couldn't find anything on Google.
After trying all kinds of fixes without success, I switched to the certificate generated yesterday and found: IKEv2: phone 4G doesn't work, phone Wi-Fi + PC Win7 work.
Now this is interesting. The successful and failed logs are below. Just focus on the failed one, starting from the line "14[LIB] MAC verification failed".
Note: I'm a China Telecom 4G user.
Tested with a colleague's China Mobile 4G, and IKEv2 over phone 4G works fine.
Successful log
13[NET] received packet: from 手机 wifi_IP[500] to VPS_IP[500] (604 bytes)
13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
13[IKE] 手机 wifi_IP is initiating an IKE_SA
13[IKE] remote host is behind NAT
13[IKE] sending cert request for "C=com, O=vpn, CN=V CA"
13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
13[NET] sending packet: from VPS_IP[500] to 手机 wifi_IP[500] (473 bytes)
14[NET] received packet: from 手机 wifi_IP[4500] to VPS_IP[4500] (496 bytes)
14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
14[CFG] looking for peer configs matching VPS_IP[VPS_IP]...手机 wifi_IP[192.168.1.77]
14[CFG] selected peer config 'ios_ikev2'
14[IKE] initiating EAP_IDENTITY method (id 0x00)
14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
14[IKE] peer supports MOBIKE
14[IKE] authentication of 'VPS_IP' (myself) with RSA signature successful
14[IKE] sending end entity cert "C=com, O=vpn, CN=VPS_IP"
14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
14[NET] sending packet: from VPS_IP[4500] to 手机 wifi_IP[4500] (1200 bytes)
14[NET] received packet: from 手机 wifi_IP[4500] to VPS_IP[4500] (80 bytes)
14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
14[IKE] received EAP identity 'testuser'
14[IKE] initiating EAP_MSCHAPV2 method (id 0xCC)
14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
14[NET] sending packet: from VPS_IP[4500] to 手机 wifi_IP[4500] (112 bytes)
13[NET] received packet: from 手机 wifi_IP[4500] to VPS_IP[4500] (80 bytes)
13[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
13[IKE] received retransmit of request with ID 2, retransmitting response
13[NET] sending packet: from VPS_IP[4500] to 手机 wifi_IP[4500] (112 bytes)
15[NET] received packet: from 手机 wifi_IP[4500] to VPS_IP[4500] (80 bytes)
15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
15[IKE] received retransmit of request with ID 2, retransmitting response
15[NET] sending packet: from VPS_IP[4500] to 手机 wifi_IP[4500] (112 bytes)
10[NET] received packet: from 手机 wifi_IP[4500] to VPS_IP[4500] (144 bytes)
10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
10[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
10[NET] sending packet: from VPS_IP[4500] to 手机 wifi_IP[4500] (144 bytes)
15[NET] received packet: from 手机 wifi_IP[4500] to VPS_IP[4500] (80 bytes)
15[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
15[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
15[NET] sending packet: from VPS_IP[4500] to 手机 wifi_IP[4500] (80 bytes)
14[NET] received packet: from 手机 wifi_IP[4500] to VPS_IP[4500] (112 bytes)
14[ENC] parsed IKE_AUTH request 5 [ AUTH ]
14[IKE] authentication of '192.168.1.77' with EAP successful
14[IKE] authentication of 'VPS_IP' (myself) with EAP
14[IKE] IKE_SA ios_ikev2[1] established between VPS_IP[VPS_IP]...手机 wifi_IP[192.168.1.77]
14[IKE] peer requested virtual IP %any
14[CFG] assigning new lease to 'testuser'
14[IKE] assigning virtual IP 10.31.2.1 to peer 'testuser'
14[IKE] peer requested virtual IP %any6
14[IKE] no virtual IP found for %any6 requested by 'testuser'
14[IKE] CHILD_SA ios_ikev2{1} established with SPIs 88888888_i 88888888_o and TS 0.0.0.0/0 === 10.31.2.1/32
14[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS NBNS DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
14[NET] sending packet: from VPS_IP[4500] to 手机 wifi_IP[4500] (272 bytes)
Failed log
12[NET] received packet: from 手机 4G_IP[22048] to VPS_IP[500] (604 bytes)
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
12[IKE] 手机 4G_IP is initiating an IKE_SA
12[IKE] remote host is behind NAT
12[IKE] sending cert request for "C=com, O=vpn, CN=V CA"
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
12[NET] sending packet: from VPS_IP[500] to 手机 4G_IP[22048] (473 bytes)
14[NET] received packet: from 手机 4G_IP[22049] to VPS_IP[4500] (496 bytes)
14[LIB] MAC verification failed
14[ENC] verifying encrypted payload integrity failed
14[ENC] could not decrypt payloads
14[IKE] integrity check failed
14[IKE] IKE_AUTH request with message ID 1 processing failed
13[NET] received packet: from 手机 4G_IP[22049] to VPS_IP[4500] (496 bytes)
13[LIB] MAC verification failed
13[ENC] verifying encrypted payload integrity failed
13[ENC] could not decrypt payloads
13[IKE] integrity check failed
13[IKE] IKE_AUTH request with message ID 1 processing failed
12[NET] received packet: from 手机 4G_IP[22049] to VPS_IP[4500] (496 bytes)
12[LIB] MAC verification failed
12[ENC] verifying encrypted payload integrity failed
12[ENC] could not decrypt payloads
12[IKE] integrity check failed
12[IKE] IKE_AUTH request with message ID 1 processing failed
16[NET] received packet: from 手机 4G_IP[22049] to VPS_IP[4500] (496 bytes)
16[LIB] MAC verification failed
16[ENC] verifying encrypted payload integrity failed
16[ENC] could not decrypt payloads
16[IKE] integrity check failed
16[IKE] IKE_AUTH request with message ID 1 processing failed
12[JOB] deleting half open IKE_SA after timeout
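To triage charon logs like the two above, here is an added example (not code from the original post or from strongSwan) that attributes "integrity check failed" lines to the peer whose packet the same worker thread received, and reports the source ports seen for IKE_SA_INIT (UDP 500) and IKE_AUTH (UDP 4500). The sample log is constructed in the shape of the post's lines, with the post's IP placeholders kept; the port-rewrite note is a hint for the reader, not a root-cause claim.

```python
"""Triage strongSwan charon logs: per-peer IKE_AUTH integrity failures.
Added example, not code from the original post. A log line is attributed to the
peer whose packet the same worker thread (the "14" in "14[LIB]") last received."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^\s*(\d+)\[\w+\] (.*)$")
RECV_RE = re.compile(r"received packet: from (.+?)\[(\d+)\] to .+?\[(\d+)\] \((\d+) bytes\)")
# Constructed sample in the shape of the post's logs (placeholders kept as in the post).
SAMPLE_LOG = """\
12[NET] received packet: from 手机 4G_IP[22048] to VPS_IP[500] (604 bytes)
13[NET] received packet: from 手机 wifi_IP[500] to VPS_IP[500] (604 bytes)
12[NET] sending packet: from VPS_IP[500] to 手机 4G_IP[22048] (473 bytes)
14[NET] received packet: from 手机 4G_IP[22049] to VPS_IP[4500] (496 bytes)
14[LIB] MAC verification failed
14[IKE] integrity check failed
14[IKE] IKE_AUTH request with message ID 1 processing failed
13[NET] received packet: from 手机 wifi_IP[4500] to VPS_IP[4500] (112 bytes)
13[IKE] IKE_SA ios_ikev2[1] established between VPS_IP[VPS_IP]...手机 wifi_IP[192.168.1.77]
"""

def triage(log_text):
    """Return {peer: {init_ports, auth_ports, integrity_failures, established}}."""
    peers = defaultdict(lambda: {"init_ports": set(), "auth_ports": set(),
                                 "integrity_failures": 0, "established": False})
    thread_peer = {}  # worker thread id -> peer whose packet it is currently handling
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        thread, msg = m.groups()
        recv = RECV_RE.search(msg)
        if recv:
            peer, sport, dport, _size = recv.groups()
            thread_peer[thread] = peer
            # Packets to UDP 500 are IKE_SA_INIT; after NAT detection the peer moves to 4500.
            peers[peer]["init_ports" if dport == "500" else "auth_ports"].add(int(sport))
        elif thread in thread_peer:
            stats = peers[thread_peer[thread]]
            if "integrity check failed" in msg:
                stats["integrity_failures"] += 1
            elif re.search(r"IKE_SA \S+ established between", msg):
                stats["established"] = True
    return dict(peers)

def verdict(stats):
    """'ok', or a short failure summary noting whether NAT rewrote the 500/4500 source ports."""
    if stats["established"]:
        return "ok"
    if not stats["integrity_failures"]:
        return "no IKE_AUTH integrity failure seen"
    nat = stats["init_ports"] - {500} or stats["auth_ports"] - {4500}
    return "IKE_AUTH integrity failed x%d%s" % (stats["integrity_failures"], "; NAT rewrote source ports" if nat else "")
```

Run it over a full charon log (e.g. the output of journalctl for charon) and print `verdict(stats)` per peer to see which clients never get past IKE_AUTH.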