URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Форум: vsluhforumID1
Нить номер: 97038
[ Назад ]

Исходное сообщение
"Настройка strongswan, ipsec, ikev2"
Отправлено ivandog , 02-Ноя-17 12:11

Добрый день.
Помогите разобраться с ipsec.
Настраиваю по этому мануалу https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-.../
ОС
Linux ipsec 3.16.0-4-686-pae #1 SMP Debian 3.16.43-2+deb8u5 (2017-09-19) i686 GNU/Linux
версия ipsec
root@ipsec:/etc/ipsec.d# ipsec version
Linux strongSwan U5.2.1/K3.16.0-4-686-pae
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
-------------------------------------------------------------------------------------
конфиг strongswan
root@ipsec:/etc/ipsec.d# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}
include strongswan.d/*.conf
-------------------------------------------------------------------------------------

конфиг ipsec
root@ipsec:/etc/ipsec.d# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
    # uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 2"
conn чfault
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=172.16.16.0/24
conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add
conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
conn CiscoIPSec
    keyexchange=ikev1
    # forceencaps=yes
    rightauth=pubkey
    rightauth2=xauth
    auto=add

-------------------------------------------------------------------------------------
файл ipsec.secrets

root@ipsec:/etc/ipsec.d# cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created private key
#include /var/lib/strongswan/ipsec.secrets.inc
: RSA vpnHostKey.pem
user1 : EAP "Qwerty123"
user2 : XAUTH "Qwerty_123"
-------------------------------------------------------------------------------------
Сертификаты создал и импортировал в win7, когда подключаюсь система выдает ошибку 13806

Вот лог подключения, не вижу в нем ошибку
Nov  2 04:50:26 ipsec charon: 09[NET] received packet: from 192.168.50.5[500] to 192.168.50.51[500]
Nov  2 04:50:26 ipsec charon: 09[NET] waiting for data on sockets
Nov  2 04:50:26 ipsec charon: 03[NET] received packet: from 192.168.50.5[500] to 192.168.50.51[500] (528 bytes)
Nov  2 04:50:26 ipsec charon: 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov  2 04:50:26 ipsec charon: 03[CFG] looking for an ike config for 192.168.50.51...192.168.50.5
Nov  2 04:50:26 ipsec charon: 03[CFG]   candidate: %any...%any, prio 28
Nov  2 04:50:26 ipsec charon: 03[CFG]   candidate: %any...%any, prio 28
Nov  2 04:50:26 ipsec charon: 03[CFG] found matching ike config: %any...%any with prio 28
Nov  2 04:50:26 ipsec charon: 03[IKE] 192.168.50.5 is initiating an IKE_SA
Nov  2 04:50:26 ipsec charon: 03[IKE] IKE_SA (unnamed)[9] state change: CREATED => CONNECTING
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Nov  2 04:50:26 ipsec charon: 03[CFG] selecting proposal:
Nov  2 04:50:26 ipsec charon: 03[CFG]   proposal matches
Nov  2 04:50:26 ipsec charon: 03[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Nov  2 04:50:26 ipsec charon: 03[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov  2 04:50:26 ipsec charon: 03[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Nov  2 04:50:26 ipsec charon: 03[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Nov  2 04:50:26 ipsec charon: 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov  2 04:50:26 ipsec charon: 03[NET] sending packet: from 192.168.50.51[500] to 192.168.50.5[500] (337 bytes)
Nov  2 04:50:26 ipsec charon: 10[NET] sending packet: from 192.168.50.51[500] to 192.168.50.5[500]
Nov  2 04:50:56 ipsec charon: 02[JOB] deleting half open IKE_SA after timeout
Nov  2 04:50:56 ipsec charon: 02[IKE] IKE_SA (unnamed)[9] state change: CONNECTING => DESTROYING

Подскажите, в каком направлении искать ошибку?

Содержание

Настройка strongswan, ipsec, ikev2,PavelR, 16:37 , 02-Ноя-17
- Настройка strongswan, ipsec, ikev2,ivandog, 09:58 , 03-Ноя-17
Настройка strongswan, ipsec, ikev2,ACCA, 05:58 , 08-Ноя-17
- Настройка strongswan, ipsec, ikev2,ivandog, 09:31 , 09-Ноя-17
  - Настройка strongswan, ipsec, ikev2,PavelR, 10:21 , 09-Ноя-17
    - Настройка strongswan, ipsec, ikev2,ACCA, 13:07 , 18-Ноя-17
      - Настройка strongswan, ipsec, ikev2,ACCA, 13:08 , 18-Ноя-17

Сообщения в этом обсуждении

"Настройка strongswan, ipsec, ikev2"
Отправлено PavelR , 02-Ноя-17 16:37

Файрволлы все пооткрывал ?

"Настройка strongswan, ipsec, ikev2"
Отправлено ivandog , 03-Ноя-17 09:58

> Файрволлы все пооткрывал ?
да, конечно
root@ipsec:/etc/ipsec.d# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
На винде тоже все антивирусы и фаерволлы отключил

"Настройка strongswan, ipsec, ikev2"
Отправлено ACCA , 08-Ноя-17 05:58

> Настраиваю по этому мануалу https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-.../
Когда-то пробился с этим упoротым гусём месяца два.
Linux-Linux работает, а вот Linux-Cisco запустить не удалось, та же байда - "no acceptable ENCRYPTION_ALGORITHM found"
Плюнул, купил за $30 юзаный Cisco PIX 501 и забыл, как кошмарный сон.

"Настройка strongswan, ipsec, ikev2"
Отправлено ivandog , 09-Ноя-17 09:31

Да, да, Linux-Linux работает, а с Windows подружить не смог.
Что же видимо не судьба.
Спасибо.

"Настройка strongswan, ipsec, ikev2"
Отправлено PavelR , 09-Ноя-17 10:21

> Да, да, Linux-Linux работает, а с Windows подружить не смог.
> Что же видимо не судьба.
> Спасибо.
Вот с таким конфигом у меня подключался Android и Win7

----------------
/etc/ipsec.conf
conn %default
  keyexchange=ikev2
  dpdaction=clear
  dpddelay=35s
  dpdtimeout=300s
  ike=aes256-sha1-modp1024,3des-sha1-modp1024!
  esp=aes256-sha1,3des-sha1!
conn ikev2-pubkey-vpn
  keyexchange=ike
  auto=add
  type=tunnel
  fragmentation=yes
  forceencaps=yes
  left=ipsec.domain.tld
  leftcert=ipsec.domain.tld.crt
  leftsubnet=1.2.3.4/32,3.4.5.6/24,5.6.7.8/25,8.8.8.8/32
  right=%any
  rightauth=pubkey
  rightsourceip=192.168.192.0/24
  rightdns=8.8.8.8
conn ikev2-eap-tls-vpn
   also="ikev2-pubkey-vpn"
   rightauth=eap-tls
   eap_identity=%identity

----------------
/etc/ipsec.secrets

: RSA ipsec.domain.tld.key
----------------
Документация по настройке винды:
https://wiki.strongswan.org/projects/strongswan/wiki/Windows7
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Config
Там же и по настройке андроида.

Серты генерировались с добавлением расширения 1.3.6.1.5.5.8.2.2
Изменения в файле openssl.conf
...
[ server ]
...
#1.3.6.1.5.5.8.2.2 - ikeIntermediate flag
extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2
...
Это знание было почерпнуто где-то тут:
https://habrahabr.ru/post/250859/
https://github.com/ValdikSS/easy-rsa-ipsec

"Настройка strongswan, ipsec, ikev2"
Отправлено ACCA , 18-Ноя-17 13:07

Ты крут, без под*бов, стукнись на acca(at)cpan.org. Состыкуемся, буду иметь тебя в виду на серьёзные головоломки за серьёзные бабки.
С IPsec я сдался и под такие задачи ставлю tinc. Просто, без затей, и умеет прокалывать firewall.

"Настройка strongswan, ipsec, ikev2"
Отправлено ACCA , 18-Ноя-17 13:08

nuff said