I have looked through the existing questions and answers on this problem and maybe I am missing a clue, but I don't know what else to try.
I get this output when trying to bring up the VPN from the CentOS "client":
[root@hostname etc]# strongswan up casanova_vpn
initiating Main Mode IKE_SA casanova_vpn[1] to <VPN_SERVER_PUBLIC_IP>
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from <CENTOS_7_PUBLIC_IP>[500] to <VPN_SERVER_PUBLIC_IP>[500] (176 bytes)
received packet: from <VPN_SERVER_PUBLIC_IP>[500] to <CENTOS_7_PUBLIC_IP>[500] (156 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received NAT-T (RFC 3947) vendor ID
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from <CENTOS_7_PUBLIC_IP>[500] to <VPN_SERVER_PUBLIC_IP>[500] (244 bytes)
received packet: from <VPN_SERVER_PUBLIC_IP>[500] to <CENTOS_7_PUBLIC_IP>[500] (236 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from <CENTOS_7_PUBLIC_IP>[500] to <VPN_SERVER_PUBLIC_IP>[500] (100 bytes)
received packet: from <VPN_SERVER_PUBLIC_IP>[500] to <CENTOS_7_PUBLIC_IP>[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA casanova_vpn[1] established between <CENTOS_7_PUBLIC_IP>[<CENTOS_7_PUBLIC_IP>]...<VPN_SERVER_PUBLIC_IP>[<VPN_SERVER_PUBLIC_IP>]
scheduling reauthentication in 3394s
maximum IKE_SA lifetime 3574s
generating QUICK_MODE request 3035167021 [ HASH SA No KE ID ID ]
sending packet: from <CENTOS_7_PUBLIC_IP>[500] to <VPN_SERVER_PUBLIC_IP>[500] (300 bytes)
received packet: from <VPN_SERVER_PUBLIC_IP>[500] to <CENTOS_7_PUBLIC_IP>[500] (68 bytes)
parsed INFORMATIONAL_V1 request 3361583959 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'casanova_vpn' failed
[root@hostname etc]#
CentOS /etc/ipsec.conf: (I realize 3des-sha1-modp1024 is weak. I'll raise the levels once the tunnel works, and eventually move to certificates... trying to keep things minimal for debugging...)
[root@hostname etc]# cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=3des-sha1-modp1024!
    esp=3des-sha1-modp1024!

conn casanova_vpn
    keyexchange=ikev1
    left=%defaultroute
    auto=add
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=<VPN_SERVER_PUBLIC_IP>
[root@breezeview etc]#
MikroTik config:
ppp profile:
    name="Vultr_vpn" local-address=172.16.101.1 remote-address=172.16.101.2
    use-mpls=default use-compression=default use-encryption=yes
    only-one=default change-tcp-mss=default use-upnp=default
    address-list="" dns-server=8.8.8.8,8.8.4.4 on-up="" on-down=""
proposal:
    2 name="vultr" auth-algorithms=sha1 enc-algorithms=3des lifetime=1h
      pfs-group=modp1024
policy:
    T * group=default src-address=<CENTOS_7_PUBLIC_IP/32> dst-address=<VPN_SERVER_PUBLIC_IP/32> protocol=all proposal=vultr template=yes
So... everything lines up, in theory. In practice... not so much.
Any ideas are much appreciated!
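Added diagnostic example, not part of the question and not strongSwan or MikroTik code: since Phase 1 completes and NO_PROPOSAL_CHOSEN arrives during QUICK_MODE, the responder rejected the Phase 2 (IPsec SA) proposal or traffic selector, so the first check is to line up the Phase 2 parameters on both ends. The script below classifies the strongswan output by failed phase, flags the weak algorithms in the agreed IKE SA, and lists the Phase 2 settings that differ between the ipsec.conf conn and the MikroTik proposal/policy; the function names are mine and the samples are the post's own lines with its placeholders shortened.

```python
import re

# Constructed samples: the relevant lines from the post, placeholders shortened to <C> / <S>.
SAMPLE_LOG = """\
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE_SA casanova_vpn[1] established between <C>[<C>]...<S>[<S>]
generating QUICK_MODE request 3035167021 [ HASH SA No KE ID ID ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'casanova_vpn' failed
"""
STRONGSWAN_CONN = """\
ike=3des-sha1-modp1024!
esp=3des-sha1-modp1024!
type=transport
leftprotoport=17/1701
rightprotoport=17/1701
"""
MT_PROPOSAL = 'name="vultr" auth-algorithms=sha1 enc-algorithms=3des lifetime=1h pfs-group=modp1024'
MT_POLICY = 'group=default src-address=<C>/32 dst-address=<S>/32 protocol=all proposal=vultr template=yes'

WEAK_IKE = ("3DES", "SHA1", "MODP_1024")   # algorithms no longer considered adequate

def classify(log: str) -> dict:
    """Report which IKEv1 phase failed, the error notify, and weak algorithms in the agreed IKE SA."""
    phase1_done = re.search(r"IKE_SA \S+ established", log) is not None
    notify = re.search(r"received (\w+) error notify", log)
    ike = re.search(r"selected proposal: IKE:(\S+)", log)
    ike_algs = ike.group(1) if ike else ""
    return {
        # Phase 1 finished and the error came back during Quick Mode -> Phase 2 (IPsec SA) problem
        "failed_phase": 2 if phase1_done and "QUICK_MODE" in log else 1,
        "notify": notify.group(1) if notify else None,
        "weak_ike_algs": [w for w in WEAK_IKE if w in ike_algs],
    }

def phase2_diff(conn: str, mt_proposal: str, mt_policy: str) -> list:
    """List Phase 2 parameters that differ between the strongSwan conn and the MikroTik proposal/policy."""
    enc, auth, pfs = re.search(r"esp=([\w-]+)", conn).group(1).split("-")   # esp=enc-auth-pfs
    protoport = re.search(r"leftprotoport=(\S+)", conn).group(1)           # protocol/port selector
    mt = dict(re.findall(r"(\S+?)=(\S+)", mt_proposal + " " + mt_policy))  # RouterOS key=value pairs
    pairs = [("encryption", enc, mt["enc-algorithms"]),
             ("integrity", auth, mt["auth-algorithms"]),
             ("pfs group", pfs, mt["pfs-group"]),
             ("traffic selector", protoport, mt["protocol"])]
    return [f"{name}: strongSwan {a} vs MikroTik {b}" for name, a, b in pairs if a != b]

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
    for d in phase2_diff(STRONGSWAN_CONN, MT_PROPOSAL, MT_POLICY):
        print("check:", d)
```

On the post's own values the algorithms and PFS group agree, and the only difference reported is the traffic selector (UDP/1701 on the strongSwan side against protocol=all in the MikroTik policy), which is where to look first.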