
IKEv2 strongSwan gets "deleting half open IKE_SA with x.x.x.x after timeout" with an iOS device

I set up a strongSwan IKEv2 VPN server on Ubuntu 18.04, and I am also using a valid Let's Encrypt CA for it. I want to use it from the iOS app. So, here is ipsec.conf:

config setup
    charondebug="all"
    # keep_alive=24h
    uniqueids=never
conn %default
    auto=route
    type=tunnel
    keyexchange=ikev2
    fragmentation=no
    forceencaps=no
    mobike=yes
    ike=aes256-sha256-modp1024,aes256-sha256-modp2048, aes256-aes128-sha1-modp1024-3des!
    esp=aes256-sha256-sha1-3des!
    dpdaction=clear
    dpddelay=20s
    dpdtimeout=1800s
    rekey=no
    reauth=no
    left=%any
    #leftallowany=yes
    leftcert=cert.crt
    leftca=%same
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any4
    #rightallowany=yes
    rightid=%any
    rightsourceip=172.26.0.0/16
    rightdns=8.8.8.8,8.8.4.4
    eap_identity=%identity
    rightauth=pubkey
    keyingtries=%forever

conn ikev2-mschapv2
    rightauth=eap-mschapv2

conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid=@sec.mydomain.com

and here is the content of ipsec.secrets:

sec.mydomain.com : RSA key.pem
vpnusername %any% : EAP "pass"

The problem is that when I try to connect to the server, it stays in the connecting state, and after 20 seconds it changes to disconnecting and a timeout shows up in the server log. Here is the server log from tail -f /var/log/syslog:

Sep  3 07:25:25 vps-10d57688 systemd[7908]: Reached target Timers.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG network certificate management daemon.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent and passphrase cache.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Reached target Sockets.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Reached target Basic System.
Sep  3 07:25:25 vps-10d57688 systemd[1]: Started User Manager for UID 1000.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Reached target Default.
Sep  3 07:25:25 vps-10d57688 systemd[7908]: Startup finished in 33ms.
Sep  3 07:25:38 vps-10d57688 charon: 13[NET] received packet: from 151.243.253.166[500] to x.x.x.x[500] (604 bytes)
Sep  3 07:25:38 vps-10d57688 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep  3 07:25:38 vps-10d57688 charon: 13[IKE] 151.243.253.166 is initiating an IKE_SA
Sep  3 07:25:38 vps-10d57688 charon: 13[IKE] remote host is behind NAT
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-99-generic, x86_64)
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] PKCS11 module '<name>' lacks library path
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] disabling load-tester plugin, not configured
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] dnscert plugin is disabled
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] ipseckey plugin is disabled
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] attr-sql plugin: database URI not set
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG]   loaded ca certificate "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root" from '/etc/ipsec.d/cacerts/chain.pem'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/key.pem'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG]   loaded EAP secret for vpnusername %any%
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] sql plugin: database URI not set
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] eap-simaka-sql database URI missing
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loaded 0 RADIUS server configurations
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] HA config misses local/remote address
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] no threshold configured for systime-fix, disabled
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] coupling file path unspecified
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 00[JOB] spawning 16 worker threads
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] received stroke: add connection 'ikev2-mschapv2'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] adding virtual IP address pool 172.26.0.0/16
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG]   loaded certificate "OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com" from 'cert.crt'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG]   id '%any' not confirmed by certificate, defaulting to 'OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] added configuration 'ikev2-mschapv2'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 07[CFG] received stroke: route 'ikev2-mschapv2'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 07[CFG] installing trap failed, remote address unknown
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] received stroke: add connection 'ikev2-mschapv2-apple'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] reusing virtual IP address pool 172.26.0.0/16
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG]   loaded certificate "OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com" from 'cert.crt'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] added configuration 'ikev2-mschapv2-apple'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 11[CFG] received stroke: route 'ikev2-mschapv2-apple'
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 11[CFG] installing trap failed, remote address unknown
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[NET] received packet: from 151.243.253.166[500] to x.x.x.x[500] (604 bytes)
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] 151.243.253.166 is initiating an IKE_SA
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] remote host is behind NAT
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 16[NET] sending packet: from x.x.x.x[500] to 151.243.253.166[500] (473 bytes)
Sep  3 07:25:38 vps-10d57688 ipsec[7723]: 07[JOB] deleting half open IKE_SA with 151.243.253.166 after timeout

More of the log: I used tcpdump and nc to test port 4500 and it worked, but when I try to connect to the VPN it does not receive or send any packets:

Here is the output from the test with nc:

ubuntu@vps-10d57688:~$ sudo tcpdump -i ens3 udp port 4500 -vv -X
tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:49:46.754565 IP (tos 0x0, ttl 52, id 31208, offset 0, flags [none], proto UDP (17), length 31)
    192.64.83.84.51285 > vps-10d57688.vps.ovh.ca.ipsec-nat-t: [udp sum ok] [|isakmp]
    0x0000:  4500 001f 79e8 0000 3411 f82a c040 5354  E...y...4..*.@ST
    0x0010:  4246 bee0 c855 1194 000b 9ec9 6869 0a    BF...U......hi.
15:50:00.565036 IP (tos 0x0, ttl 52, id 4681, offset 0, flags [none], proto UDP (17), length 33)
    192.64.83.84.51285 > vps-10d57688.vps.ovh.ca.ipsec-nat-t: [udp sum ok] UDP-encap: [|ESP]
    0x0000:  4500 0021 1249 0000 3411 5fc8 c040 5354  E..!.I..4._..@ST
    0x0010:  4246 bee0 c855 1194 000d 1f55 7465 7374  BF...U.....Utest
    0x0020:  0a                                       .
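Added example (not part of the question and not strongSwan code): a small Python checker that reads charon log lines like the ones above and reports, per peer, whether an IKE_SA_INIT was answered without any IKE_AUTH request following it and whether NAT was detected, which is exactly the pattern behind the "deleting half open IKE_SA ... after timeout" line. The sample log is constructed from the post's lines with RFC 5737 documentation addresses in place of the real ones.

```python
import re
from collections import defaultdict

# Constructed sample (not verbatim from the post): its charon lines, trimmed, with RFC 5737 addresses.
SAMPLE_LOG = """\
Sep  3 07:25:38 vps charon: 16[NET] received packet: from 203.0.113.7[500] to 198.51.100.1[500] (604 bytes)
Sep  3 07:25:38 vps charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep  3 07:25:38 vps charon: 16[IKE] 203.0.113.7 is initiating an IKE_SA
Sep  3 07:25:38 vps charon: 16[IKE] remote host is behind NAT
Sep  3 07:25:38 vps charon: 16[NET] sending packet: from 198.51.100.1[500] to 203.0.113.7[500] (473 bytes)
Sep  3 07:25:38 vps charon: 07[JOB] deleting half open IKE_SA with 203.0.113.7 after timeout
"""

RECV = re.compile(r" (\d+)\[NET\] received packet: from (\S+)\[\d+\]")
PARSED = re.compile(r" (\d+)\[ENC\] parsed (\w+) request")
NAT = re.compile(r" (\d+)\[IKE\] remote host is behind NAT")
TIMEOUT = re.compile(r"deleting half open IKE_SA with (\S+) after timeout")

def analyze(log_text):
    """Per-peer counts of IKE_SA_INIT / IKE_AUTH requests, NAT detection and half-open
    timeouts. charon prefixes each line with a worker-thread id; the 'received packet'
    line and the 'parsed' / 'behind NAT' lines for the same packet share that id."""
    peers = defaultdict(lambda: {"init": 0, "auth": 0, "nat": False, "timeouts": 0})
    thread_peer = {}                       # worker thread id -> peer address
    for line in log_text.splitlines():
        if m := RECV.search(line):
            thread_peer[m.group(1)] = m.group(2)
        elif m := PARSED.search(line):
            peer = thread_peer.get(m.group(1))
            if peer and m.group(2) == "IKE_SA_INIT":
                peers[peer]["init"] += 1
            elif peer and m.group(2) == "IKE_AUTH":
                peers[peer]["auth"] += 1
        elif m := NAT.search(line):
            if peer := thread_peer.get(m.group(1)):
                peers[peer]["nat"] = True
        elif m := TIMEOUT.search(line):
            peers[m.group(1)]["timeouts"] += 1
    return dict(peers)

def diagnose(state):
    """Explain the 'deleting half open IKE_SA ... after timeout' pattern for one peer."""
    if state["timeouts"] and state["init"] and not state["auth"]:
        msg = "IKE_SA_INIT was answered but no IKE_AUTH request ever arrived"
        if state["nat"]:
            msg += ("; the peer is behind NAT, so IKE_AUTH moves to UDP 4500: "
                    "confirm UDP 4500 from that peer reaches charon, not just port 500")
        return msg
    return "no half-open timeout pattern"
```

Run it against the full syslog excerpt to get one line per peer; a peer with init > 0, auth == 0 and timeouts > 0 never got its IKE_AUTH through, which is a reachability problem rather than an authentication or certificate one.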