I'm trying to test a new StrongSwan IPSec VPN server by connecting from OS X 10.10.
This is very frustrating because the logs show a series of "success" messages, but then the system bails out. I'm also confused about why the Security Association is "(unnamed)[3]".
This page shows how to capture the racoon configuration, which looks something like this:
    remote myvpc.mydomain.com {
        doi ipsec_doi;
        situation identity_only;
        exchange_mode main;
        verify_identifier off;
        shared_secret keychain "SOME-HASH.SS";
        local_address 10.0.0.149;
        nonce_size 16;
        dpd_delay 20;
        dpd_retry 5;
        dpd_maxfail 5;
        dpd_algorithm dpd_blackhole_detect;
        initial_contact on;
        support_proxy on;
        proposal_check obey;
        xauth_login "staff";
        mode_cfg on;
        proposal {
            authentication_method xauth_psk_client;
            hash_algorithm sha1;
            encryption_algorithm aes 256;
            lifetime time 3600 sec;
            dh_group 2;
        }
        ...
    }
My best attempt at porting this to /etc/ipsec.conf on the server is:
    conn %default
        keyexchange=ikev2
        ike=aes256-sha1-modp1536
        esp=aes256-sha1
        authby=psk
        ikelifetime=24h
        lifetime=1h
        leftid=myvpc.mydomain.com
        auto=start

    conn osx
        keyexchange=ikev1
        authby=xauthpsk
        xauth=server
        ike=aes256-sha1-modp1024
        left=10.200.0.32/27
        leftsubnet=10.200.0.96/27
        right=1.2.3.4
        rightid=staff
When I try to connect from the Mac using the Cisco IPSec VPN type, the server logs:
    charon: 16[MGR] checkout IKE_SA by message
    charon: 16[MGR] created IKE_SA (unnamed)[3]
    charon: 16[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
    charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
    charon: 16[CFG] looking for an ike config for 10.200.0.50...1.2.3.4
    charon: 16[CFG] candidate: 10.200.0.32/27...1.2.3.4, prio 2292
    charon: 16[CFG] found matching ike config: 10.200.0.32/27...1.2.3.4 with prio 2292
    charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
    charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
    charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
    charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
    charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
    charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
    charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
    charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
    charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
    charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    charon: 16[IKE] received XAuth vendor ID
    charon: 16[IKE] received Cisco Unity vendor ID
    charon: 16[IKE] received FRAGMENTATION vendor ID
    charon: 16[IKE] received DPD vendor ID
    charon: 16[IKE] 1.2.3.4 is initiating a Main Mode IKE_SA
    charon: 16[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
    charon: 16[CFG] selecting proposal:
    charon: 16[CFG] proposal matches
    charon: 16[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
    charon: 16[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_8192/ECP_256/ECP_384/ECP_521/MODP_1024_160/MODP_2048_224/MODP_2048_256/ECP_192/ECP_224/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
    charon: 16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    charon: 16[IKE] sending XAuth vendor ID
    charon: 16[IKE] sending DPD vendor ID
    charon: 16[IKE] sending NAT-T (RFC 3947) vendor ID
    charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
    charon: 16[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
    charon: 16[MGR] checkin IKE_SA (unnamed)[3]
    charon: 16[MGR] check-in of IKE_SA successful.
    charon: 07[MGR] checkout IKE_SA by message
    charon: 07[MGR] IKE_SA (unnamed)[3] successfully checked out
    charon: 07[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
    charon: 07[IKE] received retransmit of request with ID 0, retransmitting response
    charon: 07[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
    charon: 07[MGR] checkin IKE_SA (unnamed)[3]
    charon: 07[MGR] check-in of IKE_SA successful.
    charon: 09[MGR] checkout IKE_SA by message
    charon: 09[MGR] IKE_SA (unnamed)[3] successfully checked out
    charon: 09[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
    charon: 09[IKE] received retransmit of request with ID 0, retransmitting response
    charon: 09[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
    charon: 09[MGR] checkin IKE_SA (unnamed)[3]
    charon: 09[MGR] check-in of IKE_SA successful.
    charon: 08[MGR] checkout IKE_SA by message
    charon: 08[MGR] IKE_SA (unnamed)[3] successfully checked out
    charon: 08[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
    charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
    charon: 08[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
    charon: 08[MGR] checkin IKE_SA (unnamed)[3]
    charon: 08[MGR] check-in of IKE_SA successful.
The local logs aren't that useful to me, but in case they help someone else:
    nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: Received a start command from SystemUIServer[503]
    nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: status changed to connecting
    nesessionmanager[25701]: IPSec connecting to server myvpc.mydomain.com
    nesessionmanager[25701]: IPSec Phase1 starting.
    racoon[27001]: accepted connection on vpn control socket.
    --- last message repeated 1 time ---
    racoon[27001]: IPSec connecting to server myvpc.mydomain.com
    --- last message repeated 1 time ---
    racoon[27001]: Connecting.
    racoon[27001]: IPSec Phase 1 started (Initiated by me).
    --- last message repeated 1 time ---
    racoon[27001]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
    racoon[27001]: >>>>> phase change status = Phase 1 started by us
    --- last message repeated 1 time ---
    racoon[27001]: IKE Packet: transmit success. (Phase 1 Retransmit).
    --- last message repeated 2 times ---
    nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: status changed to disconnecting
    nesessionmanager[25701]: IPSec disconnecting from server myvpc.mydomain.com
    racoon[27001]: IPSec disconnecting from server myvpc.mydomain.com
    --- last message repeated 1 time ---
    racoon[27001]: failed to send vpn_control message: Broken pipe
    --- last message repeated 1 time ---
    racoon[27001]: glob found no matches for path "/var/run/racoon/*.conf"
    --- last message repeated 1 time ---
    racoon[27001]: IPSec disconnecting from server myvpc.mydomain.com
    --- last message repeated 1 time ---
    nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: status changed to disconnected, last stop reason 0
    UserNotificationCenter[27003]: *** WARNING: Method userSpaceScaleFactor in class NSWindow is deprecated on 10.7 and later. It should not be used in new applications. Use convertRectToBacking: instead.
When I run ipsec statusall on the VPN gateway server while OS X is trying to connect, it says:
    Listening IP addresses:
      10.200.0.50
    Connections:
             osx:  10.200.0.32/27...<public ip>  IKEv1
             osx:   local:  [my-server.my-domain.com] uses pre-shared key authentication
             osx:   remote: [staff] uses pre-shared key authentication
             osx:   remote: uses XAuth authentication: any
             osx:   child:  10.200.0.96/27 === dynamic TUNNEL
    Security Associations (0 up, 1 connecting):
     (unnamed)[3]: CONNECTING, 10.200.0.50[%any]...1.2.3.4[%any]
     (unnamed)[3]: IKEv1 SPIs: HEX_CHARS_i HEX_CHARS_r*
     (unnamed)[3]: Tasks passive: ISAKMP_VENDOR MAIN_MODE ISAKMP_NATD
     (unnamed)[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
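To make a server-side trace like the one above easier to read, here is an added example (not part of the question and not strongSwan code) that parses charon lines, records which Main Mode responses the server generated, counts how often the client re-sent the same request afterwards, and turns that into operator findings. The sample log is constructed from the lines quoted in the question; the `selected peer config '...'` pattern is assumed to be the message charon logs once the identity exchange picks a conn, which is why the SA keeps the `(unnamed)` placeholder before that point.

```python
import re
from collections import Counter

# Constructed sample modelled on the charon lines quoted in the question.
CHARON_LOG = """\
charon: 16[MGR] created IKE_SA (unnamed)[3]
charon: 16[CFG] found matching ike config: 10.200.0.32/27...1.2.3.4 with prio 2292
charon: 16[IKE] 1.2.3.4 is initiating a Main Mode IKE_SA
charon: 16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
charon: 16[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
charon: 07[IKE] received retransmit of request with ID 0, retransmitting response
charon: 09[IKE] received retransmit of request with ID 0, retransmitting response
charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
"""

PATTERNS = {
    "ike_config": re.compile(r"found matching ike config: (\S+) with prio \d+"),
    "peer_config": re.compile(r"selected peer config '([^']+)'"),   # assumed message
    "proposal": re.compile(r"selected proposal: (\S+)"),
    "response": re.compile(r"generating (\w+) response (\d+)"),
    "retransmit": re.compile(r"received retransmit of request with ID (\d+)"),
}

def analyse_charon_log(text):
    """Summarise one IKEv1 Main Mode attempt and derive operator findings."""
    s = {"ike_config": None, "peer_config": None, "proposal": None,
         "responses": {}, "retransmits": Counter(), "findings": []}
    for line in text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if key == "response":        # message ID -> exchange type answered
                s["responses"][int(m.group(2))] = m.group(1)
            elif key == "retransmit":    # message ID -> times the peer re-sent it
                s["retransmits"][int(m.group(1))] += 1
            else:
                s[key] = m.group(1)
    if s["proposal"]:
        s["findings"].append("proposal negotiated: ike= is not the blocker")
    if s["ike_config"] and not s["peer_config"]:
        # Only an address-based ike config matched; the conn name is assigned later.
        s["findings"].append("IKE_SA unnamed: identity exchange never reached")
    for msg_id, n in sorted(s["retransmits"].items()):
        if msg_id in s["responses"]:
            s["findings"].append(
                f"request {msg_id} retransmitted {n}x after a {s['responses'][msg_id]} "
                "response was sent: it is not reaching the initiator (check UDP/500 return path)")
    return s
```

Three retransmits of request 0 after a 136-byte response went out point away from the proposal settings and towards the path the response takes back to the client (NAT, host firewall, UDP/500 and UDP/4500).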