Hi all,<div><br></div><div>I just set up a strongSwan server on a KVM VPS, but the connections have problems.</div><div><br></div><div>First, here is my ipsec.conf:</div><div><br></div><div><div>config setup</div><div># do not fail when no CRL is available for the CA</div><div> strictcrlpolicy=no</div>
<div> charonstart=yes</div><div> uniqueids=yes</div><div><br></div><div>conn %default</div><div># RSA signature authentication; both keys are taken from the certificates</div><div> authby=rsasig</div><div> leftrsasigkey=%cert</div><div> rightrsasigkey=%cert</div><div># local address is the one on the default route</div><div> left=%defaultroute</div>
<div><br></div><div>conn ikev2</div><div> keyexchange=ikev2</div><div># offer all traffic through the tunnel</div><div> leftsubnet=0.0.0.0/0</div><div> leftcert=strongswan.crt</div><div># the peer certificate must come from the same CA as leftcert</div><div> rightca=%same</div><div> right=%any</div><div># pool the road warrior's virtual IP is assigned from</div><div> rightsourceip=192.168.11.0/24</div><div># load the connection and wait for the peer to initiate</div><div> auto=add</div></div><div><br></div><div>The client is a road warrior and wants to get a virtual IP. From the log it seems it got the virtual IP; however, a ping from the server to the client does not work. Here is the charon.log:</div>
<div><br></div><div><div>00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.1)</div><div>00[CFG] attr-sql plugin: database URI not set</div><div>00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL</div>
<div>00[KNL] listening on interfaces:</div><div>00[KNL] eth0</div><div>00[KNL] 64.62.209.183</div><div>00[KNL] fe80::216:3cff:febf:ead9</div><div>00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'</div>
<div>00[CFG] loaded ca certificate "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=Lauyu.me CA, E=lauyu@lauyu.me" from '/etc/ipsec.d/cacerts/ca.crt'</div><div>00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'</div>
<div>00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'</div><div>00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'</div><div>00[CFG] loading crls from '/etc/ipsec.d/crls'</div>
<div>00[CFG] loading secrets from '/etc/ipsec.secrets'</div><div>00[CFG] loaded RSA private key from '/etc/ipsec.d/private/strongswan.key'</div><div>00[CFG] sql plugin: database URI not set</div><div>00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL</div>
<div>00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory</div><div>00[CFG] loaded 0 RADIUS server configurations</div><div>00[CFG] HA config misses local/remote address</div><div>00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL</div>
<div>00[LIB] feature CUSTOM:sim-card in 'eap-sim-file' plugin has unsatisfied dependency: CUSTOM:eap-sim-file-triplets</div><div>00[LIB] feature CUSTOM:sim-provider in 'eap-sim-file' plugin has unsatisfied dependency: CUSTOM:eap-sim-file-triplets</div>
<div>00[DMN] loaded plugins: curl sqlite aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius dhcp</div>
<div>00[JOB] spawning 16 worker threads</div><div>16[CFG] received stroke: add connection 'ikev2'</div><div>16[CFG] loaded certificate "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=strongswan, E=lauyu@lauyu.me" from 'strongswan.crt'</div>
<div>16[CFG] id '64.62.209.183' not confirmed by certificate, defaulting to 'C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=strongswan, E=lauyu@lauyu.me'</div><div>16[CFG] added configuration 'ikev2'</div>
<div>16[CFG] adding virtual IP address pool 'ikev2': 192.168.11.0/24</div><div>06[NET] received packet: from 121.63.63.197[500] to 64.62.209.183[500]</div><div>06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</div>
<div>06[IKE] 121.63.63.197 is initiating an IKE_SA</div><div>06[IKE] remote host is behind NAT</div><div>06[IKE] sending cert request for "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=Lauyu.me CA, E=lauyu@lauyu.me"</div>
<div>06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]</div><div>06[NET] sending packet: from 64.62.209.183[500] to 121.63.63.197[500]</div><div>05[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]</div>
<div>05[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr ]</div><div>05[IKE] received cert request for "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=Lauyu.me CA, E=lauyu@lauyu.me"</div>
<div>05[IKE] received end entity cert "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu@lauyu.me"</div><div>05[CFG] looking for peer configs matching 64.62.209.183[%any]...121.63.63.197[C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu@lauyu.me]</div>
<div>05[CFG] selected peer config 'ikev2'</div><div>05[CFG] using certificate "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu@lauyu.me"</div><div>05[CFG] using trusted ca certificate "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=Lauyu.me CA, E=lauyu@lauyu.me"</div>
<div>05[CFG] checking certificate status of "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu@lauyu.me"</div><div>05[CFG] certificate status is not available</div><div>05[CFG] reached self-signed root ca with a path length of 0</div>
<div>05[IKE] authentication of 'C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu@lauyu.me' with RSA signature successful</div><div>05[IKE] authentication of 'C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=strongswan, E=lauyu@lauyu.me' (myself) with RSA signature successful</div>
<div>05[IKE] IKE_SA ikev2[1] established between 64.62.209.183[C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=strongswan, E=lauyu@lauyu.me]...121.63.63.197[C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu@lauyu.me]</div>
<div>05[IKE] scheduling reauthentication in 10122s</div><div>05[IKE] maximum IKE_SA lifetime 10662s</div><div>05[IKE] sending end entity cert "C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=strongswan, E=lauyu@lauyu.me"</div>
<div>05[IKE] peer requested virtual IP %any</div><div>05[CFG] assigning new lease to 'C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu@lauyu.me'</div><div>05[IKE] assigning virtual IP 192.168.11.1 to peer 'C=TC, ST=YC, L=YiFeng, O=Lauyu.me, CN=e71, E=lauyu@lauyu.me'</div>
<div>05[IKE] CHILD_SA ikev2{1} established with SPIs c25dd424_i 1c1e2ef3_o and TS 0.0.0.0/0 === 192.168.11.1/32</div><div>05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) SA TSi TSr N(AUTH_LFT) ]</div>
<div>05[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]</div><div>03[IKE] sending DPD request</div><div>03[ENC] generating INFORMATIONAL request 0 [ ]</div><div>03[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]</div>
<div>02[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]</div><div>02[ENC] parsed INFORMATIONAL response 0 [ ]</div><div>01[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]</div>
<div>01[ENC] parsed INFORMATIONAL request 2 [ ]</div><div>01[ENC] generating INFORMATIONAL response 2 [ ]</div><div>01[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]</div><div>06[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]</div>
<div>06[ENC] parsed INFORMATIONAL request 3 [ ]</div><div>06[ENC] generating INFORMATIONAL response 3 [ ]</div><div>06[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]</div><div>04[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]</div>
<div>04[ENC] parsed INFORMATIONAL request 4 [ ]</div><div>04[ENC] generating INFORMATIONAL response 4 [ ]</div><div>04[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]</div><div>07[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]</div>
<div>07[ENC] parsed INFORMATIONAL request 5 [ ]</div><div>07[ENC] generating INFORMATIONAL response 5 [ ]</div><div>07[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]</div><div>06[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]</div>
<div>06[ENC] parsed INFORMATIONAL request 6 [ ]</div><div>06[ENC] generating INFORMATIONAL response 6 [ ]</div><div>06[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]</div><div>04[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]</div>
<div>04[ENC] parsed INFORMATIONAL request 7 [ ]</div><div>04[ENC] generating INFORMATIONAL response 7 [ ]</div><div>04[NET] sending packet: from 64.62.209.183[4500] to 121.63.63.197[4500]</div><div>01[NET] received packet: from 121.63.63.197[4500] to 64.62.209.183[4500]</div>
<div>01[ENC] parsed INFORMATIONAL request 8 [ ]</div><div>01[ENC] generating INFORMATIONAL response 8 [ ]</div></div><div><br></div><div>The above shows that there are a lot of strange messages between the server and the client.</div>
<div><br></div><div>Thanks very much~</div>
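A diagnostic script for the situation in the post above, added here as an example; it is not part of the original message and not a strongSwan tool. It pulls out of a charon.log the facts that matter for a road-warrior tunnel (whether a CHILD_SA came up, the negotiated traffic selectors, the virtual IP handed out, and how many of the empty INFORMATIONAL exchanges are liveness checks sent by the peer; an INFORMATIONAL exchange with no payloads is the IKEv2 liveness check, and the log above shows charon's own "sending DPD request" followed by exactly such an exchange), and with `--live` it runs the kernel-side checks on the server: `ipsec statusall`, IP forwarding, the xfrm policy for the virtual IP, and the ESP state counters while pinging the client. The function names are constructed for this example, and the sample log is a shortened copy of lines from the post, with the certificate DNs cut down to their CN.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan: summarise a
# charon.log for a road-warrior connection and, with --live, check what the
# kernel actually installed on the server. Function names are constructed.

# Constructed sample: lines copied from the post's charon.log, with the long
# certificate DNs shortened to their CN.
SAMPLE_LOG=$(cat <<'EOF'
05[IKE] IKE_SA ikev2[1] established between 64.62.209.183[CN=strongswan]...121.63.63.197[CN=e71]
05[IKE] assigning virtual IP 192.168.11.1 to peer 'CN=e71'
05[IKE] CHILD_SA ikev2{1} established with SPIs c25dd424_i 1c1e2ef3_o and TS 0.0.0.0/0 === 192.168.11.1/32
03[IKE] sending DPD request
03[ENC] generating INFORMATIONAL request 0 [ ]
02[ENC] parsed INFORMATIONAL response 0 [ ]
01[ENC] parsed INFORMATIONAL request 2 [ ]
01[ENC] generating INFORMATIONAL response 2 [ ]
06[ENC] parsed INFORMATIONAL request 3 [ ]
06[ENC] generating INFORMATIONAL response 3 [ ]
EOF
)

# Number of CHILD_SAs (the actual ESP tunnels) the log reports as established.
count_child_sas() {
    printf '%s\n' "$1" | grep -c 'CHILD_SA .* established' || true
}

# Traffic selectors negotiated for the CHILD_SA, as "local === remote".
child_sa_ts() {
    printf '%s\n' "$1" | sed -n 's/.*CHILD_SA .* and TS \(.*\)$/\1/p'
}

# Virtual IP handed out from the rightsourceip pool.
assigned_vip() {
    printf '%s\n' "$1" | sed -n 's/.*assigning virtual IP \([0-9.]*\) to peer.*/\1/p'
}

# Empty INFORMATIONAL requests received from the peer. An INFORMATIONAL
# exchange with no payloads is the IKEv2 liveness check; charon logs its own
# as "sending DPD request" followed by one such exchange, so the requests
# parsed here are the peer checking that this server is still alive.
count_peer_liveness() {
    printf '%s\n' "$1" | grep -c 'parsed INFORMATIONAL request [0-9]* \[ \]' || true
}

summarise() {
    log=$1
    echo "CHILD_SAs established : $(count_child_sas "$log")"
    echo "traffic selectors     : $(child_sa_ts "$log")"
    echo "virtual IP assigned   : $(assigned_vip "$log")"
    echo "peer liveness checks  : $(count_peer_liveness "$log")"
}

# Kernel-side checks to run as root on the server once the log says the
# CHILD_SA is up. An 'out' policy with dst <vip>/32 must exist, and the ESP
# state counters in 'ip -s xfrm state' should move while the ping runs; if
# they do not, the pings never reach the tunnel at all.
live_checks() {
    vip=${1:-192.168.11.1}
    ipsec statusall
    sysctl net.ipv4.ip_forward
    ip xfrm policy | grep -B1 -A2 "dst $vip/32" || echo "no xfrm policy for $vip"
    ping -c 3 "$vip"
    ip -s xfrm state
}

case "${1:-}" in
    --live) live_checks "$2" ;;
    '')     summarise "$SAMPLE_LOG" ;;
    *)      summarise "$(cat "$1")" ;;
esac
```

Run it with no arguments to see the summary of the embedded sample, with a path (`sh check_tunnel.sh /var/log/charon.log`) against the real log, or as root with `--live 192.168.11.1` on the server to compare what charon negotiated with what the kernel holds.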