ipsec 连接问题

cheng3900 · 发表于 2016-11-29 17:00:15

A 端的日志如下
Nov 29 16:52:41 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.3.8, i686)
Nov 29 16:52:41 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 16:52:41 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 16:52:41 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 16:52:41 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 16:52:41 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 16:52:41 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 16:52:41 00[CFG] loading secrets from '/etc/ipsec.secrets.d/vpn-1'
Nov 29 16:52:41 00[CFG] loaded IKE secret for %any 114.222.144.138
Nov 29 16:52:41 00[LIB] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Nov 29 16:52:41 00[JOB] spawning 16 worker threads
Nov 29 16:52:41 07[CFG] received stroke: add connection 'ipsec_vpn_1_0'
Nov 29 16:52:41 07[CFG] left nor right host is our side, assuming left=local
Nov 29 16:52:41 07[CFG] added configuration 'ipsec_vpn_1_0'
Nov 29 16:52:41 05[CFG] received stroke: initiate 'ipsec_vpn_1_0'
Nov 29 16:52:41 05[IKE] initiating IKE_SA ipsec_vpn_1_0[1] to 114.222.144.138
Nov 29 16:52:42 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Nov 29 16:52:42 05[NET] sending packet: from 117.88.54.198[500] to 114.222.144.138[500] (708 bytes)
Nov 29 16:52:42 12[NET] received packet: from 114.222.144.138[500] to 117.88.54.198[500] (36 bytes)
Nov 29 16:52:42 12[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Nov 29 16:52:42 12[IKE] received NO_PROPOSAL_CHOSEN notify error
Nov 29 16:53:42 14[NET] received packet: from 114.222.144.138[500] to 180.109.159.205[500] (708 bytes)
Nov 29 16:53:42 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Nov 29 16:53:42 14[IKE] 114.222.144.138 is initiating an IKE_SA
Nov 29 16:53:43 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Nov 29 16:53:43 14[NET] sending packet: from 180.109.159.205[500] to 114.222.144.138[500] (456 bytes)
Nov 29 16:53:43 16[NET] received packet: from 114.222.144.138[4500] to 180.109.159.205[4500] (428 bytes)
Nov 29 16:53:43 16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 29 16:53:43 16[CFG] looking for peer configs matching 180.109.159.205[180.109.159.205]...114.222.144.138[114.222.144.138]
Nov 29 16:53:43 16[CFG] selected peer config 'ipsec_vpn_1_0'
Nov 29 16:53:43 16[IKE] authentication of '114.222.144.138' with pre-shared key successful
Nov 29 16:53:43 16[IKE] peer supports MOBIKE
Nov 29 16:53:43 16[IKE] authentication of '180.109.159.205' (myself) with pre-shared key
Nov 29 16:53:43 16[IKE] IKE_SA ipsec_vpn_1_0[2] established between 180.109.159.205[180.109.159.205]...114.222.144.138[114.222.144.138]
Nov 29 16:53:43 16[IKE] scheduling reauthentication in 10085s
Nov 29 16:53:43 16[IKE] maximum IKE_SA lifetime 10625s
Nov 29 16:53:43 16[IKE] CHILD_SA ipsec_vpn_1_0{1} established with SPIs c6cc5e04_i c04efe74_o and TS 192.168.1.0/24 === 10.3.17.0/24
Nov 29 16:53:43 16[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Nov 29 16:53:43 16[NET] sending packet: from 180.109.159.205[4500] to 114.222.144.138[4500] (252 bytes)

B端的日志如下
Nov 29 16:50:56 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.3.8, i686)
Nov 29 16:50:56 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 29 16:50:56 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 29 16:50:56 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 29 16:50:56 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 29 16:50:56 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 29 16:50:56 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 29 16:50:56 00[CFG] loading secrets from '/etc/ipsec.secrets.d/vpn-1'
Nov 29 16:50:56 00[CFG] loaded IKE secret for %any 180.109.159.205
Nov 29 16:50:56 00[LIB] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Nov 29 16:50:56 00[JOB] spawning 16 worker threads
Nov 29 16:50:56 04[CFG] received stroke: add connection 'ipsec_vpn_1_0'
Nov 29 16:50:56 04[CFG] left nor right host is our side, assuming left=local
Nov 29 16:50:56 04[CFG] added configuration 'ipsec_vpn_1_0'
Nov 29 16:50:56 08[CFG] received stroke: initiate 'ipsec_vpn_1_0'
Nov 29 16:50:56 08[IKE] initiating IKE_SA ipsec_vpn_1_0[1] to 180.109.159.205
Nov 29 16:50:56 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Nov 29 16:50:56 08[NET] sending packet: from 114.222.144.138[500] to 180.109.159.205[500] (708 bytes)
Nov 29 16:51:00 09[IKE] retransmit 1 of request with message ID 0
Nov 29 16:51:00 09[NET] sending packet: from 114.222.144.138[500] to 180.109.159.205[500] (708 bytes)
Nov 29 16:51:07 10[IKE] retransmit 2 of request with message ID 0
Nov 29 16:51:07 10[NET] sending packet: from 114.222.144.138[500] to 180.109.159.205[500] (708 bytes)
Nov 29 16:51:20 11[IKE] retransmit 3 of request with message ID 0
Nov 29 16:51:20 11[NET] sending packet: from 114.222.144.138[500] to 180.109.159.205[500] (708 bytes)
Nov 29 16:51:43 12[IKE] retransmit 4 of request with message ID 0
Nov 29 16:51:43 12[NET] sending packet: from 114.222.144.138[500] to 180.109.159.205[500] (708 bytes)
Nov 29 16:52:25 13[IKE] retransmit 5 of request with message ID 0
Nov 29 16:52:25 13[NET] sending packet: from 114.222.144.138[500] to 180.109.159.205[500] (708 bytes)
Nov 29 16:52:40 14[NET] received packet: from 117.88.54.198[500] to 114.222.144.138[500] (708 bytes)
Nov 29 16:52:40 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Nov 29 16:52:40 14[IKE] no IKE config found for 114.222.144.138...117.88.54.198, sending NO_PROPOSAL_CHOSEN
Nov 29 16:52:40 14[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Nov 29 16:52:40 14[NET] sending packet: from 114.222.144.138[500] to 117.88.54.198[500] (36 bytes)
Nov 29 16:53:41 15[IKE] giving up after 5 retransmits
Nov 29 16:53:41 15[IKE] peer not responding, trying again (2/0)
Nov 29 16:53:41 15[IKE] initiating IKE_SA ipsec_vpn_1_0[1] to 180.109.159.205
Nov 29 16:53:41 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Nov 29 16:53:41 15[NET] sending packet: from 114.222.144.138[500] to 180.109.159.205[500] (708 bytes)
Nov 29 16:53:42 07[NET] received packet: from 180.109.159.205[500] to 114.222.144.138[500] (456 bytes)
Nov 29 16:53:42 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Nov 29 16:53:42 07[CFG] no IDi configured, fall back on IP address
Nov 29 16:53:42 07[IKE] authentication of '114.222.144.138' (myself) with pre-shared key
Nov 29 16:53:42 07[IKE] establishing CHILD_SA ipsec_vpn_1_0
Nov 29 16:53:42 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 29 16:53:42 07[NET] sending packet: from 114.222.144.138[4500] to 180.109.159.205[4500] (428 bytes)
Nov 29 16:53:42 05[NET] received packet: from 180.109.159.205[4500] to 114.222.144.138[4500] (252 bytes)
Nov 29 16:53:42 05[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Nov 29 16:53:42 05[IKE] authentication of '180.109.159.205' with pre-shared key successful
Nov 29 16:53:42 05[IKE] IKE_SA ipsec_vpn_1_0[1] established between 114.222.144.138[114.222.144.138]...180.109.159.205[180.109.159.205]
Nov 29 16:53:42 05[IKE] scheduling reauthentication in 9801s
Nov 29 16:53:42 05[IKE] maximum IKE_SA lifetime 10341s
Nov 29 16:53:42 05[IKE] CHILD_SA ipsec_vpn_1_0{1} established with SPIs c04efe74_i c6cc5e04_o and TS 10.3.17.0/24 === 192.168.1.0/24
Nov 29 16:53:42 05[IKE] received AUTH_LIFETIME of 10085s, scheduling reauthentication in 9545s
Nov 29 16:53:42 05[IKE] peer supports MOBIKE

都能相互拼通对方的域名，确定设置正确
现就是连接不了