大佬们您好,我在 CentOS 7 上连接 strongSwan 时,分配 IP 地址后提示 "no CHILD_SA built"、"failed to establish CHILD_SA",连接失败。安卓和 Windows 连接正常。
服务端版本 5.6.2,CentOS 端版本也是 5.6.2,这是配置文件:
http://popcn.net/ipsec.conf
====================服务端配置============================
# ipsec.conf - strongSwan IPsec configuration file
# Server side of the setup described in the post.
# NOTE(review): ipsec.conf requires the parameter lines of a config/conn
# section to begin with whitespace; they appear at column 0 here, presumably
# because the paste lost its indentation - restore it before using this file.
# basic configuration
config setup
# Both CRL options are commented out, so the daemon defaults apply.
# strictcrlpolicy=yes
# cachecrls=yes
# never: IKE identities are not enforced as unique, so one identity (here,
# one EAP account) can hold several tunnels at the same time.
uniqueids=never
# Add connections here.
# %default: values inherited by every conn section that follows.
conn %default
# IKE SA lifetime.
ikelifetime=60m
# CHILD_SA lifetime (keylife is a synonym of lifetime).
keylife=120m
# How long before expiry a rekey attempt starts.
rekeymargin=3m
# One negotiation attempt only; a failed attempt is not retried.
keyingtries=1
# PSK authentication is commented out; the conn below sets leftauth/rightauth.
# authby=psk/secret
# Road-warrior IKEv2 connection: the server proves its identity with a
# certificate (leftauth=pubkey) and clients authenticate with EAP-MSCHAPv2.
conn ikev2
keyexchange=ikev2
# The trailing "!" makes the proposal list strict: only these suites are
# accepted. 3des-sha1 is a legacy suite (64-bit block cipher, SHA-1);
# presumably kept for older clients - drop it once every client can use the
# AES/SHA-2 suites.
ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
esp=aes256-sha256,3des-sha1,aes256-sha1!
type=tunnel
# This end does not initiate rekeying.
rekey=no
# No firewall rules are installed by the default updown script; the custom
# script below is used instead.
leftfirewall=no
left=%defaultroute
# Offers all IPv4 and IPv6 destinations through the tunnel (full tunnel).
leftsubnet=0.0.0.0/0,::/0
# Custom updown script, not shown on this page. NOTE(review): updown scripts
# are run by the daemon and receive peer-derived values in PLUTO_* variables;
# confirm the script quotes them and is writable only by root.
leftupdown=/usr/local/etc/strongswan.d/proxyndp.updown
# Placeholder ("local public address"). The value must be an identity the
# server certificate confirms (subject DN or a subjectAltName).
leftid=本地对外地址
leftauth=pubkey
leftcert=server.cert.pem
leftsendcert=ifasked
right=%any
# Virtual IP pool for clients. NOTE(review): the trailing comma leaves an
# empty second entry, and only an IPv4 pool is defined although leftsubnet and
# rightdns include IPv6 - if IPv6 inside the tunnel is intended, an IPv6 pool
# appears to be missing; otherwise remove the comma.
rightsourceip=10.10.8.0/24,
# DNS servers pushed to clients.
rightdns=8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844
# rightsubnet=0.0.0.0/0,::/0
# rightcert=client.cert.pem
# rightsendcert=never
# Password-based client authentication. Its safety depends on the client
# validating the server certificate before the EAP exchange.
rightauth=eap-mschapv2
# %any: the server asks the client for its EAP identity.
eap_identity=%any
# On a dead-peer-detection timeout the SA is cleared.
dpdaction=clear
fragmentation=yes
# IPComp is enabled on this side; the client section on this page does not
# set compress.
compress=yes
# Loaded but not initiated; the server waits for clients to connect.
auto=add
# Restart the daemon so the edited ipsec.conf is re-read.
strongswan restart
# Initiate the connection named "linux-client" (defined in the client config).
strongswan up linux-client
# Show loaded connections and established SAs. The reason a CHILD_SA was
# refused is reported in the charon log on both peers (a notify such as
# NO_PROPOSAL_CHOSEN or TS_UNACCEPTABLE, or a local error installing the SA in
# the kernel); this page does not show which one occurred.
# Redact public addresses and identities before posting this output.
strongswan statusall
====================客户端配置============================
# Client-side ipsec.conf (CentOS 7 initiator).
# NOTE(review): ipsec.conf requires the parameter lines of a config/conn
# section to begin with whitespace; they appear at column 0 here, presumably
# because the paste lost its indentation - restore it before using this file.
config setup
# Commented out, so the default applies when the client validates the
# server certificate.
# strictcrlpolicy=yes
uniqueids =never
# Empty defaults section: nothing is inherited by the conn below.
conn %default
# Initiator side: the server is authenticated by certificate (rightauth=pubkey)
# and this client authenticates with EAP-MSCHAPv2 as "user".
conn linux-client
keyexchange=ikev2
rekey=no
# Same strict ("!") proposal list as the server section; 3des-sha1 is a legacy
# suite that can be dropped when both ends support the AES/SHA-2 entries.
ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
esp=aes256-sha256,3des-sha1,aes256-sha1!
# Placeholder ("peer address"): the server's address.
right=对端地址
# Expected server identity; the "@" prefix marks it as an FQDN-type ID. It has
# to match the server's leftid and be confirmed by the server certificate.
rightid=@对端地址
# Requests all IPv4 and IPv6 traffic through the tunnel. The server section on
# this page defines only an IPv4 address pool - confirm IPv6 is intended.
rightsubnet=0.0.0.0/0,::/0
rightauth=pubkey
left=%any
# Ask the server for a virtual IP.
leftsourceip=%config
# NOTE(review): leftauth below is EAP, so this client does not authenticate
# with a certificate; the file name suggests the line was copied from the
# server side - confirm. To trust the server the client needs the issuing CA
# certificate (ipsec.d/cacerts); the server's private key must never be copied
# to clients.
leftcert=server.cert.pem
leftsendcert=ifasked
leftauth=eap-mschapv2
# EAP identity sent to the server; the matching EAP secret is expected in
# ipsec.secrets, which is not shown on this page.
eap_identity=user
type=tunnel
# Loaded only; the tunnel is started manually with "strongswan up linux-client".
auto=add