Problem description
I am trying to create a VPN connection in my app. On the server side there is an IKEv2 VPN server with StrongSwan on Ubuntu 16.04, built following this guide (https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04).
When I try to connect, the server produces this log:
- May 5 08:58:21 ip-2 charon: 05[NET] received packet: from 3[500] to 2[500] (432 bytes)
- May 5 08:58:21 ip-2 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
- May 5 08:58:21 ip-2 charon: 05[IKE] 3 is initiating an IKE_SA
- May 5 08:58:21 ip-2 charon: 05[IKE] local host is behind NAT,sending keep alives
- May 5 08:58:21 ip-2 charon: 05[IKE] remote host is behind NAT
- May 5 08:58:21 ip-2 charon: 05[IKE] received proposals inacceptable
- May 5 08:58:21 ip-2 charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
- May 5 08:58:21 ip-2 charon: 05[NET] sending packet: from 2[500] to 3[500] (36 bytes)
- May 5 08:58:22 ip-2 charon: 16[NET] received packet: from 3[500] to 2[500] (432 bytes)
- May 5 08:58:22 ip-2 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
- May 5 08:58:22 ip-2 charon: 16[IKE] 3 is initiating an IKE_SA
- May 5 08:58:22 ip-2 charon: 16[IKE] local host is behind NAT,sending keep alives
- May 5 08:58:22 ip-2 charon: 16[IKE] remote host is behind NAT
- May 5 08:58:22 ip-2 charon: 16[IKE] received proposals inacceptable
- May 5 08:58:22 ip-2 charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
- May 5 08:58:22 ip-2 charon: 16[NET] sending packet: from 2[500] to 3[500] (36 bytes)
I use this configuration on the server:
config setup
charondebug="ike 1,knl 1,cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
lifetime=8h
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=<IP>
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
eap_identity=%identity
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
And this code on iOS:
import NetworkExtension
import Security

class VpnManager {
    let vpnManager = NEVPNManager.shared()
    let info = VPNINFO()   // app-specific holder for serverAddress and the base64 DER cert

    func connectToVPN() {
        vpnManager.loadFromPreferences { error in
            if let error = error {
                print(error)
                return
            }
            let IKEv2Protocol = NEVPNProtocolIKEv2()
            IKEv2Protocol.serverAddress = self.info.serverAddress
            IKEv2Protocol.authenticationMethod = .certificate
            // Decode the base64 DER certificate and hand its bytes to identityData
            let certificate = SecCertificateCreateWithData(nil, Data(base64Encoded: self.info.cert)! as CFData)!
            let certificateData = SecCertificateCopyData(certificate) as Data
            IKEv2Protocol.identityData = certificateData
            self.vpnManager.protocolConfiguration = IKEv2Protocol
            self.vpnManager.isEnabled = true
            self.vpnManager.saveToPreferences { error in
                if let error = error {
                    print(error)
                    return
                }
                // Username plus a persistent keychain reference (app's own helper) for the password
                let options: [String: Any] = [
                    NEVPNConnectionStartOptionUsername: "username",
                    NEVPNConnectionStartOptionPassword: KeychainWrapper.passwordRefForVPNID("MY_PASSWORD")
                ]
                do {
                    try self.vpnManager.connection.startVPNTunnel(options: options as! [String: NSObject])
                } catch {
                    print(error)
                }
            }
        }
    }
}
Expected result: connected
Actual result: connecting -> disconnected
Most recent console log:
Jun 4 15:44:51 charon: 06[NET] received packet: from <my ip>[500] to <server ip>[500] (304 bytes)
Jun 4 15:44:51 charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 4 15:44:51 charon: 06[IKE] <my ip> is initiating an IKE_SA
Jun 4 15:44:51 charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun 4 15:44:51 charon: 06[IKE] local host is behind NAT,sending keep alives
Jun 4 15:44:51 charon: 06[IKE] remote host is behind NAT
Jun 4 15:44:51 charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 4 15:44:51 charon: 06[NET] sending packet: from <server ip>[500] to <my ip>[500] (328 bytes)
Jun 4 15:44:51 charon: 05[NET] received packet: from <my ip>[500] to <server ip>[500] (304 bytes)
Jun 4 15:44:51 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 4 15:44:51 charon: 05[IKE] <my ip> is initiating an IKE_SA
Jun 4 15:44:51 charon: 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun 4 15:44:51 charon: 05[IKE] local host is behind NAT,sending keep alives
Jun 4 15:44:51 charon: 05[IKE] remote host is behind NAT
Jun 4 15:44:51 charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 4 15:44:51 charon: 05[NET] sending packet: from <server ip>[500] to <my ip>[500] (328 bytes)
Jun 4 15:45:11 charon: 08[IKE] sending keep alive to <my ip>[500]
Jun 4 15:45:11 charon: 09[IKE] sending keep alive to <my ip>[500]
Jun 4 15:45:21 charon: 10[JOB] deleting half open IKE_SA with <my ip> after timeout
Jun 4 15:45:21 charon: 11[JOB] deleting half open IKE_SA with <my ip> after timeout
Solution
Your strongSwan server is configured with the following cipher suites.
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
Fix
You need to specify the ciphers supported by the VPN server on the NEVPNProtocolIKEv2 instance.
IKEv2Protocol.ikeSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256
IKEv2Protocol.ikeSecurityAssociationParameters.integrityAlgorithm = .SHA96
IKEv2Protocol.ikeSecurityAssociationParameters.diffieHellmanGroup = .group2
IKEv2Protocol.ikeSecurityAssociationParameters.lifetimeMinutes = 480
IKEv2Protocol.childSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256
IKEv2Protocol.childSecurityAssociationParameters.integrityAlgorithm = .SHA96
IKEv2Protocol.childSecurityAssociationParameters.diffieHellmanGroup = .group2
IKEv2Protocol.childSecurityAssociationParameters.lifetimeMinutes = 60
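As an added example (not code from the question, the answer, Apple or strongSwan), one way to derive these NEVPNIKEv2SecurityAssociationParameters directly from the strongSwan ike=/esp= lines quoted above, so the client's proposal matches what charon accepts; it also understands the sha256/modp2048 suites, which is where both sides should move since modp1024 and SHA-1 are weak. The helper names are this example's own; the enum cases are NetworkExtension's.

```swift
import NetworkExtension

// Added example, not code from the question, the answer, or Apple/strongSwan. It maps
// strongSwan ike=/esp= values onto NetworkExtension SA parameters (helper names are assumed).
enum ProposalError: Error { case unsupported(String) }

/// First proposal of a strongSwan ike=/esp= value, with the strict marker "!" removed.
func firstProposal(_ line: String) -> String {
    let value = line.split(separator: "=", maxSplits: 1).last.map(String.init) ?? line
    return value.split(separator: ",")[0].replacingOccurrences(of: "!", with: "")
}

/// Maps one proposal such as "aes256-sha1-modp1024" onto an SA parameter object.
/// strongSwan's "sha1" means HMAC_SHA1_96 (see the selected-proposal log line), i.e. .SHA96.
func apply(strongSwanProposal proposal: String, lifetimeMinutes: Int32,
           to params: NEVPNIKEv2SecurityAssociationParameters) throws {
    params.lifetimeMinutes = lifetimeMinutes
    for token in proposal.split(separator: "-") {
        switch token {
        case "3des":     params.encryptionAlgorithm = .algorithm3DES
        case "aes128":   params.encryptionAlgorithm = .algorithmAES128
        case "aes256":   params.encryptionAlgorithm = .algorithmAES256
        case "sha1":     params.integrityAlgorithm = .SHA96
        case "sha256":   params.integrityAlgorithm = .SHA256
        case "sha384":   params.integrityAlgorithm = .SHA384
        case "sha512":   params.integrityAlgorithm = .SHA512
        case "modp1024": params.diffieHellmanGroup = .group2
        case "modp1536": params.diffieHellmanGroup = .group5
        case "modp2048": params.diffieHellmanGroup = .group14
        case "ecp256":   params.diffieHellmanGroup = .group19
        default: throw ProposalError.unsupported(String(token))
        }
    }
}

/// IKE lifetime 480 min mirrors the server's lifetime=8h; the child SA lifetime follows the answer.
func makeIKEv2Protocol(ikeLine: String, espLine: String) throws -> NEVPNProtocolIKEv2 {
    let proto = NEVPNProtocolIKEv2()
    try apply(strongSwanProposal: firstProposal(ikeLine), lifetimeMinutes: 480,
              to: proto.ikeSecurityAssociationParameters)
    // esp= on this page names no DH group; the answer uses group2 for the child SA,
    // so set it first and let an esp= entry that does name a group override it.
    proto.childSecurityAssociationParameters.diffieHellmanGroup = .group2
    try apply(strongSwanProposal: firstProposal(espLine), lifetimeMinutes: 60,
              to: proto.childSecurityAssociationParameters)
    return proto
}

// Usage with the server configuration quoted in the question
let ikev2 = try makeIKEv2Protocol(ikeLine: "ike=aes256-sha1-modp1024,3des-sha1-modp1024!",
                                  espLine: "esp=aes256-sha1,3des-sha1!")
```

Assign the returned object to vpnManager.protocolConfiguration after setting serverAddress and the authentication fields, exactly as in the question's connectToVPN.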