strongSwan - TS_UNACCEPTABLE traffic selector error
I have a server behind the static IP address 135.61.29.123. It has the LAN IP address shown below.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UNKNOWN group default qlen 1000
    link/ether 00:16:3e:0a:ea:4c brd ff:ff:ff:ff:ff:ff
    inet 172.18.227.8/20 brd 172.18.239.255 scope global dynamic eth0
       valid_lft 314748113sec preferred_lft 314748113sec
    inet6 fe80::216:3eff:fe0a:ea4c/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:80:a9:46:70 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:80ff:fea9:4670/64 scope link
       valid_lft forever preferred_lft forever
I am following the Roadwarrior example to set up a VPN client that connects to this server, so that I can access 172.18.227.8 directly.
strongSwan version 5.5.1
Configuration
Here is /etc/swanctl/swanctl.conf on the server side
connections {
    rw {
        local {
            auth = pubkey
            certs = serverCert.pem
            id = 135.61.29.123
        }
        remote {
            auth = pubkey
        }
        children {
            net-net {
                local_ts = 172.18.227.8/20
            }
        }
    }
}
Here is /etc/swanctl/swanctl.conf on the client side
connections {
    home {
        remote_addrs = 135.61.29.123
        local {
            auth = pubkey
            certs = clientCert.pem
            id = carol@strongswan.org
        }
        remote {
            auth = pubkey
            id = 135.61.29.123
        }
        children {
            home {
                local_ts = 172.18.227.8/20
                start_action = start
            }
        }
    }
}
Logs
Here are the logs from the server side
12[NET] received packet: from 175.10.39.196[500] to 172.18.227.8[500] (936 bytes)
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
12[IKE] 175.10.39.196 is initiating an IKE_SA
12[IKE] local host is behind NAT, sending keep alives
12[IKE] remote host is behind NAT
12[IKE] sending cert request for "C=CN, O=StrongSwan, CN=strongswan.org"
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
12[NET] sending packet: from 172.18.227.8[500] to 175.10.39.196[500] (297 bytes)
10[NET] received packet: from 175.10.39.196[4500] to 172.18.227.8[4500] (1236 bytes)
10[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
10[ENC] received fragment #1 of 2, waiting for complete IKE message
10[NET] received packet: from 175.10.39.196[4500] to 172.18.227.8[4500] (308 bytes)
10[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
10[ENC] received fragment #2 of 2, reassembling fragmented IKE message
10[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
10[IKE] received cert request for "C=CN, O=StrongSwan, CN=strongswan.org"
10[IKE] received end entity cert "C=CN, O=StrongSwan, CN=carol@strongswan.org"
10[CFG] looking for peer configs matching 172.18.227.8[135.61.29.123]...175.10.39.196[carol@strongswan.org]
10[CFG] selected peer config 'rw'
10[CFG] using trusted ca certificate "C=CN, O=StrongSwan, CN=strongswan.org"
10[CFG] checking certificate status of "C=CN, O=StrongSwan, CN=carol@strongswan.org"
10[CFG] certificate status is not available
10[CFG] reached self-signed root ca with a path length of 0
10[CFG] using trusted certificate "C=CN, O=StrongSwan, CN=carol@strongswan.org"
10[IKE] authentication of 'carol@strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
10[IKE] peer supports MOBIKE
10[IKE] authentication of '135.61.29.123' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
10[IKE] IKE_SA rw[1] established between 172.18.227.8[135.61.29.123]...175.10.39.196[carol@strongswan.org]
10[IKE] scheduling rekeying in 13146s
10[IKE] maximum IKE_SA lifetime 14586s
10[IKE] sending end entity cert "C=CN, O=StrongSwan, CN=135.61.29.123"
10[IKE] traffic selectors 135.61.29.123/32 === 172.18.224.0/20 inacceptable
10[IKE] failed to establish CHILD_SA, keeping IKE_SA
10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
10[NET] sending packet: from 172.18.227.8[4500] to 175.10.39.196[4500] (1248 bytes)
05[IKE] sending keep alive to 175.10.39.196[4500]
08[IKE] sending keep alive to 175.10.39.196[4500]
10[IKE] sending keep alive to 175.10.39.196[4500]
09[IKE] sending keep alive to 175.10.39.196[4500]
13[IKE] sending keep alive to 175.10.39.196[4500]
Here are the logs from the client side
08[CFG] loaded certificate 'C=CN, O=StrongSwan, CN=carol@strongswan.org'
12[CFG] loaded certificate 'C=CN, O=StrongSwan, CN=135.61.29.123'
05[CFG] loaded certificate 'C=CN, O=StrongSwan, CN=strongswan.org'
10[CFG] loaded RSA private key
05[CFG] loaded RSA private key
12[CFG] loaded RSA private key
16[CFG] added vici connection: home
16[CFG] initiating 'home'
16[IKE] initiating IKE_SA home[1] to 135.61.29.123
16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
16[NET] sending packet: from 192.168.2.104[500] to 135.61.29.123[500] (936 bytes)
14[NET] received packet: from 135.61.29.123[500] to 192.168.2.104[500] (297 bytes)
14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
14[IKE] local host is behind NAT, sending keep alives
14[IKE] remote host is behind NAT
14[IKE] received cert request for "C=CN, O=StrongSwan, CN=strongswan.org"
14[IKE] sending cert request for "C=CN, O=StrongSwan, CN=strongswan.org"
14[IKE] authentication of 'carol@strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
14[IKE] sending end entity cert "C=CN, O=StrongSwan, CN=carol@strongswan.org"
14[IKE] establishing CHILD_SA home
14[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
14[ENC] splitting IKE message with length of 1472 bytes into 2 fragments
14[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
14[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
14[NET] sending packet: from 192.168.2.104[4500] to 135.61.29.123[4500] (1236 bytes)
14[NET] sending packet: from 192.168.2.104[4500] to 135.61.29.123[4500] (308 bytes)
08[NET] received packet: from 135.61.29.123[4500] to 192.168.2.104[4500] (1248 bytes)
08[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
08[IKE] received end entity cert "C=CN, O=StrongSwan, CN=135.61.29.123"
08[CFG] using trusted ca certificate "C=CN, O=StrongSwan, CN=strongswan.org"
08[CFG] checking certificate status of "C=CN, O=StrongSwan, CN=135.61.29.123"
08[CFG] certificate status is not available
08[CFG] reached self-signed root ca with a path length of 0
08[CFG] using trusted certificate "C=CN, O=StrongSwan, CN=135.61.29.123"
08[IKE] authentication of '135.61.29.123' with RSA_EMSA_PKCS1_SHA2_256 successful
08[IKE] IKE_SA home[1] established between 192.168.2.104[carol@strongswan.org]...135.61.29.123[135.61.29.123]
08[IKE] scheduling rekeying in 14287s
08[IKE] maximum IKE_SA lifetime 15727s
08[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
08[IKE] failed to establish CHILD_SA, keeping IKE_SA
08[IKE] peer supports MOBIKE
11[IKE] sending keep alive to 135.61.29.123[4500]
10[IKE] sending keep alive to 135.61.29.123[4500]
07[IKE] sending keep alive to 135.61.29.123[4500]
08[IKE] sending keep alive to 135.61.29.123[4500]
As you can see from the logs above, the connection is established, and both sides even send keep-alive packets. But the TS_UNACCEPTABLE error occurs, and I cannot access 172.18.227.8 from the client side.
What is the problem? Thanks
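The following Python script is an added example, not part of the post above and not strongSwan's own code. It models IKEv2 traffic-selector narrowing (RFC 7296, section 2.9) and runs it over the addresses that appear in the configs and logs: the server's local_ts 172.18.227.8/20 (which the log shows as the network 172.18.224.0/20), the server's public address 135.61.29.123, the address the server sees the client at (175.10.39.196) and the client's own address 192.168.2.104. An unset local_ts or remote_ts is strongSwan's `dynamic` selector; the model treats it as the address the peer is seen at on the IKE level, or as the assigned virtual IP when one exists, which is a simplification of the daemon's logic. Reading the logged pair "135.61.29.123/32 === 172.18.224.0/20" as the received TSr and TSi is my interpretation of the log. The second scenario, in which the client declares the server subnet as remote_ts instead of local_ts, and the virtual IP 10.3.0.1 used in the third scenario are constructed for illustration and are not taken from the post.

```python
"""IKEv2 traffic-selector narrowing (RFC 7296, section 2.9) run over the
selectors from the strongSwan logs above. Added example, not the poster's
code and not strongSwan's implementation."""
import ipaddress


class TS:
    """An IPv4 address-range traffic selector (TS_IPV4_ADDR_RANGE,
    RFC 7296 section 3.13.1). Protocol and ports are 'any' throughout,
    because only the address ranges matter in this post."""

    def __init__(self, start, end):
        self.start, self.end = int(start), int(end)

    @classmethod
    def from_cidr(cls, cidr):
        # strongSwan accepts a host address with a prefix length, such as
        # 172.18.227.8/20, and uses the network 172.18.224.0/20 (compare the
        # server log); strict=False makes ipaddress do the same.
        net = ipaddress.ip_network(cidr, strict=False)
        return cls(net[0], net[-1])

    def __eq__(self, other):
        return isinstance(other, TS) and (self.start, self.end) == (other.start, other.end)

    def __str__(self):
        lo, hi = ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)
        nets = list(ipaddress.summarize_address_range(lo, hi))
        return str(nets[0]) if len(nets) == 1 else f"{lo}-{hi}"


def narrow(a, b):
    """Intersection of two selectors, or None when the ranges do not overlap."""
    lo, hi = max(a.start, b.start), min(a.end, b.end)
    return TS(lo, hi) if lo <= hi else None


def responder_select(local_ts, remote_ts, tsi, tsr):
    """Responder side of the CHILD_SA exchange: the initiator's TSr is
    narrowed against our local_ts and its TSi against our remote_ts.
    If either side is empty there is no acceptable pair and the responder
    answers with N(TS_UNACCEPT), as in the server log above."""
    local = narrow(local_ts, tsr)
    remote = narrow(remote_ts, tsi)
    return {"local": local, "remote": remote,
            "accepted": local is not None and remote is not None}


# Addresses taken from the post. An unset local_ts / remote_ts is 'dynamic',
# modelled here as the address the peer is seen at on the IKE level.
SERVER_PUBLIC = "135.61.29.123/32"              # server id / IKE address
SERVER_LAN = "172.18.227.8/20"                  # server local_ts, i.e. 172.18.224.0/20
CLIENT_AS_SEEN_BY_SERVER = "175.10.39.196/32"   # NAT address in the server log
CLIENT_OWN_ADDRESS = "192.168.2.104/32"         # private address in the client log


def as_posted():
    """Both configs exactly as posted: the client's local_ts is the server's
    subnet and its remote_ts defaults to the server's IKE address."""
    return responder_select(
        local_ts=TS.from_cidr(SERVER_LAN),
        remote_ts=TS.from_cidr(CLIENT_AS_SEEN_BY_SERVER),
        tsi=TS.from_cidr(SERVER_LAN),       # client local_ts = 172.18.227.8/20
        tsr=TS.from_cidr(SERVER_PUBLIC))    # client remote_ts = dynamic


def remote_ts_on_client(virtual_ip=None):
    """Hypothetical variant (not from the post): the client declares the
    server subnet as remote_ts and leaves local_ts dynamic. With virtual_ip
    set, both sides' dynamic selectors resolve to that assigned address,
    which is what a roadwarrior address pool provides."""
    client_side = virtual_ip or CLIENT_OWN_ADDRESS
    server_view = virtual_ip or CLIENT_AS_SEEN_BY_SERVER
    return responder_select(
        local_ts=TS.from_cidr(SERVER_LAN),
        remote_ts=TS.from_cidr(server_view),
        tsi=TS.from_cidr(client_side),
        tsr=TS.from_cidr(SERVER_LAN))


if __name__ == "__main__":
    cases = [("as posted", as_posted()),
             ("remote_ts on client, NAT, no virtual IP", remote_ts_on_client()),
             ("remote_ts on client, virtual IP 10.3.0.1 (constructed)",
              remote_ts_on_client("10.3.0.1/32"))]
    for name, r in cases:
        print(f"{name}: accepted={r['accepted']} local={r['local']} remote={r['remote']}")
```

Running the script shows three outcomes: with the posted configs neither selector pair overlaps, which is the TS_UNACCEPTABLE in the log; with the server subnet moved to remote_ts on the client, the TSr side narrows to 172.18.224.0/20 but the TSi side still fails because the client is behind NAT and proposes its private address while the server's dynamic selector resolves to the NAT address; with a virtual IP assigned, both sides resolve to the same address and the pair is accepted.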