Connected to a StrongSwan VPN running on Ubuntu, but cannot access the Internet

I'm having trouble accessing the Internet even though I've established a connection to an IKEv2 VPN running on an Ubuntu virtual machine on GCP. I connected to the VPN from my MacBook. I followed this tutorial to set up the VPN on the Ubuntu virtual machine. The only difference from the tutorial is that I replaced the domain names in the tutorial with the IP address of the GCP virtual machine.

Here is the /etc/ipsec.conf configuration:

config setup
  charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
  strictcrlpolicy=no
  uniqueids=yes
  cachecrls=no

conn ipsec-ikev2-vpn
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  dpdaction=clear
  dpddelay=300s
  rekey=no
  left=%any
  leftid=xx.xxx.xxx.219
  leftcert=server.cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-mschapv2
  rightsourceip=192.168.0.0/24
  rightdns=8.8.8.8 # DNS to be assigned to clients
  rightsendcert=never
  eap_identity=%identity

Here is iptables:

$ iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 751 packets, 119K bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain INPUT (policy ACCEPT 7 packets, 3808 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 35 packets, 2840 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 767 packets, 116K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

/etc/sysctl.conf:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

If I SSH into the Ubuntu server, I can curl any public website. This makes me think it has something to do with the strongswan configuration. I have a few pictures of the network configuration on GCP for the virtual machine, if needed.


What configuration do I need to change to get Internet access through the IKEv2 VPN?

Edit: Below are some logs from the syslog

Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[500] to 10.152.0.2[500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 09[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 000000000000
0000_r
Jul 18 07:09:41 vpn-instance charon: 09[MGR] created IKE_SA (unnamed)[5]
Jul 18 07:09:41 vpn-instance charon: 09[NET] received packet: from xxx.xxx.xxx.112[500] to 10.152.0.2[500] (604 byt
es)
Jul 18 07:09:41 vpn-instance charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NA
TD_D_IP) N(FRAG_SUP) ]
Jul 18 07:09:41 vpn-instance charon: 09[CFG] looking for an IKEv2 config for 10.152.0.2...xxx.xxx.xxx.112
Jul 18 07:09:41 vpn-instance charon: 09[CFG]   candidate: %any...%any, prio 28
Jul 18 07:09:41 vpn-instance charon: 09[CFG] found matching ike config: %any...%any with prio 28
Jul 18 07:09:41 vpn-instance charon: 09[IKE] xxx.xxx.xxx.112 is initiating an IKE_SA
Jul 18 07:09:41 vpn-instance charon: 09[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
Jul 18 07:09:41 vpn-instance charon: 09[CFG] selecting proposal:
Jul 18 07:09:41 vpn-instance charon: 09[CFG]   proposal matches
Jul 18 07:09:41 vpn-instance charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_25
6/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMA
C_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1
/MODP_1024
Jul 18 07:09:41 vpn-instance charon: 09[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_
128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2
_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/P
RF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_255
19/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AE
S_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_1
28/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12
_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/EC
P_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2
048
Jul 18 07:09:41 vpn-instance charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256
/MODP_2048
Jul 18 07:09:41 vpn-instance charon: 09[IKE] local host is behind NAT, sending keep alives
Jul 18 07:09:41 vpn-instance charon: 09[IKE] remote host is behind NAT
Jul 18 07:09:41 vpn-instance charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
 N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 18 07:09:41 vpn-instance charon: 09[NET] sending packet: from 10.152.0.2[500] to xxx.xxx.xxx.112[500] (456 byte
s)
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[500] to xxx.xxx.xxx.112[500]
Jul 18 07:09:41 vpn-instance charon: 09[MGR] checkin IKE_SA (unnamed)[5]
Jul 18 07:09:41 vpn-instance charon: 09[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 10[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8
858e_r
Jul 18 07:09:41 vpn-instance charon: 10[MGR] IKE_SA (unnamed)[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting policy 0.0.0.0/0 === 192.168.0.1/32 out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] getting iface index for ens4
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting policy 192.168.0.1/32 === 0.0.0.0/0 in
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting policy 192.168.0.1/32 === 0.0.0.0/0 fwd
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting SAD entry with SPI cf6c6551
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleted SAD entry with SPI cf6c6551
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting SAD entry with SPI 08f90a8f
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleted SAD entry with SPI 08f90a8f
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[CFG] lease 192.168.0.1 by 'users-name' went offline
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[MGR] checkin and destroy of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 07[MGR] checkout IKEv2 SA with SPIs 0bb3c1942e27aa5a_i 154ee3eb7c30364c_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 07[MGR] IKE_SA checkout not successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[500] to 10.152.0.2[500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 0000000
000000000_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[MGR] created IKE_SA (unnamed)[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[NET] received packet: from xxx.xxx.xxx.112[500] to 10.152.0.2[500] (60
4 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP)
 N(NATD_D_IP) N(FRAG_SUP) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] looking for an IKEv2 config for 10.152.0.2...xxx.xxx.xxx.112
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG]   candidate: %any...%any, prio 28
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] found matching ike config: %any...%any with prio 28
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[IKE] xxx.xxx.xxx.112 is initiating an IKE_SA
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] selecting proposal:
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG]   proposal matches
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SH
A2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PR
F_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC
_SHA1/MODP_1024
Jul 18 07:09:41 vpn-instance charon: 10[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (496 b
ytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES
_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC
_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_
256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURV
E_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_2
56/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM
_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_G
CM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_2
56/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/M
ODP_2048
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA
2_256/MODP_2048
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[IKE] local host is behind NAT, sending keep alives
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[IKE] remote host is behind NAT
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_
D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[NET] sending packet: from 10.152.0.2[500] to xxx.xxx.xxx.112[500] (456
 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[500] to xxx.xxx.xxx.112[500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[MGR] checkin IKE_SA (unnamed)[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577
350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[MGR] IKE_SA (unnamed)[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (
496 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Jul 18 07:09:41 vpn-instance charon: 10[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MAS
K DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[CFG] looking for peer configs matching 10.152.0.2[xxx.xxx.xxx.219]...12
5.168.239.112[192.168.1.2]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[CFG]   candidate "ipsec-ikev2-vpn", match: 20/1/28 (me/other/ike)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[CFG] selected peer config 'ipsec-ikev2-vpn'
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 18 07:09:41 vpn-instance charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHC
P DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Jul 18 07:09:41 vpn-instance charon: 10[CFG] looking for peer configs matching 10.152.0.2[xxx.xxx.xxx.219]...125.168
.239.112[192.168.1.2]
Jul 18 07:09:41 vpn-instance charon: 10[CFG]   candidate "ipsec-ikev2-vpn", match: 20/1/28 (me/other/ike)
Jul 18 07:09:41 vpn-instance charon: 10[CFG] selected peer config 'ipsec-ikev2-vpn'
Jul 18 07:09:41 vpn-instance charon: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP4_NETMASK attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP4_DHCP attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP4_DNS attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP6_DHCP attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP6_DNS attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_DNS_DOMAIN attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 18 07:09:41 vpn-instance charon: 10[IKE] peer supports MOBIKE
Jul 18 07:09:41 vpn-instance charon: 10[IKE] authentication of 'xxx.xxx.xxx.219' (myself) with RSA signature success
ful
Jul 18 07:09:41 vpn-instance charon: 10[IKE] sending end entity cert "CN=xxx.xxx.xxx.219"
Jul 18 07:09:41 vpn-instance charon: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 18 07:09:41 vpn-instance charon: 10[ENC] splitting IKE message (1904 bytes) into 2 fragments
Jul 18 07:09:41 vpn-instance charon: 10[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jul 18 07:09:41 vpn-instance charon: 10[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jul 18 07:09:41 vpn-instance charon: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (1236 b
ytes)
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (740 by
tes)
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 10[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance charon: 10[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 01[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8
858e_r
Jul 18 07:09:41 vpn-instance charon: 01[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance charon: 01[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (80 by
tes)
Jul 18 07:09:41 vpn-instance charon: 01[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jul 18 07:09:41 vpn-instance charon: 01[IKE] received EAP identity 'users-name'
Jul 18 07:09:41 vpn-instance charon: 01[IKE] initiating EAP_MSCHAPV2 method (id 0x4D)
Jul 18 07:09:41 vpn-instance charon: 01[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance charon: 01[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (112 by
tes)
Jul 18 07:09:41 vpn-instance charon: 01[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance charon: 01[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 11[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8
858e_r
Jul 18 07:09:41 vpn-instance charon: 11[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance charon: 11[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (144 b
ytes)
Jul 18 07:09:41 vpn-instance charon: 11[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance charon: 11[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance charon: 11[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (144 by
tes)
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 11[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance charon: 11[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 13[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8
858e_r
Jul 18 07:09:41 vpn-instance charon: 13[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance charon: 13[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (80 by
tes)
Jul 18 07:09:41 vpn-instance charon: 13[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance charon: 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jul 18 07:09:41 vpn-instance charon: 13[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Jul 18 07:09:41 vpn-instance charon: 13[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (80 byt
es)
Jul 18 07:09:41 vpn-instance charon: 13[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance charon: 13[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 12[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8
858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP4_NETMASK attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP4_DHCP attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP4_DNS attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP6_DHCP attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP6_DNS attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_DNS_DOMAIN attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC paddi
ng
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] peer supports MOBIKE
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] authentication of 'xxx.xxx.xxx.219' (myself) with RSA signature su
ccessful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] sending end entity cert "CN=xxx.xxx.xxx.219"
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] splitting IKE message (1904 bytes) into 2 fragments
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (1
236 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (7
40 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577
350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (
80 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[IKE] received EAP identity 'users-name'
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[IKE] initiating EAP_MSCHAPV2 method (id 0x4D)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (1
12 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 12[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577
350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (
144 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (1
44 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577
350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (
80 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (8
0 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577
350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (
112 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[IKE] authentication of '192.168.1.2' with EAP successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[IKE] authentication of 'xxx.xxx.xxx.219' (myself) with EAP
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[IKE] IKE_SA ipsec-ikev2-vpn[5] established between 10.152.0.2[35.244.1
21.219]...xxx.xxx.xxx.112[192.168.1.2]
Jul 18 07:09:41 vpn-instance charon: 12[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (112 b
ytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[IKE] IKE_SA ipsec-ikev2-vpn[5] state change: CONNECTING => ESTABLISHED
Jul 18 07:09:41 vpn-instance charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Jul 18 07:09:41 vpn-instance charon: 12[IKE] authentication of '192.168.1.2' with EAP successful
Jul 18 07:09:41 vpn-instance charon: 12[IKE] authentication of 'xxx.xxx.xxx.219' (myself) with EAP
Jul 18 07:09:41 vpn-instance charon: 12[IKE] IKE_SA ipsec-ikev2-vpn[5] established between 10.152.0.2[xx.xxx.xxx.21
9]...xxx.xxx.xxx.112[192.168.1.2]
Jul 18 07:09:41 vpn-instance charon: 12[IKE] IKE_SA ipsec-ikev2-vpn[5] state change: CONNECTING => ESTABLISHED
Jul 18 07:09:41 vpn-instance charon: 12[IKE] peer requested virtual IP %any
Jul 18 07:09:41 vpn-instance charon: 12[CFG] reassigning offline lease to 'users-name'
Jul 18 07:09:41 vpn-instance charon: 12[IKE] assigning virtual IP 192.168.0.1 to peer 'users-name'
Jul 18 07:09:41 vpn-instance charon: 12[IKE] peer requested virtual IP %any6
Jul 18 07:09:41 vpn-instance charon: 12[IKE] no virtual IP found for %any6 requested by 'users-name'
Jul 18 07:09:41 vpn-instance charon: 12[IKE] building INTERNAL_IP4_DNS attribute
Jul 18 07:09:41 vpn-instance charon: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Jul 18 07:09:41 vpn-instance charon: 12[CFG] proposing traffic selectors for us:
Jul 18 07:09:41 vpn-instance charon: 12[CFG]  0.0.0.0/0
Jul 18 07:09:41 vpn-instance charon: 12[CFG] proposing traffic selectors for other:
Jul 18 07:09:41 vpn-instance charon: 12[CFG]  192.168.0.1/32
Jul 18 07:09:41 vpn-instance charon: 12[CFG]   candidate "ipsec-ikev2-vpn" with prio 10+2
Jul 18 07:09:41 vpn-instance charon: 12[CFG] found matching child config "ipsec-ikev2-vpn" with prio 12
Jul 18 07:09:41 vpn-instance charon: 12[CFG] selecting proposal:
Jul 18 07:09:41 vpn-instance charon: 12[CFG]   proposal matches
Jul 18 07:09:41 vpn-instance charon: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:
AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_9
6/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Jul 18 07:09:41 vpn-instance charon: 12[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA
2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Jul 18 07:09:41 vpn-instance charon: 12[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul 18 07:09:41 vpn-instance charon: 12[KNL] got SPI c37cf9e4
Jul 18 07:10:21 vpn-instance ipsec[8264]: 08[KNL] querying policy 0.0.0.0/0 === 192.168.0.1/32 out
Jul 18 07:10:21 vpn-instance ipsec[8264]: 08[KNL] querying SAD entry with SPI 079bf039
Jul 18 07:10:21 vpn-instance charon: 08[KNL] querying SAD entry with SPI 079bf039
Jul 18 07:10:21 vpn-instance ipsec[8264]: 08[IKE] sending keep alive to xxx.xxx.xxx.112[4500]
Jul 18 07:10:21 vpn-instance charon: 08[IKE] sending keep alive to xxx.xxx.xxx.112[4500]
Jul 18 07:10:21 vpn-instance charon: 08[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:10:21 vpn-instance charon: 08[MGR] checkin of IKE_SA successful
0
asked 18 July 2021 at 10:25
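
Added example, not part of the original post: the NAT listing in the question has its only MASQUERADE rule bound to out-interface eth0 with zero packet counters, while the charon log looks up interface ens4. The script below checks for that kind of mismatch; the function names are hypothetical and the sample input is copied from the post.

```shell
#!/bin/sh
# Compare the out-interfaces of MASQUERADE rules with the interface charon uses.
# Function names are hypothetical; sample input is copied from the post.
# On a live host, feed it `iptables -t nat -L -n -v` and the syslog instead.

# POSTROUTING chain as posted in the question.
NAT_LISTING='Chain POSTROUTING (policy ACCEPT 767 packets, 116K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0'

# Three charon lines as posted in the question.
CHARON_LOG='Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting policy 0.0.0.0/0 === 192.168.0.1/32 out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] getting iface index for ens4
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting policy 192.168.0.1/32 === 0.0.0.0/0 in'

# stdin: verbose NAT listing. stdout: "<out-iface> <pkts>" per MASQUERADE rule
# in the POSTROUTING chain (columns: pkts bytes target prot opt in out ...).
masq_rules() {
  awk '
    /^Chain / { chain = $2; next }
    chain == "POSTROUTING" && $3 == "MASQUERADE" { print $7, $1 }
  '
}

# stdin: charon log. stdout: unique interface names the kernel plugin resolved.
charon_ifaces() {
  awk '/\[KNL\] getting iface index for / { print $NF }' | sort -u
}

# $1: NAT listing text; remaining args: interfaces that carry outbound traffic.
# Returns 0 only if every interface is matched by some MASQUERADE rule.
# Handles "*" / "any" and the iptables "prefix+" wildcard; negated ("!")
# interface matches are not handled.
nat_covers_ifaces() {
  listing=$1; shift
  rc=0
  for ifc in "$@"; do
    if ! printf '%s\n' "$listing" | masq_rules | awk -v ifc="$ifc" '
        {
          pat = $1
          if (pat == "*" || pat == "any" || pat == ifc) ok = 1
          else if (pat ~ /\+$/ && index(ifc, substr(pat, 1, length(pat) - 1)) == 1) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
    then
      echo "no MASQUERADE rule matches egress interface $ifc"
      rc=1
    fi
  done
  return "$rc"
}

# Run the check on the posted data.
ifaces=$(printf '%s\n' "$CHARON_LOG" | charon_ifaces)
echo "MASQUERADE rules (out-iface pkts): $(printf '%s\n' "$NAT_LISTING" | masq_rules)"
echo "interfaces seen by charon: $ifaces"
if nat_covers_ifaces "$NAT_LISTING" $ifaces; then
  echo "NAT rule and egress interface agree"
else
  echo "NAT rule does not cover the interface charon is using"
fi
```

A rule whose packet counter stays at 0 while a client is connected is a second sign that forwarded VPN traffic never reaches it.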
1 answer

From the GCP firewall side, your configuration looks fine. However, installing and configuring StrongSwan is not a simple process, and there are many steps that determine whether it will succeed or not.

You can try repeating this process on another VM (create it from scratch) and go through the steps again, but...

If you can use other solutions, I would recommend choosing one from the Marketplace: deploying them is much easier, and you get a working solution out of the box, for example OpenVPN. And it is certified to work with GCP.

You can also try SoftEther VPN, but there is no ready-to-deploy Marketplace offering for it yet, so this would mean installing it again yourself, as with StrongSwan.

1
answered 4 August 2021 at 11:42
