IPsec IKEv2 with StrongSwan Cert+EAP not working

Network Engineering ipsec radius ike
2022-02-18 23:10:13

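I am trying to set up a Cisco router (881H) as the front end for an IPsec IKEv2 VPN. The target setup is meant to be used by StrongSwan clients (currently tested on an Android smartphone), and we want to use certificate + EAP authentication. EAP authentication is done by a RADIUS server.

For some reason, the setup does not work. I see some errors on the IOS side while it processes the INITIAL_CONTACT phase, as well as some more generic errors such as "A supplied parameter is incorrect".

Below you will find the router configuration (the relevant parts; the full configuration is available if needed), the IOS log and the client log.

Router configuration: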

aaa new-model
!
!
aaa group server radius nas
 server name nas
!
aaa authentication login ipsec-radius group nas
aaa authentication enable default none
aaa authorization exec default none 
aaa authorization commands 0 default none 
aaa authorization commands 15 default none 
aaa authorization network default if-authenticated 

aaa session-id common
memory-size iomem 10

crypto pki trustpoint pki_ca_home
 enrollment terminal pem
 revocation-check none
!
crypto pki trustpoint pki_crt_rtr.example.net
 subject-name CN=rtr.example.net,OU=Private,L=Brussels,C=BE
 chain-validation continue pki_ca_home
 revocation-check none
 rsakeypair pki_crt_rtr.example.net 2048
 auto-enroll
!
!
!
crypto pki certificate map crp_ph1_crt-map 10
 subject-name co @example.net
!         
crypto pki certificate chain pki_ca_home
 certificate ca CERT_SERIAL
  CONTENT_REMOVED
    quit
crypto pki certificate chain pki_crt_rtr.example.net
 certificate CERT_SERIAL
  CONTENT_REMOVED
    quit
 certificate ca CERT_SERIAL
  CONTENT_REMOVED
    quit
!
crypto ikev2 proposal crp_ph1_proposal 
 encryption aes-cbc-256
 integrity sha256
 group 14 15 16 19
!
crypto ikev2 policy crp_ph1_policy 
 proposal crp_ph1_proposal
!
!
crypto ikev2 profile crp_ph1_profile
 match certificate crp_ph1_crt-map
 identity local fqdn rtr.example.net
 authentication remote rsa-sig
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint pki_crt_rtr.example.net
 aaa authentication eap ipsec-radius
 virtual-template 2
!
no crypto ikev2 http-url cert
!
!
!
crypto ipsec transform-set crp_ph2_ts esp-aes 256 esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile crp_ph2_profile
 set transform-set crp_ph2_ts 
 set ikev2-profile crp_ph1_profile

interface Virtual-Template2 type tunnel
 ip unnumbered Vlan10
 ip mtu 1000
 tunnel source Vlan10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile crp_ph2_profile
!
interface Vlan10
 description DMZ LAN
 ip address 192.168.10.1 255.255.255.0
 ip access-group acl4_in_dmz in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly in
 ipv6 address FE80::2000:1 link-local
 ipv6 address IPV6_PREFIX_1::1/64
 ipv6 enable
 ipv6 traffic-filter acl6_in_dmz in
 ipv6 traffic-filter acl6_out_dmz out
!         

interface Dialer1
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ipv6 address FE80::10 link-local
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd prefix_wan
 ipv6 traffic-filter acl6_out_wan out
 ppp authentication pap chap callin
 ppp chap hostname LOGIN
 ppp chap password 7 PASSWORD
 ppp pap sent-username LOGIN password 7 PASSWORD
 no cdp enable
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip radius source-interface Vlan10 
!
!
radius server nas
 address ipv4 192.168.10.5 auth-port 1812 acct-port 1813
 key 7 RAD_KEY
!

Router log:

008702: Oct  1 19:04:10.920: IKEv2:Received Packet [From CLIENT_PUBLIC_IP:20182/To RTR_PUBLIC_IP:500/VRF i0:f0] 
Initiator SPI : B0553C16D0F4AE75 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16430) NOTIFY(Unknown - 16431) NOTIFY(REDIRECT_SUPPORTED) 

008703: Oct  1 19:04:10.920: IKEv2:(SESSION ID = 84,SA ID = 1):Verify SA init message
008704: Oct  1 19:04:10.920: IKEv2:(SESSION ID = 84,SA ID = 1):Insert SA
008705: Oct  1 19:04:10.920: IKEv2:Searching Policy with fvrf 0, local address RTR_PUBLIC_IP
008706: Oct  1 19:04:10.920: IKEv2:Found Policy 'crp_ph1_policy'
008707: Oct  1 19:04:10.920: IKEv2:(SESSION ID = 84,SA ID = 1):Processing IKE_SA_INIT message
008708: Oct  1 19:04:10.924: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
008709: Oct  1 19:04:10.924: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'pki_crt_rtr.example.net'   'pki_ca_home'   
008710: Oct  1 19:04:10.924: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
008711: Oct  1 19:04:10.924: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
008712: Oct  1 19:04:10.924: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
008713: Oct  1 19:04:10.924: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
008714: Oct  1 19:04:10.924: IKEv2:(SESSION ID = 84,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
008715: Oct  1 19:04:10.924: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
008716: Oct  1 19:04:10.924: IKEv2:(SESSION ID = 84,SA ID = 1):Request queued for computation of DH key
008717: Oct  1 19:04:10.924: IKEv2:(SESSION ID = 84,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
008718: Oct  1 19:04:10.956: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
008719: Oct  1 19:04:10.956: IKEv2:(SESSION ID = 84,SA ID = 1):Request queued for computation of DH secret
008720: Oct  1 19:04:10.956: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
008721: Oct  1 19:04:10.956: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
008722: Oct  1 19:04:10.956: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
008723: Oct  1 19:04:10.960: IKEv2:(SESSION ID = 84,SA ID = 1):Generating IKE_SA_INIT message
008724: Oct  1 19:04:10.960: IKEv2:(SESSION ID = 84,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_256_ECP/Group 19
008725: Oct  1 19:04:10.960: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
008726: Oct  1 19:04:10.960: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'pki_crt_rtr.example.net'   'pki_ca_home'   
008727: Oct  1 19:04:10.960: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
008728: Oct  1 19:04:10.960: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED 

008729: Oct  1 19:04:10.960: IKEv2:(SESSION ID = 84,SA ID = 1):Sending Packet [To CLIENT_PUBLIC_IP:20182/From RTR_PUBLIC_IP:500/VRF i0:f0] 
Initiator SPI : B0553C16D0F4AE75 - Responder SPI : 40124834C9DC3F39 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ 

008730: Oct  1 19:04:10.960: IKEv2:(SESSION ID = 84,SA ID = 1):Completed SA init exchange
008731: Oct  1 19:04:10.960: IKEv2:(SESSION ID = 84,SA ID = 1):Starting timer (30 sec) to wait for auth message 

008732: Oct  1 19:04:11.296: IKEv2:(SESSION ID = 84,SA ID = 1):Received Packet [From CLIENT_PUBLIC_IP:22052/To RTR_PUBLIC_IP:500/VRF i0:f0] 
Initiator SPI : B0553C16D0F4AE75 - Responder SPI : 40124834C9DC3F39 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 IDi CERT NOTIFY(INITIAL_CONTACT) AUTH CFG NOTIFY(ESP_TFC_NO_SUPPORT) SA TSi TSr NOTIFY(Unknown - 16396) NOTIFY(Unknown - 16399) NOTIFY(Unknown - 16417) NOTIFY(Unknown - 16420) 

008733: Oct  1 19:04:11.300: IKEv2:(SESSION ID = 84,SA ID = 1):Stopping timer to wait for auth message
008734: Oct  1 19:04:11.300: IKEv2:(SESSION ID = 84,SA ID = 1):Checking NAT discovery
008735: Oct  1 19:04:11.304: IKEv2:(SESSION ID = 84,SA ID = 1):NAT OUTSIDE found
008736: Oct  1 19:04:11.304: IKEv2:(SESSION ID = 84,SA ID = 1):NAT detected float to init port 22052, resp port 4500
008737: Oct  1 19:04:11.304: IKEv2:(SESSION ID = 84,SA ID = 1):Searching policy based on peer's identity 'e=nicolas@example.net,cn=android-nicolas,ou=Private,o=Private,l=Brussels,st=Belgium,c=BE' of type 'DER ASN1 DN'
008738: Oct  1 19:04:11.308: IKEv2:Optional profile description not updated in PSH
008739: Oct  1 19:04:11.308: IKEv2:Searching Policy with fvrf 0, local address RTR_PUBLIC_IP
008740: Oct  1 19:04:11.308: IKEv2:Found Policy 'crp_ph1_policy'
008741: Oct  1 19:04:11.308: IKEv2:Found matching IKEv2 profile 'crp_ph1_profile'
008742: Oct  1 19:04:11.308: IKEv2:(SESSION ID = 84,SA ID = 1):Verify peer's policy
008743: Oct  1 19:04:11.308: IKEv2:(SESSION ID = 84,SA ID = 1):Peer's policy verified
008744: Oct  1 19:04:11.308: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

008745: Oct  1 19:04:11.308: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint pki_crt_rtr.example.net
008746: Oct  1 19:04:11.312: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
008747: Oct  1 19:04:11.312: IKEv2:(SESSION ID = 84,SA ID = 1):Get peer's authentication method
008748: Oct  1 19:04:11.312: IKEv2:(SESSION ID = 84,SA ID = 1):Peer's authentication method is 'RSA'
008749: Oct  1 19:04:11.312: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Validating certificate chain
008750: Oct  1 19:04:11.328: IKEv2:(SA ID = 1):[PKI -> IKEv2] Validation of certificate chain PASSED
008751: Oct  1 19:04:11.328: IKEv2:(SESSION ID = 84,SA ID = 1):Save pubkey
008752: Oct  1 19:04:11.332: IKEv2:(SESSION ID = 84,SA ID = 1):Verify peer's authentication data
008753: Oct  1 19:04:11.332: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
008754: Oct  1 19:04:11.332: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
008755: Oct  1 19:04:11.332: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data
008756: Oct  1 19:04:11.344: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
008757: Oct  1 19:04:11.344: IKEv2:(SESSION ID = 84,SA ID = 1):Processing INITIAL_CONTACT
008758: Oct  1 19:04:11.344: IKEv2:(SESSION ID = 84,SA ID = 1):Received valid config mode data
008759: Oct  1 19:04:11.344: IKEv2:Config data recieved:
008760: Oct  1 19:04:11.344: IKEv2:(SESSION ID = 84,SA ID = 1):Config-type: Config-request 
008761: Oct  1 19:04:11.344: IKEv2:(SESSION ID = 84,SA ID = 1):Error in settig received config mode data
008762: Oct  1 19:04:11.348: IKEv2:(SESSION ID = 84,SA ID = 1):Auth exchange failed
008763: Oct  1 19:04:11.348: IKEv2:(SESSION ID = 84,SA ID = 1):: Auth exchange failed
008764: Oct  1 19:04:11.348: IKEv2:(SESSION ID = 84,SA ID = 1):Abort exchange
008765: Oct  1 19:04:11.348: IKEv2:(SESSION ID = 84,SA ID = 1):Deleting SA
008766: Oct  1 19:04:11.348: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
008767: Oct  1 19:04:11.348: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
008768: Oct  1 19:04:13.372: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI 

008769: Oct  1 19:04:13.372: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From CLIENT_PUBLIC_IP:22052/To RTR_PUBLIC_IP:4500/VRF i0:f0] 
Initiator SPI : B0553C16D0F4AE75 - Responder SPI : 40124834C9DC3F39 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
008770: Oct  1 19:04:13.372: IKEv2:: A supplied parameter is incorrect
008771: Oct  1 19:04:16.084: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI 

008772: Oct  1 19:04:16.084: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From CLIENT_PUBLIC_IP:22052/To RTR_PUBLIC_IP:4500/VRF i0:f0] 
Initiator SPI : B0553C16D0F4AE75 - Responder SPI : 40124834C9DC3F39 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
008773: Oct  1 19:04:16.088: IKEv2:: A supplied parameter is incorrect
008774: Oct  1 19:04:20.096: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI 

008775: Oct  1 19:04:20.100: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From CLIENT_PUBLIC_IP:22052/To RTR_PUBLIC_IP:4500/VRF i0:f0] 
Initiator SPI : B0553C16D0F4AE75 - Responder SPI : 40124834C9DC3F39 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
008776: Oct  1 19:04:20.100: IKEv2:: A supplied parameter is incorrect 

008777: Oct  1 19:04:25.524: IKEv2:Received Packet [From CLIENT_PUBLIC_IP:20182/To RTR_PUBLIC_IP:500/VRF i0:f0] 
Initiator SPI : 3B6C85C9F0377B8C - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16430) NOTIFY(Unknown - 16431) NOTIFY(REDIRECT_SUPPORTED) 

008778: Oct  1 19:04:25.524: IKEv2:(SESSION ID = 85,SA ID = 1):Verify SA init message
008779: Oct  1 19:04:25.528: IKEv2:(SESSION ID = 85,SA ID = 1):Insert SA
008780: Oct  1 19:04:25.528: IKEv2:Searching Policy with fvrf 0, local address RTR_PUBLIC_IP
008781: Oct  1 19:04:25.528: IKEv2:Found Policy 'crp_ph1_policy'
008782: Oct  1 19:04:25.528: IKEv2:(SESSION ID = 85,SA ID = 1):Processing IKE_SA_INIT message
008783: Oct  1 19:04:25.528: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
008784: Oct  1 19:04:25.528: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'pki_crt_rtr.example.net'   'pki_ca_home'   
008785: Oct  1 19:04:25.528: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
008786: Oct  1 19:04:25.528: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
008787: Oct  1 19:04:25.528: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
008788: Oct  1 19:04:25.528: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
008789: Oct  1 19:04:25.528: IKEv2:(SESSION ID = 85,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
008790: Oct  1 19:04:25.528: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
008791: Oct  1 19:04:25.528: IKEv2:(SESSION ID = 85,SA ID = 1):Request queued for computation of DH key
008792: Oct  1 19:04:25.528: IKEv2:(SESSION ID = 85,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
008793: Oct  1 19:04:25.560: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
008794: Oct  1 19:04:25.560: IKEv2:(SESSION ID = 85,SA ID = 1):Request queued for computation of DH secret
008795: Oct  1 19:04:25.560: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
008796: Oct  1 19:04:25.560: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
008797: Oct  1 19:04:25.560: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
008798: Oct  1 19:04:25.560: IKEv2:(SESSION ID = 85,SA ID = 1):Generating IKE_SA_INIT message
008799: Oct  1 19:04:25.560: IKEv2:(SESSION ID = 85,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_256_ECP/Group 19
008800: Oct  1 19:04:25.564: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
008801: Oct  1 19:04:25.564: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'pki_crt_rtr.example.net'   'pki_ca_home'   
008802: Oct  1 19:04:25.564: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
008803: Oct  1 19:04:25.564: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED 

008804: Oct  1 19:04:25.564: IKEv2:(SESSION ID = 85,SA ID = 1):Sending Packet [To CLIENT_PUBLIC_IP:20182/From RTR_PUBLIC_IP:500/VRF i0:f0] 
Initiator SPI : 3B6C85C9F0377B8C - Responder SPI : 2ECCC038024F1EB5 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ 

008805: Oct  1 19:04:25.564: IKEv2:(SESSION ID = 85,SA ID = 1):Completed SA init exchange
008806: Oct  1 19:04:25.564: IKEv2:(SESSION ID = 85,SA ID = 1):Starting timer (30 sec) to wait for auth message
008807: Oct  1 19:04:45 CEST: %SEC-6-IPACCESSLOGP: list acl4_in_users denied udp 192.168.11.6(1024) -> 81.14.202.21(123), 11 packets  
008808: Oct  1 19:04:55.564: IKEv2:(SESSION ID = 85,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
008809: Oct  1 19:04:55.564: IKEv2:(SESSION ID = 85,SA ID = 1):Auth exchange failed
008810: Oct  1 19:04:55.564: IKEv2:(SESSION ID = 85,SA ID = 1):: Auth exchange failed
008811: Oct  1 19:04:55.564: IKEv2:(SESSION ID = 85,SA ID = 1):Abort exchange
008812: Oct  1 19:04:55.564: IKEv2:(SESSION ID = 85,SA ID = 1):Deleting SA
008813: Oct  1 19:04:55.564: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
008814: Oct  1 19:04:55.564: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED

Client log:

Oct  1 20:04:01 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Android 7.0 - NRD90M.A510FXXU4CQDL/2017-04-01, SM-A510F - samsung/a5xeltexx/samsung, Linux 3.10.61-11234767, armv8l)
Oct  1 20:04:01 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Oct  1 20:04:01 00[JOB] spawning 16 worker threads
Oct  1 20:04:01 07[CFG] loaded user certificate 'C=BE, ST=Belgium, L=Brussels, O=Private, OU=Private, CN=android-nicolas, E=nicolas@example.net' and private key
Oct  1 20:04:01 07[CFG] loaded CA certificate 'C=BE, ST=Belgium, L=Brussels, O=Private, OU=Private, CN=proxy.example.net, E=admin@example.net'
Oct  1 20:04:01 07[IKE] initiating IKE_SA android[25] to RTR_PUBLIC_IP
Oct  1 20:04:01 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct  1 20:04:01 07[NET] sending packet: from 10.200.240.151[46025] to RTR_PUBLIC_IP[500] (746 bytes)
Oct  1 20:04:02 09[NET] received packet: from RTR_PUBLIC_IP[500] to 10.200.240.151[46025] (297 bytes)
Oct  1 20:04:02 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Oct  1 20:04:02 09[IKE] received Cisco Delete Reason vendor ID
Oct  1 20:04:02 09[ENC] received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
Oct  1 20:04:02 09[IKE] local host is behind NAT, sending keep alives
Oct  1 20:04:02 09[IKE] received cert request for "C=BE, ST=Belgium, L=Brussels, O=Private, OU=Private, CN=proxy.example.net, E=admin@example.net"
Oct  1 20:04:02 09[IKE] authentication of 'C=BE, ST=Belgium, L=Brussels, O=Private, OU=Private, CN=android-nicolas, E=nicolas@example.net' (myself) with RSA signature successful
Oct  1 20:04:02 09[IKE] sending end entity cert "C=BE, ST=Belgium, L=Brussels, O=Private, OU=Private, CN=android-nicolas, E=nicolas@example.net"
Oct  1 20:04:02 09[IKE] establishing CHILD_SA android{28}
Oct  1 20:04:02 09[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Oct  1 20:04:02 09[NET] sending packet: from 10.200.240.151[35037] to RTR_PUBLIC_IP[4500] (1872 bytes)
Oct  1 20:04:04 11[IKE] retransmit 1 of request with message ID 1
Oct  1 20:04:04 11[NET] sending packet: from 10.200.240.151[35037] to RTR_PUBLIC_IP[4500] (1872 bytes)
Oct  1 20:04:07 12[IKE] retransmit 2 of request with message ID 1
Oct  1 20:04:07 12[NET] sending packet: from 10.200.240.151[35037] to RTR_PUBLIC_IP[4500] (1872 bytes)
Oct  1 20:04:11 13[IKE] retransmit 3 of request with message ID 1
Oct  1 20:04:11 13[NET] sending packet: from 10.200.240.151[35037] to RTR_PUBLIC_IP[4500] (1872 bytes)
Oct  1 20:04:16 14[IKE] giving up after 3 retransmits
Oct  1 20:04:16 14[IKE] peer not responding, trying again (2/0)
Oct  1 20:04:16 14[IKE] initiating IKE_SA android[25] to RTR_PUBLIC_IP
Oct  1 20:04:16 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct  1 20:04:16 14[NET] sending packet: from 10.200.240.151[46025] to RTR_PUBLIC_IP[500] (746 bytes)
Oct  1 20:04:16 16[IKE] destroying IKE_SA in state CONNECTING without notification
0 answers
No replies found.
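One way to triage the router debug output in the question, as an added example that is not part of the original post: for each IKEv2 session it reports the first failure line and the step logged just before it, and it counts packets that arrived for an SA the router had already deleted. The sample lines are abridged from the router log above; the function names `triage` and `orphaned_packets` are illustrative.

```python
import re

# One IOS IKEv2 debug line: sequence number, timestamp, optional session tag, message.
LINE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>\w{3}\s+\d+ [\d:.]+): IKEv2:"
    r"(?:\(SESSION ID = (?P<sid>\d+),SA ID = \d+\))?:*\s*(?P<msg>.*)$"
)
FAILURE = re.compile(r"\b(error|failed)\b", re.I)

# Constructed sample: lines abridged from the router log in the post.
SAMPLE = """\
008756: Oct  1 19:04:11.344: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
008757: Oct  1 19:04:11.344: IKEv2:(SESSION ID = 84,SA ID = 1):Processing INITIAL_CONTACT
008758: Oct  1 19:04:11.344: IKEv2:(SESSION ID = 84,SA ID = 1):Received valid config mode data
008760: Oct  1 19:04:11.344: IKEv2:(SESSION ID = 84,SA ID = 1):Config-type: Config-request 
008761: Oct  1 19:04:11.344: IKEv2:(SESSION ID = 84,SA ID = 1):Error in settig received config mode data
008762: Oct  1 19:04:11.348: IKEv2:(SESSION ID = 84,SA ID = 1):Auth exchange failed
008768: Oct  1 19:04:13.372: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI 
008771: Oct  1 19:04:16.084: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI 
008774: Oct  1 19:04:20.096: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI 
008806: Oct  1 19:04:25.564: IKEv2:(SESSION ID = 85,SA ID = 1):Starting timer (30 sec) to wait for auth message
008808: Oct  1 19:04:55.564: IKEv2:(SESSION ID = 85,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
"""


def triage(log_text):
    """Map each session ID to its first failure line and the step logged before it."""
    last_step, findings = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["sid"] is None:
            continue  # continuation lines and lines without a session tag
        sid, msg = int(m["sid"]), m["msg"].strip()
        if sid in findings:
            continue  # only the first failure per session is of interest
        if FAILURE.search(msg):
            findings[sid] = {"at": m["ts"], "failure": msg,
                             "last_step": last_step.get(sid)}
        else:
            last_step[sid] = msg
    return findings


def orphaned_packets(log_text):
    """Count packets received for an IKE SA that no longer exists on the router."""
    return sum("Detected an invalid IKE SPI" in line
               for line in log_text.splitlines())


if __name__ == "__main__":
    for sid, info in triage(SAMPLE).items():
        print(f"session {sid} @ {info['at']}: {info['failure']!r} "
              f"(after {info['last_step']!r})")
    print("packets for a deleted SA:", orphaned_packets(SAMPLE))
```

On the sample, session 84 aborts right after the client's Config-request is processed, and the three orphaned packets line up with the three IKE_AUTH retransmits in the client log.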