Using a Corporate-owned dedicated device enrollment profile, we created a profile and enrolled devices with it. Now we have come back to add more devices, and the profile and its token have expired. What happens to all the devices associated with this profile? Do they need to be re-enrolled?
We have been tasked with changing our company's email domain. Active Directory will stay the same. I have created (but not applied) a new email address policy that specifies the new domain. The only other email address policy is the default one for our original domain.
As we migrate, I need to be able to apply it to users one at a time, to help them update their devices. Google has let me down. Does anyone have experience with, or tips for, this process?
I am trying to fix my Microsoft Server 2016 Network Policy Server configuration as a RADIUS server using PEAP-MSCHAPv2.
As is well known, some modern devices no longer allow skipping server certificate validation ("Do not validate"), because that option is considered too weak and has been disabled (e.g. some Android 11 devices).
As far as I know, the solution should be to add the internal CA certificate to these (non-domain) devices so that they can validate the NPS server certificate (and avoid managing client certificates).
I found that the NPS server certificate is issued by an internal CA, and that internal CA's certificate is self-signed (issued by itself). I tried exporting the CA certificate (without the private key) and importing it into the device, but so far without success: I get error 22 (the server cannot process the EAP type) or error 265 (the certificate chain was issued by an untrusted authority).
It is not clear to me whether I only get 265 when I change the Domain field on the client to the domain of the FQDN in the NPS server certificate's CN.
How can I implement this correctly (PEAP-MSCHAPv2 with server authentication on non-domain clients)?
Note: it currently works fine for the "older" wireless clients: they authenticate correctly as AD users and get network access, so I would like to correct the settings only for these newer devices rather than fundamentally change the setup.
I'm trying to set up OpenVPN to connect an Android device back to my home network. Currently I can connect to the VPN but cannot transfer any data, i.e. I can't ping, can't reach sites, etc. Here is my server config file:
port 1234
proto udp
dev tap
dev-node tap-bridge
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
topology subnet
push "topology subnet"
ifconfig-pool-persist ipp.txt
server-bridge 172.26.0.2 255.255.255.248 172.26.0.3 172.26.0.5
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Here is my client config:
client
dev tap
dev-node tap-bridge
proto udp
remote **** 1234
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
topology subnet
Here is the status window from the VPN server:
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 TLS: Initial packet from [AF_INET6]::ffff:174.215.16.183:15438, sid=8c2f0064 9d7a75c8
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 VERIFY OK: depth=1, CN=example.com
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 VERIFY OK: depth=0, CN=Client1
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 peer info: IV_VER=3.git::662eae9a:Release
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 peer info: IV_PLAT=android
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 peer info: IV_NCP=2
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 peer info: IV_TCPNL=1
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 peer info: IV_PROTO=2
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 peer info: IV_AUTO_SESS=1
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.5-7182
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 peer info: IV_SSO=openurl
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1589', remote='link-mtu 1557'
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 [Client1] Peer Connection Initiated with [AF_INET6]::ffff:174.215.16.183:15438
Mon Nov 8 20:50:33 2021 Client1/174.215.16.183:15438 MULTI_sva: pool returned IPv4=172.26.0.3, IPv6=(Not enabled)
Mon Nov 8 20:50:33 2021 Client1/174.215.16.183:15438 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Nov 8 20:50:33 2021 Client1/174.215.16.183:15438 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Nov 8 20:50:33 2021 Client1/174.215.16.183:15438 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Nov 8 20:50:33 2021 Client1/174.215.16.183:15438 PUSH: Received control message: 'PUSH_REQUEST'
Mon Nov 8 20:50:33 2021 Client1/174.215.16.183:15438 SENT CONTROL [Client1]: 'PUSH_REPLY,topology subnet,route-gateway 172.26.0.2,ping 10,ping-restart 120,ifconfig 172.26.0.3 255.255.255.248,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Nov 8 20:50:33 2021 Client1/174.215.16.183:15438 MULTI: Learn: 00:01:fe:80:00:00@0 -> Client1/174.215.16.183:15438
Mon Nov 8 20:50:33 2021 Client1/174.215.16.183:15438 MULTI: Learn: 3a:ff:fe:80:00:00@0 -> Client1/174.215.16.183:15438
Finally, here is the log from the Android device.
20:10:43.123 -- ----- OpenVPN Start -----
20:10:43.124 -- EVENT: CORE_THREAD_ACTIVE
20:10:43.126 -- OpenVPN core 3.git::662eae9a:Release android arm64 64-bit PT_PROXY
20:10:43.127 -- Frame=512/2048/512 mssfix-ctrl=1250
20:10:43.127 -- UNUSED OPTIONS
1 [dev-node] [tap-bridge]
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
13 [verb] [3]
20:10:43.128 -- EVENT: RESOLVE
20:10:43.130 -- Contacting 1.2.3.4:1234 via UDP
20:10:43.131 -- EVENT: WAIT
20:10:43.132 -- Connecting to [example.com]:1234 (1.2.3.4) via UDPv4
20:10:43.200 -- EVENT: CONNECTING
20:10:43.204 -- Tunnel Options:V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client
20:10:43.204 -- Creds: UsernameEmpty/PasswordEmpty
20:10:43.205 -- Peer Info:
IV_VER=3.git::662eae9a:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.2.5-7182
IV_SSO=openurl
20:10:43.296 -- VERIFY OK: depth=1, /CN=example
20:10:43.297 -- VERIFY OK: depth=0, /CN=server
20:10:43.428 -- SSL Handshake: CN=server, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
20:10:43.429 -- Session is ACTIVE
20:10:43.429 -- EVENT: GET_CONFIG
20:10:43.432 -- Sending PUSH_REQUEST to server...
20:10:43.486 -- OPTIONS:
0 [topology] [subnet]
1 [route-gateway] [172.26.0.2]
2 [ping] [10]
3 [ping-restart] [120]
4 [ifconfig] [172.26.0.3] [255.255.255.248]
5 [peer-id] [0]
6 [cipher] [AES-256-GCM]
20:10:43.487 -- PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
compress: NONE
peer ID: 0
20:10:43.488 -- EVENT: ASSIGN_IP
20:10:43.499 -- Connected via tun
20:10:43.500 -- EVENT: CONNECTED info='example.com:6832 (1.2.3.4) via /UDPv4 on tun/172.26.0.3/ gw=[172.26.0.2/]'
20:10:43.992 -- TUN write exception: write_some: Invalid argument
20:10:44.012 -- TUN write exception: write_some: Invalid argument
20:10:44.013 -- TUN write exception: write_some: Invalid argument
When I send a ping to the VPN server (172.26.0.2) from the Android device, I get no response from the server, but the bottom line in the server log keeps growing, and I think the MAC address changes with every ping. The same happens when trying to request something from the LAN, a website, a camera, etc.
Mon Nov 8 20:50:33 2021 Client1/174.215.16.183:15438 MULTI: Learn: 3a:ff:fe:80:00:00@0 -> Client1/174.215.16.183:15438
In the Android log, the last line just repeats every few seconds or so.
20:10:44.013 -- TUN write exception: write_some: Invalid argument
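As an added example (not part of the post above), here is a small Python check that reads the server's status-window lines and pulls out OpenVPN's "is used inconsistently" warnings together with the bridge's MULTI: Learn entries. The sample log is constructed from the lines posted above. OpenVPN Connect for Android only runs in tun (layer-3) mode, which is why the client log reports "Connected via tun" and lists dev-node tap-bridge under UNUSED OPTIONS; a tap server therefore cannot exchange bridged Ethernet frames with it, and the script surfaces that mismatch from the log rather than from the two configs.

```python
import re

# Constructed sample: a subset of the server status-window lines from the post above.
SERVER_LOG = """\
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 VERIFY OK: depth=0, CN=Client1
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1589', remote='link-mtu 1557'
Mon Nov 8 20:50:33 2021 174.215.16.183:15438 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Mon Nov 8 20:50:33 2021 Client1/174.215.16.183:15438 MULTI: Learn: 00:01:fe:80:00:00@0 -> Client1/174.215.16.183:15438
Mon Nov 8 20:50:33 2021 Client1/174.215.16.183:15438 MULTI: Learn: 3a:ff:fe:80:00:00@0 -> Client1/174.215.16.183:15438
"""

# OpenVPN prints one WARNING per option whose value differs between the two peers.
WARN_RE = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)
# In tap mode the server-side bridge learns a source MAC from every client frame.
LEARN_RE = re.compile(r"MULTI: Learn: ([0-9a-f]{2}(?::[0-9a-f]{2}){5})@")


def _value(opt, text):
    """'dev-type tap' -> 'tap': drop the option name that OpenVPN repeats in the value."""
    return text[len(opt):].strip() if text.startswith(opt) else text


def parse_mismatches(log_text):
    """Return {option: (local_value, remote_value)} for every inconsistency warning."""
    found = {}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            opt = m.group("opt")
            found[opt] = (_value(opt, m.group("local")), _value(opt, m.group("remote")))
    return found


def learned_macs(log_text):
    """Distinct MAC addresses the bridge learned, in order of first appearance."""
    macs = []
    for line in log_text.splitlines():
        m = LEARN_RE.search(line)
        if m and m.group(1) not in macs:
            macs.append(m.group(1))
    return macs


def diagnose(log_text):
    """Turn the raw warnings into findings an operator can act on."""
    findings = []
    mm = parse_mismatches(log_text)
    if "dev-type" in mm:
        local, remote = mm["dev-type"]
        findings.append(
            f"dev-type mismatch: server is '{local}', client is '{remote}'; "
            "a layer-2 (tap) server cannot exchange Ethernet frames with a layer-3 (tun) client"
        )
    for opt in ("link-mtu", "tun-mtu"):
        if opt in mm:
            findings.append(f"{opt} mismatch: local {mm[opt][0]} vs remote {mm[opt][1]}")
    macs = learned_macs(log_text)
    if len(macs) > 1:
        findings.append(
            f"{len(macs)} distinct MAC addresses learned from one client; a changing 'MAC' per "
            "packet is what you would see if the server read the client's IP packets as Ethernet frames"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SERVER_LOG):
        print("-", finding)
```

Run it against a saved copy of the server's status output instead of SERVER_LOG; the dev-type finding is the one that matters, the MTU warnings follow from it because tap and tun frames have different overheads.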
In my lab I want to set up an SSH jump host that forwards incoming SSH connections to Android devices connected to it via USB. All Android devices have USB tethering enabled. The tethering connection creates a network adapter in the 192.168.42.0/24 subnet for each Android device. Each Android device runs an SSH server on a different port. The setup looks like the picture below:
My idea is to forward SSH connections based on the port. So I added the network adapters to a bridge and forward the connections via iptables. To do this I put together the following:
sudo ip link add name ogt type bridge
sudo ip l set eno1 master ogt
sudo ip l set usb0 master ogt
sudo ip l set usb1 master ogt
sudo ip a a 192.168.42.1/24 dev ogt
sudo ip link set ogt up
sudo iptables -t nat -A POSTROUTING -o ogt -j MASQUERADE
sudo iptables -t nat -A POSTROUTING ! -d 192.168.42.0/24 -o eno1 -j SNAT --to-source 172.16.1.100
echo 1 > /proc/sys/net/ipv4/ip_forward
sudo iptables -A PREROUTING -t nat -i eno1 -p tcp --dport 130 -j DNAT --to 192.168.42.130:130
sudo iptables -A FORWARD -p tcp -d 192.168.42.130 --dport 130 -j ACCEPT
sudo iptables -A PREROUTING -t nat -i eno1 -p tcp --dport 131 -j DNAT --to 192.168.42.131:131
sudo iptables -A FORWARD -p tcp -d 192.168.42.131 --dport 131 -j ACCEPT
The setup works, but I have no internet on the jump host. Unfortunately I don't quite understand why. How can I improve the forwarding, or is there a better solution? I would be glad for any help!
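As an added example (not part of the post above), here is a Python script that generates the DNAT/FORWARD rule pairs from a single device table, and a cross-check for hand-written rules that flags a DNAT target with no matching FORWARD ACCEPT. The device table, the interface name eno1 and the sample hand-written rule set are constructed for the example. One caveat the generator assumes: the uplink interface is a routed interface that is not itself a bridge member. Once eno1 is enslaved to the bridge ogt, the kernel treats ogt as the interface that routed packets arrive on and leave through, so rules matching -i eno1 or -o eno1 no longer match, and an IP address left on eno1 no longer serves the host; it would have to move to ogt.

```python
import re

WAN_IF = "eno1"
# Constructed device table based on the post: one tethered phone per USB interface,
# each reachable at 192.168.42.<n> with sshd listening on port <n>.
DEVICES = {
    "phone-130": ("192.168.42.130", 130),
    "phone-131": ("192.168.42.131", 131),
}

DNAT_RE = re.compile(r"--dport\s+(\d+)\s+-j\s+DNAT\s+--to(?:-destination)?\s+([\d.]+):(\d+)")
FWD_RE = re.compile(r"-A\s+FORWARD\b.*-d\s+([\d.]+)\b.*--dport\s+(\d+)\s+-j\s+ACCEPT")


def forwarding_rules(devices, wan_if=WAN_IF):
    """Emit a DNAT rule and its FORWARD counterpart per device from one table,
    so the public port, target address and target port cannot drift apart."""
    rules = []
    for name in sorted(devices):
        ip, port = devices[name]
        rules.append(
            f"iptables -t nat -A PREROUTING -i {wan_if} -p tcp --dport {port} "
            f"-j DNAT --to-destination {ip}:{port}"
        )
        rules.append(f"iptables -A FORWARD -i {wan_if} -p tcp -d {ip} --dport {port} -j ACCEPT")
    return rules


def check_rules(rules):
    """Cross-check hand-written rules: each DNAT target ip:port must have a FORWARD ACCEPT."""
    dnat, accepts, problems = {}, set(), []
    for rule in rules:
        m = DNAT_RE.search(rule)
        if m:
            dnat[int(m.group(1))] = (m.group(2), int(m.group(3)))
        m = FWD_RE.search(rule)
        if m:
            accepts.add((m.group(1), int(m.group(2))))
    for public_port, (ip, port) in sorted(dnat.items()):
        if (ip, port) not in accepts:
            problems.append(f"DNAT :{public_port} -> {ip}:{port} has no matching FORWARD ACCEPT")
    return problems


# Constructed hand-written rule set with the kind of copy-paste slip that is easy to
# make here: the second FORWARD rule still says --dport 130 although it is for .131.
HANDWRITTEN_RULES = [
    "iptables -A PREROUTING -t nat -i eno1 -p tcp --dport 130 -j DNAT --to 192.168.42.130:130",
    "iptables -A FORWARD -p tcp -d 192.168.42.130 --dport 130 -j ACCEPT",
    "iptables -A PREROUTING -t nat -i eno1 -p tcp --dport 131 -j DNAT --to 192.168.42.131:131",
    "iptables -A FORWARD -p tcp -d 192.168.42.131 --dport 130 -j ACCEPT",
]

if __name__ == "__main__":
    for problem in check_rules(HANDWRITTEN_RULES):
        print("problem:", problem)
    print("\n".join(forwarding_rules(DEVICES)))
```

The generated FORWARD rules deliberately match on destination address and port only; a FORWARD rule that accepts everything to the phone subnet would also let LAN hosts reach any other service the phones expose.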
Android 11 now seems to support IKEv2/IPsec, so I'm trying to build a road-warrior swanctl config file for it. So far I get an SA established, but it is then immediately deleted. Any suggestions?
The Android VPN profile has:
- Type: IKEv2/IPsec PSK
- Server: moon.isuldor.com
- IPsec identifier: strongswan@isuldor.com
- IPsec PSK: hunter2
My VPN gateway has:
$ swanctl --version
strongSwan swanctl 5.9.0
$ cat /etc/swanctl/conf.d/android11.conf
connections {
    rw-isuldor {
        local_addrs = moon.isuldor.com
        pools = android11_pool4, android11_pool6
        fragmentation = yes
        send_cert = always
        rekey_time = 0s
        dpd_delay = 30s
        local {
            auth = pubkey
            certs = moon.pem
            id = moon.isuldor.com
        }
        remote {
            auth = psk
            id = strongswan@isuldor.com
        }
        children {
            moon {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
            }
        }
    }
}
secrets {
    ike-isuldor {
        id_isuldor = strongswan@isuldor.com
        secret = hunter2
    }
}
pools {
    android11_pool4 {
        addrs = 192.168.2.0/24
        dns = 1.1.1.1,1.0.0.1
    }
    android11_pool6 {
        addrs = 2607:9cf3:0:ae::6:1300/120
        dns = 2606:4700:4700::1111,2606:4700:4700::1001
    }
}
Relevant log from charon-systemd:
X.X.X.X is initiating an IKE_SA
IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072
remote host is behind NAT
...
looking for peer configs matching Y.Y.Y.Y[moon.isuldor.com]...X.X.X.X[strongswan@isuldor.com]
selected peer config 'rw-isuldor'
authentication of 'strongswan@isuldor.com' with pre-shared key successful
...
peer requested virtual IP %any
assigning new lease to 'strongswan@isuldor.com'
assigning virtual IP 192.168.2.1 to peer 'strongswan@isuldor.com'
peer requested virtual IP %any6
assigning virtual IP <redacted> to peer 'strongswan@isuldor.com'
...
CHILD_SA moon{4} established with SPIs cba17603_i 0f8dcc81_o and TS 0.0.0.0/0 ::/0 === 192.168.2.1/32
CHILD_SA moon{4} state change: INSTALLING => INSTALLED
generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr ]
splitting IKE message (2416 bytes) into 3 fragments
generating IKE_AUTH response 1 [ EF(1/3) ]
generating IKE_AUTH response 1 [ EF(2/3) ]
generating IKE_AUTH response 1 [ EF(3/3) ]
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733] (1236 bytes)
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733] (1236 bytes)
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733]
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733] (84 bytes)
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733]
checkin IKE_SA rw-isuldor[7]
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733]
checkin of IKE_SA successful
received packet: from X.X.X.X[38733] to Y.Y.Y.Y[4500]
waiting for data on sockets
checkout IKEv2 SA by message with SPIs ce7fea937528e3ca_i 115e7e1303dd7bc4_r
IKE_SA rw-isuldor[7] successfully checked out
received packet: from X.X.X.X[38733] to Y.Y.Y.Y[4500] (80 bytes)
parsed INFORMATIONAL request 2 [ D ]
received DELETE for IKE_SA rw-isuldor[7]
deleting IKE_SA rw-isuldor[7] between Y.Y.Y.Y[moon.isuldor.com]...X.X.X.X[strongswan@isuldor.com]
IKE_SA rw-isuldor[7] state change: ESTABLISHED => DELETING
IKE_SA deleted
generating INFORMATIONAL response 2 [ ]
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733] (80 bytes)
checkin and destroy IKE_SA rw-isuldor[7]
sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733]
IKE_SA rw-isuldor[7] state change: DELETING => DESTROYING
CHILD_SA moon{4} state change: INSTALLED => DESTROYING
deleting policy 0.0.0.0/0 === 192.168.2.1/32 out
deleting policy 192.168.2.1/32 === 0.0.0.0/0 in
deleting policy 192.168.2.1/32 === 0.0.0.0/0 fwd
deleting SAD entry with SPI cba17603
deleted SAD entry with SPI cba17603
deleting SAD entry with SPI 0f8dcc81
deleted SAD entry with SPI 0f8dcc81
lease 192.168.2.1 by 'strongswan@isuldor.com' went offline
checkin and destroy of IKE_SA successful
Update: once I retrieved the Android logs, the problem was immediately obvious. Basically I used adb shell to get onto the device, then logcat with a suitable filter. There are probably terminal apps that can do this too. Root is not required.
130|sargo:/ $ whoami
shell
130|sargo:/ $ logcat *:S IkeV2VpnRunner:V
--------- beginning of system
--------- beginning of main
[..] IkeV2VpnRunner: com.android.internal.net.ipsec.ike.exceptions.AuthenticationFailedException: Expected the remote/server to use PSK-based authentication but they used: 14
Conclusion: the swanctl config file should have auth = psk under the local section, plus an additional line assigning a pre-shared key for the server, e.g. id_moon = moon.isuldor.com in secrets.ike-isuldor. This only works for me with strongSwan swanctl 5.9.0; so far I have not been able to reproduce the success with the earlier version 5.7.2. I suspect the syntax may have changed somehow. But the underlying problem was incorrect server authentication.
I'm trying to solve a printing problem, but first I need to describe my environment (which is somewhat non-standard).
I have an HP 1102 USB printer connected to an Ubuntu 20.04 system running CUPS, which shares the printer with the other systems on the LAN. Printing via IPP from the other systems (Ubuntu 18.04, Ubuntu 20.04, Windows 10) works fine.
I have a client running Android 10, and on top of it Linux Deploy with Linux 18.04 in a chroot, on the same LAN. The Linux system has XFCE and CUPS, and I configured the printer the same way as on the other systems.
When I try to print (with the local CUPS set to debug), this is what I get for my job:
D [25/Nov/2020:10:12:01 +0200] [Job 8] Connecting to 192.168.1.13:631
D [25/Nov/2020:10:12:01 +0200] [Job 8] Connecting to printer.
D [25/Nov/2020:10:12:01 +0200] [Job 8] Connection error: Permission denied
E [25/Nov/2020:10:12:01 +0200] [Job 8] The printer is not responding.
D [25/Nov/2020:10:12:31 +0200] [Job 8] Connecting to 192.168.1.13:631
D [25/Nov/2020:10:12:31 +0200] [Job 8] Connecting to printer.
D [25/Nov/2020:10:12:31 +0200] [Job 8] Connection error: Permission denied
E [25/Nov/2020:10:12:31 +0200] [Job 8] The printer is not responding.
I'm running a packet capture on the CUPS server side, and there are no packets when it says it is trying to connect to the printer. A manual connection works (telnet 192.168.1.13 631 opens a socket and TCP communication works).
There must be something wrong inside CUPS running in the Android Linux chroot, but I don't know what. Local print jobs look fine, the file permissions of the /var/spool/cups directory look fine, and cups runs as root.
I'm not sure where to look further for troubleshooting...
I'm also watching the Android logcat to see whether there is a problem at the same time, and there is this:
11-25 10:28:29.179 2980 3091 W Netd : No subsystem found in netlink event
11-25 10:28:31.012 20789 20789 I printers.cgi: type=1400 audit(0.0:785): avc: denied { ioctl } for path="socket:[151451]" dev="sockfs" ino=151451 ioctlcmd=0x8933 scontext=u:r:magisk:s0 tcontext=u:r:magisk:s0 tclass=unix_dgram_socket permissive=1
So I'm thinking cups is trying to create a socket and Android is denying it? If it is a file-based socket, any ideas what its name is and where it lives in the filesystem?
Any suggestions?
I am trying to create a simple strongSwan connection between a server and an Android phone using the strongSwan Android app.
My Android phone info:
Android 8.0.0
With Samsung Experience 9.0; this is the Galaxy A5 (2017) model
I tried both 4G and Wi-Fi. My strongSwan app is version 2.3.0, updated June 2020.
My server info: it is an up-to-date Ubuntu 18.04 VPS.
My strongSwan server configuration is as follows. I downloaded strongSwan 5.9.0 manually and then used
./configure --prefix=/custompath/strongroot --disable-stroke --with-piddir=/custompath/strongroot/var/run --enable-eap-dynamic --enable-eap-mschapv2 --enable-eap-aka --enable-eap-identity --enable-md4
make
make install
My strongswan.conf is as follows:
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
My server-side swanctl.conf is as follows:
connections {
    server {
        pools = primary-pool-ipv4, primary-pool-ipv6
        local {
            auth = pubkey
            certs = <server_crt>
            id = <server_id>
        }
        remote {
            auth = eap-dynamic
            id = %any
        }
        children {
            client {
                start_action = trap
                local_ts = 0.0.0.0/0,::/0
            }
        }
    }
}
secrets {
    eap-test {
        id = <user_id>
        secret = <user_password>
    }
}
pools {
    primary-pool-ipv4 {
        addrs = 127.0.0.0/8
        dns = 8.8.8.8
    }
    primary-pool-ipv6 {
        addrs = ::/24
    }
}
The server is started as root with the following commands and shows these results:
/custompath/strongroot/libexec/ipsec/charon &
/custompath/strongroot/sbin/swanctl -q
loaded certificate from '/custompath/strongroot/etc/swanctl/x509/<server_crt'
loaded certificate from '/custompath/strongroot/etc/swanctl/x509ca/<CA_crt>'
loaded rsa key from '/custompath/strongroot/etc/swanctl/private/<server_key>'
loaded eap secret 'eap-test'
no authorities found, 0 unloaded
loaded pool 'primary-pool-ipv4'
loaded pool 'primary-pool-ipv6'
successfully loaded 2 pools, 0 unloaded
loaded connection 'server'
successfully loaded 1 connections, 0 unloaded
On my Android phone I used the following parameters in the strongSwan app:
Server : <server ipv4>
VPN Type : IKEv2 EAP (Username/Password)
Username : <user_id>
Password <user_password>
CA certificate : <CA_crt>
Server identity : <server_id>
Client identity : <user_id>
All other fields were left at their default/blank values (except for OCSP certificate checking, which I disabled because it is a locally generated CA certificate; not sure whether that makes any difference here).
On my server side everything is set correctly (especially the CA and server crt).
But when I try to establish the connection, I get these logs on the client side (because there is
[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
[DMN] Starting IKE service (strongSwan 5.8.4, Android 8.0.0 - R16NW.A520FXXSFCTG8/2020-08-01, SM-A520F - samsung/a5y17ltexx/samsung, Linux 3.18.14-13712092-QB33307948, aarch64)
Oct 23 16:11:53 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
[JOB] spawning 16 worker threads
[LIB] all OCSP validation disabled
[IKE] initiating IKE_SA android[15] to <server_ip>
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from <client_ip>[33144] to <server_ip>[500] (716 bytes)
[NET] received packet: from <server_ip>[500] to <client_ip>[33144] (38 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
[IKE] peer didn't accept DH group ECP_256, it requested CURVE_25519
[IKE] initiating IKE_SA android[15] to <server_ip>
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from <client_ip>[33144] to <server_ip>[500] (684 bytes)
[NET] received packet: from <server_ip>[500] to <client_ip>[33144] (273 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
[IKE] local host is behind NAT, sending keep alives
[IKE] received cert request for "C=FR, O=Test, CN=Test CA"
[IKE] sending cert request for "C=FR, O=Test, CN=Test CA"
[IKE] establishing CHILD_SA android{15}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from <client_ip>[56499] to <server_ip>[4500] (480 bytes)
[NET] received packet: from <server_ip>[4500] to <client_ip>[56499] (1184 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/AKA ]
[IKE] received end entity cert "C=FR, O=Test, CN=<server_id>"
[CFG] using certificate "C=FR, O=Test, CN=<server_id>"
[CFG] using trusted ca certificate "C=FR, O=Test, CN=Test CA"
[CFG] checking certificate status of "C=FR, O=Test, CN=<server_id>"
[CFG] certificate status is not available
[CFG] reached self-signed root ca with a path length of 0
[IKE] authentication of 'serv' with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] server requested EAP_AKA authentication (id 0xCA)
[IKE] EAP method not supported, sending EAP_NAK
[ENC] generating IKE_AUTH request 2 [ EAP/RES/NAK ]
[NET] sending packet: from <client_ip>[56499] to <server_ip>[4500] (80 bytes)
[NET] received packet: from <server_ip>[4500] to <client_ip>[56499] (112 bytes)
[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
[IKE] server requested EAP_MSCHAPV2 authentication (id 0x7A)
[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
[NET] sending packet: from <client_ip>[56499] to <server_ip>[4500] (144 bytes)
[NET] received packet: from <server_ip>[4500] to <client_ip>[56499] (144 bytes)
[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
[NET] sending packet: from <client_ip>[56499] to <server_ip>[4500] (80 bytes)
[NET] received packet: from <server_ip>[4500] to <client_ip>[56499] (80 bytes)
[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
[IKE] authentication of <user_id> (myself) with EAP
[ENC] generating IKE_AUTH request 5 [ AUTH ]
[NET] sending packet: from <client_ip>[56499] to <server_ip>[4500] (96 bytes)
[NET] received packet: from <server_ip>[4500] to <client_ip>[56499] (336 bytes)
[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR ADDR6 DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
[IKE] authentication of <server_id> with EAP successful
[IKE] IKE_SA android[15] established between <client_ip>[<user_id>]...<server_ip>[<server_id>]
[IKE] scheduling rekeying in 35468s
[IKE] maximum IKE_SA lifetime 37268s
[IKE] installing DNS server 8.8.8.8
[IKE] installing new virtual IP 127.0.0.1
[IKE] installing new virtual IP ::1
[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
[IKE] CHILD_SA android{15} established with SPIs d1729f20_i cded7525_o and TS 127.0.0.1/32 ::1/128 === 0.0.0.0/0 ::/0
[DMN] setting up TUN device for CHILD_SA android{15}
[LIB] builder: failed to build TUN device
[DMN] failed to setup TUN device
[IKE] peer supports MOBIKE
[IKE] deleting IKE_SA android[15] between <client_ip>[<user_id>]...<server_ip>[<server_id>]
[IKE] sending DELETE for IKE_SA android[15]
[ENC] generating INFORMATIONAL request 6 [ D ]
[NET] sending packet: from <client_ip>[56499] to <server_ip>[4500] (80 bytes)
The important lines here seem to be:
[LIB] builder: failed to build TUN device
[DMN] failed to setup TUN device
I only found online resources about an Android 4.4 bug, which is not the case here. Any ideas on how to fix this?
I have not shown the server-side logs because they are very verbose, but they report no errors (I can still show them if needed). It seems the server receives a DELETE from the client and then proceeds to close the connection, going from ESTABLISHED to DELETING to DESTROYING, as shown below:
[IKE] <server|8> IKE_SA server[8] state change: ESTABLISHED => DELETING
[...]
[MGR] <server|8> checkin and destroy IKE_SA server[8]
[IKE] <server|8> IKE_SA server[8] state change: DELETING => DESTROYING
[CHD] <server|8> CHILD_SA client{4} state change: INSTALLED => DESTROYING
[KNL] <server|8> deleting policy 0.0.0.0/0 === 127.0.0.1/32 out
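As an added example that is not part of either strongSwan post above, the following Python script parses the swanctl.conf syntax both posts use into nested dicts and runs two checks on it. The first check follows the conclusion of the Android 11 post: when a connection's remote side authenticates with a PSK, the Android IKEv2/IPsec PSK profile expects the server to authenticate with a PSK as well, so the local side must also be auth = psk and a secrets block must carry an id entry for the server's own identity. The second check looks at the pools of the Android 8 post: 127.0.0.0/8 is the loopback range and ::/24 lies in reserved space, which is the kind of address a client cannot install on a tunnel interface, and the Android log above does show "installing new virtual IP 127.0.0.1" immediately before "failed to build TUN device". The sample configs are constructed from the two posts and trimmed to the keys the checks read; the parser, the check names and the id_moon line are this example's own.

```python
import ipaddress
import re

SECTION_RE = re.compile(r"^([\w-]+)\s*\{$")
KV_RE = re.compile(r"^([\w-]+)\s*=\s*(.*)$")


def parse_swanctl(text):
    """Parse swanctl.conf's 'name { key = value }' syntax into nested dicts.
    Handles nested sections, key = value lines, # comments and include lines."""
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("include "):
            continue
        if line == "}":
            cur = stack.pop()
            continue
        m = SECTION_RE.match(line)
        if m:
            stack.append(cur)
            cur = cur.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {raw!r}")
        cur[m.group(1)] = m.group(2).strip()
    return root


def check_psk_symmetry(conf):
    """Flag connections whose remote side is psk while the local side is not, and
    servers whose own identity has no id_* entry in any secrets block."""
    secret_ids = {v for sec in conf.get("secrets", {}).values()
                  for k, v in sec.items() if k.startswith("id")}
    findings = []
    for name, conn in conf.get("connections", {}).items():
        local, remote = conn.get("local", {}), conn.get("remote", {})
        if remote.get("auth") != "psk":
            continue
        if local.get("auth") != "psk":
            findings.append(f"{name}: remote auth is psk but local auth is {local.get('auth')}")
        if local.get("id") not in secret_ids:
            findings.append(f"{name}: no secrets id entry for server identity {local.get('id')}")
    return findings


def check_pools(conf):
    """Flag virtual-IP pools in loopback, reserved/unspecified, multicast or link-local space."""
    findings = []
    for name, pool in conf.get("pools", {}).items():
        for cidr in pool.get("addrs", "").split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if (net.is_loopback or net.is_reserved or net.is_unspecified
                    or net.is_multicast or net.is_link_local):
                findings.append(f"{name}: {net} is not usable as a virtual IP pool")
    return findings


# Constructed from the Android 11 post's android11.conf, trimmed to the relevant keys.
ANDROID11_CONF = """
connections {
  rw-isuldor {
    local {
      auth = pubkey
      id = moon.isuldor.com
    }
    remote {
      auth = psk
      id = strongswan@isuldor.com
    }
  }
}
secrets {
  ike-isuldor {
    id_isuldor = strongswan@isuldor.com
    secret = hunter2
  }
}
pools {
  android11_pool4 {
    addrs = 192.168.2.0/24
  }
}
"""
# The change that post arrived at: local auth = psk plus an id entry for the server itself.
FIXED_CONF = ANDROID11_CONF.replace("auth = pubkey", "auth = psk").replace(
    "secret = hunter2", "id_moon = moon.isuldor.com\n    secret = hunter2")

# Constructed from the Android 8 post's pools section.
POOLS_CONF = """
pools {
  primary-pool-ipv4 {
    addrs = 127.0.0.0/8
    dns = 8.8.8.8
  }
  primary-pool-ipv6 {
    addrs = ::/24
  }
}
"""

if __name__ == "__main__":
    for label, conf in (("as posted", ANDROID11_CONF), ("fixed", FIXED_CONF), ("pools", POOLS_CONF)):
        parsed = parse_swanctl(conf)
        print(label, check_psk_symmetry(parsed) + check_pools(parsed))
```

Point the script at /etc/swanctl/swanctl.conf (or the conf.d file) before running swanctl --load-all; both checks are static and need no running charon.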
Description: I created a Jenkins job integrating Jenkins with Android Studio to generate artifacts.
When building the project in Android Studio, the build succeeds.
But when I build the same project through Jenkins, I get the following error:
Starting a Gradle Daemon (subsequent builds will be faster)
> Task :clean UP-TO-DATE
> Task :app:clean UP-TO-DATE
> Task :app:preBuild UP-TO-DATE
> Task :app:preDebugBuild UP-TO-DATE
> Task :app:compileDebugAidl NO-SOURCE
> Task :app:generateDebugBuildConfig
> Task :app:compileDebugRenderscript NO-SOURCE
> Task :app:javaPreCompileDebug
> Task :app:generateDebugResValues
> Task :app:generateDebugResources
> Task :app:createDebugCompatibleScreenManifests
> Task :app:extractDeepLinksDebug
> Task :app:processDebugManifest
> Task :app:mergeDebugResources
> Task :app:processDebugResources FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':app:processDebugResources'.
> Could not resolve all files for configuration ':app:debugRuntimeClasspath'.
> Failed to transform navigation-ui-2.3.0.aar (androidx.navigation:navigation-ui:2.3.0) to match attributes {artifactType=android-compiled-dependencies-resources, org.gradle.category=library, org.gradle.dependency.bundling=external, org.gradle.libraryelements=aar, org.gradle.status=release, org.gradle.usage=java-runtime}.
> Execution failed for AarResourcesCompilerTransform: C:\Windows\System32\config\systemprofile\.gradle\caches\transforms-2\files-2.1\d0f92c0b26fabb47a28488bab3cc8456\navigation-ui-2.3.0.
> Android resource compilation failed
AAPT: C:\Windows\System32\config\systemprofile\.gradle\caches\transforms-2\files-2.1\9db20844a7f2758cbc14bea528bced6c\androidx.navigation.ui: error: The system cannot find the file specified. (2).
Any help is appreciated!
I'm trying to configure my Fios G1100 to force DNS requests to my internal DNS server 192.168.1.131. That device runs Pi-hole, configured to send its DNS requests to 1.1.1.3 and 1.0.0.3. This works great!
However, now I'm trying to stop devices on the network from bypassing DHCP's DNS server by manually configuring DNS. I first saw this article, which offers a way to avoid that circumvention: How to prevent users from circumventing OpenDNS using firewall rules.
So I set up my Fios G1100 with the following access control rule:
As I understand it, this rule only allows 192.168.1.0, 192.168.1.1 and 192.168.1.131 on the LAN to make DNS requests.
I restarted the G1100 and verified that DNS requests were still working and going through 192.168.1.131. They are.
Then on my Mac I went to System Preferences -> Network -> Wi-Fi: Advanced -> DNS and added 8.8.8.8 as a DNS server. Sure enough, DNS was blocked on that device.
However, when I did the same thing on my Pixel 2 XL, DNS requests were resolved and 192.168.1.131 was bypassed. I turned off mobile data, and the Wi-Fi configuration is as follows:
Proxy: None
IP settings: Static
Privacy: Use device MAC
IP address: 192.168.1.120
Gateway: 192.168.1.1
Network prefix length: 24
DNS 1: 1.1.1.1
What allows Android to bypass the access control rule?