Questions [ikev2] (server)

m. vokhm
Asked: 2022-03-18 22:30:36 +0800 CST

Strongswan and Windows client: connection freezes within a few minutes

  • -1

On an AWS VPS I installed Strongswan to use it as a VPN. It works fine with an iPhone client. However, when I try to connect from a Windows client, the SA is established successfully and works normally for a few minutes, but after a few minutes (2 to 10 minutes, in most cases 2 or a bit more) the connection hangs and stops passing traffic. Both sides seem to consider the connection valid; at least I cannot see any sign of an error.

I have spent several days trying to find out what is wrong. There seems to be very little material on the internet describing this situation. Also, I am new to Linux administration and networking, so I may have seen a description and solution of this problem and simply failed to understand it. I would be very grateful for any help.

Below is ipsec.conf (the server's real external IP is replaced with EXT.SRVR.IP.ADR here):

config setup
    uniqueids=never
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn %default
    keyexchange=ikev2
    ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
    esp=aes128gcm16-sha2_256-ecp256,aes256-sha1!
    fragmentation=yes
    rekey=no
    compress=yes
    dpdaction=clear
    left=%any
    leftauth=pubkey
    leftsourceip=EXT.SRVR.IP.ADR
    leftid=EXT.SRVR.IP.ADR
    leftcert=debian.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=pubkey
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4

conn ikev2-pubkey
    auto=add

Here is an excerpt from ipsec.log (real IPs replaced with "EXT.SRVR.IP.ADR" for the server's external IP, "INT.SRVR.IP.ADR" for its internal IP and "MY.CLNT.IP.ADR" for my Windows client; obviously irrelevant lines omitted):

Mar 17 12:41:17 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[500] to INT.SRVR.IP.ADR[500]
Mar 17 12:41:17 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:41:17 server-name charon: 07[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i 0000000000000000_r
Mar 17 12:41:17 server-name charon: 07[MGR] created IKE_SA (unnamed)[1]
Mar 17 12:41:17 server-name charon: 07[NET] received packet: from MY.CLNT.IP.ADR[500] to INT.SRVR.IP.ADR[500] (536 bytes)
Mar 17 12:41:17 server-name charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 17 12:41:17 server-name charon: 07[CFG] looking for an ike config for INT.SRVR.IP.ADR...MY.CLNT.IP.ADR
Mar 17 12:41:17 server-name charon: 07[CFG]   candidate: %any...%any, prio 28
Mar 17 12:41:17 server-name charon: 07[CFG] found matching ike config: %any...%any with prio 28
Mar 17 12:41:17 server-name charon: 07[IKE] MY.CLNT.IP.ADR is initiating an IKE_SA
Mar 17 12:41:17 server-name charon: 07[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   proposal matches
Mar 17 12:41:17 server-name charon: 07[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
Mar 17 12:41:17 server-name charon: 07[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 17 12:41:17 server-name charon: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 17 12:41:17 server-name charon: 07[IKE] local host is behind NAT, sending keep alives
Mar 17 12:41:17 server-name charon: 07[IKE] remote host is behind NAT
Mar 17 12:41:17 server-name charon: 07[IKE] sending cert request for "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 17 12:41:17 server-name charon: 07[NET] sending packet: from INT.SRVR.IP.ADR[500] to MY.CLNT.IP.ADR[500] (465 bytes)
Mar 17 12:41:17 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[500] to MY.CLNT.IP.ADR[500]
Mar 17 12:41:17 server-name charon: 07[MGR] checkin IKE_SA (unnamed)[1]
Mar 17 12:41:17 server-name charon: 07[MGR] checkin of IKE_SA successful
Mar 17 12:41:17 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:41:17 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:41:17 server-name charon: 08[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:17 server-name charon: 08[MGR] IKE_SA (unnamed)[1] successfully checked out
Mar 17 12:41:17 server-name charon: 08[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (3408 bytes)
Mar 17 12:41:17 server-name charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 39:9e:66:a7:20:3c:4d:06:fb:62:6b:65:87:22:35:57:a0:a0:0a:22
...
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 88:a9:5a:ef:c0:84:fc:13:74:41:6b:b1:63:32:c2:cf:92:59:bb:3b
...
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 4f:9c:7d:21:79:9c:ad:0e:d8:b9:0c:57:9f:1a:02:99:e7:90:f3:87
Mar 17 12:41:17 server-name charon: 08[IKE] received 67 cert requests for an unknown ca
Mar 17 12:41:17 server-name charon: 08[IKE] received end entity cert "CN=me"
Mar 17 12:41:17 server-name charon: 08[CFG] looking for peer configs matching INT.SRVR.IP.ADR[%any]...MY.CLNT.IP.ADR[CN=me]
Mar 17 12:41:17 server-name charon: 08[CFG]   candidate "ikev2-pubkey", match: 1/1/28 (me/other/ike)
Mar 17 12:41:17 server-name charon: 08[CFG] selected peer config 'ikev2-pubkey'
Mar 17 12:41:17 server-name charon: 08[CFG]   using certificate "CN=me"
Mar 17 12:41:17 server-name charon: 08[CFG]   certificate "CN=me" key: 4096 bit RSA
Mar 17 12:41:17 server-name charon: 08[CFG]   using trusted ca certificate "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 08[CFG] checking certificate status of "CN=me"
Mar 17 12:41:17 server-name charon: 08[CFG] ocsp check skipped, no ocsp found
Mar 17 12:41:17 server-name charon: 08[CFG] certificate status is not available
Mar 17 12:41:17 server-name charon: 08[CFG]   certificate "CN=EXT.SRVR.IP.ADR" key: 4096 bit RSA
Mar 17 12:41:17 server-name charon: 08[CFG]   reached self-signed root ca with a path length of 0
Mar 17 12:41:17 server-name charon: 08[IKE] authentication of 'CN=me' with RSA signature successful
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_ADDRESS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_DNS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_NBNS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_SERVER attribute
Mar 17 12:41:17 server-name charon: 08[IKE] peer supports MOBIKE
Mar 17 12:41:17 server-name charon: 08[IKE] authentication of 'EXT.SRVR.IP.ADR' (myself) with RSA signature successful
Mar 17 12:41:17 server-name charon: 08[IKE] IKE_SA ikev2-pubkey[1] established between INT.SRVR.IP.ADR[EXT.SRVR.IP.ADR]...MY.CLNT.IP.ADR[CN=me]
Mar 17 12:41:17 server-name charon: 08[IKE] IKE_SA ikev2-pubkey[1] state change: CONNECTING => ESTABLISHED
Mar 17 12:41:17 server-name charon: 08[IKE] sending end entity cert "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 08[IKE] peer requested virtual IP %any
Mar 17 12:41:17 server-name charon: 08[CFG] assigning new lease to 'CN=me'
Mar 17 12:41:17 server-name charon: 08[IKE] assigning virtual IP 10.10.10.1 to peer 'CN=me'
Mar 17 12:41:17 server-name charon: 08[IKE] building INTERNAL_IP4_DNS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] building INTERNAL_IP4_DNS attribute
Mar 17 12:41:17 server-name charon: 08[CFG] looking for a child config for 0.0.0.0/0 === 0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[CFG] proposing traffic selectors for us:
Mar 17 12:41:17 server-name charon: 08[CFG]  0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[CFG] proposing traffic selectors for other:
Mar 17 12:41:17 server-name charon: 08[CFG]  10.10.10.1/32
Mar 17 12:41:17 server-name charon: 08[CFG]   candidate "ikev2-pubkey" with prio 5+1
Mar 17 12:41:17 server-name charon: 08[CFG] found matching child config "ikev2-pubkey" with prio 6
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   proposal matches
Mar 17 12:41:17 server-name charon: 08[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 17 12:41:17 server-name charon: 08[CFG] configured proposals: ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 17 12:41:17 server-name charon: 08[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 17 12:41:17 server-name charon: 08[KNL] got SPI c6bcf84d
Mar 17 12:41:17 server-name charon: 08[CFG] selecting traffic selectors for us:
Mar 17 12:41:17 server-name charon: 08[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[CFG] selecting traffic selectors for other:
Mar 17 12:41:17 server-name charon: 08[CFG]  config: 10.10.10.1/32, received: 0.0.0.0/0 => match: 10.10.10.1/32
Mar 17 12:41:17 server-name charon: 08[KNL] adding SAD entry with SPI c6bcf84d and reqid {1}
Mar 17 12:41:17 server-name charon: 08[KNL]   using encryption algorithm AES_CBC with key size 256
Mar 17 12:41:17 server-name charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Mar 17 12:41:17 server-name charon: 08[KNL]   using replay window of 32 packets
Mar 17 12:41:17 server-name charon: 08[KNL] adding SAD entry with SPI b74162a4 and reqid {1}
Mar 17 12:41:17 server-name charon: 08[KNL]   using encryption algorithm AES_CBC with key size 256
Mar 17 12:41:17 server-name charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Mar 17 12:41:17 server-name charon: 08[KNL]   using replay window of 0 packets
Mar 17 12:41:17 server-name charon: 08[KNL] adding policy 0.0.0.0/0 === 10.10.10.1/32 out [priority 391808, refcount 1]
Mar 17 12:41:17 server-name charon: 08[KNL] policy already exists, try to update it
Mar 17 12:41:17 server-name charon: 08[KNL] adding policy 10.10.10.1/32 === 0.0.0.0/0 in [priority 391808, refcount 1]
Mar 17 12:41:17 server-name charon: 08[KNL] policy already exists, try to update it
Mar 17 12:41:17 server-name charon: 08[KNL] adding policy 10.10.10.1/32 === 0.0.0.0/0 fwd [priority 391808, refcount 1]
Mar 17 12:41:17 server-name charon: 08[KNL] policy already exists, try to update it
Mar 17 12:41:17 server-name charon: 08[KNL] policy 0.0.0.0/0 === 10.10.10.1/32 out already exists, increasing refcount
Mar 17 12:41:17 server-name charon: 08[KNL] updating policy 0.0.0.0/0 === 10.10.10.1/32 out [priority 191808, refcount 2]
Mar 17 12:41:17 server-name charon: 08[KNL] getting a local address in traffic selector 0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[KNL] using host %any
Mar 17 12:41:17 server-name charon: 08[KNL] getting iface name for index 2
Mar 17 12:41:17 server-name charon: 08[KNL] using 172.26.0.1 as nexthop and eth0 as dev to reach MY.CLNT.IP.ADR/32
Mar 17 12:41:17 server-name charon: 08[KNL] installing route: 10.10.10.1/32 via 172.26.0.1 src %any dev eth0
Mar 17 12:41:17 server-name charon: 08[KNL] getting iface index for eth0
Mar 17 12:41:17 server-name charon: 08[KNL] policy 10.10.10.1/32 === 0.0.0.0/0 in already exists, increasing refcount
Mar 17 12:41:17 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 in [priority 191808, refcount 2]
Mar 17 12:41:17 server-name charon: 08[KNL] policy 10.10.10.1/32 === 0.0.0.0/0 fwd already exists, increasing refcount
Mar 17 12:41:17 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 fwd [priority 191808, refcount 2]
Mar 17 12:41:17 server-name charon: 08[IKE] CHILD_SA ikev2-pubkey{1} established with SPIs c6bcf84d_i b74162a4_o and TS 0.0.0.0/0 === 10.10.10.1/32
Mar 17 12:41:17 server-name charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
Mar 17 12:41:17 server-name charon: 08[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (2048 bytes)
Mar 17 12:41:17 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500]
Mar 17 12:41:17 server-name charon: 08[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:17 server-name charon: 08[MGR] checkin of IKE_SA successful
Mar 17 12:41:37 server-name charon: 10[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:37 server-name charon: 10[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:37 server-name charon: 10[KNL] querying policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:41:37 server-name charon: 10[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:37 server-name charon: 10[MGR] checkin of IKE_SA successful
Mar 17 12:41:47 server-name dhclient[358]: PRC: Renewing lease on eth0.
Mar 17 12:41:47 server-name dhclient[358]: XMT: Renew on eth0, interval 9070ms.
Mar 17 12:41:47 server-name dhclient[358]: RCV: Reply message on eth0 from fe80::60:52ff:fe0a:c10e.
Mar 17 12:41:47 server-name charon: 11[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:47 server-name charon: 11[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:47 server-name charon: 11[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:47 server-name charon: 11[MGR] checkin of IKE_SA successful
Mar 17 12:41:47 server-name charon: 12[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:47 server-name charon: 12[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:47 server-name charon: 12[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:41:47 server-name charon: 12[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:41:47 server-name charon: 12[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:47 server-name charon: 12[MGR] checkin of IKE_SA successful
Mar 17 12:41:56 server-name charon: 13[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:56 server-name charon: 13[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:56 server-name charon: 13[KNL] querying policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:41:56 server-name charon: 13[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:56 server-name charon: 13[MGR] checkin of IKE_SA successful
...
Mar 17 12:49:35 server-name charon: 16[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:35 server-name charon: 16[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:35 server-name charon: 16[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:49:35 server-name charon: 16[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:49:35 server-name charon: 16[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:35 server-name charon: 16[MGR] checkin of IKE_SA successful
Mar 17 12:49:51 server-name charon: 05[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:51 server-name charon: 05[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:51 server-name charon: 05[KNL] querying policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:49:51 server-name charon: 05[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:51 server-name charon: 05[MGR] checkin of IKE_SA successful
Mar 17 12:49:55 server-name charon: 06[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:55 server-name charon: 06[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:55 server-name charon: 06[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:49:55 server-name charon: 06[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:49:55 server-name charon: 06[IKE] sending DPD request
Mar 17 12:49:55 server-name charon: 06[IKE] queueing IKE_DPD task
Mar 17 12:49:55 server-name charon: 06[IKE] activating new tasks
Mar 17 12:49:55 server-name charon: 06[IKE]   activating IKE_DPD task
Mar 17 12:49:55 server-name charon: 06[ENC] generating INFORMATIONAL request 0 [ ]
Mar 17 12:49:55 server-name charon: 06[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (80 bytes)
Mar 17 12:49:55 server-name charon: 06[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:55 server-name charon: 06[MGR] checkin of IKE_SA successful
Mar 17 12:49:55 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500]
Mar 17 12:49:55 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:49:55 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:49:55 server-name charon: 07[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:55 server-name charon: 07[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:55 server-name charon: 07[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (80 bytes)
Mar 17 12:49:55 server-name charon: 07[ENC] parsed INFORMATIONAL response 0 [ ]
Mar 17 12:49:55 server-name charon: 07[IKE] activating new tasks
Mar 17 12:49:55 server-name charon: 07[IKE] nothing to initiate
Mar 17 12:49:55 server-name charon: 07[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:55 server-name charon: 07[MGR] checkin of IKE_SA successful
Mar 17 12:49:57 server-name dhclient[358]: PRC: Renewing lease on eth0.
Mar 17 12:49:57 server-name dhclient[358]: XMT: Renew on eth0, interval 10290ms.
Mar 17 12:49:57 server-name dhclient[358]: RCV: Reply message on eth0 from fe80::60:52ff:fe0a:c10e.
Mar 17 12:49:59 server-name charon: 09[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:59 server-name charon: 09[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:59 server-name charon: 09[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:59 server-name charon: 09[MGR] checkin of IKE_SA successful
Mar 17 12:50:00 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:50:00 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:50:00 server-name charon: 08[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:50:00 server-name charon: 08[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:50:00 server-name charon: 08[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 08[ENC] parsed INFORMATIONAL request 2 [ D ]
Mar 17 12:50:00 server-name charon: 08[IKE] received DELETE for ESP CHILD_SA with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[KNL] querying SAD entry with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[KNL] querying SAD entry with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[IKE] closing CHILD_SA ikev2-pubkey{1} with SPIs c6bcf84d_i (1148939 bytes) b74162a4_o (21040410 bytes) and TS 0.0.0.0/0 === 10.10.10.1/32
Mar 17 12:50:00 server-name charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[IKE] CHILD_SA closed
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:50:00 server-name charon: 08[KNL] policy still used by another CHILD_SA, not removed
Mar 17 12:50:00 server-name charon: 08[KNL] updating policy 0.0.0.0/0 === 10.10.10.1/32 out [priority 391808, refcount 1]
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:50:00 server-name charon: 08[KNL] policy still used by another CHILD_SA, not removed
Mar 17 12:50:00 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 in [priority 391808, refcount 1]
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:50:00 server-name charon: 08[KNL] policy still used by another CHILD_SA, not removed
Mar 17 12:50:00 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 fwd [priority 391808, refcount 1]
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:50:00 server-name charon: 08[KNL] getting iface index for eth0
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:50:00 server-name charon: 08[KNL] deleting SAD entry with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[KNL] deleted SAD entry with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[KNL] deleting SAD entry with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[KNL] deleted SAD entry with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[ENC] generating INFORMATIONAL response 2 [ D ]
Mar 17 12:50:00 server-name charon: 08[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 08[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:50:00 server-name charon: 08[MGR] checkin of IKE_SA successful
Mar 17 12:50:00 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500]
Mar 17 12:50:00 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:50:00 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:50:00 server-name charon: 11[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:50:00 server-name charon: 11[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:50:00 server-name charon: 11[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 11[ENC] parsed INFORMATIONAL request 3 [ D ]
Mar 17 12:50:00 server-name charon: 11[IKE] received DELETE for IKE_SA ikev2-pubkey[1]
Mar 17 12:50:00 server-name charon: 11[IKE] deleting IKE_SA ikev2-pubkey[1] between INT.SRVR.IP.ADR[EXT.SRVR.IP.ADR]...MY.CLNT.IP.ADR[CN=me]
Mar 17 12:50:00 server-name charon: 11[IKE] IKE_SA ikev2-pubkey[1] state change: ESTABLISHED => DELETING
Mar 17 12:50:00 server-name charon: 11[IKE] IKE_SA deleted
Mar 17 12:50:00 server-name charon: 11[ENC] generating INFORMATIONAL response 3 [ ]
Mar 17 12:50:00 server-name charon: 11[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 11[MGR] checkin and destroy IKE_SA ikev2-pubkey[1]
Mar 17 12:50:00 server-name charon: 11[IKE] IKE_SA ikev2-pubkey[1] state change: DELETING => DESTROYING
Mar 17 12:50:00 server-name charon: 11[CFG] lease 10.10.10.1 by 'CN=me' went offline
Mar 17 12:50:00 server-name charon: 11[MGR] checkin and destroy of IKE_SA successful

Connection properties as reported by Windows:

DataEncryption = Require maximum
PrerequisiteEntry = 
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = Machine Certificate 
Ipv4DefaultGateway = Yes
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = Register primary domain suffix
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
Mobility enabled for IKEv2 = Yes.
Dial-in User = admin
VpnStrategy = IKEv2

When the connection is frozen (not passing traffic), swanctl --list-sas reports the following:

ikev2-pubkey: #1, ESTABLISHED, IKEv2, f77fbfbe7c371b32_i e0e250355a87db62_r*
   local  'EXT.SRVR.IP.ADR' @ INT.SRVR.IP.ADR[4500]
   remote 'CN=me' @ MY.CLNT.IP.ADR[4500] [10.10.10.1]
   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
   established 287s ago
   ikev2-pubkey: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
     installed 287s ago
     in  ce57563f, 792014 bytes,  4493 packets,   150s ago
     out 6b24b7fd, 10904301 bytes, 10680 packets,     1s ago
     local  0.0.0.0/0
     remote 10.10.10.1/32

Windows also shows the connection as fine; there are no signs of errors in Event Viewer and no related blocked packets in the SEP firewall log.

Server: Debian 4.9.246-2, strongSwan 5.5.1.

Client: Windows 2008 R2, Agile VPN (set up via the connection properties).

What could be the cause of this behavior and how can it be fixed?

What can I do to find out the exact cause?

I would appreciate any help.

UPD1: The connection freezes most often (or perhaps always) when outgoing traffic becomes relatively high. For example, when I visit speedtest.net, the connection freezes while it tries to measure the upload speed.

UPD2: Other devices on the same local network, behind the same router, NAT, ISP etc., work fine. This clearly indicates that the problem is related only to the specific machine running W2k8. There is a SEP firewall on the machine, but it is not the culprit: turning it off does not affect the behavior. Strongswan is also hardly relevant, since it is an already established tunnel that freezes.

windows vpn linux strongswan ikev2
  • 1 answer
  • 269 Views
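The swanctl output in the question is the one objective sign of the freeze: the outbound direction of the CHILD_SA moved data 1s ago while the inbound direction has been silent for 150s, yet both IKE_SA and CHILD_SA still read ESTABLISHED/INSTALLED. The following is an added example (not code from the post or from strongSwan) that parses `swanctl --list-sas` text and flags such one-way stalls; the sample input is the excerpt quoted above and the 60-second gap threshold is an assumption of this example.

```python
"""Flag one-way stalls in `swanctl --list-sas` output.

A CHILD_SA whose two directions disagree about when the last packet
moved (one recent, one long ago) is still "INSTALLED" for both peers,
so nothing logs an error; this helper makes that state visible.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the swanctl --list-sas excerpt quoted in the question.
SAMPLE_LIST_SAS = """\
ikev2-pubkey: #1, ESTABLISHED, IKEv2, f77fbfbe7c371b32_i e0e250355a87db62_r*
   local  'EXT.SRVR.IP.ADR' @ INT.SRVR.IP.ADR[4500]
   remote 'CN=me' @ MY.CLNT.IP.ADR[4500] [10.10.10.1]
   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
   established 287s ago
   ikev2-pubkey: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
     installed 287s ago
     in  ce57563f, 792014 bytes,  4493 packets,   150s ago
     out 6b24b7fd, 10904301 bytes, 10680 packets,     1s ago
     local  0.0.0.0/0
     remote 10.10.10.1/32
"""

# IKE_SA header lines start at column 0; CHILD_SA and direction lines are indented.
IKE_RE = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), (?P<state>\w+), IKEv(?P<ver>\d)")
CHILD_RE = re.compile(
    r"^\s+(?P<name>\S+): #(?P<id>\d+), reqid (?P<reqid>\d+), (?P<state>\w+), "
    r"(?P<mode>\S+), (?P<proto>ESP|AH):(?P<algs>\S+)")
DIR_RE = re.compile(
    r"^\s+(?P<dir>in|out)\s+(?P<spi>[0-9a-f]+),\s*(?P<nbytes>\d+) bytes,\s*"
    r"(?P<packets>\d+) packets(?:,\s*(?P<idle>\d+)s ago)?")


@dataclass
class Direction:
    spi: str
    nbytes: int
    packets: int
    idle_s: Optional[int]   # None when swanctl prints no "Ns ago" (no traffic yet)


@dataclass
class ChildSA:
    ike_name: str
    name: str
    reqid: int
    state: str
    proto: str
    dirs: Dict[str, Direction] = field(default_factory=dict)

    def idle_gap(self) -> Optional[int]:
        """Seconds between the last packet seen in each direction, or None."""
        i, o = self.dirs.get("in"), self.dirs.get("out")
        if not i or not o or i.idle_s is None or o.idle_s is None:
            return None
        return abs(i.idle_s - o.idle_s)


def parse_list_sas(text: str) -> List[ChildSA]:
    """Return every CHILD_SA in the output, tagged with its parent IKE_SA name."""
    children: List[ChildSA] = []
    ike_name = "?"
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            ike_name = m["name"]
        elif m := CHILD_RE.match(line):
            children.append(ChildSA(ike_name, m["name"], int(m["reqid"]),
                                    m["state"], m["proto"]))
        elif (m := DIR_RE.match(line)) and children:
            idle = int(m["idle"]) if m["idle"] is not None else None
            children[-1].dirs[m["dir"]] = Direction(
                m["spi"], int(m["nbytes"]), int(m["packets"]), idle)
    return children


def find_stalled(children: List[ChildSA], gap_threshold_s: int = 60) -> List[str]:
    """Describe INSTALLED CHILD_SAs where one direction went quiet while the other kept flowing.

    gap_threshold_s (assumed default 60) is how far apart the two "Ns ago"
    values must be before the SA is reported.
    """
    findings = []
    for c in children:
        gap = c.idle_gap()
        if c.state == "INSTALLED" and gap is not None and gap >= gap_threshold_s:
            side, quiet = max(c.dirs.items(), key=lambda kv: kv[1].idle_s or 0)
            findings.append(f"{c.ike_name}/{c.name} reqid {c.reqid}: {side}bound SPI "
                            f"{quiet.spi} silent for {quiet.idle_s}s while the other "
                            f"direction moved {gap}s more recently")
    return findings


if __name__ == "__main__":
    for finding in find_stalled(parse_list_sas(SAMPLE_LIST_SAS)):
        print(finding)
```

Run against the live output of `swanctl --list-sas` from cron to catch the frozen state before DPD notices it; the question's log shows DPD still succeeding at 12:49:55 because the IKE channel itself was never broken.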
Morse
Asked: 2021-11-05 12:14:52 +0800 CST

Cannot start an IKEv2 VPN connection to surfshark via NetworkManager

  • 0

I am trying to connect manually to the surfshark VPN provider via IKEv2. Here is the log:

 charon-nm[5070]: 05[CFG] received initiate for NetworkManager connection Surfshark IKE2
 charon-nm[5070]: 05[CFG] using gateway identity 'ru-mos.prod.surfshark.com'
 charon-nm[5070]: 05[IKE] initiating IKE_SA Surfshark IKE2[1] to 92.38.138.139
 charon-nm[5070]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
 charon-nm[5070]: 05[NET] sending packet: from 192.168.2.35[35071] to 92.38.138.139[500] (1096 bytes)
 NetworkManager[4583]: <info>  [1636055533.4566] vpn-connection[0x56150178a510,6c89b390-d6ee-47d8-a547-346f75797487,"Surfshark IKE2",0]: VPN plugin: state changed: starting (3)
 charon-nm[5070]: 15[NET] received packet: from 92.38.138.139[500] to 192.168.2.35[35071] (38 bytes)
 charon-nm[5070]: 15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
 charon-nm[5070]: 15[IKE] peer didn't accept DH group ECP_256, it requested ECP_521
 charon-nm[5070]: 15[IKE] initiating IKE_SA Surfshark IKE2[1] to 92.38.138.139
 charon-nm[5070]: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
 charon-nm[5070]: 15[NET] sending packet: from 192.168.2.35[35071] to 92.38.138.139[500] (1164 bytes)
 charon-nm[5070]: 01[NET] received packet: from 92.38.138.139[500] to 192.168.2.35[35071] (332 bytes)
 charon-nm[5070]: 01[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
 charon-nm[5070]: 01[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_521
 charon-nm[5070]: 01[IKE] local host is behind NAT, sending keep alives
 charon-nm[5070]: 01[IKE] sending cert request for "C=VG, O=Surfshark, CN=Surfshark Root CA"
 charon-nm[5070]: 01[IKE] establishing CHILD_SA Surfshark IKE2{1}
 charon-nm[5070]: 01[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
 charon-nm[5070]: 01[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (438 bytes)
 charon-nm[5070]: 07[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1248 bytes)
 charon-nm[5070]: 07[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]
 charon-nm[5070]: 07[ENC] received fragment #1 of 3, waiting for complete IKE message
 charon-nm[5070]: 08[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1248 bytes)
 charon-nm[5070]: 08[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ]
 charon-nm[5070]: 08[ENC] received fragment #2 of 3, waiting for complete IKE message
 charon-nm[5070]: 09[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (579 bytes)
 charon-nm[5070]: 09[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ]
 charon-nm[5070]: 09[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2949 bytes)
 charon-nm[5070]: 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
 charon-nm[5070]: 09[IKE] received end entity cert "CN=ru-mos.prod.surfshark.com"
 charon-nm[5070]: 09[IKE] received issuer cert "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
 charon-nm[5070]: 09[CFG]   using certificate "CN=ru-mos.prod.surfshark.com"
 charon-nm[5070]: 09[CFG]   using untrusted intermediate certificate "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
 charon-nm[5070]: 09[CFG] checking certificate status of "CN=ru-mos.prod.surfshark.com"
 charon-nm[5070]: 09[CFG] certificate status is not available
 charon-nm[5070]: 09[CFG]   using trusted ca certificate "C=VG, O=Surfshark, CN=Surfshark Root CA"
 charon-nm[5070]: 09[CFG] checking certificate status of "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
 charon-nm[5070]: 09[CFG] certificate status is not available
 charon-nm[5070]: 09[CFG]   reached self-signed root ca with a path length of 1
 charon-nm[5070]: 09[IKE] authentication of 'ru-mos.prod.surfshark.com' with RSA_EMSA_PKCS1_SHA2_256 successful
 charon-nm[5070]: 09[IKE] server requested EAP_IDENTITY (id 0x00), sending 'mYidENtitY'
 charon-nm[5070]: 09[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
 charon-nm[5070]: 09[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (90 bytes)
 charon-nm[5070]: 10[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (67 bytes)
 charon-nm[5070]: 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
 charon-nm[5070]: 10[IKE] server requested EAP_PEAP authentication (id 0x01)
 charon-nm[5070]: 10[TLS] EAP_PEAP version is v0
 charon-nm[5070]: 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/PEAP ]
 charon-nm[5070]: 10[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (275 bytes)
 charon-nm[5070]: 11[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1065 bytes)
 charon-nm[5070]: 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/PEAP ]
 charon-nm[5070]: 11[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 charon-nm[5070]: 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/PEAP ]
 charon-nm[5070]: 11[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (67 bytes)
 charon-nm[5070]: 12[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1061 bytes)
 charon-nm[5070]: 12[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
 charon-nm[5070]: 12[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ]
 charon-nm[5070]: 12[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (67 bytes)
 charon-nm[5070]: 13[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (747 bytes)
 charon-nm[5070]: 13[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/PEAP ]
 charon-nm[5070]: 13[TLS] received TLS server certificate 'C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate, E=admin@example.org'
 charon-nm[5070]: 13[TLS] received TLS intermediate certificate 'C=FR, ST=Radius, L=Somewhere, O=Example Inc., E=admin@example.org, CN=Example Certificate Authority'
 charon-nm[5070]: 13[CFG]   using certificate "C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate, E=admin@example.org"
 charon-nm[5070]: 13[CFG]   using untrusted intermediate certificate "C=FR, ST=Radius, L=Somewhere, O=Example Inc., E=admin@example.org, CN=Example Certificate Authority"
 charon-nm[5070]: 13[CFG] subject certificate invalid (valid from Apr 12 17:41:01 2021 to Jun 11 17:41:01 2021)
 charon-nm[5070]: 13[TLS] no TLS public key found for server '%any'
 charon-nm[5070]: 13[TLS] sending fatal TLS alert 'certificate unknown'
 charon-nm[5070]: 13[ENC] generating IKE_AUTH request 6 [ EAP/RES/PEAP ]
 charon-nm[5070]: 13[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (74 bytes)
 charon-nm[5070]: 14[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (65 bytes)
 charon-nm[5070]: 14[ENC] parsed IKE_AUTH response 6 [ EAP/FAIL ]
 charon-nm[5070]: 14[IKE] received EAP_FAILURE, EAP authentication failed

Everything looks fine until response 5, where I get some strange certificate. I don't know exactly how the PEAP protocol proceeds or what is supposed to happen at that step, but the connection works on Windows, so I assume the problem is on my side.

vpn networkmanager strongswan ikev2
  • 1 answer
  • 393 Views
Lasse Michael Mølgaard
Asked: 2021-06-14 13:20:36 +0800 CST

iPhone users cannot connect to the StrongSwan VPN, while Android and Windows 10 users can?

  • 2

I have a StrongSwan VPN that, for some reason unknown to me, cannot connect iOS users to my VPN server.

Some quick notes:

  • My StrongSwan server is the front end for VPN clients connecting to my network. I use WireGuard for my back-end site-to-site routing.

  • All StrongSwan VPN users are authenticated against a FreeRadius server.

  • StrongSwan clients are assigned an IP on the 192.168.201.0/24 subnet, while the WireGuard backbone network runs on the 192.168.200.0/24 subnet.

  • All clients also get a public IPv6 address belonging to the /48 subnet assigned to me.

I am running StrongSwan on Ubuntu 20.04, and my configuration file is located in the /etc/swanctl/config/ folder, as the file name ends with .conf.

The contents are as follows:

# Default VPN server settings for all connections
conn-defaults {
    local_addrs = PUBLIC_IPV4, PUBLIC_IPV6

    local {
      auth = pubkey
      certs = vpn-ecdsa.cer
      id = vpn.example.com
    }

    version = 2
    send_certreq = no
    send_cert = always
    unique = never
    fragmentation = yes
    encap = yes
    dpd_delay = 60s

    rekey_time = 0s
}

# Default login method
eap-defaults {
  remote {
   auth = eap-radius
   id = %any
   eap_id = %any
  }
}

connections
{
  # Generic Android configuration that is extended further down.
  #
  # Works with StrongSwan VPN client for Android
  conn-unix : conn-defaults, eap-defaults {
    children {
      net {
        local_ts = 0.0.0.0/0, ::/0
      }

      net-unix : child-defaults {
      }

      esp_proposals = aes128gcm128-x25519
    }

    proposals = aes128-sha256-x25519
  }

  # All Windows clients match this rule as username validation
  # is done by 'eap_start = yes' in strongswan.conf.
  #
  # Works with Windows 10 built-in VPN client.
  conn-windows : conn-defaults, eap-defaults {
    children {
      net {
        local_ts = 0.0.0.0/0, ::/0
      }

      esp_proposals = aes256-sha256-prfsha256-modp1024
    }

    proposals = aes256-sha256-prfsha256-modp1024
    pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6

  }

  # A very similar configuration to Windows clients 
  # configuration, except iOS uses 2048 bit keys, 
  # while Windows uses 1024 bit keys.
  #
  # Does NOT work in its current state.
  conn-ios : conn-defaults, eap-defaults {
    children {
      net {
        local_ts = 0.0.0.0/0, ::/0
      }

      esp_proposals = aes256-sha2_256
      pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6

    }

    proposals = aes256-sha256-prfsha256-modp2048
  }

  # Android users is matched against this connection as they are 
  # running the app StrongSwan VPN client. Username is passed in the
  # 'id' field to StrongSwan VPN server.
  conn-unix-site : connections.conn-unix {
    remote {
      id = *@site.example.com
    }
    pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6
  }
}

pools
{
   IkeVPN-site-ipv4 {
      addrs = 192.168.201.0/24
      dns = 192.168.200.1
   }

   IkeVPN-site-ipv6 {
      addrs = 2001:db8:cafe::/97
      dns = 2001:db8::1
   }
}

My configuration was created using the structure given on the following web page:

https://wiki.strongswan.org/projects/strongswan/wiki/Strongswanconf#Referencing-other-Sections

The reason I use it is to avoid repeating the same configuration settings in all my connection profiles.

If you are not familiar with this setup, the following configuration should be considered equivalent to conn-ios:

conn-ios {
   # Obtained from conn-default
   local_addrs = PUBLIC_IPV4, PUBLIC_IPV6

   local {
      auth = pubkey
      certs = vpn-ecdsa.cer
      id = vpn.example.com
   }

   version = 2
   send_certreq = no
   send_cert = always
   unique = never
   fragmentation = yes
   encap = yes
   dpd_delay = 60s

   rekey_time = 0s

   # Obtained from eap-defaults
   remote {
      auth = eap-radius
      id = %any
      eap_id = %any
   }

   # Obtained from original conn-ios profile above.
   children {
      net {
         local_ts = 0.0.0.0/0, ::/0
      }

      esp_proposals = aes256-sha2_256
      pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6
   }

   proposals = aes256-sha256-prfsha256-modp2048
}

The server certificate listed in the conn-default section is an ECDSA certificate obtained from Let's Encrypt using Acme.sh.

The cipher values in proposals and esp_proposals of the iOS configuration are taken from the hints at https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients.

When testing all combinations of Android or Windows users there are no problems connecting, but when someone tries to log in with an iPhone, the connection stalls.

The log output when an iPhone tries to connect is as follows:

10[IKE] CLIENT_IPV4 is initiating an IKE_SA
10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
10[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
10[IKE] no matching proposal found, trying alternative config
10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
10[IKE] no matching proposal found, trying alternative config
10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10[IKE] remote host is behind NAT
10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
10[NET] sending packet: from PUBLIC_IPV4[500] to CLIENT_IPV4[6452] (456 bytes)
06[NET] received packet: from CLIENT_IPV4[13549] to PUBLIC_IPV4[4500] (512 bytes)
06[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
06[CFG] looking for peer configs matching PUBLIC_IPV4[vpn.example.com]...CLIENT_IPV4[PRIVATE_CLASS_A_ADDRESS]
06[CFG] selected peer config 'conn-ios'
06[IKE] initiating EAP_IDENTITY method (id 0x00)
06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
06[IKE] peer supports MOBIKE
06[IKE] authentication of 'vpn.example.com' (myself) with ECDSA-256 signature successful
06[IKE] sending end entity cert "CN=vpn.example.com"
06[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
06[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
06[ENC] splitting IKE message (2816 bytes) into 3 fragments
06[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]
06[ENC] generating IKE_AUTH response 1 [ EF(2/3) ]
06[ENC] generating IKE_AUTH response 1 [ EF(3/3) ]
06[NET] sending packet: from PUBLIC_IPV4[4500] to CLIENT_IPV4[13549] (1236 bytes)
06[NET] sending packet: from PUBLIC_IPV4[4500] to CLIENT_IPV4[13549] (1236 bytes)
06[NET] sending packet: from PUBLIC_IPV4[4500] to CLIENT_IPV4[13549] (500 bytes)
11[JOB] deleting half open IKE_SA with CLIENT_IPV4 after timeout

iPhone users connect with the built-in VPN client using the following settings:

  • Type: IKEv2

  • Description: VPN server

  • Server: vpn.example.com

  • Remote ID: vpn.example.com

  • Local ID: blank

  • User authentication: username and password.

  • Username: user@site.example.com

  • Password: ItIsASecret

Does anyone know why the connection stalls when iOS users load the conn-ios profile?

Update: We have lift-off! :-)

Following @ecdsa's suggestion, I switched the certificate to a 2048-bit RSA certificate.

My Radius server is now being called. The user is authenticated successfully and the client is assigned an IP address. I am happy. :-)

My conn-ios configuration is now:

  conn-ios : conn-defaults, eap-defaults {

    # Overriding defaults from 'conn-default'
    local {
      auth = pubkey
      certs = vpn-rsa.cer
      id = vpn.example.com
    }

    children {
      net {
        local_ts = 0.0.0.0/0, ::/0
      }

      esp_proposals = aes256-sha256
    }

    pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6
    proposals = aes256-sha256-prfsha256-modp2048
  }

Everything else is the same as in my initial configuration.

iphone strongswan apple-ios ikev2
  • 1 answer
  • 1319 Views
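The "no matching proposal found, trying alternative config" lines in the log above are charon walking the peer configs in order until one shares an IKE proposal with the iPhone; that selection succeeded (conn-ios), and the stall came later, at IKE_AUTH. The following is an added example, not strongSwan's or the poster's code, that replays that matching over the logged proposal strings; attributing each "configured proposals" line to conn-unix, conn-windows and conn-ios is an assumption taken from the config order.

```python
"""Replay charon's per-config IKE proposal matching over the log lines above.
Added example, not strongSwan code: each peer config is tried in turn until
one shares a full IKE proposal (enc/integ/PRF/DH group) with the initiator."""
import re

# Proposal strings copied from the log above. Attributing each 'configured
# proposals' line to a connection is an assumption based on the order of
# the swanctl config (conn-unix, conn-windows, conn-ios).
CLIENT_PROPOSALS = (
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, "
    "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"
)
CONFIGURED = [
    ("conn-unix", "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519"),
    ("conn-windows", "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024"),
    ("conn-ios", "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048"),
]

def parse_proposals(text):
    """Split a charon proposal list into (enc, integ, prf, dh) tuples.
    Simplification: one algorithm per transform type, as in these log lines."""
    out = []
    for item in re.split(r",\s*", text.strip()):
        proto, _, algs = item.partition(":")
        if proto == "IKE":
            out.append(tuple(algs.split("/")))
    return out

def closest_diff(offered, proposal):
    """For a configured proposal that did not match, list the (offered, configured)
    transform pairs that differ from the initiator's nearest proposal."""
    best = min(offered, key=lambda o: sum(a != b for a, b in zip(o, proposal)))
    return [(a, b) for a, b in zip(best, proposal) if a != b]

def select_config(client_text, configured):
    """Return (conn_name, proposal, tried): the first config sharing a proposal
    with the initiator, plus why each earlier config was rejected. charon logs
    'no matching proposal found, trying alternative config' at each rejection."""
    offered = parse_proposals(client_text)
    tried = {}
    for name, cfg_text in configured:
        for proposal in parse_proposals(cfg_text):
            if proposal in offered:
                return name, "/".join(proposal), tried
            tried[name] = closest_diff(offered, proposal)
    return None, None, tried
```

For conn-windows the only transform keeping it from matching is the DH group (the iPhone offers MODP_1024 only together with AES-128/SHA-1 or 3DES), which is the detail the two rejection lines in the log do not spell out.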
Nyxynyx
Asked: 2021-01-24 13:23:42 +0800 CST

Strongswan error: no config named 'foo'

  • 1

On Ubuntu 20.04, I am trying to use Strongswan to establish a VPN tunnel to an IKEv2/IPsec VPN site.

However, even though I have the /etc/ipsec.conf file shown below,

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn foo
    left= ...
    right= ...
    ...

when I run sudo ipsec up foo, I get the error

no config named 'foo'

I tried the following commands before running ipsec up foo, but the error persists.

sudo ipsec update
sudo ipsec reload 
sudo ipsec restart

Strongswan U5.8.2/K5.4.0-60-generic was installed using

sudo apt-get install strongswan libcharon-extra-plugins -y

What could be preventing the foo connection from being detected?

Thanks!

vpn ipsec strongswan ikev2 point-to-site-vpn
  • 1 answer
  • 3223 Views
xeyipes
Asked: 2020-11-23 05:18:42 +0800 CST

Does ikev1 or ikev2 support a no-authentication option? If so, how can I enable it in strongswan?

  • 0

For testing purposes, I want to set up an ipsec tunnel using IKEv1 or v2 (preferably v2) that does not require any authentication, i.e. just use the protocol to agree on the keys for the ipsec tunnel and skip authentication. Do the IKEv1 or v2 protocols support such an option? If so, how can I enable it in strongswan (what values do I need to set for leftauth and rightauth to enable it?)

ipsec strongswan ikev1 ikev2
  • 1 answer
  • 152 Views
mohsen
Asked: 2020-08-28 02:38:59 +0800 CST

How to set remoteId and server certificate check for Strongswan IKEv2 on ubuntu 18.04

  • 0

I am new to IKEv2. I want to install an IKEv2 vpn on an ubuntu 18.04 server; I went through this tutorial, but I have a few questions.

First, how do I configure its remote id, since I use a url in my ios app.

Second, how do I avoid using a certificate file in the client? I mean I just want to log in with a username and password; I do not want to trust a certificate on the client device, because I use it in an app.

ubuntu-18.04 strongswan ikev2
  • 1 answer
  • 634 Views
Eugene
Asked: 2020-07-21 16:38:20 +0800 CST

Mikrotik IKEv2/ipsec + Windows 10 = no split-include routes

  • 2

I am deploying a solution that uses IKEv2+ipsec with certificates to connect roadwarriors to the corporate network. A Mikrotik CHR is used as the entry point.

Everything went quickly until I started rolling the solution out on a Dell laptop. After the connection to the router is established, the laptop does not receive the split-include routes, and only the VPN subnet is reachable. In contrast, my admin PC, a fixed workstation, has no such problem.

Windows 10 receives the split-includes via DHCP. After some research, I found that for some reason the Windows 10 Pro 1909 supplied by Dell does not send a DHCP request to the router. The laptop gets its address and DNS; only the split-include routes are missing. Also, DHCP works fine on the Wi-Fi adapter.

What has been done:

  • Checked the router logs for the laptop and the admin PC. No DHCP request is found when the laptop connects.
  • Sniffed traffic on the Mikrotik CHR: DHCP requests arrive from the admin PC but not from the laptop.
  • Sniffed traffic on the laptop; no DHCP request detected.

Rebooting, resetting ip and winsock with netsh, reverting to an older wi-fi driver, deleting and recreating the WAN miniports, forcing DHCP on the connection, dancing around the laptop: none of it helped.

At the moment the only working solution is a clean install of the MSDN build of Windows 10 1909. With that, the laptop gets the split-includes fine. However, that does not seem like a reasonable solution to me.

My questions are:

  • What are the possible causes of the problem?
  • What can be done to fix it?
windows ipsec mikrotik split-tunnel ikev2
  • 1 answer
  • 1284 Views
sunknudsen
Asked: 2020-07-17 16:15:50 +0800 CST

What would cause an iOS device to be able to connect to an IKEv2/IPsec VPN over LTE but not browse most websites?

  • 0

Over Wi-Fi everything works fine.

I tried disabling IPv6 using a configuration profile.

I tried the same VPN profile on two different devices (an iPhone 6 and a current iPhone SE), each on its own LTE carrier.

vpn ipsec strongswan ikev2
  • 1 answer
  • 112 Views
Robert Meany
Asked: 2020-04-07 13:58:51 +0800 CST

Determining the root cause of Windows VPN connection error 13801

  • 1

I am trying to get machine authentication working with Microsoft "Always On VPN". I get error 13801 when trying to connect with the client. This error means there is some kind of certificate-related problem, although I have checked all the obvious items.

Both the client and the RAS server have the CA as a trusted root authority, and both have been issued certificates, stored in their local computer/personal store. The client has the Client Authentication EKU, and the server has the Server Authentication, IPSEC IKE Intermediate and Client Authentication EKUs. The subject name on the server certificate matches the hostname in the client connection. As part of troubleshooting I have also disabled the IKE EKU and CRL checks on the client.

I have generated RRAS trace logs, and all I see is the vpnike module bailing out with error 13801. I cannot see any of the process it goes through, which certificate it actually tries to use, etc...

This is the configuration output for my client VPN connection, which was created per Microsoft's instructions using the system context so that the machine certificate can be used...

ServerAddress         : server.domain.com
AllUserConnection     : True
Guid                  : {87C51048-BC50-475F-8CEF-2C9C49687205}
TunnelType            : Ikev2
AuthenticationMethod  : {MachineCertificate}
EncryptionLevel       : Maximum
L2tpIPsecAuth         :
UseWinlogonCredential : False
EapConfigXmlStream    :
ConnectionStatus      : Disconnected
RememberCredential    : True
SplitTunneling        : True
DnsSuffix             :
IdleDisconnectSeconds : 0
windows vpn rras ikev2
  • 2 answers
  • 1870 Views
CROSP
Asked: 2016-10-14 11:53:25 +0800 CST

IKEV2 configuration file IP pool

  • 2

I am having some problems configuring a VPN with IKEV2. Here is my server configuration file

config setup

    #  Uncomment to allow few simultaneous connections with one user account.
    #  By default only one active connection per user allowed.
    # uniqueids=no

    # Increase debug level
    # charondebug = ike 3, cfg 3

conn %default

    # More advanced ciphers. Uncomment if you need it.
    # Default ciphers will works on most platforms.
    # ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    # esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!

    # Dead peer detection will ping clients and terminate sessions after timeout
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=2000s

    keyexchange=ikev2
    auto=add
    rekey=no
    reauth=no
    fragmentation=yes
    #compress=yes

    # left - local (server) side
    leftcert=mydomain.net.crt # Filename of certificate located at /etc/ipsec.d/certs/
    leftsendcert=always
    # Routes pushed to clients. If you don't have ipv6 then remove ::/0
    leftsubnet=0.0.0.0/0

    # right - remote (client) side
    eap_identity=%identity
    # ipv4 and ipv6 subnets that assigns to clients. If you don't have ipv6 then remove it
    rightsourceip=192.168.0.0/24
    rightdns=192.168.0.1,8.8.8.8

# Windows and BlackBerry clients usually goes here
conn ikev2-mschapv2
    rightauth=eap-mschapv2

# Apple clients usually goes here
conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid=mydomain.net

The problem is that I have specified rightsourceip=192.168.0.0/24, so every new client gets an IP in this network, but of course there are already computers in my local network.

When I try to connect to my VPN, it connects, but the client gets the IP address 192.168.0.1, which is the router IP.

Also, I have other devices and PCs in this network, so clients will get IPs that already exist.

My router acts as the DHCP server, with IP 192.168.0.1

I tried searching for the correct IP pool configuration but did not find any information.

I am not sure whether this is possible, but it would be great if I could route IP address leasing to my router instead of having addresses leased by the VPN server (as far as I know; please correct me if I am wrong).

Please help me solve this problem. Thanks.

vpn dhcp ip strongswan ikev2
  • 1 answer
  • 1195 Views
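A client pool that overlaps the LAN, as the rightsourceip above does, is the kind of misconfiguration a quick lint of ipsec.conf catches before a client is handed the router's own address. Here is an added example, not strongSwan's or the poster's code, that parses a constructed excerpt of the posted ipsec.conf (honouring conn %default inheritance) and flags pools that overlap a given LAN or contain the router; pools written with a leading '%' are treated as delegated and skipped, which covers strongSwan's rightsourceip=%dhcp (dhcp plugin, not mentioned on the page), the setting that hands leasing to a DHCP server as the question asks.

```python
"""Lint the client address pool in an ipsec.conf against the LAN it must not
collide with. Added example, not strongSwan code; the constructed excerpt
below carries the pool, LAN and router address named in the question."""
import ipaddress
import re

IPSEC_CONF = """
config setup
conn %default
    rightsourceip=192.168.0.0/24

conn ikev2-mschapv2
    rightauth=eap-mschapv2

conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid=mydomain.net
"""

def parse_conns(text):
    """Return {conn: {key: value}} with 'conn %default' merged into every
    other conn (a conn's own keys win); 'config setup' and comments are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        head = re.match(r"^(conn|config)\s+(\S+)", line)
        if head:
            current = head.group(2) if head.group(1) == "conn" else None
            if current:
                sections.setdefault(current, {})
            continue
        if current and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **keys} for name, keys in sections.items()}

def pool_conflicts(text, lan, router_ip):
    """Map each conn with a locally managed rightsourceip pool to its problems:
    overlap with the LAN, and the router address lying inside the pool."""
    lan_net = ipaddress.ip_network(lan)
    router = ipaddress.ip_address(router_ip)
    problems = {}
    for name, keys in parse_conns(text).items():
        spec = keys.get("rightsourceip", "")
        if not spec or spec.startswith("%"):  # absent or delegated (%dhcp, %radius)
            continue
        issues = []
        for part in spec.split(","):
            pool = ipaddress.ip_network(part.strip(), strict=False)
            if pool.overlaps(lan_net):
                issues.append(f"pool {pool} overlaps LAN {lan_net}")
            if router in pool:
                issues.append(f"router {router} is inside pool {pool}")
        problems[name] = issues
    return problems
```

Run against the excerpt with the LAN 192.168.0.0/24 and router 192.168.0.1 from the question, both conns inherit the same two findings; moving the pool to a dedicated range such as 10.10.10.0/24 clears them.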
