0

我正在尝试在我的应用程序中创建 vpn 连接。在服务器端,在 Ubuntu 16.04 上使用带有 StrongSwan 的 IKEv2 VPN 服务器。按此 guid ( https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04 ) 构建。

当我尝试连接时。服务器发送此日志:

 - May  5 08:58:21 ip-2 charon: 05[NET] received packet: from 3[500] to 2[500] (432 bytes)
 - May  5 08:58:21 ip-2 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
 - May  5 08:58:21 ip-2 charon: 05[IKE] 3 is initiating an IKE_SA
 - May  5 08:58:21 ip-2 charon: 05[IKE] local host is behind NAT, sending keep alives
 - May  5 08:58:21 ip-2 charon: 05[IKE] remote host is behind NAT
 - May  5 08:58:21 ip-2 charon: 05[IKE] received proposals inacceptable
 - May  5 08:58:21 ip-2 charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
 - May  5 08:58:21 ip-2 charon: 05[NET] sending packet: from 2[500] to 3[500] (36 bytes)
 - May  5 08:58:22 ip-2 charon: 16[NET] received packet: from 3[500] to 2[500] (432 bytes)
 - May  5 08:58:22 ip-2 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
 - May  5 08:58:22 ip-2 charon: 16[IKE] 3 is initiating an IKE_SA
 - May  5 08:58:22 ip-2 charon: 16[IKE] local host is behind NAT, sending keep alives
 - May  5 08:58:22 ip-2 charon: 16[IKE] remote host is behind NAT
 - May  5 08:58:22 ip-2 charon: 16[IKE] received proposals inacceptable
 - May  5 08:58:22 ip-2 charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
 - May  5 08:58:22 ip-2 charon: 16[NET] sending packet: from 2[500] to 3[500] (36 bytes)

我在服务器上使用此配置:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    lifetime=8h
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=<IP>
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1! 

在 iOS 上使用此代码:

class VpnManager {
    
    let vpnManager = NEVPNManager.shared()
    let info = VPNINFO()
    
    func connectToVPN() {
        vpnManager.loadFromPreferences { error in
            guard error == nil else {
                print(error)
                return
            }

            let IKEv2Protocol = NEVPNProtocolIKEv2()
            IKEv2Protocol.serverAddress = self.info.serverAddress
            IKEv2Protocol.authenticationMethod = .certificate
            
            let certificate = SecCertificateCreateWithData(nil, Data(base64Encoded: self.info.cert)! as CFData)!
            let certificateData = SecCertificateCopyData(certificate) as Data
            IKEv2Protocol.identityData = certificateData
            
            self.vpnManager.protocolConfiguration = IKEv2Protocol
            self.vpnManager.isEnabled = true
            
            self.vpnManager.saveToPreferences { error in
                guard error == nil else {
                    print(error)
                    return
                }
                do {
                    try self.vpnManager.connection.startVPNTunnel(
                        options: ([
                            NEVPNConnectionStartOptionUsername: "username",
                            NEVPNConnectionStartOptionPassword: KeychainWrapper.passwordRefForVPNID("MY_PASSWORD")
                        ] as! [String: NSObject]))
                } catch let error {
                    print(error)
                }
            }
        }
    }
    
    
}

预期结果:已连接

实际结果:连接 -> 断开连接

最后的控制台日志:

Jun  4 15:44:51 charon: 06[NET] received packet: from <my ip>[500] to <server ip>[500] (304 bytes)
Jun  4 15:44:51 charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun  4 15:44:51 charon: 06[IKE] <my ip> is initiating an IKE_SA
Jun  4 15:44:51 charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun  4 15:44:51 charon: 06[IKE] local host is behind NAT, sending keep alives
Jun  4 15:44:51 charon: 06[IKE] remote host is behind NAT
Jun  4 15:44:51 charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun  4 15:44:51 charon: 06[NET] sending packet: from <server ip>[500] to <my ip>[500] (328 bytes)
Jun  4 15:44:51 charon: 05[NET] received packet: from <my ip>[500] to <server ip>[500] (304 bytes)
Jun  4 15:44:51 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun  4 15:44:51 charon: 05[IKE] <my ip> is initiating an IKE_SA
Jun  4 15:44:51 charon: 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun  4 15:44:51 charon: 05[IKE] local host is behind NAT, sending keep alives
Jun  4 15:44:51 charon: 05[IKE] remote host is behind NAT
Jun  4 15:44:51 charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun  4 15:44:51 charon: 05[NET] sending packet: from <server ip>[500] to <my ip>[500] (328 bytes)
Jun  4 15:45:11 charon: 08[IKE] sending keep alive to <my ip>[500]
Jun  4 15:45:11 charon: 09[IKE] sending keep alive to <my ip>[500]
Jun  4 15:45:21 charon: 10[JOB] deleting half open IKE_SA with <my ip> after timeout
Jun  4 15:45:21 charon: 11[JOB] deleting half open IKE_SA with <my ip> after timeout
4

1 回答 1

0

您的 strongswan 服务器配置有以下加密算法。

ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!

解决方案

您需要在 VPN Server 支持的 NEVPNProtocolIKEv2 实例中指定 Cipher。

    IKEv2Protocol.ikeSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256
    IKEv2Protocol.ikeSecurityAssociationParameters.integrityAlgorithm = .SHA96
    IKEv2Protocol.ikeSecurityAssociationParameters.diffieHellmanGroup = .group2 
    IKEv2Protocol.ikeSecurityAssociationParameters.lifetimeMinutes = 480
    
    IKEv2Protocol.childSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256
    IKEv2Protocol.childSecurityAssociationParameters.integrityAlgorithm = .SHA96
    IKEv2Protocol.childSecurityAssociationParameters.diffieHellmanGroup = .group2
    IKEv2Protocol.childSecurityAssociationParameters.lifetimeMinutes = 60 
于 2021-06-01T10:56:59.603 回答