
I am trying to follow the instructions for configuring a point-to-site (P2S) VPN on Linux for use with Azure Files, and the configuration appears to work. However, when I try to connect, it fails.

The parts of the error I can find say:

peer didn't accept DH group ECP_256, it requested ECP_384

requesting ocsp status from 'http://ocsp.digicert.com' ...
    nonce in ocsp response doesn't match

received MS_NOTIFY_STATUS notify error
establishing connection 'my-share-vn' failed

Here is the full output:

user@user-temp-ubuntu-2004LTS-vm:~/temp$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.8.2 IPsec [starter]...

user@user-temp-ubuntu-2004LTS-vm:~/temp$ sudo ipsec up $virtualNetworkName
initiating IKE_SA my-share-vn[1] to xxx.xxx.xxx.xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (1128 bytes)
received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested ECP_384
initiating IKE_SA my-share-vn[1] to xxx.xxx.xxx.xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (1160 bytes)
received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (357 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V CERTREQ ]
received MS NT5 ISAKMPOAKLEY v9 vendor ID
received MS-Negotiation Discovery Capable vendor ID
selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
local host is behind NAT, sending keep alives
received cert request for "CN=P2SRootCert"
sending cert request for "CN=P2SRootCert"
sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
establishing CHILD_SA my-share-vn{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (320 bytes)
received packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (1276 bytes)
parsed IKE_AUTH response 1 [ EF(1/3) ]
received fragment #1 of 3, waiting for complete IKE message
received packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (1276 bytes)
parsed IKE_AUTH response 1 [ EF(2/3) ]
received fragment #2 of 3, waiting for complete IKE message
received packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (1244 bytes)
parsed IKE_AUTH response 1 [ EF(3/3) ]
received fragment #3 of 3, reassembled fragmented IKE message (3625 bytes)
parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
received end entity cert "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=00000000-0000-0000-0000-000000000000.vpn.azure.com"
received issuer cert "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
  using certificate "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=00000000-0000-0000-0000-000000000000.vpn.azure.com"
  using untrusted intermediate certificate "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
checking certificate status of "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=00000000-0000-0000-0000-000000000000.vpn.azure.com"
  requesting ocsp status from 'http://ocsp.digicert.com' ...
nonce in ocsp response doesn't match
ocsp check failed, fallback to crl
  fetching crl from 'http://crl3.digicert.com/DigiCertSHA2SecureServerCA.crl' ...
  using certificate "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
  using trusted ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
certificate policy 2.23.140.1.1 for 'C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA' not allowed by trustchain, ignored
certificate policy 2.23.140.1.2.1 for 'C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA' not allowed by trustchain, ignored
certificate policy 2.23.140.1.2.2 for 'C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA' not allowed by trustchain, ignored
certificate policy 2.23.140.1.2.3 for 'C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA' not allowed by trustchain, ignored
  reached self-signed root ca with a path length of 0
  crl correctly signed by "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
  crl is valid: until Aug 22 18:37:40 2021
certificate status is good
  using trusted ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
checking certificate status of "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
  requesting ocsp status from 'http://ocsp.digicert.com' ...
nonce in ocsp response doesn't match
ocsp check failed, fallback to crl
  fetching crl from 'http://crl3.digicert.com/DigiCertGlobalRootCA.crl' ...
  using trusted certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
  crl correctly signed by "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
  crl is valid: until Sep 02 20:49:32 2021
certificate status is good
certificate policy 2.23.140.1.2.2 for 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=00000000-0000-0000-0000-000000000000.vpn.azure.com' not allowed by trustchain, ignored
  reached self-signed root ca with a path length of 1
authentication of 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=00000000-0000-0000-0000-000000000000.vpn.azure.com' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending 'client'
EAP_IDENTITY not supported, sending EAP_NAK
generating IKE_AUTH request 2 [ EAP/RES/NAK ]
sending packet: from yyy.yyy.yyy.yyy[4500] to xxx.xxx.xxx.xxx[4500] (67 bytes)
received packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4500] (72 bytes)
parsed IKE_AUTH response 2 [ N(MS_STATUS(1244)) ]
received MS_NOTIFY_STATUS notify error
establishing connection 'my-share-vn' failed
user@user-temp-ubuntu-2004LTS-vm:~/temp$

I don't know how to fix this. Could it be related to Strongswan, so that I should try some other VPN client? Is there a problem with ECP_384? Where do I even start troubleshooting this?

By the way, I can connect to this VPN using the Windows VPN client downloaded from the portal, using/importing the client.p12 certificate generated by the script in the documentation.

Thanks!

