Strongswan на vps и Windows 11
Hi. I'm asking for help with the connection: I set everything up and generated the keys, including for Windows, but it won't connect. /etc/strongswan/ipsec.conf

```
config setup
        uniqueids=never
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn %default
        keyexchange=ikev2
        ike=aes128gcm16-sha2_256-prfsha256-ecp256!
        esp=aes128gcm16-sha2_256-ecp256!
        fragmentation=yes
        rekey=no
        compress=yes
        dpdaction=clear
        left=%any
        leftauth=pubkey
        leftsourceip=server_vps
        leftid=server_vps
        leftcert=server-cert.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightauth=pubkey
        rightsourceip=10.10.10.0/24
        rightdns=8.8.8.8,8.8.4.4

conn ikev2-pubkey
        auto=add
```

Log:

```
[root@localhost strongswan]# swanctl --log
plugin 'sqlite': failed to load - sqlite_plugin_create not found and no plugin file available
08[NET] received packet: from home_ip[500] to server_vps[500] (1104 bytes)
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
08[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
08[IKE] received MS-Negotiation Discovery Capable vendor ID
08[IKE] received Vid-Initial-Contact vendor ID
08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
08[IKE] home_ip is initiating an IKE_SA
08[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/MODP_1024
08[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
08[IKE] remote host is behind NAT
08[IKE] received proposals unacceptable
08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
08[NET] sending packet: from server_vps[500] to home_ip[500] (36 bytes)
11[NET] received packet: from home_ip[500] to server_vps[500] (408 bytes)
11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
11[IKE] no IKE config found for server_vps...home_ip, sending NO_PROPOSAL_CHOSEN
11[ENC] generating INFORMATIONAL_V1 request 1880878183 [ N(NO_PROP) ]
11[NET] sending packet: from server_vps[500] to home_ip[500] (40 bytes)
12[NET] received packet: from home_ip[500] to server_vps[500] (408 bytes)
12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
12[IKE] no IKE config found for server_vps...home_ip, sending NO_PROPOSAL_CHOSEN
12[ENC] generating INFORMATIONAL_V1 request 2664976946 [ N(NO_PROP) ]
12[NET] sending packet: from server_vps[500] to home_ip[500] (40 bytes)
09[NET] received packet: from home_ip[500] to server_vps[500] (408 bytes)
09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
09[IKE] no IKE config found for server_vps...home_ip, sending NO_PROPOSAL_CHOSEN
09[ENC] generating INFORMATIONAL_V1 request 1675694728 [ N(NO_PROP) ]
09[NET] sending packet: from server_vps[500] to home_ip[500] (40 bytes)
03[NET] received packet: from home_ip[500] to server_vps[500] (408 bytes)
03[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
03[IKE] no IKE config found for server_vps...home_ip, sending NO_PROPOSAL_CHOSEN
03[ENC] generating INFORMATIONAL_V1 request 1502460016 [ N(NO_PROP) ]
03[NET] sending packet: from server_vps[500] to home_ip[500] (40 bytes)
```

Last edited by Apophis (edits: 1)

It's right there in plain English: received proposals unacceptable. Configure a matching combination in strongswan, or fix it on the offtopic side via powershell.

Bloody ★★
Last edited by Bloody (edits: 1)
In reply to: comment by Bloody

Tweaked the config, still not connecting.

```
08[NET] received packet: from home_ip[500] to server_vps[500] (1104 bytes)
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
08[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
08[IKE] received MS-Negotiation Discovery Capable vendor ID
08[IKE] received Vid-Initial-Contact vendor ID
08[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
08[IKE] home_ip is initiating an IKE_SA
08[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
08[IKE] remote host is behind NAT
08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
08[NET] sending packet: from server_vps[500] to home_ip[500] (328 bytes)
06[NET] received packet: from home_ip[4500] to server_vps[4500] (580 bytes)
06[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]
06[ENC] received fragment #1 of 3, waiting for complete IKE message
06[NET] received packet: from home_ip[4500] to server_vps[4500] (580 bytes)
06[ENC] parsed IKE_AUTH request 1 [ EF(2/3) ]
06[ENC] received fragment #2 of 3, waiting for complete IKE message
10[NET] received packet: from home_ip[4500] to server_vps[4500] (372 bytes)
10[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
10[ENC] received fragment #3 of 3, reassembled fragmented IKE message (1360 bytes)
10[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
10[IKE] received cert request for "CN=VPN root CA"
10[IKE] received 44 cert requests for an unknown ca
10[CFG] looking for peer configs matching server_vps[%any]...home_ip[192.168.1.169]
10[CFG] selected peer config 'test.net'
10[IKE] initiating EAP_IDENTITY method (id 0x00)
10[IKE] peer supports MOBIKE
10[IKE] authentication of 'server_vps' (myself) with RSA signature failed
10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
10[NET] sending packet: from server_vps[4500] to home_ip[4500] (80 bytes)
```

Imported ca-certs.pem into Windows.

Apophis (topic starter)
Last edited by Apophis (edits: 3)
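An added example, not code from the thread or from the strongSwan project: a small Python diagnostic that reads charon log lines like the two excerpts above and explains each failure. For the first excerpt it parses the "received proposals" and "configured proposals" lines, expands every alternative into (encr, integ, prf, dh) tuples and shows that the intersection is empty, which is exactly what N(NO_PROP) means; for the second it matches the "authentication of '...' (myself) ... failed" line, which is the responder failing to sign with the private key that belongs to leftcert. The proposal parser is more general than the lines on this page: a proposal that lists alternatives (several encryption or DH tokens in one IKE: entry) is expanded into every combination it allows. The sample log text is constructed from the thread's excerpts, abridged; the assumption that "(myself) ... signature failed" points at a missing or mismatched private key is the same one Bloody raises in the next reply.

```python
"""Added example (not the poster's code): explain strongSwan IKEv2 failures
from charon log lines. Sample log text is constructed from the thread's excerpts."""
import re
from itertools import product

# Constructed sample: abridged copy of the first log excerpt (proposal mismatch).
LOG_NO_PROPOSAL = """\
08[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_1024
08[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
08[IKE] received proposals unacceptable
08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
"""

# Constructed sample: abridged copy of the second log excerpt (own-signature failure).
LOG_AUTH_FAILED = """\
10[CFG] selected peer config 'test.net'
10[IKE] authentication of 'server_vps' (myself) with RSA signature failed
10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

PROPOSAL_LINE = re.compile(r"\[CFG\] (received|configured) proposals: (.*)$")
MYSELF_AUTH = re.compile(r"authentication of '([^']+)' \(myself\) with (\S+) signature failed")


def _classify(token):
    """Map one algorithm token to its slot in an IKE proposal."""
    if token.startswith("PRF_"):
        return "prf"
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if token.startswith("HMAC_") or "XCBC" in token or "CMAC" in token:
        return "integ"
    return "encr"  # AES_CBC_*, AES_GCM_*, 3DES_CBC, CHACHA20_POLY1305, ...


def parse_proposal(proposal):
    """Expand 'IKE:ENCR/INTEG/PRF/DH' into a set of (encr, integ, prf, dh) tuples.

    A proposal may list several algorithms per slot; the product of the slots is
    returned. AEAD ciphers (AES_GCM_*) carry no separate integrity algorithm, so
    that slot is None for them.
    """
    slots = {"encr": [], "integ": [], "prf": [], "dh": []}
    body = proposal.split(":", 1)[1] if ":" in proposal else proposal
    for token in body.split("/"):
        slots[_classify(token)].append(token)
    if not slots["integ"]:
        slots["integ"] = [None]
    return set(product(slots["encr"], slots["integ"], slots["prf"], slots["dh"]))


def parse_proposal_sets(log_text):
    """Collect the 'received' and 'configured' proposal sets from charon output."""
    sets = {"received": set(), "configured": set()}
    for line in log_text.splitlines():
        m = PROPOSAL_LINE.search(line)
        if m:
            for proposal in m.group(2).split(","):
                sets[m.group(1)] |= parse_proposal(proposal.strip())
    return sets["received"], sets["configured"]


def diagnose(log_text):
    """Return a dict describing the failure recognised in the log text."""
    if "received proposals unacceptable" in log_text:
        received, configured = parse_proposal_sets(log_text)
        return {
            "failure": "NO_PROPOSAL_CHOSEN",
            "common": received & configured,
            "client_dh_groups": sorted({p[3] for p in received}),
            "client_offers_aead": any(p[1] is None for p in received),
        }
    for line in log_text.splitlines():
        m = MYSELF_AUTH.search(line)
        if m:
            return {"failure": "AUTH_FAILED_LOCAL", "identity": m.group(1), "scheme": m.group(2)}
    return {"failure": None}


def explain(result):
    """Turn a diagnose() result into a short hint for the operator."""
    if result["failure"] == "NO_PROPOSAL_CHOSEN":
        if result["common"]:
            return "proposals overlap: %s" % sorted(map(str, result["common"]))
        return ("no common IKE proposal; the client only offers DH group(s) %s"
                " - raise the client's DH group/cipher rather than weakening the server"
                % ", ".join(result["client_dh_groups"]))
    if result["failure"] == "AUTH_FAILED_LOCAL":
        return ("responder could not produce its own %s signature as '%s': check that the"
                " private key for leftcert is declared (ipsec.secrets: ': RSA <keyfile>')"
                " and matches the certificate" % (result["scheme"], result["identity"]))
    return "no known failure pattern found"


if __name__ == "__main__":
    for sample in (LOG_NO_PROPOSAL, LOG_AUTH_FAILED):
        print(explain(diagnose(sample)))
```

Run it with `python3` against the two constructed samples, or pipe real `swanctl --log` output into `diagnose()`. Two points the output makes for this thread: every proposal the Windows client sent uses MODP_1024, so the intersection with an ECP_256-only server is empty, and the poster's second attempt fixed that by accepting MODP_1024 on the server (the log shows the selected proposal ending in MODP_1024), which is the weaker direction; the Windows built-in client's proposal can instead be raised with `Set-VpnConnectionIPsecConfiguration` (its `-DHGroup ECP256` and GCM cipher options). The AUTH_FAILED case is a server-side problem, not a client trust problem: charon could not sign with the key for leftcert, so the ipsec.secrets entry for that key is what to check before touching the Windows certificate store.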
In reply to: comment by Apophis

And is the private key's correspondence to the public one configured? I don't remember the old strongswan syntax well any more, but I think that was set in a separate file.

Bloody ★★

If you're on ubuntu/debian, then IIRC the authentication protocols needed to work with Windows are installed as a separate package. I don't remember what it's called, but it isn't installed automatically if you just install strongswan.

Khnazile ★★★★★

In reply to: comment by Apophis

> Imported ca-certs.pem into Windows

Into which store, the "system" one or the "user" one? I think Windows will keep complaining until you put it in the system one.

thesis ★★★★★