DHCPと連携するようにStrongSwanを構成する
StrongSwan VPNサーバーを実装しましたが、エンドクライアントにIPを動的に割り当てるように構成したいと思います。 VPNは、IP範囲を指定すると機能しますが、DHCPに設定すると機能しません。
これは私のdhcp.confファイルです:
dhcp {
# Always use the configured server address.
force_server_address = yes
# Derive user-defined MAC address from hash of IKE identity.
# identity_lease = yes
# Interface name the plugin uses for address allocation.
# interface =
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
# DHCP server unicast or broadcast IP address.
server = 10.0.0.255
}
そして私のipsec.confファイル:
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
keyexchange=ikev2
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=10.0.0.2
leftsubnet=255.255.255.0/24
leftcert=vpnHostCert.pem
right=%any
rightsubnet=255.255.255.0/24
rightdns=10.0.0.2
rightsourceip=10.0.1.0/24
# rightsourceip=%dhcp
compress=yes
conn IPSec-IKEv2
auto=add
conn IPSec-IKEv2-EAP
also="IPSec-IKEv2"
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
conn CiscoIPSec
keyexchange=ikev1
rightauth=pubkey
rightauth2=xauth
auto=add
現在、VPNが機能するようにDHCP機能をコメントアウトしています。
試行された接続からのログは次のとおりです:(新しいログ用にカット)
Jul 8 16:13:09 dhcp charon: 04[IKE] IKE_SA IPSec-IKEv2-EAP[15] state change: CONNECTING => ESTABLISHED
Jul 8 16:13:09 dhcp charon: 04[IKE] peer requested virtual IP %any
Jul 8 16:13:09 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:10 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:11 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 8 16:13:11 dhcp charon: 15[NET] waiting for data on sockets
Jul 8 16:13:11 dhcp charon: 07[MGR] ignoring request with ID 5, already processing
Jul 8 16:13:12 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:14 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 8 16:13:14 dhcp charon: 15[NET] waiting for data on sockets
Jul 8 16:13:14 dhcp charon: 13[MGR] ignoring request with ID 5, already processing
Jul 8 16:13:15 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:18 dhcp charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 8 16:13:18 dhcp charon: 15[NET] waiting for data on sockets
Jul 8 16:13:18 dhcp charon: 01[MGR] ignoring request with ID 5, already processing
Jul 8 16:13:19 dhcp charon: 04[CFG] sending DHCP DISCOVER to 10.0.0.2
Jul 8 16:13:24 dhcp charon: 04[CFG] DHCP DISCOVER timed out
ログからわかるように、StrongSwanはDHCPサーバーからリースを取得しようとしていますが、DHCPDiscoverへの応答を取得することはありません。
VPNサーバーとDHCPサーバーは両方とも同じマシン(10.0.0.2)上にあります。 dhcp.confファイルに表示されているように、10.0.0.255を指定しました(この下部の注記に従って strongswan doc )。 10.0.0.2、0.0.0.0、127.0.0.1、255.255.255.0、255.255.255.255も試しましたが、どれも機能しませんでした。
DHCPは内部のすべてに対して完全に正常に機能するため、StrongSwanの問題であると確信しています。
編集:DHCPサーバーから応答を取得できましたが、VPNソフトウェアがそれを認識できません。これが私のVPNのDHCP設定とログへの変更です。
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 08[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500] (528 bytes)
Jul 10 09:41:52 dhcp charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 10 09:41:52 dhcp charon: 08[CFG] looking for an ike config for 10.0.0.2...xxx.xxx.xxx.xxx
Jul 10 09:41:52 dhcp charon: 08[CFG] candidate: 10.0.0.2...%any, prio 1052
Jul 10 09:41:52 dhcp charon: 08[CFG] candidate: 10.0.0.2...%any, prio 1052
Jul 10 09:41:52 dhcp charon: 08[CFG] found matching ike config: 10.0.0.2...%any with prio 1052
Jul 10 09:41:52 dhcp charon: 08[IKE] xxx.xxx.xxx.xxx is initiating an IKE_SA
Jul 10 09:41:52 dhcp charon: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Jul 10 09:41:52 dhcp charon: 08[CFG] selecting proposal:
Jul 10 09:41:52 dhcp charon: 08[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:41:52 dhcp charon: 08[CFG] selecting proposal:
Jul 10 09:41:52 dhcp charon: 08[CFG] proposal matches
Jul 10 09:41:52 dhcp charon: 08[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul 10 09:41:52 dhcp charon: 08[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:41:52 dhcp charon: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:41:52 dhcp charon: 08[IKE] local Host is behind NAT, sending keep alives
Jul 10 09:41:52 dhcp charon: 08[IKE] remote Host is behind NAT
Jul 10 09:41:52 dhcp charon: 08[IKE] sending cert request for "C=AU, O=EXAMPLE, CN=EXAMPLE CA"
Jul 10 09:41:52 dhcp charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 10 09:41:52 dhcp charon: 08[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500] (337 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 07[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (972 bytes)
Jul 10 09:41:52 dhcp charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul 10 09:41:52 dhcp charon: 07[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
Jul 10 09:41:52 dhcp charon: 07[IKE] received cert request for "C=AU, O=EXAMPLE, CN=EXAMPLE CA"
Jul 10 09:41:52 dhcp charon: 07[IKE] received 31 cert requests for an unknown ca
Jul 10 09:41:52 dhcp charon: 07[CFG] looking for peer configs matching 10.0.0.2[%any]...xxx.xxx.xxx.xxx[10.1.1.5]
Jul 10 09:41:52 dhcp charon: 07[CFG] candidate "IPSec-IKEv2", match: 1/1/1052 (me/other/ike)
Jul 10 09:41:52 dhcp charon: 07[CFG] candidate "IPSec-IKEv2-EAP", match: 1/1/1052 (me/other/ike)
Jul 10 09:41:52 dhcp charon: 07[CFG] selected peer config 'IPSec-IKEv2'
Jul 10 09:41:52 dhcp charon: 07[IKE] peer requested EAP, config inacceptable
Jul 10 09:41:52 dhcp charon: 07[CFG] switching to peer config 'IPSec-IKEv2-EAP'
Jul 10 09:41:52 dhcp charon: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_DNS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_NBNS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP4_SERVER attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_DNS attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] processing INTERNAL_IP6_SERVER attribute
Jul 10 09:41:52 dhcp charon: 07[IKE] peer supports MOBIKE
Jul 10 09:41:52 dhcp charon: 07[IKE] authentication of 'C=AU, O=EXAMPLE, CN=EXAMPLE AU' (myself) with RSA signature successful
Jul 10 09:41:52 dhcp charon: 07[IKE] sending end entity cert "C=AU, O=EXAMPLE, CN=EXAMPLE AU"
Jul 10 09:41:52 dhcp charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 10 09:41:52 dhcp charon: 07[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (1516 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 10[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
Jul 10 09:41:52 dhcp charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jul 10 09:41:52 dhcp charon: 10[IKE] received EAP identity 'shane'
Jul 10 09:41:52 dhcp charon: 10[IKE] initiating EAP_MSCHAPV2 method (id 0xB2)
Jul 10 09:41:52 dhcp charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 10[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (108 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 09[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (140 bytes)
Jul 10 09:41:52 dhcp charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 09[IKE] EAP-MS-CHAPv2 username: 'shane'
Jul 10 09:41:52 dhcp charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 09[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (140 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 11[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
Jul 10 09:41:52 dhcp charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jul 10 09:41:52 dhcp charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jul 10 09:41:52 dhcp charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Jul 10 09:41:52 dhcp charon: 11[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)
Jul 10 09:41:52 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:52 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:52 dhcp charon: 12[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (92 bytes)
Jul 10 09:41:52 dhcp charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Jul 10 09:41:52 dhcp charon: 12[IKE] authentication of '10.1.1.5' with EAP successful
Jul 10 09:41:52 dhcp charon: 12[IKE] authentication of 'C=AU, O=EXAMPLE, CN=EXAMPLE AU' (myself) with EAP
Jul 10 09:41:52 dhcp charon: 12[IKE] IKE_SA IPSec-IKEv2-EAP[1] established between 10.0.0.2[C=AU, O=EXAMPLE, CN=EXAMPLE AU]...xxx.xxx.xxx.xxx[10.1.1.5]
Jul 10 09:41:52 dhcp charon: 12[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: CONNECTING => ESTABLISHED
Jul 10 09:41:52 dhcp charon: 12[IKE] peer requested virtual IP %any
Jul 10 09:41:52 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:52 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be via team0
Jul 10 09:41:53 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:53 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:54 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:54 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:54 dhcp charon: 06[MGR] ignoring request with ID 5, already processing
Jul 10 09:41:55 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:55 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:55 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:57 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:41:57 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:41:57 dhcp charon: 15[MGR] ignoring request with ID 5, already processing
Jul 10 09:41:58 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:41:58 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:41:58 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:42:00 dhcp chronyd[728]: NTP packet received from unauthorised Host 10.0.0.2 port 123
Jul 10 09:42:02 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:42:02 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:42:02 dhcp charon: 10[MGR] ignoring request with ID 5, already processing
Jul 10 09:42:02 dhcp charon: 12[CFG] sending DHCP DISCOVER to 255.255.255.255
Jul 10 09:42:02 dhcp dhcpd: DHCPDISCOVER from 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:42:02 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:0c:e0:49:be (shane) via team0
Jul 10 09:42:07 dhcp charon: 12[CFG] DHCP DISCOVER timed out
Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found for %any requested by 'shane'
Jul 10 09:42:07 dhcp charon: 12[IKE] peer requested virtual IP %any6
Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found for %any6 requested by 'shane'
Jul 10 09:42:07 dhcp charon: 12[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Jul 10 09:42:07 dhcp charon: 12[CFG] looking for a child config for ::/0 0.0.0.0/0 === ::/0 0.0.0.0/0
Jul 10 09:42:07 dhcp charon: 12[CFG] proposing traffic selectors for us:
Jul 10 09:42:07 dhcp charon: 12[CFG] 255.255.255.0/24
Jul 10 09:42:07 dhcp charon: 12[CFG] proposing traffic selectors for other:
Jul 10 09:42:07 dhcp charon: 12[CFG] 255.255.255.0/24
Jul 10 09:42:07 dhcp charon: 12[CFG] candidate "IPSec-IKEv2-EAP" with prio 1+1
Jul 10 09:42:07 dhcp charon: 12[CFG] found matching child config "IPSec-IKEv2-EAP" with prio 2
Jul 10 09:42:07 dhcp charon: 12[IKE] configuration payload negotiation failed, no CHILD_SA built
Jul 10 09:42:07 dhcp charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jul 10 09:42:07 dhcp charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
Jul 10 09:42:07 dhcp charon: 12[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (124 bytes)
Jul 10 09:42:07 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:42:07 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500]
Jul 10 09:42:07 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:42:07 dhcp charon: 11[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.0.0.2[4500] (76 bytes)
Jul 10 09:42:07 dhcp charon: 11[ENC] parsed INFORMATIONAL request 6 [ D ]
Jul 10 09:42:07 dhcp charon: 11[IKE] received DELETE for IKE_SA IPSec-IKEv2-EAP[1]
Jul 10 09:42:07 dhcp charon: 11[IKE] deleting IKE_SA IPSec-IKEv2-EAP[1] between 10.0.0.2[C=AU, O=EXAMPLE, CN=EXAMPLE AU]...xxx.xxx.xxx.xxx[10.1.1.5]
Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: ESTABLISHED => DELETING
Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA deleted
Jul 10 09:42:07 dhcp charon: 11[ENC] generating INFORMATIONAL response 6 [ ]
Jul 10 09:42:07 dhcp charon: 11[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500] (76 bytes)
Jul 10 09:42:07 dhcp charon: 11[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: DELETING => DESTROYING
Jul 10 09:42:07 dhcp charon: 04[NET] sending packet: from 10.0.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jul 10 09:42:08 dhcp charon: 01[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500]
Jul 10 09:42:08 dhcp charon: 01[NET] waiting for data on sockets
Jul 10 09:42:08 dhcp charon: 14[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.0.0.2[500] (384 bytes)
Jul 10 09:42:08 dhcp charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
Jul 10 09:42:08 dhcp charon: 14[CFG] looking for an ike config for 10.0.0.2...xxx.xxx.xxx.xxx
Jul 10 09:42:08 dhcp charon: 14[CFG] candidate: 10.0.0.2...%any, prio 1052
Jul 10 09:42:08 dhcp charon: 14[CFG] found matching ike config: 10.0.0.2...%any with prio 1052
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:08
Jul 10 09:42:08 dhcp charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
Jul 10 09:42:08 dhcp charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Jul 10 09:42:08 dhcp charon: 14[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Jul 10 09:42:08 dhcp charon: 14[IKE] xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Jul 10 09:42:08 dhcp charon: 14[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:42:08 dhcp charon: 14[CFG] selecting proposal:
Jul 10 09:42:08 dhcp charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 10 09:42:08 dhcp charon: 14[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:42:08 dhcp charon: 14[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 10 09:42:08 dhcp charon: 14[IKE] no proposal found
Jul 10 09:42:08 dhcp charon: 14[IKE] queueing INFORMATIONAL task
Jul 10 09:42:08 dhcp charon: 14[IKE] activating new tasks
Jul 10 09:42:08 dhcp charon: 14[IKE] activating INFORMATIONAL task
Jul 10 09:42:08 dhcp charon: 14[ENC] generating INFORMATIONAL_V1 request 2146740619 [ N(NO_PROP) ]
Jul 10 09:42:08 dhcp charon: 14[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500] (56 bytes)
Jul 10 09:42:08 dhcp charon: 14[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
Jul 10 09:42:08 dhcp charon: 04[NET] sending packet: from 10.0.0.2[500] to xxx.xxx.xxx.xxx[500]
そして新しい構成:
dhcp {
force_server_address = yes
interface = team0
load = yes
server = 255.255.255.255
}
解決しました!ページの下部にあるメモを参照してください(ここ)[1] ...前に指定したように、私はこれを試しましたが、運がありませんでした。チーム0になるために、em1とem2にNICチームがあります。StrongSwanはこのインターフェイスを考慮していないようです。
インターフェイスをteam0に変更したところ、サーバーは255.255.255.255でした。DHCPサーバーは要求を認識できましたが、VPNは応答を認識できませんでした。サーバーを10.0.0.255に設定し、インターフェイスをteam0に設定すると、すべてが機能し始めました。
したがって、コツは、NICチーミングを使用している場合、チームをインターフェイスとして指定し、サーバーをローカルブロードキャストアドレスとして指定する必要があるということです。force_server_addressをyesに設定する必要がありますが、identity_leaseは影響はないようです。
これが他の人を悪夢から救うことを願っています。
私の最終設定:
dhcp {
# Always use the configured server address.
force_server_address = yes
# Derive user-defined MAC address from hash of IKE identity.
identity_lease = yes
# Interface name the plugin uses for address allocation.
interface = team0
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
# DHCP server unicast or broadcast IP address.
server = 10.0.0.255
}
そして、私のログのDHCPセクションは今どのようになっていますか:
Jul 10 10:05:27 dhcp charon: 02[IKE] IKE_SA IPSec-IKEv2-EAP[1] state change: CONNECTING => ESTABLISHED
Jul 10 10:05:27 dhcp charon: 02[IKE] peer requested virtual IP %any
Jul 10 10:05:27 dhcp charon: 02[CFG] sending DHCP DISCOVER to 10.0.0.255
Jul 10 10:05:27 dhcp dhcpd: DHCPDISCOVER from 7a:a7:b4:f2:4e:dc via 10.0.0.2
Jul 10 10:05:28 dhcp charon: 02[CFG] sending DHCP DISCOVER to 10.0.0.255
Jul 10 10:05:28 dhcp dhcpd: DHCPOFFER on 10.0.0.188 to 7a:a7:b4:f2:4e:dc (shane) via 10.0.0.2
Jul 10 10:05:28 dhcp charon: 07[CFG] received DHCP OFFER 10.0.0.188 from 10.0.0.2
Jul 10 10:05:28 dhcp charon: 02[CFG] sending DHCP REQUEST for 10.0.0.188 to 10.0.0.2
Jul 10 10:05:28 dhcp dhcpd: DHCPREQUEST for 10.0.0.188 (10.0.0.2) from 7a:a7:b4:f2:4e:dc (shane) via 10.0.0.2
Jul 10 10:05:28 dhcp dhcpd: DHCPACK on 10.0.0.188 to 7a:a7:b4:f2:4e:dc (shane) via 10.0.0.2
Jul 10 10:05:28 dhcp charon: 08[CFG] received DHCP ACK for 10.0.0.188
Jul 10 10:05:28 dhcp charon: 02[IKE] assigning virtual IP 10.0.0.188 to peer 'shane'
DHCPデーモンは、Charonが何かを要求したことをログに記録するよりも速く、要求を受信していることをログに記録しているように見えることに注意してください。
これが他の誰かの時間と欲求不満を節約することを願っています。