IKEv2 is configured, but I cannot connect to the VPN server #1312

Closed
kevinliukaiwen opened this issue Jan 5, 2023 · 11 comments

@kevinliukaiwen

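I have already gone through the troubleshooting steps and could not find the problem. I can ping the VPS server using my own mobile data, but I just cannot connect to the server.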

@kevinliukaiwen
Author

Jan 5 09:42:22 vultr pluto[140878]: Initializing NSS using read-write database "sql:/etc/ipsec.d"
Jan 5 09:42:22 vultr pluto[140878]: FIPS Mode: NO
Jan 5 09:42:22 vultr pluto[140878]: NSS crypto library initialized
Jan 5 09:42:22 vultr pluto[140878]: FIPS mode disabled for pluto daemon
Jan 5 09:42:22 vultr pluto[140878]: FIPS HMAC integrity support [disabled]
Jan 5 09:42:22 vultr pluto[140878]: libcap-ng support [enabled]
Jan 5 09:42:22 vultr pluto[140878]: Linux audit support [disabled]
Jan 5 09:42:22 vultr pluto[140878]: Starting Pluto (Libreswan Version 4.9 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (native-KDF) SYSTEMD_WATCHDOG LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:140878
Jan 5 09:42:22 vultr pluto[140878]: core dump dir: /run/pluto
Jan 5 09:42:22 vultr pluto[140878]: secrets file: /etc/ipsec.secrets
Jan 5 09:42:22 vultr pluto[140878]: leak-detective enabled
Jan 5 09:42:22 vultr pluto[140878]: NSS crypto [enabled]
Jan 5 09:42:22 vultr pluto[140878]: XAUTH PAM support [enabled]
Jan 5 09:42:22 vultr pluto[140878]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
Jan 5 09:42:22 vultr pluto[140878]: NAT-Traversal support [enabled]
Jan 5 09:42:22 vultr pluto[140878]: Encryption algorithms:
Jan 5 09:42:22 vultr pluto[140878]: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c
Jan 5 09:42:22 vultr pluto[140878]: AES_CCM_12 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b
Jan 5 09:42:22 vultr pluto[140878]: AES_CCM_8 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a
Jan 5 09:42:22 vultr pluto[140878]: 3DES_CBC [*192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des
Jan 5 09:42:22 vultr pluto[140878]: CAMELLIA_CTR {256,192,*128} IKEv1: ESP IKEv2: ESP
Jan 5 09:42:22 vultr pluto[140878]: CAMELLIA_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia
Jan 5 09:42:22 vultr pluto[140878]: AES_GCM_16 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, aes_gcm_c
Jan 5 09:42:22 vultr pluto[140878]: AES_GCM_12 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b
Jan 5 09:42:22 vultr pluto[140878]: AES_GCM_8 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a
Jan 5 09:42:22 vultr pluto[140878]: AES_CTR {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr
Jan 5 09:42:22 vultr pluto[140878]: AES_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes
Jan 5 09:42:22 vultr pluto[140878]: NULL_AUTH_AES_GMAC {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac
Jan 5 09:42:22 vultr pluto[140878]: NULL [] IKEv1: ESP IKEv2: ESP
Jan 5 09:42:22 vultr pluto[140878]: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305
Jan 5 09:42:22 vultr pluto[140878]: Hash algorithms:
Jan 5 09:42:22 vultr pluto[140878]: MD5 IKEv1: IKE IKEv2: NSS
Jan 5 09:42:22 vultr pluto[140878]: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha
Jan 5 09:42:22 vultr pluto[140878]: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256
Jan 5 09:42:22 vultr pluto[140878]: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384
Jan 5 09:42:22 vultr pluto[140878]: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512
Jan 5 09:42:22 vultr pluto[140878]: IDENTITY IKEv1: IKEv2: FIPS
Jan 5 09:42:22 vultr pluto[140878]: PRF algorithms:
Jan 5 09:42:22 vultr pluto[140878]: HMAC_MD5 IKEv1: IKE IKEv2: IKE native(HMAC) md5
Jan 5 09:42:22 vultr pluto[140878]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1
Jan 5 09:42:22 vultr pluto[140878]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256
Jan 5 09:42:22 vultr pluto[140878]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384
Jan 5 09:42:22 vultr pluto[140878]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512
Jan 5 09:42:22 vultr pluto[140878]: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc
Jan 5 09:42:22 vultr pluto[140878]: Integrity algorithms:
Jan 5 09:42:22 vultr pluto[140878]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH native(HMAC) md5, hmac_md5
Jan 5 09:42:22 vultr pluto[140878]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1
Jan 5 09:42:22 vultr pluto[140878]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Jan 5 09:42:22 vultr pluto[140878]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Jan 5 09:42:22 vultr pluto[140878]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Jan 5 09:42:22 vultr pluto[140878]: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Jan 5 09:42:22 vultr pluto[140878]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
Jan 5 09:42:22 vultr pluto[140878]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Jan 5 09:42:22 vultr pluto[140878]: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Jan 5 09:42:22 vultr pluto[140878]: DH algorithms:
Jan 5 09:42:22 vultr pluto[140878]: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0
Jan 5 09:42:22 vultr pluto[140878]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh2
Jan 5 09:42:22 vultr pluto[140878]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5
Jan 5 09:42:22 vultr pluto[140878]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14
Jan 5 09:42:22 vultr pluto[140878]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15
Jan 5 09:42:22 vultr pluto[140878]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16
Jan 5 09:42:22 vultr pluto[140878]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17
Jan 5 09:42:22 vultr pluto[140878]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18
Jan 5 09:42:22 vultr pluto[140878]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256
Jan 5 09:42:22 vultr pluto[140878]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384
Jan 5 09:42:22 vultr pluto[140878]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521
Jan 5 09:42:22 vultr pluto[140878]: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519
Jan 5 09:42:22 vultr pluto[140878]: IPCOMP algorithms:
Jan 5 09:42:22 vultr pluto[140878]: DEFLATE IKEv1: ESP AH IKEv2: ESP AH FIPS
Jan 5 09:42:22 vultr pluto[140878]: LZS IKEv1: IKEv2: ESP AH FIPS
Jan 5 09:42:22 vultr pluto[140878]: LZJH IKEv1: IKEv2: ESP AH FIPS
Jan 5 09:42:22 vultr pluto[140878]: testing CAMELLIA_CBC:
Jan 5 09:42:22 vultr pluto[140878]: Camellia: 16 bytes with 128-bit key
Jan 5 09:42:22 vultr pluto[140878]: Camellia: 16 bytes with 128-bit key
Jan 5 09:42:22 vultr pluto[140878]: Camellia: 16 bytes with 256-bit key
Jan 5 09:42:22 vultr pluto[140878]: Camellia: 16 bytes with 256-bit key
Jan 5 09:42:22 vultr pluto[140878]: testing AES_GCM_16:
Jan 5 09:42:22 vultr pluto[140878]: empty string
Jan 5 09:42:22 vultr pluto[140878]: one block
Jan 5 09:42:22 vultr pluto[140878]: two blocks
Jan 5 09:42:22 vultr pluto[140878]: two blocks with associated data
Jan 5 09:42:22 vultr pluto[140878]: testing AES_CTR:
Jan 5 09:42:22 vultr pluto[140878]: Encrypting 16 octets using AES-CTR with 128-bit key
Jan 5 09:42:22 vultr pluto[140878]: Encrypting 32 octets using AES-CTR with 128-bit key
Jan 5 09:42:22 vultr pluto[140878]: Encrypting 36 octets using AES-CTR with 128-bit key
Jan 5 09:42:22 vultr pluto[140878]: Encrypting 16 octets using AES-CTR with 192-bit key
Jan 5 09:42:22 vultr pluto[140878]: Encrypting 32 octets using AES-CTR with 192-bit key
Jan 5 09:42:22 vultr pluto[140878]: Encrypting 36 octets using AES-CTR with 192-bit key
Jan 5 09:42:22 vultr pluto[140878]: Encrypting 16 octets using AES-CTR with 256-bit key
Jan 5 09:42:22 vultr pluto[140878]: Encrypting 32 octets using AES-CTR with 256-bit key
Jan 5 09:42:22 vultr pluto[140878]: Encrypting 36 octets using AES-CTR with 256-bit key
Jan 5 09:42:22 vultr pluto[140878]: testing AES_CBC:
Jan 5 09:42:22 vultr pluto[140878]: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Jan 5 09:42:22 vultr pluto[140878]: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Jan 5 09:42:22 vultr pluto[140878]: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Jan 5 09:42:22 vultr pluto[140878]: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Jan 5 09:42:22 vultr pluto[140878]: testing AES_XCBC:
Jan 5 09:42:22 vultr pluto[140878]: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
Jan 5 09:42:22 vultr pluto[140878]: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
Jan 5 09:42:22 vultr pluto[140878]: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
Jan 5 09:42:22 vultr pluto[140878]: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
Jan 5 09:42:22 vultr pluto[140878]: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
Jan 5 09:42:22 vultr pluto[140878]: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
Jan 5 09:42:22 vultr pluto[140878]: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
Jan 5 09:42:22 vultr pluto[140878]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Jan 5 09:42:22 vultr pluto[140878]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Jan 5 09:42:22 vultr pluto[140878]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Jan 5 09:42:22 vultr pluto[140878]: testing HMAC_MD5:
Jan 5 09:42:22 vultr pluto[140878]: RFC 2104: MD5_HMAC test 1
Jan 5 09:42:22 vultr pluto[140878]: RFC 2104: MD5_HMAC test 2
Jan 5 09:42:22 vultr pluto[140878]: RFC 2104: MD5_HMAC test 3
Jan 5 09:42:22 vultr pluto[140878]: testing HMAC_SHA1:
Jan 5 09:42:22 vultr pluto[140878]: CAVP: IKEv2 key derivation with HMAC-SHA1
Jan 5 09:42:22 vultr pluto[140878]: 1 CPU cores online
Jan 5 09:42:22 vultr pluto[140878]: starting up 1 helper threads
Jan 5 09:42:22 vultr pluto[140878]: started thread for helper 0
Jan 5 09:42:22 vultr pluto[140878]: using Linux xfrm kernel support code on #1 SMP Debian 5.10.149-2 (2022-10-21)
Jan 5 09:42:22 vultr pluto[140878]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Jan 5 09:42:22 vultr pluto[140878]: watchdog: sending probes every 100 secs
Jan 5 09:42:22 vultr pluto[140878]: helper(1) seccomp security for helper not supported
Jan 5 09:42:22 vultr pluto[140878]: seccomp security not supported
Jan 5 09:42:22 vultr pluto[140878]: "l2tp-psk": added IKEv1 connection
Jan 5 09:42:22 vultr pluto[140878]: "xauth-psk": added IKEv1 connection
Jan 5 09:42:22 vultr pluto[140878]: listening for IKE messages
Jan 5 09:42:22 vultr pluto[140878]: Kernel supports NIC esp-hw-offload
Jan 5 09:42:22 vultr pluto[140878]: adding UDP interface enp1s0 149.28.132.175:500
Jan 5 09:42:22 vultr pluto[140878]: adding UDP interface enp1s0 149.28.132.175:4500
Jan 5 09:42:22 vultr pluto[140878]: adding UDP interface lo 127.0.0.1:500
Jan 5 09:42:22 vultr pluto[140878]: adding UDP interface lo 127.0.0.1:4500
Jan 5 09:42:22 vultr pluto[140878]: adding UDP interface lo [::1]:500
Jan 5 09:42:22 vultr pluto[140878]: adding UDP interface lo [::1]:4500
Jan 5 09:42:22 vultr pluto[140878]: adding UDP interface enp1s0 [2001:19f0:4400:693c:5400:4ff:fe41:6059]:500
Jan 5 09:42:22 vultr pluto[140878]: adding UDP interface enp1s0 [2001:19f0:4400:693c:5400:4ff:fe41:6059]:4500
Jan 5 09:42:22 vultr pluto[140878]: loading secrets from "/etc/ipsec.secrets"
Jan 5 09:42:29 vultr pluto[140878]: shutting down
Jan 5 09:42:29 vultr pluto[140878]: Pluto is shutting down
Jan 5 09:42:29 vultr pluto[140878]: forgetting secrets
Jan 5 09:42:29 vultr pluto[140878]: shutting down interface enp1s0 [2001:19f0:4400:693c:5400:4ff:fe41:6059]:4500
Jan 5 09:42:29 vultr pluto[140878]: shutting down interface enp1s0 [2001:19f0:4400:693c:5400:4ff:fe41:6059]:500
Jan 5 09:42:29 vultr pluto[140878]: shutting down interface lo [::1]:4500
Jan 5 09:42:29 vultr pluto[140878]: shutting down interface lo [::1]:500
Jan 5 09:42:29 vultr pluto[140878]: shutting down interface lo 127.0.0.1:4500
Jan 5 09:42:29 vultr pluto[140878]: shutting down interface lo 127.0.0.1:500
Jan 5 09:42:29 vultr pluto[140878]: shutting down interface enp1s0 149.28.132.175:4500
Jan 5 09:42:29 vultr pluto[140878]: shutting down interface enp1s0 149.28.132.175:500
Jan 5 09:42:29 vultr pluto[140878]: leak detective found no leaks
Jan 5 09:42:29 vultr pluto[141268]: Initializing NSS using read-write database "sql:/etc/ipsec.d"
Jan 5 09:42:29 vultr pluto[141268]: FIPS Mode: NO
Jan 5 09:42:29 vultr pluto[141268]: NSS crypto library initialized
Jan 5 09:42:29 vultr pluto[141268]: FIPS mode disabled for pluto daemon
Jan 5 09:42:29 vultr pluto[141268]: FIPS HMAC integrity support [disabled]
Jan 5 09:42:29 vultr pluto[141268]: libcap-ng support [enabled]
Jan 5 09:42:29 vultr pluto[141268]: Linux audit support [disabled]
Jan 5 09:42:29 vultr pluto[141268]: Starting Pluto (Libreswan Version 4.9 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (native-KDF) SYSTEMD_WATCHDOG LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:141268
Jan 5 09:42:29 vultr pluto[141268]: core dump dir: /run/pluto
Jan 5 09:42:29 vultr pluto[141268]: secrets file: /etc/ipsec.secrets
Jan 5 09:42:29 vultr pluto[141268]: leak-detective enabled
Jan 5 09:42:29 vultr pluto[141268]: NSS crypto [enabled]
Jan 5 09:42:29 vultr pluto[141268]: XAUTH PAM support [enabled]
Jan 5 09:42:29 vultr pluto[141268]: initializing libevent in pthreads mode: headers: 2.1.12-stable (2010c00); library: 2.1.12-stable (2010c00)
Jan 5 09:42:29 vultr pluto[141268]: NAT-Traversal support [enabled]
Jan 5 09:42:29 vultr pluto[141268]: Encryption algorithms:
Jan 5 09:42:29 vultr pluto[141268]: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c
Jan 5 09:42:29 vultr pluto[141268]: AES_CCM_12 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b
Jan 5 09:42:29 vultr pluto[141268]: AES_CCM_8 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a
Jan 5 09:42:29 vultr pluto[141268]: 3DES_CBC [*192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des
Jan 5 09:42:29 vultr pluto[141268]: CAMELLIA_CTR {256,192,*128} IKEv1: ESP IKEv2: ESP
Jan 5 09:42:29 vultr pluto[141268]: CAMELLIA_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia
Jan 5 09:42:29 vultr pluto[141268]: AES_GCM_16 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, aes_gcm_c
Jan 5 09:42:29 vultr pluto[141268]: AES_GCM_12 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b
Jan 5 09:42:29 vultr pluto[141268]: AES_GCM_8 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a
Jan 5 09:42:29 vultr pluto[141268]: AES_CTR {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr
Jan 5 09:42:29 vultr pluto[141268]: AES_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes
Jan 5 09:42:29 vultr pluto[141268]: NULL_AUTH_AES_GMAC {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac
Jan 5 09:42:29 vultr pluto[141268]: NULL [] IKEv1: ESP IKEv2: ESP
Jan 5 09:42:29 vultr pluto[141268]: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305
Jan 5 09:42:29 vultr pluto[141268]: Hash algorithms:
Jan 5 09:42:29 vultr pluto[141268]: MD5 IKEv1: IKE IKEv2: NSS
Jan 5 09:42:29 vultr pluto[141268]: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha
Jan 5 09:42:29 vultr pluto[141268]: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256
Jan 5 09:42:29 vultr pluto[141268]: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384
Jan 5 09:42:29 vultr pluto[141268]: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512
Jan 5 09:42:29 vultr pluto[141268]: IDENTITY IKEv1: IKEv2: FIPS
Jan 5 09:42:29 vultr pluto[141268]: PRF algorithms:
Jan 5 09:42:29 vultr pluto[141268]: HMAC_MD5 IKEv1: IKE IKEv2: IKE native(HMAC) md5
Jan 5 09:42:29 vultr pluto[141268]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1
Jan 5 09:42:29 vultr pluto[141268]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256
Jan 5 09:42:29 vultr pluto[141268]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384
Jan 5 09:42:29 vultr pluto[141268]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512
Jan 5 09:42:29 vultr pluto[141268]: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc
Jan 5 09:42:29 vultr pluto[141268]: Integrity algorithms:
Jan 5 09:42:29 vultr pluto[141268]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH native(HMAC) md5, hmac_md5
Jan 5 09:42:29 vultr pluto[141268]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1
Jan 5 09:42:29 vultr pluto[141268]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Jan 5 09:42:29 vultr pluto[141268]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Jan 5 09:42:29 vultr pluto[141268]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Jan 5 09:42:29 vultr pluto[141268]: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Jan 5 09:42:29 vultr pluto[141268]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
Jan 5 09:42:29 vultr pluto[141268]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Jan 5 09:42:29 vultr pluto[141268]: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Jan 5 09:42:29 vultr pluto[141268]: DH algorithms:
Jan 5 09:42:29 vultr pluto[141268]: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0
Jan 5 09:42:29 vultr pluto[141268]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh2
Jan 5 09:42:29 vultr pluto[141268]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5
Jan 5 09:42:29 vultr pluto[141268]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14
Jan 5 09:42:29 vultr pluto[141268]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15
Jan 5 09:42:29 vultr pluto[141268]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16
Jan 5 09:42:29 vultr pluto[141268]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17
Jan 5 09:42:29 vultr pluto[141268]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18
Jan 5 09:42:29 vultr pluto[141268]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256
Jan 5 09:42:29 vultr pluto[141268]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384
Jan 5 09:42:29 vultr pluto[141268]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521
Jan 5 09:42:29 vultr pluto[141268]: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519
Jan 5 09:42:29 vultr pluto[141268]: IPCOMP algorithms:
Jan 5 09:42:29 vultr pluto[141268]: DEFLATE IKEv1: ESP AH IKEv2: ESP AH FIPS
Jan 5 09:42:29 vultr pluto[141268]: LZS IKEv1: IKEv2: ESP AH FIPS
Jan 5 09:42:29 vultr pluto[141268]: LZJH IKEv1: IKEv2: ESP AH FIPS
Jan 5 09:42:29 vultr pluto[141268]: testing CAMELLIA_CBC:
Jan 5 09:42:29 vultr pluto[141268]: Camellia: 16 bytes with 128-bit key
Jan 5 09:42:29 vultr pluto[141268]: Camellia: 16 bytes with 128-bit key
Jan 5 09:42:29 vultr pluto[141268]: Camellia: 16 bytes with 256-bit key
Jan 5 09:42:29 vultr pluto[141268]: Camellia: 16 bytes with 256-bit key
Jan 5 09:42:29 vultr pluto[141268]: testing AES_GCM_16:
Jan 5 09:42:29 vultr pluto[141268]: empty string
Jan 5 09:42:29 vultr pluto[141268]: one block
Jan 5 09:42:29 vultr pluto[141268]: two blocks
Jan 5 09:42:29 vultr pluto[141268]: two blocks with associated data
Jan 5 09:42:29 vultr pluto[141268]: testing AES_CTR:
Jan 5 09:42:29 vultr pluto[141268]: Encrypting 16 octets using AES-CTR with 128-bit key
Jan 5 09:42:29 vultr pluto[141268]: Encrypting 32 octets using AES-CTR with 128-bit key
Jan 5 09:42:29 vultr pluto[141268]: Encrypting 36 octets using AES-CTR with 128-bit key
Jan 5 09:42:29 vultr pluto[141268]: Encrypting 16 octets using AES-CTR with 192-bit key
Jan 5 09:42:29 vultr pluto[141268]: Encrypting 32 octets using AES-CTR with 192-bit key
Jan 5 09:42:29 vultr pluto[141268]: Encrypting 36 octets using AES-CTR with 192-bit key
Jan 5 09:42:29 vultr pluto[141268]: Encrypting 16 octets using AES-CTR with 256-bit key
Jan 5 09:42:29 vultr pluto[141268]: Encrypting 32 octets using AES-CTR with 256-bit key
Jan 5 09:42:29 vultr pluto[141268]: Encrypting 36 octets using AES-CTR with 256-bit key
Jan 5 09:42:29 vultr pluto[141268]: testing AES_CBC:
Jan 5 09:42:29 vultr pluto[141268]: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Jan 5 09:42:29 vultr pluto[141268]: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Jan 5 09:42:29 vultr pluto[141268]: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Jan 5 09:42:29 vultr pluto[141268]: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Jan 5 09:42:29 vultr pluto[141268]: testing AES_XCBC:
Jan 5 09:42:29 vultr pluto[141268]: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
Jan 5 09:42:29 vultr pluto[141268]: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
Jan 5 09:42:29 vultr pluto[141268]: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
Jan 5 09:42:29 vultr pluto[141268]: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
Jan 5 09:42:29 vultr pluto[141268]: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
Jan 5 09:42:29 vultr pluto[141268]: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
Jan 5 09:42:29 vultr pluto[141268]: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
Jan 5 09:42:29 vultr pluto[141268]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Jan 5 09:42:29 vultr pluto[141268]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Jan 5 09:42:29 vultr pluto[141268]: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Jan 5 09:42:29 vultr pluto[141268]: testing HMAC_MD5:
Jan 5 09:42:29 vultr pluto[141268]: RFC 2104: MD5_HMAC test 1
Jan 5 09:42:29 vultr pluto[141268]: RFC 2104: MD5_HMAC test 2
Jan 5 09:42:29 vultr pluto[141268]: RFC 2104: MD5_HMAC test 3
Jan 5 09:42:29 vultr pluto[141268]: testing HMAC_SHA1:
Jan 5 09:42:29 vultr pluto[141268]: CAVP: IKEv2 key derivation with HMAC-SHA1
Jan 5 09:42:29 vultr pluto[141268]: 1 CPU cores online
Jan 5 09:42:29 vultr pluto[141268]: starting up 1 helper threads
Jan 5 09:42:29 vultr pluto[141268]: started thread for helper 0
Jan 5 09:42:29 vultr pluto[141268]: using Linux xfrm kernel support code on #1 SMP Debian 5.10.149-2 (2022-10-21)
Jan 5 09:42:29 vultr pluto[141268]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Jan 5 09:42:29 vultr pluto[141268]: watchdog: sending probes every 100 secs
Jan 5 09:42:29 vultr pluto[141268]: seccomp security not supported
Jan 5 09:42:29 vultr pluto[141268]: helper(1) seccomp security for helper not supported
Jan 5 09:42:29 vultr pluto[141268]: "l2tp-psk": added IKEv1 connection
Jan 5 09:42:29 vultr pluto[141268]: "xauth-psk": added IKEv1 connection
Jan 5 09:42:29 vultr pluto[141268]: "ikev2-cp": IKE SA proposals (connection add):
Jan 5 09:42:29 vultr pluto[141268]: "ikev2-cp": 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Jan 5 09:42:29 vultr pluto[141268]: "ikev2-cp": 2:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Jan 5 09:42:29 vultr pluto[141268]: "ikev2-cp": 3:IKE=AES_CBC_256-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Jan 5 09:42:29 vultr pluto[141268]: "ikev2-cp": 4:IKE=AES_CBC_128-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Jan 5 09:42:29 vultr pluto[141268]: "ikev2-cp": Child SA proposals (connection add):
Jan 5 09:42:29 vultr pluto[141268]: "ikev2-cp": 1:ESP=AES_GCM_C_128+AES_GCM_C_256-NONE-NONE-ENABLED+DISABLED
Jan 5 09:42:29 vultr pluto[141268]: "ikev2-cp": 2:ESP=AES_CBC_128-HMAC_SHA1_96-NONE-ENABLED+DISABLED
Jan 5 09:42:29 vultr pluto[141268]: "ikev2-cp": 3:ESP=AES_CBC_256-HMAC_SHA1_96-NONE-ENABLED+DISABLED
Jan 5 09:42:29 vultr pluto[141268]: "ikev2-cp": 4:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
Jan 5 09:42:29 vultr pluto[141268]: "ikev2-cp": 5:ESP=AES_CBC_256-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
Jan 5 09:42:29 vultr pluto[141268]: "ikev2-cp": loaded private key matching left certificate '149.28.132.175'
Jan 5 09:42:29 vultr pluto[141268]: "ikev2-cp": added IKEv2 connection
Jan 5 09:42:29 vultr pluto[141268]: listening for IKE messages
Jan 5 09:42:29 vultr pluto[141268]: Kernel supports NIC esp-hw-offload
Jan 5 09:42:29 vultr pluto[141268]: adding UDP interface enp1s0 149.28.132.175:500
Jan 5 09:42:29 vultr pluto[141268]: adding UDP interface enp1s0 149.28.132.175:4500
Jan 5 09:42:29 vultr pluto[141268]: adding UDP interface lo 127.0.0.1:500
Jan 5 09:42:29 vultr pluto[141268]: adding UDP interface lo 127.0.0.1:4500
Jan 5 09:42:29 vultr pluto[141268]: adding UDP interface lo [::1]:500
Jan 5 09:42:29 vultr pluto[141268]: adding UDP interface lo [::1]:4500
Jan 5 09:42:29 vultr pluto[141268]: adding UDP interface enp1s0 [2001:19f0:4400:693c:5400:4ff:fe41:6059]:500
Jan 5 09:42:29 vultr pluto[141268]: adding UDP interface enp1s0 [2001:19f0:4400:693c:5400:4ff:fe41:6059]:4500
Jan 5 09:42:29 vultr pluto[141268]: forgetting secrets
Jan 5 09:42:29 vultr pluto[141268]: loading secrets from "/etc/ipsec.secrets"

@kevinliukaiwen
Author

Jan 5 09:18:46 vultr xl2tpd[128276]: Not looking for kernel SAref support.
Jan 5 09:18:46 vultr xl2tpd[128276]: Using l2tp kernel support.
Jan 5 09:18:46 vultr xl2tpd[128272]: Starting xl2tpd: xl2tpd.
Jan 5 09:18:46 vultr xl2tpd[128280]: xl2tpd version xl2tpd-1.3.12 started on vultr PID:128280
Jan 5 09:18:46 vultr xl2tpd[128280]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jan 5 09:18:46 vultr xl2tpd[128280]: Forked by Scott Balmos and David Stipp, (C) 2001
Jan 5 09:18:46 vultr xl2tpd[128280]: Inherited by Jeff McAdams, (C) 2002
Jan 5 09:18:46 vultr xl2tpd[128280]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Jan 5 09:18:46 vultr xl2tpd[128280]: Listening on IP address 0.0.0.0, port 1701
Jan 5 09:42:22 vultr xl2tpd[128280]: death_handler: Fatal signal 15 received
Jan 5 09:42:22 vultr xl2tpd[140885]: Stopping xl2tpd: xl2tpd.
Jan 5 09:42:22 vultr systemd[1]: xl2tpd.service: Succeeded.
Jan 5 09:42:22 vultr xl2tpd[140893]: Not looking for kernel SAref support.
Jan 5 09:42:22 vultr xl2tpd[140893]: Using l2tp kernel support.
Jan 5 09:42:22 vultr xl2tpd[140890]: Starting xl2tpd: xl2tpd.
Jan 5 09:42:22 vultr xl2tpd[140894]: xl2tpd version xl2tpd-1.3.12 started on vultr PID:140894
Jan 5 09:42:22 vultr xl2tpd[140894]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jan 5 09:42:22 vultr xl2tpd[140894]: Forked by Scott Balmos and David Stipp, (C) 2001
Jan 5 09:42:22 vultr xl2tpd[140894]: Inherited by Jeff McAdams, (C) 2002
Jan 5 09:42:22 vultr xl2tpd[140894]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Jan 5 09:42:22 vultr xl2tpd[140894]: Listening on IP address 0.0.0.0, port 1701

@hwdsl2
Owner

hwdsl2 commented Jan 5, 2023

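@kevinliukaiwen Hello! Your logs do not show any connection request from the VPN client, which means the connection request did not reach the server. For servers with an external firewall (such as EC2/GCE), you need to open UDP ports 500 and 4500 for the VPN. Alibaba Cloud users, please see #433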

@hwdsl2 hwdsl2 closed this as completed Jan 5, 2023
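
The check described in the reply above (connections loaded and listeners open, but no client request in the log), as an added example that is not part of the thread or the project's code. The log excerpt is copied from the issue; the per-peer line and its assumed prefix `"conn"[n] PEER #serial:` are constructed for contrast.

```python
import re

# Syslog prefix up to "pluto[PID]: "; the rest is pluto's own message.
PLUTO = re.compile(r"pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$")
LISTEN = re.compile(r"^adding UDP interface \S+ \S+:(?P<port>\d+)$")
ADDED = re.compile(r'^"(?P<conn>[^"]+)": added (?P<ver>IKEv[12]) connection$')
# Assumption: messages tied to a negotiation start with '"conn"[n] PEER #serial: '.
STATE = re.compile(r'^"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #\d+: ')

# Lines copied from the log posted in the issue (two pluto runs, shortened).
PAGE_EXCERPT = """\
Jan 5 09:42:22 vultr pluto[140878]: "l2tp-psk": added IKEv1 connection
Jan 5 09:42:22 vultr pluto[140878]: "xauth-psk": added IKEv1 connection
Jan 5 09:42:22 vultr pluto[140878]: adding UDP interface enp1s0 149.28.132.175:500
Jan 5 09:42:22 vultr pluto[140878]: adding UDP interface enp1s0 149.28.132.175:4500
Jan 5 09:42:29 vultr pluto[140878]: shutting down
Jan 5 09:42:29 vultr pluto[141268]: using Linux xfrm kernel support code on #1 SMP Debian 5.10.149-2 (2022-10-21)
Jan 5 09:42:29 vultr pluto[141268]: "l2tp-psk": added IKEv1 connection
Jan 5 09:42:29 vultr pluto[141268]: "xauth-psk": added IKEv1 connection
Jan 5 09:42:29 vultr pluto[141268]: "ikev2-cp": added IKEv2 connection
Jan 5 09:42:29 vultr pluto[141268]: listening for IKE messages
Jan 5 09:42:29 vultr pluto[141268]: adding UDP interface enp1s0 149.28.132.175:500
Jan 5 09:42:29 vultr pluto[141268]: adding UDP interface enp1s0 149.28.132.175:4500
Jan 5 09:42:29 vultr pluto[141268]: adding UDP interface lo [::1]:4500
Jan 5 09:42:29 vultr pluto[141268]: loading secrets from "/etc/ipsec.secrets"
"""

# Constructed line (not from the issue), using a documentation address as the peer.
CONSTRUCTED_PEER_LINE = (
    'Jan 5 09:50:01 vultr pluto[141268]: "ikev2-cp"[1] 203.0.113.7 #1: '
    "constructed sample message\n"
)


def summarize(log_text):
    """Group pluto lines by daemon PID: listening ports, loaded connections, peers seen."""
    runs = {}
    for line in log_text.splitlines():
        m = PLUTO.search(line)
        if not m:
            continue
        run = runs.setdefault(m["pid"], {"ports": set(), "conns": {}, "peers": set()})
        msg = m["msg"]
        if (hit := LISTEN.match(msg)):
            run["ports"].add(int(hit["port"]))
        elif (hit := ADDED.match(msg)):
            run["conns"][hit["conn"]] = hit["ver"]
        elif (hit := STATE.match(msg)):
            run["peers"].add(hit["peer"])
    return runs


def diagnose(run, conn="ikev2-cp"):
    """Classify one pluto run, checking the server side before blaming the network path."""
    if conn not in run["conns"]:
        return "connection_not_loaded"   # daemon started without the IKEv2 connection
    if not {500, 4500} <= run["ports"]:
        return "not_listening"           # IKE / NAT-T sockets were never opened
    if not run["peers"]:
        return "no_client_traffic"       # nothing arrived: look at the path, UDP 500/4500
    return "client_reached_server"       # requests arrive: look at auth/proposals instead


if __name__ == "__main__":
    for pid, run in summarize(PAGE_EXCERPT).items():
        print(pid, sorted(run["ports"]), sorted(run["conns"]), diagnose(run))
    with_peer = summarize(PAGE_EXCERPT + CONSTRUCTED_PEER_LINE)
    print("with constructed peer line:", diagnose(with_peer["141268"]))
```

On the excerpt from the issue, the second run has `ikev2-cp` loaded and both ports open but no peer lines, which is the situation the reply diagnoses.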
@kevinliukaiwen
Author

image

@kevinliukaiwen
Author

Ports 500 and 4500 are both open, but I still cannot connect.

@hwdsl2
Owner

hwdsl2 commented Jan 6, 2023

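@kevinliukaiwen If your server uses an external firewall such as Vultr firewall, you need to open the above ports in the external firewall as well. If you still cannot connect, you can try reinstalling on a different server.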

@kevinliukaiwen
Author

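> @kevinliukaiwen If your server uses an external firewall such as Vultr firewall, you need to open the above ports in the external firewall as well. If you still cannot connect, you can try reinstalling on a different server.

I have already switched servers and it still does not work. It is set up on a Vultr server, and the firewall is not enabled.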

@kevinliukaiwen
Author

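> @kevinliukaiwen Hello! Your logs do not show any connection request from the VPN client, which means the connection request did not reach the server. For servers with an external firewall (such as EC2/GCE), you need to open UDP ports 500 and 4500 for the VPN. Alibaba Cloud users, please see #433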

image

@kevinliukaiwen
Author

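> @kevinliukaiwen If your server uses an external firewall such as Vultr firewall, you need to open the above ports in the external firewall as well. If you still cannot connect, you can try reinstalling on a different server.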

image

@kevinliukaiwen
Author

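> @kevinliukaiwen If your server uses an external firewall such as Vultr firewall, you need to open the above ports in the external firewall as well. If you still cannot connect, you can try reinstalling on a different server.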

image

I tested it myself: ports 500 and 4500 are both blocked by the Great Firewall. Is there any way to solve this?

@hwdsl2
Owner

hwdsl2 commented Jan 13, 2023

@kevinliukaiwen Hello! In this situation, IPsec VPN is relatively easy to interfere with. I suggest switching to another solution such as Shadowsocks.
