文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >问答首页 >Ubuntu16.04下iOS NEVPNManager与StrongSwan的虚拟专用网连接

Ubuntu16.04下iOS NEVPNManager与StrongSwan的虚拟专用网连接
EN

Stack Overflow用户
提问于 2021-05-05 17:19:22
回答 1查看 187关注 0票数 0

我正在尝试在我的应用中创建vpn连接。在服务器端,在Ubuntu16.04上使用带有StrongSwan的IKEv2虚拟专用网络服务器。按此guid构建(https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04)。

当我试着连接的时候。服务器发送此日志:

代码语言:javascript
复制
 - May  5 08:58:21 ip-2 charon: 05[NET] received packet: from 3[500] to 2[500] (432 bytes)
 - May  5 08:58:21 ip-2 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
 - May  5 08:58:21 ip-2 charon: 05[IKE] 3 is initiating an IKE_SA
 - May  5 08:58:21 ip-2 charon: 05[IKE] local host is behind NAT, sending keep alives
 - May  5 08:58:21 ip-2 charon: 05[IKE] remote host is behind NAT
 - May  5 08:58:21 ip-2 charon: 05[IKE] received proposals inacceptable
 - May  5 08:58:21 ip-2 charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
 - May  5 08:58:21 ip-2 charon: 05[NET] sending packet: from 2[500] to 3[500] (36 bytes)
 - May  5 08:58:22 ip-2 charon: 16[NET] received packet: from 3[500] to 2[500] (432 bytes)
 - May  5 08:58:22 ip-2 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
 - May  5 08:58:22 ip-2 charon: 16[IKE] 3 is initiating an IKE_SA
 - May  5 08:58:22 ip-2 charon: 16[IKE] local host is behind NAT, sending keep alives
 - May  5 08:58:22 ip-2 charon: 16[IKE] remote host is behind NAT
 - May  5 08:58:22 ip-2 charon: 16[IKE] received proposals inacceptable
 - May  5 08:58:22 ip-2 charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
 - May  5 08:58:22 ip-2 charon: 16[NET] sending packet: from 2[500] to 3[500] (36 bytes)

我在服务器上使用以下配置:

代码语言:javascript
复制
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    lifetime=8h
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=<IP>
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!

在iOS上使用以下代码:

代码语言:javascript
复制
class VpnManager {
    
    let vpnManager = NEVPNManager.shared()
    let info = VPNINFO()
    
    func connectToVPN() {
        vpnManager.loadFromPreferences { error in
            guard error == nil else {
                print(error)
                return
            }

            let IKEv2Protocol = NEVPNProtocolIKEv2()
            IKEv2Protocol.serverAddress = self.info.serverAddress
            IKEv2Protocol.authenticationMethod = .certificate
            
            let certificate = SecCertificateCreateWithData(nil, Data(base64Encoded: self.info.cert)! as CFData)!
            let certificateData = SecCertificateCopyData(certificate) as Data
            IKEv2Protocol.identityData = certificateData
            
            self.vpnManager.protocolConfiguration = IKEv2Protocol
            self.vpnManager.isEnabled = true
            
            self.vpnManager.saveToPreferences { error in
                guard error == nil else {
                    print(error)
                    return
                }
                do {
                    try self.vpnManager.connection.startVPNTunnel(
                        options: ([
                            NEVPNConnectionStartOptionUsername: "username",
                            NEVPNConnectionStartOptionPassword: KeychainWrapper.passwordRefForVPNID("MY_PASSWORD")
                        ] as! [String: NSObject]))
                } catch let error {
                    print(error)
                }
            }
        }
    }
    
    
}

预期结果:已连接

实际结果: Connection ->断开连接

上次控制台日志:

代码语言:javascript
复制
Jun  4 15:44:51 charon: 06[NET] received packet: from <my ip>[500] to <server ip>[500] (304 bytes)
Jun  4 15:44:51 charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun  4 15:44:51 charon: 06[IKE] <my ip> is initiating an IKE_SA
Jun  4 15:44:51 charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun  4 15:44:51 charon: 06[IKE] local host is behind NAT, sending keep alives
Jun  4 15:44:51 charon: 06[IKE] remote host is behind NAT
Jun  4 15:44:51 charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun  4 15:44:51 charon: 06[NET] sending packet: from <server ip>[500] to <my ip>[500] (328 bytes)
Jun  4 15:44:51 charon: 05[NET] received packet: from <my ip>[500] to <server ip>[500] (304 bytes)
Jun  4 15:44:51 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun  4 15:44:51 charon: 05[IKE] <my ip> is initiating an IKE_SA
Jun  4 15:44:51 charon: 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun  4 15:44:51 charon: 05[IKE] local host is behind NAT, sending keep alives
Jun  4 15:44:51 charon: 05[IKE] remote host is behind NAT
Jun  4 15:44:51 charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun  4 15:44:51 charon: 05[NET] sending packet: from <server ip>[500] to <my ip>[500] (328 bytes)
Jun  4 15:45:11 charon: 08[IKE] sending keep alive to <my ip>[500]
Jun  4 15:45:11 charon: 09[IKE] sending keep alive to <my ip>[500]
Jun  4 15:45:21 charon: 10[JOB] deleting half open IKE_SA with <my ip> after timeout
Jun  4 15:45:21 charon: 11[JOB] deleting half open IKE_SA with <my ip> after timeout
ubuntu
vpn
nevpnmanager
strongswan
swift
EN

回答 1

Stack Overflow用户

发布于 2021-06-01 18:57:00

您的strongswan服务器配置了以下加密算法。

代码语言:javascript
复制
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!

解决方案

您需要在VPN Server支持的NEVPNProtocolIKEv2实例中指定密码。

代码语言:javascript
复制
    IKEv2Protocol.ikeSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256
    IKEv2Protocol.ikeSecurityAssociationParameters.integrityAlgorithm = .SHA96
    IKEv2Protocol.ikeSecurityAssociationParameters.diffieHellmanGroup = .group2 
    IKEv2Protocol.ikeSecurityAssociationParameters.lifetimeMinutes = 480
    
    IKEv2Protocol.childSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256
    IKEv2Protocol.childSecurityAssociationParameters.integrityAlgorithm = .SHA96
    IKEv2Protocol.childSecurityAssociationParameters.diffieHellmanGroup = .group2
    IKEv2Protocol.childSecurityAssociationParameters.lifetimeMinutes = 60
票数 0
EN
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://stackoverflow.com/questions/67398467

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档