拥有加密证书的Strongswan (IKEv2-EAP)

Question

我正在为VPN客户端配置Strongswan服务器以访问内部网络(EAP-IKEv2)。我使用自签名服务器证书成功地设置了它，在将ca.crt添加到客户端的根CA作为受信任的之后，它适用于使用Mac、Windows 7和Windows 10的客户端。

现在，我想切换到Letsencrypt证书，它应该是可信的，而不需要任何额外的客户端配置，不幸的是，由于某种原因，我无法让它正常工作。

服务器:Ubuntu18.04上的Strongswan版本5.6.2。客户端: Mac 10.14.2 / Ubuntu 18.04 / Windows 7/ Windows 10

我收到的Mac错误是：The VPN server did not respond。为了与没有将ca.crt添加到Mac的自签名证书进行比较，我将接收User Authentication failed。

当我将server.crt复制到客户端时，上面写着This certificate is valid。

我还尝试将DST根CA X3证书的IP安全性(IPsec，IPsec)设置为Always trust，并在Mac中将任何其他与加密相关的CA证书都设置为D4，但这没有帮助。

我还试图为Always Trust证书强制执行server.crt证书，但仍然没有成功。

我测试了所有提到的OSes (Linux使用强天鹅网络管理器applet)，但它没有工作。

因为我无法从Mac和Windows获得任何合理的调试日志，所以我使用没有网络管理器applet的Ubuntu在其他服务器上设置了Strongswan 客户机。它在客户端将DST_Root_CA_X3.pem证书从/etc/ssl/certs复制到/etc/ipsec.d/cacerts后开始工作。

我有三个问题：

1. 如何从Mac本地VPN客户端获取任何调试日志记录？
2. Strongswan VPN甚至可以使用Letsencrypt证书吗？这里有什么问题吗？
3. 你推荐其他可行的方法吗？浣熊，Openswan？让我按B计划离开OpenVPN。

下面你可以找到所有的细节。

谢谢你帮我。如有任何意见，我将不胜感激。

服务器

$ certbot certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email info@company.com -d vpn.company.com

$ cp /etc/letsencrypt/live/vpn.company.com/fullchain.pem /etc/ipsec.d/certs/server.crt
$ cp /etc/letsencrypt/live/vpn.company.com/privkey.pem /etc/ipsec.d/private/server.key

我知道strongswan只读取在server.crt中找到的第一个证书。但是，第二链证书被删除后，它仍然不能工作。如果我尝试将chain.pem添加到/etc/ipsec.d/ auth或/etc/ssl/certs中的任何其他CA证书中，这也是无效的，因为服务器上的CAcerts不会对客户端auth产生影响。

我还测试了将证书转换成DER和PEM格式。

PKI验证

$ ipsec pki --verify --in /etc/ipsec.d/certs/server.crt
no issuer certificate found for "CN=vpn.company.com"
  issuer is "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
  using trusted certificate "CN=vpn.company.com"
certificate trusted, lifetimes valid

证书详细信息

$ openssl x509 -in certs/server.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:50:51:[...]
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Mar  1 13:40:42 2019 GMT
            Not After : May 30 13:40:42 2019 GMT
        Subject: CN = vpn.company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e3:a8:ea:8e:[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                EC:6A:[...]
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:[...]

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:vpn.company.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 74:7E:DA:[...]
                    Timestamp : Mar  1 14:40:42.419 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:[...]
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:3C:51:[...]
                    Timestamp : Mar  1 14:40:42.499 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:[...]
    Signature Algorithm: sha256WithRSAEncryption
         8e:da:a3:[...]

ipsec.conf

config setup
  charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, asn 1, enc 1, lib 1, esp 1, tls 1, tnc 1, imc 1, imv 1, pts 1"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    fragmentation=no
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.company.com
  leftauth=pubkey
    leftcert=server.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
  leftfirewall=yes
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.255.255.0/24
    rightdns=1.1.1.1
    rightsendcert=never
    eap_identity=%identity

ipsec.secrets

vpn.company.com : RSA server.key
user %any% : EAP "user_password"

Strongswan服务器日志

ipsec[11918]: Starting strongSwan 5.6.2 IPsec [starter]...
ipsec_starter[11918]: Starting strongSwan 5.6.2 IPsec [starter]...
charon[11943]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64)
charon[11943]: 00[CFG] PKCS11 module '' lacks library path
charon[11943]: 00[CFG] disabling load-tester plugin, not configured
charon[11943]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
charon[11943]: 00[NET] could not open socket: Address family not supported by protocol
charon[11943]: 00[NET] could not open IPv6 socket, IPv6 disabled
charon[11943]: 00[KNL] received netlink error: Address family not supported by protocol (97)
charon[11943]: 00[KNL] unable to create IPv6 routing table rule
charon[11943]: 00[CFG] dnscert plugin is disabled
charon[11943]: 00[CFG] ipseckey plugin is disabled
charon[11943]: 00[CFG] attr-sql plugin: database URI not set
charon[11943]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon[11943]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon[11943]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon[11943]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon[11943]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon[11943]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon[11943]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
charon[11943]: 00[CFG]   loaded EAP secret for USERNAME_HERE %any%
charon[11943]: 00[CFG] sql plugin: database URI not set
charon[11943]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
charon[11943]: 00[CFG] eap-simaka-sql database URI missing
charon[11943]: 00[CFG] loaded 0 RADIUS server configurations
charon[11943]: 00[CFG] HA config misses local/remote address
charon[11943]: 00[CFG] no threshold configured for systime-fix, disabled
charon[11943]: 00[CFG] coupling file path unspecified
charon[11943]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
charon[11943]: 00[LIB] dropped capabilities, running as uid 0, gid 0
charon[11943]: 00[JOB] spawning 16 worker threads
ipsec[11918]: charon (11943) started after 40 ms
ipsec_starter[11918]: charon (11943) started after 40 ms
charon[11943]: 06[CFG] received stroke: add connection 'ikev2-vpn'
charon[11943]: 06[CFG] adding virtual IP address pool 10.255.255.0/24
charon[11943]: 06[CFG]   loaded certificate "CN=vpn.company.com" from 'server.crt'
charon[11943]: 06[CFG] added configuration 'ikev2-vpn'
charon[11943]: 08[NET] received packet: from CLIENT_IP_HERE[44709] to SERVER_IP_HERE[500] (604 bytes)
charon[11943]: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
charon[11943]: 08[IKE] CLIENT_IP_HERE is initiating an IKE_SA
charon[11943]: 08[IKE] CLIENT_IP_HERE is initiating an IKE_SA
charon[11943]: 08[IKE] remote host is behind NAT
charon[11943]: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
charon[11943]: 08[NET] sending packet: from SERVER_IP_HERE[500] to CLIENT_IP_HERE[44709] (440 bytes)
charon[11943]: 09[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 09[ENC] unknown attribute type (25)
charon[11943]: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon[11943]: 09[CFG] looking for peer configs matching SERVER_IP_HERE[vpn.company.com]...CLIENT_IP_HERE[CLIENT_LOCAL_IP_HERE]
charon[11943]: 09[CFG] selected peer config 'ikev2-vpn'
charon[11943]: 09[IKE] initiating EAP_IDENTITY method (id 0x00)
charon[11943]: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
charon[11943]: 09[IKE] peer supports MOBIKE
charon[11943]: 09[IKE] authentication of 'vpn.company.com' (myself) with RSA signature successful
charon[11943]: 09[IKE] sending end entity cert "CN=vpn.company.com"
charon[11943]: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon[11943]: 09[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
charon[11943]: 10[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 10[ENC] unknown attribute type (25)
ipsec[11918]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64)
ipsec[11918]: 00[CFG] PKCS11 module '' lacks library path
ipsec[11918]: 00[CFG] disabling load-tester plugin, not configured
ipsec[11918]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
ipsec[11918]: 00[NET] could not open socket: Address family not supported by protocol
ipsec[11918]: 00[NET] could not open IPv6 socket, IPv6 disabled
ipsec[11918]: 00[KNL] received netlink error: Address family not supported by protocol (97)
ipsec[11918]: 00[KNL] unable to create IPv6 routing table rule
ipsec[11918]: 00[CFG] dnscert plugin is disabled
ipsec[11918]: 00[CFG] ipseckey plugin is disabled
ipsec[11918]: 00[CFG] attr-sql plugin: database URI not set
ipsec[11918]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
ipsec[11918]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
ipsec[11918]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
ipsec[11918]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
ipsec[11918]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
ipsec[11918]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
ipsec[11918]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
ipsec[11918]: 00[CFG]   loaded EAP secret for USERNAME_HERE %any%
ipsec[11918]: 00[CFG] sql plugin: database URI not set
ipsec[11918]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
ipsec[11918]: 00[CFG] eap-simaka-sql database URI missing
ipsec[11918]: 00[CFG] loaded 0 RADIUS server configurations
ipsec[11918]: 00[CFG] HA config misses local/remote address
ipsec[11918]: 00[CFG] no threshold configured for systime-fix, disabled
ipsec[11918]: 00[CFG] coupling file path unspecified
charon[11943]: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
ipsec[11918]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
ipsec[11918]: 00[LIB] dropped capabilities, running as uid 0, gid 0
ipsec[11918]: 00[JOB] spawning 16 worker threads
ipsec[11918]: 06[CFG] received stroke: add connection 'ikev2-vpn'
ipsec[11918]: 06[CFG] adding virtual IP address pool 10.255.255.0/24
ipsec[11918]: 06[CFG]   loaded certificate "CN=vpn.company.com" from 'server.crt'
ipsec[11918]: 06[CFG] added configuration 'ikev2-vpn'
ipsec[11918]: 08[NET] received packet: from CLIENT_IP_HERE[44709] to SERVER_IP_HERE[500] (604 bytes)
ipsec[11918]: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
ipsec[11918]: 08[IKE] CLIENT_IP_HERE is initiating an IKE_SA
ipsec[11918]: 08[IKE] remote host is behind NAT
ipsec[11918]: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
ipsec[11918]: 08[NET] sending packet: from SERVER_IP_HERE[500] to CLIENT_IP_HERE[44709] (440 bytes)
ipsec[11918]: 09[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
ipsec[11918]: 09[ENC] unknown attribute type (25)
ipsec[11918]: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
ipsec[11918]: 09[CFG] looking for peer configs matching SERVER_IP_HERE[vpn.company.com]...CLIENT_IP_HERE[CLIENT_LOCAL_IP_HERE]
ipsec[11918]: 09[CFG] selected peer config 'ikev2-vpn'
ipsec[11918]: 09[IKE] initiating EAP_IDENTITY method (id 0x00)
charon[11943]: 10[IKE] received retransmit of request with ID 1, retransmitting response
ipsec[11918]: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
ipsec[11918]: 09[IKE] peer supports MOBIKE
ipsec[11918]: 09[IKE] authentication of 'vpn.company.com' (myself) with RSA signature successful
ipsec[11918]: 09[IKE] sending end entity cert "CN=vpn.company.com"
ipsec[11918]: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
ipsec[11918]: 09[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
ipsec[11918]: 10[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
ipsec[11918]: 10[ENC] unknown attribute type (25)
charon[11943]: 10[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
charon[11943]: 11[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 11[ENC] unknown attribute type (25)
charon[11943]: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon[11943]: 11[IKE] received retransmit of request with ID 1, retransmitting response
charon[11943]: 11[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
charon[11943]: 12[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 12[ENC] unknown attribute type (25)
charon[11943]: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon[11943]: 12[IKE] received retransmit of request with ID 1, retransmitting response
charon[11943]: 12[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)

编辑: Mac在启用碎片后开始工作。不幸的是，Windows 10最终出现了错误。从Windows 10连接时的服务器日志：

charon[12236]: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
charon[12236]: 06[NET] sending packet: from SERVER_IP_HERE[500] to CLIENT_IP_HERE[44742] (320 bytes)
charon[12236]: 09[NET] received packet: from CLIENT_IP_HERE[44743] to SERVER_IP_HERE[4500] (576 bytes)
charon[12236]: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
charon[12236]: 09[ENC] received fragment #1 of 2, waiting for complete IKE message
charon[12236]: 07[NET] received packet: from CLIENT_IP_HERE[44743] to SERVER_IP_HERE[4500] (368 bytes)
charon[12236]: 07[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
charon[12236]: 07[ENC] received fragment #2 of 2, reassembling fragmented IKE message
charon[12236]: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
charon[12236]: 07[IKE] received 27 cert requests for an unknown ca
charon[12236]: 07[CFG] looking for peer configs matching SERVER_IP_HERE[%any]...CLIENT_IP_HERE[CLIENT_LOCAL_IP_HERE]
charon[12236]: 07[CFG] selected peer config 'ikev2-vpn'
charon[12236]: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
charon[12236]: 07[IKE] authentication of 'vpn.autouncle.com' (myself) with RSA signature successful
charon[12236]: 07[IKE] sending end entity cert "CN=vpn.autouncle.com"
charon[12236]: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon[12236]: 07[ENC] splitting IKE message with length of 1740 bytes into 2 fragments
charon[12236]: 07[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
charon[12236]: 07[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
charon[12236]: 07[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44743] (1248 bytes)
charon[12236]: 07[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44743] (560 bytes)

Answer 1

可能是IP碎片问题。由于证书的缘故，IKE_AUTH响应大于MTU (1744字节)：

charon[11943]: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon[11943]: 09[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)

所以这会被分割成多个IP片段。有些路由器放弃这些，客户端可能无法接收完整的数据包。

幸运的是，客户端支持IKEv2碎片(FRAG_SUP通知)：

charon[11943]: 08[NET] received packet: from CLIENT_IP_HERE[44709] to SERVER_IP_HERE[500] (604 bytes)
charon[11943]: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]

因此，请尝试在服务器上启用IKEv2碎片，即启用fragmentation选项，或者在默认情况下删除它。

Answer 2

除了您的叶证书之外，您还需要安装Letsencrypt的中间证书！把那个chain.pem放回ipsec.d/仙人掌

您希望在您的强天鹅日志中看到的是，它同时将它们发送给它们：

charon: 07发送终端实体证书"CN=vpn.example.com“charon: 07发送颁发者证书"C=US，O=让我们加密，CN=让我们加密权限X3”

在Windows上，我强烈建议通过PowerShell创建和配置VPN条目，这允许您在GUI允许的范围之外调整参数。例如,

Add-VpnConnection -Name "My VPN" -ServerAddress vpn.example.com -TunnelType IKEv2 -AuthenticationMethod EAP -EncryptionLevel Maximum -RememberCredential:$True -SplitTunnel:$False -PassThru
Set-VpnConnectionIPsecConfiguration -ConnectionName "My VPN" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup Pfs2048 -PassThru -Force

这里的文档：undefined Set-VpnConnectionIPsecConfiguration

如果仍然有问题，请签入Windows事件日志。对于强work /letsencrypt设置，它肯定可以很好地工作。