strongswan does not authorize

Author admsasha, 19 August 2024, 07:48:59


admsasha

/etc/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.mydomain.ru
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!


/etc/ipsec.secrets
: RSA "server-key.pem"

admsasha : EAP "123456"
user1 : EAP "test"



авг 19 13:40:44 vpn charon[25339]: 08[NET] received packet: from x.x.x.x[47497] to y.y.y.y[500] (1128 bytes)
авг 19 13:40:44 vpn charon[25339]: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
авг 19 13:40:44 vpn charon[25339]: 08[IKE] x.x.x.x is initiating an IKE_SA
авг 19 13:40:44 vpn charon[25339]: 08[IKE] x.x.x.x is initiating an IKE_SA
авг 19 13:40:44 vpn charon[25339]: 08[IKE] remote host is behind NAT
авг 19 13:40:44 vpn charon[25339]: 08[IKE] DH group ECP_256 unacceptable, requesting CURVE_25519
авг 19 13:40:44 vpn charon[25339]: 08[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
авг 19 13:40:44 vpn charon[25339]: 08[NET] sending packet: from y.y.y.y[500] to x.x.x.x[47497] (38 bytes)
авг 19 13:40:44 vpn charon[25339]: 09[NET] received packet: from x.x.x.x[47497] to y.y.y.y[500] (1096 bytes)
авг 19 13:40:44 vpn charon[25339]: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
авг 19 13:40:44 vpn charon[25339]: 09[IKE] x.x.x.x is initiating an IKE_SA
авг 19 13:40:44 vpn charon[25339]: 09[IKE] x.x.x.x is initiating an IKE_SA
авг 19 13:40:44 vpn charon[25339]: 09[IKE] remote host is behind NAT
авг 19 13:40:44 vpn charon[25339]: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
авг 19 13:40:44 vpn charon[25339]: 09[NET] sending packet: from y.y.y.y[500] to x.x.x.x[47497] (236 bytes)
авг 19 13:40:44 vpn charon[25339]: 10[NET] received packet: from x.x.x.x[42626] to y.y.y.y[4500] (466 bytes)
авг 19 13:40:44 vpn charon[25339]: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS NBNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
авг 19 13:40:44 vpn charon[25339]: 10[IKE] received cert request for "CN=VPN root CA"
авг 19 13:40:44 vpn charon[25339]: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
авг 19 13:40:44 vpn charon[25339]: 10[IKE] peer supports MOBIKE
авг 19 13:40:44 vpn charon[25339]: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
авг 19 13:40:44 vpn charon[25339]: 10[IKE] authentication of 'vpn.mydomain.ru' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
авг 19 13:40:44 vpn charon[25339]: 10[IKE] sending end entity cert "CN=vpn.mydomain.ru"
авг 19 13:40:44 vpn charon[25339]: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
авг 19 13:40:44 vpn charon[25339]: 10[ENC] splitting IKE message (1969 bytes) into 2 fragments
авг 19 13:40:44 vpn charon[25339]: 10[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
авг 19 13:40:44 vpn charon[25339]: 10[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
авг 19 13:40:44 vpn charon[25339]: 10[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[42626] (1248 bytes)
авг 19 13:40:44 vpn charon[25339]: 10[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[42626] (786 bytes)
авг 19 13:40:44 vpn charon[25339]: 12[NET] received packet: from x.x.x.x[42626] to y.y.y.y[4500] (74 bytes)
авг 19 13:40:44 vpn charon[25339]: 12[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
авг 19 13:40:44 vpn charon[25339]: 12[IKE] received EAP identity 'admsasha'
авг 19 13:40:44 vpn charon[25339]: 12[IKE] initiating EAP_MSCHAPV2 method (id 0xC1)
авг 19 13:40:44 vpn charon[25339]: 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
авг 19 13:40:44 vpn charon[25339]: 12[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[42626] (97 bytes)
авг 19 13:40:44 vpn charon[25339]: 13[NET] received packet: from x.x.x.x[42626] to y.y.y.y[4500] (128 bytes)
авг 19 13:40:44 vpn charon[25339]: 13[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
авг 19 13:40:44 vpn charon[25339]: 13[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
авг 19 13:40:46 vpn charon[25339]: 13[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
авг 19 13:40:46 vpn charon[25339]: 13[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[42626] (114 bytes)
авг 19 13:40:46 vpn charon[25339]: 14[NET] received packet: from x.x.x.x[42626] to y.y.y.y[4500] (65 bytes)
авг 19 13:40:46 vpn charon[25339]: 14[ENC] parsed INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
авг 19 13:40:46 vpn charon[25339]: 14[ENC] generating INFORMATIONAL response 4 [ ]
авг 19 13:40:46 vpn charon[25339]: 14[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[42626] (57 bytes)


I followed the instructions here: https://www.vitaliy.org/post/7243

What could be the reason for the failed authorization?

I am also logging in from Linux, via NetworkManager (KDE).



alladyn77

From the log it is clear that the DH group is incorrect: the settings on the client and server sides are incompatible.
The log has a message about a certificate request for "CN=VPN root CA", i.e. the cert either does not match the request or is installed incorrectly.
Check the encryption parameters (including the DH groups).
Check the certificates.
Check NAT settings compatibility.
And in general, what have you done to solve the problem, what does the author himself suggest? Judging by the comments, the person is responsive and answers questions.

admsasha

I tried to create the VPN connection from different sources. Always the same message.

EAP-MS-CHAPv2 verification failed, retry (1)


alladyn77

This error can be caused by incorrect credentials, incompatible protocol versions, wrong settings for handling EAP-MS-CHAPv2 requests, or a conflict with other software.
Is EAP-MS-CHAPv2 support enabled on the server?
Are ports 500 and 4500 open?
What have you done to solve the problem, did you contact the article's author?

admsasha

> Is EAP-MS-CHAPv2 support enabled on the server?
Besides what is in the config, does it need to be enabled somewhere else?

> Are ports 500 and 4500 open?
Yes, they are open. Moreover, I turned off the firewall (iptables) entirely.

> What have you done to solve the problem, did you contact the article's author?
My attempts were to find a solution and to try other articles. In the end I got the same result. I did not contact the article's author. I have just written to him now; let's see what he answers.


alladyn77

sudo swanctl --list-algs: are the eap-mschapv2 and md4 plugins activated? Worth checking.
Check that the client and server certificates are installed and configured correctly via leftcert and rightcert in the configuration.
Enable an extended debug level in /etc/ipsec.conf
charondebug="ike 2, knl 2, cfg 2, eap 2"
sudo systemctl restart strongswan
sudo journalctl -u strongswan -f
Pay attention to "failed", "error", "warning", "invalid".
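A triage script for the charon log in the first post and for the "look for failed/error/warning" step above, added here as an example (not strongSwan's code and not from either poster). It walks the exchange in order, so a failure that comes after "authentication of ... (myself) ... successful" and "received EAP identity" is reported as a credential mismatch for that identity rather than a certificate or DH-group problem, and it checks the identity against the EAP entries of ipsec.secrets. The sample log lines are copied from the first post; the sample secrets file is constructed with placeholder passwords.

```python
"""Triage of a strongSwan charon journal excerpt: how far the IKEv2 exchange got, where it
stopped, and whether the EAP identity seen in the log has an EAP entry in ipsec.secrets.
Added for this thread, not strongSwan's own code; sample log lines are copied from the first
post (addresses were masked there already), the sample secrets file is constructed."""
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Journal line: "<date> <host> charon[pid]: <thread>[<subsys>] <message>" (or "ipsec[pid]:").
LINE_RE = re.compile(r"(?:charon|ipsec)\[\d+\]:\s+\d+\[\w+\]\s+(.*)$")
DH_RE = re.compile(r"DH group (\w+) unacceptable, requesting (\w+)")
SERVER_AUTH_RE = re.compile(r"authentication of '[^']+' \(myself\) with \w+ successful")
IDENTITY_RE = re.compile(r"received EAP identity '([^']+)'")
METHOD_RE = re.compile(r"initiating (EAP_\w+) method")
EAP_FAIL_RE = re.compile(r"EAP-MS-CHAPv2 verification failed, retry \((\d+)\)")
SECRET_RE = re.compile(r"^\s*([^:#]*?)\s*:\s*EAP\s+")  # "<id> [<id>...] : EAP ..."
STAGES = ["NONE", "IKE_SA_INIT", "SERVER_AUTH", "EAP_IDENTITY", "EAP_METHOD", "ESTABLISHED"]

@dataclass
class Triage:
    stage: str = "NONE"                          # furthest stage reached
    dh_retry: Optional[Tuple[str, str]] = None   # (group rejected, group requested)
    eap_identity: Optional[str] = None
    eap_method: Optional[str] = None
    eap_failures: int = 0
    auth_failed: bool = False
    hint: str = ""

def eap_identities(secrets_text: str) -> Set[str]:  # identities with an EAP line; RSA lines skipped
    ids: Set[str] = set()
    for line in secrets_text.splitlines():
        m = SECRET_RE.match(line)
        if m:
            ids.update(m.group(1).split())
    return ids

def triage(log_text: str, secrets_text: str = "") -> Triage:
    t = Triage()
    def reach(stage: str) -> None:  # stages only move forward: the client may retry INIT
        if STAGES.index(stage) > STAGES.index(t.stage):
            t.stage = stage
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        msg = m.group(1)
        if "IKE_SA_INIT request" in msg:
            reach("IKE_SA_INIT")
        elif DH_RE.search(msg):
            # N(INVAL_KE) is a normal renegotiation, not an error: the client guessed a group.
            t.dh_retry = DH_RE.search(msg).groups()
        elif SERVER_AUTH_RE.search(msg):
            reach("SERVER_AUTH")
        elif IDENTITY_RE.search(msg):
            t.eap_identity = IDENTITY_RE.search(msg).group(1)
            reach("EAP_IDENTITY")
        elif METHOD_RE.search(msg) and "EAP_IDENTITY" not in msg:
            t.eap_method = METHOD_RE.search(msg).group(1)
            reach("EAP_METHOD")
        elif EAP_FAIL_RE.search(msg):
            t.eap_failures = int(EAP_FAIL_RE.search(msg).group(1))
        elif "N(AUTH_FAILED)" in msg:
            t.auth_failed = True
        elif "established between" in msg:
            reach("ESTABLISHED")
    t.hint = hint_for(t, eap_identities(secrets_text))
    return t

def hint_for(t: Triage, known: Set[str]) -> str:
    if t.stage == "ESTABLISHED":
        return "IKE_SA established: authentication is fine."
    if t.stage in ("NONE", "IKE_SA_INIT"):
        return "IKE_AUTH never completed on the server side: check UDP 500/4500, then the [CFG] lines (proposals, leftcert, key)."
    if t.stage == "EAP_METHOD" and (t.eap_failures or t.auth_failed):
        who = t.eap_identity or "?"
        cause = ("has an EAP entry, so the client's response was computed from a different password"
                 if who in known else "has no EAP entry in ipsec.secrets; the identity must match exactly")
        return (f"proposals, NAT and the server certificate were accepted; {t.eap_method} failed "
                f"for identity '{who}', which {cause}.")
    return f"exchange stopped after {t.stage}; read the lines that follow it."

# Sample input copied from the first post's log (already masked there).
SAMPLE_LOG = """\
авг 19 13:40:44 vpn charon[25339]: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
авг 19 13:40:44 vpn charon[25339]: 08[IKE] DH group ECP_256 unacceptable, requesting CURVE_25519
авг 19 13:40:44 vpn charon[25339]: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
авг 19 13:40:44 vpn charon[25339]: 10[IKE] authentication of 'vpn.mydomain.ru' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
авг 19 13:40:44 vpn charon[25339]: 12[IKE] received EAP identity 'admsasha'
авг 19 13:40:44 vpn charon[25339]: 12[IKE] initiating EAP_MSCHAPV2 method (id 0xC1)
авг 19 13:40:44 vpn charon[25339]: 13[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
авг 19 13:40:46 vpn charon[25339]: 14[ENC] parsed INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
"""
# Constructed ipsec.secrets: the first post's identities with placeholder passwords.
SAMPLE_SECRETS = """\
: RSA "server-key.pem"
admsasha : EAP "placeholder-1"
user1 : EAP "placeholder-2"
"""
```

Run `triage(open("/path/to/journal.txt").read(), open("/etc/ipsec.secrets").read()).hint` on a real excerpt; the INVAL_KE round trip in the first post is recorded in `dh_retry` but is not treated as a failure.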

admsasha

Here, this is already strange.
swanctl --list-algs|egrep -i 'eap-mschapv2|md4'
  HASH_MD4[openssl]

Where is eap-mschapv2 enabled?

19 August 2024, 15:55:41
# swanctl --list-algs
encryption:
  AES_CBC[aes]
  AES_ECB[aes]
  RC2_CBC[rc2]
  3DES_CBC[openssl]
  AES_CTR[openssl]
  AES_CFB[openssl]
  CAMELLIA_CBC[openssl]
  CAMELLIA_CTR[openssl]
  CAST_CBC[openssl]
  BLOWFISH_CBC[openssl]
  DES_CBC[openssl]
  DES_ECB[openssl]
  NULL[openssl]
  SERPENT_CBC[gcrypt]
  TWOFISH_CBC[gcrypt]
integrity:
  HMAC_MD5_96[openssl]
  HMAC_MD5_128[openssl]
  HMAC_SHA1_96[openssl]
  HMAC_SHA1_128[openssl]
  HMAC_SHA1_160[openssl]
  HMAC_SHA2_256_128[openssl]
  HMAC_SHA2_256_256[openssl]
  HMAC_SHA2_384_192[openssl]
  HMAC_SHA2_384_384[openssl]
  HMAC_SHA2_512_256[openssl]
  HMAC_SHA2_512_512[openssl]
  HMAC_SHA2_256_96[af-alg]
  AES_XCBC_96[af-alg]
  CAMELLIA_XCBC_96[af-alg]
  AES_CMAC_96[cmac]
aead:
  AES_GCM_16[openssl]
  AES_GCM_12[openssl]
  AES_GCM_8[openssl]
  AES_CCM_16[openssl]
  AES_CCM_12[openssl]
  AES_CCM_8[openssl]
  CHACHA20_POLY1305[openssl]
  CAMELLIA_CCM_8[ccm]
  CAMELLIA_CCM_12[ccm]
  CAMELLIA_CCM_16[ccm]
hasher:
  HASH_SHA1[sha1]
  HASH_SHA2_224[sha2]
  HASH_SHA2_256[sha2]
  HASH_SHA2_384[sha2]
  HASH_SHA2_512[sha2]
  HASH_MD5[md5]
  HASH_MD4[openssl]
  HASH_SHA3_224[openssl]
  HASH_SHA3_256[openssl]
  HASH_SHA3_384[openssl]
  HASH_SHA3_512[openssl]
  HASH_IDENTITY[openssl]
prf:
  PRF_KEYED_SHA1[sha1]
  PRF_HMAC_MD5[openssl]
  PRF_HMAC_SHA1[openssl]
  PRF_HMAC_SHA2_256[openssl]
  PRF_HMAC_SHA2_384[openssl]
  PRF_HMAC_SHA2_512[openssl]
  PRF_AES128_XCBC[af-alg]
  PRF_CAMELLIA128_XCBC[af-alg]
  PRF_FIPS_SHA1_160[fips-prf]
  PRF_AES128_CMAC[cmac]
xof:
  XOF_MGF1_SHA1[mgf1]
  XOF_MGF1_SHA224[mgf1]
  XOF_MGF1_SHA256[mgf1]
  XOF_MGF1_SHA384[mgf1]
  XOF_MGF1_SHA512[mgf1]
  XOF_SHAKE128[openssl]
  XOF_SHAKE256[openssl]
  XOF_CHACHA20[chapoly]
kdf:
  KDF_PRF[openssl]
  KDF_PRF_PLUS[openssl]
drbg:
  DRBG_CTR_AES128[drbg]
  DRBG_CTR_AES192[drbg]
  DRBG_CTR_AES256[drbg]
  DRBG_HMAC_SHA1[drbg]
  DRBG_HMAC_SHA256[drbg]
  DRBG_HMAC_SHA384[drbg]
  DRBG_HMAC_SHA512[drbg]
dh:
  MODP_3072[openssl]
  MODP_4096[openssl]
  MODP_6144[openssl]
  MODP_8192[openssl]
  MODP_2048[openssl]
  MODP_2048_224[openssl]
  MODP_2048_256[openssl]
  MODP_1536[openssl]
  MODP_1024[openssl]
  MODP_1024_160[openssl]
  MODP_768[openssl]
  MODP_CUSTOM[openssl]
  CURVE_25519[openssl]
  CURVE_448[openssl]
  ECP_256[openssl]
  ECP_384[openssl]
  ECP_521[openssl]
  ECP_224[openssl]
  ECP_192[openssl]
  ECP_256_BP[openssl]
  ECP_384_BP[openssl]
  ECP_512_BP[openssl]
  ECP_224_BP[openssl]
rng:
  RNG_WEAK[openssl]
  RNG_STRONG[random]
  RNG_TRUE[random]
nonce-gen:
  NONCE_GEN[nonce]

19 August 2024, 15:58:05
$ cat /etc/strongswan.d/charon/eap-mschapv2.conf

eap-mschapv2 {

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

}

19 August 2024, 16:01:20
BUT
# ipsec listplugins | grep ^eap
eap-identity:
eap-aka:
eap-md5:
eap-gtc:
eap-mschapv2:
eap-radius:
eap-tls:
eap-ttls:
eap-tnc:

alladyn77

It looks like the plugin is installed and enabled but inactive...
However, swanctl --list-algs | egrep -i 'eap-mschapv2|md4' shows only HASH_MD4[openssl], which at first glance suggests that eap-mschapv2 is not being used.
Try reinstalling it: sudo apt-get install --reinstall strongswan-plugin-eap-mschapv2
sudo systemctl restart strongswan
sudo journalctl -u strongswan -f
If that doesn't help, try temporarily raising the debug level.

admsasha

Debian 12 doesn't seem to have this package
# apt-get install --reinstall strongswan-plugin-eap-mschapv2
Чтение списков пакетов... Готово
Построение дерева зависимостей... Готово
Чтение информации о состоянии... Готово
E: Невозможно найти пакет strongswan-plugin-eap-mschapv2

I reinstalled this one instead
# apt-cache search mschapv2
libcharon-extauth-plugins - strongSwan charon library (extended authentication plugins)


Didn't help :(

charondebug="ike 2, knl 2, cfg 2, esp 2"

авг 20 13:19:09 vpn charon[48405]: 11[NET] received packet: from x.x.x.x[45864] to y.y.y.y[500] (1128 bytes)
авг 20 13:19:09 vpn ipsec[48405]: 06[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
авг 20 13:19:09 vpn ipsec[48405]: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
авг 20 13:19:09 vpn ipsec[48405]: 06[NET] sending packet: from y.y.y.y[500] to x.x.x.x[53237] (236 bytes)
авг 20 13:19:09 vpn ipsec[48405]: 07[NET] received packet: from x.x.x.x[51807] to y.y.y.y[4500] (466 bytes)
авг 20 13:19:09 vpn ipsec[48405]: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS NBNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
авг 20 13:19:09 vpn ipsec[48405]: 07[IKE] local endpoint changed from y.y.y.y[500] to y.y.y.y[4500]
авг 20 13:19:09 vpn ipsec[48405]: 07[IKE] remote endpoint changed from x.x.x.x[53237] to x.x.x.x[51807]
авг 20 13:19:09 vpn ipsec[48405]: 07[IKE] received cert request for "CN=VPN root CA"
авг 20 13:19:09 vpn ipsec[48405]: 07[CFG] looking for peer configs matching y.y.y.y[%any]...x.x.x.x[admsasha]
авг 20 13:19:09 vpn ipsec[48405]: 07[CFG]  candidate "ikev2-vpn", match: 1/1/28 (me/other/ike)
авг 20 13:19:09 vpn ipsec[48405]: 07[CFG] selected peer config 'ikev2-vpn'
авг 20 13:19:09 vpn ipsec[48405]: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
авг 20 13:19:09 vpn ipsec[48405]: 07[IKE] processing INTERNAL_IP4_ADDRESS attribute
авг 20 13:19:09 vpn ipsec[48405]: 07[IKE] processing INTERNAL_IP6_ADDRESS attribute
авг 20 13:19:09 vpn ipsec[48405]: 07[IKE] processing INTERNAL_IP4_DNS attribute
авг 20 13:19:09 vpn ipsec[48405]: 07[IKE] processing INTERNAL_IP4_NBNS attribute
авг 20 13:19:09 vpn ipsec[48405]: 07[IKE] processing INTERNAL_IP6_DNS attribute
авг 20 13:19:09 vpn ipsec[48405]: 07[IKE] peer supports MOBIKE
авг 20 13:19:09 vpn ipsec[48405]: 07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
авг 20 13:19:09 vpn ipsec[48405]: 07[IKE] authentication of 'vpn.mydomain.ru' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
авг 20 13:19:09 vpn ipsec[48405]: 07[IKE] sending end entity cert "CN=vpn.mydomain.ru"
авг 20 13:19:09 vpn ipsec[48405]: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
авг 20 13:19:09 vpn ipsec[48405]: 07[ENC] splitting IKE message (1969 bytes) into 2 fragments
авг 20 13:19:09 vpn ipsec[48405]: 07[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
авг 20 13:19:09 vpn ipsec[48405]: 07[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
авг 20 13:19:09 vpn ipsec[48405]: 07[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[51807] (1248 bytes)
авг 20 13:19:09 vpn ipsec[48405]: 07[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[51807] (786 bytes)
авг 20 13:19:09 vpn charon[48405]: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
авг 20 13:19:09 vpn ipsec[48405]: 08[NET] received packet: from x.x.x.x[51807] to y.y.y.y[4500] (74 bytes)
авг 20 13:19:09 vpn ipsec[48405]: 08[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
авг 20 13:19:09 vpn ipsec[48405]: 08[IKE] received EAP identity 'admsasha'
авг 20 13:19:09 vpn ipsec[48405]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0xFB)
авг 20 13:19:09 vpn ipsec[48405]: 08[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
авг 20 13:19:09 vpn ipsec[48405]: 08[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[51807] (97 bytes)
авг 20 13:19:09 vpn ipsec[48405]: 10[NET] received packet: from x.x.x.x[51807] to y.y.y.y[4500] (128 bytes)
авг 20 13:19:09 vpn ipsec[48405]: 10[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
авг 20 13:19:09 vpn ipsec[48405]: 10[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
авг 20 13:19:09 vpn ipsec[48405]: 10[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
авг 20 13:19:09 vpn ipsec[48405]: 10[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[51807] (114 bytes)
авг 20 13:19:09 vpn ipsec[48405]: 14[NET] received packet: from x.x.x.x[51807] to y.y.y.y[4500] (65 bytes)
авг 20 13:19:09 vpn ipsec[48405]: 14[ENC] parsed INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
авг 20 13:19:09 vpn ipsec[48405]: 14[ENC] generating INFORMATIONAL response 4 [ ]
авг 20 13:19:09 vpn ipsec[48405]: 14[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[51807] (57 bytes)
авг 20 13:19:09 vpn ipsec[48405]: 07[JOB] deleting half open IKE_SA with x.x.x.x after timeout
авг 20 13:19:09 vpn ipsec[48405]: 07[IKE] IKE_SA ikev2-vpn[2] state change: CONNECTING => DESTROYING
авг 20 13:19:09 vpn ipsec[48405]: 11[NET] received packet: from x.x.x.x[45864] to y.y.y.y[500] (1128 bytes)
авг 20 13:19:09 vpn ipsec[48405]: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
авг 20 13:19:09 vpn ipsec[48405]: 11[CFG] looking for an IKEv2 config for y.y.y.y...x.x.x.x
авг 20 13:19:09 vpn ipsec[48405]: 11[CFG]  candidate: %any...%any, prio 28
авг 20 13:19:09 vpn ipsec[48405]: 11[CFG] found matching ike config: %any...%any with prio 28
авг 20 13:19:09 vpn ipsec[48405]: 11[IKE] local endpoint changed from 0.0.0.0[500] to y.y.y.y[500]
авг 20 13:19:09 vpn ipsec[48405]: 11[IKE] remote endpoint changed from 0.0.0.0 to x.x.x.x[45864]
авг 20 13:19:09 vpn ipsec[48405]: 11[IKE] x.x.x.x is initiating an IKE_SA
авг 20 13:19:09 vpn ipsec[48405]: 11[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
авг 20 13:19:09 vpn ipsec[48405]: 11[CFG] selecting proposal:
авг 20 13:19:09 vpn ipsec[48405]: 11[CFG]  no acceptable ENCRYPTION_ALGORITHM found
авг 20 13:19:09 vpn ipsec[48405]: 11[CFG] selecting proposal:
авг 20 13:19:09 vpn ipsec[48405]: 11[CFG]  proposal matches
авг 20 13:19:09 vpn charon[48405]: 11[CFG] looking for an IKEv2 config for y.y.y.y...x.x.x.x
авг 20 13:19:09 vpn charon[48405]: 11[CFG]  candidate: %any...%any, prio 28
авг 20 13:19:09 vpn charon[48405]: 11[CFG] found matching ike config: %any...%any with prio 28
авг 20 13:19:09 vpn charon[48405]: 11[IKE] local endpoint changed from 0.0.0.0[500] to y.y.y.y[500]
авг 20 13:19:09 vpn charon[48405]: 11[IKE] remote endpoint changed from 0.0.0.0 to x.x.x.x[45864]
авг 20 13:19:09 vpn charon[48405]: 11[IKE] x.x.x.x is initiating an IKE_SA
авг 20 13:19:09 vpn charon[48405]: 11[IKE] x.x.x.x is initiating an IKE_SA
авг 20 13:19:09 vpn charon[48405]: 11[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
авг 20 13:19:09 vpn charon[48405]: 11[CFG] selecting proposal:
авг 20 13:19:09 vpn charon[48405]: 11[CFG]  no acceptable ENCRYPTION_ALGORITHM found
авг 20 13:19:09 vpn charon[48405]: 11[CFG] selecting proposal:
авг 20 13:19:09 vpn charon[48405]: 11[CFG]  proposal matches
авг 20 13:19:09 vpn charon[48405]: 11[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
авг 20 13:19:09 vpn charon[48405]: 11[CFG] configured proposals: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
авг 20 13:19:09 vpn charon[48405]: 11[CFG] selected proposal: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519
авг 20 13:19:09 vpn charon[48405]: 11[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
авг 20 13:19:09 vpn charon[48405]: 11[IKE] remote host is behind NAT
авг 20 13:19:09 vpn charon[48405]: 11[IKE] DH group ECP_256 unacceptable, requesting CURVE_25519
авг 20 13:19:09 vpn charon[48405]: 11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
авг 20 13:19:09 vpn charon[48405]: 11[NET] sending packet: from y.y.y.y[500] to x.x.x.x[45864] (38 bytes)
авг 20 13:19:09 vpn charon[48405]: 11[IKE] IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
авг 20 13:19:09 vpn charon[48405]: 10[NET] received packet: from x.x.x.x[45864] to y.y.y.y[500] (1096 bytes)
авг 20 13:19:09 vpn ipsec[48405]: 11[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
авг 20 13:19:09 vpn ipsec[48405]: 11[CFG] configured proposals: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
авг 20 13:19:09 vpn ipsec[48405]: 11[CFG] selected proposal: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519
авг 20 13:19:09 vpn ipsec[48405]: 11[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
авг 20 13:19:09 vpn ipsec[48405]: 11[IKE] remote host is behind NAT
авг 20 13:19:09 vpn ipsec[48405]: 11[IKE] DH group ECP_256 unacceptable, requesting CURVE_25519
авг 20 13:19:09 vpn ipsec[48405]: 11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
авг 20 13:19:09 vpn ipsec[48405]: 11[NET] sending packet: from y.y.y.y[500] to x.x.x.x[45864] (38 bytes)
авг 20 13:19:09 vpn ipsec[48405]: 11[IKE] IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
авг 20 13:19:09 vpn charon[48405]: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
авг 20 13:19:09 vpn ipsec[48405]: 10[NET] received packet: from x.x.x.x[45864] to y.y.y.y[500] (1096 bytes)
авг 20 13:19:09 vpn ipsec[48405]: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
авг 20 13:19:09 vpn ipsec[48405]: 10[CFG] looking for an IKEv2 config for y.y.y.y...x.x.x.x
авг 20 13:19:09 vpn ipsec[48405]: 10[CFG]  candidate: %any...%any, prio 28
авг 20 13:19:09 vpn ipsec[48405]: 10[CFG] found matching ike config: %any...%any with prio 28
авг 20 13:19:09 vpn ipsec[48405]: 10[IKE] local endpoint changed from 0.0.0.0[500] to y.y.y.y[500]
авг 20 13:19:09 vpn ipsec[48405]: 10[IKE] remote endpoint changed from 0.0.0.0 to x.x.x.x[45864]
авг 20 13:19:09 vpn ipsec[48405]: 10[IKE] x.x.x.x is initiating an IKE_SA
авг 20 13:19:09 vpn ipsec[48405]: 10[IKE] IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
авг 20 13:19:09 vpn ipsec[48405]: 10[CFG] selecting proposal:
авг 20 13:19:09 vpn ipsec[48405]: 10[CFG]  no acceptable ENCRYPTION_ALGORITHM found
авг 20 13:19:09 vpn ipsec[48405]: 10[CFG] selecting proposal:
авг 20 13:19:09 vpn ipsec[48405]: 10[CFG]  proposal matches
авг 20 13:19:09 vpn ipsec[48405]: 10[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/CURVE_25519/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_448/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/CURVE_25519/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_448/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
авг 20 13:19:09 vpn charon[48405]: 10[CFG] looking for an IKEv2 config for y.y.y.y...x.x.x.x
авг 20 13:19:09 vpn ipsec[48405]: 10[CFG] configured proposals: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
авг 20 13:19:09 vpn charon[48405]: 10[CFG]  candidate: %any...%any, prio 28
авг 20 13:19:09 vpn charon[48405]: 10[CFG] found matching ike config: %any...%any with prio 28
авг 20 13:19:09 vpn charon[48405]: 10[IKE] local endpoint changed from 0.0.0.0[500] to y.y.y.y[500]
авг 20 13:19:09 vpn charon[48405]: 10[IKE] remote endpoint changed from 0.0.0.0 to x.x.x.x[45864]
авг 20 13:19:09 vpn charon[48405]: 10[IKE] x.x.x.x is initiating an IKE_SA
авг 20 13:19:09 vpn charon[48405]: 10[IKE] x.x.x.x is initiating an IKE_SA
авг 20 13:19:09 vpn charon[48405]: 10[IKE] IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
авг 20 13:19:09 vpn charon[48405]: 10[CFG] selecting proposal:
авг 20 13:19:09 vpn charon[48405]: 10[CFG]  no acceptable ENCRYPTION_ALGORITHM found
авг 20 13:19:09 vpn charon[48405]: 10[CFG] selecting proposal:
авг 20 13:19:09 vpn charon[48405]: 10[CFG]  proposal matches
авг 20 13:19:09 vpn charon[48405]: 10[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/CURVE_25519/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_448/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CHACHA20_POLY1305/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/CURVE_25519/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_448/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
авг 20 13:19:09 vpn charon[48405]: 10[CFG] configured proposals: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
авг 20 13:19:09 vpn charon[48405]: 10[CFG] selected proposal: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519
авг 20 13:19:09 vpn charon[48405]: 10[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
авг 20 13:19:09 vpn charon[48405]: 10[IKE] remote host is behind NAT
авг 20 13:19:09 vpn charon[48405]: 10[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
авг 20 13:19:09 vpn charon[48405]: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
авг 20 13:19:09 vpn charon[48405]: 10[NET] sending packet: from y.y.y.y[500] to x.x.x.x[45864] (236 bytes)
авг 20 13:19:09 vpn charon[48405]: 12[NET] received packet: from x.x.x.x[44520] to y.y.y.y[4500] (466 bytes)
авг 20 13:19:09 vpn charon[48405]: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS NBNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
авг 20 13:19:09 vpn charon[48405]: 12[IKE] local endpoint changed from y.y.y.y[500] to y.y.y.y[4500]
авг 20 13:19:09 vpn charon[48405]: 12[IKE] remote endpoint changed from x.x.x.x[45864] to x.x.x.x[44520]
авг 20 13:19:09 vpn charon[48405]: 12[IKE] received cert request for "CN=VPN root CA"
авг 20 13:19:09 vpn charon[48405]: 12[CFG] looking for peer configs matching y.y.y.y[%any]...x.x.x.x[admsasha]
авг 20 13:19:09 vpn charon[48405]: 12[CFG]  candidate "ikev2-vpn", match: 1/1/28 (me/other/ike)
авг 20 13:19:09 vpn charon[48405]: 12[CFG] selected peer config 'ikev2-vpn'
авг 20 13:19:09 vpn charon[48405]: 12[IKE] initiating EAP_IDENTITY method (id 0x00)
авг 20 13:19:09 vpn charon[48405]: 12[IKE] processing INTERNAL_IP4_ADDRESS attribute
авг 20 13:19:09 vpn charon[48405]: 12[IKE] processing INTERNAL_IP6_ADDRESS attribute
авг 20 13:19:09 vpn charon[48405]: 12[IKE] processing INTERNAL_IP4_DNS attribute
авг 20 13:19:09 vpn charon[48405]: 12[IKE] processing INTERNAL_IP4_NBNS attribute
авг 20 13:19:09 vpn charon[48405]: 12[IKE] processing INTERNAL_IP6_DNS attribute
авг 20 13:19:09 vpn charon[48405]: 12[IKE] peer supports MOBIKE
авг 20 13:19:09 vpn charon[48405]: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
авг 20 13:19:09 vpn charon[48405]: 12[IKE] authentication of 'vpn.mydomain.ru' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
авг 20 13:19:09 vpn charon[48405]: 12[IKE] sending end entity cert "CN=vpn.mydomain.ru"
авг 20 13:19:09 vpn charon[48405]: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
авг 20 13:19:09 vpn charon[48405]: 12[ENC] splitting IKE message (1969 bytes) into 2 fragments
авг 20 13:19:09 vpn charon[48405]: 12[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
авг 20 13:19:09 vpn charon[48405]: 12[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
авг 20 13:19:09 vpn charon[48405]: 12[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[44520] (1248 bytes)
авг 20 13:19:09 vpn charon[48405]: 12[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[44520] (786 bytes)
авг 20 13:19:09 vpn charon[48405]: 13[NET] received packet: from x.x.x.x[44520] to y.y.y.y[4500] (74 bytes)
авг 20 13:19:09 vpn charon[48405]: 13[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
авг 20 13:19:09 vpn charon[48405]: 13[IKE] received EAP identity 'admsasha'
авг 20 13:19:09 vpn charon[48405]: 13[IKE] initiating EAP_MSCHAPV2 method (id 0xBB)
авг 20 13:19:09 vpn charon[48405]: 13[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
авг 20 13:19:09 vpn charon[48405]: 13[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[44520] (97 bytes)
авг 20 13:19:10 vpn charon[48405]: 14[NET] received packet: from x.x.x.x[44520] to y.y.y.y[4500] (128 bytes)
авг 20 13:19:10 vpn charon[48405]: 14[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
авг 20 13:19:10 vpn charon[48405]: 14[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
авг 20 13:19:12 vpn charon[48405]: 14[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
авг 20 13:19:12 vpn charon[48405]: 14[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[44520] (114 bytes)
авг 20 13:19:12 vpn charon[48405]: 10[NET] received packet: from x.x.x.x[44520] to y.y.y.y[4500] (65 bytes)
авг 20 13:19:12 vpn charon[48405]: 10[ENC] parsed INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
авг 20 13:19:12 vpn charon[48405]: 10[ENC] generating INFORMATIONAL response 4 [ ]
авг 20 13:19:12 vpn charon[48405]: 10[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[44520] (57 bytes)


20 August 2024, 07:49:07
I tried connecting from Android. The connection succeeds. So I need to look at what is wrong in the client settings under Linux...

Is nothing specific required here? Or is it not suitable?


20 August 2024, 08:17:59
I tried it through the console strongSwan client.

On the client side

Quote
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.13, Linux 6.1.100-un-def-alt1, x86_64):
  uptime: 120 seconds, since Aug 20 10:10:24 2024
  malloc: sbrk 3108864, mmap 0, used 906640, free 2202224
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon ldap pkcs11 aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf gmp curve25519 agent xcbc cmac hmac kdf ctr ccm gcm ntru drbg curl attr kernel-pfkey kernel-netlink resolve socket-default farp stroke vici smp updown eap-identity eap-sim eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic tnc-tnccs dhcp addrblock counters
Listening IP addresses:
  192.168.1.124
Connections:
ipsec-ikev2-vpn-client:  %any...vpn.mydomain.ru  IKEv1/2
ipsec-ikev2-vpn-client:   local:  [admsasha] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ipsec-ikev2-vpn-client:   remote: [vpn.mydomain.ru] uses public key authentication
ipsec-ikev2-vpn-client:   child:  dynamic === 0.0.0.0/0 TUNNEL
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 118 seconds ago, 192.168.1.124[admsasha]...y.y.y.y[kk-vpn-office.telenethd.ru]
ipsec-ikev2-vpn-client[1]: IKEv2 SPIs: d74a4f892e0ba12f_i* 22820a02ccce8920_r, EAP reauthentication in 2 hours
ipsec-ikev2-vpn-client[1]: IKE proposal: CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519


It looks successful. Should an additional interface appear on my side? There is none, if one should.

On the server

Quote
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.8, Linux 6.1.0-23-amd64, x86_64):
  uptime: 5 minutes, since Aug 20 14:10:14 2024
  malloc: sbrk 2338816, mmap 0, used 1516976, free 821840
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/1/0
Listening IP addresses:
  y.y.y.y
  10.10.10.1
Connections:
   ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
   ikev2-vpn:   local:  [vpn.mydomain.ru] uses public key authentication
   ikev2-vpn:    cert:  "CN=vpn.mydomain.ru"
   ikev2-vpn:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
   ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=none
Security Associations (1 up, 0 connecting):
   ikev2-vpn[2]: ESTABLISHED 5 minutes ago, y.y.y.y[vpn.mydomain.ru]...x.x.x.x[admsasha]
   ikev2-vpn[2]: IKEv2 SPIs: d74a4f892e0ba12f_i 22820a02ccce8920_r*, rekeying disabled
   ikev2-vpn[2]: IKE proposal: CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519
20 August 2024, 09:34:51
Here is what the console client's logs show

авг 20 11:25:37 host-89 charon[1003779]: 06[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] authentication of 'vpn.mydomain.ru' with EAP successful
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] installing DNS server 8.8.8.8 via resolvconf
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] installing DNS server 8.8.4.4 via resolvconf
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] installing new virtual IP 10.10.10.1
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] peer supports MOBIKE
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] IKE_SA ipsec-ikev2-vpn-client[1] established between 192.168.1.124[admsasha]...x.x.x.x[vpn.mydomain.ru]
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] IKE_SA ipsec-ikev2-vpn-client[1] established between 192.168.1.124[admsasha]...x.x.x.x[vpn.mydomain.ru]
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] scheduling rekeying in 9934s
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] maximum IKE_SA lifetime 10474s
авг 20 11:25:37 host-89 charon[1003779]: 06[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
авг 20 11:25:37 host-89 charon[1003779]: 06[KNL] unable to add SAD entry with SPI c9986138: Function not implemented (38)
авг 20 11:25:37 host-89 charon[1003779]: 06[KNL] unable to add SAD entry with SPI cac9490c: Function not implemented (38)
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] sending DELETE for ESP CHILD_SA with SPI c9986138
авг 20 11:25:37 host-89 charon[1003779]: 06[ENC] generating INFORMATIONAL request 6 [ D ]
авг 20 11:25:37 host-89 charon[1003779]: 06[NET] sending packet: from 192.168.1.124[4500] to x.x.x.x[4500] (69 bytes)
авг 20 11:25:38 host-89 charon[1003779]: 12[NET] received packet: from x.x.x.x[4500] to 192.168.1.124[4500] (69 bytes)
авг 20 11:25:38 host-89 charon[1003779]: 12[ENC] parsed INFORMATIONAL response 6 [ D ]
авг 20 11:25:38 host-89 charon[1003779]: 12[KNL] deleting policy 0.0.0.0/0 === 10.10.10.1/32 in failed, not found
авг 20 11:25:38 host-89 charon[1003779]: 12[KNL] deleting policy 0.0.0.0/0 === 10.10.10.1/32 fwd failed, not found
авг 20 11:25:38 host-89 charon[1003779]: 12[KNL] unable to delete SAD entry with SPI c9986138: No such process (3)
авг 20 11:25:38 host-89 charon[1003779]: 12[KNL] unable to delete SAD entry with SPI cac9490c: No such process (3)


What I don't like is this
Quote
авг 20 11:25:37 host-89 charon[1003779]: 06[KNL] unable to add SAD entry with SPI c9986138: Function not implemented (38)
авг 20 11:25:37 host-89 charon[1003779]: 06[KNL] unable to add SAD entry with SPI cac9490c: Function not implemented (38)
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel

Does the kernel really not support the needed feature?
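The two failures in this thread show up in charon's log as two different classes of line: an `[IKE]` "EAP-MS-CHAPv2 verification failed" / `N(AUTH_FAILED)` pair on the server (the client's MS-CHAPv2 response did not verify against the secret charon holds for that identity), and a `[KNL]` "unable to add SAD entry ... (38)" on the client, where 38 is the Linux errno ENOSYS, which the xfrm netlink interface returns when the kernel's crypto API has no implementation of the negotiated ESP algorithm (here `AES_GCM_16_256`, i.e. `rfc4106(gcm(aes))`). The script below is an added example, not code from the thread or from strongSwan: it triages charon output into those classes. The errno table and its meanings are the Linux xfrm ones and are an assumption of the example; the sample lines are copied from the client and server logs quoted above and embedded so it runs offline.

```python
import re
import sys

# Linux errno values that charon's kernel-netlink plugin reports when an XFRM
# "add SA" request is rejected.  Assumption of this example: Linux numbering and
# the xfrm meaning of each code (not taken from the thread).
XFRM_ERRNO = {
    38: ("ENOSYS", "kernel crypto API has no implementation of the negotiated ESP algorithm"),
    22: ("EINVAL", "kernel rejected the SA parameters (unsupported key/ICV length or combination)"),
    17: ("EEXIST", "an SA with this SPI already exists in the kernel SAD"),
    1:  ("EPERM",  "charon lacks CAP_NET_ADMIN to modify the SAD"),
}

CHARON_RE      = re.compile(r"charon\[\d+\]: \d+\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
PROPOSAL_RE    = re.compile(r"selected proposal: ESP:(?P<proposal>\S+)")
SAD_RE         = re.compile(r"unable to add SAD entry with SPI (?P<spi>[0-9a-f]+): (?P<text>.+) \((?P<num>\d+)\)$")
EAP_FAIL_RE    = re.compile(r"EAP-MS-CHAPv2 verification failed")
AUTH_NOTIFY_RE = re.compile(r"N\(AUTH_FAILED\)")

# Sample input: lines copied from the client (host-89) and server (vpn) logs in this thread.
SAMPLE_LOG = """\
авг 20 11:25:37 host-89 charon[1003779]: 06[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
авг 20 11:25:37 host-89 charon[1003779]: 06[KNL] unable to add SAD entry with SPI c9986138: Function not implemented (38)
авг 20 11:25:37 host-89 charon[1003779]: 06[KNL] unable to add SAD entry with SPI cac9490c: Function not implemented (38)
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
авг 20 11:25:37 host-89 charon[1003779]: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
авг 20 13:19:10 vpn charon[48405]: 14[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
авг 20 13:19:12 vpn charon[48405]: 10[ENC] parsed INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
"""


def triage(log: str) -> dict:
    """Classify charon log lines into IKE-level (authentication) and kernel-level (SA install) failures."""
    result = {"esp_proposal": None, "sad_failures": [], "eap_failures": 0,
              "auth_failed_notify": False, "findings": []}
    for line in log.splitlines():
        m = CHARON_RE.search(line)
        if not m:
            continue  # not a charon line (other daemons, journal noise)
        group, msg = m.group("group"), m.group("msg")
        if group == "CFG" and (p := PROPOSAL_RE.search(msg)):
            result["esp_proposal"] = p.group("proposal")
        elif group == "KNL" and (s := SAD_RE.search(msg)):
            num = int(s.group("num"))
            name, meaning = XFRM_ERRNO.get(num, ("E?", "unclassified kernel error"))
            result["sad_failures"].append({"spi": s.group("spi"), "errno": num, "errno_name": name,
                                           "text": s.group("text"), "meaning": meaning})
        elif group == "IKE" and EAP_FAIL_RE.search(msg):
            result["eap_failures"] += 1
        elif group == "ENC" and AUTH_NOTIFY_RE.search(msg):
            result["auth_failed_notify"] = True

    # Kernel side: ENOSYS is the "algorithm not available" case; report it once with the proposal.
    enosys = [f for f in result["sad_failures"] if f["errno"] == 38]
    if enosys:
        result["findings"].append(
            f"kernel: {len(enosys)} SA install(s) failed with ENOSYS; {enosys[0]['meaning']} "
            f"({result['esp_proposal']}). Check /proc/crypto for the algorithm (AES-GCM ESP is "
            "'rfc4106(gcm(aes))') and that esp4/esp6 are loadable, or restrict the client's esp= "
            "line to an algorithm this kernel provides.")
    for f in result["sad_failures"]:
        if f["errno"] != 38:
            result["findings"].append(f"kernel: SPI {f['spi']} failed with {f['errno_name']}: {f['meaning']}")
    # IKE side: the MS-CHAPv2 response did not verify, then the peer gave up.
    if result["eap_failures"]:
        result["findings"].append(
            f"ike: {result['eap_failures']} EAP-MS-CHAPv2 response(s) did not verify against the secret "
            "charon holds for that identity (wrong password, or the client sends an identity that "
            "ipsec.secrets does not list).")
    if result["auth_failed_notify"]:
        result["findings"].append("ike: peer sent N(AUTH_FAILED), i.e. it abandoned authentication.")
    return result


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for finding in triage(text)["findings"]:
        print(finding)
```

Pipe real output in with `journalctl -t charon | python3 triage.py`; with no stdin it runs over the embedded sample lines.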