L2TP/IPsec VPN connection fails; developers, please help analyze
DebuggerX
deepin
2018-03-01 00:32
Author
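People have been reporting this problem for a long time, but it has never been fixed, possibly because nobody provided enough useful information. More than a year ago I couldn't get it to connect either; at the time I simply switched to ss, so I didn't look into it. Recently I have had to use this type of VPN for work, so I spent some time trying to find the cause.

First, the system log: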

    -- Logs begin at Tue 2017-12-26 13:08:19 CST. --
    2月 28 15:43:58 debuggerx-pc NetworkManager[908]: establishing connection '33d8fc19-a978-4ac2-a327-abfa07b5fbb4' failed
    2月 28 15:43:58 debuggerx-pc charon[12302]: 10[IKE] received NO_PROPOSAL_CHOSEN error notify
    2月 28 15:43:58 debuggerx-pc NetworkManager[908]: Stopping strongSwan IPsec...
    2月 28 15:43:58 debuggerx-pc charon[12302]: 00[DMN] signal of type SIGINT received. Shutting down
    2月 28 15:43:58 debuggerx-pc ipsec_starter[12301]: child 12302 (charon) has quit (exit code 0)
    2月 28 15:43:58 debuggerx-pc ipsec_starter[12301]:
    2月 28 15:43:58 debuggerx-pc nm-l2tp-service[12242]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
    2月 28 15:43:58 debuggerx-pc NetworkManager[908]:   [1519803838.9917] vpn-connection[0x5641a70576a0,33d8fc19-a978-4ac2-a327-abfa07b5fbb4,"flutter",0]: VPN plugin: state changed: stopped (6)
    2月 28 15:43:58 debuggerx-pc NetworkManager[908]:   [1519803838.9935] vpn-connection[0x5641a70576a0,33d8fc19-a978-4ac2-a327-abfa07b5fbb4,"flutter",0]: VPN service disappeared
    2月 28 15:43:58 debuggerx-pc NetworkManager[908]:   [1519803838.9965] vpn-connection[0x5641a70576a0,33d8fc19-a978-4ac2-a327-abfa07b5fbb4,"flutter",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
    2月 28 15:46:40 debuggerx-pc NetworkManager[908]:   [1519804000.5405] audit: op="connection-activate" uuid="33d8fc19-a978-4ac2-a327-abfa07b5fbb4" name="flutter" pid=2439 uid=1000 result="success"
    2月 28 15:46:40 debuggerx-pc NetworkManager[908]:   [1519804000.5453] vpn-connection[0x5641a70574b0,33d8fc19-a978-4ac2-a327-abfa07b5fbb4,"flutter",0]: Started the VPN service, PID 14102
    2月 28 15:46:40 debuggerx-pc NetworkManager[908]: Stopping strongSwan IPsec failed: starter is not running
    2月 28 15:46:40 debuggerx-pc NetworkManager[908]:   [1519804000.5529] vpn-connection[0x5641a70574b0,33d8fc19-a978-4ac2-a327-abfa07b5fbb4,"flutter",0]: Saw the service appear; activating connection
    2月 28 15:46:40 debuggerx-pc nm-l2tp-service[14102]: Check port 1701
    2月 28 15:46:42 debuggerx-pc NetworkManager[908]: Starting strongSwan 5.5.3 IPsec [starter]...
    2月 28 15:46:42 debuggerx-pc NetworkManager[908]: Loading config setup
    2月 28 15:46:42 debuggerx-pc NetworkManager[908]: Loading conn '33d8fc19-a978-4ac2-a327-abfa07b5fbb4'
    2月 28 15:46:42 debuggerx-pc ipsec_starter[14117]: Starting strongSwan 5.5.3 IPsec [starter]...
    2月 28 15:46:42 debuggerx-pc ipsec_starter[14117]: Loading config setup
    2月 28 15:46:42 debuggerx-pc ipsec_starter[14117]: Loading conn '33d8fc19-a978-4ac2-a327-abfa07b5fbb4'
    2月 28 15:46:42 debuggerx-pc NetworkManager[908]: found netkey IPsec stack
    2月 28 15:46:42 debuggerx-pc ipsec_starter[14117]: found netkey IPsec stack
    2月 28 15:46:42 debuggerx-pc ipsec_starter[14154]: Attempting to start charon...
    2月 28 15:46:42 debuggerx-pc charon[14155]: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 4.14.0-deepin2-amd64, x86_64)
    2月 28 15:46:42 debuggerx-pc charon[14155]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    2月 28 15:46:42 debuggerx-pc charon[14155]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    2月 28 15:46:42 debuggerx-pc charon[14155]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    2月 28 15:46:42 debuggerx-pc charon[14155]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    2月 28 15:46:42 debuggerx-pc charon[14155]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
    2月 28 15:46:42 debuggerx-pc charon[14155]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
    2月 28 15:46:42 debuggerx-pc charon[14155]: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
    2月 28 15:46:42 debuggerx-pc charon[14155]: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-33d8fc19-a978-4ac2-a327-abfa07b5fbb4.secrets'
    2月 28 15:46:42 debuggerx-pc charon[14155]: 00[CFG]   loaded IKE secret for %any
    2月 28 15:46:42 debuggerx-pc charon[14155]: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
    2月 28 15:46:42 debuggerx-pc charon[14155]: 00[LIB] dropped capabilities, running as uid 0, gid 0
    2月 28 15:46:42 debuggerx-pc charon[14155]: 00[JOB] spawning 16 worker threads
    2月 28 15:46:42 debuggerx-pc ipsec_starter[14154]: charon (14155) started after 20 ms
    2月 28 15:46:42 debuggerx-pc charon[14155]: 05[CFG] received stroke: add connection '33d8fc19-a978-4ac2-a327-abfa07b5fbb4'
    2月 28 15:46:42 debuggerx-pc charon[14155]: 05[CFG] added configuration '33d8fc19-a978-4ac2-a327-abfa07b5fbb4'
    2月 28 15:46:43 debuggerx-pc charon[14155]: 08[CFG] rereading secrets
    2月 28 15:46:43 debuggerx-pc charon[14155]: 08[CFG] loading secrets from '/etc/ipsec.secrets'
    2月 28 15:46:43 debuggerx-pc charon[14155]: 08[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
    2月 28 15:46:43 debuggerx-pc charon[14155]: 08[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-33d8fc19-a978-4ac2-a327-abfa07b5fbb4.secrets'
    2月 28 15:46:43 debuggerx-pc charon[14155]: 08[CFG]   loaded IKE secret for %any
    2月 28 15:46:43 debuggerx-pc charon[14155]: 09[CFG] received stroke: initiate '33d8fc19-a978-4ac2-a327-abfa07b5fbb4'
    2月 28 15:46:43 debuggerx-pc charon[14155]: 10[IKE] initiating Main Mode IKE_SA 33d8fc19-a978-4ac2-a327-abfa07b5fbb4[1] to 18.221.140.253
    2月 28 15:46:43 debuggerx-pc charon[14155]: 10[IKE] initiating Main Mode IKE_SA 33d8fc19-a978-4ac2-a327-abfa07b5fbb4[1] to 18.221.140.253
    2月 28 15:46:43 debuggerx-pc charon[14155]: 10[ENC] generating ID_PROT request 0 [ SA V V V V V ]
    2月 28 15:46:43 debuggerx-pc charon[14155]: 10[NET] sending packet: from 10.0.0.227[500] to 18.221.140.253[500] (240 bytes)
    2月 28 15:46:43 debuggerx-pc charon[14155]: 11[NET] received packet: from 18.221.140.253[500] to 10.0.0.227[500] (40 bytes)
    2月 28 15:46:43 debuggerx-pc charon[14155]: 11[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
    2月 28 15:46:43 debuggerx-pc NetworkManager[908]: initiating Main Mode IKE_SA 33d8fc19-a978-4ac2-a327-abfa07b5fbb4[1] to 18.221.140.253
    2月 28 15:46:43 debuggerx-pc NetworkManager[908]: generating ID_PROT request 0 [ SA V V V V V ]
    2月 28 15:46:43 debuggerx-pc NetworkManager[908]: sending packet: from 10.0.0.227[500] to 18.221.140.253[500] (240 bytes)
    2月 28 15:46:43 debuggerx-pc NetworkManager[908]: received packet: from 18.221.140.253[500] to 10.0.0.227[500] (40 bytes)
    2月 28 15:46:43 debuggerx-pc NetworkManager[908]: parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
    2月 28 15:46:43 debuggerx-pc NetworkManager[908]: received NO_PROPOSAL_CHOSEN error notify
    2月 28 15:46:43 debuggerx-pc NetworkManager[908]: establishing connection '33d8fc19-a978-4ac2-a327-abfa07b5fbb4' failed
    2月 28 15:46:43 debuggerx-pc charon[14155]: 11[IKE] received NO_PROPOSAL_CHOSEN error notify
    2月 28 15:46:43 debuggerx-pc NetworkManager[908]: Stopping strongSwan IPsec...
    2月 28 15:46:43 debuggerx-pc charon[14155]: 00[DMN] signal of type SIGINT received. Shutting down
    2月 28 15:46:43 debuggerx-pc ipsec_starter[14154]: child 14155 (charon) has quit (exit code 0)
    2月 28 15:46:43 debuggerx-pc ipsec_starter[14154]:
    2月 28 15:46:43 debuggerx-pc nm-l2tp-service[14102]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
    2月 28 15:46:43 debuggerx-pc NetworkManager[908]:   [1519804003.9757] vpn-connection[0x5641a70574b0,33d8fc19-a978-4ac2-a327-abfa07b5fbb4,"flutter",0]: VPN plugin: state changed: stopped (6)
    2月 28 15:46:43 debuggerx-pc NetworkManager[908]:   [1519804003.9780] vpn-connection[0x5641a70574b0,33d8fc19-a978-4ac2-a327-abfa07b5fbb4,"flutter",0]: VPN service disappeared
    2月 28 15:46:43 debuggerx-pc NetworkManager[908]:   [1519804003.9789] vpn-connection[0x5641a70574b0,33d8fc19-a978-4ac2-a327-abfa07b5fbb4,"flutter",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'


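I couldn't find anything useful in this output, so I tried configuring the VPN connection on CentOS in a VM, and it worked without any problem. After comparing and experimenting a few times, I found one file that looks suspicious: /etc/ipsec.d/nm-l2tp-ipsec-33d8fc19-a978-4ac2-a327-abfa07b5fbb4.secrets. Its content differs from that of the /etc/ipsec.d/ipsec-xxxx-xxxxxx-xxxxxx-xxxx.secrets file generated on CentOS. The CentOS content is:

    18.221.140.253 %any: PSK "fluttertestvpn.com"

The content generated on deepin, however, is:

    : PSK "fluttertestvpn.com"

It feels like part of the content is missing. I tried editing this file, but it gets rewritten every time I click Connect, and the connection still fails. I also looked at the code but couldn't find where this file is being modified, so I hope the relevant developers can check whether this is where the problem lies.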

https://bbs.deepin.org/user/48640 https://bbs.deepin.org/user/101846 @https://bbs.deepin.org/user/33235
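One way to triage the journal excerpt in the post above, as an added example that is not part of the original post or of deepin's code: it reads only charon's own lines and reports, per IKEv1 attempt, the peer, the payloads of the last message sent and the error notify received. The helper name `triage` and the `rejected_at_proposal` field are hypothetical; the sample lines are copied from the log above. In Main Mode the first message carries only the SA proposals, so a NO_PROPOSAL_CHOSEN reply to it arrives before the pre-shared key is used.

```python
import re

# Constructed sample: lines copied from the journal excerpt in the post above.
LOG = """\
2月 28 15:46:43 debuggerx-pc charon[14155]: 10[IKE] initiating Main Mode IKE_SA 33d8fc19-a978-4ac2-a327-abfa07b5fbb4[1] to 18.221.140.253
2月 28 15:46:43 debuggerx-pc charon[14155]: 10[IKE] initiating Main Mode IKE_SA 33d8fc19-a978-4ac2-a327-abfa07b5fbb4[1] to 18.221.140.253
2月 28 15:46:43 debuggerx-pc charon[14155]: 10[ENC] generating ID_PROT request 0 [ SA V V V V V ]
2月 28 15:46:43 debuggerx-pc charon[14155]: 11[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
2月 28 15:46:43 debuggerx-pc NetworkManager[908]: received NO_PROPOSAL_CHOSEN error notify
2月 28 15:46:43 debuggerx-pc charon[14155]: 11[IKE] received NO_PROPOSAL_CHOSEN error notify
"""

CHARON = re.compile(r"charon\[\d+\]: \d+\[\w+\] (.*)$")
INIT = re.compile(r"initiating (Main|Aggressive) Mode IKE_SA \S+ to (\S+)")
SENT = re.compile(r"generating \S+ (?:request|response) \d+ \[ (.*?) \]")
NOTIFY = re.compile(r"received (\w+) error notify")


def triage(text):
    """Summarise each IKEv1 attempt seen in charon's own log lines (hypothetical helper)."""
    attempts, cur = [], None
    for line in text.splitlines():
        m = CHARON.search(line)
        if not m:  # NetworkManager echoes the same messages; count them once
            continue
        body = m.group(1)
        if (i := INIT.search(body)):
            # The excerpt shows the "initiating" line twice; open a new attempt
            # only when the previous one has already sent something or failed.
            if cur is None or cur["sent"] or cur["error"]:
                cur = {"mode": i.group(1), "peer": i.group(2), "sent": [], "error": None}
                attempts.append(cur)
        elif cur and (s := SENT.search(body)):
            cur["sent"] = s.group(1).split()  # payloads of the last message we sent
        elif cur and (n := NOTIFY.search(body)):
            cur["error"] = n.group(1)
    for a in attempts:
        # Last sent message carried SA but no KE: the peer rejected the offered
        # proposals in the first Main Mode message, before the PSK is used.
        a["rejected_at_proposal"] = (a["error"] == "NO_PROPOSAL_CHOSEN"
                                     and "SA" in a["sent"] and "KE" not in a["sent"])
    return attempts


if __name__ == "__main__":
    for attempt in triage(LOG):
        print(attempt)
```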
All Replies
junior_chan
deepin
2019-10-21 23:59
#21
https://bbs.deepin.org/post/153665
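That depends on whether your V{ignore}P{ignore}N is a foreign one. If it is, then it has already been blocked by the Great Firewall (it doesn't let us f{ignore ...

It's a VPN configured on a Cisco switch; strictly speaking, it is only within China.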
180******69
deepin
2019-11-03 17:29
#22
https://bbs.deepin.org/post/153665
Try this; currently the Control Center lets you specify the encryption algorithms directly when creating a VPN.

I switched to a different VPN. Below is the output from ike-scan.sh; could you please take a look at how the encryption algorithms should be specified? Thanks!

    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=5:modp1536 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=5:modp1536 KeyLength=256 LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=14:modp2048 KeyLength=256 LifeType=Seconds LifeDuration(4)=0x00007080)
yanbowen
deepin
2019-11-04 17:40
#23
https://bbs.deepin.org/post/153665
I switched to a different VPN. Below is the output from ike-scan.sh; could you please take a look at how the encryption algorithms should be specified? Thanks!
...

    aes256-sha1-modp2048, aes128-sha1-modp1024

    aes256-sha1,aes128-sha1
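The mapping from the ike-scan.sh lines in reply #22 to proposal strings of the form given in reply #23, as an added example that is not code from the thread or from deepin. It assumes each `SA=(...)` line is one transform the VPN server accepted, handles only the attribute values that appear in this thread, and uses hypothetical function names; the 2048-bit floor for MODP groups is a local policy assumption.

```python
import re

# Constructed sample: five of the ike-scan.sh lines posted in reply #22.
SCAN = """\
        SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
        SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
        SA=(Enc=AES Hash=SHA1 Auth=PSK Group=5:modp1536 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
        SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
        SA=(Enc=AES Hash=SHA1 Auth=PSK Group=5:modp1536 KeyLength=256 LifeType=Seconds LifeDuration(4)=0x00007080)
"""

SA_RE = re.compile(r"SA=\((.*)\)\s*$")
MIN_MODP_BITS = 2048  # assumption: local policy floor for MODP Diffie-Hellman groups


def parse_sa(line):
    """Return one SA=(...) line as a dict; attribute order varies between lines."""
    m = SA_RE.search(line)
    if not m:
        return None
    return dict(tok.split("=", 1) for tok in m.group(1).split() if "=" in tok)


def to_proposal(attrs):
    """'Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048' -> 'aes256-sha1-modp2048'."""
    enc = attrs["Enc"].lower() + attrs.get("KeyLength", "")
    group = attrs["Group"].split(":", 1)[-1]  # drop the numeric group id
    return f"{enc}-{attrs['Hash'].lower()}-{group}"


def proposals(text):
    """Unique proposals in first-seen order, mapped to True when the DH group is weak."""
    out = {}
    for line in text.splitlines():
        attrs = parse_sa(line)
        if not attrs or not all(k in attrs for k in ("Enc", "Hash", "Group")):
            continue
        modp = re.search(r"modp(\d+)$", attrs["Group"])
        weak = bool(modp) and int(modp.group(1)) < MIN_MODP_BITS
        out.setdefault(to_proposal(attrs), weak)
    return out


def policy_string(text):
    """Comma-separated proposals whose DH group meets the MODP floor."""
    return ",".join(p for p, weak in proposals(text).items() if not weak)


if __name__ == "__main__":
    print(proposals(SCAN))
    print(policy_string(SCAN))
```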
180******69
deepin
2019-11-08 08:16
#24

Thanks! But I still haven't managed to connect; I'm checking whether there are other problems.