Guys, please help! host-host cannot establish a connection! Please take a look at my problem #21

@bin-wang1

Description

host-host cannot establish a connection! Please take a look at my problem.
Configuration:
server:
connections {
    host-host {
        proposals = sm4cbc-sm3-sm2dh
        local_addrs = 192.168.133.128
        remote_addrs = 192.168.133.129
        local {
            auth = pubkey
            id = "Alt name for server"
            certs = server.cert.pem
        }
        remote {
            auth = pubkey
            id = "Alt name for end entity"
        }
        children {
            host-host {
                local_ts = dynamic[udp/8887-8888]
                remote_ts = 192.168.133.0/24[udp/81-65535]
                esp_proposals = sm4cbc-sm3-sm2dh
                updown = /opt/ss-gmalg/libexec/ipsec/_updown iptables
            }
        }
    }
}
client:
connections {
    host-host {
        proposals = sm4cbc-sm3-sm2dh
        local_addrs = 192.168.133.129
        remote_addrs = 192.168.133.128
        local {
            auth = pubkey
            id = "Alt name for end entity"
            certs = client.cert.pem
        }
        remote {
            auth = pubkey
            id = "Alt name for server"
        }
        children {
            host-host {
                remote_ts = 192.168.133.0/24[udp/8887-8888]
                local_ts = dynamic[udp/81-65535]
                esp_proposals = sm4cbc-sm3-sm2dh
                updown = /opt/ss-gmalg/libexec/ipsec/_updown iptables
            }
        }
    }
}

Problem:

server:

06[NET] received packet: from 192.168.133.129[500] to 192.168.133.128[500] (274 bytes)
06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
06[IKE] 192.168.133.129 is initiating an IKE_SA
06[CFG] selected proposal: IKE:SM4_CBC_128/HMAC_SM3/PRF_HMAC_SM3/CURVE_SM2
06[IKE] remote host is behind NAT
06[IKE] sending cert request for "C=Country, O=Company Name, CN=Unit Name"
06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
06[NET] sending packet: from 192.168.133.128[500] to 192.168.133.129[500] (307 bytes)
16[NET] received packet: from 192.168.133.129[4500] to 192.168.133.128[4500] (864 bytes)
16[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
16[IKE] received cert request for "C=Country, O=Company Name, CN=Unit Name"
16[IKE] received end entity cert "C=Country, O=Company Name, CN=End Entity Name"
16[CFG] looking for peer configs matching 192.168.133.128[Alt name for server]...192.168.133.129[Alt name for end entity]
16[CFG] selected peer config 'host-host'
16[CFG] using certificate "C=Country, O=Company Name, CN=End Entity Name"
16[CFG] using trusted ca certificate "C=Country, O=Company Name, CN=Unit Name"
16[CFG] checking certificate status of "C=Country, O=Company Name, CN=End Entity Name"
16[CFG] certificate status is not available
16[CFG] reached self-signed root ca with a path length of 0
16[IKE] authentication of 'Alt name for end entity' with SM2_WITH_SM3 successful
16[IKE] peer supports MOBIKE
16[IKE] authentication of 'Alt name for server' (myself) with SM2_WITH_SM3 successful
16[IKE] IKE_SA host-host[6] established between 192.168.133.128[Alt name for server]...192.168.133.129[Alt name for end entity]
16[IKE] scheduling rekeying in 13810s
16[IKE] maximum IKE_SA lifetime 15250s
16[IKE] sending end entity cert "C=Country, O=Company Name, CN=Unit Name"
16[CFG] selected proposal: ESP:SM4_CBC_128/HMAC_SM3/NO_EXT_SEQ
16[KNL] can't install route for 192.168.133.128/32[udp/8887-8888] === 192.168.133.129/32[udp/81-65535] out, conflicts with IKE traffic
16[IKE] unable to install IPsec policies (SPD) in kernel
16[IKE] failed to establish CHILD_SA, keeping IKE_SA
16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
16[NET] sending packet: from 192.168.133.128[4500] to 192.168.133.129[4500] (704 bytes)
^Cdisconnecting...

client:

[IKE] initiating IKE_SA host-host[7] to 192.168.133.128
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.133.129[500] to 192.168.133.128[500] (274 bytes)
[NET] received packet: from 192.168.133.128[500] to 192.168.133.129[500] (307 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:SM4_CBC_128/HMAC_SM3/PRF_HMAC_SM3/CURVE_SM2
[IKE] remote host is behind NAT
[IKE] received cert request for "C=Country, O=Company Name, CN=Unit Name"
[IKE] sending cert request for "C=Country, O=Company Name, CN=Unit Name"
[IKE] authentication of 'Alt name for end entity' (myself) with SM2_WITH_SM3 successful
[IKE] sending end entity cert "C=Country, O=Company Name, CN=End Entity Name"
[IKE] establishing CHILD_SA host-host{7}
[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 192.168.133.129[4500] to 192.168.133.128[4500] (864 bytes)
[NET] received packet: from 192.168.133.128[4500] to 192.168.133.129[4500] (704 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
[IKE] received end entity cert "C=Country, O=Company Name, CN=Unit Name"
[CFG] using certificate "C=Country, O=Company Name, CN=Unit Name"
[CFG] using trusted ca certificate "C=Country, O=Company Name, CN=Unit Name"
[CFG] checking certificate status of "C=Country, O=Company Name, CN=Unit Name"
[CFG] certificate status is not available
[CFG] reached self-signed root ca with a path length of 0
[IKE] authentication of 'Alt name for server' with SM2_WITH_SM3 successful
[IKE] IKE_SA host-host[7] established between 192.168.133.129[Alt name for end entity]...192.168.133.128[Alt name for server]
[IKE] scheduling rekeying in 13122s
[IKE] maximum IKE_SA lifetime 14562s
[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
[IKE] failed to establish CHILD_SA, keeping IKE_SA
[IKE] peer supports MOBIKE
initiate failed: establishing CHILD_SA 'host-host' failed
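The decisive line in the server log is "can't install route for ... conflicts with IKE traffic": the negotiated remote selector 192.168.133.129/32[udp/81-65535] also covers the peer on UDP 500 and 4500, the ports IKE itself runs over, so charon refuses the route, the CHILD_SA is not built, and the client only sees TS_UNACCEPTABLE. The Python below is an added illustration, not code from strongSwan or from this issue: it parses swanctl-style selectors, reports which IKE ports a remote_ts would capture on the peer address, and splits a UDP selector into port ranges that leave those ports out; the conflict test is a simplified model of charon's behaviour, not its implementation.

```python
import ipaddress
import re

IKE_PORTS = (500, 4500)  # charon's IKE ports: UDP 500, and 4500 once NAT is detected (as in the log)
# subnet or 'dynamic', optional [proto], optional /port or /lo-hi, e.g. dynamic[udp/8887-8888]
TS_RE = re.compile(r"^([^\[\s]+)(?:\[(\w+)(?:/(\d+)(?:-(\d+))?)?\])?$")

def parse_ts(text, dynamic_addr):
    """Parse a swanctl-style selector to (network, proto, port_lo, port_hi); 'dynamic' = caller's host address."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable traffic selector: {text!r}")
    subnet, proto, lo, hi = m.groups()
    net = ipaddress.ip_network(f"{dynamic_addr}/32" if subnet == "dynamic" else subnet, strict=False)
    lo_p = int(lo) if lo else 0
    hi_p = int(hi) if hi else (lo_p if lo else 65535)  # [udp] = all ports, [udp/500] = one port
    return net, proto or "any", lo_p, hi_p

def format_ts(net, proto, lo, hi):
    """Inverse of parse_ts, producing a value usable in swanctl.conf."""
    if proto == "any":
        return str(net)
    return f"{net}[{proto}/{lo}]" if lo == hi else f"{net}[{proto}/{lo}-{hi}]"

def covers(ts, addr, proto, port):
    net, ts_proto, lo, hi = ts
    return ipaddress.ip_address(addr) in net and ts_proto in ("any", proto) and lo <= port <= hi

def ike_ports_captured(remote_ts, remote_addr):
    """IKE ports on the peer address that remote_ts matches; non-empty is the condition
    behind the server's 'conflicts with IKE traffic' line (simplified model, not charon's code)."""
    ts = parse_ts(remote_ts, remote_addr)
    return [p for p in IKE_PORTS if covers(ts, remote_addr, "udp", p)]

def exclude_ike_ports(remote_ts, remote_addr):
    """Split a UDP selector into port ranges that skip 500 and 4500; joined with
    commas, the result is a remote_ts that no longer captures IKE."""
    net, proto, lo, hi = parse_ts(remote_ts, remote_addr)
    if proto != "udp":
        raise ValueError("only UDP selectors are split here")
    parts = []
    for p in IKE_PORTS:  # ascending order
        if lo <= p <= hi:
            if lo < p:
                parts.append(format_ts(net, proto, lo, p - 1))
            lo = p + 1
    if lo <= hi:
        parts.append(format_ts(net, proto, lo, hi))
    return parts
```

Run against the server's remote_ts with 192.168.133.129 as the peer it reports [500, 4500], while the client's mirrored remote_ts (udp/8887-8888) reports nothing, which is why only the server side fails. Setting charon.install_routes = no in strongswan.conf is the other common remedy for a host-to-host setup; the IPsec policies still apply without the extra route.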
