
3.9 Beta 2: After a reboot, the IPSec client (phone) does not connect to the IPSec server


stakp

Question

After a reboot, the configured and enabled IPsec VPN does not connect from the client (phone).

If you turn the IPsec VPN toggle on/off in the web interface, everything starts working.

Hidden text

[I] Nov 12 14:41:35 ipsec: 06[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:41:38 ipsec: 09[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:41:41 ipsec: 06[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:41:45 ipsec: 07[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:41:48 ipsec: 13[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:41:51 ipsec: 06[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:41:52 ipsec: 12[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:41:57 ipsec: 16[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:42:00 ipsec: 13[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:42:02 ipsec: 07[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:42:35 ndm: IpSec::Manager: service enabled. 
[I] Nov 12 14:42:35 ndm: IpSec::Manager: crypto ike policy "VirtualIPServer" removed. 
[I] Nov 12 14:42:35 ndm: IpSec::Manager: crypto ipsec profile "VirtualIPServer" removed. 
[I] Nov 12 14:42:35 ndm: Network::Acl: "_WEBADMIN_IPSEC_VirtualIPServer" access list removed. 
[I] Nov 12 14:42:35 ndm: Network::Acl: rule accepted. 
[I] Nov 12 14:42:35 ndm: IpSec::Manager: "VirtualIPServer": crypto ike policy successfully created. 
[I] Nov 12 14:42:35 ndm: IpSec::Manager: "VirtualIPServer": crypto ipsec profile successfully created. 
[I] Nov 12 14:42:35 ndm: IpSec::ManagerVirtualIp: Virtual IP server successfully enabled. 
[I] Nov 12 14:42:35 ndm: Core::System::StartupConfig: saving (coala/rci). 
[I] Nov 12 14:42:36 ndm: IpSec::Manager: service enabled. 
[I] Nov 12 14:42:36 ndm: IpSec::Manager: crypto ike policy "VirtualIPServer" removed. 
[I] Nov 12 14:42:36 ndm: IpSec::Manager: crypto ipsec profile "VirtualIPServer" removed. 
[I] Nov 12 14:42:36 ndm: Network::Acl: "_WEBADMIN_IPSEC_VirtualIPServer" access list removed. 
[I] Nov 12 14:42:36 ndm: Network::Acl: rule accepted. 
[I] Nov 12 14:42:36 ndm: IpSec::Manager: "VirtualIPServer": crypto ike policy successfully created. 
[I] Nov 12 14:42:36 ndm: IpSec::Manager: "VirtualIPServer": crypto ipsec profile successfully created. 
[I] Nov 12 14:42:36 ndm: IpSec::ManagerVirtualIp: Virtual IP server successfully enabled. 
[I] Nov 12 14:42:36 ndm: Core::System::StartupConfig: saving (coala/rci). 
[I] Nov 12 14:42:38 ndm: IpSec::Manager: create IPsec reconfiguration transaction... 
[I] Nov 12 14:42:38 ndm: IpSec::Manager: "VPNL2TPServer": crypto map administratively disabled, skipping. 
[I] Nov 12 14:42:38 ndm: IpSec::Manager: add config for crypto map "VirtualIPServer". 
[I] Nov 12 14:42:38 ndm: IpSec::Manager: IPsec reconfiguration transaction was created. 
[I] Nov 12 14:42:38 ndm: IpSec::Configurator: start applying IPsec configuration. 
[I] Nov 12 14:42:38 ndhcps: NDM DHCP server stopped (exit status: 0). 
[I] Nov 12 14:42:38 ndm: IpSec::Configurator: IPsec configuration applying is done. 
[I] Nov 12 14:42:38 ndm: Core::System::StartupConfig: configuration saved. 
[I] Nov 12 14:42:38 ipsec: 15[CFG] loaded 0 entries for attr plugin configuration 
[I] Nov 12 14:42:38 ipsec: 15[CFG] loaded 1 RADIUS server configuration 
[C] Nov 12 14:42:38 ndm: IpSec::Vici::Socket: system failed [0xcffd0482], unload: connection 'VirtualIPServer' not found. 
[C] Nov 12 14:42:38 ndm: IpSec::Vici::Config: "VirtualIPServer": system failed [0xcffd0176], unable to unload conn: input/output error (5). 
[C] Nov 12 14:42:38 ndm: IpSec::Vici::Socket: system failed [0xcffd049a]. 
[C] Nov 12 14:42:38 ndm: IpSec::Vici::Config: "VirtualIPServer": system failed [0xcffd019a], unable to unload pool: input/output error (5). 
[C] Nov 12 14:42:38 ndm: IpSec::Vici::Socket: system failed [0xcffd049a]. 
[C] Nov 12 14:42:38 ndm: IpSec::Vici::Config: "VirtualIPServer": system failed [0xcffd01d1], unable to load pool: input/output error (5). 
[C] Nov 12 14:42:38 ndm: IpSec::Vici::Socket: system failed [0xcffd049a]. 
[C] Nov 12 14:42:38 ndm: IpSec::Vici::Config: "VirtualIPServer": system failed [0xcffd03e3], unable to load conn: input/output error (5). 
[I] Nov 12 14:42:38 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration... 
[I] Nov 12 14:42:38 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done. 
[I] Nov 12 14:42:38 ipsec: 11[CFG] vici terminate IKE_SA 'VirtualIPServer' 
[I] Nov 12 14:42:38 ipsec: 11[CFG] vici terminate CHILD_SA 'VirtualIPServer' 
[I] Nov 12 14:42:38 ndm: IpSec::Configurator: crypto map "VirtualIPServer" shutdown. 
[I] Nov 12 14:42:40 ndhcps: NDM DHCP Server, v3.2.51. 
[I] Nov 12 14:42:40 ndm: Core::Server: started Session /var/run/ndm.core.socket. 
[I] Nov 12 14:42:40 ndm: Core::Session: client disconnected. 
[I] Nov 12 14:43:02 ipsec: 07[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:43:05 ipsec: 12[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:43:09 ipsec: 06[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:43:12 ipsec: 08[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:43:15 ipsec: 12[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:43:19 ipsec: 12[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:43:22 ipsec: 16[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:43:24 ipsec: 09[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:43:28 ipsec: 10[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:43:31 ipsec: 07[IKE] no IKE config found for хх.хх.хх.19...хх.хх.хх.102, sending NO_PROPOSAL_CHOSEN 
[I] Nov 12 14:44:38 ndm: IpSec::Manager: service disabled. 
[I] Nov 12 14:44:38 ndm: IpSec::Manager: crypto ike policy "VirtualIPServer" removed. 
[I] Nov 12 14:44:38 ndm: IpSec::Manager: crypto ipsec profile "VirtualIPServer" removed. 
[I] Nov 12 14:44:38 ndm: Network::Acl: "_WEBADMIN_IPSEC_VirtualIPServer" access list removed. 
[I] Nov 12 14:44:38 ndm: Network::Acl: rule accepted. 
[I] Nov 12 14:44:38 ndm: IpSec::Manager: "VirtualIPServer": crypto ike policy successfully created. 
[I] Nov 12 14:44:38 ndm: IpSec::Manager: "VirtualIPServer": crypto ipsec profile successfully created. 
[I] Nov 12 14:44:38 ndm: IpSec::ManagerVirtualIp: Virtual IP server successfully enabled. 
[I] Nov 12 14:44:38 ndm: Core::System::StartupConfig: saving (http/rci). 
[I] Nov 12 14:44:40 ipsec: 16[CFG] vici terminate IKE_SA 'VirtualIPServer' 
[I] Nov 12 14:44:40 ipsec: 16[CFG] vici terminate CHILD_SA 'VirtualIPServer' 
[I] Nov 12 14:44:40 ndm: IpSec::Configurator: crypto map "VirtualIPServer" stopped. 
[I] Nov 12 14:44:40 ndhcps: NDM DHCP server stopped (exit status: 0). 
[I] Nov 12 14:44:40 ipsec: 00[DMN] SIGINT received, shutting down 
[I] Nov 12 14:44:42 ndm: Core::System::StartupConfig: configuration saved. 
[I] Nov 12 14:44:42 ndm: IpSec::Manager: service enabled. 
[I] Nov 12 14:44:42 ndm: IpSec::Manager: crypto ike policy "VirtualIPServer" removed. 
[I] Nov 12 14:44:42 ndm: IpSec::Manager: crypto ipsec profile "VirtualIPServer" removed. 
[I] Nov 12 14:44:42 ndm: Network::Acl: "_WEBADMIN_IPSEC_VirtualIPServer" access list removed. 
[I] Nov 12 14:44:42 ndm: Network::Acl: rule accepted. 
[I] Nov 12 14:44:42 ndm: IpSec::Manager: "VirtualIPServer": crypto ike policy successfully created. 
[I] Nov 12 14:44:42 ndm: IpSec::Manager: "VirtualIPServer": crypto ipsec profile successfully created. 
[I] Nov 12 14:44:42 ndm: IpSec::ManagerVirtualIp: Virtual IP server successfully enabled. 
[I] Nov 12 14:44:42 ndm: Core::System::StartupConfig: saving (http/rci). 
[I] Nov 12 14:44:44 ndm: IpSec::Manager: create IPsec reconfiguration transaction... 
[I] Nov 12 14:44:44 ndm: IpSec::Manager: "VPNL2TPServer": crypto map administratively disabled, skipping. 
[I] Nov 12 14:44:44 ndm: IpSec::Manager: add config for crypto map "VirtualIPServer". 
[I] Nov 12 14:44:44 ndm: IpSec::Manager: IPsec reconfiguration transaction was created. 
[I] Nov 12 14:44:44 ndm: IpSec::Configurator: start applying IPsec configuration. 
[I] Nov 12 14:44:44 ndm: IpSec::Configurator: IPsec configuration applying is done. 
[I] Nov 12 14:44:45 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration... 
[I] Nov 12 14:44:45 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done. 
[I] Nov 12 14:44:46 ndm: Core::System::StartupConfig: configuration saved. 
[I] Nov 12 14:44:46 ndhcps: NDM DHCP Server, v3.2.51. 
[I] Nov 12 14:44:46 ndm: Core::Server: started Session /var/run/ndm.core.socket. 
[I] Nov 12 14:44:46 ndm: Core::Session: client disconnected. 
[I] Nov 12 14:44:46 ipsec: Starting strongSwan 5.9.7 IPsec [starter]... 
[I] Nov 12 14:44:47 ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.7, Linux 4.9-ndm-5, aarch64) 
[I] Nov 12 14:44:47 ipsec: 00[LIB] providers loaded by OpenSSL: legacy default 
[I] Nov 12 14:44:47 ipsec: 00[CFG] loading secrets 
[I] Nov 12 14:44:47 ipsec: 00[CFG] loaded 1 RADIUS server configuration 
[I] Nov 12 14:44:47 ipsec: 00[CFG] enabling systime-fix, threshold: Tue Jan  1 00:00:00 2030 
[I] Nov 12 14:44:47 ipsec: 00[CFG]  
[I] Nov 12 14:44:47 ipsec: 00[CFG] starting system time check, interval: 10s 
[I] Nov 12 14:44:47 ipsec: 00[LIB] loaded plugins: charon ndm-pem random save-keys nonce x509 pubkey pkcs7 pem openssl pkcs8 xcbc cmac hmac ctr attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-peap xauth-generic xauth-eap error-notify systime-fix unity counters 
[I] Nov 12 14:44:47 ipsec: 00[LIB] dropped capabilities, running as uid 65534, gid 65534 
[I] Nov 12 14:44:47 ndm: Io::UnixStreamSocket: connected after 1 retries. 
[I] Nov 12 14:44:47 ipsec: 05[CFG] loaded IKE shared key with id 'VirtualIPServer-PSK' for: '%any' 
[I] Nov 12 14:44:47 ipsec: 09[CFG] loaded IKE shared key with id 'VirtualIPServer-PSK' for: 'mykeenetic.net' 
[I] Nov 12 14:44:47 ipsec: 10[CFG] loaded NTLM shared key with id 'USRNM-SERVER-XAUTH' for: 'USRNM'
[I] Nov 12 14:44:47 ipsec: 09[CFG] loaded 1 RADIUS server configuration 
[I] Nov 12 14:44:47 ipsec: 12[CFG] added vici pool VirtualIPServer: 172.20.0.1, 256 entries 
[I] Nov 12 14:44:47 ipsec: 03[CFG] added vici connection: VirtualIPServer 
[I] Nov 12 14:44:59 ipsec: 11[IKE] received NAT-T (RFC 3947) vendor ID 
[I] Nov 12 14:44:59 ipsec: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID 
[I] Nov 12 14:44:59 ipsec: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID 
[I] Nov 12 14:44:59 ipsec: 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID 
[I] Nov 12 14:44:59 ipsec: 11[IKE] received XAuth vendor ID 
[I] Nov 12 14:44:59 ipsec: 11[IKE] received Cisco Unity vendor ID 
[I] Nov 12 14:44:59 ipsec: 11[IKE] received FRAGMENTATION vendor ID 
[I] Nov 12 14:44:59 ipsec: 11[IKE] received DPD vendor ID 
[I] Nov 12 14:44:59 ipsec: 11[IKE] хх.хх.хх.102 is initiating a Main Mode IKE_SA 
[I] Nov 12 14:44:59 ipsec: 11[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024 
[I] Nov 12 14:44:59 ipsec: 11[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048 
[I] Nov 12 14:44:59 ipsec: 11[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
[I] Nov 12 14:44:59 ipsec: 11[IKE] sending XAuth vendor ID 
[I] Nov 12 14:44:59 ipsec: 11[IKE] sending DPD vendor ID 
[I] Nov 12 14:44:59 ipsec: 11[IKE] sending FRAGMENTATION vendor ID 
[I] Nov 12 14:44:59 ipsec: 11[IKE] sending NAT-T (RFC 3947) vendor ID 
[I] Nov 12 14:44:59 ipsec: 13[IKE] remote host is behind NAT 
[I] Nov 12 14:44:59 ipsec: 13[IKE] linked key for crypto map '(unnamed)' is not found, still searching 
[I] Nov 12 14:44:59 ipsec: 15[CFG] looking for XAuthInitPSK peer configs matching хх.хх.хх.19...хх.хх.хх.102[10.200.41.30] 
[I] Nov 12 14:44:59 ipsec: 15[CFG] selected peer config "VirtualIPServer" 
[I] Nov 12 14:44:59 ipsec: 12[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan' 
[I] Nov 12 14:44:59 ipsec: 12[IKE] XAuth authentication of 'USRNM' successful 
[I] Nov 12 14:44:59 ipsec: 14[IKE] IKE_SA VirtualIPServer[1] established between 92.101.159.19[mykeenetic.net]...хх.хх.хх.102[10.200.41.30] 
[I] Nov 12 14:44:59 ipsec: 14[IKE] scheduling rekeying in 27965s 
[I] Nov 12 14:44:59 ipsec: 14[IKE] scheduling reauthentication in 28778s 
[I] Nov 12 14:44:59 ipsec: 14[IKE] maximum IKE_SA lifetime 30845s 
[I] Nov 12 14:44:59 ipsec: 05[IKE] peer requested virtual IP %any 
 

 


2 answers to this question

On 17.11.2022 at 16:40, hellonow said:

@stakp There is similar behavior with the L2TP\IPsec tunnel - 


The next 3.9 version will include a fix. Please check.

Checked. Nothing has changed.
After a reboot (and update) I cannot connect; in the log:

12[IKE] no IKE config found for xx.xxx.137.39...xxx.xx.159.228, sending NO_PROPOSAL_CHOSEN

I turn IPsec VPN off/on on the main dashboard, and voilà, everything connects.
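
The failure both posts describe appears in the log as a run of `no IKE config found ... NO_PROPOSAL_CHOSEN` rejections that ends only when charon logs `added vici connection`. The following is an added example, not part of the original thread or of the router firmware: a small Python parser that groups such rejections into windows and records any `unable to load conn` failure inside them. The sample lines are constructed in the format of the posted log with placeholder addresses, and the function and field names are hypothetical.

```python
import re

# Constructed sample in the format of the log above; addresses are placeholders.
SAMPLE = """\
[I] Nov 12 14:41:35 ipsec: 06[IKE] no IKE config found for 198.51.100.19...203.0.113.102, sending NO_PROPOSAL_CHOSEN
[I] Nov 12 14:41:38 ipsec: 09[IKE] no IKE config found for 198.51.100.19...203.0.113.102, sending NO_PROPOSAL_CHOSEN
[C] Nov 12 14:42:38 ndm: IpSec::Vici::Config: "VirtualIPServer": system failed [0xcffd03e3], unable to load conn: input/output error (5).
[I] Nov 12 14:43:02 ipsec: 07[IKE] no IKE config found for 198.51.100.19...203.0.113.102, sending NO_PROPOSAL_CHOSEN
[I] Nov 12 14:44:47 ipsec: 03[CFG] added vici connection: VirtualIPServer
[I] Nov 12 14:44:59 ipsec: 15[CFG] selected peer config "VirtualIPServer"
"""

LINE = re.compile(r"^\[[A-Z]\] (?P<ts>\w{3} +\d+ [\d:]{8}) \w+: (?P<msg>.*)$")
REJECT = re.compile(r"no IKE config found for (\S+)\.\.\.(\S+), sending NO_PROPOSAL_CHOSEN")
LOAD_FAIL = re.compile(r'"([^"]+)": system failed \[\w+\], unable to load conn')
ADDED = re.compile(r"added vici connection: (\S+)")

def rejection_windows(log_text):
    """Group 'no IKE config found' rejections into windows (hypothetical helper).

    A window opens at the first rejection and closes when charon reports
    'added vici connection', i.e. when a connection is actually loaded.
    """
    windows, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if r := REJECT.search(msg):
            if cur is None:
                cur = {"first": ts, "last": ts, "rejected": 0, "peers": set(),
                       "load_failures": [], "cleared_by": None}
                windows.append(cur)
            cur["last"] = ts
            cur["rejected"] += 1
            cur["peers"].add(r.group(2))             # second address is the remote peer
        elif cur and (f := LOAD_FAIL.search(msg)):
            cur["load_failures"].append(f.group(1))  # ndm could not load the conn via vici
        elif cur and (a := ADDED.search(msg)):
            cur["cleared_by"] = a.group(1)
            cur = None
    return windows

if __name__ == "__main__":
    for w in rejection_windows(SAMPLE):
        state = f"cleared by {w['cleared_by']}" if w["cleared_by"] else "STILL OPEN"
        print(f"{w['first']} -> {w['last']}: {w['rejected']} rejected, "
              f"load failures {w['load_failures']}, {state}")
```

Run over the log posted in the question, this yields a single window from 14:41:35 to 14:43:31 that contains the `unable to load conn` failure and is cleared only by the `added vici connection: VirtualIPServer` line at 14:44:47.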
