手机的IPSec Xauth PSK

手机的IPSec Xauth PSK

[root@sm ~]# yum install epel-release -y      #安装第三方yum源
[root@sm ~]# yum install strongswan -y
[root@sm ~]# vim /etc/strongswan/ipsec.conf

# Defaults inherited by every conn section below.
conn %default
     # IKEv1 only (XAuth is an IKEv1 extension).
     keyexchange=ikev1
     # NOTE(review): Aggressive Mode with a PSK returns a hash derived from the
     # PSK to any peer that starts an exchange, and the identities travel
     # unencrypted, so the PSK can be guessed offline. Its strength is then the
     # only protection; use Main Mode or IKEv2 where the client allows it.
     aggressive=yes   # use Aggressive Mode
# Road-warrior connection for the phone client.
conn Android
     left=192.168.1.105
     leftid=@centos
     # Subnet behind this gateway that is offered to the client.
     leftsubnet=192.168.10.0/24
     leftauth=psk
     rightsourceip=192.168.99.0/24   # pool for assigned virtual IPs
     # Accept the client from any source address.
     right=%any
     # The client authenticates with the PSK first, then with XAuth user/password.
     rightauth=psk
     rightauth2=xauth
     # NOTE(review): 3DES, HMAC-MD5 and the 1024-bit MODP group are legacy
     # algorithms; prefer a stronger proposal (e.g. AES with SHA-2 and a
     # larger DH group) if the client offers one — confirm against the client.
     ike=3des-md5-modp1024         
     # Load the connection at startup and wait for the client to initiate.
     auto=add

[root@sm ~]# vim /etc/strongswan/ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file
# NOTE(review): both secrets below are short sample values. With
# aggressive=yes in ipsec.conf the PSK can be guessed offline, so a real
# deployment needs a long random PSK and a strong XAuth password, and this
# file should be readable by root only.
# NOTE(review): "@any" is a literal identity named "any", not the %any
# wildcard; presumably the key is matched through the 192.168.1.105 selector
# instead — confirm.
192.168.1.105  @any : PSK  "linux123"
# XAuth credentials for user "test".
test   : XAUTH  "123"

[root@sm ~]# vim /etc/strongswan/strongswan.conf

# Settings for the charon IKE daemon.
charon {
        # Load plugins according to the 'load' setting in each plugin's config snippet.
        load_modular = yes
               # Without this option charon refuses to act as responder for IKEv1
               # Aggressive Mode with PSK authentication. NOTE(review): enabling it
               # accepts the offline PSK-guessing exposure of that mode, so the PSK
               # strength becomes the only barrier.
               i_dont_care_about_security_and_use_aggressive_mode_psk = yes  #added for IKEv1 Aggressive Mode
        plugins {
                # Pull in the per-plugin configuration snippets.
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

[root@sm ~]# systemctl start strongswan

认证成功日志如下:
[root@sm ~]# tail -f /var/log/messages

Nov 29 11:18:07 sm charon: 10[NET] received packet: from 192.168.1.101[500] to 192.168.1.105[500] (921 bytes)
Nov 29 11:18:07 sm charon: 10[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V V V ]
Nov 29 11:18:07 sm charon: 10[IKE] received FRAGMENTATION vendor ID
Nov 29 11:18:07 sm charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
Nov 29 11:18:07 sm charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Nov 29 11:18:07 sm charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 29 11:18:07 sm charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Nov 29 11:18:07 sm charon: 10[IKE] received XAuth vendor ID
Nov 29 11:18:07 sm charon: 10[IKE] received Cisco Unity vendor ID
Nov 29 11:18:07 sm charon: 10[IKE] received DPD vendor ID
Nov 29 11:18:07 sm charon: 10[IKE] 192.168.1.101 is initiating a Aggressive Mode IKE_SA
Nov 29 11:18:07 sm charon: 10[CFG] selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Nov 29 11:18:07 sm charon: 10[CFG] looking for XAuthInitPSK peer configs matching 192.168.1.105...192.168.1.101[Erffg]
Nov 29 11:18:07 sm charon: 10[CFG] selected peer config "Android"
Nov 29 11:18:07 sm charon: 10[IKE] no shared key found for 'centos'[192.168.1.105] - 'Erffg'[192.168.1.101]
Nov 29 11:18:07 sm charon: 10[ENC] generating AGGRESSIVE response 0 [ SA KE No ID V V V V NAT-D NAT-D HASH ]
Nov 29 11:18:07 sm charon: 10[NET] sending packet: from 192.168.1.105[500] to 192.168.1.101[500] (398 bytes)
Nov 29 11:18:07 sm charon: 11[NET] received packet: from 192.168.1.101[500] to 192.168.1.105[500] (92 bytes)
Nov 29 11:18:07 sm charon: 11[IKE] queueing INFORMATIONAL_V1 request as tasks still active
Nov 29 11:18:07 sm charon: 11[NET] received packet: from 192.168.1.101[500] to 192.168.1.105[500] (88 bytes)
Nov 29 11:18:07 sm charon: 11[ENC] parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Nov 29 11:18:07 sm charon: 11[ENC] parsed INFORMATIONAL_V1 request 2150728845 [ HASH N(INITIAL_CONTACT) ]
Nov 29 11:18:07 sm charon: 11[ENC] generating TRANSACTION request 2986076664 [ HASH CPRQ(X_USER X_PWD) ]
Nov 29 11:18:07 sm charon: 11[NET] sending packet: from 192.168.1.105[500] to 192.168.1.101[500] (68 bytes)
Nov 29 11:18:07 sm charon: 13[NET] received packet: from 192.168.1.101[500] to 192.168.1.105[500] (84 bytes)
Nov 29 11:18:07 sm charon: 13[ENC] parsed TRANSACTION response 2986076664 [ HASH CPRP(X_USER X_PWD) ]
Nov 29 11:18:07 sm charon: 13[IKE] XAuth authentication of 'test' successful
Nov 29 11:18:07 sm charon: 13[ENC] generating TRANSACTION request 795313888 [ HASH CPS(X_STATUS) ]
Nov 29 11:18:07 sm charon: 13[NET] sending packet: from 192.168.1.105[500] to 192.168.1.101[500] (68 bytes)
Nov 29 11:18:07 sm charon: 14[NET] received packet: from 192.168.1.101[500] to 192.168.1.105[500] (76 bytes)
Nov 29 11:18:07 sm charon: 14[ENC] parsed TRANSACTION response 795313888 [ HASH CPA(X_STATUS) ]
Nov 29 11:18:07 sm charon: 14[IKE] IKE_SA Android[3] established between 192.168.1.105[centos]...192.168.1.101[Erffg]
Nov 29 11:18:07 sm charon: 14[IKE] scheduling reauthentication in 10002s
Nov 29 11:18:07 sm charon: 14[IKE] maximum IKE_SA lifetime 10542s
Nov 29 11:18:07 sm charon: 16[NET] received packet: from 192.168.1.101[500] to 192.168.1.105[500] (108 bytes)
Nov 29 11:18:07 sm charon: 16[ENC] parsed TRANSACTION request 3244743448 [ HASH CPRQ(ADDR MASK DNS NBNS U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN VER) ]
Nov 29 11:18:07 sm charon: 16[IKE] peer requested virtual IP %any
Nov 29 11:18:07 sm charon: 16[CFG] reassigning offline lease to 'test'
Nov 29 11:18:07 sm charon: 16[IKE] assigning virtual IP 192.168.99.1 to peer 'test'
Nov 29 11:18:07 sm charon: 16[CFG] sending UNITY_SPLIT_INCLUDE: 192.168.10.0/24
Nov 29 11:18:07 sm charon: 16[ENC] generating TRANSACTION response 3244743448 [ HASH CPRP(ADDR U_SPLITINC) ]
Nov 29 11:18:07 sm charon: 16[NET] sending packet: from 192.168.1.105[500] to 192.168.1.101[500] (84 bytes)


转载自blog.csdn.net/zdl244/article/details/103319832