ipsec.conf:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
#aggressive=yes
conn net-net
type=transport
left=192.168.0.132
leftsubnet=0.0.0.0/0
#leftid=@sun
leftid=192.168.0.132
leftfirewall=yes
right=192.168.0.124
rightsubnet=0.0.0.0/0
#rightid=@moon
rightid=192.168.0.124
auto=add
ipsec.secrets:
# /etc/ipsec.secrets - strongSwan IPsec secrets file
192.168.0.132 192.168.0.124 : PSK 0saGVsbG8=
注意,选用的是main模式,安卓机选L2TPoverIPsec,注意IPsec标识符不要设置,设置PSK为hello。
安卓机如果不设置标识符,那么他的身份是IP地址,协商是MAIN模式。
如果设置为1.1.1.1这样的点分式,他的身份就是FQDN了,协商变为野蛮模式。
如果设置为moon这样的字符串,身份方式变为KEY_ID,协商也是野蛮模式。
[root@- strongswan.d]# cat /var/log/charon.log
Dec 16 16:27:07 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, Linux 3.4.44, x86_64)
Dec 16 16:27:07 00[LIB] plugin 'pkcs11': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'aes': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'des': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'rc2': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'sha1': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'sha2': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'md5': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'random': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'nonce': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'x509': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'revocation': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'constraints': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'pubkey': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'pkcs1': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'pkcs7': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'pkcs8': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'pkcs12': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'pgp': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'dnskey': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'sshkey': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'pem': loaded successfully
Dec 16 16:27:07 00[LIB] openssl FIPS mode(0) - disabled
Dec 16 16:27:07 00[LIB] plugin 'openssl': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'fips-prf': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'gmp': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'xcbc': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'cmac': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'hmac': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'attr': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'kernel-netlink': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'resolve': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'socket-default': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'stroke': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'updown': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'eap-identity': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'eap-md5': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'eap-mschapv2': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'eap-radius': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'xauth-generic': loaded successfully
Dec 16 16:27:07 00[LIB] plugin 'unity': loaded successfully
Dec 16 16:27:07 00[KNL] known interfaces and IP addresses:
Dec 16 16:27:07 00[KNL] lo
Dec 16 16:27:07 00[KNL] 127.0.0.1
Dec 16 16:27:07 00[KNL] ::1
Dec 16 16:27:07 00[KNL] eno16777736
Dec 16 16:27:07 00[KNL] 192.168.0.132
Dec 16 16:27:07 00[KNL] fe80::20c:29ff:fe95:8e0c
Dec 16 16:27:07 00[KNL] eno33554960
Dec 16 16:27:07 00[KNL] 192.168.152.150
Dec 16 16:27:07 00[KNL] 192.168.152.132
Dec 16 16:27:07 00[KNL] fe80::20c:29ff:fe95:8e16
Dec 16 16:27:07 00[KNL] eno50332184
Dec 16 16:27:07 00[KNL] 192.168.233.128
Dec 16 16:27:07 00[KNL] fe80::20c:29ff:fe95:8e20
Dec 16 16:27:07 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
Dec 16 16:27:07 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
Dec 16 16:27:07 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
Dec 16 16:27:07 00[LIB] feature CERT_DECODE:X509_OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:X509_OCSP_REQUEST
Dec 16 16:27:07 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Dec 16 16:27:07 00[ASN] file content is not binary ASN.1
Dec 16 16:27:07 00[ASN] -----BEGIN CERTIFICATE-----
Dec 16 16:27:07 00[ASN] -----END CERTIFICATE-----
Dec 16 16:27:07 00[ASN] L0 - x509:
Dec 16 16:27:07 00[ASN] L1 - tbsCertificate:
Dec 16 16:27:07 00[ASN] L2 - DEFAULT v1:
Dec 16 16:27:07 00[ASN] L3 - version:
Dec 16 16:27:07 00[ASN] X.509v3
Dec 16 16:27:07 00[ASN] L2 - serialNumber:
Dec 16 16:27:07 00[ASN] L2 - signature:
Dec 16 16:27:07 00[ASN] L3 - algorithmIdentifier:
Dec 16 16:27:07 00[ASN] L4 - algorithm:
Dec 16 16:27:07 00[ASN] 'sha256WithRSAEncryption'
Dec 16 16:27:07 00[ASN] L2 - issuer:
Dec 16 16:27:07 00[ASN] 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
Dec 16 16:27:07 00[ASN] L2 - validity:
Dec 16 16:27:07 00[ASN] L3 - notBefore:
Dec 16 16:27:07 00[ASN] L4 - utcTime:
Dec 16 16:27:07 00[ASN] 'Sep 10 10:01:18 UTC 2004'
Dec 16 16:27:07 00[ASN] L3 - notAfter:
Dec 16 16:27:07 00[ASN] L4 - utcTime:
Dec 16 16:27:07 00[ASN] 'Sep 07 10:01:18 UTC 2019'
Dec 16 16:27:07 00[ASN] L2 - subject:
Dec 16 16:27:07 00[ASN] 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
Dec 16 16:27:07 00[ASN] L2 - subjectPublicKeyInfo:
Dec 16 16:27:07 00[ASN] -- > --
Dec 16 16:27:07 00[ASN] L0 - subjectPublicKeyInfo:
Dec 16 16:27:07 00[ASN] L1 - algorithm:
Dec 16 16:27:07 00[ASN] L2 - algorithmIdentifier:
Dec 16 16:27:07 00[ASN] L3 - algorithm:
Dec 16 16:27:07 00[ASN] 'rsaEncryption'
Dec 16 16:27:07 00[ASN] L1 - subjectPublicKey:
Dec 16 16:27:07 00[ASN] -- > --
Dec 16 16:27:07 00[ASN] L0 - RSAPublicKey:
Dec 16 16:27:07 00[ASN] L1 - modulus:
Dec 16 16:27:07 00[ASN] L1 - publicExponent:
Dec 16 16:27:07 00[ASN] -- < --
Dec 16 16:27:07 00[ASN] -- < --
Dec 16 16:27:07 00[ASN] L2 - optional extensions:
Dec 16 16:27:07 00[ASN] L3 - extensions:
Dec 16 16:27:07 00[ASN] L4 - extension:
Dec 16 16:27:07 00[ASN] L5 - extnID:
Dec 16 16:27:07 00[ASN] 'basicConstraints'
Dec 16 16:27:07 00[ASN] L5 - critical:
Dec 16 16:27:07 00[ASN] TRUE
Dec 16 16:27:07 00[ASN] L5 - extnValue:
Dec 16 16:27:07 00[ASN] L6 - basicConstraints:
Dec 16 16:27:07 00[ASN] L7 - CA:
Dec 16 16:27:07 00[ASN] TRUE
Dec 16 16:27:07 00[ASN] L7 - pathLenConstraint:
Dec 16 16:27:07 00[ASN] L4 - extension:
Dec 16 16:27:07 00[ASN] L5 - extnID:
Dec 16 16:27:07 00[ASN] 'keyUsage'
Dec 16 16:27:07 00[ASN] L5 - critical:
Dec 16 16:27:07 00[ASN] FALSE
Dec 16 16:27:07 00[ASN] L5 - extnValue:
Dec 16 16:27:07 00[ASN] L4 - extension:
Dec 16 16:27:07 00[ASN] L5 - extnID:
Dec 16 16:27:07 00[ASN] 'subjectKeyIdentifier'
Dec 16 16:27:07 00[ASN] L5 - critical:
Dec 16 16:27:07 00[ASN] FALSE
Dec 16 16:27:07 00[ASN] L5 - extnValue:
Dec 16 16:27:07 00[ASN] L6 - keyIdentifier:
Dec 16 16:27:07 00[ASN] L4 - extension:
Dec 16 16:27:07 00[ASN] L5 - extnID:
Dec 16 16:27:07 00[ASN] 'authorityKeyIdentifier'
Dec 16 16:27:07 00[ASN] L5 - critical:
Dec 16 16:27:07 00[ASN] FALSE
Dec 16 16:27:07 00[ASN] L5 - extnValue:
Dec 16 16:27:07 00[ASN] L6 - authorityKeyIdentifier:
Dec 16 16:27:07 00[ASN] L7 - keyIdentifier:
Dec 16 16:27:07 00[ASN] L7 - authorityCertIssuer:
Dec 16 16:27:07 00[ASN] L7 - authorityCertSerialNumber:
Dec 16 16:27:07 00[ASN] L1 - signatureAlgorithm:
Dec 16 16:27:07 00[ASN] L2 - algorithmIdentifier:
Dec 16 16:27:07 00[ASN] L3 - algorithm:
Dec 16 16:27:07 00[ASN] 'sha256WithRSAEncryption'
Dec 16 16:27:07 00[ASN] L1 - signatureValue:
Dec 16 16:27:07 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/usr/local/etc/ipsec.d/cacerts/strongswanCert.pem'
Dec 16 16:27:07 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Dec 16 16:27:07 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Dec 16 16:27:07 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Dec 16 16:27:07 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Dec 16 16:27:07 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Dec 16 16:27:07 00[CFG] loaded IKE secret for @moon @sun
Dec 16 16:27:07 00[CFG] loaded IKE secret for 192.168.152.150 192.168.152.1
Dec 16 16:27:07 00[CFG] loaded IKE secret for 192.168.0.132 192.168.0.124
Dec 16 16:27:07 00[CFG] loaded 0 RADIUS server configurations
Dec 16 16:27:07 00[LIB] loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic unity
Dec 16 16:27:07 00[LIB] unable to load 4 plugin features (4 due to unmet dependencies)
Dec 16 16:27:07 00[JOB] spawning 6 worker threads
Dec 16 16:27:07 05[LIB] created thread 05 [11125]
Dec 16 16:27:07 05[JOB] started worker thread 05
Dec 16 16:27:07 05[JOB] no events, waiting
Dec 16 16:27:07 06[LIB] created thread 06 [11126]
Dec 16 16:27:07 06[JOB] started worker thread 06
Dec 16 16:27:07 06[JOB] watcher going to poll() 4 fds
Dec 16 16:27:07 06[JOB] watcher got notification, rebuilding
Dec 16 16:27:07 06[JOB] watcher going to poll() 4 fds
Dec 16 16:27:07 01[LIB] created thread 01 [11121]
Dec 16 16:27:07 01[JOB] started worker thread 01
Dec 16 16:27:07 01[NET] waiting for data on sockets
Dec 16 16:27:07 02[LIB] created thread 02 [11122]
Dec 16 16:27:07 02[JOB] started worker thread 02
Dec 16 16:27:07 03[LIB] created thread 03 [11123]
Dec 16 16:27:07 03[JOB] started worker thread 03
Dec 16 16:27:07 04[LIB] created thread 04 [11124]
Dec 16 16:27:07 04[JOB] started worker thread 04
Dec 16 16:27:07 06[JOB] watched FD 16 ready to read
Dec 16 16:27:07 06[JOB] watcher going to poll() 3 fds
Dec 16 16:27:07 03[CFG] stroke message => 835 bytes @ 0x7f37500011f0
Dec 16 16:27:07 03[CFG] 0: 43 03 00 00 03 00 00 00 FF FF FF FF 00 00 00 00 C...............
Dec 16 16:27:07 03[CFG] 16: 92 02 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 48: 00 00 00 00 00 00 00 00 01 00 00 00 40 00 00 00 ............@...
Dec 16 16:27:07 03[CFG] 64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 96: 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 112: 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
Dec 16 16:27:07 03[CFG] 128: 9A 02 00 00 00 00 00 00 C2 02 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 144: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 160: B0 04 00 00 00 00 00 00 10 0E 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 176: B4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 208: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 224: 64 00 00 00 00 00 00 00 1E 00 00 00 00 00 00 00 d...............
Dec 16 16:27:07 03[CFG] 240: 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 288: 00 00 00 00 00 00 00 00 3B 03 00 00 00 00 00 00 ........;.......
Dec 16 16:27:07 03[CFG] 304: 00 00 00 00 00 00 00 00 D8 02 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 336: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 352: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 368: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 384: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 400: E6 02 00 00 00 00 00 00 FD 02 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 416: F4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 432: 00 00 00 00 00 00 00 00 0B 03 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 448: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 464: 00 00 00 00 FF FF 00 00 3F 03 00 00 00 00 00 00 ........?.......
Dec 16 16:27:07 03[CFG] 480: 00 00 00 00 00 00 00 00 15 03 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 496: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 512: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 528: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 544: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 576: 00 00 00 00 00 00 00 00 23 03 00 00 00 00 00 00 ........#.......
Dec 16 16:27:07 03[CFG] 592: F4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 608: 00 00 00 00 00 00 00 00 31 03 00 00 00 00 00 00 ........1.......
Dec 16 16:27:07 03[CFG] 624: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 640: 00 00 00 00 FF FF 00 00 FF FF FF FF 00 00 00 00 ................
Dec 16 16:27:07 03[CFG] 656: 00 04 6E 65 74 2D 6E 65 74 00 61 65 73 31 32 38 ..net-net.aes128
Dec 16 16:27:07 03[CFG] 672: 2D 73 68 61 31 2D 6D 6F 64 70 32 30 34 38 2C 33 -sha1-modp2048,3
Dec 16 16:27:07 03[CFG] 688: 64 65 73 2D 73 68 61 31 2D 6D 6F 64 70 31 35 33 des-sha1-modp153
Dec 16 16:27:07 03[CFG] 704: 36 00 61 65 73 31 32 38 2D 73 68 61 31 2C 33 64 6.aes128-sha1,3d
Dec 16 16:27:07 03[CFG] 720: 65 73 2D 73 68 61 31 00 31 39 32 2E 31 36 38 2E es-sha1.192.168.
Dec 16 16:27:07 03[CFG] 736: 30 2E 31 33 32 00 69 70 73 65 63 20 5F 75 70 64 0.132.ipsec _upd
Dec 16 16:27:07 03[CFG] 752: 6F 77 6E 20 69 70 74 61 62 6C 65 73 00 31 39 32 own iptables.192
Dec 16 16:27:07 03[CFG] 768: 2E 31 36 38 2E 30 2E 31 33 32 00 30 2E 30 2E 30 .168.0.132.0.0.0
Dec 16 16:27:07 03[CFG] 784: 2E 30 2F 30 00 31 39 32 2E 31 36 38 2E 30 2E 31 .0/0.192.168.0.1
Dec 16 16:27:07 03[CFG] 800: 32 34 00 31 39 32 2E 31 36 38 2E 30 2E 31 32 34 24.192.168.0.124
Dec 16 16:27:07 03[CFG] 816: 00 30 2E 30 2E 30 2E 30 2F 30 00 70 73 6B 00 70 .0.0.0.0/0.psk.p
Dec 16 16:27:07 03[CFG] 832: 73 6B 00 sk.
Dec 16 16:27:07 03[CFG] received stroke: add connection 'net-net'
Dec 16 16:27:07 03[CFG] conn net-net
Dec 16 16:27:07 03[CFG] left=192.168.0.132
Dec 16 16:27:07 03[CFG] leftsubnet=0.0.0.0/0
Dec 16 16:27:07 03[CFG] leftauth=psk
Dec 16 16:27:07 03[CFG] leftid=192.168.0.132
Dec 16 16:27:07 03[CFG] leftupdown=ipsec _updown iptables
Dec 16 16:27:07 03[CFG] right=192.168.0.124
Dec 16 16:27:07 03[CFG] rightsubnet=0.0.0.0/0
Dec 16 16:27:07 03[CFG] rightauth=psk
Dec 16 16:27:07 03[CFG] rightid=192.168.0.124
Dec 16 16:27:07 03[CFG] ike=aes128-sha1-modp2048,3des-sha1-modp1536
Dec 16 16:27:07 03[CFG] esp=aes128-sha1,3des-sha1
Dec 16 16:27:07 03[CFG] dpddelay=30
Dec 16 16:27:07 03[CFG] dpdtimeout=150
Dec 16 16:27:07 03[CFG] mediation=no
Dec 16 16:27:07 03[CFG] keyexchange=ikev1
Dec 16 16:27:07 03[KNL] 192.168.0.124 is not a local address or the interface is down
Dec 16 16:27:07 06[JOB] watcher got notification, rebuilding
Dec 16 16:27:07 06[JOB] watcher going to poll() 4 fds
Dec 16 16:27:07 03[CFG] added configuration 'net-net'
Dec 16 16:27:07 06[JOB] watcher got notification, rebuilding
Dec 16 16:27:07 06[JOB] watcher going to poll() 4 fds
Dec 16 16:27:10 01[NET] received packet: from 192.168.0.124[500] to 192.168.0.132[500]
Dec 16 16:27:10 01[NET] waiting for data on sockets
Dec 16 16:27:10 04[MGR] checkout IKE_SA by message
Dec 16 16:27:10 04[MGR] created IKE_SA (unnamed)[1]
Dec 16 16:27:10 04[NET] <1> received packet: from 192.168.0.124[500] to 192.168.0.132[500] (444 bytes)
Dec 16 16:27:10 04[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V ]
Dec 16 16:27:10 04[CFG] <1> looking for an ike config for 192.168.0.132...192.168.0.124
Dec 16 16:27:10 04[CFG] <1> ike config match: 3100 (192.168.0.132 192.168.0.124 IKEv1)
Dec 16 16:27:10 04[CFG] <1> candidate: 192.168.0.132...192.168.0.124, prio 3100
Dec 16 16:27:10 04[CFG] <1> found matching ike config: 192.168.0.132...192.168.0.124 with prio 3100
Dec 16 16:27:10 04[IKE] <1> received NAT-T (RFC 3947) vendor ID
Dec 16 16:27:10 04[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Dec 16 16:27:10 04[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 16 16:27:10 04[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Dec 16 16:27:10 04[IKE] <1> received FRAGMENTATION vendor ID
Dec 16 16:27:10 04[IKE] <1> received DPD vendor ID
Dec 16 16:27:10 04[IKE] <1> 192.168.0.124 is initiating a Main Mode IKE_SA
Dec 16 16:27:10 04[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable DIFFIE_HELLMAN_GROUP found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable PSEUDO_RANDOM_FUNCTION found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable DIFFIE_HELLMAN_GROUP found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable PSEUDO_RANDOM_FUNCTION found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:10 04[CFG] <1> selecting proposal:
Dec 16 16:27:10 04[CFG] <1> proposal matches
Dec 16 16:27:10 05[JOB] next event in 29s 993ms, waiting
Dec 16 16:27:10 04[CFG] <1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Dec 16 16:27:10 04[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Dec 16 16:27:10 04[CFG] <1> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 16 16:27:10 04[IKE] <1> sending XAuth vendor ID
Dec 16 16:27:10 04[IKE] <1> sending DPD vendor ID
Dec 16 16:27:10 04[IKE] <1> sending NAT-T (RFC 3947) vendor ID
Dec 16 16:27:10 04[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
Dec 16 16:27:10 04[NET] <1> sending packet: from 192.168.0.132[500] to 192.168.0.124[500] (132 bytes)
Dec 16 16:27:10 04[MGR] <1> checkin IKE_SA (unnamed)[1]
Dec 16 16:27:10 04[MGR] <1> check-in of IKE_SA successful.
Dec 16 16:27:10 02[NET] sending packet: from 192.168.0.132[500] to 192.168.0.124[500]
Dec 16 16:27:10 01[NET] received packet: from 192.168.0.124[500] to 192.168.0.132[500]
Dec 16 16:27:10 01[NET] waiting for data on sockets
Dec 16 16:27:10 03[MGR] checkout IKE_SA by message
Dec 16 16:27:10 03[MGR] IKE_SA (unnamed)[1] successfully checked out
Dec 16 16:27:10 03[NET] <1> received packet: from 192.168.0.124[500] to 192.168.0.132[500] (228 bytes)
Dec 16 16:27:10 03[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 16 16:27:10 03[LIB] <1> size of DH secret exponent: 1023 bits
Dec 16 16:27:10 03[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 16 16:27:10 03[NET] <1> sending packet: from 192.168.0.132[500] to 192.168.0.124[500] (244 bytes)
Dec 16 16:27:10 03[MGR] <1> checkin IKE_SA (unnamed)[1]
Dec 16 16:27:10 03[MGR] <1> check-in of IKE_SA successful.
Dec 16 16:27:10 02[NET] sending packet: from 192.168.0.132[500] to 192.168.0.124[500]
Dec 16 16:27:10 01[NET] received packet: from 192.168.0.124[500] to 192.168.0.132[500]
Dec 16 16:27:10 01[NET] waiting for data on sockets
Dec 16 16:27:10 04[MGR] checkout IKE_SA by message
Dec 16 16:27:10 04[MGR] IKE_SA (unnamed)[1] successfully checked out
Dec 16 16:27:10 04[NET] <1> received packet: from 192.168.0.124[500] to 192.168.0.132[500] (76 bytes)
Dec 16 16:27:10 04[ENC] <1> parsed ID_PROT request 0 [ ID HASH ]
Dec 16 16:27:10 04[CFG] <1> looking for pre-shared key peer configs matching 192.168.0.132...192.168.0.124[192.168.0.124]
Dec 16 16:27:10 04[CFG] <1> peer config match local: 1 (ID_ANY)
Dec 16 16:27:10 04[CFG] <1> peer config match remote: 20 (ID_IPV4_ADDR -> c0:a8:00:7c)
Dec 16 16:27:10 04[CFG] <1> ike config match: 3100 (192.168.0.132 192.168.0.124 IKEv1)
Dec 16 16:27:10 04[CFG] <1> candidate "net-net", match: 1/20/3100 (me/other/ike)
Dec 16 16:27:10 04[CFG] <1> selected peer config "net-net"
Dec 16 16:27:10 04[IKE] <net-net|1> IKE_SA net-net[1] established between 192.168.0.132[192.168.0.132]...192.168.0.124[192.168.0.124]
Dec 16 16:27:10 04[IKE] <net-net|1> IKE_SA net-net[1] state change: CONNECTING => ESTABLISHED
Dec 16 16:27:10 04[IKE] <net-net|1> scheduling reauthentication in 3271s
Dec 16 16:27:10 04[IKE] <net-net|1> maximum IKE_SA lifetime 3451s
Dec 16 16:27:10 04[ENC] <net-net|1> generating ID_PROT response 0 [ ID HASH ]
Dec 16 16:27:10 04[NET] <net-net|1> sending packet: from 192.168.0.132[500] to 192.168.0.124[500] (68 bytes)
Dec 16 16:27:10 04[MGR] <net-net|1> checkin IKE_SA net-net[1]
Dec 16 16:27:10 04[MGR] <net-net|1> check-in of IKE_SA successful.
Dec 16 16:27:10 04[MGR] checkout IKE_SA
Dec 16 16:27:10 04[MGR] IKE_SA net-net[1] successfully checked out
Dec 16 16:27:10 04[MGR] <net-net|1> checkin IKE_SA net-net[1]
Dec 16 16:27:10 04[MGR] <net-net|1> check-in of IKE_SA successful.
Dec 16 16:27:10 05[JOB] next event in 29s 944ms, waiting
Dec 16 16:27:10 02[NET] sending packet: from 192.168.0.132[500] to 192.168.0.124[500]
Dec 16 16:27:10 01[NET] received packet: from 192.168.0.124[500] to 192.168.0.132[500]
Dec 16 16:27:10 01[NET] waiting for data on sockets
Dec 16 16:27:10 04[MGR] checkout IKE_SA by message
Dec 16 16:27:10 04[MGR] IKE_SA net-net[1] successfully checked out
Dec 16 16:27:10 04[NET] <net-net|1> received packet: from 192.168.0.124[500] to 192.168.0.132[500] (92 bytes)
Dec 16 16:27:10 04[ENC] <net-net|1> parsed INFORMATIONAL_V1 request 2818635222 [ HASH N(INITIAL_CONTACT) ]
Dec 16 16:27:10 04[MGR] <net-net|1> checkin IKE_SA net-net[1]
Dec 16 16:27:10 04[MGR] <net-net|1> check-in of IKE_SA successful.
Dec 16 16:27:14 01[NET] received packet: from 192.168.0.124[500] to 192.168.0.132[500]
Dec 16 16:27:14 01[NET] waiting for data on sockets
Dec 16 16:27:14 03[MGR] checkout IKE_SA by message
Dec 16 16:27:14 03[MGR] IKE_SA net-net[1] successfully checked out
Dec 16 16:27:14 03[NET] <net-net|1> received packet: from 192.168.0.124[500] to 192.168.0.132[500] (340 bytes)
Dec 16 16:27:14 03[ENC] <net-net|1> parsed QUICK_MODE request 3411731601 [ HASH SA No ID ID ]
Dec 16 16:27:14 03[CFG] <net-net|1> looking for a child config for 192.168.0.132/32[udp/l2tp] === 192.168.0.124/32[udp]
Dec 16 16:27:14 03[CFG] <net-net|1> proposing traffic selectors for us:
Dec 16 16:27:14 03[CFG] <net-net|1> 0.0.0.0/0
Dec 16 16:27:14 03[CFG] <net-net|1> proposing traffic selectors for other:
Dec 16 16:27:14 03[CFG] <net-net|1> 0.0.0.0/0
Dec 16 16:27:14 03[CFG] <net-net|1> candidate "net-net" with prio 1+1
Dec 16 16:27:14 03[CFG] <net-net|1> found matching child config "net-net" with prio 2
Dec 16 16:27:14 03[CFG] <net-net|1> selecting traffic selectors for other:
Dec 16 16:27:14 03[CFG] <net-net|1> config: 0.0.0.0/0, received: 192.168.0.124/32[udp] => match: 192.168.0.124/32[udp]
Dec 16 16:27:14 03[CFG] <net-net|1> selecting traffic selectors for us:
Dec 16 16:27:14 03[CFG] <net-net|1> config: 0.0.0.0/0, received: 192.168.0.132/32[udp/l2tp] => match: 192.168.0.132/32[udp/l2tp]
Dec 16 16:27:14 03[CFG] <net-net|1> selecting proposal:
Dec 16 16:27:14 03[CFG] <net-net|1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:14 03[CFG] <net-net|1> selecting proposal:
Dec 16 16:27:14 03[CFG] <net-net|1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:14 03[CFG] <net-net|1> selecting proposal:
Dec 16 16:27:14 03[CFG] <net-net|1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:14 03[CFG] <net-net|1> selecting proposal:
Dec 16 16:27:14 03[CFG] <net-net|1> no acceptable ENCRYPTION_ALGORITHM found
Dec 16 16:27:14 03[CFG] <net-net|1> selecting proposal:
Dec 16 16:27:14 03[CFG] <net-net|1> proposal matches
Dec 16 16:27:14 03[CFG] <net-net|1> received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ
Dec 16 16:27:14 03[CFG] <net-net|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Dec 16 16:27:14 03[CFG] <net-net|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Dec 16 16:27:14 03[IKE] <net-net|1> received 28800s lifetime, configured 1200s
Dec 16 16:27:14 03[KNL] <net-net|1> got SPI c71db09a
Dec 16 16:27:14 03[ENC] <net-net|1> generating QUICK_MODE response 3411731601 [ HASH SA No ID ID ]
Dec 16 16:27:14 03[NET] <net-net|1> sending packet: from 192.168.0.132[500] to 192.168.0.124[500] (172 bytes)
Dec 16 16:27:14 03[MGR] <net-net|1> checkin IKE_SA net-net[1]
Dec 16 16:27:14 03[MGR] <net-net|1> check-in of IKE_SA successful.
Dec 16 16:27:14 02[NET] sending packet: from 192.168.0.132[500] to 192.168.0.124[500]
Dec 16 16:27:14 05[JOB] next event in 3s 999ms, waiting
Dec 16 16:27:14 01[NET] received packet: from 192.168.0.124[500] to 192.168.0.132[500]
Dec 16 16:27:14 01[NET] waiting for data on sockets
Dec 16 16:27:14 04[MGR] checkout IKE_SA by message
Dec 16 16:27:14 04[MGR] IKE_SA net-net[1] successfully checked out
Dec 16 16:27:14 04[NET] <net-net|1> received packet: from 192.168.0.124[500] to 192.168.0.132[500] (68 bytes)
Dec 16 16:27:14 04[ENC] <net-net|1> parsed QUICK_MODE request 3411731601 [ HASH ]
Dec 16 16:27:14 04[CHD] <net-net|1> using AES_CBC for encryption
Dec 16 16:27:14 04[CHD] <net-net|1> using HMAC_SHA1_96 for integrity
Dec 16 16:27:14 04[CHD] <net-net|1> adding inbound ESP SA
Dec 16 16:27:14 04[CHD] <net-net|1> SPI 0xc71db09a, src 192.168.0.124 dst 192.168.0.132
Dec 16 16:27:14 04[KNL] <net-net|1> adding SAD entry with SPI c71db09a and reqid {1} (mark 0/0x00000000)
Dec 16 16:27:14 04[KNL] <net-net|1> using encryption algorithm AES_CBC with key size 128
Dec 16 16:27:14 04[KNL] <net-net|1> using integrity algorithm HMAC_SHA1_96 with key size 160
Dec 16 16:27:14 04[KNL] <net-net|1> using replay window of 32 packets
Dec 16 16:27:14 04[CHD] <net-net|1> adding outbound ESP SA
Dec 16 16:27:14 04[CHD] <net-net|1> SPI 0x0c8e9d0c, src 192.168.0.132 dst 192.168.0.124
Dec 16 16:27:14 04[KNL] <net-net|1> adding SAD entry with SPI 0c8e9d0c and reqid {1} (mark 0/0x00000000)
Dec 16 16:27:14 04[KNL] <net-net|1> using encryption algorithm AES_CBC with key size 128
Dec 16 16:27:14 04[KNL] <net-net|1> using integrity algorithm HMAC_SHA1_96 with key size 160
Dec 16 16:27:14 04[KNL] <net-net|1> using replay window of 32 packets
Dec 16 16:27:14 04[KNL] <net-net|1> adding policy 192.168.0.132/32[udp/l2tp] === 192.168.0.124/32[udp] out (mark 0/0x00000000)
Dec 16 16:27:14 04[KNL] <net-net|1> adding policy 192.168.0.124/32[udp] === 192.168.0.132/32[udp/l2tp] in (mark 0/0x00000000)
Dec 16 16:27:14 04[KNL] <net-net|1> policy 192.168.0.132/32[udp/l2tp] === 192.168.0.124/32[udp] out (mark 0/0x00000000) already exists, increasing refcount
Dec 16 16:27:14 04[KNL] <net-net|1> updating policy 192.168.0.132/32[udp/l2tp] === 192.168.0.124/32[udp] out (mark 0/0x00000000)
Dec 16 16:27:14 04[KNL] <net-net|1> policy 192.168.0.124/32[udp] === 192.168.0.132/32[udp/l2tp] in (mark 0/0x00000000) already exists, increasing refcount
Dec 16 16:27:14 04[KNL] <net-net|1> updating policy 192.168.0.124/32[udp] === 192.168.0.132/32[udp/l2tp] in (mark 0/0x00000000)
Dec 16 16:27:14 04[IKE] <net-net|1> CHILD_SA net-net{1} established with SPIs c71db09a_i 0c8e9d0c_o and TS 192.168.0.132/32[udp/l2tp] === 192.168.0.124/32[udp]
Dec 16 16:27:14 04[KNL] <net-net|1> 192.168.0.132 is on interface eno16777736
Dec 16 16:27:14 04[MGR] <net-net|1> checkin IKE_SA net-net[1]
Dec 16 16:27:14 04[MGR] <net-net|1> check-in of IKE_SA successful.
[root@- strongswan.d]# ipsec statusall
Status of IKE charon daemon (weakSwan 5.3.3, Linux 3.4.44, x86_64):
uptime: 5 minutes, since Dec 16 16:27:06 2015
malloc: sbrk 2023424, mmap 0, used 1257568, free 765856
worker threads: 1 of 6 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic unity
Listening IP addresses:
192.168.0.132
192.168.152.150
192.168.152.132
192.168.233.128
Connections:
net-net: 192.168.0.132...192.168.0.124 IKEv1
net-net: local: [192.168.0.132] uses pre-shared key authentication
net-net: remote: [192.168.0.124] uses pre-shared key authentication
net-net: child: 0.0.0.0/0 === 0.0.0.0/0 TRANSPORT
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 5 minutes ago, 192.168.0.132[192.168.0.132]...192.168.0.124[192.168.0.124]
net-net[1]: IKEv1 SPIs: 93baf6ca86368600_i da8704758e4e31b4_r*, pre-shared key reauthentication in 49 minutes
net-net[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
net-net{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c71db09a_i 0c8e9d0c_o
net-net{1}: AES_CBC_128/HMAC_SHA1_96, 115 bytes_i (1 pkt, 321s ago), 0 bytes_o, rekeying in 8 minutes
net-net{1}: 192.168.0.132/32[udp/l2tp] === 192.168.0.124/32[udp]
No leaks detected, 1 suppressed by whitelist
[root@- strongswan.d]#
7071
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
