
Alexandre Bougakov
Forum member
Posts: 16
Equipment: Keenetic Giga
-
Unfortunately, it doesn't work: "no acceptable proposal found":
[I] Jul 23 20:45:24 ipsec: 06[IKE] a.a.a.a is initiating an IKE_SA
[I] Jul 23 20:45:24 ipsec: 06[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[I] Jul 23 20:45:24 ipsec: 06[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
[I] Jul 23 20:45:24 ipsec: 06[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[I] Jul 23 20:45:24 ipsec: 06[IKE] remote host is behind NAT
[I] Jul 23 20:45:24 ipsec: 05[CFG] looking for peer configs matching b.b.b.b[censored.keenetic.link]...a.a.a.a[censored.keenetic.link]
[I] Jul 23 20:45:24 ipsec: 05[CFG] selected peer config 'VirtualIPServerIKE2'
[I] Jul 23 20:45:24 ipsec: 05[IKE] initiating EAP_IDENTITY method (id 0x00)
[I] Jul 23 20:45:24 ipsec: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
[I] Jul 23 20:45:24 ipsec: 05[IKE] peer supports MOBIKE, but disabled in config
[I] Jul 23 20:45:24 ipsec: 05[IKE] authentication of 'censored.keenetic.link' (myself) with RSA signature successful
[I] Jul 23 20:45:24 ipsec: 05[IKE] sending end entity cert "CN=censored.keenetic.link"
[I] Jul 23 20:45:24 ipsec: 05[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R11"
[I] Jul 23 20:45:24 ipsec: 04[IKE] received EAP identity 'username'
[I] Jul 23 20:45:24 ipsec: 04[IKE] initiating EAP_MSCHAPV2 method (id 0x53)
[I] Jul 23 20:45:25 ipsec: 15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
[I] Jul 23 20:45:25 ipsec: 16[IKE] authentication of 'censored.keenetic.link' with EAP successful
[I] Jul 23 20:45:25 ipsec: 16[IKE] authentication of 'censored.keenetic.link' (myself) with EAP
[I] Jul 23 20:45:25 ipsec: 16[IKE] IKE_SA VirtualIPServerIKE2[108] established between b.b.b.b[censored.keenetic.link]...a.a.a.a[censored.keenetic.link]
[I] Jul 23 20:45:25 ipsec: 16[IKE] peer requested virtual IP %any
[I] Jul 23 20:45:25 ndm: Core::Server: started Session /var/run/ndm.core.socket.
[I] Jul 23 20:45:25 ndm: IpSec::CryptoMapInfo: "VirtualIPServerIKE2": allocated address "172.20.8.3" for user "username" @ "censored.keenetic.link" from "a.a.a.a".
[I] Jul 23 20:45:25 ndm: Core::Session: client disconnected.
[I] Jul 23 20:45:25 ipsec: 16[IKE] assigning virtual IP 172.20.8.3 to peer 'username'
[I] Jul 23 20:45:25 ipsec: 16[IKE] peer requested virtual IP %any6
[I] Jul 23 20:45:25 ipsec: 16[IKE] no virtual IP found for %any6 requested by 'username'
[I] Jul 23 20:45:25 ipsec: 16[CFG] received proposals: ESP:AES_GCM_16=256/NO_EXT_SEQ
[I] Jul 23 20:45:25 ipsec: 16[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA2_256_128/NO_EXT_SEQ
[I] Jul 23 20:45:25 ipsec: 16[IKE] no acceptable proposal found
[I] Jul 23 20:45:25 ipsec: 16[IKE] closing IKE_SA due CHILD_SA setup failure
[E] Jul 23 20:45:25 ndm: IpSec::Configurator: "VirtualIPServerIKE2": error while establishing CHILD_SA.
[I] Jul 23 20:45:25 ipsec: 16[CFG] scheduling RADIUS Interim-Updates every 5s
[I] Jul 23 20:45:25 ipsec: 06[IKE] deleting IKE_SA VirtualIPServerIKE2[108] between b.b.b.b[censored.keenetic.link]...a.a.a.a[censored.keenetic.link]
[I] Jul 23 20:45:25 ipsec: 06[IKE] sending DELETE for IKE_SA VirtualIPServerIKE2[108]
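Added example (not part of the post above and not code from Keenetic or from the IPsec daemon): a simplified Python model of IKEv2 proposal matching, run over log lines taken from the post, that reports which transform types leave the ESP exchange without a common proposal. The function names and the prefix-based transform classification are assumptions of this example, and the IKE `configured proposals` line is shortened to two of its sixteen entries.

```python
import re

# Log lines copied from the post; the IKE "configured proposals" line is
# shortened here to two of its sixteen entries.
SAMPLE_LOG = """\
[I] Jul 23 20:45:24 ipsec: 06[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[I] Jul 23 20:45:24 ipsec: 06[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[I] Jul 23 20:45:25 ipsec: 16[CFG] received proposals: ESP:AES_GCM_16=256/NO_EXT_SEQ
[I] Jul 23 20:45:25 ipsec: 16[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""

PROPOSALS_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")


def transform_type(token):
    """Classify a transform name by prefix (assumption: covers the names in the post)."""
    if token.startswith("PRF_"):
        return "PRF"
    if token.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEG"
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if token in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "ESN"
    return "ENCR"


def parse_proposal(text):
    """'ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ' -> ('ESP', {type: {names}})."""
    proto, _, body = text.strip().partition(":")
    by_type = {}
    for token in body.split("/"):
        by_type.setdefault(transform_type(token), set()).add(token)
    return proto, by_type


def parse_exchanges(log):
    """Pair every 'received proposals' line with the 'configured' line after it."""
    exchanges = []
    for line in log.splitlines():
        m = PROPOSALS_RE.search(line)
        if not m:
            continue
        props = [parse_proposal(p) for p in re.split(r",\s*", m.group(2).strip())]
        if m.group(1) == "received":
            exchanges.append({"received": props, "configured": []})
        elif exchanges:
            exchanges[-1]["configured"] = props
    return exchanges


def common(recv, conf):
    """Transforms both proposals share, one per type, or None if they cannot match.
    Simplified: both sides must carry the same transform types, so an AEAD
    proposal (no integrity transform) never matches a cipher+HMAC proposal."""
    (rproto, r), (cproto, c) = recv, conf
    if rproto != cproto or set(r) != set(c):
        return None
    chosen = {}
    for ttype in r:
        shared = r[ttype] & c[ttype]
        if not shared:
            return None
        chosen[ttype] = sorted(shared)[0]
    return chosen


def negotiate(exchange):
    """First received/configured pair that matches, or None."""
    for recv in exchange["received"]:
        for conf in exchange["configured"]:
            chosen = common(recv, conf)
            if chosen is not None:
                return chosen
    return None


def explain(exchange):
    """Transform types for which the two sides have nothing in common."""
    report = {}
    for side in ("received", "configured"):
        for _, by_type in exchange[side]:
            for ttype, names in by_type.items():
                report.setdefault(ttype, {"received": set(), "configured": set()})[side] |= names
    return {t: v for t, v in report.items() if not (v["received"] & v["configured"])}


if __name__ == "__main__":
    for ex in parse_exchanges(SAMPLE_LOG):
        print(negotiate(ex) or {"no acceptable proposal": explain(ex)})
```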
-
Hi. An IKEv2 server is running on a Keenetic Giga. If I create a simple VPN connection manually on the iPhone, just entering the domain name xxxx.keenetic.link, the login and the password, everything works fine out of the box:
Jul 22 11:42:01 ipsec 10[IKE] y.y.y.y is initiating an IKE_SA
Jul 22 11:42:01 ipsec 10[CFG] received proposals: IKE:AES_GCM_16=256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16=256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 22 11:42:01 ipsec 10[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
Jul 22 11:42:01 ipsec 10[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 22 11:42:01 ipsec 10[IKE] remote host is behind NAT
Jul 22 11:42:01 ipsec 10[IKE] DH group ECP_256 unacceptable, requesting MODP_2048
Jul 22 11:42:01 ipsec 05[IKE] y.y.y.y is initiating an IKE_SA
Jul 22 11:42:01 ipsec 05[CFG] received proposals: IKE:AES_GCM_16=256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16=256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 22 11:42:01 ipsec 05[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
Jul 22 11:42:01 ipsec 05[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 22 11:42:02 ipsec 05[IKE] remote host is behind NAT
Jul 22 11:42:02 ipsec 15[CFG] looking for peer configs matching x.x.x.x[censored.keenetic.link]...y.y.y.y[z.z.z.z]
Jul 22 11:42:02 ipsec 15[CFG] selected peer config 'VirtualIPServerIKE2'
Jul 22 11:42:02 ipsec 15[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 22 11:42:02 ipsec 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 22 11:42:02 ipsec 15[IKE] peer supports MOBIKE, but disabled in config
Jul 22 11:42:02 ipsec 15[IKE] authentication of 'censored.keenetic.link' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Jul 22 11:42:02 ipsec 15[IKE] sending end entity cert "CN=censored.keenetic.link"
Jul 22 11:42:02 ipsec 15[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R11"
Jul 22 11:42:03 ipsec 16[IKE] received EAP identity 'username'
Jul 22 11:42:03 ipsec 16[IKE] initiating EAP_MSCHAPV2 method (id 0x21)
Jul 22 11:42:03 ipsec 05[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jul 22 11:42:03 ipsec 08[IKE] authentication of 'z.z.z.z' with EAP successful
Jul 22 11:42:03 ipsec 08[IKE] authentication of 'censored.keenetic.link' (myself) with EAP
Jul 22 11:42:03 ipsec 08[IKE] IKE_SA VirtualIPServerIKE2[41] established between x.x.x.x[censored.keenetic.link]...y.y.y.y[z.z.z.z]
Jul 22 11:42:03 ipsec 08[IKE] peer requested virtual IP %any
Jul 22 11:42:03 ndm Core::Server: started Session /var/run/ndm.core.socket.
Jul 22 11:42:03 ndm IpSec::CryptoMapInfo: "VirtualIPServerIKE2": allocated address "172.20.8.1" for user "username" @ "z.z.z.z" from "y.y.y.y".
Now I'm trying to create a mobileconfig profile so that it can be rolled out to devices, and I can't find the right combination of ciphers. Here is what the configurator offers for Encryption algorithm, Integrity algorithm and Diffie-Hellman group. The question: exactly which combination does the IKEv2 client need to offer the Keenetic to make it happy? Thanks.
-
Have you considered that, since the problem exists, it would be good to add a banner "There are known issues with TimeMachine on the latest MacOS versions, please stay tuned"? I wasted about two hours on this... Tell me, did the same "solution supplier" also bring the HFS+ file system support for external drives? Because the Keenetic has started wrecking disks so badly that if you then plug them into a MacBook, DiskAid thinks for a long time and then says "this can't be repaired, I've switched the disk to read only, pull your data off".
-
Good day! I ran into being unable to make a backup to a disk over the SMB protocol (access to the folder is not anonymous, but by password). If the disk is shared over the ancient AFP protocol, there are no problems. Symptoms: the initial "skeleton" of backup directories is created on the disk, then the MacBook thinks for a while and reports the error "couldn't backup". The MacBook logs show the following (key phrase: "Failed to read capabilities"):
2024-07-12 08:02:06 Backup requested to destination with ID 2AACC547-1010-40FB-BA50-F1B650EB7DA7. specifiedOptions: TMBackupOptions(rawValue: 1042)
2024-07-12 08:02:06 Starting backup with mode "manual backup"
2024-07-12 08:02:06 Rejecting candidate mount point: /Volumes/TimeMachine, not owned by root
2024-07-12 08:02:06 Attempting to mount 'smb://sanja@Keenetic%20CIFS._smb._tcp.local./TimeMachine'
2024-07-12 08:02:08 Failed to read capabilities for '/Volumes/TimeMachine', error: Operation not permitted
2024-07-12 08:02:08 Initial network volume options for 'TimeMachine' {disablePrimaryReconnect: 0, disableSecondaryReconnect: 0, reconnectTimeOut: 0, QoS: 0x0, attributes: 0x1C}
2024-07-12 08:02:08 Failed to read capabilities for '/Volumes/.timemachine/Keenetic CIFS._smb._tcp.local./F9C7BBE3-C862-42F5-A21C-5BDB224FB5DB/TimeMachine', error: Operation not permitted
2024-07-12 08:02:08 Configured network volume options for 'TimeMachine' {disablePrimaryReconnect: 0, disableSecondaryReconnect: 0, reconnectTimeOut: 30, QoS: 0x20, attributes: 0x1C}
2024-07-12 08:02:08 Mounted 'smb://sanja@Keenetic%20CIFS._smb._tcp.local./TimeMachine' at '/Volumes/.timemachine/Keenetic CIFS._smb._tcp.local./F9C7BBE3-C862-42F5-A21C-5BDB224FB5DB/TimeMachine' (1.01 TB of 1.01 TB available)
2024-07-12 08:02:08 Mountpoint '/Volumes/.timemachine/Keenetic CIFS._smb._tcp.local./F9C7BBE3-C862-42F5-A21C-5BDB224FB5DB/TimeMachine' is still valid
2024-07-12 08:02:08 Creating an encrypted diskimage
2024-07-12 08:02:08 Mountpoint '/Volumes/.timemachine/Keenetic CIFS._smb._tcp.local./F9C7BBE3-C862-42F5-A21C-5BDB224FB5DB/TimeMachine' is still valid
2024-07-12 08:02:08 Using a band size of 245.8 MB (on a volume with size of 1.01 TB)
2024-07-12 08:02:12 Mountpoint '/Volumes/.timemachine/Keenetic CIFS._smb._tcp.local./F9C7BBE3-C862-42F5-A21C-5BDB224FB5DB/TimeMachine' is still valid
2024-07-12 08:02:12 Successfully attached using DiskImages2 as 'disk4' from URL '/Volumes/.timemachine/Keenetic CIFS._smb._tcp.local./F9C7BBE3-C862-42F5-A21C-5BDB224FB5DB/TimeMachine/CF188161-89B3-5A01-87CB-C7F035BE8EC0_2024-07-12-080208.sparsebundle'
2024-07-12 08:02:14 Failed to get resource value 'NSURLVolumeURLForRemountingKey' for '/Volumes/.timemachine/Keenetic CIFS._smb._tcp.local./F9C7BBE3-C862-42F5-A21C-5BDB224FB5DB/TimeMachine', error: Error Domain=NSCocoaErrorDomain Code=257 "The file “TimeMachine” couldn’t be opened because you don’t have permission to view it." UserInfo={NSURL=file:///Volumes/.timemachine/Keenetic%20CIFS._smb._tcp.local./F9C7BBE3-C862-42F5-A21C-5BDB224FB5DB/TimeMachine/, NSFilePath=/Volumes/.timemachine/Keenetic CIFS._smb._tcp.local./F9C7BBE3-C862-42F5-A21C-5BDB224FB5DB/TimeMachine, NSUnderlyingError=0x60000236d7a0 {Error Domain=NSPOSIXErrorDomain Code=13 "Permission denied"}}
2024-07-12 08:02:14 Failed to create volume info from disk '<TMDisk: 0x60000236e460> '/Volumes/.timemachine/Keenetic CIFS._smb._tcp.local./F9C7BBE3-C862-42F5-A21C-5BDB224FB5DB/TimeMachine'', error: missingURLForRemounting
2024-07-12 08:02:56 Failed to read capabilities for '/Volumes/TimeMachine', error: Operation not permitted
2024-07-12 08:04:00 Failed to read capabilities for '/Volumes/TimeMachine', error: Operation not permitted
2024-07-12 08:05:04 Failed to read capabilities for '/Volumes/TimeMachine', error: Operation not permitted
Reading the documentation led me to conclude that, when the "TimeMachine" checkbox is ticked next to the share, the firmware should set the following in Samba:
SMB_VFS_OBJECTS="fruit streams_xattr"
More details: https://wiki.samba.org/index.php/Configure_Samba_to_Work_Better_with_Mac_OS_X , https://github.com/mbentley/docker-timemachine/discussions/174#discussioncomment-8118176
self-test_KN-1010_stable_4.01.C.7.0-1_router_2024-07-12T09-01-35.074Z.txt
-
It was switched off, but the component had not been removed. I'll try. Unfortunately, I went to update the Linux kernel on the client, as the comrade above advised, and everything predictably went to... well, to that part of the body where things usually go when you violate the great principle "if it works, don't touch it".
-
Network Manager with the iwd backend is exactly what is being used.
-
And if I had, God forgive me, a smart WiFi refrigerator with this version of Ubuntu flashed into it permanently, what then, would I have to throw it out and buy a new one for the sake of compatibility with the Keenetic? Maybe instead the manufacturer should take care of supporting all ciphers on its side?
-
Yes, devices on iOS 17 and iPadOS 17 are fine; there were oddities with MacOS Sonoma, but they were resolved by deleting the network and reconfiguring on the Keenetic. Reading around the internet hints at this problem - https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267 - it looks like TLS 1.1 was cut out of OpenSSL and this leads to failures. The proposed fix is to add the following to the OpenSSL configs:
[system_default_sect]
Options = UnsafeLegacyRenegotiation
CipherString = DEFAULT@SECLEVEL=1
But the catch is that this is for wpa_supplicant, not for my iwd, about which it is written that "iwd does not use OpenSSL or any other userspace cryptographic library." Hence the question. How do I make the Keenetic more tolerant of the ciphers on the client?
-
# uname -a
Linux orangepizero 5.4.45-sunxi #20.05.3 SMP Wed Jun 10 12:09:20 CEST 2020 armv7l GNU/Linux
-
I unplugged the Keenetic from the outlet. I pulled a cheap Netis router down from the storage shelf and set up the same WiFi network on it. I run `iwlist scanning` and, instead of the strange `Authentication Suites (2) : PSK unknown (4)`, I see the correct `PSK`:
Cell 06 - Address: 04:5E:A4:57:D2:EB
    Channel:9
    Frequency:2.452 GHz (Channel 9)
    Quality=70/70 Signal level=-19 dBm
    Encryption key:on
    ESSID:"kv405 2.4GHz"
    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
              9 Mb/s; 12 Mb/s; 18 Mb/s
    Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
    Mode:Master
    Extra:tsf=0000000007fde465
    Extra: Last beacon: 452ms ago
    IE: Unknown: 000C6B7634303520322E3447487A
    IE: Unknown: 010882848B960C121824
    IE: Unknown: 030109
    IE: Unknown: 2A0100
    IE: Unknown: 32043048606C
    IE: IEEE 802.11i/WPA2 Version 1
        Group Cipher : CCMP
        Pairwise Ciphers (1) : CCMP
        Authentication Suites (1) : PSK
    IE: Unknown: DD180050F2020101000003A4000027A4000042435E0062322F00
    IE: Unknown: DD0600E04C020160
    IE: Unknown: 7F080000000000000000
I connect successfully:
root@orangepizero:~# nmcli --ask dev wifi con "kv405 2.4GHz"
Password: ••••••••••
Device 'wlan0' successfully activated with 'dea5c03c-9f08-43b6-818f-108701e00e2c'.
root@orangepizero:~# nmcli -f in-use,ssid,bssid,signal,bars dev wifi
IN-USE  SSID            BSSID              SIGNAL  BARS
*       kv405 2.4GHz    00:01:02:00:00:00  100     ▂▄▆█
        MTS_GPON_EEBC   00:01:02:00:00:01  57      ▂▄▆_
        MGTS_GPON_C7CF  00:01:02:00:00:04  52      ▂▄__
root@orangepizero:~# nmcli dev status
DEVICE  TYPE      STATE      CONNECTION
eth0    ethernet  connected  Wired connection 1
wlan0   wifi      connected  kv405 2.4GHz
lo      loopback  unmanaged  --
root@orangepizero:~# cd /etc/NetworkManager/system-connections
root@orangepizero:/etc/NetworkManager/system-connections# ls -la
total 12
drwxr-xr-x 2 root root 4096 Feb 1 12:25 .
drwxr-xr-x 7 root root 4096 Jan 31 22:49 ..
-rw------- 1 root root 319 Feb 1 12:25 'kv405 2.4GHz.nmconnection'
root@orangepizero:/etc/NetworkManager/system-connections# cat kv405\ 2.4GHz.nmconnection
[connection]
id=kv405 2.4GHz
uuid=dea5c03c-9f08-43b6-818f-108701e00e2c
type=wifi
permissions=

[wifi]
mac-address-blacklist=
mode=infrastructure
ssid=kv405 2.4GHz

[wifi-security]
auth-alg=open
key-mgmt=wpa-psk
psk=redacted

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto
I grunt, pull the cheap router out of the outlet, and switch the Keenetic back on:
# nmcli con up dea5c03c-9f08-43b6-818f-108701e00e2c
Error: Connection activation failed: Secrets were required, but not provided
In the log, once again, the painfully familiar message about the 4-way handshake:
Feb 01 12:48:56 orangepizero nm-dispatcher[1630]: req:1 'down' [wlan0]: start running ordered scripts...
Feb 01 12:48:56 orangepizero kernel: xradio TXRX-WRN: received frame has no key status
Feb 01 12:48:56 orangepizero kernel: xradio TXRX-WRN: dropped received frame
Feb 01 12:48:56 orangepizero kernel: xradio TXRX-WRN: received frame has no key status
Feb 01 12:48:56 orangepizero kernel: xradio TXRX-WRN: dropped received frame
Feb 01 12:48:56 orangepizero kernel: xradio TXRX-WRN: received frame has no key status
Feb 01 12:48:56 orangepizero kernel: xradio TXRX-WRN: dropped received frame
Feb 01 12:48:57 orangepizero kernel: xradio TXRX-WRN: received frame has no key status
Feb 01 12:48:57 orangepizero kernel: xradio TXRX-WRN: dropped received frame
Feb 01 12:48:59 orangepizero kernel: xradio TXRX-WRN: received frame has no key status
Feb 01 12:48:59 orangepizero kernel: xradio TXRX-WRN: dropped received frame
Feb 01 12:49:01 orangepizero iwd[563]: 4-Way handshake failed for ifindex: 3, reason: 15
Feb 01 12:49:01 orangepizero kernel: wlan0: deauthenticating from 52:ff:20:50:59:fa by local choice (Reason: 15=4WAY_HANDSHAKE_TIMEOUT)
Feb 01 12:49:01 orangepizero kernel: xradio WSM-WRN: Issue unjoin command(TX).
Feb 01 12:49:01 orangepizero NetworkManager[608]: <error> [1706780941.2391] device (wlan0): Activation: (wifi) Network.Connect failed: GDBus.Error:net.connman.iwd.Failed: Operation failed
Feb 01 12:49:01 orangepizero NetworkManager[608]: <info> [1706780941.2447] device (wlan0): new IWD device state is disconnected
Feb 01 12:49:01 orangepizero NetworkManager[608]: <info> [1706780941.2463] device (wlan0): state change: config -> failed (reason 'no-secrets', sys-iface-state: 'managed')
Feb 01 12:49:01 orangepizero NetworkManager[608]: <warn> [1706780941.2558] device (wlan0): Activation: failed for connection 'kv405 2.4GHz'
Feb 01 12:49:01 orangepizero NetworkManager[608]: <info> [1706780941.2620] device (wlan0): state change: failed -> disconnected (reason 'none', sys-iface-state: 'managed')
-
I keep digging. I noticed that the Keenetic's BSSID differs by one digit: the real one is 50:ff:20:50:59:fa, while in the logs on the client the first digits are "52". The "Unknown" in Authentication suites also catches the eye.
# iw dev wlan0 scan
BSS 52:ff:20:50:59:fa(on wlan0)
    TSF: 49667392996 usec (0d, 13:47:47)
    freq: 2437
    beacon interval: 100 TUs
    capability: ESS Privacy RadioMeasure (0x1011)
    signal: -54.00 dBm
    last seen: 13632 ms ago
    Information elements from Probe Response frame:
    SSID: kv405 2.4GHz
    Supported rates: 6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0
    DS Parameter set: channel 6
    HT capabilities:
        Capabilities: 0x9ad
            RX LDPC
            HT20
            SM Power Save disabled
            RX HT20 SGI
            TX STBC
            RX STBC 1-stream
            Max AMSDU length: 7935 bytes
            No DSSS/CCK HT40
        Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
        Minimum RX AMPDU time spacing: 4 usec (0x05)
        HT RX MCS rate indexes supported: 0-15, 32
        HT TX MCS rate indexes are undefined
    HT operation:
        * primary channel: 6
        * secondary channel offset: no secondary
        * STA channel width: 20 MHz
        * RIFS: 0
        * HT protection: no
        * non-GF present: 1
        * OBSS non-GF present: 0
        * dual beacon: 0
        * dual CTS protection: 0
        * STBC beacon: 0
        * L-SIG TXOP Prot: 0
        * PCO active: 0
        * PCO phase: 0
    RSN:
        * Version: 1
        * Group cipher: CCMP
        * Pairwise ciphers: CCMP
        * Authentication suites: PSK FT/PSK
        * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
    Extended capabilities:
        * BSS Transition
        * Max Number Of MSDUs In A-MSDU is unlimited
    BSS Load:
        * station count: 5
        * channel utilisation: 0/255
        * available admission capacity: 31250 [*32us]
    WMM:
        * Parameter version 1
        * BE: CW 15-1023, AIFSN 3
        * BK: CW 15-1023, AIFSN 7
        * VI: CW 7-15, AIFSN 2, TXOP 3008 usec
        * VO: CW 3-7, AIFSN 2, TXOP 1504 usec
    Power constraint: 3 dB
    TPC report: TX power: 26 dBm
    Country: RU Environment: Indoor/Outdoor
        Channels [1 - 13] @ 20 dBm
    VHT capabilities:
        VHT Capabilities (0x33c001b1):
            Max MPDU length: 7991
            Supported Channel Width: neither 160 nor 80+80
            RX LDPC
            short GI (80 MHz)
            TX STBC
            +HTC-VHT
            RX antenna pattern consistency
            TX antenna pattern consistency
        VHT RX MCS set:
            1 streams: MCS 0-8
            2 streams: MCS 0-8
            3 streams: not supported
            4 streams: not supported
            5 streams: not supported
            6 streams: not supported
            7 streams: not supported
            8 streams: not supported
        VHT RX highest supported: 156 Mbps
        VHT TX MCS set:
            1 streams: MCS 0-8
            2 streams: MCS 0-8
            3 streams: not supported
            4 streams: not supported
            5 streams: not supported
            6 streams: not supported
            7 streams: not supported
            8 streams: not supported
        VHT TX highest supported: 156 Mbps
    VHT operation:
        * channel width: 0 (20 or 40 MHz)
        * center freq segment 1: 6
        * center freq segment 2: 0
        * VHT basic MCS set: 0xfff5
alternatively
# iwlist scanning
Cell 09 - Address: 52:FF:20:50:59:FA
    Channel:6
    Frequency:2.437 GHz (Channel 6)
    Quality=56/70 Signal level=-54 dBm
    Encryption key:on
    ESSID:"kv405 2.4GHz"
    Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
              36 Mb/s; 48 Mb/s; 54 Mb/s
    Mode:Master
    Extra:tsf=0000000bb481c9e8
    Extra: Last beacon: 560ms ago
    IE: Unknown: 000C6B7634303520322E3447487A
    IE: Unknown: 01088C129824B048606C
    IE: Unknown: 030106
    IE: Unknown: 2D1AAD0917FFFF000001000000000000000000000000000000000000
    IE: Unknown: 3D1606000400000000000000000000000000000000000000
    IE: IEEE 802.11i/WPA2 Version 1
        Group Cipher : CCMP
        Pairwise Ciphers (1) : CCMP
        Authentication Suites (2) : PSK unknown (4)
    IE: Unknown: 7F080000080000000000
    IE: Unknown: 0B05060000127A
    IE: Unknown: DD180050F2020101000003A4000027A4000042435E0062322F00
    IE: Unknown: 46050200010000
    IE: Unknown: 330E040102030405060708090A0B0C0D
    IE: Unknown: 200103
    IE: Unknown: 23021A00
    IE: Unknown: 0706525520010D14
    IE: Unknown: BF0CB101C033F5FF9C00F5FF9C20
    IE: Unknown: C005000600F5FF
    IE: Unknown: 3603784400
    IE: Unknown: DD21000CE708000000BF0CB101C0332AFF92042AFF9204C0050000002AFFC303010202
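Added example (not part of the post above, and not code from iw or iwlist): a Python decoder for the RSN information element that both scan tools print, showing that AKM suite type 4 under the IEEE OUI 00-0F-AC is FT/PSK, the value `iwlist` shows as `unknown (4)` and `iw` shows as `FT/PSK`. The two element byte strings are constructed to match the suites listed in the scans on this page (they are not captured frames), and the function names are this example's own.

```python
import struct

RSN_ELEMENT_ID = 48
OUI_IEEE = bytes.fromhex("000fac")

# Suite type numbers under OUI 00-0F-AC as assigned by IEEE 802.11 (subset).
CIPHERS = {2: "TKIP", 4: "CCMP", 8: "GCMP-128", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT/802.1X", 4: "FT/PSK",
        5: "802.1X/SHA-256", 6: "PSK/SHA-256", 8: "SAE", 9: "FT/SAE"}

# Constructed elements (not captured frames) matching the scans on this page:
# version 1, group CCMP, pairwise CCMP, capabilities 0x0000.
KEENETIC_RSN = bytes.fromhex(
    "3018" "0100" "000fac04" "0100" "000fac04"
    "0200" "000fac02" "000fac04" "0000")          # AKM: PSK + type 4
NETIS_RSN = bytes.fromhex(
    "3014" "0100" "000fac04" "0100" "000fac04"
    "0100" "000fac02" "0000")                     # AKM: PSK only


def _suite(raw, table):
    """Name a 4-byte suite selector (3-byte OUI + 1-byte type)."""
    oui, kind = raw[:3], raw[3]
    if oui == OUI_IEEE and kind in table:
        return table[kind]
    return f"unknown ({oui.hex()}:{kind})"


def parse_rsn_ie(ie):
    """Decode an RSN element (ID, length, body) up to the capabilities field."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("element shorter than its length field")
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN field")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def u16():
        return struct.unpack("<H", take(2))[0]   # 802.11 fields are little-endian

    version = u16()
    group = _suite(take(4), CIPHERS)
    pairwise = [_suite(take(4), CIPHERS) for _ in range(u16())]
    akm = [_suite(take(4), AKMS) for _ in range(u16())]
    caps = u16() if pos < len(body) else 0        # capabilities are optional
    return {"version": version, "group": group, "pairwise": pairwise,
            "akm": akm, "capabilities": caps}


def akm_only_in(first, second):
    """AKM suites advertised in element `first` but not in element `second`."""
    other = set(parse_rsn_ie(second)["akm"])
    return [name for name in parse_rsn_ie(first)["akm"] if name not in other]


if __name__ == "__main__":
    print("Keenetic:", parse_rsn_ie(KEENETIC_RSN))
    print("Netis:   ", parse_rsn_ie(NETIS_RSN))
    print("Only on Keenetic:", akm_only_in(KEENETIC_RSN, NETIS_RSN))
```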
-
It's Armbian there: Ubuntu built for ARM - https://www.armbian.com/orange-pi-zero/
# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
-
Yes, I usually have channel 1 selected; I also tried 6 and 11, and it doesn't help. Switching off 5 GHz doesn't help. Changing the b/g/n modes doesn't help.
-
I found in my stash a USB-0bda:8176 Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter. Same thing:
nmcli device status
DEVICE           TYPE      STATE         CONNECTION
eth0             ethernet  connected     Wired connection 1
wlan0            wifi      disconnected  --
wlx000f02389210  wifi      disconnected  --
lo               loopback  unmanaged     --
root@orangepizero:~# nmcli --ask dev wifi con "kv405 2.4GHz" ifname wlx000f02389210
Password: ••••••••••
Error: Connection activation failed: (7) Secrets were required, but not provided.
The log shows something similar:
Jan 31 23:23:36 orangepizero NetworkManager[596]: <info> [1706732616.6218] keyfile: add connection /run/NetworkManager/system-connections/kv405 2.4GHz 1.nmconnection (f7b8a023-f41c-4fb2-bc87-a14249903bf0,"kv405 2.4GHz 1")
Jan 31 23:23:36 orangepizero NetworkManager[596]: <info> [1706732616.6416] device (wlx000f02389210): Activation: starting connection 'kv405 2.4GHz 1' (f7b8a023-f41c-4fb2-bc87-a14249903bf0)
Jan 31 23:23:36 orangepizero NetworkManager[596]: <info> [1706732616.6640] settings-connection[0x1581860,f7b8a023-f41c-4fb2-bc87-a14249903bf0]: write: successfully commited (keyfile: update /etc/NetworkManager/system-connections/kv405 2.
Jan 31 23:23:36 orangepizero NetworkManager[596]: <info> [1706732616.6652] audit: op="connection-add-activate" uuid="f7b8a023-f41c-4fb2-bc87-a14249903bf0" name="kv405 2.4GHz 1" pid=1516 uid=0 result="success"
Jan 31 23:23:36 orangepizero NetworkManager[596]: <info> [1706732616.7067] device (wlx000f02389210): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
Jan 31 23:23:36 orangepizero NetworkManager[596]: <info> [1706732616.7131] device (wlx000f02389210): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
Jan 31 23:23:36 orangepizero NetworkManager[596]: <info> [1706732616.7217] device (wlx000f02389210): new IWD device state is connecting
Jan 31 23:23:36 orangepizero kernel: wlx000f02389210: authenticate with 52:ff:20:50:59:fa
Jan 31 23:23:36 orangepizero kernel: wlx000f02389210: send auth to 52:ff:20:50:59:fa (try 1/3)
Jan 31 23:23:36 orangepizero kernel: wlx000f02389210: send auth to 52:ff:20:50:59:fa (try 2/3)
Jan 31 23:23:36 orangepizero kernel: wlx000f02389210: authenticated
Jan 31 23:23:36 orangepizero kernel: wlx000f02389210: associate with 52:ff:20:50:59:fa (try 1/3)
Jan 31 23:23:36 orangepizero kernel: wlx000f02389210: RX AssocResp from 52:ff:20:50:59:fa (capab=0x1011 status=0 aid=7)
Jan 31 23:23:36 orangepizero kernel: wlx000f02389210: associated
Jan 31 23:23:36 orangepizero kernel: wlx000f02389210: Limiting TX power to 20 (20 - 0) dBm as advertised by 52:ff:20:50:59:fa
Jan 31 23:23:41 orangepizero iwd[571]: 4-Way handshake failed for ifindex: 4, reason: 15
Jan 31 23:23:41 orangepizero kernel: wlx000f02389210: deauthenticating from 52:ff:20:50:59:fa by local choice (Reason: 15=4WAY_HANDSHAKE_TIMEOUT)
Jan 31 23:23:41 orangepizero NetworkManager[596]: <error> [1706732621.8671] device (wlx000f02389210): Activation: (wifi) Network.Connect failed: GDBus.Error:net.connman.iwd.Failed: Operation failed
Jan 31 23:23:41 orangepizero NetworkManager[596]: <info> [1706732621.8728] device (wlx000f02389210): new IWD device state is disconnected
Jan 31 23:23:41 orangepizero NetworkManager[596]: <info> [1706732621.8751] device (wlx000f02389210): state change: config -> failed (reason 'no-secrets', sys-iface-state: 'managed')
Jan 31 23:23:41 orangepizero NetworkManager[596]: <warn> [1706732621.8847] device (wlx000f02389210): Activation: failed for connection 'kv405 2.4GHz 1'
Jan 31 23:23:41 orangepizero polkitd(authority=local)[1122]: Unregistered Authentication Agent for unix-process:1516:26872 (system bus name :1.17, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnec
Jan 31 23:23:41 orangepizero NetworkManager[596]: <info> [1706732621.9452] device (wlx000f02389210): state change: failed -> disconnected (reason 'none', sys-iface-state: 'managed')