IPSec 与 strongswan 无法连接

tag-icon tag-icon networking server ipsec
IPSec 与 strongswan 无法连接

我正在尝试在 18.04 上使用 Strong Swan 设置 IPSEC 服务器

我的 ipsec.conf 是:

# ipsec.conf - strongSwan IPsec configuration file
config setup
   charondebug="cfg 2"

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=no
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    [email protected]
    leftcert=/etc/ssl/certs/domain.com.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=192.168.1.1
    rightsourceip=10.11.12.0/24
    rightsendcert=never
    eap_identity=%identity

我的 ipsec.secrets 是

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

domain.com : RSA /etc/ssl/private/strongswan.key
user %any% : EAP "pass"

据我所知,我已经设置了 ufw 来允许流量通过:

administrator@fserver:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80,443/tcp (Apache Full)   ALLOW IN    Anywhere
22/tcp (OpenSSH)           ALLOW IN    Anywhere
137,138/udp (Samba)        ALLOW IN    Anywhere
139,445/tcp (Samba)        ALLOW IN    Anywhere
3389/tcp                   ALLOW IN    Anywhere
8085/tcp                   ALLOW IN    Anywhere
35000:36000/tcp            ALLOW IN    Anywhere                   # deluge
10000:20000/tcp            ALLOW IN    Anywhere                   # ftp passive
20:21/tcp                  ALLOW IN    Anywhere                   # ftp
990/tcp                    ALLOW IN    Anywhere                   # ftp tls
192.168.1.2/esp            ALLOW IN    Anywhere
500                        ALLOW IN    Anywhere                   # ipsec
4500                       ALLOW IN    Anywhere                   # ipsec
192.168.1.2/ah             ALLOW IN    Anywhere
80,443/tcp (Apache Full (v6)) ALLOW IN    Anywhere (v6)
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
137,138/udp (Samba (v6))   ALLOW IN    Anywhere (v6)
139,445/tcp (Samba (v6))   ALLOW IN    Anywhere (v6)
3389/tcp (v6)              ALLOW IN    Anywhere (v6)
8085/tcp (v6)              ALLOW IN    Anywhere (v6)
35000:36000/tcp (v6)       ALLOW IN    Anywhere (v6)              # deluge
10000:20000/tcp (v6)       ALLOW IN    Anywhere (v6)              # ftp passive
20:21/tcp (v6)             ALLOW IN    Anywhere (v6)              # ftp
990/tcp (v6)               ALLOW IN    Anywhere (v6)              # ftp tls
500 (v6)                   ALLOW IN    Anywhere (v6)              # ipsec
4500 (v6)                  ALLOW IN    Anywhere (v6)              # ipsec

不幸的是,我无法在 Windows 10 上连接。当我尝试在 Windows 上连接时,它停留在“验证您的登录信息”上,然后停止并显示一条错误消息,提示由于服务器停止响应,因此无法建立连接。

我的系统日志显示:

Jul  3 11:20:51 fserver charon: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul  3 11:20:51 fserver charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver ipsec[4349]: 06[ENC] generating INFORMATIONAL_V1 request 3859798652 [ N(NO_PROP) ]
Jul  3 11:20:51 fserver ipsec[4349]: 06[NET] sending packet: from 192.168.1.2[500] to 216.218.206.70[50231] (40 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 08[NET] received packet: from 216.218.206.98[28703] to 192.168.1.2[500] (64 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 08[ENC] parsed ID_PROT request 0 [ SA ]
Jul  3 11:20:51 fserver ipsec[4349]: 08[CFG] looking for an ike config for 192.168.1.2...216.218.206.98
Jul  3 11:20:51 fserver ipsec[4349]: 08[IKE] no IKE config found for 192.168.1.2...216.218.206.98, sending NO_PROPOSAL_CHOSEN
Jul  3 11:20:51 fserver ipsec[4349]: 08[ENC] generating INFORMATIONAL_V1 request 1302012061 [ N(NO_PROP) ]
Jul  3 11:20:51 fserver ipsec[4349]: 08[NET] sending packet: from 192.168.1.2[500] to 216.218.206.98[28703] (40 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 10[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   candidate: %any...%any, prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] found matching ike config: %any...%any with prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] received MS-Negotiation Discovery Capable vendor ID
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] received Vid-Initial-Contact vendor ID
Jul  3 11:20:51 fserver ipsec[4349]: 10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] 142.68.61.15 is initiating an IKE_SA
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   proposal matches
Jul  3 11:20:51 fserver charon: 13[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] local host is behind NAT, sending keep alives
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] remote host is behind NAT
Jul  3 11:20:51 fserver ipsec[4349]: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul  3 11:20:51 fserver ipsec[4349]: 10[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 11[IKE] sending keep alive to 142.68.61.15[500]
Jul  3 11:20:51 fserver ipsec[4349]: 12[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout
Jul  3 11:20:51 fserver ipsec[4349]: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver ipsec[4349]: 13[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul  3 11:20:51 fserver ipsec[4349]: 13[CFG]   candidate: %any...%any, prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 13[CFG] found matching ike config: %any...%any with prio 28
Jul  3 11:20:51 fserver charon: 13[CFG]   candidate: %any...%any, prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 13[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul  3 11:20:51 fserver charon: 13[CFG] found matching ike config: %any...%any with prio 28
Jul  3 11:20:51 fserver charon: 13[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul  3 11:20:51 fserver charon: 13[IKE] received MS-Negotiation Discovery Capable vendor ID
Jul  3 11:20:51 fserver charon: 13[IKE] received Vid-Initial-Contact vendor ID
Jul  3 11:20:51 fserver charon: 13[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul  3 11:20:51 fserver charon: 13[IKE] 142.68.61.15 is initiating an IKE_SA
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   proposal matches
Jul  3 11:20:51 fserver charon: 13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul  3 11:20:51 fserver charon: 13[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver charon: 13[IKE] local host is behind NAT, sending keep alives
Jul  3 11:20:51 fserver charon: 13[IKE] remote host is behind NAT
Jul  3 11:20:51 fserver charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul  3 11:20:51 fserver charon: 13[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul  3 11:21:11 fserver charon: 15[IKE] sending keep alive to 142.68.61.15[500]
Jul  3 11:21:21 fserver charon: 01[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout

看起来 Windows 不再发送任何数据包。我已转发端口 500 和 4500。

也许是 ufw 没有正确设置,我愿意深入研究 iptables,但如果没有必要,我宁愿不这样做。

答案1

如果您可以排除防火墙阻止请求,则可能的原因是 IP 碎片(您可以使用 tcpdump/Wireshark 检查是否发送/接收消息)。

如果 IKE_AUTH 消息过大(例如由于客户端证书很大或证书请求很多),则会将其拆分为多个 IP 片段。此类片段通常会被防火墙/路由器丢弃。

避免这种情况的一个选项是使用 IKEv2 碎片化,但并非所有客户端都支持此扩展。例如,Windows 10 直到 2018 年春季更新才支持它。但如果您更新客户端,您应该能够设置fragmentation=yes为使用 IKEv2 碎片化。

答案2

似乎您缺少一些插件。尝试在您的 ubuntu 中安装 libcharon-extra-plugins。

sudo apt-get install libcharon-extra-plugins

答案3

正如评论中提到的,最初的问题是端口转发中的拼写错误。后续问题是由于 Let's Encrypt 中间证书没有发送过来,尽管它是链文件的一部分。不得不手动将其放入/etc/ipsec.d/cacerts

我强烈建议使用 Strongswan 移动应用程序进行调试,因为它具有非常有用的日志信息,而 Windows 则几乎没用。

相关内容