I am trying to set up an IPsec server with strongSwan on 18.04.
My ipsec.conf is:
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="cfg 2"
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=no
forceencaps=yes
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@domain.com
leftcert=/etc/ssl/certs/domain.com.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightdns=192.168.1.1
rightsourceip=10.11.12.0/24
rightsendcert=never
eap_identity=%identity
My ipsec.secrets is:
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
domain.com : RSA /etc/ssl/private/strongswan.key
user %any% : EAP "pass"
As far as I can tell, I have set up ufw to let the traffic through:
administrator@fserver:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
80,443/tcp (Apache Full) ALLOW IN Anywhere
22/tcp (OpenSSH) ALLOW IN Anywhere
137,138/udp (Samba) ALLOW IN Anywhere
139,445/tcp (Samba) ALLOW IN Anywhere
3389/tcp ALLOW IN Anywhere
8085/tcp ALLOW IN Anywhere
35000:36000/tcp ALLOW IN Anywhere # deluge
10000:20000/tcp ALLOW IN Anywhere # ftp passive
20:21/tcp ALLOW IN Anywhere # ftp
990/tcp ALLOW IN Anywhere # ftp tls
192.168.1.2/esp ALLOW IN Anywhere
500 ALLOW IN Anywhere # ipsec
4500 ALLOW IN Anywhere # ipsec
192.168.1.2/ah ALLOW IN Anywhere
80,443/tcp (Apache Full (v6)) ALLOW IN Anywhere (v6)
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
137,138/udp (Samba (v6)) ALLOW IN Anywhere (v6)
139,445/tcp (Samba (v6)) ALLOW IN Anywhere (v6)
3389/tcp (v6) ALLOW IN Anywhere (v6)
8085/tcp (v6) ALLOW IN Anywhere (v6)
35000:36000/tcp (v6) ALLOW IN Anywhere (v6) # deluge
10000:20000/tcp (v6) ALLOW IN Anywhere (v6) # ftp passive
20:21/tcp (v6) ALLOW IN Anywhere (v6) # ftp
990/tcp (v6) ALLOW IN Anywhere (v6) # ftp tls
500 (v6) ALLOW IN Anywhere (v6) # ipsec
4500 (v6) ALLOW IN Anywhere (v6) # ipsec
Unfortunately, I cannot connect from Windows 10. When I try to connect on Windows, it sits at "Verifying your sign-in info", then stops and shows an error message saying the connection could not be established because the server stopped responding.
My syslog shows:
Jul 3 11:20:51 fserver charon: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul 3 11:20:51 fserver charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul 3 11:20:51 fserver ipsec[4349]: 06[ENC] generating INFORMATIONAL_V1 request 3859798652 [ N(NO_PROP) ]
Jul 3 11:20:51 fserver ipsec[4349]: 06[NET] sending packet: from 192.168.1.2[500] to 216.218.206.70[50231] (40 bytes)
Jul 3 11:20:51 fserver ipsec[4349]: 08[NET] received packet: from 216.218.206.98[28703] to 192.168.1.2[500] (64 bytes)
Jul 3 11:20:51 fserver ipsec[4349]: 08[ENC] parsed ID_PROT request 0 [ SA ]
Jul 3 11:20:51 fserver ipsec[4349]: 08[CFG] looking for an ike config for 192.168.1.2...216.218.206.98
Jul 3 11:20:51 fserver ipsec[4349]: 08[IKE] no IKE config found for 192.168.1.2...216.218.206.98, sending NO_PROPOSAL_CHOSEN
Jul 3 11:20:51 fserver ipsec[4349]: 08[ENC] generating INFORMATIONAL_V1 request 1302012061 [ N(NO_PROP) ]
Jul 3 11:20:51 fserver ipsec[4349]: 08[NET] sending packet: from 192.168.1.2[500] to 216.218.206.98[28703] (40 bytes)
Jul 3 11:20:51 fserver ipsec[4349]: 10[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul 3 11:20:51 fserver ipsec[4349]: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] candidate: %any...%any, prio 28
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] found matching ike config: %any...%any with prio 28
Jul 3 11:20:51 fserver ipsec[4349]: 10[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul 3 11:20:51 fserver ipsec[4349]: 10[IKE] received MS-Negotiation Discovery Capable vendor ID
Jul 3 11:20:51 fserver ipsec[4349]: 10[IKE] received Vid-Initial-Contact vendor ID
Jul 3 11:20:51 fserver ipsec[4349]: 10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul 3 11:20:51 fserver ipsec[4349]: 10[IKE] 142.68.61.15 is initiating an IKE_SA
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] proposal matches
Jul 3 11:20:51 fserver charon: 13[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 3 11:20:51 fserver ipsec[4349]: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 3 11:20:51 fserver ipsec[4349]: 10[IKE] local host is behind NAT, sending keep alives
Jul 3 11:20:51 fserver ipsec[4349]: 10[IKE] remote host is behind NAT
Jul 3 11:20:51 fserver ipsec[4349]: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 3 11:20:51 fserver ipsec[4349]: 10[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul 3 11:20:51 fserver ipsec[4349]: 11[IKE] sending keep alive to 142.68.61.15[500]
Jul 3 11:20:51 fserver ipsec[4349]: 12[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout
Jul 3 11:20:51 fserver ipsec[4349]: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul 3 11:20:51 fserver ipsec[4349]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul 3 11:20:51 fserver ipsec[4349]: 13[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul 3 11:20:51 fserver ipsec[4349]: 13[CFG] candidate: %any...%any, prio 28
Jul 3 11:20:51 fserver ipsec[4349]: 13[CFG] found matching ike config: %any...%any with prio 28
Jul 3 11:20:51 fserver charon: 13[CFG] candidate: %any...%any, prio 28
Jul 3 11:20:51 fserver ipsec[4349]: 13[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul 3 11:20:51 fserver charon: 13[CFG] found matching ike config: %any...%any with prio 28
Jul 3 11:20:51 fserver charon: 13[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul 3 11:20:51 fserver charon: 13[IKE] received MS-Negotiation Discovery Capable vendor ID
Jul 3 11:20:51 fserver charon: 13[IKE] received Vid-Initial-Contact vendor ID
Jul 3 11:20:51 fserver charon: 13[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul 3 11:20:51 fserver charon: 13[IKE] 142.68.61.15 is initiating an IKE_SA
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
Jul 3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul 3 11:20:51 fserver charon: 13[CFG] proposal matches
Jul 3 11:20:51 fserver charon: 13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul 3 11:20:51 fserver charon: 13[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 3 11:20:51 fserver charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 3 11:20:51 fserver charon: 13[IKE] local host is behind NAT, sending keep alives
Jul 3 11:20:51 fserver charon: 13[IKE] remote host is behind NAT
Jul 3 11:20:51 fserver charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 3 11:20:51 fserver charon: 13[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul 3 11:21:11 fserver charon: 15[IKE] sending keep alive to 142.68.61.15[500]
Jul 3 11:21:21 fserver charon: 01[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout
It looks like Windows does not send any more packets. I have forwarded ports 500 and 4500.
Maybe ufw is not set up correctly; I am willing to dig into iptables, but I would rather not if it is not necessary.
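As an added example (not part of the question), a small triage over charon lines in the format quoted above: it tracks which peer each charon thread is handling and reports, per peer, whether the IKE_SA died because no IKE_AUTH ever arrived after the IKE_SA_INIT reply went out, which is what the log above shows for 142.68.61.15. The log excerpt is a constructed condensation of the lines quoted above, and the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the charon lines quoted in the question
# (thread id, subsystem, message). Peers are only named in the NET lines, so
# the triage tracks which peer each charon thread is currently handling.
SAMPLE_LOG = """\
Jul 3 11:20:51 fserver charon: 08[NET] received packet: from 216.218.206.98[28703] to 192.168.1.2[500] (64 bytes)
Jul 3 11:20:51 fserver charon: 08[ENC] parsed ID_PROT request 0 [ SA ]
Jul 3 11:20:51 fserver charon: 08[IKE] no IKE config found for 192.168.1.2...216.218.206.98, sending NO_PROPOSAL_CHOSEN
Jul 3 11:20:51 fserver charon: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul 3 11:20:51 fserver charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul 3 11:20:51 fserver charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 3 11:20:51 fserver charon: 13[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul 3 11:21:21 fserver charon: 01[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout
"""

IP = r"\d+(?:\.\d+){3}"
RECV = re.compile(rf"(\d+)\[NET\] received packet: from ({IP})\[\d+\]")
PARSED = re.compile(r"(\d+)\[ENC\] parsed (\w+) request")
NOCONF = re.compile(rf"no IKE config found for {IP}\.\.\.({IP})")
TIMEOUT = re.compile(rf"deleting half open IKE_SA with ({IP}) after timeout")

def triage(log):
    """Map each peer whose IKE_SA never completed to a one-line verdict."""
    thread_peer = {}              # charon thread id -> peer it is handling
    exchanges = defaultdict(set)  # peer -> exchange types parsed from it
    verdicts = {}
    for line in log.splitlines():
        if m := RECV.search(line):
            thread_peer[m.group(1)] = m.group(2)
        elif m := PARSED.search(line):
            if peer := thread_peer.get(m.group(1)):
                exchanges[peer].add(m.group(2))
        elif m := NOCONF.search(line):
            kinds = "/".join(sorted(exchanges[m.group(1)])) or "unknown"
            verdicts[m.group(1)] = f"no IKE config matched ({kinds} request)"
        elif m := TIMEOUT.search(line):
            peer = m.group(1)
            if "IKE_AUTH" in exchanges[peer]:
                verdicts[peer] = "IKE_AUTH received but SA not established"
            else:
                # The question's symptom: INIT answered, client's IKE_AUTH never arrived.
                verdicts[peer] = "IKE_SA_INIT answered, no IKE_AUTH ever arrived"
    return verdicts

if __name__ == "__main__":
    for peer, verdict in triage(SAMPLE_LOG).items():
        print(f"{peer}: {verdict}")
```

Feed it the real file with `triage(open("/var/log/syslog").read())`; a peer that keeps landing in the "no IKE_AUTH ever arrived" bucket points at the path between the client and charon (NAT, firewall, fragmentation) rather than at authentication.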
Answer 1
If you can rule out the firewall blocking the requests, a possible cause is IP fragmentation (you can use tcpdump/Wireshark to check whether the messages are sent/received).
If the IKE_AUTH message gets too large (e.g. because of a large client certificate or many certificate requests), it is split into multiple IP fragments. Such fragments are often dropped by firewalls/routers.
One option to avoid this is IKEv2 fragmentation, but not all clients support that extension. Windows 10, for example, did not support it until the Spring 2018 update. But if you update the client, you should be able to set fragmentation=yes to use IKEv2 fragmentation.
Answer 2
It seems you are missing some plugins. Try installing libcharon-extra-plugins on your Ubuntu:
sudo apt-get install libcharon-extra-plugins
Answer 3
As mentioned in the comments, the initial problem was a typo in the port forwarding. The follow-up problem was that the Let's Encrypt intermediate certificate was not being sent, even though it is part of the chain file. I had to put it into /etc/ipsec.d/cacerts manually.
I strongly recommend using the strongSwan mobile app for debugging, since it has very useful log information, whereas Windows is next to useless.
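As an added check (not from the thread) for the situation this answer describes: it splits the chain file that leftcert points at and reports which certificates after the end-entity one are not present in /etc/ipsec.d/cacerts, which is where strongSwan has to find the intermediates. The PEM bodies below are constructed placeholders rather than real certificates, and the helper names are my own.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """Split a PEM bundle into DER blobs, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(text)]

def fingerprint(der):
    """SHA-256 fingerprint of the DER encoding."""
    return hashlib.sha256(der).hexdigest()

def missing_intermediates(chain_pem, cacerts_pems):
    """Certificates after the first one in the chain file are the intermediates.
    leftcert only yields the end-entity certificate, so each of them must also
    be present in /etc/ipsec.d/cacerts (passed here as the files' contents).
    Returns the fingerprints of the intermediates that are not."""
    chain = pem_certs(chain_pem)
    in_cacerts = {fingerprint(d) for pem in cacerts_pems for d in pem_certs(pem)}
    return [fingerprint(d) for d in chain[1:] if fingerprint(d) not in in_cacerts]

def constructed_pem(body):
    """Wrap arbitrary bytes as a PEM block: a constructed placeholder, not real X.509."""
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

LEAF = constructed_pem(b"constructed end-entity cert for domain.com")
INTERMEDIATE = constructed_pem(b"constructed intermediate CA cert")
ROOT = constructed_pem(b"constructed root CA cert")
FULLCHAIN = LEAF + INTERMEDIATE   # layout of a typical chain file: leaf first

def demo():
    """Before/after the fix from the answer: count of intermediates missing from cacerts."""
    before = len(missing_intermediates(FULLCHAIN, [ROOT]))
    after = len(missing_intermediates(FULLCHAIN, [ROOT, INTERMEDIATE]))
    return before, after

if __name__ == "__main__":
    print("missing intermediates before/after copying into cacerts:", demo())
```

On a real host, pass the contents of the leftcert file and of every file under /etc/ipsec.d/cacerts; any fingerprint returned is an intermediate that clients will not be able to chain.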