Installing and configuring the StrongSwan client on Ubuntu

I am running into trouble trying to set up a StrongSwan client on Ubuntu.

Here are the steps I followed:

Export the user certificate:

openssl pkcs12 -in [email protected] -out username-cert.pem -clcerts -nokeys

Export the user private key:

openssl pkcs12 -in [email protected] -out username-key.pem -nocerts -nodes

Rename the CA certificate:

mv cert_export_CA.crt cacert.pem

Copy the certificate and key files into the appropriate directories:

cp username-cert.pem /etc/ipsec.d/certs
cp username-key.pem /etc/ipsec.d/private
cp cacert.pem /etc/ipsec.d/cacerts

Edit the /etc/ipsec.conf file:

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
conn "DOMAIN"
    leftsourceip=%config
    leftcert=username-cert.pem
    # client identity; the e-mail address is obfuscated in the original post
    leftid=[email protected]
    leftfirewall=yes
    right=vpn.domain.com
    rightid=cvpn.domain.com
    rightsubnet=0.0.0.0/0
    auto=start

Edit /etc/ipsec.secrets:

# the key was exported with -nodes (unencrypted), so the passphrase is not used
: RSA username-key.pem "passphrase"

Restart the ipsec daemon:

sudo ipsec restart

Check whether the connection is established:

sudo ipsec status

Returns: Security Associations (0 up, 0 connecting): none

ip a

Returns:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp2s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 8c:8c:aa:49:56:b0 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b0:a4:60:d9:2c:a4 brd ff:ff:ff:ff:ff:ff
    inet <ip>/24 brd <ip> scope global dynamic noprefixroute wlp3s0
       valid_lft 168sec preferred_lft 168sec
    inet6 <ip>/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

This means I cannot connect.

When I run ipsec up DOMAIN I get the following output:

initiating IKE_SA DOMAIN[2] to xxx.xxx.xxx.xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (936 bytes)
received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested MODP_2048
initiating IKE_SA DOMAIN[2] to xxx.xxx.xxx.xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (1128 bytes)
received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (437 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) CERTREQ ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
sending cert request for "O=domain.com, CN=vpn.domain.com"
authentication of '[email protected]' (myself) with RSA signature successful
sending end entity cert "O=domain.com, CN=Template-User"
establishing CHILD_SA DOMAIN{2}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
splitting IKE message (1536 bytes) into 2 fragments
generating IKE_AUTH request 1 [ EF(1/2) ]
generating IKE_AUTH request 1 [ EF(2/2) ]
sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (1236 bytes)
sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (372 bytes)
received packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (1204 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, waiting for complete IKE message
received packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (564 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembled fragmented IKE message (1408 bytes)
parsed IKE_AUTH response 1 [ CERT IDr AUTH CPRP(ADDR MASK SUBNET) TSi TSr SA ]
received end entity cert "O=domain.com, CN=vpn.domain.com"
  using trusted certificate "O=domain.com, CN=vpn.domain.com"
signature validation failed, looking for another key
  using certificate "O=domain.com, CN=vpn.domain.com"
  using trusted ca certificate "O=domain.com, CN=vpn.domain.com"
checking certificate status of "O=domain.com, CN=vpn.domain.com"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of 'vpn.domain.com' with RSA signature successful
constraint check failed: identity 'cvpn.domain.com' required
selected peer config 'DOMAIN' unacceptable: constraint checking failed
no alternative config found
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (80 bytes)
establishing connection 'DOMAIN' failed

Answer 1

rightid=cvpn.domain.com

should probably be

rightid=vpn.domain.com
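To show why that one line matters, here is an added Python example (not code from the asker or the answerer) that reads the decisive lines of the charon log and the conn section from the question and maps them onto the two config changes they imply. The sample log and conf are constructed from the question's own text, and the `ALG_KEYWORDS` table is my own small mapping from charon's algorithm names to `ike=` keywords. The point it makes: the server's certificate validated and the server proved the identity `vpn.domain.com`, but the conn demands `rightid=cvpn.domain.com`, so charon rejects the peer on policy, not on cryptography. It also turns the `INVAL_KE` retry (client offered ECP_256 first, server wanted MODP_2048) into a pinned `ike=` proposal that avoids the extra IKE_SA_INIT round trip.

```python
import re

# Constructed sample: the decisive lines of the charon log quoted in the
# question (addresses were already masked there).
SAMPLE_LOG = """\
peer didn't accept DH group ECP_256, it requested MODP_2048
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
authentication of '[email protected]' (myself) with RSA signature successful
received end entity cert "O=domain.com, CN=vpn.domain.com"
authentication of 'vpn.domain.com' with RSA signature successful
constraint check failed: identity 'cvpn.domain.com' required
selected peer config 'DOMAIN' unacceptable: constraint checking failed
"""

# Constructed sample: the conn section from the question's /etc/ipsec.conf.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
conn "DOMAIN"
    right=vpn.domain.com
    rightid=cvpn.domain.com
    rightsubnet=0.0.0.0/0
    auto=start
"""

# The "(myself)" line has extra text between the quote and "with", so this
# regex only matches the responder's authentication.
PEER_AUTH_RE = re.compile(r"authentication of '([^']+)' with \S+ signature successful")
REQUIRED_RE = re.compile(r"constraint check failed: identity '([^']+)' required")
INVAL_KE_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
PROPOSAL_RE = re.compile(r"selected proposal: IKE:(\S+)")

# charon log names -> ipsec.conf ike= keywords (assumed mapping for the
# algorithms that appear in this log; the PRF is implied by the integrity
# algorithm and is dropped).
ALG_KEYWORDS = {
    "AES_CBC_128": "aes128", "AES_CBC_192": "aes192", "AES_CBC_256": "aes256",
    "HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha256",
    "HMAC_SHA2_384_192": "sha384", "HMAC_SHA2_512_256": "sha512",
    "MODP_2048": "modp2048", "MODP_3072": "modp3072", "MODP_4096": "modp4096",
    "ECP_256": "ecp256", "ECP_384": "ecp384",
}


def parse_conn(conf, name):
    """Key=value settings of one conn section; %default is not merged in."""
    settings, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'conn\s+"?([^"\s]+)"?\s*$', line)
        if m:
            current = m.group(1)
        elif current == name and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def expected_peer_identity(conn):
    """Identity charon demands from the responder: rightid, else right."""
    return conn.get("rightid") or conn.get("right", "")


def proposal_to_ike_keyword(proposal):
    """'AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048' ->
    'ike=aes256-sha256-modp2048!' (the trailing '!' makes it strict)."""
    parts = [ALG_KEYWORDS.get(p) for p in proposal.split("/") if not p.startswith("PRF_")]
    if None in parts:
        return None  # an algorithm the table does not know
    return "ike=" + "-".join(parts) + "!"


def diagnose(log, conf, name):
    """Map the failure lines of a charon log onto concrete ipsec.conf fixes."""
    conn = parse_conn(conf, name)
    result = {
        "configured_peer_identity": expected_peer_identity(conn),
        "peer_authenticated_as": None,
        "rightid_fix": None,
        "ike_fix": None,
    }
    # 1. Identity: the ID the responder proved (IDr backed by its certificate)
    #    versus the ID the conn demands. That mismatch is what
    #    'constraint check failed' reports, after the signature already passed.
    authenticated = PEER_AUTH_RE.findall(log)
    required = REQUIRED_RE.search(log)
    if authenticated and required:
        peer_id = authenticated[-1]
        result["peer_authenticated_as"] = peer_id
        if required.group(1) != peer_id:
            result["rightid_fix"] = "rightid=" + peer_id
    # 2. INVAL_KE: the first proposal carried a DH group the peer rejects,
    #    costing an extra IKE_SA_INIT exchange. Pin the proposal it accepted.
    if INVAL_KE_RE.search(log):
        proposal = PROPOSAL_RE.search(log)
        if proposal:
            result["ike_fix"] = proposal_to_ike_keyword(proposal.group(1))
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, SAMPLE_CONF, "DOMAIN").items():
        print(f"{key}: {value}")
```

Run against the sample it reports `rightid_fix: rightid=vpn.domain.com` and `ike_fix: ike=aes256-sha256-modp2048!`. Dropping `rightid` entirely is equivalent here, because strongSwan falls back to `right` (vpn.domain.com) as the expected identity; whichever form you use, the value must be an identity the server's certificate actually carries, which in this log is the CN `vpn.domain.com`.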
