启动 IPSec 命令挂起

I am trying to set up a VPN connection between two regions (two VMs) in AWS EC2 using strongSwan in Docker. However, when I try to start the connection I get a large number of errors.

The commands sudo ipsec start --nofork and sudo ipsec restart respectively give the following errors:

Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[374]: Starting strongSwan 5.3.5 IPsec [starter]...

00[LIB] expanding file pattern '/etc/strongswan.d/charon/*.conf' failed: Permission denied
00[LIB] expanding file pattern '/etc/strongswan.d/*.conf' failed: Permission denied
00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1065-aws, x86_64)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] failed to load 3 critical plugin features
00[DMN] initialization failed - aborting charon
charon has quit: initialization failed
ipsec_starter[374]: charon has quit: initialization failed

charon refused to be started
ipsec_starter[374]: charon refused to be started

ipsec starter stopped
ipsec_starter[374]: ipsec starter stopped

Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[389]: Starting strongSwan 5.3.5 IPsec [starter]...

root@b65e01b190f6:/etc# ipsec_starter[408]: charon has quit: initialization failed

ipsec_starter[408]: charon refused to be started

ipsec_starter[408]: ipsec starter stopped

(The second command hangs after the last line and has to be exited with Ctrl+C.)

To fix some of the errors I commented out the following line:

load_modular = yes

in the file:

/etc/strongswan.conf

Running the same commands now outputs:

Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[413]: Starting strongSwan 5.3.5 IPsec [starter]...

00[LIB] expanding file pattern '/etc/strongswan.d/charon/*.conf' failed: Permission denied
00[LIB] expanding file pattern '/etc/strongswan.d/*.conf' failed: Permission denied
00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1065-aws, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[LIB] opening directory '/etc/ipsec.d/cacerts' failed: Permission denied
00[CFG]   reading directory failed
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: Permission denied
00[CFG]   reading directory failed
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: Permission denied
00[CFG]   reading directory failed
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[LIB] opening directory '/etc/ipsec.d/acerts' failed: Permission denied
00[CFG]   reading directory failed
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[LIB] opening directory '/etc/ipsec.d/crls' failed: Permission denied
00[CFG]   reading directory failed
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for B.B.B.B X.X.X.X
00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-netlink resolve socket-default connmark stroke updown
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (426) started after 20 ms
ipsec_starter[413]: charon (426) started after 20 ms

11[CFG] received stroke: add connection 'A-to-B'
11[CFG] left nor right host is our side, assuming left=local
11[CFG] algorithm 'sha_256' not recognized
11[CFG] skipped invalid proposal string: aes256-sha_256-modp1024
11[CFG] added configuration 'A-to-B'
13[CFG] received stroke: initiate 'A-to-B'
13[IKE] initiating IKE_SA A-to-B[1] to X.X.X.X
13[IKE] configured DH group MODP_NONE not supported
13[MGR] tried to check-in and delete nonexisting IKE_SA

Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[444]: Starting strongSwan 5.3.5 IPsec [starter]...

root@b65e01b190f6:/etc# ipsec_starter[463]: charon (464) started after 20 ms

Now both commands just hang there, so I'm not sure whether commenting out that line helped.

The line "expanding file pattern '/etc/strongswan.d/charon/*.conf' failed: Permission denied" may be causing many of my errors, but I'm not sure how to fix it, since I am already root inside Docker.

I have also included part of the Dockerfile in case it helps:

FROM ubuntu:16.04

RUN apt update && apt install -y --no-install-recommends apt-utils
RUN apt -y install sudo
RUN apt upgrade -y
RUN apt install strongswan -y
RUN apt install nano -y
RUN apt install openssh-client -y
RUN apt install -y kmod
RUN echo "IdentityFile ~/.ssh/id_rsa" >> /etc/ssh/ssh_config
RUN sudo rm /etc/ipsec.conf
RUN touch /etc/ipsec.conf
RUN echo "# basic configuration" >> /etc/ipsec.conf \
    && echo "config setup" >> /etc/ipsec.conf \
    && echo '    charondebug="all"' >> /etc/ipsec.conf \
    && echo "    uniqueids=yes" >> /etc/ipsec.conf \
    && echo "    strictcrlpolicy=no" >> /etc/ipsec.conf \
    && echo "" >> /etc/ipsec.conf \
    && echo "conn A-to-B" >> /etc/ipsec.conf \
    && echo "    authby=secret" >> /etc/ipsec.conf \
    && echo "    left=A.A.A.A" >> /etc/ipsec.conf \
    && echo "    leftid=B.B.B.B" >> /etc/ipsec.conf \
    && echo "    leftsubnet=A.C.C.C/16" >> /etc/ipsec.conf \
    && echo "    right=X.X.X.X" >> /etc/ipsec.conf \
    && echo "    rightsubnet=Y.Y.Y.Y/16" >> /etc/ipsec.conf \
    && echo "    ike=aes256-sha_256-modp1024!" >> /etc/ipsec.conf \
    && echo "    esp=aes256-sha2_256!" >> /etc/ipsec.conf \
    && echo "    keyingtries=0" >> /etc/ipsec.conf \
    && echo "    ikelifetime=1h" >> /etc/ipsec.conf \
    && echo "    lifetime=8h" >> /etc/ipsec.conf \
    && echo "    dpddelay=30" >> /etc/ipsec.conf \
    && echo "    dpdtimeout=120" >> /etc/ipsec.conf \
    && echo "    dpdaction=restart" >> /etc/ipsec.conf \
    && echo "    auto=start" >> /etc/ipsec.conf
RUN sudo rm /etc/ipsec.secrets
RUN touch /etc/ipsec.secrets
RUN echo 'B.B.B.B X.X.X.X : PSK "mykey"' >> /etc/ipsec.secrets
RUN echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
RUN sudo sysctl -p /etc/sysctl.conf

The Dockerfile on the other instance is almost identical, with the IPs swapped.

EDIT: Update (not part of the original question)

I switched the cipher suites, because modp1024 is no longer strong enough to meet strongSwan's standards. I am now using:

ike=aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384!

This fixed some of the errors. I was also using the following command:

sudo docker run -itv ~:/mnt/ nameHere bash

but after adding the flag --cap-add=NET_ADMIN, all of the pre-connection errors disappeared. However, a new error appears when trying to connect: the connection times out after 5 attempts.

root@aaaaaaaaaa:/etc# sudo ipsec start --nofork
Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[482]: Starting strongSwan 5.3.5 IPsec [starter]...

00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1065-aws, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for X.X.X.X Y.Y.Y.Y
00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (495) started after 20 ms
ipsec_starter[482]: charon (495) started after 20 ms

11[CFG] received stroke: add connection 'A-to-B'
11[CFG] left nor right host is our side, assuming left=local
11[CFG] added configuration 'A-to-B'
13[CFG] received stroke: initiate 'A-to-B'
13[IKE] initiating IKE_SA A-to-B[1] to Y.Y.Y.Y
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
13[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (284 bytes)
10[NET] error writing to socket: Invalid argument
15[IKE] retransmit 1 of request with message ID 0
15[NET] sending packet: from X.X.X.X (private ip)[500] to Y.Y.Y.Y (public ip of other connection)[500] (284 bytes)
10[NET] error writing to socket: Invalid argument
.
.
.
04[IKE] retransmit 5 of request with message ID 0
04[NET] sending packet: from X.X.X.X (private ip)[500] to Y.Y.Y.Y (public ip of other connection)[500] (284 bytes)
10[NET] error writing to socket: Invalid argument
03[IKE] giving up after 5 retransmits
03[IKE] establishing IKE_SA failed, peer not responding

Now it just hangs here until I kill it again with CTRL+C. Any ideas would be much appreciated.

Answer 1

I ran into the same problem and confusion as you. I found from the logs that the cause of the "Permission denied" errors was apparmor:

audit: type=1400 audit(1592238171.739:83): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/lib/docker/overlay2/02767f1d398d73371577bf0894a350595be9cecaecdbb9f416b7f421ae7820eb/diff/etc/strongswan.d/charon/" pid=46257 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1592238171.739:84): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/lib/docker/overlay2/02767f1d398d73371577bf0894a350595be9cecaecdbb9f416b7f421ae7820eb/diff/etc/strongswan.d/" pid=46257 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The simple workaround is to stop apparmor with the command aa-teardown (you can see the enabled profiles with aa-status), but obviously that is not ideal; the real solution is to modify the rules for charon contained in /etc/apparmor.d/usr.lib.ipsec.charon.
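As an added illustration of the answer above (this is not the answerer's code, nor anything shipped by strongSwan or AppArmor), the following POSIX shell functions parse AppArmor "DENIED" audit lines of the kind quoted in the answer, extract the profile, the denied path and the denied mask, and turn each path into a candidate rule line for the charon profile. The two audit lines are a constructed sample modelled on the answer's output, with the overlay2 layer id replaced by a placeholder; the generalisation to a wildcard id segment (/var/lib/docker/overlay2/*/) is an assumption, since that id changes for every container, and any generated rule must be reviewed before it is added to /etc/apparmor.d/usr.lib.ipsec.charon (the apparmor-utils tool aa-logprof does this interactively).

```shell
#!/bin/sh
# Constructed sample: two AppArmor denials as charon tries to read its
# config directory through the Docker overlay2 filesystem. The overlay
# layer id from the answer is replaced by a placeholder.
AUDIT_SAMPLE='audit: type=1400 audit(1592238171.739:83): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/lib/docker/overlay2/0000placeholderid0000/diff/etc/strongswan.d/charon/" pid=46257 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1592238171.739:84): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/lib/docker/overlay2/0000placeholderid0000/diff/etc/strongswan.d/" pid=46257 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# apparmor_denials: read audit lines on stdin, print one
# "profile<TAB>path<TAB>denied_mask" record per DENIED line.
# Works on key="value" tokens, so field order does not matter.
apparmor_denials() {
  awk '/apparmor="DENIED"/ {
    profile = ""; path = ""; mask = "";
    for (i = 1; i <= NF; i++) {
      n = split($i, kv, "=");
      if (n < 2) continue;
      v = kv[2]; gsub(/"/, "", v);
      if (kv[1] == "profile") profile = v;
      else if (kv[1] == "name") path = v;
      else if (kv[1] == "denied_mask") mask = v;
    }
    if (profile != "" && path != "") print profile "\t" path "\t" mask;
  }'
}

# suggest_rule PATH MASK: print a candidate AppArmor file rule.
# Assumption: the overlay2 layer id is per-container, so it is replaced
# by a single-segment wildcard (*). A trailing slash means charon opened
# a directory, so ** is appended to cover the files below it.
suggest_rule() {
  path=$(printf '%s' "$1" | sed 's#^/var/lib/docker/overlay2/[^/]*/#/var/lib/docker/overlay2/*/#')
  case "$path" in
    */) path="${path}**" ;;
  esac
  printf '  %s %s,\n' "$path" "$2"
}

# denied_path_rules: full pipeline, one suggested rule per distinct path.
denied_path_rules() {
  apparmor_denials | cut -f2,3 | sort -u | while IFS="$(printf '\t')" read -r p m; do
    suggest_rule "$p" "$m"
  done
}

# Stand-alone run against the constructed sample (reads journalctl -k or
# /var/log/audit/audit.log in practice).
printf '%s\n' "$AUDIT_SAMPLE" | denied_path_rules
```

Run it as sh script.sh; it prints two rule lines, one for /var/lib/docker/overlay2/*/diff/etc/strongswan.d/** and one for the charon/ subdirectory, both with the "r" mask the kernel actually denied. Keeping the mask and the exact subtree from the audit record, instead of granting read access to all of /var/lib/docker, is what keeps the profile meaningfully restrictive.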
