Roadwarrior scenario strongSwan - iPhone setup

I am trying to set up a roadwarrior client scenario VPN with strongSwan on a Raspberry Pi.

The server configuration looks like this:

pi@raspberrypi:~ $ sudo cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
  uniqueids=never
  charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
  auto=add
  keyexchange=ikev2
  ike=aes128-sha256-ecp256
  esp=aes128-sha256-ecp256
  dpdaction=clear
  dpddelay=300s
  dpdtimeout=5s
  forceencaps=yes
  fragmentation=yes
  keyingtries=5
  rekey=yes
  left=%any
  leftfirewall=yes
  leftid=MYDNSNAME
  leftsubnet=0.0.0.0/0
  leftcert=vpnGatewayCert.pem
  leftsendcert=always
  mobike=yes
  right=%any
  rightdns=1.1.1.1,1.0.0.1
  rightsourceip=192.168.122.101/24 ## LOCAL IP RANGE FOR VPN CONNECTED DEVICES
  type=tunnel

conn IKEv2
  rightauth=pubkey

include /var/lib/strongswan/ipsec.conf.inc

I also modified the secrets like this:

nano /etc/ipsec.secrets


# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

# this file is managed with debconf and will contain the automatically created $
include /var/lib/strongswan/ipsec.secrets.inc

: ECDSA vpnGatewayKey.pem

I also created a CA on the Raspberry Pi, created the strongSwan certificates, and created the client certificate bundle (.p12 file) with the following commands:

cd /etc/ipsec.d/
#creating CA Key
ipsec pki --gen --type ecdsa --size 521  --outform pem > private/CA_strongswanKey.pem
chmod 600 private/CA_strongswanKey.pem

#creating CA certificate
ipsec pki --self --ca --lifetime 3650 --in private/CA_strongswanKey.pem --type ecdsa --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" --outform pem > cacerts/CA_strongswanCert.pem


#creating server key
ipsec pki --gen --type ecdsa --size 521 --outform pem > private/vpnGatewayKey.pem
chmod 600 private/vpnGatewayKey.pem

#creating serverCert
ipsec pki --pub --in private/vpnGatewayKey.pem --type ecdsa | \
        ipsec pki --issue --lifetime 730 \
        --cacert cacerts/CA_strongswanCert.pem \
        --cakey private/CA_strongswanKey.pem \
        --dn "C=CH, O=strongSwan, CN=MYDNSNAME" \
        --san MYDNSNAME \
        --flag serverAuth --flag ikeIntermediate \
        --outform pem > certs/vpnGatewayCert.pem


#Client Key
ipsec pki --gen --type ecdsa --size 521 --outform pem > private/ClientKey.pem
chmod 600 private/ClientKey.pem

#Client cert
ipsec pki --pub --in private/ClientKey.pem --type ecdsa | \
        ipsec pki --issue --lifetime 730 \
        --cacert cacerts/CA_strongswanCert.pem \
        --cakey private/CA_strongswanKey.pem \
        --dn "C=CH, O=strongSwan, CN=Client Key" \
        --san Client_Key \
        --outform pem > certs/ClientCert.pem


#Exporting client bundle
openssl pkcs12 -export -inkey private/ClientKey.pem \
        -in certs/ClientCert.pem -name "Client's VPN Certificate" \
        -certfile cacerts/CA_strongswanCert.pem \
        -caname "strongSwan Root CA" \
        -out Client.p12

Now I checked and made sure that ports 500 and 4500 are correctly forwarded to the Raspberry Pi. I downloaded the .p12 file made in the previous step to my iPhone and imported it as a profile. I also imported vpnGatewayCert.pem and CA_strongswanCert.pem into my iPhone so that it trusts the ipsec gateway server!

When I try to connect the iPhone to the VPN, I get an error on the iPhone. In strongSwan's log I see this:

Sep 29 16:18:45 raspberrypi charon: 13[IKE] received end entity cert "C=CH, O=strongSwan, CN=Client Key"
Sep 29 16:18:45 raspberrypi charon: 13[CFG] looking for peer configs matching 192.168.123.101[myDNSNAME]...94.109.49.167[10.218.49.167]
Sep 29 16:18:45 raspberrypi charon: 13[CFG]   candidate "IKEv2", match: 20/1/28 (me/other/ike)
Sep 29 16:18:45 raspberrypi charon: 13[CFG] selected peer config 'IKEv2'
Sep 29 16:18:45 raspberrypi charon: 13[IKE] no trusted RSA public key found for '10.218.49.167'
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing INTERNAL_IP4_ADDRESS attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing INTERNAL_IP4_NETMASK attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing INTERNAL_IP4_DHCP attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing INTERNAL_IP4_DNS attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing INTERNAL_IP6_ADDRESS attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing INTERNAL_IP6_DHCP attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing INTERNAL_IP6_DNS attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing (25) attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 29 16:18:45 raspberrypi charon: 13[IKE] peer supports MOBIKE
Sep 29 16:18:45 raspberrypi charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 29 16:18:45 raspberrypi charon: 13[NET] sending packet: from 192.168.123.101[4500] to 94.109.49.167[28920] (80 bytes)
Sep 29 16:18:45 raspberrypi charon: 04[NET] sending packet: from 192.168.123.101[4500] to 94.109.49.167[28920]
Sep 29 16:18:45 raspberrypi charon: 13[IKE] IKE_SA IKEv2[3] state change: CONNECTING => DESTROYING


Answer 1

The subjectAlternativeName (SAN) you configured for the client certificate is probably not ideal (at least if Client_Key is really what you used). It's better to make it an email address or a domain name. Then configure that identity as the local ID on the client, so that it doesn't use its IP address, which is what currently happens:

Sep 29 16:18:45 raspberrypi charon: 13[CFG] looking for peer configs matching 192.168.123.101[myDNSNAME]...94.109.49.167[10.218.49.167]
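The log line above, together with "no trusted RSA public key found for '10.218.49.167'" (charon prints that wording for any key type, ECDSA included), shows charon looking for a certificate whose SAN matches the IKE identity the phone sent, which is its own address; with no such SAN the certificate cannot be used and IKE_AUTH fails. The script below is an added example, not part of the question or the answer: it reissues the client certificate with an e-mail SAN so that the identity is something the phone can be told to send, then verifies the SAN, the chain and the PKCS#12 bundle the way the gateway and the phone will. It uses openssl only (the original post already uses it for the export), so it runs anywhere; the identity client@example.org, the passphrase and the working directory are assumptions for the example. With the poster's own tool the equivalent change is `--san client@example.org` on the `ipsec pki --issue` command for the client certificate.

```shell
#!/bin/sh
# Added example (not from the original post): reissue the client certificate
# with an e-mail SAN so the identity the phone sends can be matched to it.
# Uses openssl only; CLIENT_ID and P12_PASS are placeholders to replace.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CLIENT_ID="client@example.org"   # assumed identity; becomes the iPhone "Local ID"
P12_PASS="change-me"             # placeholder export passphrase

# CA configuration: a self-signed root with CA extensions, no prompts.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
C = CH
O = strongSwan
CN = strongSwan Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Client CSR configuration. The CN mirrors the SAN for readability only;
# strongSwan matches the IKE identity against the SAN, not the CN.
cat > "$WORK/client.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = CH
O = strongSwan
CN = $CLIENT_ID
EOF

# Extensions applied when the CA signs the client certificate.
cat > "$WORK/client.ext" <<EOF
basicConstraints = CA:FALSE
subjectAltName = email:$CLIENT_ID
EOF

# P-521 keys, as in the original pki commands.
openssl ecparam -name secp521r1 -genkey -noout -out "$WORK/ca.key"
openssl req -x509 -new -key "$WORK/ca.key" -sha512 -days 3650 \
    -config "$WORK/ca.cnf" -out "$WORK/ca.crt"

openssl ecparam -name secp521r1 -genkey -noout -out "$WORK/client.key"
openssl req -new -key "$WORK/client.key" -config "$WORK/client.cnf" \
    -out "$WORK/client.csr"
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 730 -sha512 -extfile "$WORK/client.ext" \
    -out "$WORK/client.crt"

# Bundle for the phone: key + certificate + CA, protected by the passphrase
# the import dialog will ask for.
openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/ca.crt" -name "Client's VPN Certificate" \
    -passout "pass:$P12_PASS" -out "$WORK/Client.p12"

# The SAN exactly as the gateway will see it; this string is what goes into
# the iPhone "Local ID" field (and into rightid= if you want to pin it).
client_san() {
    openssl x509 -in "$WORK/client.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# The chain check the gateway performs: the client cert must verify against the CA.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1 \
        && echo OK || echo FAIL
}

# The bundle must open with the passphrase we set, or the phone will reject it too.
verify_bundle() {
    openssl pkcs12 -in "$WORK/Client.p12" -passin "pass:$P12_PASS" -noout >/dev/null 2>&1 \
        && echo OK || echo FAIL
}

echo "Local ID for the phone: $(client_san)"
echo "chain: $(verify_chain)  bundle: $(verify_bundle)"
```

Import Client.p12 on the phone as before and set the IKEv2 profile's Local ID to the value `client_san` prints. On the gateway nothing else has to change: `rightid` is not set in the posted conn, so it defaults to `%any` and any identity that is backed by a certificate issued by the trusted CA is accepted; adding `rightid=client@example.org` under `conn IKEv2` would restrict that connection to this one client. One caveat for the export step: OpenSSL 3 changed the PKCS#12 defaults to AES-256-CBC with PBKDF2 and a SHA-256 MAC; if the phone refuses the bundle, re-run the `pkcs12 -export` with `-legacy` to get the older algorithms.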
