I am trying to set up a roadwarrior client scenario VPN with strongSwan on a Raspberry Pi.
The server configuration looks like this:
pi@raspberrypi:~ $ sudo cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    auto=add
    keyexchange=ikev2
    ike=aes128-sha256-ecp256
    esp=aes128-sha256-ecp256
    dpdaction=clear
    dpddelay=300s
    dpdtimeout=5s
    forceencaps=yes
    fragmentation=yes
    keyingtries=5
    rekey=yes
    left=%any
    leftfirewall=yes
    leftid=MYDNSNAME
    leftsubnet=0.0.0.0/0
    leftcert=vpnGatewayCert.pem
    leftsendcert=always
    mobike=yes
    right=%any
    rightdns=1.1.1.1,1.0.0.1
    rightsourceip=192.168.122.101/24 ## LOCAL IP RANGE FOR VPN CONNECTED DEVICES
    type=tunnel

conn IKEv2
    rightauth=pubkey

include /var/lib/strongswan/ipsec.conf.inc
I also modified the secrets like this:
nano /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created $
include /var/lib/strongswan/ipsec.secrets.inc
: ECDSA vpnGatewayKey.pem
I also created a CA on the Raspberry Pi, created the strongSwan certificates, and created the client certificate bundle (.p12 file) with the following commands:
cd /etc/ipsec.d/

# creating CA key
ipsec pki --gen --type ecdsa --size 521 --outform pem > private/CA_strongswanKey.pem
chmod 600 private/CA_strongswanKey.pem

# creating CA certificate
ipsec pki --self --ca --lifetime 3650 --in private/CA_strongswanKey.pem --type ecdsa --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" --outform pem > cacerts/CA_strongswanCert.pem

# creating server key
ipsec pki --gen --type ecdsa --size 521 --outform pem > private/vpnGatewayKey.pem
chmod 600 private/vpnGatewayKey.pem

# creating server cert
ipsec pki --pub --in private/vpnGatewayKey.pem --type ecdsa | \
    ipsec pki --issue --lifetime 730 \
        --cacert cacerts/CA_strongswanCert.pem \
        --cakey private/CA_strongswanKey.pem \
        --dn "C=CH, O=strongSwan, CN=MYDNSNAME" \
        --san MYDNSNAME \
        --flag serverAuth --flag ikeIntermediate \
        --outform pem > certs/vpnGatewayCert.pem

# client key
ipsec pki --gen --type ecdsa --size 521 --outform pem > private/ClientKey.pem
chmod 600 private/ClientKey.pem

# client cert
ipsec pki --pub --in private/ClientKey.pem --type ecdsa | \
    ipsec pki --issue --lifetime 730 \
        --cacert cacerts/CA_strongswanCert.pem \
        --cakey private/CA_strongswanKey.pem \
        --dn "C=CH, O=strongSwan, CN=Client Key" \
        --san Client_Key \
        --outform pem > certs/ClientCert.pem

# exporting client bundle
openssl pkcs12 -export -inkey private/ClientKey.pem \
    -in certs/ClientCert.pem -name "Client's VPN Certificate" \
    -certfile cacerts/CA_strongswanCert.pem \
    -caname "strongSwan Root CA" \
    -out Client.p12
I then checked and made sure that ports 500 and 4500 are correctly forwarded to the Raspberry Pi. I downloaded the .p12 file created in the previous step to my iPhone and imported it as a profile. I also imported vpnGatewayCert.pem and CA_strongswanCert.pem into my iPhone so that it trusts the IPsec gateway server!
When I try to connect the iPhone to the VPN, I get an error on the iPhone. In the strongSwan log I see this:
Sep 29 16:18:45 raspberrypi charon: 13[IKE] received end entity cert "C=CH, O=strongSwan, CN=Client Key"
Sep 29 16:18:45 raspberrypi charon: 13[CFG] looking for peer configs matching 192.168.123.101[myDNSNAME]...94.109.49.167[10.218.49.167]
Sep 29 16:18:45 raspberrypi charon: 13[CFG] candidate "IKEv2", match: 20/1/28 (me/other/ike)
Sep 29 16:18:45 raspberrypi charon: 13[CFG] selected peer config 'IKEv2'
Sep 29 16:18:45 raspberrypi charon: 13[IKE] no trusted RSA public key found for '10.218.49.167'
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing INTERNAL_IP4_ADDRESS attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing INTERNAL_IP4_NETMASK attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing INTERNAL_IP4_DHCP attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing INTERNAL_IP4_DNS attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing INTERNAL_IP6_ADDRESS attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing INTERNAL_IP6_DHCP attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing INTERNAL_IP6_DNS attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] processing (25) attribute
Sep 29 16:18:45 raspberrypi charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 29 16:18:45 raspberrypi charon: 13[IKE] peer supports MOBIKE
Sep 29 16:18:45 raspberrypi charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 29 16:18:45 raspberrypi charon: 13[NET] sending packet: from 192.168.123.101[4500] to 94.109.49.167[28920] (80 bytes)
Sep 29 16:18:45 raspberrypi charon: 04[NET] sending packet: from 192.168.123.101[4500] to 94.109.49.167[28920]
Sep 29 16:18:45 raspberrypi charon: 13[IKE] IKE_SA IKEv2[3] state change: CONNECTING => DESTROYING
Answer 1
The subjectAlternativeName (SAN) you configured for the client certificate may not be ideal (at least if Client_Key is really what you use). It is better to make it an email address or a domain name. Then configure that identity as the local ID on the client, so that it does not use its IP address, which is what currently happens:
Sep 29 16:18:45 raspberrypi charon: 13[CFG] looking for peer configs matching 192.168.123.101[myDNSNAME]...94.109.49.167[10.218.49.167]
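Added here as an example, not part of the question or the answer: a small Python check that parses the charon lines quoted above, reports which identity the peer sent and whether charon found a trusted key for it, and classifies a candidate identity the way the answer suggests (email address or domain name versus a bare IP address or an arbitrary string such as Client_Key). The regexes and the embedded sample log lines are constructed for this example.

```python
import ipaddress
import re

# Constructed sample: the charon lines quoted in the question (IKE_AUTH fails).
SAMPLE_LOG = """\
Sep 29 16:18:45 raspberrypi charon: 13[IKE] received end entity cert "C=CH, O=strongSwan, CN=Client Key"
Sep 29 16:18:45 raspberrypi charon: 13[CFG] looking for peer configs matching 192.168.123.101[myDNSNAME]...94.109.49.167[10.218.49.167]
Sep 29 16:18:45 raspberrypi charon: 13[IKE] no trusted RSA public key found for '10.218.49.167'
Sep 29 16:18:45 raspberrypi charon: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# "looking for peer configs matching <my-addr>[<my-id>]...<peer-addr>[<peer-id>]"
PEER_RE = re.compile(r"looking for peer configs matching \S+\[([^\]]*)\]\.\.\.\S+\[([^\]]*)\]")
NOKEY_RE = re.compile(r"no trusted \w+ public key found for '([^']*)'")
FQDN_RE = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def identity_kind(ident: str) -> str:
    """Classify an IKE identity string by the SAN type it could match."""
    try:
        ipaddress.ip_address(ident)
        return "ip"        # peer address used as ID: no local ID was configured
    except ValueError:
        pass
    if EMAIL_RE.match(ident):
        return "email"     # matches an email (rfc822Name) SAN
    if FQDN_RE.match(ident):
        return "fqdn"      # matches a DNS SAN
    if "=" in ident and "," in ident:
        return "dn"        # matches the certificate subject DN
    return "opaque"        # e.g. "Client_Key": neither an email address nor a domain


def diagnose_ike_auth(log_text: str) -> dict:
    """Report which identity the peer presented and why IKE_AUTH failed."""
    result = {"remote_id": None, "remote_id_kind": None,
              "missing_key_for": None, "auth_failed": False}
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            result["remote_id"] = m.group(2)
            result["remote_id_kind"] = identity_kind(m.group(2))
        m = NOKEY_RE.search(line)
        if m:
            result["missing_key_for"] = m.group(1)
        if "N(AUTH_FAILED)" in line:
            result["auth_failed"] = True
    # A bare IP as peer ID matches no SAN in the client cert, so no trusted key is found.
    result["id_is_bare_ip"] = result["remote_id_kind"] == "ip"
    return result
```

Running diagnose_ike_auth(SAMPLE_LOG) on the quoted lines reports the peer ID 10.218.49.167 as a bare IP with no trusted key, which is the symptom the answer describes; the same function can be fed a live charon log after the client's local ID has been changed.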