Strongswan VPN certificate authentication fails

I have installed strongswan vpn on my ubuntu server and set up certificate authentication. I have set up my Android phone and it works fine. But the Windows machine does not establish a connection. I copied the ca-cert into the Root CA store and the client certificate into the Personal store, but I get error 13806 (bad certificate). What am I doing wrong?

/etc/ipsec.conf

config setup
        # strictcrlpolicy=yes
        uniqueids = no
        charondebug="ike 4"

include /var/lib/strongswan/ipsec.conf.inc

conn %default
        dpdaction=clear
        dpddelay=35s
        dpdtimeout=300s

        fragmentation=yes
        rekey=no

        ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024

        esp=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024
        # left - local (server) side
        left=%any
        leftauth=pubkey
        leftcert=server.crt
        leftsendcert=always
        leftsubnet=0.0.0.0/0,::/0

        # right - remote (client) side
        right=%any
        rightauth=pubkey
        rightsourceip=192.168.103.0/24,2002:25f7:7489:3::/112
        rightdns=8.8.8.8,2001:4860:4860::8888

conn ikev2-pubkey
        keyexchange=ikev2
        auto=add

conn ikev2-pubkey-osx
        also="ikev2-pubkey"
        leftid=ip_address_server

/etc/ipsec.secrets

: RSA server.key

Server certificate

  subject:  "CN=domain_name"
  issuer:   "CN=IPsec CA"
  validity:  not before Apr 18 10:07:00 2022, ok
             not after  Apr 02 10:07:00 2025, ok (expires in 1079 days)
  serial:    a9:e3:a4:
  altNames:  ip_address_server
  flags:     serverAuth
  authkeyId: 13:f8:f0:
  subjkeyId: 5a:a8:11:
  pubkey:    RSA 2048 bits, has private key

Client certificate

  subject:  "CN=client"
  issuer:   "CN=IPsec CA"
  validity:  not before Apr 18 10:07:19 2022, ok
             not after  Apr 02 10:07:19 2025, ok (expires in 1079 days)
  serial:    4c:e2:46:09:81:87:14:60:96:79:cf:bb:d6:62:13:68
  altNames:  client
  flags:     clientAuth

Here is the log

09[IKE] sending cert request for "CN=IPsec CA"
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
09[NET] sending packet: from server_ip[500] to client_ip[500] (353 bytes)
07[NET] received packet: from client_ip[500] to server_ip[500] (40 bytes)
07[ENC] payload type NOTIFY was not encrypted
07[ENC] could not decrypt payloads
07[IKE] integrity check failed
07[IKE] INFORMATIONAL request with message ID 0 processing failed

As you can see, I set the IP address as a SAN in the server certificate, because I connect via the IP address. But it still does not work.

Answer 1

It sounds like you installed the certificate and key into the wrong key store. To authenticate via regular IKEv2 certificate authentication, you must install them into the Local Machine store. The user-specific store is only used when authenticating via EAP-TLS (and only for the client certificate/key; the CA certificate must still be installed in the Local Machine store).
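As an added example (not part of the question or the answer above), the following PowerShell script does on the Windows client what the answer describes: it imports the CA certificate into Local Machine\Trusted Root Certification Authorities and the client certificate plus key (as a PKCS#12 bundle) into Local Machine\Personal, then checks the conditions that plain IKEv2 machine-certificate authentication needs (private key present, Client Authentication EKU, chain to the CA, certificate not sitting only in the Current User store), and finally creates the IKEv2 connection with machine-certificate authentication. The file paths, the connection name and ip_address_server are placeholders, and the script assumes an elevated PowerShell on Windows 8 / Server 2012 or later, where the PKI and VpnClient modules are available.

```powershell
# Added example, not from the original post. Assumed placeholders: paths, connection name,
# and ip_address_server (must equal the leftid / SAN of server.crt on the strongSwan side).
$CaCertPath    = 'C:\vpn\ca-cert.pem'    # placeholder: CA certificate copied from the server
$ClientPfxPath = 'C:\vpn\client.p12'     # placeholder: PKCS#12 with client cert + private key
$VpnServer     = 'ip_address_server'     # placeholder: the address the client connects to
$VpnName       = 'strongswan-ikev2'      # placeholder: connection name shown in Windows

function Install-VpnCertificates {
    param([string]$CaPath, [string]$PfxPath)

    # CA certificate -> Local Machine \ Trusted Root Certification Authorities
    $ca = Import-Certificate -FilePath $CaPath -CertStoreLocation 'Cert:\LocalMachine\Root'

    # Client certificate + private key -> Local Machine \ Personal (not Cert:\CurrentUser\My)
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PKCS#12 password'
    $client = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
                                    -Password $pfxPassword

    [pscustomobject]@{ Ca = $ca; Client = $client }
}

function Test-VpnClientCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Client)

    $problems = @()

    # 1. A bare .crt in Personal is not enough: the machine needs the private key to sign AUTH.
    if (-not $Client.HasPrivateKey) { $problems += 'client certificate has no private key' }

    # 2. The certificate must carry the Client Authentication EKU (1.3.6.1.5.5.7.3.2),
    #    which is what strongSwan prints as "flags: clientAuth".
    $ekuExt = $Client.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    if (-not $hasClientAuth) { $problems += 'client certificate lacks the Client Authentication EKU' }

    # 3. The chain must build up to the CA. The example CA publishes no CRL, so revocation
    #    checking is disabled here; keep it enabled if your CA does publish one.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Client)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "chain does not build: $status"
    }

    # 4. The wrong-store symptom from the question: the certificate is present, but only in the
    #    per-user store that Windows uses for EAP-TLS, not in the machine store IKEv2 uses.
    $inMachine = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $Client.Thumbprint }
    $inUser    = Get-ChildItem 'Cert:\CurrentUser\My'  | Where-Object { $_.Thumbprint -eq $Client.Thumbprint }
    if (-not $inMachine) { $problems += 'client certificate is not in Cert:\LocalMachine\My' }
    if ($inUser -and -not $inMachine) {
        $problems += 'found only in Cert:\CurrentUser\My (EAP-TLS store); unusable for plain IKEv2 certificate auth'
    }
    $caInRoot = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Subject -eq $Client.Issuer }
    if (-not $caInRoot) { $problems += "issuer '$($Client.Issuer)' is not in Cert:\LocalMachine\Root" }

    $problems
}

function New-StrongSwanConnection {
    param([string]$Name, [string]$Server)

    # MachineCertificate selects the Local Machine \ Personal store for the client identity;
    # EAP would select the Current User store instead, which is the distinction the answer makes.
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
                      -AuthenticationMethod MachineCertificate -EncryptionLevel Required -Force
}

$certs    = Install-VpnCertificates -CaPath $CaCertPath -PfxPath $ClientPfxPath
$problems = Test-VpnClientCertificate -Client $certs.Client
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    New-StrongSwanConnection -Name $VpnName -Server $VpnServer
    Write-Host "Connection '$VpnName' created; connect with: rasdial `"$VpnName`""
}
```

The checks run before the connection is created so that a certificate imported into the Current User store, or one missing its private key, is reported by name rather than as the generic 13806 error at connection time. The server address passed to Add-VpnConnection has to match the SAN in server.crt (the IP address in the question), because Windows validates the server certificate against the address it dialled.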
