IPsec PSK VPN, using StrongSwan to FortiGate, with a one-time password (FortiToken)

So I am using Strongswan to connect to a remote Fortigate, because the native Fortinet VPN client does not support IPsec. I also have a hardware FortiToken 200 that provides the OTP.

My current configuration is as follows:

/etc/ipsec.conf

conn my-config
keyexchange=ikev1
aggressive=yes
ike = aes256-sha256-modp1536
esp = aes256-sha1-modp1536

right=remote_ip
rightid=%any
rightsubnet=0.0.0.0/0
rightauth=psk

leftsourceip=%config
leftauth=psk
leftauth2=xauth
xauth_identity="username"
auto=add

/etc/ipsec.secrets

remote_ip : PSK "passphrase_here"
username : XAUTH "password_here"

When I run:

ipsec up my-config

initiating Aggressive Mode IKE_SA german[5] to remote_ip
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.2.15[500] to remote_ip[500] (460 bytes)
received packet: from remote_ip[500] to 10.0.2.15[500] (536 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.2.15[4500] to remote_ip[4500] (140 bytes)
received packet: from remote_ip[4500] to 10.0.2.15[4500] (92 bytes)
parsed TRANSACTION request 1581697690 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
no XAuth method found
generating TRANSACTION response 1581697690 [ HASH CP ]
sending packet: from 10.0.2.15[4500] to remote_ip[4500] (76 bytes)

Obviously the configuration needs to be edited somehow so that it prompts for the OTP at some point.

The question is: how do I do that?

Answer 1

It is possible to connect to a FortiGate VPN using StrongSwan and a FortiToken one-time password (OTP). I have not tried it with a hardware token, but I expect it to work the same way.

The main trick is to append the OTP to the XAuth password.

The rest of this answer is about making a convenient prompt, and includes a working configuration.


To avoid editing /etc/ipsec.secrets by hand every time I connect, I built a small script that prompts for the OTP using zenity and modifies the secrets file accordingly. The script needs to run as root because it writes to /etc/ipsec.secrets. For convenience it expects to replace an existing 6-digit number, which means that the first time you set this up you should enter any 6 digits after the XAuth password.

Disclaimer: note that this script replaces every occurrence of 6 digits followed by a double quote ". The script assumes a single set of XAuth credentials and may destroy other information you want to keep. Use it at your own risk, and only if you fully understand what it does.

#!/bin/bash
# Prompts for the FortiToken OTP and writes it into the XAuth password line
# of the strongSwan secrets file, then restarts strongSwan.

SECRETS_FILE="/etc/ipsec.secrets"

TOKEN=$(zenity --entry --title "FortiToken" --text "Enter FortiToken")

# The sed pattern below only ever matches 6 digits, so reject anything else
# here instead of silently injecting it into the secrets file.
case "$TOKEN" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *)
        echo "The token needs to be exactly 6 digits. Quitting."
        exit 1
        ;;
esac

# Expects a 6-digit token to be already present after the password.
sed -Ei 's/[0-9]{6}"/'"$TOKEN"'"/' "$SECRETS_FILE"

echo "Updated $SECRETS_FILE"

ipsec restart --nofork

For completeness, here is my /etc/ipsec.conf

conn fortigate_vpn
    type = tunnel
    dpdaction = restart
    dpddelay = 30
    dpdtimeout = 60
    keyexchange = ikev1
    ike = aes128-sha1-modp1536
    esp = aes256-sha256-modp1536
    aggressive = yes
    right = 1.2.3.4                  # fortigate gateway
    rightsubnet = 192.168.15.0/24    # subnet
    rightid = %any
    rightauth = psk

    left = %defaultroute
    leftsourceip = %config
    leftauth = psk
    leftauth2 = xauth
    xauth_identity = "foo"           # XAuth id
    leftid = "bar"                   # local id / peer id
    auto = start

And /etc/ipsec.secrets

: PSK "foobarpsk"
foo : XAUTH "pa$$word990099"         # where pa$$word is your XAuth password

Thanks to https://blog.boll.ch/fortigate-ipsec-vpn-with-native-macos-client/, where I found the idea of appending the OTP.
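The answer's disclaimer points out that a bare `sed` over the whole secrets file will clobber any other entry ending in six digits. The following is an added example, not the answer author's script, showing the same "append the OTP to the XAuth password" technique implemented so that only the XAUTH line for one named identity is rewritten, the secret is never placed on a command line, and the file is replaced atomically with mode 0600. The identity `foo`, the password `pa$$word` and the file paths are constructed sample values; `ipsec rereadsecrets` is assumed to be the strongSwan command used to reload secrets without restarting the daemon.

```shell
#!/bin/bash
# Added example (not from the original answer): rewrite only the XAUTH line
# for one identity in an ipsec.secrets-style file, leaving PSK lines and
# other identities untouched. All values below are constructed samples.

# update_xauth_secret FILE IDENTITY PASSWORD TOKEN
# Rewrites `IDENTITY : XAUTH "..."` to `IDENTITY : XAUTH "PASSWORDTOKEN"`.
# Returns 1 if TOKEN is not exactly 6 digits, 2 if no matching line exists,
# 3 if the temporary file cannot be created. Any trailing `# comment` on
# the rewritten line is dropped, since the line is regenerated.
update_xauth_secret() {
    local file="$1" identity="$2" password="$3" token="$4"
    local tmp rc

    # FortiToken codes are 6 digits; reject anything else up front.
    case "$token" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "token must be exactly 6 digits" >&2; return 1 ;;
    esac

    # Write to a temp file next to the original so the final mv is atomic.
    tmp=$(mktemp "${file}.XXXXXX") || return 3

    # Pass identity and secret through the environment rather than argv so
    # they do not show up in `ps` output, and read them via ENVIRON so awk
    # does not apply escape processing to the password.
    XAUTH_ID="$identity" XAUTH_SECRET="${password}${token}" awk '
        $1 == ENVIRON["XAUTH_ID"] && $2 == ":" && $3 == "XAUTH" {
            print ENVIRON["XAUTH_ID"] " : XAUTH \"" ENVIRON["XAUTH_SECRET"] "\""
            found = 1
            next
        }
        { print }
        END { exit found ? 0 : 2 }
    ' "$file" > "$tmp"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        rm -f "$tmp"
        echo "no XAUTH entry for $identity in $file (awk exit $rc)" >&2
        return "$rc"
    fi

    chmod 600 "$tmp"
    mv "$tmp" "$file"
}

# Usage as root, mirroring the original answer's flow (zenity prompt assumed):
#   TOKEN=$(zenity --entry --title "FortiToken" --text "Enter FortiToken")
#   update_xauth_secret /etc/ipsec.secrets foo 'pa$$word' "$TOKEN" \
#       && ipsec rereadsecrets && ipsec up fortigate_vpn
```

Reloading secrets with `ipsec rereadsecrets` instead of `ipsec restart` keeps any other tunnels up while the OTP line changes; the function still returns non-zero when the identity is missing, so the `&&` chain will not try to bring the tunnel up with a stale secret.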
