So, I am using Strongswan to connect to a remote Fortigate, because the native Fortinet VPN client does not support IPsec. I also have a hardware FortiToken 200 that provides the OTP.
My current configuration looks like this:
/etc/ipsec.conf
conn my-config
keyexchange=ikev1
aggressive=yes
ike = aes256-sha256-modp1536
esp = aes256-sha1-modp1536
right=remote_ip
rightid=%any
rightsubnet=0.0.0.0/0
rightauth=psk
leftsourceip=%config
leftauth=psk
leftauth2=xauth
xauth_identity="username"
auto=add
/etc/ipsec.secrets
remote_ip : PSK "passphrase_here"
username : XAUTH "password_here"
When I run:
ipsec up my-config
initiating Aggressive Mode IKE_SA german[5] to remote_ip
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.2.15[500] to remote_ip[500] (460 bytes)
received packet: from remote_ip[500] to 10.0.2.15[500] (536 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.2.15[4500] to remote_ip[4500] (140 bytes)
received packet: from remote_ip[4500] to 10.0.2.15[4500] (92 bytes)
parsed TRANSACTION request 1581697690 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
no XAuth method found
generating TRANSACTION response 1581697690 [ HASH CP ]
sending packet: from 10.0.2.15[4500] to remote_ip[4500] (76 bytes)
Obviously the configuration needs to be edited somehow so that it prompts for the OTP at some point.
The question is: how do I do that?
Answer 1
It is possible to connect to a FortiGate VPN with StrongSwan and FortiToken one-time passwords (OTP). I haven't tried it with a hardware token yet, but I expect it to work the same way.
The main trick is to append the OTP to the XAuth password.
The rest of this answer is about building a convenient prompt, and it includes a working configuration.
To avoid editing /etc/ipsec.secrets by hand on every connection, I built a small script that prompts for the OTP using zenity and modifies the secrets file accordingly. The script needs to run as root, because it writes to /etc/ipsec.secrets. For convenience it expects to replace an existing 6-digit number, which means that the first time you set this up you should put any 6 digits after your XAuth password.
Disclaimer: note that this script will replace every occurrence of a 6-digit number followed by a double quote ("). The script assumes a single set of XAuth credentials and may clobber other information you want to keep. Use at your own risk, and only if you fully understand what it does.
#!/bin/bash
SECRETS_FILE="/etc/ipsec.secrets"
# Ask for the current FortiToken code in a zenity dialog.
TOKEN=$(zenity --entry --title "FortiToken" --text "Enter FortiToken")
# The token must be exactly 6 digits; this also keeps sed metacharacters out of the substitution.
if ! [[ "$TOKEN" =~ ^[0-9]{6}$ ]]; then
    echo "The token needs to be exactly 6 digits. Quitting."
    exit 1
fi
# Expects a 6-digit token to be already present after the password:
# replaces the first run of 6 digits followed by a double quote on each line.
sed -Ei 's/[0-9]{6}"/'"$TOKEN"'"/' "$SECRETS_FILE"
echo "Updated $SECRETS_FILE"
ipsec restart --nofork
For completeness, here is my /etc/ipsec.conf:
conn fortigate_vpn
type = tunnel
dpdaction = restart
dpddelay = 30
dpdtimeout = 60
keyexchange = ikev1
ike = aes128-sha1-modp1536
esp = aes256-sha256-modp1536
aggressive = yes
right = 1.2.3.4 # fortigate gateway
rightsubnet = 192.168.15.0/24 # subnet
rightid = %any
rightauth = psk
left = %defaultroute
leftsourceip = %config
leftauth = psk
leftauth2 = xauth
xauth_identity = "foo" # XAuth id
leftid = "bar" # local id / peer id
auto = start
And /etc/ipsec.secrets:
: PSK "foobarpsk"
foo : XAUTH "pa$$word990099" # where pa$$word is your XAuth password
Thanks to https://blog.boll.ch/fortigate-ipsec-vpn-with-native-macos-client/, where I found the idea of appending the OTP.
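As an added example (not the answer's own script), here is a variant of the secrets update that limits the replacement to one identity's XAUTH line and writes the file atomically with mode 600, which avoids the clobbering the disclaimer warns about. The function names, the identity argument and the sample secrets file in the comments are assumptions, not part of the original post.

```shell
#!/bin/sh
# Added example: update only one identity's XAUTH line in an ipsec.secrets file.
# Assumed layout (as in the answer above):  <identity> : XAUTH "<password><6-digit OTP>"
set -eu

# update_xauth_secret FILE IDENTITY TOKEN
# Exit status: 0 on success, 1 for a malformed token, 2 if the identity has no XAUTH line.
update_xauth_secret() {
    file="$1"; ident="$2"; token="$3"
    # A FortiToken code is exactly six digits; rejecting anything else also keeps
    # sed metacharacters such as / or & out of the substitution below.
    case "$token" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Touch only the line for this identity; PSK lines and other users stay untouched.
    grep -q "^$ident : XAUTH \"" "$file" || return 2
    tmp=$(mktemp "$file.XXXXXX")
    # On that one line, swap the six digits that sit right before the closing quote.
    sed -E "/^$ident : XAUTH \"/ s/[0-9]{6}\"/$token\"/" "$file" > "$tmp"
    chmod 600 "$tmp"       # secrets must not be readable by other users
    mv -f "$tmp" "$file"   # atomic replace: never leaves a half-written file
}

# xauth_secret FILE IDENTITY -> prints the quoted XAUTH secret of that identity
xauth_secret() {
    sed -nE "/^$2 : XAUTH \"/ s/.*XAUTH \"([^\"]*)\".*/\1/p" "$1"
}
```

After the update, `ipsec rereadsecrets` reloads the secrets file without restarting the daemon.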