I am working on an IPSec VPN setup that lets an iPhone/iPad connect to a Linux server running Gentoo. I have been able to get the VPN working with PSK authentication (PSK + login + password), but I cannot get it to work with certificate authentication (certificate + login + password). I am running only Racoon (IPSec), not l2tp.
When I try to connect from the iPhone it sometimes succeeds (rarely, and I cannot find any pattern for when it works). Most of the time the iPhone fails to connect and shows "negotiation with the VPN server failed".
The certificates were generated with easy-rsa (installed together with openvpn), as follows:
build-key-server ipsec-server
build-key --pkcs11 mgorbach_mobile_iPhone
Is something missing from my setup?
path certificate "/etc/racoon/ssl";
remote anonymous {
exchange_mode main,aggressive;
ca_type x509 "ca.crt";
certificate_type x509 "ipsec_server.crt" "ipsec_server.key";
proposal_check claim;
generate_policy on;
verify_cert off;
nat_traversal on;
dpd_delay 20;
mode_cfg on;
ike_frag on;
passive on;
my_identifier asn1dn;
script "/etc/racoon/phase1-up.sh" phase1_up;
script "/etc/racoon/phase1-down.sh" phase1_down;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method xauth_rsa_server;
dh_group 5;
lifetime time 3600 sec;
}
}
mode_cfg {
conf_source local;
network4 10.0.8.1;
netmask4 255.255.255.0;
pool_size 10;
auth_source system;
save_passwd off;
split_network include 172.16.1.0/24;
pfs_group 2;
}
sainfo anonymous {
pfs_group 5;
lifetime time 3600 sec;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
Server log in the failure case:
2012-02-14 20:41:19: INFO: 172.16.1.102[500] used for NAT-T
2012-02-14 20:41:19: INFO: 172.16.1.102[500] used as isakmp port (fd=11)
2012-02-14 20:41:19: INFO: 172.16.1.102[4500] used for NAT-T
2012-02-14 20:41:19: INFO: 172.16.1.102[4500] used as isakmp port (fd=12)
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%eth2[500] used as isakmp port (fd=13)
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%eth2[4500] used as isakmp port (fd=14)
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%br0[500] used as isakmp port (fd=15)
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%br0[4500] used as isakmp port (fd=16)
2012-02-14 20:41:19: INFO: fe80::459:22ff:fe33:495e%tap0[500] used as isakmp port (fd=17)
2012-02-14 20:41:19: INFO: fe80::459:22ff:fe33:495e%tap0[4500] used as isakmp port (fd=18)
2012-02-14 20:41:56: INFO: respond new phase 1 negotiation: 172.16.1.102[500] <=>174.252.45.42[5331]
2012-02-14 20:41:56: INFO: begin Identity Protection mode.
2012-02-14 20:41:56: INFO: received Vendor ID: RFC 3947
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-02-14 20:41:56: INFO: received Vendor ID: CISCO-UNITY
2012-02-14 20:41:56: INFO: received Vendor ID: DPD
2012-02-14 20:41:56: [174.252.45.42] INFO: Selected NAT-T version: RFC 3947
2012-02-14 20:41:56: INFO: Adding xauth VID payload.
2012-02-14 20:41:56: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2
2012-02-14 20:41:56: INFO: NAT-D payload #0 doesn't match
2012-02-14 20:41:56: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2
2012-02-14 20:41:56: INFO: NAT-D payload #1 doesn't match
2012-02-14 20:41:56: INFO: NAT detected: ME PEER
2012-02-14 20:41:56: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2
2012-02-14 20:41:56: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2
2012-02-14 20:41:56: INFO: Adding remote and local NAT-D payloads.
2012-02-14 20:41:58: INFO: NAT-T: ports changed to: 174.252.45.42[5335]<->172.16.1.102[4500]
2012-02-14 20:41:58: INFO: KA list add: 172.16.1.102[4500]->174.252.45.42[5335]
2012-02-14 20:41:58: WARNING: CERT validation disabled by configuration
2012-02-14 20:41:58: INFO: Sending Xauth request
2012-02-14 20:41:58: [174.252.45.42] INFO: received INITIAL-CONTACT
2012-02-14 20:41:58: INFO: ISAKMP-SA established 172.16.1.102[4500]-174.252.45.42[5335] spi:732afbfe416c3732:452dbadff1dceda9
2012-02-14 20:41:58: INFO: Using port 0
2012-02-14 20:41:58: INFO: login succeeded for user "mgorbach"
2012-02-14 20:41:58: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
2012-02-14 20:41:58: ERROR: Cannot open "/etc/motd"
2012-02-14 20:41:58: WARNING: Ignored attribute 28683
2012-02-14 20:41:58: INFO: unsupported PF_KEY message REGISTER
2012-02-14 20:41:59: INFO: purging ISAKMP-SA spi=732afbfe416c3732:452dbadff1dceda9:00007bb0.
2012-02-14 20:41:59: INFO: purged ISAKMP-SA spi=732afbfe416c3732:452dbadff1dceda9:00007bb0.
2012-02-14 20:41:59: INFO: ISAKMP-SA deleted 172.16.1.102[4500]-174.252.45.42[5335] spi:732afbfe416c3732:452dbadff1dceda9
2012-02-14 20:41:59: INFO: KA remove: 172.16.1.102[4500]->174.252.45.42[5335]
2012-02-14 20:41:59: INFO: Released port 0
2012-02-14 20:41:59: INFO: unsupported PF_KEY message REGISTER
2012-02-14 20:41:59: INFO: respond new phase 1 negotiation: 172.16.1.102[500]<=>174.252.45.42[5331]
2012-02-14 20:41:59: INFO: begin Identity Protection mode.
2012-02-14 20:41:59: INFO: received Vendor ID: RFC 3947
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-02-14 20:41:59: INFO: received Vendor ID: CISCO-UNITY
2012-02-14 20:41:59: INFO: received Vendor ID: DPD
2012-02-14 20:41:59: [174.252.45.42] INFO: Selected NAT-T version: RFC 3947
2012-02-14 20:41:59: INFO: Adding xauth VID payload.
2012-02-14 20:41:59: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2
2012-02-14 20:41:59: INFO: NAT-D payload #0 doesn't match
2012-02-14 20:41:59: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2
2012-02-14 20:41:59: INFO: NAT-D payload #1 doesn't match
2012-02-14 20:41:59: INFO: NAT detected: ME PEER
2012-02-14 20:41:59: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2
2012-02-14 20:41:59: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2
2012-02-14 20:41:59: INFO: Adding remote and local NAT-D payloads.
2012-02-14 20:42:01: INFO: NAT-T: ports changed to: 174.252.45.42[5335]<->172.16.1.102[4500]
2012-02-14 20:42:01: INFO: KA list add: 172.16.1.102[4500]->174.252.45.42[5335]
2012-02-14 20:42:01: WARNING: CERT validation disabled by configuration
2012-02-14 20:42:01: INFO: Sending Xauth request
2012-02-14 20:42:01: [174.252.45.42] INFO: received INITIAL-CONTACT
2012-02-14 20:42:01: INFO: ISAKMP-SA established 172.16.1.102[4500]-174.252.45.42[5335] spi:d5a612eed1d76757:ea9806655c9c96c8
2012-02-14 20:42:16: INFO: purging ISAKMP-SA spi=d5a612eed1d76757:ea9806655c9c96c8.
2012-02-14 20:42:16: INFO: purged ISAKMP-SA spi=d5a612eed1d76757:ea9806655c9c96c8.
2012-02-14 20:42:16: INFO: ISAKMP-SA deleted 172.16.1.102[4500]-174.252.45.42[5335] spi:d5a612eed1d76757:ea9806655c9c96c8
2012-02-14 20:42:16: INFO: KA remove: 172.16.1.102[4500]->174.252.45.42[5335]
2012-02-14 20:42:16: INFO: unsupported PF_KEY message REGISTER
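An added example (not part of the original question or of racoon): a small Python linter for the certificate-related directives of a racoon.conf. It parses `path certificate`, `ca_type`, `certificate_type`, `verify_cert` and `authentication_method`, reports `verify_cert off` (which is what produces the "CERT validation disabled by configuration" warning in the log above, and means the server does not check the client's certificate at all), and checks that every referenced file actually exists in the certificate directory. The demo runs it against a trimmed copy of the configuration in the question inside a throw-away directory that holds only the file names easy-rsa assigns for `build-key-server ipsec-server` (`ipsec-server.crt`, `ipsec-server.key`); that the files were copied under those names is an assumption, so if you renamed them on the server, change the list in `demo()`.

```python
"""Linter for the certificate-related directives of a racoon.conf.

Added example, not code from the original post.  It assumes the CA
certificate, server certificate and server key all live in the directory
named by `path certificate`, which is how the question's config is laid out.
"""
import os
import re
import tempfile

# Constructed sample: the relevant lines from the question's configuration.
SAMPLE_CONF = '''
path certificate "/etc/racoon/ssl";
remote anonymous {
    exchange_mode main,aggressive;
    ca_type x509 "ca.crt";
    certificate_type x509 "ipsec_server.crt" "ipsec_server.key";
    verify_cert off;
    proposal {
        authentication_method xauth_rsa_server;
    }
}
'''

QUOTED = re.compile(r'"([^"]*)"')


def parse_racoon_conf(text):
    """Extract the directives that matter for certificate authentication."""
    conf = {"cert_path": None, "ca": None, "cert": None, "key": None,
            "verify_cert": "on", "auth_methods": []}   # racoon's default is on
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")   # drop comments and ';'
        if not line:
            continue
        if line.startswith("path certificate"):
            conf["cert_path"] = QUOTED.search(line).group(1)
        elif line.startswith("ca_type"):
            conf["ca"] = QUOTED.search(line).group(1)
        elif line.startswith("certificate_type"):
            files = QUOTED.findall(line)
            conf["cert"] = files[0] if files else None
            conf["key"] = files[1] if len(files) > 1 else None
        elif line.startswith("verify_cert"):
            conf["verify_cert"] = line.split()[1]
        elif line.startswith("authentication_method"):
            conf["auth_methods"].append(line.split()[1])
    return conf


def lint(conf, cert_dir):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if conf["verify_cert"] != "on":
        findings.append(
            "verify_cert is off: racoon accepts any peer certificate "
            "(this is the source of 'CERT validation disabled by configuration')")
    for label in ("ca", "cert", "key"):
        name = conf[label]
        if name is None:
            findings.append(f"{label} file not configured")
        elif not os.path.isfile(os.path.join(cert_dir, name)):
            findings.append(f"{label} file {name!r} not found under {cert_dir}")
    if any(m.endswith("rsa_server") for m in conf["auth_methods"]) and conf["cert"] is None:
        findings.append("RSA authentication selected but no certificate_type given")
    return findings


def demo():
    """Lint the sample against a temporary directory populated with the file
    names easy-rsa produces for 'build-key-server ipsec-server' (assumption:
    the files were copied to the server without renaming)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ca.crt", "ipsec-server.crt", "ipsec-server.key"):
            open(os.path.join(d, name), "w").close()   # empty placeholder files
        return lint(parse_racoon_conf(SAMPLE_CONF), d)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Run against a real server, replace `SAMPLE_CONF` with the contents of `/etc/racoon/racoon.conf` and pass `conf["cert_path"]` as the directory. The linter only checks names and presence; confirming that the key matches the certificate and that the certificate chains to `ca.crt` is still a job for `openssl`.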