IPSec VPN login fails with certificate authentication

I am working on an IPSec VPN solution that lets an iPhone/iPad connect to a Linux server running Gentoo. I have already got the VPN working with PSK authentication (PSK + login + password), but I cannot get it to work with certificate authentication (certificate + login + password). I am running only Racoon (IPsec), no L2TP.

When I try to connect from the iPhone, it sometimes succeeds (rarely, and I cannot find any pattern for when it works). Most of the time the iPhone fails to connect and shows "Negotiation with the VPN server failed".

The certificates were generated with easy-rsa (installed along with OpenVPN), as follows:

build-key-server ipsec-server
build-key --pkcs11 mgorbach_mobile_iPhone

Is there something missing from my setup?

path certificate "/etc/racoon/ssl";

remote anonymous {
    exchange_mode main,aggressive;
    ca_type x509 "ca.crt";
    certificate_type x509 "ipsec_server.crt" "ipsec_server.key";
    proposal_check claim;
    generate_policy on;
    verify_cert off;
    nat_traversal on;
    dpd_delay 20;
    mode_cfg on;
    ike_frag on;
    passive on;
    my_identifier asn1dn;
    script "/etc/racoon/phase1-up.sh" phase1_up;
    script "/etc/racoon/phase1-down.sh" phase1_down;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method xauth_rsa_server;
        dh_group 5;
        lifetime time 3600 sec;
    }
}

mode_cfg {
    conf_source local;
    network4 10.0.8.1;
    netmask4 255.255.255.0;
    pool_size 10;
    auth_source system;
    save_passwd off;
    split_network include 172.16.1.0/24;
    pfs_group 2;
}

sainfo anonymous {
    pfs_group 5;
    lifetime time 3600 sec;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

Server log in the failing case:

2012-02-14 20:41:19: INFO: 172.16.1.102[500] used for NAT-T
2012-02-14 20:41:19: INFO: 172.16.1.102[500] used as isakmp port (fd=11)
2012-02-14 20:41:19: INFO: 172.16.1.102[4500] used for NAT-T
2012-02-14 20:41:19: INFO: 172.16.1.102[4500] used as isakmp port (fd=12)
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%eth2[500] used as isakmp port (fd=13)
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%eth2[4500] used as isakmp port (fd=14)
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%br0[500] used as isakmp port (fd=15)
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%br0[4500] used as isakmp port (fd=16)
2012-02-14 20:41:19: INFO: fe80::459:22ff:fe33:495e%tap0[500] used as isakmp port (fd=17)
2012-02-14 20:41:19: INFO: fe80::459:22ff:fe33:495e%tap0[4500] used as isakmp port (fd=18)
2012-02-14 20:41:56: INFO: respond new phase 1 negotiation: 172.16.1.102[500]<=>174.252.45.42[5331]
2012-02-14 20:41:56: INFO: begin Identity Protection mode.
2012-02-14 20:41:56: INFO: received Vendor ID: RFC 3947
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-02-14 20:41:56: INFO: received Vendor ID: CISCO-UNITY
2012-02-14 20:41:56: INFO: received Vendor ID: DPD
2012-02-14 20:41:56: [174.252.45.42] INFO: Selected NAT-T version: RFC 3947
2012-02-14 20:41:56: INFO: Adding xauth VID payload.
2012-02-14 20:41:56: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2
2012-02-14 20:41:56: INFO: NAT-D payload #0 doesn't match
2012-02-14 20:41:56: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2
2012-02-14 20:41:56: INFO: NAT-D payload #1 doesn't match
2012-02-14 20:41:56: INFO: NAT detected: ME PEER
2012-02-14 20:41:56: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2
2012-02-14 20:41:56: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2
2012-02-14 20:41:56: INFO: Adding remote and local NAT-D payloads.
2012-02-14 20:41:58: INFO: NAT-T: ports changed to: 174.252.45.42[5335]<->172.16.1.102[4500]
2012-02-14 20:41:58: INFO: KA list add: 172.16.1.102[4500]->174.252.45.42[5335]
2012-02-14 20:41:58: WARNING: CERT validation disabled by configuration
2012-02-14 20:41:58: INFO: Sending Xauth request
2012-02-14 20:41:58: [174.252.45.42] INFO: received INITIAL-CONTACT
2012-02-14 20:41:58: INFO: ISAKMP-SA established 172.16.1.102[4500]-174.252.45.42[5335] spi:732afbfe416c3732:452dbadff1dceda9
2012-02-14 20:41:58: INFO: Using port 0
2012-02-14 20:41:58: INFO: login succeeded for user "mgorbach"
2012-02-14 20:41:58: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
2012-02-14 20:41:58: ERROR: Cannot open "/etc/motd"
2012-02-14 20:41:58: WARNING: Ignored attribute 28683
2012-02-14 20:41:58: INFO: unsupported PF_KEY message REGISTER
2012-02-14 20:41:59: INFO: purging ISAKMP-SA spi=732afbfe416c3732:452dbadff1dceda9:00007bb0.
2012-02-14 20:41:59: INFO: purged ISAKMP-SA spi=732afbfe416c3732:452dbadff1dceda9:00007bb0.
2012-02-14 20:41:59: INFO: ISAKMP-SA deleted 172.16.1.102[4500]-174.252.45.42[5335] spi:732afbfe416c3732:452dbadff1dceda9
2012-02-14 20:41:59: INFO: KA remove: 172.16.1.102[4500]->174.252.45.42[5335]
2012-02-14 20:41:59: INFO: Released port 0
2012-02-14 20:41:59: INFO: unsupported PF_KEY message REGISTER
2012-02-14 20:41:59: INFO: respond new phase 1 negotiation: 172.16.1.102[500]<=>174.252.45.42[5331]
2012-02-14 20:41:59: INFO: begin Identity Protection mode.
2012-02-14 20:41:59: INFO: received Vendor ID: RFC 3947
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-02-14 20:41:59: INFO: received Vendor ID: CISCO-UNITY
2012-02-14 20:41:59: INFO: received Vendor ID: DPD
2012-02-14 20:41:59: [174.252.45.42] INFO: Selected NAT-T version: RFC 3947
2012-02-14 20:41:59: INFO: Adding xauth VID payload.
2012-02-14 20:41:59: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2
2012-02-14 20:41:59: INFO: NAT-D payload #0 doesn't match
2012-02-14 20:41:59: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2
2012-02-14 20:41:59: INFO: NAT-D payload #1 doesn't match
2012-02-14 20:41:59: INFO: NAT detected: ME PEER
2012-02-14 20:41:59: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2
2012-02-14 20:41:59: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2
2012-02-14 20:41:59: INFO: Adding remote and local NAT-D payloads.
2012-02-14 20:42:01: INFO: NAT-T: ports changed to: 174.252.45.42[5335]<->172.16.1.102[4500]
2012-02-14 20:42:01: INFO: KA list add: 172.16.1.102[4500]->174.252.45.42[5335]
2012-02-14 20:42:01: WARNING: CERT validation disabled by configuration
2012-02-14 20:42:01: INFO: Sending Xauth request
2012-02-14 20:42:01: [174.252.45.42] INFO: received INITIAL-CONTACT
2012-02-14 20:42:01: INFO: ISAKMP-SA established 172.16.1.102[4500]-174.252.45.42[5335] spi:d5a612eed1d76757:ea9806655c9c96c8
2012-02-14 20:42:16: INFO: purging ISAKMP-SA spi=d5a612eed1d76757:ea9806655c9c96c8.
2012-02-14 20:42:16: INFO: purged ISAKMP-SA spi=d5a612eed1d76757:ea9806655c9c96c8.
2012-02-14 20:42:16: INFO: ISAKMP-SA deleted 172.16.1.102[4500]-174.252.45.42[5335] spi:d5a612eed1d76757:ea9806655c9c96c8
2012-02-14 20:42:16: INFO: KA remove: 172.16.1.102[4500]->174.252.45.42[5335]
2012-02-14 20:42:16: INFO: unsupported PF_KEY message REGISTER
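A small log triage helper for the failure shown in the question, written as an added example (it is not part of racoon or ipsec-tools and not the asker's code): it correlates racoon's "ISAKMP-SA established" and "ISAKMP-SA deleted" lines by SPI, records whether XAuth reached "login succeeded" on each SA, and counts the "CERT validation disabled by configuration" warnings that the `verify_cert off` setting produces. The sample input is an excerpt of the log posted above; the helper assumes racoon's default log line format.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# racoon line format: "<date> <time>: [<peer>] <LEVEL>: <message>" (the [peer] tag is optional)
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?:\[[^\]]*\] )?\w+: (.*)$")
SA_RE = re.compile(r"ISAKMP-SA (established|deleted) .*spi:([0-9a-f]+:[0-9a-f]+)")
LOGIN_RE = re.compile(r'login succeeded for user "([^"]+)"')

@dataclass
class Phase1SA:
    spi: str
    established: datetime
    deleted: Optional[datetime] = None
    xauth_user: Optional[str] = None  # set only when XAuth completed on this SA

def triage(lines: Iterable[str]):
    """Return (Phase 1 SAs in order of establishment, count of 'CERT validation disabled' warnings)."""
    sas: dict[str, Phase1SA] = {}       # keyed by the cookie pair racoon prints as spi:i:r
    current: Optional[Phase1SA] = None  # SA whose XAuth exchange is in progress
    cert_checks_off = 0
    for raw in lines:
        if m := LINE_RE.match(raw.strip()):
            ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
            if "CERT validation disabled" in msg:
                cert_checks_off += 1
            elif sa := SA_RE.search(msg):
                kind, spi = sa.groups()
                if kind == "established":
                    current = sas[spi] = Phase1SA(spi, ts)
                elif spi in sas:
                    sas[spi].deleted = ts
            elif (login := LOGIN_RE.search(msg)) and current is not None:
                current.xauth_user = login.group(1)
    return list(sas.values()), cert_checks_off

def failed_logins(sas: list) -> list:
    # SAs racoon deleted without XAuth ever succeeding: the pattern behind "negotiation failed"
    return [sa for sa in sas if sa.deleted is not None and sa.xauth_user is None]

# Excerpt of the log posted in the question (only the lines this tool acts on).
SAMPLE_LOG = """\
2012-02-14 20:41:58: WARNING: CERT validation disabled by configuration
2012-02-14 20:41:58: INFO: ISAKMP-SA established 172.16.1.102[4500]-174.252.45.42[5335] spi:732afbfe416c3732:452dbadff1dceda9
2012-02-14 20:41:58: INFO: login succeeded for user "mgorbach"
2012-02-14 20:41:59: INFO: ISAKMP-SA deleted 172.16.1.102[4500]-174.252.45.42[5335] spi:732afbfe416c3732:452dbadff1dceda9
2012-02-14 20:42:01: INFO: ISAKMP-SA established 172.16.1.102[4500]-174.252.45.42[5335] spi:d5a612eed1d76757:ea9806655c9c96c8
2012-02-14 20:42:16: INFO: ISAKMP-SA deleted 172.16.1.102[4500]-174.252.45.42[5335] spi:d5a612eed1d76757:ea9806655c9c96c8
""".splitlines()
```

On the excerpt, `triage` reports the first SA deleted one second after XAuth succeeded for "mgorbach" and the second SA deleted 15 seconds after establishment without ever reaching "login succeeded"; `failed_logins` returns that second SA.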
