openwrt 上使用 ipsec-tools 进行 xauth:身份验证失败?

openwrt 上使用 ipsec-tools 进行 xauth:身份验证失败?

我正在尝试在 openwrt 上使用 ipsec-tools 设置 xauth,我的设置显示如下:
cat /etc/racoon.conf:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/cert";

listen {
    adminsock disabled;
}

timer
{
        natt_keepalive 10 sec;
}

remote anonymous
{
        exchange_mode aggressive,main;          #必须添加main,否则苹果的vpn client无法连接

        initial_contact on ;
        passive on ;

        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method xauth_psk_server ;
                dh_group 2 ;
        }

        proposal_check obey;
        generate_policy on;
        dpd_delay 20;
        nat_traversal force;
        ike_frag on;
        esp_frag 552;
}

mode_cfg
{
        network4 211.153.68.231;              #VPN地址池
        pool_size 4;
        netmask4 255.255.255.0;
        auth_source system;                      #使用pam作为xauth的用户认证
        dns4 211.153.19.1;
        pfs_group 2;
        banner "/etc/racoon/motd" ;
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm aes ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}

猫/etc/setkey.conf

flush;
spdflush;

spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P in ipsec esp/transport//require;

猫/etc/racoon/psk.txt

test test

猫/etc/racoon/mod

welcome!

猫/etc/init.d/racoon

#!/bin/sh /etc/rc.common
# Copyright (C) 2009-2011 OpenWrt.org
# Copyright (C) 2011 Artem Makhutov

START=49

SERVICE_USE_PID=1

start() {
    mkdir -m 0700 -p /var/racoon
    [ -f /etc/ipsec.conf ] && /usr/sbin/setkey -f /etc/setkey.conf
    service_start /usr/sbin/racoon -f /etc/racoon.conf
}

stop() {
    service_stop /usr/sbin/racoon
}

然后启动服务器:

root@OpenWrt:~# setkey -f /etc/setkey.conf
root@OpenWrt:~# racoon -F -f /etc/racoon.conf
Foreground mode.
2013-09-06 15:52:19: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
2013-09-06 15:52:19: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
2013-09-06 15:52:19: INFO: Reading configuration from "/etc/racoon.conf"
2013-09-06 15:52:19: WARNING: /etc/racoon.conf:33: "552" Your kernel does not support esp_frag
2013-09-06 15:52:19: INFO: Resize address pool from 0 to 4
2013-09-06 15:52:19: INFO: 10.129.228.201[500] used for NAT-T
2013-09-06 15:52:19: INFO: 10.129.228.201[500] used as isakmp port (fd=6)
2013-09-06 15:52:19: INFO: 10.129.228.201[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 10.129.228.201[4500] used as isakmp port (fd=7)
2013-09-06 15:52:19: INFO: 127.0.0.0[500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.0[500] used as isakmp port (fd=8)
2013-09-06 15:52:19: INFO: 127.0.0.0[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.0[4500] used as isakmp port (fd=9)
2013-09-06 15:52:19: INFO: 127.0.0.1[500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
2013-09-06 15:52:19: INFO: 127.0.0.1[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.1[4500] used as isakmp port (fd=11)
2013-09-06 15:52:19: INFO: ::1[500] used as isakmp port (fd=12)
2013-09-06 15:52:19: INFO: ::1[4500] used as isakmp port (fd=13)
2013-09-06 15:52:19: INFO: fe80::a00:27ff:fec1:5c6b[500] used as isakmp port (fd=14)
2013-09-06 15:52:19: INFO: fe80::a00:27ff:fec1:5c6b[4500] used as isakmp port (fd=15)

我只是为了调试而在前台运行它,然后让我们从另一个 ubuntu12.04.2 系统将它与 vpnc 连接起来:

liunx@ubuntu:~$ sudo vpnc
[sudo] password for liunx:
Enter IPSec gateway address: 10.129.228.201
Enter IPSec ID for 10.129.228.201: test
Enter IPSec secret for [email protected]:(test)
Enter username for 10.129.228.201: root
Enter password for [email protected]:(123456)
vpnc: authentication unsuccessful

我收到来自 racoon 的错误信息:

2013-09-06 15:55:14: INFO: respond new phase 1 negotiation: 10.129.228.201[500]<=>10.129.228.200[500]
2013-09-06 15:55:14: INFO: begin Aggressive mode.
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2013-09-06 15:55:14: INFO: received Vendor ID: CISCO-UNITY
2013-09-06 15:55:14: INFO: received Vendor ID: RFC 3947
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2013-09-06 15:55:14: INFO: received Vendor ID: DPD
2013-09-06 15:55:14: [10.129.228.200] INFO: Selected NAT-T version: RFC 3947
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: INFO: Adding remote and local NAT-D payloads.
2013-09-06 15:55:14: [10.129.228.200] INFO: Hashing 10.129.228.200[500] with algo #2 (NAT-T forced)
2013-09-06 15:55:14: [10.129.228.201] INFO: Hashing 10.129.228.201[500] with algo #2 (NAT-T forced)
2013-09-06 15:55:14: INFO: Adding xauth VID payload.
2013-09-06 15:55:14: INFO: NAT-T: ports changed to: 10.129.228.200[4500]<->10.129.228.201[4500]
2013-09-06 15:55:14: [10.129.228.200] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
2013-09-06 15:55:14: INFO: received Vendor ID: CISCO-UNITY
2013-09-06 15:55:14: INFO: NAT-D payload #0 doesn't match
2013-09-06 15:55:14: INFO: NAT-D payload #1 doesn't match
2013-09-06 15:55:14: INFO: NAT detected: ME PEER
2013-09-06 15:55:14: INFO: Sending Xauth request
2013-09-06 15:55:14: INFO: ISAKMP-SA established 10.129.228.201[4500]-10.129.228.200[4500] spi:5f0e764b2ee4a7bd:a65bc2a2089f47f3
2013-09-06 15:55:14: INFO: Using port 0
2013-09-06 15:55:14: INFO: Released port 0
2013-09-06 15:55:14: INFO: login failed for user "root"
2013-09-06 15:55:14: ERROR: Attempt to release an unallocated address (port 0)
2013-09-06 15:55:14: ERROR: mode config 6 from 10.129.228.200[4500], but we have no ISAKMP-SA.

我确定我已经将 root 的密码设置为“123456”,但是我失败了,有什么提示吗?

答案1

这是影子密码的问题,在配置时,ipsec-tools会检测系统是否有影子密码,如果ipsec-tools使用_HAVE_SHADOW_H_进行编译,那么它就不会用非影子密码解析正确的密码,所以会失败,反之亦然。我已经与ubuntu系统、buildroot进行了比较,它们都运行良好。

相关内容