使用 strongswan 进行公钥认证

tag-icon tag-icon ipsec public-key rsa strongswan
使用 strongswan 进行公钥认证

我有两个系统 r1 和 r2,我想使用公钥认证通过 Strongswan 在它们之间建立 ESP 隧道。我已使用 openssl 在两个系统中生成公钥,分别存储在 r1-pub.pem 和 r2-pub.pem 中。

现在我的 ipsec.conf 文件在系统 r1 中如下所示

conn host-host-rsa

left=1.1.1.1
leftsubnet=192.168.10.0/24
[email protected]
leftauth=pubkey
leftrsasigkey=/root/r1-pub.pem
right=2.2.2.2
rightsubnet=192.168.20.0/24
[email protected]
rightauth=pubkey
rightrsasigkey=/root/r2-pub.pem
type=tunnel
auto=add

在系统 r2 中,配置为

conn host-host-rsa
left=2.2.2.2
leftsubnet=192.168.20.0/24
[email protected]
leftauth=pubkey
leftrsasigkey=/root/r2-pub.pem
right=1.1.1.1
rightsubnet=192.168.10.0/24
[email protected]
rightauth=pubkey
rightrsasigkey=/root/r1-pub.pem
type=tunnel
auto=add

现在,在 r1 上启动 ipsec 时,我收到此错误

Starting strongSwan 5.1.2 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-32-generic, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (607) started after 300 ms
04[CFG] received stroke: add connection 'host-host-rsa'
04[LIB] building CRED_CERTIFICATE - TRUSTED_PUBKEY failed, tried 0 builders
04[CFG]   loading public key for "moon.strongswan.org" from '/root/r1-pub.pem' failed
04[LIB] building CRED_CERTIFICATE - TRUSTED_PUBKEY failed, tried 0 builders
04[CFG]   loading public key for "sun.strongswan.org" from '/root/r2-pub.pem' failed
04[CFG] added configuration 'host-host-rsa'

我不知道为什么会发生此加载公钥错误。如能提供任何帮助,我将不胜感激。

答案1

你需要公钥插件使用原始公钥。如果您指定charon.load确保strongswan.conf将该插件包含在列表中。如果没有,则说明您没有构建该插件,或者您的发行版没有提供该插件。在这两种情况下,您都必须从源代码重建 strongSwan使用适当的./configure选项。

相关内容