I'm trying to set up strongSwan on CentOS for iOS using the VPN API. This API uses the IKEv2 protocol. Here are my log + config files. When I press "Connect" on the iOS device, it shuts down after a few minutes. It looks like iOS doesn't like some piece of server information, but I don't know which one.
PS: I have already checked the official strongSwan config; my config looks the same.
2015-09-16T14:20:13.881974+00:00 charon: 02[NET] received packet: from 178.159.28.49[4500] to 94.242.232.178[4500]
2015-09-16T14:20:13.881977+00:00 charon: 02[NET] waiting for data on sockets
2015-09-16T14:20:13.881980+00:00 charon: 06[NET] received packet: from 178.159.28.49[4500] to 94.242.232.178[4500] (316 bytes)
2015-09-16T14:20:13.882095+00:00 charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
2015-09-16T14:20:13.882106+00:00 charon: 06[CFG] looking for peer configs matching 94.242.232.178[lu135.example.net]...178.159.28.49[VPN]
2015-09-16T14:20:13.882111+00:00 charon: 06[CFG] peer config match local: 20 (ID_FQDN -> 6c:75:31:33:35:2e:68:6d:6e:2e:6d:65)
2015-09-16T14:20:13.882115+00:00 charon: 06[CFG] peer config match remote: 1 (ID_FQDN -> 56:50:4e)
2015-09-16T14:20:13.882121+00:00 charon: 06[CFG] ike config match: 1052 (94.242.232.178 178.159.28.49 IKEv2)
2015-09-16T14:20:13.882127+00:00 charon: 06[CFG] candidate "ikev2", match: 20/1/1052 (me/other/ike)
2015-09-16T14:20:13.882134+00:00 charon: 06[CFG] selected peer config 'ikev2'
2015-09-16T14:20:13.882153+00:00 charon: 06[IKE] initiating EAP_IDENTITY method (id 0x00)
2015-09-16T14:20:13.882166+00:00 charon: 06[IKE] processing INTERNAL_IP4_ADDRESS attribute
2015-09-16T14:20:13.882171+00:00 charon: 06[IKE] processing INTERNAL_IP4_DHCP attribute
2015-09-16T14:20:13.882180+00:00 charon: 06[IKE] processing INTERNAL_IP4_DNS attribute
2015-09-16T14:20:13.882183+00:00 charon: 06[IKE] processing INTERNAL_IP4_NETMASK attribute
2015-09-16T14:20:13.882187+00:00 charon: 06[IKE] processing INTERNAL_IP6_ADDRESS attribute
2015-09-16T14:20:13.882196+00:00 charon: 06[IKE] processing INTERNAL_IP6_DHCP attribute
2015-09-16T14:20:13.882202+00:00 charon: 06[IKE] processing INTERNAL_IP6_DNS attribute
2015-09-16T14:20:13.882214+00:00 charon: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2015-09-16T14:20:13.882266+00:00 charon: 06[IKE] IDx' => 16 bytes @ 0x7fa281236940
2015-09-16T14:20:13.882273+00:00 charon: 06[IKE] 0: 02 00 00 00 6C 75 31 33 35 2E 68 6D 6E 2E 6D 65 ....lu135.example.net
2015-09-16T14:20:13.882277+00:00 charon: 06[IKE] SK_p => 20 bytes @ 0x7fa24c003430
2015-09-16T14:20:13.882282+00:00 charon: 06[IKE] 0: 45 A5 6E C1 FA 17 82 BF 81 13 71 3A 94 EC 46 A1 E.n.......q:..F.
2015-09-16T14:20:13.882288+00:00 charon: 06[IKE] 16: 73 A6 F7 47 s..G
2015-09-16T14:20:13.882318+00:00 charon: 06[IKE] octets = message + nonce + prf(Sk_px, IDx') => 344 bytes
…. SOME BYTES HERE ….
2015-09-16T14:20:13.884696+00:00 charon: 06[IKE] authentication of 'lu135.example.net' (myself) with RSA signature successful
2015-09-16T14:20:13.884706+00:00 charon: 06[IKE] sending end entity cert "C=GB, O=COMPANY, CN=lu135.example.net"
2015-09-16T14:20:13.884718+00:00 charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2015-09-16T14:20:13.884897+00:00 charon: 06[NET] sending packet: from 94.242.232.178[4500] to 178.159.28.49[4500] (1220 bytes)
2015-09-16T14:20:13.884924+00:00 charon: 03[NET] sending packet: from 94.242.232.178[4500] to 178.159.28.49[4500]
2015-09-16T14:20:43.786966+00:00 charon: 09[JOB] deleting half open IKE_SA after timeout
2015-09-16T14:20:43.786983+00:00 charon: 09[IKE] IKE_SA ikev2[2] state change: CONNECTING => DESTROYING
Server certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6619988021187675067 (0x5bdeec07f43b83bb)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, O=COMPANY, CN=CERTROOT
        Validity
            Not Before: Sep 16 13:57:53 2015 GMT
            Not After : Sep 15 13:57:53 2018 GMT
        Subject: C=GB, O=COMPANY, CN=lu135.example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    … BYTES …
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:8B:88:DA:1A:76:18:F4:F8:64:51:9C:BB:54:48:C6:3C:2E:5B:E9:8C
            X509v3 Subject Alternative Name:
                DNS:lu135.example.net, IP Address:94.242.232.178, DNS:94.242.232.178
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
    Signature Algorithm: sha256WithRSAEncryption
         … BYTES ….
IPsec config file (ipsec.conf)
config setup
    charondebug="cfg 7, dmn 7, ike 7, net 7"
    uniqueids=no

conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    auto=add
    dpdaction=clear
    dpddelay=300s

conn ikev2
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,aes256-sha1-modp2048
    esp=aes256-sha1,aes128-sha1
    left={{ ansible_default_ipv4.address }}
    leftid={{ dnsname }}
    leftcert=server_cert.pem
    leftsendcert=always
    leftauth=pubkey
    mobike=yes
    right=%any
    rightid=%any
    rightsendcert=never
    rightauth=eap-radius
    rightsourceip=172.16.198.0/24
    rightfirewall=yes
    eap_identity=%identity
    rightdns=8.8.8.8,8.8.4.4
    dpdaction=clear
    auto=add
**Ansible variables + playbook**
cakey: /etc/strongswan/ipsec.d/private/ios.pem
cacert: /etc/strongswan/ipsec.d/cacerts/ios.pem
srvkey: /etc/strongswan/ipsec.d/private/server.pem
srvcert: /etc/strongswan/ipsec.d/certs/server_cert.pem
clnkey: /etc/strongswan/ipsec.d/private/client.pem
clncert: /etc/strongswan/ipsec.d/certs/client.pem
p12: /etc/strongswan/ipsec.d/private/client.p12
issuer: CERTROOT
org: COMPANY
Playbook
---
- name: Installing strongswan config
  template: src=ipsec.conf dest=/etc/strongswan/ipsec.conf
- name: Ipsec secrets
  template: src=ipsec.secrets dest=/etc/strongswan/ipsec.secrets
- name: Generating CA KEY
  shell: strongswan pki --gen --outform pem > {{ cakey }} creates={{ cakey }}
- name: Generate CA Cert
  shell: strongswan pki --self --in {{ cakey }} --dn "C=GB, O={{ org }}, CN={{ issuer }}" --ca --outform pem > {{ cacert }} creates={{ cacert }}
- name: Generate server key
  shell: strongswan pki --gen --outform pem > {{ srvkey }} creates={{ srvkey }}
- name: Create server cert
  shell: strongswan pki --pub --in {{ srvkey }} | strongswan pki --issue --cacert {{ cacert }} --cakey {{ cakey }} --dn "C=GB, O={{ org }}, CN={{ dnsname }}" --san="{{ dnsname }}" --san {{ ansible_default_ipv4.address }} --san @{{ ansible_default_ipv4.address }} --flag serverAuth --flag ikeIntermediate --outform pem > {{ srvcert }} creates={{ srvcert }}
- name: Generating client key
  shell: strongswan pki --gen --outform pem > {{ clnkey }} creates={{ clnkey }}
- name: Create client cert
  shell: strongswan pki --pub --in {{ clnkey }} | strongswan pki --issue --cacert {{ cacert }} --cakey {{ cakey }} --dn "C=GB, O={{ org }}, CN=demo" --outform pem > {{ clncert }} creates={{ clncert }}
- name: Generate p12 file for client
  shell: openssl pkcs12 -export -inkey {{ clnkey }} -in {{ clncert }} -name "demo" -certfile {{ cacert }} -caname "{{ issuer }}" -out {{ p12 }} -password pass:hello creates={{ p12 }}
- name: Restart strongswan
  service: name=strongswan state=restarted
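As an added example (not part of the original post, and not a strongSwan tool), here is a small stdlib-only Python script that replays the decisive charon lines from the log above and reports which side stopped talking: it records the last IKE_AUTH message generated, the size of the last packet sent, and how long charon waited before it deleted the half-open IKE_SA. The verdict codes and the sample log are my own construction.

```python
import re
from datetime import datetime

# Constructed sample: the decisive charon lines from the post above (other lines omitted).
SAMPLE_LOG = """\
2015-09-16T14:20:13.882095+00:00 charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
2015-09-16T14:20:13.884696+00:00 charon: 06[IKE] authentication of 'lu135.example.net' (myself) with RSA signature successful
2015-09-16T14:20:13.884718+00:00 charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2015-09-16T14:20:13.884897+00:00 charon: 06[NET] sending packet: from 94.242.232.178[4500] to 178.159.28.49[4500] (1220 bytes)
2015-09-16T14:20:43.786966+00:00 charon: 09[JOB] deleting half open IKE_SA after timeout
2015-09-16T14:20:43.786983+00:00 charon: 09[IKE] IKE_SA ikev2[2] state change: CONNECTING => DESTROYING
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) charon: \d+\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
EXCH_RE = re.compile(r"^(?P<verb>parsed|generating) (?P<exch>[A-Z_]+) (?P<kind>request|response) "
                     r"(?P<mid>\d+) \[ (?P<payloads>.*) \]$")
SENT_RE = re.compile(r"^sending packet: .* \((?P<size>\d+) bytes\)$")

def diagnose(log_text):
    """Replay charon lines in order and record where the IKEv2 handshake stopped."""
    st = {"last_msg": None, "payloads": [], "sent_bytes": None, "sent_at": None,
          "timed_out": False, "waited_s": None}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg, ts = m["msg"], datetime.fromisoformat(m["ts"])
        e, s = EXCH_RE.match(msg), SENT_RE.match(msg)
        if e:
            st["last_msg"] = f"{e['exch']} {e['kind']} {e['mid']} ({e['verb']})"
            st["payloads"] = e["payloads"].split()  # coarse split; CPRQ(...) breaks into pieces
        elif s:
            st["sent_bytes"], st["sent_at"] = int(s["size"]), ts
        elif msg == "deleting half open IKE_SA after timeout":
            st["timed_out"] = True
            if st["sent_at"]:
                st["waited_s"] = round((ts - st["sent_at"]).total_seconds(), 1)
    return st

def verdict(st):
    """Name the side that stopped talking, so the operator knows which end to inspect."""
    if not st["timed_out"]:
        return "no-timeout"
    if st["last_msg"] and st["last_msg"].endswith("(generating)") and "EAP/REQ/ID" in st["payloads"]:
        # Server sent its IKE_AUTH response (IDr CERT AUTH + EAP identity request) and the peer
        # never replied: the client saw the server certificate and abandoned the exchange, so
        # client-side trust/identity checks and delivery of the large response are the suspects.
        return "client-silent-after-ikeauth-response"
    return "stalled-elsewhere"
```

For the log in the post this yields "client-silent-after-ikeauth-response" after a 29.9 s wait, which is why nothing further shows up on the server side: the next evidence is on the iOS device (its VPN log and whether it trusts the CA that issued the server certificate), not in charon.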