我正在尝试设置 Strongswan VPN,但无法使其工作。它找不到匹配的对等配置,我不知道原因:
日志:
[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
[NET] <1> sending packet: from 111.111.111.111[500] to 222.222.222.222[34460] (312 bytes)
[NET] <1> received packet: from 222.222.222.222[34495] to 111.111.111.111[4500] (428 bytes)
[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 D_N) N( NON_FIRST_FRAG) SA TSi TSr ]
[CFG] <1> looking for peer configs matching 111.111.111.111[@vpn.example.net]...222.222.222.222[333.333.333.333]
[CFG] <1> no matching peer config found
[IKE] <1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
[IKE] <1> peer supports MOBIKE
[ENC] <1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
[NET] <1> sending packet: from 111.111.111.111[4500] to 222.222.222.222[34495] (76 bytes)
ipsec.conf:
config setup
conn %default
# Wait for peer connection
auto=add
keyexchange=ikev2
# Win7, iOS and Mac
ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! # Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256, mo
dp1024; OS X is 3DES, sha-1, modp1024
esp=aes256-sha256,aes256-sha1,3des-sha1! # Win 7 is aes256-sha1, iOS is aes256-sha256, OS X is 3des-shal1
# Win7 only
#ike=aes256-sha1-modp1024!
#esp=aes256-sha1!
# Dead peer detection
dpdaction=clear
dpddelay=300s
# Win7 does not like rekeying
rekey=no
# Helps with restrictive firewalls
forceencaps=yes
# Suggest and accept compression
compress=yes
conn bbnet
# VPN Gateway is reachable via any network interface
left=%any
# For now tunnel all traffic, later we may refine this to specific subnets
# https://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig
leftsubnet=0.0.0.0/0
# Auth
leftauth=pubkey
leftcert=serverCert.pem
[email protected]
# Mac/iOS: https://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
leftsendcert=always
# Peers:
# Allow all since peers have dynamic IPs
# Assign them IPs in the range 10.67.1.0-10.67.1.255
right=%any
rightsourceip=10.67.1.0/24
rightid=%any
# Peer auth
rightauth=eap-mschapv2
rightsendcert=never
# Not sure if needed
eap_identity=%any
ipsec.secret:
: RSA serverKey.pem
donny : EAP "abcd1234"
iOS/OSX 客户端: 服务器:vpn.example.net 远程 ID:@vpn.example.net 本地 ID:
验证:用户/密码 => donny / abcd1234
我的情况目前非常类似于https://www.strongswan.org/testing/testresults/ikev2/rw-eap-mschapv2-id-rsa/index.html但对等匹配在我的计算机上不起作用......
更新:Win8 可以连接,但不能连接我的 iOS/OS X 设备。以下是成功进行 Win8 身份验证和连接的日志:
[NET] <1> received packet: from 111.111.111.111[500] to 222.222.222.222[500] (880 bytes)
[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
[ENC] <1> received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
[ENC] <1> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
[ENC] <1> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
[ENC] <1> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
[IKE] <1> 111.111.111.111 is initiating an IKE_SA
[IKE] <1> remote host is behind NAT
[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
[NET] <1> sending packet: from 222.222.222.222[500] to 111.111.111.111[500] (312 bytes)
[NET] <1> received packet: from 111.111.111.111[4500] to 222.222.222.222[4500] (5708 bytes)
[ENC] <1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi
[IKE] <1> received cert request for "C=FR, O=strongSwan, CN=strongSwan CA"
[IKE] <1> received 262 cert requests for an unknown ca
[CFG] <1> looking for peer configs matching 222.222.222.222[%any]...111.111.111.111[333.333.333.333]
[CFG] <bbnet|1> selected peer config 'bbnet'
[IKE] <bbnet|1> initiating EAP_IDENTITY method (id 0x00)
[IKE] <bbnet|1> peer supports MOBIKE
[IKE] <bbnet|1> authentication of 'vpn.blubyte.de' (myself) with RSA signature successful
[IKE] <bbnet|1> sending end entity cert "C=FR, O=strongSwan, CN=vpn.blubyte.de"
[ENC] <bbnet|1> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
[NET] <bbnet|1> sending packet: from 222.222.222.222[4500] to 111.111.111.111[4500] (1228 bytes)
[NET] <bbnet|1> received packet: from 111.111.111.111[4500] to 222.222.222.222[4500] (76 bytes)
[ENC] <bbnet|1> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
[IKE] <bbnet|1> received EAP identity 'donny'
[IKE] <bbnet|1> initiating EAP_MSCHAPV2 method (id 0x0D)
[ENC] <bbnet|1> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
[NET] <bbnet|1> sending packet: from 222.222.222.222[4500] to 111.111.111.111[4500] (108 bytes)
[NET] <bbnet|1> received packet: from 111.111.111.111[4500] to 222.222.222.222[4500] (140 bytes)
[ENC] <bbnet|1> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
...
仍然需要知道如何使其与 iOS/OS X 兼容...
答案1
其中有两个重要方面:
[]客户端发送的身份(这些是在日志消息中看到的身份looking for peer configs matching...)必须与服务器上配置的身份(远程身份,右标识,可以是 %any,以接受任何客户端身份 - 这实际上是默认的)。配置的身份可以在 的输出中看到ipsec statusall。客户端和服务器使用的身份必须包含在证书中,这通常意味着它们必须包含在 subjectAltName 扩展中(主题 DN 不能用作许多客户端的服务器身份)。请注意,某些客户端会将身份与 DN 中的 CN 等进行匹配,但 strongSwan 则不会。
后者意味着当 strongSwan 加载证书和配置的服务器身份时(左派) 与完整主题 DN 或任何 subjectAltName 扩展不匹配,它将回退到 DN 作为身份(有相应的日志消息,ipsec statusall也会显示此更改)。因此,即使客户端建议在左派它可能实际上不是 strongSwan 用来查找配置和验证自身的身份。
因此,请确保客户端和服务器上配置的身份匹配,并且这些身份通过身份验证期间使用的证书进行确认。