L2TP/IPsec with certificates: INVALID_KEY_INFORMATION

I am trying to configure an L2TP/IPsec client on CentOS 7 with the following packages:

  • libreswan-3.15-5
  • xl2tpd-1.3.6-8

The server is MS Windows.

I cannot bring up the VPN.

The error is as follows:

● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
   Active: active (running) since mar 2016-04-26 10:29:13 ART; 7min ago
  Process: 11269 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
  Process: 11267 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
  Process: 11265 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
  Process: 11260 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
  Process: 11523 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
  Process: 11521 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
  Process: 11277 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 11275 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 11534 (pluto)
   CGroup: /system.slice/ipsec.service
           ├─11534 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
           └─11563 _pluto_adns

abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: STATE_MAIN_I2: sent MI2, expecting MR2
abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT+peer behind NAT
abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: I am sending my cert
abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: I am sending a certificate request
abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
abr 26 10:29:22 initiator.example.local pluto[11534]: "windows" #1: STATE_MAIN_I3: sent MI3, expecting MR3
abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=server.example.com'
abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: no RSA public key known for 'CN=server.example.com'
abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: sending encrypted notification INVALID_KEY_INFORMATION to 190.0.2.236:4500

The IPsec configuration is:

conn windows
        type=transport
        authby=rsasig
        #leftrsasigkey=%cert
        #rightrsasigkey=%dnsondemand
        pfs=no
        rekey=no
        keyingtries=3
        narrowing=yes
        left=192.168.40.21
        leftprotoport=udp/l2tp
        leftcert=le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9
        #leftid=le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9
        right=192.0.2.236
        rightid="CN=server.example.com"
        #[email protected]
        #rightrsasigkey=%cert
        #rightca=%same
        #right=server.example.com
        rightprotoport=udp/%any
        auto=add

Certificate list:

certutil -L -d sql:/etc/ipsec.d/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9                      u,u,u

What is wrong with this configuration?
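A triage script added here as an illustration (it is not part of the question or of libreswan) that cross-checks the pluto log above against the certutil listing. It assumes that, for authby=rsasig with certificates, libreswan takes the peer's public key from the certificate the peer sends, and that this certificate must chain to a CA held in the NSS database with C or T trust flags; the listing above shows only the client's own 'u,u,u' entry, and the script reports that as the reason no key is known for 'CN=server.example.com'.

```python
import re

# Constructed from the post: the certutil -L listing and the failing pluto lines.
CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

le-3dbfb38a-2a4d-42a2-8830-0f2711db9df9                      u,u,u
"""
PLUTO_LOG = """\
abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=server.example.com'
abr 26 10:29:23 initiator.example.local pluto[11534]: "windows" #1: no RSA public key known for 'CN=server.example.com'
"""

# One NSS entry: nickname, two or more spaces, then SSL,S/MIME,JAR trust flags.
ENTRY_RE = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")
NO_KEY_RE = re.compile(r"no RSA public key known for '([^']+)'")

def parse_certutil(text):
    """Map nickname -> (ssl, smime, jar) trust flags from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            certs[m.group(1)] = tuple(m.group(2).split(","))
    return certs

def trusted_cas(certs):
    """Nicknames whose SSL trust flags contain C or T (a trusted CA); a bare 'u'
    marks a user certificate with a private key, which cannot validate a peer."""
    return [nick for nick, (ssl, _, _) in certs.items() if "C" in ssl or "T" in ssl]

def unknown_peer_ids(log):
    """Peer IDs for which pluto reported that it had no public key."""
    return NO_KEY_RE.findall(log)

def triage(certutil_text, log):
    """One finding per peer ID pluto could not resolve a key for."""
    cas = trusted_cas(parse_certutil(certutil_text))
    findings = []
    for peer in unknown_peer_ids(log):
        if cas:
            findings.append(f"{peer}: CAs {cas} present; check the peer cert chains to one")
        else:
            findings.append(f"{peer}: no CA with C/T trust in the NSS db; peer cert cannot be validated")
    return findings
```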