ipsec configuration in strongSwan

I am trying to set up an IPsec VPN between two peers hosted in AWS, but I cannot get it working. My environment is as follows:

One peer has 10.10.1.100 as its private IP and 8.abc as its public IP; the remote client is reachable at IP 9.dec. I was told to follow these parameters in the configuration:

Phase 1 settings:

• IKE version: IKEv2
• IKE authentication method: pre-shared key
• IKE encryption algorithm: AES256
• IKE authentication algorithm: HMAC_SHA256
• IKE Diffie-Hellman group: Group 2 - 1024 bits
• IKE phase 1 lifetime: 86400 seconds
• IKE exchange mode: main

Phase 2 settings:

• Encryption algorithm: AES256
• Authentication algorithm: HMAC_SHA256
• Diffie-Hellman group: Group 2 - 1024 bits
• Phase 2 lifetime: 3600 seconds

So, in one of the peers, I set this up in the ipsec.conf file:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        charondebug="ike 4, knl 2, cfg 2, net 4, lib 2, chd 4, mgr 4, enc 4"
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

conn cet
        authby=secret
        keyexchange=ikev2
        esp=aes256-sha256-modp1024
        ikelifetime=86400s
        ike=aes256-sha256-modp1024
        keylife=3600s
        leftsubnet=10.10.1.0/24
        left=10.10.1.100
        right=9.d.e.c
        rightsubnet=192.168.1.0/24
        mobike=no
        auto=start

The /etc/ipsec.secrets file looks like this:

#ipsec.secrets - strongSwan IPsec secrets file
54.169.72.161 : PSK "oddRandomCharacters"

But when I try to bring up the VPN connection, the output I get is:

initiating IKE_SA cet[68] to 9.d.e.f
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.10.1.100[500] to 9.d.e.f[500] (900 bytes)
received packet: from 9.d.e.f[500] to 10.10.1.100[500] (336 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of '10.10.1.100' (myself) with pre-shared key
establishing CHILD_SA cet
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.10.1.100[4500] to 9.d.e.f[4500] (384 bytes)
received packet: from 9.d.e.f[4500] to 10.10.1.100[4500] (80 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'cet' failed

I guess I am missing a phase 2 parameter, because as far as I can tell the phase 1 negotiation goes fine, but it fails when the tunnel tries to establish. The private key is correct and the configuration parameters were shared beforehand, so that should not be the problem; unfortunately I have no access to the remote peer's logs, so all I have is /var/log/syslog:

Aug 27 02:03:11 ap-southeast-2-gw charon: 10[IKE] successfully created shared key MAC
Aug 27 02:03:11 ap-southeast-2-gw charon: 10[IKE] establishing CHILD_SA cet
Aug 27 02:03:11 ap-southeast-2-gw charon: 10[CFG] proposing traffic selectors for us:
Aug 27 02:03:11 ap-southeast-2-gw charon: 10[CFG]  10.10.1.0/24
Aug 27 02:03:11 ap-southeast-2-gw charon: 10[CFG] proposing traffic selectors for other:
Aug 27 02:03:11 ap-southeast-2-gw charon: 10[CFG]  192.168.1.0/24
Aug 27 02:03:11 ap-southeast-2-gw charon: 10[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Aug 27 02:03:11 ap-southeast-2-gw charon: 10[KNL] got SPI cd02b0dc
Aug 27 02:03:11 ap-southeast-2-gw charon: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Aug 27 02:03:11 ap-southeast-2-gw charon: 10[NET] sending packet: from 10.10.1.100[4500] to 54.169.72.161[4500] (384 bytes)
Aug 27 02:03:11 ap-southeast-2-gw charon: 05[NET] sending packet: from 10.10.1.100[4500] to 54.169.72.161[4500]
Aug 27 02:03:12 ap-southeast-2-gw charon: 03[NET] received packet: from 54.169.72.161[4500] to 10.10.1.100[4500]
Aug 27 02:03:12 ap-southeast-2-gw charon: 03[NET] waiting for data on sockets
Aug 27 02:03:12 ap-southeast-2-gw charon: 15[NET] received packet: from 54.169.72.161[4500] to 10.10.1.100[4500] (80 bytes)
Aug 27 02:03:12 ap-southeast-2-gw charon: 15[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 27 02:03:12 ap-southeast-2-gw charon: 15[IKE] received AUTHENTICATION_FAILED notify error

Am I missing something?
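To make the exchange sequence in that charon output explicit, here is an added Python example (written for this page; it is not code from the question or from strongSwan) that parses the "generating ... request" / "parsed ... response" lines, checks whether the IKE_SA_INIT response carried SA and KE payloads (the peer accepted the ike= proposal), and maps the first error notify in a response to the configuration it points at. The sample log is the question's own output, embedded as a constructed string; the notify-to-cause table is the assumed interpretation, not a strongSwan message catalogue.

```python
import re

# Constructed sample input: the charon output quoted in the question
# (peer addresses anonymized as in the question).
SAMPLE_LOG = """\
initiating IKE_SA cet[68] to 9.d.e.f
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.10.1.100[500] to 9.d.e.f[500] (900 bytes)
received packet: from 9.d.e.f[500] to 10.10.1.100[500] (336 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
authentication of '10.10.1.100' (myself) with pre-shared key
establishing CHILD_SA cet
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
received packet: from 9.d.e.f[4500] to 10.10.1.100[4500] (80 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'cet' failed
"""

# Matches both the plain "ipsec up" output and the syslog form, because
# search() skips the "charon: 15[ENC] " prefix in front of the keyword.
MSG_RE = re.compile(
    r"(?:generating|parsed) (?P<exchange>[A-Z_]+) (?P<kind>request|response) "
    r"(?P<id>\d+) \[ (?P<payloads>[^\]]*)\]"
)

# Assumed interpretation of error notifies, keyed by the exchange they arrive in.
# "*" applies to any exchange.
ERROR_NOTIFIES = {
    "NO_PROPOSAL_CHOSEN": {
        "IKE_SA_INIT": "IKE (phase 1) proposal rejected: compare the ike= line with the peer's settings",
        "IKE_AUTH": "ESP (phase 2) proposal rejected after authentication succeeded: compare the esp= line",
    },
    "INVALID_KE_PAYLOAD": {"*": "Diffie-Hellman group mismatch: the peer wants a different modp group in ike="},
    "AUTH_FAILED": {
        "*": "authentication failed: the peer could not verify our AUTH payload "
             "(PSK or identity mismatch, or no matching conn on the peer); "
             "the IKE proposal was already accepted, so this is not a phase 1 algorithm problem"
    },
    "TS_UNACCEPTABLE": {"*": "traffic selector mismatch: leftsubnet/rightsubnet do not match the peer's configuration"},
}


def parse_messages(log):
    """Return one dict per IKE message that charon generated or parsed."""
    msgs = []
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        payloads = m.group("payloads").split()
        # "N(AUTH_FAILED)" -> "AUTH_FAILED"
        notifies = [p[2:-1] for p in payloads if p.startswith("N(") and p.endswith(")")]
        msgs.append({
            "exchange": m.group("exchange"),
            "kind": m.group("kind"),
            "id": int(m.group("id")),
            "payloads": payloads,
            "notifies": notifies,
        })
    return msgs


def diagnose(log):
    """Locate the first failing exchange and name the configuration it implicates."""
    responses = [m for m in parse_messages(log) if m["kind"] == "response"]
    init = next((m for m in responses if m["exchange"] == "IKE_SA_INIT"), None)
    # An IKE_SA_INIT response with SA and KE payloads means the responder picked
    # one of our IKE proposals and sent its own DH public value.
    init_ok = init is not None and "SA" in init["payloads"] and "KE" in init["payloads"]
    result = {"ike_sa_init_accepted": init_ok, "failing_exchange": None,
              "notify": None, "likely_cause": None}
    for m in responses:
        errs = [n for n in m["notifies"] if n in ERROR_NOTIFIES]
        if errs:
            causes = ERROR_NOTIFIES[errs[0]]
            result["failing_exchange"] = m["exchange"]
            result["notify"] = errs[0]
            result["likely_cause"] = causes.get(m["exchange"], causes.get("*"))
            break
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the question's output, the script reports that IKE_SA_INIT was accepted and that the failure is AUTH_FAILED in IKE_AUTH, which is the authentication step rather than the ESP proposal: a phase 2 algorithm or subnet mismatch would instead surface as NO_PROPOSAL_CHOSEN or TS_UNACCEPTABLE in that same exchange. The syslog excerpt in the question can be fed in unchanged, since the regex ignores the charon thread prefix.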

Answer 1

As far as I know, IKEv2 does not support secret as an authentication method.

Edit: in a site-to-site setup this may not hold. I have only used strongSwan for roadwarrior setups with Windows 10 clients, and secret or PSK does not work with IKEv2 on Windows.

You either need to run a mutual EAP method (such as EAP-TLS) on both sides, or EAP on the requesting side and public key on the server side.

Edit: can you share the configuration from the other side?
