我想在 iOS 设备上连接 Strongswan IKEv2 VPN。它使用 FreeRADIUS 服务器为用户提供 AAA。
它已经在 Android 和 Windows 设备上完美运行。但当我尝试使用 iOS 设备连接时,它会显示以下日志。我正在手动创建 VPN 配置文件并手动安装 .p12 证书以进行服务器身份验证
server hostname: nas.example.com
server ip: 89.89.89.89
client ip: 99.99.99.99
ipsec配置文件
config setup
charondebug="all"
uniqueids=no
conn ikev2-vpn
auto=add
compress=yes
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
dpdaction=clear
dpddelay=3600s
dpdtimeout=5s
rekey=no
left=%any
leftid=89.89.89.89
leftcert=vpn-server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-radius
#rightauth=eap-mschapv2
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
rightsendcert=never
eap_identity=%identity
服务器端日志
Oct 06 02:14:43 nas.example.com charon[3607]: 13[NET] sending packet: from 89.89.89.89[4500] to 99.99.99.99[4500] (792 bytes)
Oct 06 02:15:00 nas.example.com charon[3607]: 14[NET] received packet: from 99.99.99.99[500] to 89.89.89.89[500] (604 bytes)
Oct 06 02:15:00 nas.example.com charon[3607]: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] remote host is behind NAT
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Oct 06 02:15:00 nas.example.com charon[3607]: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 06 02:15:00 nas.example.com charon[3607]: 14[NET] sending packet: from 89.89.89.89[500] to 99.99.99.99[500] (38 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 15[NET] received packet: from 99.99.99.99[500] to 89.89.89.89[500] (476 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 15[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:01 nas.example.com charon[3607]: 15[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:01 nas.example.com charon[3607]: 15[IKE] remote host is behind NAT
Oct 06 02:15:01 nas.example.com charon[3607]: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 15[NET] sending packet: from 89.89.89.89[500] to 99.99.99.99[500] (316 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[NET] received packet: from 99.99.99.99[4500] to 89.89.89.89[4500] (484 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] unknown attribute type (25)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[CFG] looking for peer configs matching 89.89.89.89[89.89.89.89]...99.99.99.99[varun]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[CFG] selected peer config 'ikev2-vpn'
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] initiating EAP_IDENTITY method (id 0x00)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] peer supports MOBIKE
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] authentication of '89.89.89.89' (myself) with RSA signature successful
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] sending end entity cert "C=US, O=nas.example.com, CN=89.89.89.89"
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] splitting IKE message with length of 1980 bytes into 2 fragments
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[NET] sending packet: from 89.89.89.89[4500] to 99.99.99.99[4500] (1248 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[NET] sending packet: from 89.89.89.89[4500] to 99.99.99.99[4500] (792 bytes)
Oct 06 02:15:12 nas.example.com charon[3607]: 16[JOB] deleting half open IKE_SA with 99.99.99.99 after timeout
任何帮助都将不胜感激。谢谢
答案1
您需要双击将证书 /etc/ipsec.d/certs/vpn-server-cert.pem 添加到 MacBook,并在 MacBook 证书存储区的设置中为其建立完全信任(设置“证书使用参数”)。
答案2
在 IOS/MAC 上,如果您使用 EAP,则不需要安装证书。您可以创建 2 种类型的连接配置文件。对我来说最有效的如下。
config setup
strictcrlpolicy=no
uniqueids=never
conn %default
keyexchange=ikev2
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
leftid=111.111.111.111
ikelifetime=24h
keylife=24h
dpdaction=clear
dpdtimeout=3600s
dpddelay=1800s
compress=no
rekey=yes
inactivity=1800s
forceencaps=yes
left=%defaultroute
leftsubnet=0.0.0.0/0,::/0
rightsourceip=%config4,%config6
leftfirewall=yes
rightsourceip=10.10.0.0/16,2001:db8::3:0/16
keyingtries=%forever
fragmentation=yes
right=%any
mobike=yes
rekeymargin=1m
keyingtries=1
lefthostaccess=yes
type=tunnel
conn IPSec-IKEv2
leftauth=pubkey
leftcert=vpnHostCert.pem
rightid=%any
eap_identity=%any
auto=add
conn IOS-PSK-VPN
also=IPSec-IKEv2
rightauth=psk
rightsendcert=never
conn IOS-EAP-VPN
also=IPSec-IKEv2
rightauth=eap-mschapv2
rightsendcert=never
conn IOS-EAP-Radius
also=IPSec-IKEv2
rightauth=eap-radius
rightsendcert=never
conn windows-android
also=IPSec-IKEv2
rightauth=pubkey
rightcert=userCert.pem
我们已经创建了 .sh 文件,用于在 ubuntu 上安装 strongswan 并运行 ipsec vpn。该脚本可以在以下位置找到:
您也可以使用我们的 IKEv2 应用程序,该应用程序适用于 IOS 和 MAC,可以从苹果商店的链接下载 Brooog IKEv2