我在 Ubuntu 16.04 服务器上运行 StrongSwan 5.6.2,我可以使用证书从 OSX Sierra 连接到该服务器,但无法以相同的方式从 Windows 10 连接。有人可以帮忙吗?
我已经UDP 500/4500通过防火墙(AWS 安全组)打开,并且如上所述,我可以从 OSX 连接并验证 StrongSwan。
我使用以下配置从源代码构建了 StrongSwan:
./configure --prefix=/usr --sysconfdir=/etc \
--enable-systemd --enable-swanctl \
--disable-charon --disable-stroke --disable-scepclient \
--enable-gcm --enable-eap-tls --enable-eap-identity
我的 swanctl 配置文件具有以下设置:
connections {
ikev2-cert {
version = 2
send_cert = always
encap = yes
pools = pool1
dpd_delay = 60s
unique = keep
local {
certs = vpn-server-cert.pem
id = vpnserver
}
remote {
auth = eap-tls
eap_id = %any
}
children {
net {
local_ts = 10.0.0.0/20
inactivity = 120s
}
}
}
}
pools {
pool1 {
addrs = 172.16.0.0/12
}
}
使用带有标志创建的服务器证书--flag serverAuth --flag ikeIntermediate
ipsec pki --pub --in vpn-server-key.pem \
--type rsa | ipsec pki --issue --lifetime 1825 \
--cacert /etc/swanctl/x509ca/server-root-ca.pem \
--cakey /etc/swanctl/private/server-root-key.pem \
--dn "C=GB, O=Self signed, CN=VPN Server" \
--san vpnserver \
--flag serverAuth --flag ikeIntermediate \
--outform pem > vpn-server-cert.pem
我还必须在 Windows 10 中设置注册密钥,以便使用更好的密码(拍头)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters [DWORD 32bit] NegotiateDH2048_AES256 1
Windows 10客户端尝试连接时服务器日志如下:
Apr 05 15:25:12 charon-systemd[1497]: 14[MGR] checkout IKEv2 SA by message with SPIs 6177fa9aadb3cdd5_i 0000000000000000_r
Apr 05 15:25:12 charon-systemd[1497]: received packet: from 35.36.37.38[42772] to 10.0.3.212[500] (624 bytes)
Apr 05 15:25:12 charon-systemd[1497]: 14[MGR] created IKE_SA (unnamed)[19]
Apr 05 15:25:12 charon-systemd[1497]: parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Apr 05 15:25:12 charon-systemd[1497]: 14[NET] received packet: from 35.36.37.38[42772] to 10.0.3.212[500] (624 bytes)
Apr 05 15:25:12 charon-systemd[1497]: received MS NT5 ISAKMPOAKLEY v9 vendor ID
Apr 05 15:25:12 charon-systemd[1497]: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Apr 05 15:25:12 charon-systemd[1497]: received MS-Negotiation Discovery Capable vendor ID
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] looking for an ike config for 10.0.3.212...35.36.37.38
Apr 05 15:25:12 charon-systemd[1497]: received Vid-Initial-Contact vendor ID
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] ike config match: 28 (10.0.3.212 35.36.37.38 IKEv2)
Apr 05 15:25:12 charon-systemd[1497]: received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] candidate: %any...%any, prio 28
Apr 05 15:25:12 charon-systemd[1497]: 35.36.37.38 is initiating an IKE_SA
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] found matching ike config: %any...%any with prio 28
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] received MS-Negotiation Discovery Capable vendor ID
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] received Vid-Initial-Contact vendor ID
Apr 05 15:25:12 charon-systemd[1497]: 14[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] 35.36.37.38 is initiating an IKE_SA
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] IKE_SA (unnamed)[19] state change: CREATED => CONNECTING
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] selecting proposal:
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] proposal matches
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Apr 05 15:25:12 charon-systemd[1497]: 14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Apr 05 15:25:12 charon-systemd[1497]: 14[LIB] size of DH secret exponent: 2047 bits
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] local host is behind NAT, sending keep alives
Apr 05 15:25:12 charon-systemd[1497]: local host is behind NAT, sending keep alives
Apr 05 15:25:12 charon-systemd[1497]: 01[JOB] next event in 19s 999ms, waiting
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] remote host is behind NAT
Apr 05 15:25:12 charon-systemd[1497]: remote host is behind NAT
Apr 05 15:25:12 charon-systemd[1497]: sending cert request for "C=GB, O=Self Signed, CN=VPN Server Root CA"
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] 0: 0E F2 A0 61 A3 44 38 E5 49 4A B1 50 BE 3C 7C 7B ...a.D8.IJ.P.<|{
Apr 05 15:25:12 charon-systemd[1497]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] 16: E0 B4 5C C1 ..\.
Apr 05 15:25:12 charon-systemd[1497]: sending packet: from 10.0.3.212[500] to 35.36.37.38[42772] (465 bytes)
Apr 05 15:25:12 charon-systemd[1497]: 14[IKE] sending cert request for "C=GB, O=Self Signed, CN=VPN Server Root CA"
Apr 05 15:25:12 charon-systemd[1497]: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 05 15:25:12 charon-systemd[1497]: 14[NET] sending packet: from 10.0.3.212[500] to 35.36.37.38[42772] (465 bytes)
Apr 05 15:25:12 charon-systemd[1497]: 01[JOB] next event in 19s 998ms, waiting
Apr 05 15:25:12 charon-systemd[1497]: 14[MGR] checkin IKE_SA (unnamed)[19]
Apr 05 15:25:12 charon-systemd[1497]: 14[MGR] checkin of IKE_SA successful
Apr 05 15:25:32 charon-systemd[1497]: 01[JOB] got event, queuing job for execution
Apr 05 15:25:32 charon-systemd[1497]: sending keep alive to 35.36.37.38[42772]
Apr 05 15:25:32 charon-systemd[1497]: 01[JOB] next event in 10s 1ms, waiting
Apr 05 15:25:32 charon-systemd[1497]: 16[MGR] checkout IKEv2 SA with SPIs 6177fa9aadb3cdd5_i 222d0fd2d78e519d_r
Apr 05 15:25:32 charon-systemd[1497]: 16[MGR] IKE_SA (unnamed)[19] successfully checked out
Apr 05 15:25:32 charon-systemd[1497]: 16[IKE] sending keep alive to 35.36.37.38[42772]
Apr 05 15:25:32 charon-systemd[1497]: 16[MGR] checkin IKE_SA (unnamed)[19]
Apr 05 15:25:32 charon-systemd[1497]: 16[MGR] checkin of IKE_SA successful
Apr 05 15:25:32 charon-systemd[1497]: 01[JOB] next event in 10s 0ms, waiting
Apr 05 15:25:42 charon-systemd[1497]: 01[JOB] got event, queuing job for execution
Apr 05 15:25:42 charon-systemd[1497]: deleting half open IKE_SA with 35.36.37.38 after timeout
我注意到在 Windows 10 VPN 配置器中,没有地方可以设置Remote ID或Local ID(就像在 OSX 中一样),所以我猜测微软有一种神奇的方法(像往常一样)。
答案1
答案是服务器和客户端的证书格式。
Windows 要求将主机名或 IP 地址列在 中san,而 OSX 要求Remote ID将 列在 中san,因此您最终会得到如下所示的服务器证书
ipsec pki --pub --in vpn-server-key.pem \
--type rsa | ipsec pki --issue --lifetime 1825 \
--cacert /etc/swanctl/x509ca/server-root-ca.pem \
--cakey /etc/swanctl/private/server-root-key.pem \
--dn "C=GB, O=Self signed, CN=vpnserver" \
--san vpnserver \
--san dns:34.35.36.37 \
--flag serverAuth --flag ikeIntermediate \
--outform pem > vpn-server-cert.pem
客户端证书的情况也类似。将 swanctl 配置设置为 后eap_id = %any,StrongSwan 会向客户端请求其身份。Windows 返回其证书的 CN 部分,而 OSX 返回Local ID,这意味着证书如下所示:
ipsec pki --pub --in vpn-$USER-key.pem \
--type rsa | ipsec pki --issue --lifetime 1825 \
--cacert /etc/swanctl/x509ca/server-root-ca.pem \
--cakey /etc/swanctl/private/server-root-key.pem \
--dn "C=GB, O=Self signed, CN=$USER" \
--san $USER \
--outform pem > vpn-$USER-cert.pem
在 Windows 的配置设置中,您可以告诉它使用不同的用户名以及要连接的服务器,我怀疑这会使其行为与 OSX 相同,但默认情况下,这些都没有被选中。
Windows 还会对服务器进行身份验证,并发出未知服务器的警告,您可以单击“继续”,也可以server authentication checking从 Windows 客户端 VPN 设置中禁用该警告(不推荐)。