我尝试在 Amazon Linux 实例上运行 strongSwan 并使用 RADIUS 进行身份验证,但在尝试启动 strongSwan 时收到错误
charon[9518]: 00[CFG] RADIUS initialization failed, HMAC/MD5/RNG required
为了安装 strongSwan,我运行
yum install strongswan
# swanctl --version strongSwan swanctl 5.7.1
# swanctl --stats loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
cat <<EOF > /etc/strongswan/strongswan.d/charon/eap-radius.conf
eap-radius {
load = yes
nas_identifier = ${DNSNAME}
retransmit_timeout = 30
retransmit_tries = 1
servers {
primary {
preference = 99
address = ${RADIUSFQDN}
auth_port = 1812
secret = ${RADIUSPSWD}
sockets = 5
}
}
}
EOF
完整的启动日志
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 06[MGR] tried to checkin and delete nonexisting IKE_SA
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 06[IKE] unable to resolve %any, initiate aborted
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 06[CFG] received stroke: initiate 'pod'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG] added configuration 'pod'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG] loaded certificate "CN=vpn.test.dev.poddev.naimuri.uk" from 'vpnserver.crt'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG] adding virtual IP address pool 192.168.250.0/24
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG] received stroke: add connection 'pod'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal strongswan[10484]: charon (10493) started after 60 ms
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal ipsec_starter[10484]: charon (10493) started after 60 ms
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[JOB] spawning 16 worker threads
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[LIB] loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation const
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] no script for ext-auth script defined, disabled
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] HA config misses local/remote address
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loaded 0 RADIUS server configurations
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading RADIUS server 'primary' failed, skipped
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] RADIUS initialization failed, HMAC/MD5/RNG required
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] opening triplet file /etc/strongswan/ipsec.d/triplets.dat failed: No such file or directory
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] sql plugin: database URI not set
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/vpnserver.key'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loaded ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" from '/etc/strongswan/ipsec.d/
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[LIB] openssl FIPS mode(2) - enabled
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] PKCS11 module '<name>' lacks library path
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.1, Linux 4.14.72-73.55.amzn2.x86_64, x86_64)
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal ipsec_starter[10484]: Starting strongSwan 5.7.1 IPsec [starter]...
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal strongswan[10484]: Starting strongSwan 5.7.1 IPsec [starter]...
答案1
问题在于您在 FIPS 模式下使用 OpenSSL,这会禁用 MD5,因为它不符合 FIPS 的批准。
虽然你确实同时拥有md5和甲基安捷伦插件加载后,后者排在openssl插件,它仍然注册了自己的实现HMAC_MD5_128。这个实现甚至可以实例化,因为插件的 HMAC 构造函数实际上只检查EVP_MD给定哈希算法是否存在静态实例,不幸的是,即使在 FIPS 模式下,MD5 也是如此。但是,HMAC_INIT_ex()稍后使用该实例会失败(触发错误的原因是尝试在 HMAC 实例上设置密钥)。
为了避免这种情况,您可以禁用 FIPS 模式(通过charon.plugins.openssl.fips_mode),或者确保甲基安捷伦插件用来代替openssl插入。
后者可以通过修改加载在各自的配置片段中设置这两个插件/etc/strongswan/strongswan.d/charon降级openssl插件(将其设置为负数值),或者通过推广甲基安捷伦插件(将其设置为大于 1 的值)。重新启动后,在中看到的插件顺序swanctl --stats应该会相应改变,并且的输出swanctl --list-algs应该显示甲基安捷伦插件正在提供HMAC_MD5_128。