Strongswan 5.7.1 Android 客户端 IKEv2 证书配置

Strongswan 5.7.1 Android 客户端 IKEv2 证书配置

我正在尝试为 Android strongswan “IKEv2 证书”连接配置 strongswan 5.7.1。我使用的是自签名用户证书和 godaddy 通配符服务器证书。我无法连接,在日志中我看到“本地 ID 匹配:0”和“未找到匹配的对等配置”

ipsec.conf:

conn android
       fragmentation=yes
       keyexchange=ikev2
       left=%defaultroute
       leftsubnet=0.0.0.0/0
       leftfirewall=yes
       leftcert=serverCert.pem
       leftsendcert=always
       right=%any
       rightauth=pubkey
       rightsubnet=10.1.0.0/16
       rightsourceip=10.1.0.0/16
       auto=add

ipsec statusall 输出:

Virtual IP pools (size/online/offline):
  10.0.0.0/16: 65534/0/0
  10.1.0.0/16: 65534/0/0
Listening IP addresses:
  172.30.3.123
Connections:
         ios:  %any...%any  IKEv1
         ios:   local:  [OU=Domain Control Validated, CN=*.vpntest.com] uses public key authentication
         ios:    cert:  "OU=Domain Control Validated, CN=*.vpntest.com"
         ios:   remote: uses public key authentication
         ios:   remote: uses XAuth authentication: any
         ios:   child:  0.0.0.0/0 === 10.0.0.0/16 TUNNEL
     android:  %any...%any  IKEv2
     android:   local:  [OU=Domain Control Validated, CN=*.vpntest.com] uses public key authentication
     android:    cert:  "OU=Domain Control Validated, CN=*.vpntest.com"
     android:   remote: uses public key authentication
     android:   child:  0.0.0.0/0 === 10.1.0.0/16 TUNNEL
Security Associations (0 up, 0 connecting):

/var/log/syslog:

Dec 10 21:25:11 vpn-server charon: 07[CFG]   rightauth=pubkey
Dec 10 21:25:11 vpn-server charon: 07[CFG]   dpddelay=30
Dec 10 21:25:11 vpn-server charon: 07[CFG]   dpdtimeout=150
Dec 10 21:25:11 vpn-server charon: 07[CFG]   sha256_96=no
Dec 10 21:25:11 vpn-server charon: 07[CFG]   mediation=no
Dec 10 21:25:11 vpn-server charon: 07[CFG]   keyexchange=ikev2
Dec 10 21:25:11 vpn-server charon: 07[CFG] adding virtual IP address pool 10.1.0.0/16
Dec 10 21:25:11 vpn-server charon: 07[CFG]   loaded certificate "OU=Domain Control Validated, CN=*.vpntest.com" from 'serverCert.pem'
Dec 10 21:25:11 vpn-server charon: 07[CFG]   id '%any' not confirmed by certificate, defaulting to 'OU=Domain Control Validated, CN=*.vpntest.com'
Dec 10 21:25:11 vpn-server charon: 07[CFG] added configuration 'android'
Dec 10 21:27:26 vpn-server charon: 09[CFG] looking for an IKEv2 config for 172.30.3.123...181.171.184.17
Dec 10 21:27:26 vpn-server charon: 09[CFG] ike config match: 0 (%any...%any IKEv1)
Dec 10 21:27:26 vpn-server charon: 09[CFG] ike config match: 28 (%any...%any IKEv2)
Dec 10 21:27:26 vpn-server charon: 09[CFG]   candidate: %any...%any, prio 28
Dec 10 21:27:26 vpn-server charon: 09[CFG] found matching ike config: %any...%any with prio 28
Dec 10 21:27:26 vpn-server charon: 09[IKE] 181.171.184.17 is initiating an IKE_SA
Dec 10 21:27:26 vpn-server charon: 09[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Dec 10 21:27:26 vpn-server charon: 09[CFG] selecting proposal:
Dec 10 21:27:26 vpn-server charon: 09[CFG]   proposal matches
Dec 10 21:27:26 vpn-server charon: 09[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/P
RF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_819
2/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_H
MAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 10 21:27:26 vpn-server charon: 09[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/
HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 10 21:27:26 vpn-server charon: 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
Dec 10 21:27:26 vpn-server charon: 09[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Dec 10 21:27:26 vpn-server charon: 09[IKE] local host is behind NAT, sending keep alives
Dec 10 21:27:26 vpn-server charon: 09[IKE] remote host is behind NAT
Dec 10 21:27:26 vpn-server charon: 09[IKE] DH group ECP_256 unacceptable, requesting CURVE_25519
Dec 10 21:27:26 vpn-server charon: 09[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
Dec 10 21:27:26 vpn-server charon: 10[CFG] looking for an IKEv2 config for 172.30.3.123...181.171.184.17
Dec 10 21:27:26 vpn-server charon: 10[CFG] ike config match: 0 (%any...%any IKEv1)
Dec 10 21:27:26 vpn-server charon: 10[CFG] ike config match: 28 (%any...%any IKEv2)
Dec 10 21:27:26 vpn-server charon: 10[CFG]   candidate: %any...%any, prio 28
Dec 10 21:27:26 vpn-server charon: 10[IKE] 181.171.184.17 is initiating an IKE_SA
Dec 10 21:27:26 vpn-server charon: 10[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Dec 10 21:27:26 vpn-server charon: 10[CFG] selecting proposal:
Dec 10 21:27:26 vpn-server charon: 10[CFG]   proposal matches
Dec 10 21:27:26 vpn-server charon: 10[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/P
RF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/CURVE_25519/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_819
2/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_H
MAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/CURVE_25519/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 10 21:27:26 vpn-server charon: 10[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/
HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 10 21:27:26 vpn-server charon: 10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
Dec 10 21:27:26 vpn-server charon: 10[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Dec 10 21:27:26 vpn-server charon: 10[IKE] local host is behind NAT, sending keep alives
Dec 10 21:27:26 vpn-server charon: 10[IKE] remote host is behind NAT
Dec 10 21:27:26 vpn-server charon: 10[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
Dec 10 21:27:26 vpn-server charon: 10[IKE] sending cert request for "C=CN, O=strongSwan, CN=strongSwan CA"
Dec 10 21:27:26 vpn-server charon: 10[IKE] sending cert request for "C=CN, O=VpnTest, CN=VpnTest CA"
Dec 10 21:27:26 vpn-server charon: 10[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certifica$
e Authority - G2"
Dec 10 21:27:26 vpn-server charon: 10[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Cer$
ification Authority, SN=07969287"
Dec 10 21:27:26 vpn-server charon: 11[IKE] received cert request for "C=CN, O=VpnTest, CN=VpnTest CA"
Dec 10 21:27:26 vpn-server charon: 11[IKE] received cert request for "C=CN, O=VpnTest, CN=VpnTest CA"
Dec 10 21:27:26 vpn-server charon: 11[IKE] received end entity cert "CN=user1, O=VpnTest"
Dec 10 21:27:26 vpn-server charon: 11[CFG] looking for peer configs matching 172.30.3.123["OU=Domain Control Validated, CN=*.vpntest.com"]...181.171.184.17[CN=user1, O=VpnTest]
Dec 10 21:27:26 vpn-server charon: 11[CFG] peer config "ios", ike match: 0 (%any...%any IKEv1)
Dec 10 21:27:26 vpn-server charon: 11[CFG] peer config "android", ike match: 28 (%any...%any IKEv2)
Dec 10 21:27:26 vpn-server charon: 11[CFG]   local id match: 0 (ID_KEY_ID: 22:4f:55:3d:44:6f:6d:61:69:6e:20:43:6f:6e:74:72:6f:6c:20:56:61:6c:69:64:61:74:65:64:2c:20:43:4e:3d:2a:2e:70:75:72:65$
73:69:67:68:74:2e:63:6f:6d:22)
Dec 10 21:27:26 vpn-server charon: 11[CFG] no matching peer config found
Dec 10 21:27:26 vpn-server charon: 11[IKE] processing INTERNAL_IP4_ADDRESS attribute
Dec 10 21:27:26 vpn-server charon: 11[IKE] processing INTERNAL_IP6_ADDRESS attribute
Dec 10 21:27:26 vpn-server charon: 11[IKE] processing INTERNAL_IP4_DNS attribute
Dec 10 21:27:26 vpn-server charon: 11[IKE] processing INTERNAL_IP6_DNS attribute
Dec 10 21:27:26 vpn-server charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 10 21:27:26 vpn-server charon: 11[IKE] peer supports MOBIKE
Dec 10 21:27:26 vpn-server charon: 11[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING

答案1

我在 Android 客户端上用引号配置了服务器标识。删除引号后,我能够连接

相关内容