服务器

服务器

我正在配置 Strongswan 服务器,以便 VPN 客户端访问内部网络 (EAP-IKEv2)。我使用自签名服务器证书成功设置了它,并且在将 ca.crt 添加到客户端的根 CA 中作为受信任后,它适用于使用 Mac OS X、Windows 7 和 Windows 10 的客户端。

现在我想切换到 Letsencrypt 证书,该证书应该是值得信任的,不需要任何额外的客户端配置,但不幸的是由于某种原因我无法让它工作。

服务器:Ubuntu 18.04 上的 Strongswan 版本 5.6.2。客户端:Mac OS X 10.14.2 / Ubuntu 18.04 / Windows 7 / Windows 10

我收到的 Mac OS X VPN 错误是:The VPN server did not respond。仅与自签名证书进行比较,如果不将 ca.crt 添加到 Mac OS,我会收到User Authentication failed

当我复制server.crt给客户端时它显示This certificate is valid

我还尝试为 DST ROOT CA X3 证书和 Mac OS 中的任何其他 Letsencrypt 相关的 CA 证书设置 IP 安全性 (IPsec),Always trust但这没有帮助。

我也尝试强制Always Trust执行server.crt证书但仍然没有成功。

我测试了所有提到的操作系统(使用 strongswan 网络管理器小程序的 Linux),但没有起作用。

因为我无法从 Mac OS 和 Windows 获取任何合理的调试日志,所以我设置了 Strongswan客户在其他服务器上使用没有网络管理器小程序的 Ubuntu。在客户端上将DST_Root_CA_X3.pem证书从复制/etc/ssl/certs到后,它开始工作。/etc/ipsec.d/cacerts

我有 3 个问题:

  1. 如何从 Mac OS 原生 VPN 客户端获取任何调试日志?
  2. Strongswan VPN 是否适用于 Letsencrypt 证书?这里可能存在什么问题?
  3. 你能推荐一些可行的替代方案吗?Racoon、Openswan?我还是把 OpenVPN 作为 B 计划吧。

下面您可以找到所有详细信息。

感谢您的帮助。如果您有任何建议,我将不胜感激。

服务器

$ certbot certonly --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email [email protected] -d vpn.company.com

$ cp /etc/letsencrypt/live/vpn.company.com/fullchain.pem /etc/ipsec.d/certs/server.crt
$ cp /etc/letsencrypt/live/vpn.company.com/privkey.pem /etc/ipsec.d/private/server.key

我知道 strongswan 只读取在 中找到的第一个证书server.crt。但是,如果删除了第二个链证书,它仍然不起作用。如果我尝试chain.pem从 /etc/ssl/certs 添加到 /etc/ipsec.d/cacerts 或任何其他 CA 证书,它也不起作用,这是可以理解的,因为服务器上的 CAcerts 对客户端身份验证没有影响。

我还测试了将证书转换为 DER 和 PEM 格式。

PKI 验证

$ ipsec pki --verify --in /etc/ipsec.d/certs/server.crt
no issuer certificate found for "CN=vpn.company.com"
  issuer is "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
  using trusted certificate "CN=vpn.company.com"
certificate trusted, lifetimes valid

证书详细信息

$ openssl x509 -in certs/server.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:50:51:[...]
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Mar  1 13:40:42 2019 GMT
            Not After : May 30 13:40:42 2019 GMT
        Subject: CN = vpn.company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e3:a8:ea:8e:[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                EC:6A:[...]
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:[...]

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:vpn.company.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 74:7E:DA:[...]
                    Timestamp : Mar  1 14:40:42.419 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:[...]
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:3C:51:[...]
                    Timestamp : Mar  1 14:40:42.499 2019 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:[...]
    Signature Algorithm: sha256WithRSAEncryption
         8e:da:a3:[...]

ipsec配置文件


config setup
  charondebug="dmn 1, mgr 1, ike 1, chd 1, job 1, cfg 1, knl 1, net 1, asn 1, enc 1, lib 1, esp 1, tls 1, tnc 1, imc 1, imv 1, pts 1"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    fragmentation=no
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    [email protected]
  leftauth=pubkey
    leftcert=server.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
  leftfirewall=yes
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.255.255.0/24
    rightdns=1.1.1.1
    rightsendcert=never
    eap_identity=%identity

ipsec.secrets

vpn.company.com : RSA server.key
user %any% : EAP "user_password"

Strongswan 服务器日志

ipsec[11918]: Starting strongSwan 5.6.2 IPsec [starter]...
ipsec_starter[11918]: Starting strongSwan 5.6.2 IPsec [starter]...
charon[11943]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64)
charon[11943]: 00[CFG] PKCS11 module '<name>' lacks library path
charon[11943]: 00[CFG] disabling load-tester plugin, not configured
charon[11943]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
charon[11943]: 00[NET] could not open socket: Address family not supported by protocol
charon[11943]: 00[NET] could not open IPv6 socket, IPv6 disabled
charon[11943]: 00[KNL] received netlink error: Address family not supported by protocol (97)
charon[11943]: 00[KNL] unable to create IPv6 routing table rule
charon[11943]: 00[CFG] dnscert plugin is disabled
charon[11943]: 00[CFG] ipseckey plugin is disabled
charon[11943]: 00[CFG] attr-sql plugin: database URI not set
charon[11943]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon[11943]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon[11943]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon[11943]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon[11943]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon[11943]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon[11943]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
charon[11943]: 00[CFG]   loaded EAP secret for USERNAME_HERE %any%
charon[11943]: 00[CFG] sql plugin: database URI not set
charon[11943]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
charon[11943]: 00[CFG] eap-simaka-sql database URI missing
charon[11943]: 00[CFG] loaded 0 RADIUS server configurations
charon[11943]: 00[CFG] HA config misses local/remote address
charon[11943]: 00[CFG] no threshold configured for systime-fix, disabled
charon[11943]: 00[CFG] coupling file path unspecified
charon[11943]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
charon[11943]: 00[LIB] dropped capabilities, running as uid 0, gid 0
charon[11943]: 00[JOB] spawning 16 worker threads
ipsec[11918]: charon (11943) started after 40 ms
ipsec_starter[11918]: charon (11943) started after 40 ms
charon[11943]: 06[CFG] received stroke: add connection 'ikev2-vpn'
charon[11943]: 06[CFG] adding virtual IP address pool 10.255.255.0/24
charon[11943]: 06[CFG]   loaded certificate "CN=vpn.company.com" from 'server.crt'
charon[11943]: 06[CFG] added configuration 'ikev2-vpn'
charon[11943]: 08[NET] received packet: from CLIENT_IP_HERE[44709] to SERVER_IP_HERE[500] (604 bytes)
charon[11943]: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
charon[11943]: 08[IKE] CLIENT_IP_HERE is initiating an IKE_SA
charon[11943]: 08[IKE] CLIENT_IP_HERE is initiating an IKE_SA
charon[11943]: 08[IKE] remote host is behind NAT
charon[11943]: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
charon[11943]: 08[NET] sending packet: from SERVER_IP_HERE[500] to CLIENT_IP_HERE[44709] (440 bytes)
charon[11943]: 09[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 09[ENC] unknown attribute type (25)
charon[11943]: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon[11943]: 09[CFG] looking for peer configs matching SERVER_IP_HERE[vpn.company.com]...CLIENT_IP_HERE[CLIENT_LOCAL_IP_HERE]
charon[11943]: 09[CFG] selected peer config 'ikev2-vpn'
charon[11943]: 09[IKE] initiating EAP_IDENTITY method (id 0x00)
charon[11943]: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
charon[11943]: 09[IKE] peer supports MOBIKE
charon[11943]: 09[IKE] authentication of 'vpn.company.com' (myself) with RSA signature successful
charon[11943]: 09[IKE] sending end entity cert "CN=vpn.company.com"
charon[11943]: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon[11943]: 09[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
charon[11943]: 10[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 10[ENC] unknown attribute type (25)
ipsec[11918]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic, x86_64)
ipsec[11918]: 00[CFG] PKCS11 module '<name>' lacks library path
ipsec[11918]: 00[CFG] disabling load-tester plugin, not configured
ipsec[11918]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
ipsec[11918]: 00[NET] could not open socket: Address family not supported by protocol
ipsec[11918]: 00[NET] could not open IPv6 socket, IPv6 disabled
ipsec[11918]: 00[KNL] received netlink error: Address family not supported by protocol (97)
ipsec[11918]: 00[KNL] unable to create IPv6 routing table rule
ipsec[11918]: 00[CFG] dnscert plugin is disabled
ipsec[11918]: 00[CFG] ipseckey plugin is disabled
ipsec[11918]: 00[CFG] attr-sql plugin: database URI not set
ipsec[11918]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
ipsec[11918]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
ipsec[11918]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
ipsec[11918]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
ipsec[11918]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
ipsec[11918]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
ipsec[11918]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
ipsec[11918]: 00[CFG]   loaded EAP secret for USERNAME_HERE %any%
ipsec[11918]: 00[CFG] sql plugin: database URI not set
ipsec[11918]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
ipsec[11918]: 00[CFG] eap-simaka-sql database URI missing
ipsec[11918]: 00[CFG] loaded 0 RADIUS server configurations
ipsec[11918]: 00[CFG] HA config misses local/remote address
ipsec[11918]: 00[CFG] no threshold configured for systime-fix, disabled
ipsec[11918]: 00[CFG] coupling file path unspecified
charon[11943]: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
ipsec[11918]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
ipsec[11918]: 00[LIB] dropped capabilities, running as uid 0, gid 0
ipsec[11918]: 00[JOB] spawning 16 worker threads
ipsec[11918]: 06[CFG] received stroke: add connection 'ikev2-vpn'
ipsec[11918]: 06[CFG] adding virtual IP address pool 10.255.255.0/24
ipsec[11918]: 06[CFG]   loaded certificate "CN=vpn.company.com" from 'server.crt'
ipsec[11918]: 06[CFG] added configuration 'ikev2-vpn'
ipsec[11918]: 08[NET] received packet: from CLIENT_IP_HERE[44709] to SERVER_IP_HERE[500] (604 bytes)
ipsec[11918]: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
ipsec[11918]: 08[IKE] CLIENT_IP_HERE is initiating an IKE_SA
ipsec[11918]: 08[IKE] remote host is behind NAT
ipsec[11918]: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
ipsec[11918]: 08[NET] sending packet: from SERVER_IP_HERE[500] to CLIENT_IP_HERE[44709] (440 bytes)
ipsec[11918]: 09[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
ipsec[11918]: 09[ENC] unknown attribute type (25)
ipsec[11918]: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
ipsec[11918]: 09[CFG] looking for peer configs matching SERVER_IP_HERE[vpn.company.com]...CLIENT_IP_HERE[CLIENT_LOCAL_IP_HERE]
ipsec[11918]: 09[CFG] selected peer config 'ikev2-vpn'
ipsec[11918]: 09[IKE] initiating EAP_IDENTITY method (id 0x00)
charon[11943]: 10[IKE] received retransmit of request with ID 1, retransmitting response
ipsec[11918]: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
ipsec[11918]: 09[IKE] peer supports MOBIKE
ipsec[11918]: 09[IKE] authentication of 'vpn.company.com' (myself) with RSA signature successful
ipsec[11918]: 09[IKE] sending end entity cert "CN=vpn.company.com"
ipsec[11918]: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
ipsec[11918]: 09[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
ipsec[11918]: 10[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
ipsec[11918]: 10[ENC] unknown attribute type (25)
charon[11943]: 10[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
charon[11943]: 11[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 11[ENC] unknown attribute type (25)
charon[11943]: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon[11943]: 11[IKE] received retransmit of request with ID 1, retransmitting response
charon[11943]: 11[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)
charon[11943]: 12[NET] received packet: from CLIENT_IP_HERE[44710] to SERVER_IP_HERE[4500] (512 bytes)
charon[11943]: 12[ENC] unknown attribute type (25)
charon[11943]: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon[11943]: 12[IKE] received retransmit of request with ID 1, retransmitting response
charon[11943]: 12[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)

编辑:启用碎片化后,Mac OS 开始工作。不幸的是,Windows 10 最终出现错误。从 Windows 10 连接时的服务器日志:

charon[12236]: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
charon[12236]: 06[NET] sending packet: from SERVER_IP_HERE[500] to CLIENT_IP_HERE[44742] (320 bytes)
charon[12236]: 09[NET] received packet: from CLIENT_IP_HERE[44743] to SERVER_IP_HERE[4500] (576 bytes)
charon[12236]: 09[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
charon[12236]: 09[ENC] received fragment #1 of 2, waiting for complete IKE message
charon[12236]: 07[NET] received packet: from CLIENT_IP_HERE[44743] to SERVER_IP_HERE[4500] (368 bytes)
charon[12236]: 07[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
charon[12236]: 07[ENC] received fragment #2 of 2, reassembling fragmented IKE message
charon[12236]: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
charon[12236]: 07[IKE] received 27 cert requests for an unknown ca
charon[12236]: 07[CFG] looking for peer configs matching SERVER_IP_HERE[%any]...CLIENT_IP_HERE[CLIENT_LOCAL_IP_HERE]
charon[12236]: 07[CFG] selected peer config 'ikev2-vpn'
charon[12236]: 07[IKE] initiating EAP_IDENTITY method (id 0x00)
charon[12236]: 07[IKE] authentication of 'vpn.autouncle.com' (myself) with RSA signature successful
charon[12236]: 07[IKE] sending end entity cert "CN=vpn.autouncle.com"
charon[12236]: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon[12236]: 07[ENC] splitting IKE message with length of 1740 bytes into 2 fragments
charon[12236]: 07[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
charon[12236]: 07[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
charon[12236]: 07[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44743] (1248 bytes)
charon[12236]: 07[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44743] (560 bytes)

答案1

可能是 IP 碎片问题。由于证书,IKE_AUTH响应大于 MTU(1744 字节):

charon[11943]: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
charon[11943]: 09[NET] sending packet: from SERVER_IP_HERE[4500] to CLIENT_IP_HERE[44710] (1744 bytes)

因此,它会被分割成多个 IP 片段。有些路由器会丢弃这些片段,客户端可能无法收到完整的数据包。

幸运的是,客户端支持 IKEv2 分片(FRAG_SUP通知):

charon[11943]: 08[NET] received packet: from CLIENT_IP_HERE[44709] to SERVER_IP_HERE[500] (604 bytes)
charon[11943]: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]

因此,请尝试在服务器上启用 IKEv2 碎片,即启用该fragmentation选项,或将其删除(因为它默认启用)。

答案2

除了叶证书之外,您确实需要安装 Letsencrypt 的中级证书!将其链式PEM早在ipsec.d/cacerts

您希望在 strongswan 日志中看到它同时发送了它们两个:

charon:07[IKE] 发送最终实体证书“CN=vpn.example.com” charon:07[IKE] 发送颁发者证书“C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3”

在 Windows 上,我强烈建议通过 PowerShell 创建和配置 VPN 条目,这样您就可以调整参数,远远超出 GUI 允许的范围。例如,

Add-VpnConnection -Name "My VPN" -ServerAddress vpn.example.com -TunnelType IKEv2 -AuthenticationMethod EAP -EncryptionLevel Maximum -RememberCredential:$True -SplitTunnel:$False -PassThru
Set-VpnConnectionIPsecConfiguration -ConnectionName "My VPN" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup Pfs2048 -PassThru -Force

文档在这里:添加 VpnConnection 设置 VpnConnectionIPsec 配置

如果仍有问题,请检查 Windows 事件日志。使用 strongswan/letsencrypt 证书设置,它绝对可以正常工作。

相关内容