我正在尝试使用 strongSwan(就我在这里使用而言swanctl)在两个虚拟机(名为 A 和 B)之间创建 VPN 隧道,使用主机到主机配置(如所述这里)以及用于 B 身份验证的智能卡
我生成了 CA 证书并用该证书为 A 和 B 签署了 CRT,一切按预期工作。(隧道创建没有问题)
之后,我决定在我的 yubikey 上生成一个 crt(使用yubikey-manager),我用我的 CA 对其进行签名,并且我配置 strongSwan 以使用 opensc 的模块来访问此卡。
我的swanctl --load-creds工作正常,我的也是swanctl --load-conns
这是我的结果swanctl --load-creds
loaded certificate from '/etc/swanctl/x509ca/ca.crt' #
loaded key tokenyubikey from token [keyid: "..."]
但是当我尝试启动时,swanctl --initiate出现了一些错误
每次尝试之前,我都会在每个主机上输入以下内容
systemctl restart swanctl
swanctl --load-conns
swanctl --load-creds
当我尝试从 B(带有 Yubikey 的那个)连接到 A 时,这是 A 上的输出(使用swanctl --log)
我使用的命令是swanctl --initiate --child host-host
10[NET] sending packet: from <IP A>[500] to <IP B>[500] (273 bytes)
09[NET] received packet: from <IP B>[4500] to <IP A>[4500] (1104 bytes)
09[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
09[DMN] thread 9 received 11
09[LIB] dumping 20 stack frame addresses:
09[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f0c30448000 [0x7f0c3045a890]
09[LIB] -> ??:?
09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 [0x7f0c3092b170]
09[LIB] -> /home/john/strongswan-5.8.1/src/libstrongswan/networking/host.c:84
09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 (host_printf_hook+0x37) [0x7f0c3092b347]
09[LIB] -> /home/john/strongswan-5.8.1/src/libstrongswan/networking/host.c:114
09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 [0x7f0c309456a6]
09[LIB] -> /home/john/strongswan-5.8.1/src/libstrongswan/utils/printf_hook/printf_hook_glibc.c:118
09[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f0c30057000 [0x7f0c300b0473]
09[LIB] -> /build/glibc-OTsEL5/glibc-2.27/stdio-common/vfprintf.c:2004
09[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f0c30057000 (_IO_vfprintf+0x192a) [0x7f0c300b3cba]
09[LIB] -> /build/glibc-OTsEL5/glibc-2.27/stdio-common/vfprintf.c:1688
09[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f0c30057000 (__vsnprintf_chk+0xa9) [0x7f0c30189169]
09[LIB] -> /build/glibc-OTsEL5/glibc-2.27/debug/vsnprintf_chk.c:65
09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30676c42]
09[LIB] -> /home/john/strongswan-5.8.1/src/libcharon/bus/bus.c:398
09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30676e2a]
09[LIB] -> /home/john/strongswan-5.8.1/src/libcharon/bus/bus.c:441
09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c3069ab36]
09[LIB] -> /home/john/strongswan-5.8.1/src/libcharon/sa/ike_sa.c:973
09[LIB] /usr/lib/ipsec/plugins/libstrongswan-connmark.so @ 0x7f0c2f6ae000 [0x7f0c2f6af6bb]
09[LIB] -> ??:0
09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30675a47]
09[LIB] -> /home/john/strongswan-5.8.1/src/libcharon/bus/bus.c:885
09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30698e21]
09[LIB] -> /home/john/strongswan-5.8.1/src/libcharon/sa/ike_sa.c:1114
09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c306a875c]
09[LIB] -> /home/john/strongswan-5.8.1/src/libcharon/sa/ikev2/task_manager_v2.c:1585
09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30697f47]
09[LIB] -> /home/john/strongswan-5.8.1/src/libcharon/sa/ike_sa.c:1587
09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c3069182f]
09[LIB] -> /home/john/strongswan-5.8.1/src/libcharon/processing/jobs/process_message_job.c:74
09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 [0x7f0c30931806]
09[LIB] -> /home/john/strongswan-5.8.1/src/libstrongswan/processing/processor.c:235
09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 [0x7f0c30943d7b]
09[LIB] -> /home/john/strongswan-5.8.1/src/libstrongswan/threading/thread.c:332 (discriminator 4)
09[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f0c30448000 [0x7f0c3044f6db]
09[LIB] -> /build/glibc-OTsEL5/glibc-2.27/nptl/pthread_create.c:463
09[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f0c30057000 (clone+0x3f) [0x7f0c3017888f]
09[LIB] -> /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:97
09[DMN] killing ourself, received critical signal
从这里开始,我的 StrongSwan 似乎已经死机了,我必须重新启动它。
当我尝试从 A 初始化到 B 时遇到了同样的问题(因为它是主机到主机的连接)
我尝试使用另一个虚拟机 A,当尝试从 B 到 A 时,出现了此输出。新的 A 主机使用 sterongswan swanctl 版本 5.6.2(从 apt 安装)
13[IKE] received cert request for "<CA's CN>"
13[IKE] received end entity cert "CN=<B's CN>"
13[CFG] looking for peer configs matching <New A's IP>[A]...<B's ip>[B]
13[CFG] selected peer config 'host-host'
13[IKE] no trusted RSA public key found for 'B'
13[IKE] peer supports MOBIKE
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
13[NET] sending packet: from <New A's IP>[4500] to <B's IP>[4500] (80 bytes)
当我尝试从新的 A 连接到 B 时,它崩溃了,如上所示
更多详细信息
这是我在 B 上的 swanctl.conf
connections {
home {
remote_addrs = <A's ip>
local {
auth = pubkey
id = "B"
certs = B.crt #It's the cert on my yubikey that i extracted and put onto /etc/swanctl/x509
}
remote {
auth = pubkey
id = "A"
}
children {
host-host {
start_action = trap
}
}
}
}
secrets {
tokenyubikey {
pin = <my pin>
slot = 0
handle = 1 # From what i understood, it's here that my crt is
module = opensc
}
}
这是我的命令的结果pkcs11-tool -M,显示支持 RSA256(至少据我所知)
Supported mechanisms:
SHA-1, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000
ECDH1-COFACTOR-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
ECDH1-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
SHA384-RSA-PKCS, keySize={1024,3072}, sign, verify
SHA512-RSA-PKCS, keySize={1024,3072}, sign, verify
MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify
这是我的 pkcs11-tool -O 的结果
Using slot 0 with a present token (0x0)
Public Key Object; RSA 1024 bits
label: PIV AUTH pubkey
ID: 01
Usage: encrypt, verify, wrap
Certificate Object; type = X.509 cert
label: Certificate for PIV Authentication
ID: 01
Data object 2496313968
label: 'Card Capability Container'
application: 'Card Capability Container'
app_id: 2.16.840.1.101.3.7.1.219.0
flags: <empty>
Data object 2496314064
label: 'Card Holder Unique Identifier'
application: 'Card Holder Unique Identifier'
app_id: 2.16.840.1.101.3.7.2.48.0
flags: <empty>
Data object 2496314160
label: 'Unsigned Card Holder Unique Identifier'
application: 'Unsigned Card Holder Unique Identifier'
app_id: 2.16.840.1.101.3.7.2.48.2
flags: <empty>
Data object 2496314256
label: 'X.509 Certificate for PIV Authentication'
application: 'X.509 Certificate for PIV Authentication'
app_id: 2.16.840.1.101.3.7.2.1.1
flags: <empty>
Data object 2496314640
label: 'X.509 Certificate for Digital Signature'
application: 'X.509 Certificate for Digital Signature'
app_id: 2.16.840.1.101.3.7.2.1.0
flags: <empty>
Data object 2496314736
label: 'X.509 Certificate for Key Management'
application: 'X.509 Certificate for Key Management'
app_id: 2.16.840.1.101.3.7.2.1.2
flags: <empty>
Data object 2496314832
label: 'X.509 Certificate for Card Authentication'
application: 'X.509 Certificate for Card Authentication'
app_id: 2.16.840.1.101.3.7.2.5.0
flags: <empty>
Data object 2496314928
label: 'Security Object'
application: 'Security Object'
app_id: 2.16.840.1.101.3.7.2.144.0
flags: <empty>
Data object 2496315024
label: 'Discovery Object'
application: 'Discovery Object'
app_id: 2.16.840.1.101.3.7.2.96.80
flags: <empty>
以下是我的 /etc/strongswan.d/charon/pkcs11.conf 中的内容
pkcs11 {
load = yes
modules {
opensc {
path = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
}
}
}
我在我的 Yubikey 上生成了一个 CSR yubikey-manager,然后按如下方式签名:
ipsec pki --issue --in b.csr --type pkcs10 --cacert <CA's crt> --dn "<CA's DN>CN=B" --san B --outform pem > b.crt
然后使用以下方式将生成的 CRT 导入 Yubikeyyubikey-manager
我在 Ubuntu 18.04 上,Swanctl 是版本 5.8.1
编辑:这是结果pkcs11-tool --test --login
Using slot 0 with a present token (0x0)
Logging in to "PIV Card Holder pin (PIV_II)".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only for RSA)
testing key 0 (PIV AUTH key)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
SHA256-RSA-PKCS: OK
testing key 1 (1024 bits, label=SIGN key) with 1 signature mechanism
Logging in to "PIV Card Holder pin (PIV_II)".
Please enter context specific PIN:
RSA-X-509: OK
testing key 2 (1024 bits, label=KEY MAN key) with 1 signature mechanism -- can't be used to sign/verify, skipping
Verify (currently only for RSA)
testing key 0 (PIV AUTH key)
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
testing key 1 (SIGN key) with 1 mechanism
Logging in to "PIV Card Holder pin (PIV_II)".
Please enter context specific PIN:
RSA-X-509: OK
testing key 2 (KEY MAN key) with 1 mechanism -- can't be used to sign/verify, skipping
Unwrap: not implemented
Decryption (currently only for RSA)
testing key 0 (PIV AUTH key)
RSA-X-509: OK
RSA-PKCS: OK
testing key 1 (SIGN key)
RSA-X-509: Logging in to "PIV Card Holder pin (PIV_II)".
Please enter context specific PIN:
OK
RSA-PKCS: Logging in to "PIV Card Holder pin (PIV_II)".
Please enter context specific PIN:
OK
testing key 2 (KEY MAN key)
RSA-X-509: OK
RSA-PKCS: OK
No errors
答案1
感谢 ecdsa,我终于让它工作了。
对于像我这样想知道如何使用 yubikey(在我的情况下是 Yubikey 5C)与 StrongSwan 建立主机 - 主机连接的人来说,我的配置正在运行。
我的问题是由于安装不当(我安装的不同 StrongSwan 版本之间存在一些冲突)
不要忘记将 crt 放到 x509 目录上,/etc/swanctl/x509这样它就可以正常工作了!