Algo VPN strongSwan 客户端“未找到颁发者证书”

tag-icon tag-icon vpn ipsec strongswan pki
Algo VPN strongSwan 客户端“未找到颁发者证书”

我使用官方 Ansible 剧本在 AWS Lightsail 上设置了一个 Algo VPN 实例。我可以使用 Wireguard 建立 VPN 连接,但无法让它与 strongSwan 配合使用。

我根据官方说明配置了两个不同的 Ubuntu 客户端:https://github.com/trailofbits/algo/blob/master/docs/client-linux-ipsec.md

尽管我在 /etc/ipsec.d/cacerts 中提供了服务器公钥,但我总是收到错误“未找到“CN=”的颁发者证书”。此证书似乎是自签名的。

$ cat /etc/ipsec.d/cacerts/cacert.pem

-----BEGIN CERTIFICATE----- <...> -----END CERTIFICATE-----

$ ipsec listcacerts

<no output>

以下是我尝试启动隧道时发生的情况:

$ ipsec up algovpn-35.180.123.456
initiating IKE_SA algovpn-35.180.123.456[1] to 35.180.123.456
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.5.196[500] to 35.180.123.456[500] (294 bytes)
received packet: from 35.180.123.456[500] to 192.168.5.196[500] (319 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_384
local host is behind NAT, sending keep alives
remote host is behind NAT
received 1 cert requests for an unknown ca
authentication of 'CN=remote1' (myself) with ECDSA_WITH_SHA384_DER successful
sending end entity cert "CN=remote1"
establishing CHILD_SA algovpn-35.180.123.456{1}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.5.196[4500] to 35.180.123.456[4500] (973 bytes)
received packet: from 35.180.123.456[4500] to 192.168.5.196[4500] (883 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
received end entity cert "CN=35.180.123.456"
using certificate "CN=35.180.123.456"
no issuer certificate found for "CN=35.180.123.456"
issuer is "CN=35.180.123.456"
no trusted ECDSA public key found for '35.180.123.456'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 192.168.5.196[4500] to 35.180.123.456[4500] (65 bytes)
establishing connection 'algovpn-35.180.123.456' failed

有人知道我怎样才能让它工作吗?

此致,

约纳

答案1

仅自动加载 CA 证书/etc/ipsec.d/cacerts(具有 CA 基本约束集的证书),不会加载终端实体/服务器证书(除非您强制中风插件通过ignore_missing_ca_basic_constraint选项来做到这一点,但我不建议这样做)。

如果您想直接使用(自签名)服务器证书,请将其放入并通过conn 部分中的选项/etc/ipsec.d/certs加载。rightcert

答案2

这最终归结为 algo 配置 CA 证书的方式与 strongswan 不兼容。请参阅https://github.com/trailofbits/algo/issues/1758寻求解决方法。

相关内容