IKEv2 需要 Strongswan 的小帮助

For two days I have been trying to set up an IKEv2 strongSwan VPN server on my personal VPS (Ubuntu 19.10, U5.7.2/K5.3.0-42-generic) so I can run some tests before deploying it on the Unifi devices we use at work (I hope that is possible).

I used several tutorials and troubleshooting pages to build my configuration.

I am using RADIUS authentication for users (with a local FreeRADIUS server).

I am stuck on this silly problem and I hope you can spare two minutes to help me :)

I will try to be as detailed as possible; feel free to ask for more information if needed.

My ipsec.conf:

config setup
  strictcrlpolicy=yes
  uniqueids=never
conn roadwarrior
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes

  ike=aes256-sha1-modp1024,aes256gcm16-sha256-ecp521,aes256-sha256-ecp384
  esp=aes256-sha1,aes128-sha256-modp3072,aes256gcm16-sha256,aes256gcm16-ecp384

  dpdaction=clear
  dpddelay=180s
  rekey=no
  left=%any
  leftid=vpsXXXXXX.ovh.net
  leftcert=vpn.example.com.crt.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-radius
  eap_identity=%identity
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.0/24
  rightsendcert=never

My ipsec.secrets:

vpsXXXXXX.ovh.net : RSA vpn.example.com.key.der

My ipsec.d/ files:

~$ sudo ls /etc/ipsec.d/private/
vpn.example.com.key.der
~$ sudo ls /etc/ipsec.d/certs/
vpn.example.com.crt.pem
~$ sudo ls /etc/ipsec.d/cacerts/
vpnca.crt.der

I have imported vpnca.crt.der on my Mac, my Android phone (strongSwan client), Windows 10 Enterprise and a friend's Windows 10 Standard.

My Mac and Android work fine, but the connection cannot be established from Windows.

In swanctl --log:

14[CFG] selected peer config 'roadwarrior'
14[IKE] initiating EAP_IDENTITY method (id 0x00)
14[IKE] peer supports MOBIKE
14[IKE] authentication of 'vpsXXXXXX.ovh.net' (myself) with RSA signature successful
14[IKE] sending end entity cert "C=FR, O=Test Company, CN=vpsXXXXXX.ovh.net"
14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
14[ENC] splitting IKE message (1996 bytes) into 2 fragments
14[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
14[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
14[NET] sending packet: from XX.XX.XX.XX[4500] to YY.YY.YY.YY[4500] (1248 bytes)
14[NET] sending packet: from XX.XX.XX.XX[4500] to YY.YY.YY.YY[4500] (816 bytes)

On the Windows side, the error shown is the usual one:

"IKE authentication credentials are unacceptable"

In Event Viewer:

CoId={6C88B9D2-54F0-4671-A12D-B506DE75630F}: The user MYWORKDOMAIN\myuser dialed a connection named VPN Connection which has failed. The error code returned on failure is 13801.

What I did on the Windows side:

  • Imported the CA certificate under Local Computer certificates -> Trusted Root Certification Authorities -> Certificates
  • Created a VPN connection under VPN settings:
    • Server name or address: vpsXXXXXX.ovh.net
    • VPN type: IKEv2
    • Type of sign-in info: User name and password
  • In the adapter properties (ncpa.cpl):
    • Security:
      • Data encryption: Optional encryption
      • Authentication: Use Extensible Authentication Protocol (EAP): Microsoft: Secured password (EAP-MSCHAPv2) (encryption enabled)
    • Networking: IPv6 unchecked

The CA has the following properties:

Version: V3
Serial Number: 73fbd6a8d90a33db
Signature algorithm: sha1RSA
Signature hash algorithm: sha1
Issuer: CN = TEST VPS CA, O = Test Company, C = FR
Valid from: Friday, March 27, 2020 3:15:29 PM
Valid to: Monday, March 27, 2023 3:15:29 PM
Subject: CN = TEST VPS CA, O = Test Company, C = FR
Public key: RSA (4096 bits)
Public key parameters: 05 00
Subject key identifier: 214851f1fe79e3719be0139fab1799a9d4a08561
Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
Basic Constraints: Subject Type=CA, Path Length Constraint=None
Key Usage: Information Not Available
Thumbprint: 78e8cc49ab508b8f477b419d369873036be488b4

VPS certificate properties:

Version:
3
Serial Number:
3611432227629166526
Signature Algorithm:
sha1WithRSAEncryption
Issuer:
C = FR, O = Test Company, CN = TEST VPS CA
Validity:
Not Before: Mar 27 14:15:31 2020 GMT
Not After : Mar 27 14:15:31 2023 GMT
Subject:
C = FR, O = Test Company, CN = vpsXXXXXX.ovh.net
Public Key Algorithm:
rsaEncryption
RSA Public-Key:
(4096 bit)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:21:48:51:F1:FE:79:E3:71:9B:E0:13:9F:AB:17:99:A9:D4:A0:85:61
X509v3 Subject Alternative Name:
DNS:vpsXXXXXX.ovh.net
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm:
sha1WithRSAEncryption

Commands used to create the certificates:

ipsec pki --gen --type rsa --size 4096 --outform pem > vpnca.key.pem
ipsec pki --self --flag serverAuth --in vpnca.key.pem --type rsa --digest sha1 \
    --dn "C=FR, O=Test Company, CN=TEST VPS CA" --ca > vpnca.crt.der
ipsec pki --gen --type rsa --size 4096 --outform pem > vpn.example.com.key.pem
ipsec pki --pub --in vpn.example.com.key.pem --type rsa > vpn.example.com.csr
ipsec pki --issue --cacert vpnca.crt.der --cakey vpnca.key.pem --digest sha1 \
    --dn "C=FR, O=Test Company, CN=vpsXXXXXX.ovh.net" \
    --san "vps807542.ovh.net" --flag serverAuth --outform pem \
    < vpn.example.com.csr > vpn.example.com.crt.pem
openssl rsa -in vpn.example.com.key.pem -out vpn.example.com.key.der -outform DER

cp vpnca.crt.der /etc/ipsec.d/cacerts
cp vpn.example.com.crt.pem /etc/ipsec.d/certs
cp vpn.example.com.key.der /etc/ipsec.d/private

I hope you have enough information to help me, because I really do not understand why my Windows box does not reply to the IKE_AUTH packets...

Thank you for your help, and take care!