我有一个托管在 ip 上的服务器<server_ip>
我家里有一台个人电脑,位于路由器后面。盒子的公共 ip 是<router_ip>。客户端在路由器的子网上有一个本地 ip,称为<local_ip>。
服务器在 ubuntu 18.04 上,本地计算机在 ubuntu 20.04 上。每个都是最新的,并使用以下命令安装了 strongswan
apt install strongswan strongswan-swanctl
服务器获得了 Strongswan 5.6.2 客户端获得了 Strongswan 5.8.2
我使用以下命令和软件包 strongswan-pki 创建了 CA、服务和最终用户 crt
ipsec pki --gen --outform pem > ca.key
ipsec pki –self --in ca.key –dn “C=FR, O=Test, CN=Test CA” –ca –outform pe > ca.crt
ipsec pki --self --in ca.key --dn "C=FR,O=Test,CN=Test CA" --ca --outform pem > ca.crt
ipsec pki --gen --outform pem > serv.key
ipsec pki --issue --in serv.key --type priv --cacert ca.crt --cakey ca.key --dn "C=FR,O=Test,CN=serv" --san serv --outform pem > serv.crt
ipsec pki --gen --outform pem > enduser.key
ipsec pki --issue --in enduser.key --type priv --cacert ca.crt --cakey ca.key --dn "C=FR,O=Test,CN=enduser" --san enduser --outform pem > enduser.crt
/etc/swanctl/swanctl.conf除了两边以外我没有做任何修改
服务器/etc/swanctl/swanctl.conf
connections {
server {
local {
auth = pubkey
certs = serv.crt
id = "serv"
}
remote {
auth = pubkey
id = "enduser"
}
children {
host {
start_action = trap
}
}
}
}
客户/etc/swanctl/swanctl.conf
connections {
client-server {
remote_addrs = <server_ip>
local {
auth = pubkey
certs = enduser.crt
id = "enduser"
}
remote {
auth = pubkey
id = "serv"
}
children {
to-host {
start_action = trap
}
}
}
}
在服务器上,我将证书放在以下位置
/etc/swanctl/x509/serv.crt
/etc/swanctl/x509ca/ca.crt
/etc/swanctl/private/serv.key
在客户端,我获得了这些证书
/etc/swanctl/x509/enduser.crt
/etc/swanctl/x509ca/ca.crt
/etc/swanctl/private/enduser.key
然后我在服务器和客户端上使用以下命令
swanctl --load-conns && swanctl --load-creds
在客户端上
swanctl --initiate --child to-host
但它失败了,客户端出现以下错误
[IKE] establishing CHILD_SA to-host{7}
[ENC] generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
[NET] sending packet: from <local_ip>[4500] to <server_ip>[4500] (256 bytes)
[NET] received packet: from <server_ip>[4500] to <local_ip>[4500] (80 bytes)
[ENC] parsed CREATE_CHILD_SA response 3 [ N(TS_UNACCEPT) ]
[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
[IKE] failed to establish CHILD_SA, keeping IKE_SA
服务器端日志(使用swanctl -T)如下
08[IKE] traffic selectors <server_ip>/32[tcp/ssh] <server_ip>/32 === <local_ip>/32[tcp/55592] <local_ip>/32 inacceptable
08[IKE] failed to establish CHILD_SA, keeping IKE_SA
08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
08[NET] sending packet: from <server_ip>[4500] to <routeur_ip>[59527] (1184 bytes)
16[NET] received packet: from 86.234.97.45[59527] to <server_ip>[4500] (256 bytes)
16[ENC] parsed CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
16[IKE] traffic selectors <server_ip>/32 === <local_ip>/32 inacceptable
有人能解释一下我哪里做错了吗?我以为 TS 应该自动协商
答案1
因此,感谢 ecdsa,我得到了答案。
我必须在服务器swanctl.conf文件上添加一个 remote_ts。
现在服务器swanctl.conf如下
connections {
server {
local {
auth = pubkey
certs = serv.crt
id = "serv"
}
remote {
auth = pubkey
id = "enduser"
}
children {
host {
start_action = trap
remote_ts = <local_subnet>/24
}
}
}
}
但说实话,我不知道它是怎么修好的。我骑过https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal和https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp但我不确定我做了什么。我相信这是因为服务器自然不知道如何将数据发送给客户端(因为客户端从公共 IP 请求,但希望用他的本地 IP 回答),我们必须强迫他按照我们的意愿做。但我不确定。是否有任何文档可以帮助我理解流量选择器固有的概念?