我正在尝试运行一个 strongswan VPN 服务器,以便使用其内置的 VPN 功能与 Windows-10 客户端一起使用(以方便客户端用户使用)
每次尝试连接时,Windows 都会显示用户/密码被接受,然后“连接”,然后失败。服务器日志显示错误“超时后删除半打开的 IDE_SA...”。
“sudo systemctl status strongswan.service”的输出,包含最后10行日志:
strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-12-04 13:15:05 GMT; 1min 38s ago
Main PID: 1859 (starter)
Tasks: 18 (limit: 4915)
CGroup: /system.slice/strongswan.service
ââ1859 /usr/lib/ipsec/starter --daemon charon --nofork
ââ1873 /usr/lib/ipsec/charon
Dec 04 13:15:34 raspberrypi ipsec[1859]: 09[IKE] authentication of 'CN=vpn.example.com' (myself) with RSA signature successful
Dec 04 13:15:34 raspberrypi ipsec[1859]: 09[IKE] sending end entity cert "CN=vpn.example.com"
Dec 04 13:15:34 raspberrypi ipsec[1859]: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 04 13:15:34 raspberrypi ipsec[1859]: 09[ENC] splitting IKE message (1948 bytes) into 2 fragments
Dec 04 13:15:34 raspberrypi ipsec[1859]: 09[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Dec 04 13:15:34 raspberrypi ipsec[1859]: 09[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Dec 04 13:15:34 raspberrypi ipsec[1859]: 09[NET] sending packet: from 192.168.2.9[4500] to 109.41.64.240[6977] (1248 bytes)
Dec 04 13:15:34 raspberrypi ipsec[1859]: 09[NET] sending packet: from 192.168.2.9[4500] to 109.41.64.240[6977] (768 bytes)
Dec 04 13:15:34 raspberrypi charon[1873]: 14[IKE] sending keep alive to 109.41.64.240[6977]
Dec 04 13:15:43 raspberrypi charon[1873]: 15[JOB] deleting half open IKE_SA with 109.41.64.240 after timeout
反复查看了一些关于 strongswan 和 windows 的帖子,我找不到错误。现在重新思考了这个问题,因为似乎 systemctl restart 没有再次解析配置?无论我做了什么更改,我得到的输出都是一样的。停止并启动似乎有帮助。
(目前正在本地网络内尝试此操作,因此所有 IP 都在 192.168.* 中。VPN 范围应该是 172.17.0.0/16
/etc/ipsec.conf 是这样的:
# ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
uniqueids=never
# Add connections here.
# Sample VPN connections
conn %default
keyexchange=ikev2
ike=aes256-sha1-modp1024!
esp=aes256-sha1!
dpdaction=clear
rekey=no
dpddelay=300s
fragmentation=yes
conn win7
compress=no
type=tunnel
left=%any
# leftid=192.168.2.9
leftcert=server.cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
leftsendcert=always
right=%any
rightip=%any
rightauth=eap-mschapv2
rightsourceip=172.17.0.128/25
rightdns=192.168.2.1
rightsendcert=never
# eap_identity=%identity
eap_identity=%any
auto=add
include /var/lib/strongswan/ipsec.conf.inc
在 Windows 10(家庭版)中,我选择连接名称“测试”、服务器地址 192.168.2.9、VPN 类型“自动”、登录类型“用户名和密码”。
文件 /etc/ipsec.secrets 有一个名为“user”的用户:# 此文件保存用于身份验证的共享秘密或 RSA 私钥。
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
# this file is managed with debconf and will contain the automatically created private key
#include /var/lib/strongswan/ipsec.secrets.inc
: RSA "server.key.pem"
user : EAP "testpassword_preliminary"
我使用以下命令行在服务器上生成了证书:
ipsec pki --gen --size 4096 --type rsa --outform pem > ca.key.pem
ipsec pki --self --in ca.key.pem --type rsa --dn "CN=VPN Server CA" --ca --lifetime 3650 --outform pem > ca.cert.pem
ipsec pki --gen --size 4096 --type rsa --outform pem > server.key.pem
ipsec pki --pub --in server.key.pem --type rsa | ipsec pki --issue --lifetime 2750 --cacert ca.cert.pem --cakey ca.key.pem --dn "CN=vpn.example.com" --san="vpn.example.com" --flag serverAuth --flag ikeIntermediate --outform pem > server.cert.pem