客户端设备(运行 Windows 10 和 Android,带有 StrongSwan 应用程序)无法连接。证书由一个机构签署,CN 被设置为服务器公共 IP。这是 ipsec.conf:
config setup
include /var/lib/strongswan/ipsec.conf.inc
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
ike=aes128gcm16-sha2_256-prfsha256-ecp256!
esp=aes128gcm16-sha2_256-ecp256!
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=18.193.252.13
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
eap_identity=%identity
这是系统日志:
Feb 19 07:03:03 ip-172-26-11-47 charon: 10[NET] received packet: from 202.160.39.38[48240] to 172.26.11.47[500] (716 bytes)
Feb 19 07:03:03 ip-172-26-11-47 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 07:03:03 ip-172-26-11-47 charon: 10[IKE] 202.160.39.38 is initiating an IKE_SA
Feb 19 07:03:03 ip-172-26-11-47 charon: 10[IKE] local host is behind NAT, sending keep alives
Feb 19 07:03:03 ip-172-26-11-47 charon: 10[IKE] remote host is behind NAT
Feb 19 07:03:03 ip-172-26-11-47 charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 07:03:03 ip-172-26-11-47 charon: 10[NET] sending packet: from 172.26.11.47[500] to 202.160.39.38[48240] (264 bytes)
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[NET] received packet: from 202.160.39.38[39128] to 172.26.11.47[4500] (421 bytes)
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[IKE] initiating EAP_IDENTITY method (id 0x00)
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[IKE] peer supports MOBIKE
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[IKE] authentication of 'CN=public ip' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[IKE] sending end entity cert "CN=public ip"
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[ENC] splitting IKE message (1942 bytes) into 2 fragments
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[NET] sending packet: from 172.26.11.47[4500] to 202.160.39.38[39128] (1248 bytes)
Feb 19 07:03:04 ip-172-26-11-47 charon: 11[NET] sending packet: from 172.26.11.47[4500] to 202.160.39.38[39128] (759 bytes)
Feb 19 07:03:04 ip-172-26-11-47 charon: 12[NET] received packet: from 202.160.39.38[39128] to 172.26.11.47[4500] (65 bytes)
Feb 19 07:03:04 ip-172-26-11-47 charon: 12[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Feb 19 07:03:04 ip-172-26-11-47 charon: 12[ENC] generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
Feb 19 07:03:04 ip-172-26-11-47 charon: 12[NET] sending packet: from 172.26.11.47[4500] to 202.160.39.38[39128] (65 bytes)
并从 Android 设备记录:
Feb 19 09:27:42 00[DMN] Starting IKE service (strongSwan 5.9.1rc1, Android 8.0.0 - OPR1.170623.026/2019-04-01, LG-H930 - lge/joan_global_com/LGE, Linux 4.4.78-perf+, aarch64)
Feb 19 09:27:42 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Feb 19 09:27:42 00[JOB] spawning 16 worker threads
Feb 19 09:27:42 13[IKE] initiating IKE_SA android[10] to public ip
Feb 19 09:27:42 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 09:27:42 13[NET] sending packet: from 192.168.100.27[58880] to public ip[500] (716 bytes)
Feb 19 09:27:43 08[NET] received packet: from public ip[500] to 192.168.100.27[58880] (264 bytes)
Feb 19 09:27:43 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 09:27:43 08[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
Feb 19 09:27:43 08[IKE] local host is behind NAT, sending keep alives
Feb 19 09:27:43 08[IKE] remote host is behind NAT
Feb 19 09:27:43 08[IKE] establishing CHILD_SA android{10}
Feb 19 09:27:43 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 09:27:43 08[NET] sending packet: from 192.168.100.27[55399] to public ip[4500] (421 bytes)
Feb 19 09:27:43 09[NET] received packet: from public ip[4500] to 192.168.100.27[55399] (1248 bytes)
Feb 19 09:27:43 09[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 09:27:43 09[ENC] received fragment #1 of 2, waiting for complete IKE message
Feb 19 09:27:43 10[NET] received packet: from public ip[4500] to 192.168.100.27[55399] (759 bytes)
Feb 19 09:27:43 10[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 09:27:43 10[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1942 bytes)
Feb 19 09:27:43 10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 19 09:27:43 10[IKE] received end entity cert "CN=public ip"
Feb 19 09:27:43 10[CFG] using trusted certificate "CN=public ip"
Feb 19 09:27:43 10[IKE] signature validation failed, looking for another key
Feb 19 09:27:43 10[CFG] using certificate "CN=public ip"
Feb 19 09:27:43 10[CFG] using trusted ca certificate "CN=public ip"
Feb 19 09:27:43 10[CFG] checking certificate status of "CN=public ip"
Feb 19 09:27:43 10[CFG] certificate status is not available
Feb 19 09:27:43 10[CFG] reached self-signed root ca with a path length of 0
Feb 19 09:27:43 10[IKE] authentication of 'CN=public ip' with RSA_EMSA_PKCS1_SHA2_384 successful
Feb 19 09:27:43 10[CFG] constraint check failed: identity 'public ip' required
Feb 19 09:27:43 10[CFG] selected peer config 'android' unacceptable: constraint checking failed
Feb 19 09:27:43 10[CFG] no alternative config found
Feb 19 09:27:43 10[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Feb 19 09:27:43 10[NET] sending packet: from 192.168.100.27[55399] to public ip[4500] (65 bytes)
这两台设备都曾与 StrongSwan 配合使用,我一年前就配置好了,一点问题都没有。这是 AWS 上的新 VM,实际上对于客户端设备,我刚刚更改了密码(根据新的 /ipsec.secrets)并相应地导入了新的 CA 证书。我的错误可能出在哪里?提前感谢大家。
答案1
Feb 19 09:27:43 10[CFG] constraint check failed: identity 'public ip' required
您的服务器证书显然不包含您在客户端上配置的 IP 地址主题替代名称(SAN)扩展。您可以颁发一个新证书,其中包含您在客户端上配置为 SAN 的 IP 或主机名,或者在客户端上明确配置服务器的身份(对于 strongSwan Android 客户端,您可以在高级 VPN 配置文件设置中执行此操作)。