How do I set up StrongSwan (behind NAT) IKEv2/IPSec with a PSK (pre-shared key)?

I set up my strongswan server on a virtual Ubuntu 22 behind NAT. For RCA with a login and password it works fine. But I need it to work with only a PSK key. I have tried many options, but I cannot connect from my android. The current config is:

cat /etc/ipsec.secrets
: PSK 6VvBHiM3vZlaY4elIgiKhuD/6aAWo5c2


cat /etc/ipsec.conf
config setup
    charondebug="all"
    uniqueids=yes

conn ikev2-ipsec-psk
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
#    authby=secret
    authby=psk
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=%any
#    [email protected]
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightdns=1.1.1.1,1.0.0.1
    rightsourceip=10.101.0.0/16


cat rules.v4
# Generated by iptables-save v1.8.7 on Fri Jul  7 17:37:44 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -s 10.101.0.0/16 -o ens33 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Fri Jul  7 17:37:44 2023
# Generated by iptables-save v1.8.7 on Fri Jul  7 17:37:44 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [83911:86155655]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ens33 -m state --state NEW -m recent --update --seconds 300 --hitcount 60 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i ens33 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens33 -p esp -j ACCEPT
-A INPUT -i ens33 -p ah -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 10.101.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.101.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o ens33 -p esp -j ACCEPT
-A OUTPUT -o ens33 -p ah -j ACCEPT
-A OUTPUT -o ens33 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o ens33 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
COMMIT
# Completed on Fri Jul  7 17:37:44 2023
# Generated by iptables-save v1.8.7 on Fri Jul  7 17:37:44 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A POSTROUTING -s 10.101.0.0/16 -o ens33 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.101.0.0/16 -o ens33 -j MASQUERADE
COMMIT
# Completed on Fri Jul  7 17:37:44 2023

Ports forwarded on the NAT:

# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 401M packets, 47G bytes)
 pkts bytes target     prot opt in     out     source               destination
 ...
   84 23694 DNAT       udp  --  sfp2   *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500 to:10.5.23.88:4500
  904  363K DNAT       udp  --  sfp2   *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 to:10.5.23.88:500
  483 26400 DNAT       tcp  --  sfp2   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:88 to:10.5.23.88:80
   16  1568 DNAT       udp  --  sfp2   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 to:10.5.23.88:1701

Chain INPUT (policy ACCEPT 77M packets, 5830M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 34M packets, 3513M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 31M packets, 3036M bytes)
 pkts bytes target     prot opt in     out     source               destination
1094M  182G SNAT       all  --  *      *       10.0.0.0/8           0.0.0.0/0            to:x.y.z.b

On the Ubuntu server, when I try to connect, I get this in the log (178.168.214.112 is the user's IP, 10.5.23.88 is the server's LAN IP):

Jul 11 18:22:16 ubuntu22 charon: 01[NET] received packet: from 178.168.214.112[64102] to 10.5.23.88[500] (1072 bytes)
Jul 11 18:22:16 ubuntu22 charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] 178.168.214.112 is initiating an IKE_SA
Jul 11 18:22:16 ubuntu22 charon: 01[CFG] received proposals: IKE:AES_CTR_256/AES_CBC_256/AES_CTR_192/AES_CBC_192/AES_CTR_128/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_4096/CURVE_25519/MODP_3072/MODP_2048, IKE:CHACHA20_POLY1305/AES_GCM_16_256/AES_GCM_12_256/AES_GCM_8_256/AES_GCM_16_192/AES_GCM_12_192/AES_GCM_8_192/AES_GCM_16_128/AES_GCM_12_128/AES_GCM_8_128/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_4096/CURVE_25519/MODP_3072/MODP_2048
Jul 11 18:22:16 ubuntu22 charon: 01[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] local host is behind NAT, sending keep alives
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] remote host is behind NAT
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] received proposals unacceptable
Jul 11 18:22:16 ubuntu22 charon: 01[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jul 11 18:22:16 ubuntu22 charon: 01[NET] sending packet: from 10.5.23.88[500] to 178.168.214.112[64102] (36 bytes)
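The `received proposals unacceptable` / `N(NO_PROP)` lines above mean the IKE_SA_INIT failed before authentication was even attempted, so the PSK is not what is being tested yet: the client offered only SHA2 integrity and MODP_2048-or-stronger DH groups, while `ike=aes256-sha1-modp1024!` pins the server to HMAC_SHA1_96 and MODP_1024. The following script is an added example, not part of the original question or of strongSwan: it parses the two `[CFG] ... proposals:` lines from the charon log quoted above (embedded as constructed sample input) and reports, per transform type, which algorithms have no overlap. `CANDIDATE_LINE` is a constructed log line showing what a configured proposal of `aes256-sha256-modp2048` in strongSwan's `ike=` notation would look like, to check that it does intersect what this client sends.

```python
import re

# Constructed sample input: the two [CFG] lines from the charon log quoted in the question.
LOG_LINES = [
    "Jul 11 18:22:16 ubuntu22 charon: 01[CFG] received proposals: "
    "IKE:AES_CTR_256/AES_CBC_256/AES_CTR_192/AES_CBC_192/AES_CTR_128/AES_CBC_128/"
    "HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/AES_CMAC_96/"
    "PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/"
    "PRF_AES128_CMAC/MODP_4096/CURVE_25519/MODP_3072/MODP_2048, "
    "IKE:CHACHA20_POLY1305/AES_GCM_16_256/AES_GCM_12_256/AES_GCM_8_256/AES_GCM_16_192/"
    "AES_GCM_12_192/AES_GCM_8_192/AES_GCM_16_128/AES_GCM_12_128/AES_GCM_8_128/"
    "PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/"
    "PRF_AES128_CMAC/MODP_4096/CURVE_25519/MODP_3072/MODP_2048",
    "Jul 11 18:22:16 ubuntu22 charon: 01[CFG] configured proposals: "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
]

# Constructed line: what charon logs for a configured ike=aes256-sha256-modp2048 (assumption
# used for comparison only; not taken from the question).
CANDIDATE_LINE = (
    "Jul 11 18:22:16 ubuntu22 charon: 01[CFG] configured proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048"
)

TYPES = ("ENCR", "INTEG", "PRF", "DH")
PROPOSAL_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")


def classify(alg):
    """Map a charon algorithm name to its IKEv2 transform type."""
    if alg.startswith("PRF_"):
        return "PRF"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if alg.startswith(("HMAC_", "AES_XCBC_", "AES_CMAC_")):
        return "INTEG"
    return "ENCR"  # AES_CBC/CTR/GCM, CHACHA20_POLY1305, 3DES_CBC, ...


def parse_proposals(text):
    """Parse 'IKE:A/B/C, IKE:D/E' into a list of {transform type: set of algorithms}."""
    proposals = []
    for item in text.split(", "):
        _proto, _, algs = item.partition(":")
        by_type = {t: set() for t in TYPES}
        for alg in algs.split("/"):
            by_type[classify(alg)].add(alg)
        proposals.append(by_type)
    return proposals


def extract_proposals(lines):
    """Return {'received': [...], 'configured': [...]} from charon [CFG] log lines."""
    found = {}
    for line in lines:
        m = PROPOSAL_RE.search(line)
        if m:
            found[m.group(1)] = parse_proposals(m.group(2))
    return found


def missing_types(configured, received):
    """Transform types with no algorithm in common.

    An AEAD proposal (AES-GCM, ChaCha20-Poly1305) carries no INTEG transform, so an
    empty set on exactly one side is also a mismatch.
    """
    missing = []
    for t in TYPES:
        a, b = configured[t], received[t]
        if a and b:
            if not (a & b):
                missing.append(t)
        elif a or b:
            missing.append(t)
    return missing


def diagnose(lines):
    """Return (matched, details).

    matched is True if some configured proposal overlaps some received proposal in
    every transform type; details maps (configured idx, received idx) to the list of
    transform types that prevented a match for that pair.
    """
    found = extract_proposals(lines)
    details = {}
    matched = False
    for ci, conf in enumerate(found.get("configured", [])):
        for ri, recv in enumerate(found.get("received", [])):
            miss = missing_types(conf, recv)
            details[(ci, ri)] = miss
            if not miss:
                matched = True
    return matched, details


if __name__ == "__main__":
    ok, details = diagnose(LOG_LINES)
    print("match with current config:", ok)
    for (ci, ri), miss in details.items():
        print(f"  configured #{ci} vs received #{ri}: no common {', '.join(miss) or '(all overlap)'}")
    ok, _ = diagnose([LOG_LINES[0], CANDIDATE_LINE])
    print("match with aes256-sha256-modp2048 candidate:", ok)
```

Running it against the quoted log reports that the configured proposal shares no integrity algorithm and no DH group with the client's first (non-AEAD) proposal, and nothing at all beyond the PRF with its second (AEAD) proposal; the candidate proposal overlaps in all four transform types. The same comparison applies to `esp=` proposals once the IKE_SA is up: the CHILD_SA `received proposals` line in the log can be fed to the same functions.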
