我正在从连接性开始评估 AWS。由于 AWS VPN 解决方案的累积成本很高,所以我想先用 Strongswan 开始 DIY。我已经让 Strongswan 满足了我们的站点到站点(到 Cisco ASA5506s)要求,但无法使用本机 Windows VPN 客户端让我们的移动远程访问正常工作。Windows 和 Strongswan 日志都表明证书存在一些问题,但它是由 letsencrypt 颁发的并且有效。
硬件:
类型:Amazon 系统:Amazon EC2 产品:t3.nano v:N/A 主板:Amazon EC2 型号:N/A 序列号:N/A BIOS:Amazon EC2 v:1.0 日期:2017 年 10 月 16 日
操作系统:
主机:aws-edge 内核:6.1.0-17-cloud-amd64 架构:x86_64 位数:64 控制台:pty pts/1 发行版:Debian GNU/Linux 12 (bookworm)
Strongswan U5.9.8/K6.1.0-17-cloud-amd64
# /etc/ipsec.secrets
edge.mydomain.com : ECDSA "/etc/ipsec.d/private/privkey.pem"
%any : EAP "Password27"
# /etc/ipsec.conf
config setup
strictcrlpolicy=yes
uniqueids=no
charondebug="ike 9"
#charondebug="ike 4, knl 4, cfg 4, net 4, esp 4, dmn 4, mgr 4"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
auto=route
ike=aes256-sha1-modp1536
esp=aes256-sha1
dpdaction=clear
dpddelay=30s
conn roadwarriors
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256gcm16-prfsha384-ecp384!
esp=aes256gcm16-ecp384!
dpdaction=clear
dpddelay=900s
rekey=no
left=%any
[email protected]
#leftauth=pubkey
# Acquired via certbot/letsencrypt
leftcert=/etc/ipsec.d/certs/cert.pem
leftsendcert=always
leftsubnet=10.8.1.0/24
right=%any
rightid=%any
rightauth=eap-mschapv2
eap_identity=%any
rightsendcert=never
rightdns=8.8.8.8
rightsourceip=10.8.1.32/27
rightsendcert=never
Windows VPN 配置:
$Response = Invoke-WebRequest -UseBasicParsing -Uri https://valid-isrgrootx1.letsencrypt.org
Add-VpnConnection -Name edge.mydomain.com -ServerAddress "edge.mydomain.com" `
-TunnelType IKEv2 -EncryptionLevel Maximum -AuthenticationMethod Eap -RememberCredential
Set-VpnConnectionIPsecConfiguration -ConnectionName edge.mydomain.com `
-AuthenticationTransformConstants GCMAES256 `
-CipherTransformConstants GCMAES256 `
-EncryptionMethod GCMAES256 `
-IntegrityCheckMethod SHA384 -DHGroup ECP384 -PfsGroup ECP384 -Force
Set-VpnConnection -Name edge.mydomain.com -SplitTunneling $true
服务器证书;省略十六进制块,域名混淆:
# openssl x509 -in /etc/ipsec.d/certs/cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
<hex block>
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R3
Validity
Not Before: Jan 9 18:09:49 2024 GMT
Not After : Apr 8 18:09:48 2024 GMT
Subject: CN = edge.<mydomain>.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
<hex block>
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
<hex block>
X509v3 Authority Key Identifier:
<hex block>
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:edge.king-ent.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : <hex block>
Timestamp : Jan 9 19:09:49.433 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
<hex block>
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : <hex block>
Timestamp : Jan 9 19:09:49.437 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
<hex block>
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
<hex block>
转换为.p12 并在 Windows 中查看:
Windows RasClient 日志:
CoId={894815C0-439C-0000-0CA0-48899C43DA01}: The user <userid> has started dialing a VPN connection using a per-user connection profile named edge.mydomain.com. The connection settings are:
Dial-in User = <notmyname>
VpnStrategy = IKEv2
DataEncryption = Require maximum
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = EAP <Microsoft: Secured password (EAP-MSCHAP v2)>
Ipv4DefaultGateway = No
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = No
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags =
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
Mobility enabled for IKEv2 = Yes.
...
The user <userid> dialed a connection named edge.mydomain.com which has failed. **The error code returned on failure is 13801**.
在服务器上,journalctl -S now -f:
Jan 10 18:58:39 aws-edge charon[1006]: 09[CFG] selected peer config 'roadwarriors'
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] initiating EAP_IDENTITY method (id 0x00)
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] processing INTERNAL_IP4_DNS attribute
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] processing INTERNAL_IP4_NBNS attribute
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] processing INTERNAL_IP4_SERVER attribute
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] processing INTERNAL_IP6_DNS attribute
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] processing INTERNAL_IP6_SERVER attribute
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] peer supports MOBIKE
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] **no private key found** for 'edge.mydomain.com'
Jan 10 18:58:39 aws-edge charon[1006]: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
答案1
该证书使用 ECDSA 密钥:
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
<hex block>
ASN1 OID: prime256v1
NIST CURVE: P-256
因此,您不能加载私钥,RSA而必须使用ECDSA(您也不必为此使用任何身份):
: ECDSA "/etc/ipsec.d/private/privkey.pem"