Windows 10 中的 Strongswan VPN:未找到私钥 / 13801

Windows 10 中的 Strongswan VPN:未找到私钥 / 13801

我正在从连接性开始评估 AWS。由于 AWS VPN 解决方案的累积成本很高,所以我想先用 Strongswan 开始 DIY。我已经让 Strongswan 满足了我们的站点到站点(到 Cisco ASA5506s)要求,但无法使用本机 Windows VPN 客户端让我们的移动远程访问正常工作。Windows 和 Strongswan 日志都表明证书存在一些问题,但它是由 letsencrypt 颁发的并且有效。

硬件:

类型:Amazon 系统:Amazon EC2 产品:t3.nano v:N/A 主板:Amazon EC2 型号:N/A 序列号:N/A BIOS:Amazon EC2 v:1.0 日期:2017 年 10 月 16 日

操作系统:

主机:aws-edge 内核:6.1.0-17-cloud-amd64 架构:x86_64 位数:64 控制台:pty pts/1 发行版:Debian GNU/Linux 12 (bookworm)

Strongswan U5.9.8/K6.1.0-17-cloud-amd64

# /etc/ipsec.secrets

edge.mydomain.com : ECDSA "/etc/ipsec.d/private/privkey.pem"
%any : EAP "Password27"
# /etc/ipsec.conf

config setup
    strictcrlpolicy=yes
    uniqueids=no
    charondebug="ike 9"
    #charondebug="ike 4, knl 4, cfg 4, net 4, esp 4, dmn 4,  mgr 4"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    auto=route
    ike=aes256-sha1-modp1536
    esp=aes256-sha1
    dpdaction=clear
    dpddelay=30s

conn roadwarriors
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
    dpdaction=clear
    dpddelay=900s
    rekey=no
    left=%any
    [email protected]
    #leftauth=pubkey

    # Acquired via certbot/letsencrypt
    leftcert=/etc/ipsec.d/certs/cert.pem

    leftsendcert=always
    leftsubnet=10.8.1.0/24
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    eap_identity=%any
    rightsendcert=never
    rightdns=8.8.8.8
    rightsourceip=10.8.1.32/27
    rightsendcert=never

Windows VPN 配置:

$Response = Invoke-WebRequest -UseBasicParsing -Uri https://valid-isrgrootx1.letsencrypt.org

Add-VpnConnection -Name edge.mydomain.com  -ServerAddress "edge.mydomain.com" `
-TunnelType IKEv2 -EncryptionLevel Maximum -AuthenticationMethod Eap -RememberCredential

Set-VpnConnectionIPsecConfiguration -ConnectionName edge.mydomain.com `
-AuthenticationTransformConstants GCMAES256 `
-CipherTransformConstants GCMAES256 `
-EncryptionMethod GCMAES256 `
-IntegrityCheckMethod SHA384 -DHGroup ECP384 -PfsGroup ECP384 -Force

Set-VpnConnection -Name edge.mydomain.com -SplitTunneling $true

服务器证书;省略十六进制块,域名混淆:

# openssl x509 -in /etc/ipsec.d/certs/cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <hex block>
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jan  9 18:09:49 2024 GMT
            Not After : Apr  8 18:09:48 2024 GMT
        Subject: CN = edge.<mydomain>.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    <hex block>
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                <hex block>
            X509v3 Authority Key Identifier: 
                <hex block>
            Authority Information Access: 
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name: 
                DNS:edge.king-ent.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : <hex block>
                    Timestamp : Jan  9 19:09:49.433 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                <hex block>
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : <hex block>
                    Timestamp : Jan  9 19:09:49.437 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                <hex block>
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        <hex block>

转换为.p12 并在 Windows 中查看: 在此处输入图片描述

Windows RasClient 日志:

CoId={894815C0-439C-0000-0CA0-48899C43DA01}: The user <userid> has started dialing a VPN connection using a per-user connection profile named edge.mydomain.com. The connection settings are: 
Dial-in User = <notmyname>
VpnStrategy = IKEv2
DataEncryption = Require maximum
PrerequisiteEntry = 
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = EAP <Microsoft: Secured password (EAP-MSCHAP v2)>
Ipv4DefaultGateway = No
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = No
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = 
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
Mobility enabled for IKEv2 = Yes.

...

The user <userid> dialed a connection named edge.mydomain.com which has failed. **The error code returned on failure is 13801**.

在服务器上,journalctl -S now -f:

Jan 10 18:58:39 aws-edge charon[1006]: 09[CFG] selected peer config 'roadwarriors'
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] initiating EAP_IDENTITY method (id 0x00)
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] processing INTERNAL_IP4_DNS attribute
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] processing INTERNAL_IP4_NBNS attribute
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] processing INTERNAL_IP4_SERVER attribute
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] processing INTERNAL_IP6_DNS attribute
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] processing INTERNAL_IP6_SERVER attribute
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] peer supports MOBIKE
Jan 10 18:58:39 aws-edge charon[1006]: 09[IKE] **no private key found** for 'edge.mydomain.com'
Jan 10 18:58:39 aws-edge charon[1006]: 09[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

答案1

该证书使用 ECDSA 密钥:

    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (256 bit)
            pub:
                <hex block>
            ASN1 OID: prime256v1
            NIST CURVE: P-256

因此,您不能加载私钥,RSA而必须使用ECDSA(您也不必为此使用任何身份):

: ECDSA "/etc/ipsec.d/private/privkey.pem"

答案2

你需要指定私钥ipsec.secrets

P12 /etc/ipsec.d/certs/cert.key

您只指定了证书,但要使用该证书,您需要私钥。

相关内容