I ran into the following problem: I set up Kerio Control 9.4.4 build 8365 and am trying to connect to the VPN server from an Android 14+ device. I am using strongSwan (Android) for this, but I get the following error in the log:
Mar 26 09:51:38 09[IKE] sending cert request for "C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA11"
Mar 26 09:51:38 09[IKE] sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2015"
Mar 26 09:51:38 09[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2"
Mar 26 09:51:38 09[IKE] sending cert request for "CN=localcontrol, OU=it, O=test, L=test, ST=test, C=test"
Mar 26 09:51:38 09[IKE] authentication of 'CN=192.168.88.253, OU=it, O=test, L=test, ST=test, C=test' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Mar 26 09:51:38 09[IKE] sending end entity cert "CN=192.168.88.253, OU=test, O=test, L=test, ST=test, C=test"
Mar 26 09:51:38 09[IKE] establishing CHILD_SA android{3}
Mar 26 09:51:38 09[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ]
Mar 26 09:51:38 09[ENC] splitting IKE message (4428 bytes) into 4 fragments
Mar 26 09:51:38 09[ENC] generating IKE_AUTH request 1 [ EF(1/4) ]
Mar 26 09:51:38 09[ENC] generating IKE_AUTH request 1 [ EF(2/4) ]
Mar 26 09:51:38 09[ENC] generating IKE_AUTH request 1 [ EF(3/4) ]
Mar 26 09:51:38 09[ENC] generating IKE_AUTH request 1 [ EF(4/4) ]
Mar 26 09:51:38 09[NET] sending packet: from 192.168.88.10[49811] to 192.168.88.253[4500] (1360 bytes)
Mar 26 09:51:38 09[NET] sending packet: from 192.168.88.10[49811] to 192.168.88.253[4500] (1360 bytes)
Mar 26 09:51:38 09[NET] sending packet: from 192.168.88.10[49811] to 192.168.88.253[4500] (1360 bytes)
Mar 26 09:51:38 09[NET] sending packet: from 192.168.88.10[49811] to 192.168.88.253[4500] (544 bytes)
Mar 26 09:51:38 11[NET] received packet: from 192.168.88.253[4500] to 192.168.88.10[49811] (1248 bytes)
Mar 26 09:51:38 11[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Mar 26 09:51:38 11[ENC] received fragment #1 of 2, waiting for complete IKE message
Mar 26 09:51:38 11[NET] received packet: from 192.168.88.253[4500] to 192.168.88.10[49811] (192 bytes)
Mar 26 09:51:38 11[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Mar 26 09:51:38 11[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1372 bytes)
Mar 26 09:51:38 11[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH ]
Mar 26 09:51:38 11[IKE] received end entity cert "CN=192.168.88.253, OU=it, O=test, L=test, ST=test, C=test"
Mar 26 09:51:38 11[CFG] using trusted certificate "CN=192.168.88.253, OU=it, O=test, L=test, ST=test, C=test"
Mar 26 09:51:38 11[CFG] using trusted ca certificate "CN=localcontrol, OU=it, O=test, L=test, ST=test, C=test"
Mar 26 09:51:38 11[CFG] reached self-signed root ca with a path length of 0
Mar 26 09:51:38 11[CFG] checking certificate status of "CN=192.168.88.253, OU=it, O=test, L=test, ST=test, C=test"
Mar 26 09:51:38 11[CFG] certificate status is not available
Mar 26 09:51:38 11[IKE] authentication of 'CN=192.168.88.253, OU=it, O=test, L=test, ST=test, C=test' with RSA_EMSA_PKCS1_SHA2_256 successful
Mar 26 09:51:38 11[ENC] generating IKE_AUTH request 2 [ IDi ]
Mar 26 09:51:38 11[NET] sending packet: from 192.168.88.10[49811] to 192.168.88.253[4500] (76 bytes)
Mar 26 09:51:38 12[NET] received packet: from 192.168.88.253[4500] to 192.168.88.10[49811] (76 bytes)
Mar 26 09:51:38 12[ENC] parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
Mar 26 09:51:38 12[IKE] received AUTHENTICATION_FAILED notify error
My topology:
- A PC acting as the Kerio Control server
- A switch acting as the DHCP server
- A router (no internet connection)
- The main PC, from which I can access the Kerio Control web panel
I am almost certain my certificates are correct, and I can connect normally using Windows IKEv2 with the certificate.
What am I doing wrong?
Edit: here is the certificate information I got from openssl. For some reason I could not open the pkcs12 certificate, but I was able to open the pem certificate and key
Answer 1
If you configure IKEv2 Certificate + EAP (Username/Password) as the VPN type on the client, it will expect the server to initiate EAP authentication after the client's initial certificate authentication (this uses a mechanism defined in RFC 4739, but it is not widely supported). The server is apparently not configured to do this (if it even supports it), so authentication fails when the client sends the second IKE_AUTH request. If you want to authenticate the client with a certificate, configure IKEv2 Certificate as the VPN type.
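As an added example (not part of the question or the answer), the following script applies the answer's reasoning to the log: it parses strongSwan's IKE_AUTH summary lines and tells apart a rejected second authentication round (MULT_AUTH and AUTH_FOLLOWS announced in the first request, AUTH_FAILED in a later response) from a failure in the first round. The log excerpt is constructed from the lines quoted in the question.

```python
import re
from typing import List

# Constructed excerpt of the strongSwan (Android) client log quoted in the
# question: only the IKE_AUTH summary lines, notify names and ids unchanged.
SAMPLE_LOG = """\
Mar 26 09:51:38 09[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ]
Mar 26 09:51:38 11[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH ]
Mar 26 09:51:38 11[ENC] generating IKE_AUTH request 2 [ IDi ]
Mar 26 09:51:38 12[ENC] parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
"""

# strongSwan's ENC subsystem prints one summary line per IKE_AUTH message.
IKE_AUTH_RE = re.compile(
    r"\[ENC\] (?:generating|parsed) IKE_AUTH (request|response) (\d+) \[ (.*) \]"
)


def parse_ike_auth(log: str) -> List[dict]:
    """One record per complete IKE_AUTH message: kind, message id, notify names."""
    records = []
    for line in log.splitlines():
        m = IKE_AUTH_RE.search(line)
        if not m or m.group(3).startswith("EF("):
            continue  # not an IKE_AUTH line, or only a fragment (EF) of one
        kind, msg_id, payloads = m.groups()
        records.append({
            "kind": kind,
            "id": int(msg_id),
            "notifies": set(re.findall(r"N\((\w+)\)", payloads)),
        })
    return records


def diagnose(log: str) -> str:
    """Apply the answer's reasoning: MULT_AUTH + AUTH_FOLLOWS in the first request
    announce a second authentication round (RFC 4739); AUTH_FAILED answering a
    later request means the server does not offer the EAP round the client expects."""
    records = parse_ike_auth(log)
    failed = [r for r in records if r["kind"] == "response" and "AUTH_FAILED" in r["notifies"]]
    if not failed:
        return "no AUTH_FAILED in IKE_AUTH exchange"
    first_req = next((r for r in records if r["kind"] == "request" and r["id"] == 1), None)
    second_round = first_req is not None and {"MULT_AUTH", "AUTH_FOLLOWS"} <= first_req["notifies"]
    if second_round and failed[0]["id"] > 1:
        return "second authentication round rejected: client profile expects EAP after the certificate, server does not offer it"
    return "authentication failed in first round: check certificates and identities"
```

Running `diagnose(SAMPLE_LOG)` on the quoted log yields the second-round verdict, matching the answer; the same function can be pointed at a full strongSwan log because fragment lines (EF) are skipped.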