I have a certificate on a smart card that is used to connect through a VPN on Windows.
The VPN is L2TP/IPsec and uses EAP for authentication.
I have tried several ways to connect, some using the UI (NetworkManager), others using strongSwan:
NetworkManager
The only option that lets me use the smart card is IPSec/IKEV2. It fails with a "no proposal chosen" error. When I enable custom proposals and add aes256-sha1-modp1024 as the IKE proposal and aes256-sha1 as the ESP proposal, the system log shows that it authenticated, but then it times out.
strongSwan
I used the following links as references:
- https://www.strongswan.org/docs/readme4.htm#section_8.1
- https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards
This is the connection I added to /etc/ipsec.conf:
conn aa
    left=%defaultroute
    keyexchange=ike
    leftsourceip=%config
    #leftcert=%smartcard:0
    [email protected]
    leftfirewall=yes
    right=server.com
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256
    auto=add
I also configured /etc/ipsec.secrets and /etc/strongswan.d/charon/pkcs11.conf.
When I try to run the following command:
sudo ipsec up aa
I get this result:
initiating IKE_SA aa[1] to <server>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.228.65.143[500] to <server>[500] (1312 bytes)
received packet: from <server>[500] to 10.228.65.143[500] (320 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
local host is behind NAT, sending keep alives
authentication of '[email protected]' (myself) with RSA signature successful
establishing CHILD_SA aa{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.228.65.143[4500] to <server>[4500] (780 bytes)
received packet: from <server>[4500] to 10.228.65.143[4500] (76 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'aa' failed
Troubleshooting information
IKE scan (https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues)
$ sudo ./ike-scan.sh server | grep SA=
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x0000708
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=19 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=20 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
EDIT
When using leftauth=eap-tls, and after installing the root certificate in /etc/ipsec.d/cacerts, I get this error:
parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
received end entity cert "CN=<server>"
received issuer cert "DC=..."
using certificate "CN=<server>"
using untrusted intermediate certificate "DC=.."
checking certificate status of "CN=<server>"
fetching crl from 'http://anotherserver.crl' ...
libcurl request failed [28]: Resolving timed out after 10521 milliseconds
crl fetching failed
fetching crl from 'ldap:///CN=...' ...
LDAP bind to 'ldap:///CN=..' failed: Can't contact LDAP server
crl fetching failed
certificate status is not available
reached self-signed root ca with a path length of 1
authentication of 'CN=...' with RSA signature successful
constraint check failed: identity '<server>' required
selected peer config 'aa' inacceptable: constraint checking failed
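The "no proposal chosen" failure in the NetworkManager attempt and the ike-scan output above can be checked against each other mechanically. The following is an added example, not code from the question or from strongSwan: it parses ike-scan's SA=(...) lines into strongSwan-style (enc, integ, dh) tuples, expands the ike= value from the ipsec.conf above, and reports the overlap. The scan text is constructed from the four transforms reported in the question; the DH group table is the standard IANA numbering. Note that ike-scan probes IKEv1 by default, so the server's IKEv2 proposal set may differ.

```python
import re
from itertools import product

# Constructed sample: the transforms reported by the ike-scan run in the question
IKE_SCAN_OUTPUT = """
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=19 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=20 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
"""

# The ike= line from the ipsec.conf in the question
IKE_LINE = "aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048"

# IANA IKE DH group numbers mapped to strongSwan keywords
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
             "15": "modp3072", "16": "modp4096", "19": "ecp256", "20": "ecp384",
             "21": "ecp521"}

def server_transforms(scan_text):
    """Parse ike-scan SA=(...) entries into (enc, integ, dh) tuples in strongSwan spelling."""
    found = set()
    for body in scan_text.split("SA=(")[1:]:           # tolerant of a missing ')'
        attrs = dict(re.findall(r"(\w+)=([^\s)]+)", body))
        enc = attrs["Enc"].lower()
        if enc == "aes":                                # ike-scan prints the key length separately
            enc += attrs.get("KeyLength", "128")
        group = attrs["Group"].split(":")[0]            # "2:modp1024" or plain "19"
        found.add((enc, attrs["Hash"].lower(), DH_GROUPS.get(group, "group" + group)))
    return found

def client_proposals(ike_value):
    """Expand a strongSwan ike= value; enc-enc-integ-dh-dh means every combination."""
    props = set()
    for proposal in ike_value.split(","):
        encs, integs, dhs = [], [], []
        for tok in proposal.strip().split("-"):
            if tok in DH_GROUPS.values():
                dhs.append(tok)
            elif tok.startswith(("sha", "md5")):
                integs.append(tok)
            else:
                encs.append(tok)
        props.update(product(encs, integs, dhs))
    return props

def common_proposals(ike_value, scan_text):
    """Proposals both sides accept; an empty result explains a NO_PROPOSAL_CHOSEN."""
    return sorted(client_proposals(ike_value) & server_transforms(scan_text))

if __name__ == "__main__":
    print(common_proposals(IKE_LINE, IKE_SCAN_OUTPUT) or "no overlap")
```

With the question's data the overlap is empty: the client only offers MODP groups while the server's AES transforms require ecp256 or ecp384, which is exactly what a "no proposal chosen" reply indicates.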