Smart card (EAP) authentication for an L2TP/IPsec VPN

I have a certificate on a smart card that I use to connect to a VPN from Windows.

The VPN is L2TP/IPsec and uses EAP for authentication.

I have tried several ways of connecting, some through the UI (NetworkManager) and others with strongSwan:

NetworkManager

The only option that lets me use the smart card is IPsec/IKEv2. It fails with a "no proposal chosen" error. When I enable custom proposals and add aes256-sha1-modp1024 for IKE and aes256-sha1 for ESP, syslog shows that it authenticated, but then it times out.

strongSwan

I used the following links as references:

  1. https://www.strongswan.org/docs/readme4.htm#section_8.1
  2. https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards

This is the connection I added to /etc/ipsec.conf:

conn aa
        left=%defaultroute
        keyexchange=ike
        leftsourceip=%config
        #leftcert=%smartcard:0
        [email protected]
        leftfirewall=yes
        right=server.com
        keyexchange=ikev2
        ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048
        esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256
        auto=add

I also configured /etc/ipsec.secrets and /etc/strongswan.d/charon/pkcs11.conf.

When I run the following command:

sudo ipsec up aa

I get this result:

initiating IKE_SA aa[1] to <server>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.228.65.143[500] to <server>[500] (1312 bytes)
received packet: from <server>[500] to 10.228.65.143[500] (320 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
local host is behind NAT, sending keep alives
authentication of '[email protected]' (myself) with RSA signature successful
establishing CHILD_SA aa{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.228.65.143[4500] to <server>[4500] (780 bytes)
received packet: from <server>[4500] to 10.228.65.143[4500] (76 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'aa' failed

Troubleshooting information

IKE scan (https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues)

$ sudo ./ike-scan.sh server | grep SA=

SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x0000708 SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080) SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=19 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080) SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=20 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)

Edit

When using leftauth=eap-tls, and after installing the root certificate in /etc/ipsec.d/cacerts, I get this error:

parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
received end entity cert "CN=<server>"
received issuer cert "DC=..."
  using certificate "CN=<server>"
  using untrusted intermediate certificate "DC=.."
checking certificate status of "CN=<server>"
  fetching crl from 'http://anotherserver.crl' ...
libcurl request failed [28]: Resolving timed out after 10521 milliseconds
crl fetching failed
  fetching crl from 'ldap:///CN=...' ...
LDAP bind to 'ldap:///CN=..' failed: Can't contact LDAP server
crl fetching failed
certificate status is not available
  reached self-signed root ca with a path length of 1
authentication of 'CN=...' with RSA signature successful
constraint check failed: identity '<server>' required 
selected peer config 'aa' inacceptable: constraint checking failed
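Added example, not part of the original post: the same `conn aa` with the peer identity constraint set to what the server actually presents. The last log shows the server authenticating under its certificate DN (`authentication of 'CN=...'`) while the connection requires the identity `<server>`, which is what strongSwan falls back to when `rightid` is not set (it defaults to the value of `right=`). The DN and the client identity below are placeholders; the DN must match the subject of the certificate logged as `received end entity cert`.

```ini
# /etc/ipsec.conf -- added example, not the original poster's configuration.
# Values in angle brackets are placeholders and must be replaced.
conn aa
        keyexchange=ikev2
        left=%defaultroute
        leftsourceip=%config
        # Client side: EAP-TLS with the certificate held on the smart card,
        # following the strongSwan SmartCards wiki page linked above.
        leftauth=eap-tls
        leftcert=%smartcard:<keyid>
        leftid=<client identity from the smart card certificate>
        leftfirewall=yes
        right=server.com
        # Server side: the server authenticates with an RSA signature on its
        # certificate. Without rightid, strongSwan requires the peer to prove
        # the identity "server.com" (taken from right=). The log shows the
        # server proving a DN instead, so require that DN explicitly.
        # Assumption: this DN is the subject of the received end entity cert.
        rightauth=pubkey
        rightid="CN=<server>"
        # rightid=%any would skip this constraint, but then any certificate
        # chaining to a CA in /etc/ipsec.d/cacerts would be accepted as the
        # server; prefer pinning the expected identity as above.
        ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048
        esp=aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256
        auto=add
```

In the posted log the CRL lookups (HTTP and LDAP) both fail, yet the server's signature is still accepted and only the identity constraint is reported, so the identity mismatch is the blocking problem to check first. Note that while those CRL distribution points stay unreachable, revocation of the server certificate cannot be verified.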
