Android - IKEv2 - strongSwan - VPN server: no trusted RSA public key found...

I am setting up an IKEv2 VPN server with strongSwan on Ubuntu, and client authentication is failing because of a CA certificate error.

This is what I based it on: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-20-04

My setup is as follows:

VPN server: Ubuntu 24 LTS with strongSwan 6.6

Certificate details:
Subject: CN = vpn.mydomain.com
Subject Alternative Name (SAN): DNS:vpn.mydomain.com, DNS:www.vpn.mydomain.com

The server's SSL certificate is configured correctly; its SAN covers vpn.mydomain.com and www.vpn.mydomain.com. However, when the client (Android 14, Pixel 7a) tries to connect, the connection fails with the error: "Unable to establish VPN: verifying server authentication failed".

User authentication: EAP

The problem seems to be that the CA certificate is not recognized, or cannot be used, on the client device, even though the server certificate appears to be set up correctly and chained to its issuer.

The log of the strongSwan client on Android shows:

```
May  2 14:20:13 12[IKE] received end entity cert "CN=vpn.mydomain.com"
May  2 14:20:13 12[CFG]   using certificate "CN=vpn.mydomain.com"
May  2 14:20:13 12[CFG] no issuer certificate found for "CN=vpn.mydomain.com"
May  2 14:20:13 12[CFG]   issuer is "C=LV, L=Riga, O=GoGetSSL, CN=GoGetSSL RSA DV CA"
May  2 14:20:13 12[IKE] no trusted RSA public key found for 'vpn.mydomain.com'
May  2 14:20:13 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
```

My server certificate: I obtained this certificate from the GoGetSSL website. My idea was not to use a self-signed certificate, so that I would not need to install a root certificate on any device. GoGetSSL is under the USERTrust RSA Certification Authority, which is present on my device, so my server certificate should be trusted. And yes, my domain is not vpn.mydomain.com, that is just an example. I also tried Let's Encrypt, with the same result. But on my macOS and iPhone everything works fine.

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            83:fc:58:44:59:f9:27:63:12:a2:23:57:5f:df:7a:54
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = LV, L = Riga, O = GoGetSSL, CN = GoGetSSL RSA DV CA
        Validity
            Not Before: May  2 00:00:00 2024 GMT
            Not After : Jul 31 23:59:59 2024 GMT
        Subject: CN = vpn.mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:97:d8:74:fb:66:a9:e8:95:61:91:8b:50:85:c5:
                    04:23:c0:09:0a:d6:ad:a5:0e:71:e5:76:69:c9:3a:
                    59:96:31:1f:7c:2f:ea:a1:27:14:6e:49:f2:f3:53:
                    af:e1:d3:1a:da:8c:d3:7e:53:ba:49:8f:50:bf:6f:
                    a7:1a:1b:1c:ce:c3:a7:9a:2d:71:cd:df:de:03:13:
                    23:53:04:6c:72:cb:69:8c:14:d9:63:40:5b:38:ca:
                    e9:b2:3a:bf:88:a6:39:fa:fe:03:85:2f:37:a8:7d:
                    c1:1c:ba:4d:69:ee:e1:bb:b1:49:71:d1:d7:4f:2c:
                    94:8a:91:39:6e:e7:41:b8:9d:f8:45:65:7c:93:c3:
                    45:4b:92:39:a5:25:d9:a4:8a:5f:33:37:85:c6:56:
                    83:a0:a9:c3:09:3d:5b:fd:2d:17:d3:94:25:2a:c2:
                    6e:71:aa:21:8c:25:91:be:ec:30:7f:b4:da:3d:43:
                    9c:1c:53:b9:55:45:dc:b9:97:e3:4c:c0:a6:9a:c9:
                    f0:42:67:14:dc:5d:c4:b8:3a:eb:8b:17:c5:92:f3:
                    1c:5d:7e:be:5e:e1:74:9f:f6:63:8c:06:b2:a6:08:
                    02:b3:d5:75:97:d9:63:01:e2:13:6d:5f:52:f9:0b:
                    9d:36:2e:ef:1b:59:3f:b5:bd:a6:f6:0c:5d:cc:fd:
                    f2:d3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                F9:FB:50:C4:8B:67:BB:67:64:FE:83:21:A6:A9:CE:3F:55:84:93:99
            X509v3 Subject Key Identifier:
                C5:D5:1A:C2:81:B3:84:11:B3:90:4E:FC:1E:11:B1:5B:9C:DF:A1:61
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.64
                  CPS: https://cps.usertrust.com
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.usertrust.com/GoGetSSLRSADVCA.crl
            Authority Information Access:
                CA Issuers - URI:http://crt.usertrust.com/GoGetSSLRSADVCA.crt
                OCSP - URI:http://ocsp.usertrust.com
            X509v3 Subject Alternative Name:
                DNS:vpn.mydomain.com, DNS:www.vpn.mydomain.com
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
                                B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
                    Timestamp : May  2 20:33:32.442 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:97:26:B7:25:08:D3:C8:02:91:40:5D:
                                B8:80:7A:99:0D:E9:94:A7:10:C6:B9:AC:00:C0:F8:39:
                                E2:D3:74:50:A3:02:20:10:42:A4:0A:03:EF:A6:38:3D:
                                65:09:98:ED:72:0D:C0:AD:F8:EB:61:AD:4E:DB:A5:4C:
                                CE:30:7D:78:0D:15:85
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 3F:17:4B:4F:D7:22:47:58:94:1D:65:1C:84:BE:0D:12:
                                ED:90:37:7F:1F:85:6A:EB:C1:BF:28:85:EC:F8:64:6E
                    Timestamp : May  2 20:33:32.415 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:A4:51:BD:EE:AF:51:4A:88:37:9A:2E:
                                BA:E4:08:36:49:2A:55:3E:39:C5:FB:1C:21:2D:9D:30:
                                5C:F5:BD:AE:58:02:21:00:BE:D3:A0:6A:06:4D:B9:0C:
                                9E:48:7D:8F:FF:93:3E:EB:4C:CF:F9:57:00:D2:84:41:
                                D1:43:BB:F2:F5:8A:3A:13
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        14:36:32:d4:9b:b3:d4:ab:9e:ed:87:e5:5e:28:aa:e7:5d:15:
        56:eb:ca:f7:b0:ca:09:d9:2b:af:35:92:38:0f:c6:f9:89:c7:
        85:36:63:28:a4:c7:10:f9:02:23:76:0e:cb:78:80:08:1b:3c:
        74:ec:b2:98:92:e9:a2:80:52:98:7d:95:36:ac:28:a3:01:62:
        ba:08:f6:8d:d4:ac:18:51:7c:20:31:03:22:ff:76:69:10:65:
        8e:ba:5f:4b:86:12:69:21:2a:78:41:f4:7b:cd:89:af:48:2c:
        09:40:a7:8f:c6:5e:1e:ee:a9:26:2e:61:c6:65:3a:aa:67:de:
        6c:15:93:d6:6d:09:0a:35:72:2c:81:88:aa:38:99:72:bb:1e:
        5d:ae:1f:78:6a:7d:1a:3b:4d:03:8b:12:af:c2:4e:13:14:42:
        0a:d5:6d:20:39:fd:1c:70:47:6f:39:19:35:a3:1a:35:d3:25:
        d0:3f:81:9b:a7:e9:48:98:76:51:6f:f7:1b:90:20:0c:61:e8:
        0c:bc:7d:d9:66:06:6a:5c:a3:1b:c6:ad:6d:20:02:f0:d6:1e:
        9e:03:4c:40:71:81:ec:d3:db:57:33:ec:71:34:53:4d:6c:9e:
        9f:61:bc:72:2f:59:4e:bd:27:0b:cd:2d:f2:5e:30:a1:8c:5b:
        8f:3c:c0:99
```

This is my configuration:

```
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no


conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    [email protected]
    leftcert=dinochain.pem

    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any

    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha25>
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sh>
```

And the secrets:

```
: RSA dinopriv.pem
user : EAP "password"
```

Here are my questions:

How can I make sure the CA certificate is correctly installed or recognized on the client device? Are there specific configuration steps on the server side that would resolve this authentication problem?

Because of this server authentication error I currently cannot establish a VPN connection, so any help or suggestions would be much appreciated.

I tried Let's Encrypt and then GOGETSSL. I could not find Let's Encrypt in my Android system certificates, but GOGETSSL is there. But it never helped.

Answer 1

This is the answer!

For any CA, you have to make sure that the intermediate CA certificate which issued the server certificate is also sent. So install it in

/etc/ipsec.d/cacerts
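The two pieces of evidence above (the charon line "no issuer certificate found" and the server certificate's Authority Information Access extension) already tell an operator which intermediate is missing and where the CA publishes it. The following script, added here as an example and not part of the original post, parses both and produces the install steps; the log and certificate excerpts are constructed from the post, and it assumes curl and openssl are available, that the AIA "CA Issuers" object is DER-encoded (as RFC 5280 specifies), and that the server uses the legacy ipsec.conf/stroke setup shown above, so `ipsec rereadcacerts` reloads /etc/ipsec.d/cacerts.

```python
"""Diagnose strongSwan's "no issuer certificate found" and point at the
intermediate CA certificate that must be installed in /etc/ipsec.d/cacerts.
Added example; the log and certificate excerpts below are constructed."""
import re

# Constructed sample: the relevant lines of the Android client log above.
CHARON_LOG = """\
May  2 14:20:13 12[CFG] no issuer certificate found for "CN=vpn.mydomain.com"
May  2 14:20:13 12[CFG]   issuer is "C=LV, L=Riga, O=GoGetSSL, CN=GoGetSSL RSA DV CA"
May  2 14:20:13 12[IKE] no trusted RSA public key found for 'vpn.mydomain.com'
"""

# Constructed sample: the AIA block from `openssl x509 -text` of the server cert.
CERT_TEXT = """\
            Authority Information Access:
                CA Issuers - URI:http://crt.usertrust.com/GoGetSSLRSADVCA.crt
                OCSP - URI:http://ocsp.usertrust.com
"""

def missing_issuer(log):
    """Return (subject, issuer DN) when charon could not chain the server cert."""
    m = re.search(r'no issuer certificate found for "([^"]+)"\s*\n.*?issuer is "([^"]+)"', log)
    return (m.group(1), m.group(2)) if m else None

def aia_ca_issuers(cert_text):
    """Return the 'CA Issuers' URIs of the certificate's AIA extension."""
    return re.findall(r'CA Issuers - URI:(\S+)', cert_text)

def remediation(log, cert_text, cacerts="/etc/ipsec.d/cacerts"):
    """Shell steps: fetch the intermediate, convert DER to PEM, install, reload."""
    found = missing_issuer(log)
    if not found:
        return []                      # chain was fine; nothing to do
    uris = aia_ca_issuers(cert_text)
    if not uris:
        return [f"# no AIA URI: obtain the intermediate '{found[1]}' from the CA"]
    steps = []
    for uri in uris:
        der = uri.rsplit("/", 1)[-1]   # e.g. GoGetSSLRSADVCA.crt
        pem = der.rsplit(".", 1)[0] + ".pem"
        steps += [f"curl -sSO {uri}",
                  f"openssl x509 -inform DER -in {der} -out {pem}",
                  f"install -m 0644 {pem} {cacerts}/{pem}"]
    steps.append("ipsec rereadcacerts")  # legacy stroke command, reloads cacerts
    return steps

if __name__ == "__main__":
    print("\n".join(remediation(CHARON_LOG, CERT_TEXT)))
```

After installing, the client log should show "using trusted ca certificate" for the GoGetSSL intermediate instead of "no issuer certificate found"; if the .crt turns out to be PEM already, drop the `-inform DER` step.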
