我正在 Ubuntu 上使用 strongSwan 设置 IKEv2 VPN 服务器,并且由于 CA 证书错误导致客户端身份验证出现问题。
我的设置如下:
VPN 服务器:Ubuntu 24 LTS,带有 strongSwan 6.6 证书详细信息:主题:CN = vpn.mydomain.com 主题备用名称 (SAN):DNS:vpn.mydomain.com,DNS:www。 vpn.mydomain.com 服务器的 SSL 证书已正确配置,其 SAN 涵盖 vpn.mydomain.com 和www.vpn.mydomain.com。但是,当客户端(Android 14 Pixel 7A)尝试连接时,连接失败并显示错误:无法建立 VPN 验证服务器身份验证失败
用户身份验证:EAP
问题似乎在于 CA 证书无法被识别或无法在客户端设备上使用,尽管服务器证书似乎已正确设置并链接到其颁发者。
客户端登录android strongSwan客户端展示:
May 2 14:20:13 12[IKE] received end entity cert "CN=vpn.mydomain.com"
May 2 14:20:13 12[CFG] using certificate "CN=vpn.mydomain.com"
May 2 14:20:13 12[CFG] no issuer certificate found for "CN=vpn.mydomain.com"
May 2 14:20:13 12[CFG] issuer is "C=LV, L=Riga, O=GoGetSSL, CN=GoGetSSL RSA DV CA"
May 2 14:20:13 12[IKE] **no trusted RSA public key found for **'vpn.mydomain.com'
May 2 14:20:13 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
我的服务器证书:我在 GoGetSSL 网站上获得了此证书。我的想法是不使用自签名证书,这样我就不需要在任何设备上安装根证书。GoGetSSL 是USERTrust RSA 认证机构并且它存在于我的设备上。所以我的服务器证书应该是信任的。是的,我的域名不是 vpn.mydomain.com,这只是一个例子。我也尝试了 Lets encrypt,结果相同。但在我的 MacOs 和 iPhone 上一切都运行正常。
ertificate:
Data:
Version: 3 (0x2)
Serial Number:
83:fc:58:44:59:f9:27:63:12:a2:23:57:5f:df:7a:54
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = LV, L = Riga, O = GoGetSSL, CN = GoGetSSL RSA DV CA
Validity
Not Before: May 2 00:00:00 2024 GMT
Not After : Jul 31 23:59:59 2024 GMT
Subject: CN = **vpn.mydomain.com**
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:97:d8:74:fb:66:a9:e8:95:61:91:8b:50:85:c5:
04:23:c0:09:0a:d6:ad:a5:0e:71:e5:76:69:c9:3a:
59:96:31:1f:7c:2f:ea:a1:27:14:6e:49:f2:f3:53:
af:e1:d3:1a:da:8c:d3:7e:53:ba:49:8f:50:bf:6f:
a7:1a:1b:1c:ce:c3:a7:9a:2d:71:cd:df:de:03:13:
23:53:04:6c:72:cb:69:8c:14:d9:63:40:5b:38:ca:
e9:b2:3a:bf:88:a6:39:fa:fe:03:85:2f:37:a8:7d:
c1:1c:ba:4d:69:ee:e1:bb:b1:49:71:d1:d7:4f:2c:
94:8a:91:39:6e:e7:41:b8:9d:f8:45:65:7c:93:c3:
45:4b:92:39:a5:25:d9:a4:8a:5f:33:37:85:c6:56:
83:a0:a9:c3:09:3d:5b:fd:2d:17:d3:94:25:2a:c2:
6e:71:aa:21:8c:25:91:be:ec:30:7f:b4:da:3d:43:
9c:1c:53:b9:55:45:dc:b9:97:e3:4c:c0:a6:9a:c9:
f0:42:67:14:dc:5d:c4:b8:3a:eb:8b:17:c5:92:f3:
1c:5d:7e:be:5e:e1:74:9f:f6:63:8c:06:b2:a6:08:
02:b3:d5:75:97:d9:63:01:e2:13:6d:5f:52:f9:0b:
9d:36:2e:ef:1b:59:3f:b5:bd:a6:f6:0c:5d:cc:fd:
f2:d3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
F9:FB:50:C4:8B:67:BB:67:64:FE:83:21:A6:A9:CE:3F:55:84:93:99
X509v3 Subject Key Identifier:
C5:D5:1A:C2:81:B3:84:11:B3:90:4E:FC:1E:11:B1:5B:9C:DF:A1:61
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.64
CPS: https://cps.usertrust.com
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.usertrust.com/GoGetSSLRSADVCA.crl
Authority Information Access:
CA Issuers - URI:http://crt.usertrust.com/GoGetSSLRSADVCA.crt
OCSP - URI:http://ocsp.usertrust.com
X509v3 Subject Alternative Name:
DNS:vpn.mydomain.com, DNS:www.vpn.mydomain.com
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
Timestamp : May 2 20:33:32.442 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:97:26:B7:25:08:D3:C8:02:91:40:5D:
B8:80:7A:99:0D:E9:94:A7:10:C6:B9:AC:00:C0:F8:39:
E2:D3:74:50:A3:02:20:10:42:A4:0A:03:EF:A6:38:3D:
65:09:98:ED:72:0D:C0:AD:F8:EB:61:AD:4E:DB:A5:4C:
CE:30:7D:78:0D:15:85
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 3F:17:4B:4F:D7:22:47:58:94:1D:65:1C:84:BE:0D:12:
ED:90:37:7F:1F:85:6A:EB:C1:BF:28:85:EC:F8:64:6E
Timestamp : May 2 20:33:32.415 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:A4:51:BD:EE:AF:51:4A:88:37:9A:2E:
BA:E4:08:36:49:2A:55:3E:39:C5:FB:1C:21:2D:9D:30:
5C:F5:BD:AE:58:02:21:00:BE:D3:A0:6A:06:4D:B9:0C:
9E:48:7D:8F:FF:93:3E:EB:4C:CF:F9:57:00:D2:84:41:
D1:43:BB:F2:F5:8A:3A:13
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
14:36:32:d4:9b:b3:d4:ab:9e:ed:87:e5:5e:28:aa:e7:5d:15:
56:eb:ca:f7:b0:ca:09:d9:2b:af:35:92:38:0f:c6:f9:89:c7:
85:36:63:28:a4:c7:10:f9:02:23:76:0e:cb:78:80:08:1b:3c:
74:ec:b2:98:92:e9:a2:80:52:98:7d:95:36:ac:28:a3:01:62:
ba:08:f6:8d:d4:ac:18:51:7c:20:31:03:22:ff:76:69:10:65:
8e:ba:5f:4b:86:12:69:21:2a:78:41:f4:7b:cd:89:af:48:2c:
09:40:a7:8f:c6:5e:1e:ee:a9:26:2e:61:c6:65:3a:aa:67:de:
6c:15:93:d6:6d:09:0a:35:72:2c:81:88:aa:38:99:72:bb:1e:
5d:ae:1f:78:6a:7d:1a:3b:4d:03:8b:12:af:c2:4e:13:14:42:
0a:d5:6d:20:39:fd:1c:70:47:6f:39:19:35:a3:1a:35:d3:25:
d0:3f:81:9b:a7:e9:48:98:76:51:6f:f7:1b:90:20:0c:61:e8:
0c:bc:7d:d9:66:06:6a:5c:a3:1b:c6:ad:6d:20:02:f0:d6:1e:
9e:03:4c:40:71:81:ec:d3:db:57:33:ec:71:34:53:4d:6c:9e:
9f:61:bc:72:2f:59:4e:bd:27:0b:cd:2d:f2:5e:30:a1:8c:5b:
8f:3c:c0:99
这是我的配置
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
[email protected]
leftcert=dinochain.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
eap_identity=%identity
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha25>
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sh>
和秘密
: RSA dinopriv.pem
user : EAP "password"
以下是我的问题:
如何确保 CA 证书在客户端设备上正确安装或识别?服务器端是否有特定的配置步骤可以解决此身份验证问题?
由于此服务器身份验证错误,我目前无法建立 VPN 连接,因此非常感谢任何帮助或建议。
我试过让我们加密然后尝试了 GOGETSSL。我找不到让我们加密 在我的 Android 系统证书中。但 GOGETSSL 存在。但它从来没有帮助。
答案1
这就是答案!
对于任何 CA,您都必须确保颁发服务器证书的中间 CA 证书也已发送。因此,请将其安装在
/etc/ipsec.d/cacerts