strongSwan configuration process and problems

「爱情、让人受尽委屈。」 · 2022-05-26 03:51 · 347 reads · 0 likes

# 1 Process #

Reference: [https://blog.csdn.net/gaojinshan/article/details/50820513][https_blog.csdn.net_gaojinshan_article_details_50820513]

## 1.1 Generating the certificates ##

### 1) Generate the CA key and certificate: ###

```sh
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --outform pem --in caKey.pem --dn "C=CN, O=TJ, CN=Test CA" --ca > caCert.pem
```

### 2) Generate the server key and certificate: ###

```sh
ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --outform pem --in serverKey.pem > serverPub.pem
ipsec pki --issue --outform pem --cacert caCert.pem --cakey caKey.pem --in serverPub.pem --dn "C=CN, O=TJ, CN=Test Server" --san="192.168.3.51" --san="192.168.3.38" --flag serverAuth --flag ikeIntermediate > serverCert.pem
```

Note: the SAN (SubjectAltName) is the server's address or domain name and directly determines whether the connection succeeds. The value after `--san` must be the server address or domain name; several can be given.

### 3) Generate the client key and certificate: ###

```sh
ipsec pki --gen --outform pem > clientKey.pem
ipsec pki --pub --outform pem --in clientKey.pem > clientPub.pem
ipsec pki --issue --outform pem --cacert caCert.pem --cakey caKey.pem --in clientPub.pem --dn "C=CN, O=TJ, CN=Test Client" > clientCert.pem
```

### 4) Copy the certificates into the corresponding directories: ###

Note: the default output format is DER, which cannot be imported directly on a phone, so PEM is used here.

Reference: [https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA][https_wiki.strongswan.org_projects_strongswan_wiki_SimpleCA]

Paths on macOS:

```sh
cp caCert.pem /usr/local/etc/ipsec.d/cacerts/
cp serverCert.pem /usr/local/etc/ipsec.d/certs/
cp serverKey.pem /usr/local/etc/ipsec.d/private/
cp clientCert.pem /usr/local/etc/ipsec.d/certs/
cp clientKey.pem /usr/local/etc/ipsec.d/private/
```

Paths on Ubuntu:

```sh
sudo cp caCert.pem /etc/ipsec.d/cacerts/
sudo cp serverCert.pem /etc/ipsec.d/certs/
sudo cp serverKey.pem /etc/ipsec.d/private/
sudo cp clientCert.pem /etc/ipsec.d/certs/
sudo cp clientKey.pem /etc/ipsec.d/private/
```

### 5) For the Android client: convert the client certificate from PEM to PKCS#12 ###

```sh
openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
```

On a Samsung phone the prompt reads "You can install certificates from PKCS#12 files with a .pfx or .p12 file extension." Selecting the PEM certificate directly reports a successful import, but the certificate still cannot be found afterwards, so a .p12 file has to be generated.
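As an added check that is not part of the original post: before copying `serverCert.pem` into `ipsec.d/certs`, confirm that it really carries the address clients will dial as a SAN and that it chains to `caCert.pem`. The script below uses the `openssl` command-line tool (an assumption; the post itself uses `ipsec pki`) and, so that it can be run offline, builds its own throwaway CA and server certificate with the same DNs, SANs and extended key usages as the post. Those files are constructed here and are not the post's output; the check functions work on any PEM certificate.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a strongSwan server
# certificate before it goes into ipsec.d/certs: does it carry the address
# clients will connect to as a subjectAltName, and does it chain to the CA?
# Assumes the openssl command-line tool (the post itself uses ipsec pki).

# Print the subjectAltName entries of a PEM certificate, one per line,
# e.g. "IP Address:192.168.3.51" or "DNS:vpn.example.com".
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -E '^(IP Address|DNS):'
}

# Return 0 if certificate $1 lists $2 as an IP or DNS SAN, 1 otherwise.
# This is the identity constraint behind the "identity '192.168.3.51'
# required" failure in section 2.4: the client compares the address it
# dialled against the SANs of the certificate the server presents.
cert_has_san() {
    cert_sans "$1" | grep -qxF -e "IP Address:$2" -e "DNS:$2"
}

# Return 0 if certificate $1 verifies against CA certificate $2.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Combined pre-install check: server cert $1, CA cert $2, expected address $3.
# Prints one line per check and returns 1 if either check fails.
check_server_cert() {
    ok=0
    if cert_has_san "$1" "$3"; then
        echo "ok: SAN $3 present"
    else
        echo "FAIL: no SAN for $3 - reissue the server certificate with --san=\"$3\""; ok=1
    fi
    if cert_chains_to "$1" "$2"; then
        echo "ok: chains to $(openssl x509 -in "$2" -noout -subject)"
    else
        echo "FAIL: certificate does not chain to $2"; ok=1
    fi
    return $ok
}

# Build a throwaway CA and server certificate with openssl in directory $1 so
# the checks above can be exercised offline. DNs and SANs mirror the post;
# the files are constructed here and are not the post's ipsec pki output.
make_demo_pki() {
    dir="$1"; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=CN/O=TJ/CN=Test CA" \
        -keyout "$dir/caKey.pem" -out "$dir/caCert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=CN/O=TJ/CN=Test Server" \
        -keyout "$dir/serverKey.pem" -out "$dir/server.csr" 2>/dev/null
    # serverAuth plus ikeIntermediate (OID 1.3.6.1.5.5.8.2.2), as in the post
    printf 'subjectAltName=IP:192.168.3.51,IP:192.168.3.38\nextendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2\n' \
        > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/serverCert.pem" 2>/dev/null
}
```

Usage against the post's own files: `. ./check_server_cert.sh; check_server_cert serverCert.pem caCert.pem 192.168.3.51`. To try it without a real PKI, run `make_demo_pki /tmp/pki` first and point the check at `/tmp/pki/serverCert.pem`; checking an address that is not in the SAN list (for example 192.168.3.99) reproduces the constraint failure of section 2.4 before any client connects.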
## 1.2 Editing the configuration files ##

### 1) /etc/ipsec.conf ###

Reference: [https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf][https_wiki.strongswan.org_projects_strongswan_wiki_IpsecConf]

```
# ipsec.conf - strongSwan IPsec configuration file

config setup
    uniqueids=never              # allow several clients to use the same certificate

conn IKEv2-EAP
    keyexchange=ikev2            # key exchange protocol
    left=%any                    # server side, %any = any address
    leftid=222                   # server ID
    leftsubnet=0.0.0.0/0         # server-side (virtual) subnet, 0.0.0.0/0 = wildcard
    #leftsubnet=11.11.0.0/24
    leftcert=serverCert.pem      # server certificate
    leftauth=pubkey              # server authenticates with its certificate
    right=%any                   # client side, %any = any address
    rightsourceip=11.11.0.0/24   # range of IP addresses assigned to clients
    rightauth=eap-mschapv2       # client authentication: IKEv2 EAP (username/password); eap-md5 is an alternative
    #rightauth=rsa               # client authentication with certificate (IKEv2 Certificate)
    #rightcert=clientCert.pem    # client certificate (IKEv2 Certificate)
    #eap_identity=%any
    auto=add
```

### 2) strongswan.conf ###

```
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    dns1 = 114.114.114.114
    dns2 = 8.8.8.8
    dns3 = 8.8.4.4
    multiple_authentication = no
    signature_authentication = no
    flush_auth_cfg = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        /usr/local/etc/strongswan.charon.log {
            time_format = %b %e %T
            default = 4
            append = no
            flush_line = yes
        }
    }
}

include strongswan.d/*.conf
```

### 3) ipsec.secrets ###

Reference: https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets

```
# ipsec.secrets - strongSwan IPsec secrets file

: RSA serverKey.pem
: PSK "12345678"
test : EAP "pass"
e : EAP "e"
d : EAP "d"
a : EAP "a"
```

## 1.3 Starting the service ##

Run the following command to start:

```sh
sudo ipsec start
```

The commands below start, stop, restart and show the status, respectively:

```sh
sudo ipsec start
sudo ipsec stop
sudo ipsec restart
sudo ipsec statusall
```

## 1.4 Result ##

Two Android clients using the strongSwan app (reference: [https://wiki.strongswan.org/projects/strongswan/wiki/Android][https_wiki.strongswan.org_projects_strongswan_wiki_Android]) connected successfully; `sudo ipsec statusall` shows the established state as follows:

```
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Darwin 17.5.0, x86_64):
  uptime: 28 minutes, since Apr 19 14:56:01 2018
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp sshkey pem openssl curve25519 kernel-libipsec kernel-pfroute socket-default stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 xauth-generic osx-attr unity counters
Virtual IP pools (size/online/offline):
  11.168.0.0/24: 254/2/0
Listening IP addresses:
  192.168.3.51
  172.16.19.1
  172.16.36.1
Connections:
android_xauth_psk:  %any...%any  IKEv1
android_xauth_psk:   local:  uses pre-shared key authentication
android_xauth_psk:   remote: uses pre-shared key authentication
android_xauth_psk:   remote: uses XAuth authentication: any
android_xauth_psk:   child:  dynamic === 0.0.0.0/0 TUNNEL
   IKEv2-EAP:  %any...%any  IKEv2
   IKEv2-EAP:   local:  [C=CN, O=TJ, CN=Test Server] uses public key authentication
   IKEv2-EAP:    cert:  "C=CN, O=TJ, CN=Test Server"
   IKEv2-EAP:   remote: uses EAP_MSCHAPV2 authentication
   IKEv2-EAP:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (2 up, 0 connecting):
   IKEv2-EAP[2]: ESTABLISHED 10 seconds ago, 192.168.3.51[C=CN, O=TJ, CN=Test Server]...192.168.3.28[e]
   IKEv2-EAP[2]: IKEv2 SPIs: 978d573d1e478fd3_i b0732d2a963df511_r*, public key reauthentication in 2 hours
   IKEv2-EAP[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
   IKEv2-EAP{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 98098eeb_i 46523990_o
   IKEv2-EAP{2}:  AES_CBC_128/HMAC_SHA2_256_128, 1200 bytes_i (20 pkts, 0s ago), 0 bytes_o, rekeying in 48 minutes
   IKEv2-EAP{2}:   0.0.0.0/0 === 11.168.0.2/32
   IKEv2-EAP[1]: ESTABLISHED 28 minutes ago, 192.168.3.51[C=CN, O=TJ, CN=Test Server]...192.168.3.12[a]
   IKEv2-EAP[1]: IKEv2 SPIs: ccfe7d1457d773ac_i 929341305be0e1cd_r*, public key reauthentication in 2 hours
   IKEv2-EAP[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
   IKEv2-EAP{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 667a9da5_i b97425ec_o
   IKEv2-EAP{1}:  AES_CBC_128/HMAC_SHA2_256_128, 33036 bytes_i (549 pkts, 63s ago), 0 bytes_o, rekeying in 18 minutes
   IKEv2-EAP{1}:   0.0.0.0/0 === 11.168.0.1/32
```

To verify that the traffic actually goes through the VPN, set up a test environment as described in: [https://blog.csdn.net/lllkey/article/details/80069219][https_blog.csdn.net_lllkey_article_details_80069219]

# 2 Problems #

## 2.1 Configuration error ##

```
Apr 18 09:42:24 07[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Apr 18 09:42:24 07[IKE] received NO_PROPOSAL_CHOSEN notify error
```

Cause: the server configuration is wrong.

## 2.2 CA verification failed ##

```
Apr 18 10:57:31 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 18 10:57:31 12[IKE] received AUTHENTICATION_FAILED notify error
```

Cause: the certificate is not in the CA.

Fix: copy the CA certificate to the phone and import it in the connection profile.

## 2.3 Service not running ##

```
Apr 18 11:48:11 13[IKE] giving up after 3 retransmits
Apr 18 11:48:11 13[IKE] peer not responding, trying again (2/0)
Apr 18 11:48:11 13[IKE] initiating IKE_SA android[9] to 192.168.3.51
Apr 18 11:48:11 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 18 11:48:11 13[NET] sending packet: from 192.168.3.12[51487] to 192.168.3.51[500] (716 bytes)
Apr 18 11:48:11 15[IKE] destroying IKE_SA in state CONNECTING without notification
```

Cause: the strongSwan server is not running, so the connection fails. Check whether strongSwan has been started, or whether the IP address is wrong.

## 2.4 Certificate verification failed ##

```
Apr 18 14:47:13 06[CFG] checking certificate status of "C=CN, O=TJ, CN=StrongSwanTest1"
Apr 18 14:47:13 06[CFG] certificate status is not available
Apr 18 14:47:13 06[CFG] reached self-signed root ca with a path length of 0
Apr 18 14:47:13 06[IKE] authentication of 'C=CN, O=TJ, CN=StrongSwanTest1' with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 18 14:47:13 06[CFG] constraint check failed: identity '192.168.3.51' required
Apr 18 14:47:13 06[CFG] selected peer config 'android' inacceptable: constraint checking failed
Apr 18 14:47:13 06[CFG] no alternative config found
Apr 18 14:47:13 06[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Apr 18 14:47:13 06[NET] sending packet: from 192.168.3.12[41900] to 192.168.3.51[4500] (80 bytes)
```

Cause: see the following references:
[https://wiki.strongswan.org/issues/813][https_wiki.strongswan.org_issues_813] and [https://blog.csdn.net/gaojinshan/article/details/51015569][https_blog.csdn.net_gaojinshan_article_details_51015569]

The server certificate's SAN must contain the server address 192.168.3.51 as its identity, i.e. `--san` has to be added when issuing the server certificate (several may be given):

```sh
ipsec pki --issue --outform pem --cacert caCert.pem --cakey caKey.pem --in serverPub.pem --dn "C=CN, O=TJ, CN=Test Server" --san="192.168.3.51" --san="192.168.3.38" --flag serverAuth --flag ikeIntermediate > serverCert.pem
```

The issue suggests that this can now be configured in the app, but I have not found where, so the only option left is to add the SAN to the certificate.

## 2.5 Wrong username or password ##

```
Apr 18 15:36:00 12[IKE] authentication of '192.168.3.51' with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 18 15:36:00 12[IKE] server requested EAP_MSCHAPV2 authentication (id 0x4D)
Apr 18 15:36:00 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Apr 18 15:36:00 12[NET] sending packet: from 192.168.3.12[56129] to 192.168.3.51[4500] (144 bytes)
Apr 18 15:36:02 08[IKE] retransmit 1 of request with message ID 2
Apr 18 15:36:02 08[NET] sending packet: from 192.168.3.12[56129] to 192.168.3.51[4500] (144 bytes)
Apr 18 15:36:02 15[NET] received packet: from 192.168.3.51[4500] to 192.168.3.12[56129] (128 bytes)
Apr 18 15:36:02 15[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Apr 18 15:36:02 15[IKE] EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
Apr 18 15:36:02 15[IKE] EAP_MSCHAPV2 method failed
Apr 18 15:36:02 15[ENC] generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
Apr 18 15:36:02 15[NET] sending packet: from 192.168.3.12[56129] to 192.168.3.51[4500] (80 bytes)
Apr 18 15:36:02 16[MGR] ignoring request with ID 2, already processing
```

Cause: wrong username or password.

## 2.6 Connected, but no internet access ##

Reference: [https://blog.csdn.net/ficksong/article/details/79248407][https_blog.csdn.net_ficksong_article_details_79248407]

1) Ubuntu

1 Enable IP forwarding:

```sh
$ sudo vim /etc/sysctl.conf
$ sudo sysctl -p
```

with these two lines in /etc/sysctl.conf:

```
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
```

2 Add the NAT rule in iptables:

```sh
$ sudo iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
```

ens33 is the virtual machine's network interface; use `ifconfig` to find the interface your clients connect through. After this change the clients can reach the internet.

2) What was tried on macOS

**In the end the clients still could not get online. I have tried all kinds of NAT rules in pf.conf and do not know how it has to be configured for the clients to reach the internet; if anyone knows, please tell me.**

1 IP forwarding is not enabled:

```sh
sudo sysctl -a | grep forward   # show the forwarding-related settings; if they are all 0, forwarding must be enabled
sudo sysctl net.inet.ip.forwarding=1
sudo sysctl net.inet6.ip6.forwarding=1
```

2 There is no iptables on macOS; pf is configured instead:

```sh
$ sudo vim /etc/pf.anchors/http
$ sudo pfctl -vnf /etc/pf.conf
$ sudo vim /etc/pf.conf
# validate the rules, load pf.conf and refresh
$ sudo pfctl -ef /etc/pf.conf
# restart
$ sudo pfctl -E
# show the state
$ sudo pfctl -s nat
```

Configuring pf: https://www.cnblogs.com/EasonJim/p/7819478.html

pf in detail: https://www.cnblogs.com/apexchu/p/4133040.html

## 2.7 No log on the server ##

Cause: on Ubuntu the AppArmor profile prevents the log file from being read and written.

Reference: [https://blog.csdn.net/lllkey/article/details/80067687][https_blog.csdn.net_lllkey_article_details_80067687]

[https_blog.csdn.net_gaojinshan_article_details_50820513]: https://blog.csdn.net/gaojinshan/article/details/50820513
[https_wiki.strongswan.org_projects_strongswan_wiki_SimpleCA]: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
[https_wiki.strongswan.org_projects_strongswan_wiki_IpsecConf]: https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
[https_wiki.strongswan.org_projects_strongswan_wiki_Android]: https://wiki.strongswan.org/projects/strongswan/wiki/Android
[https_blog.csdn.net_lllkey_article_details_80069219]: https://blog.csdn.net/lllkey/article/details/80069219
[https_wiki.strongswan.org_issues_813]: https://wiki.strongswan.org/issues/813
[https_blog.csdn.net_gaojinshan_article_details_51015569]: https://blog.csdn.net/gaojinshan/article/details/51015569
[https_blog.csdn.net_ficksong_article_details_79248407]: https://blog.csdn.net/ficksong/article/details/79248407
[https_blog.csdn.net_lllkey_article_details_80067687]: https://blog.csdn.net/lllkey/article/details/80067687
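Sections 2.1 to 2.5 each identify a failure by one marker line in the client log. As an added example that is not part of the original post, the shell script below maps those marker lines to the causes the sections name, so a captured client log can be triaged automatically. The sample lines it carries are copied from the sections above; the mapping is this editor's reading of the post, not a diagnostic that strongSwan itself provides.

```shell
#!/bin/sh
# Added example, not from the original post: classify strongSwan client log
# lines by the failure markers described in sections 2.1 - 2.5.
# Usage: diagnose_log < charon.log      (any text log with one entry per line)

# Print a diagnosis for a single log line and return 0, or return 1 when the
# line is not one of the known failure markers. The markers are distinct:
# 2.2 keys on the *received* AUTHENTICATION_FAILED notify, while 2.4 and 2.5
# are recognised by their own lines before the client *generates* AUTH_FAILED.
classify_line() {
    case "$1" in
        *"received NO_PROPOSAL_CHOSEN notify error"*)
            echo "2.1 NO_PROPOSAL: server accepted none of the client's IKE/ESP proposals - check ipsec.conf on the server" ;;
        *"received AUTHENTICATION_FAILED notify error"*)
            echo "2.2 CA_MISMATCH: server rejected the client's authentication - certificate not under the CA, or CA certificate missing on the phone" ;;
        *"giving up after "*" retransmits"*|*"peer not responding"*)
            echo "2.3 NO_RESPONSE: nothing answered on UDP 500/4500 - strongSwan not started or wrong server address" ;;
        *"constraint check failed: identity '"*"' required"*)
            echo "2.4 SAN_MISSING: server certificate has no SAN matching the dialled address - reissue it with --san" ;;
        *"EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE"*)
            echo "2.5 BAD_CREDENTIALS: EAP username/password do not match ipsec.secrets" ;;
        *) return 1 ;;
    esac
}

# Read a log on stdin, print the diagnosis for the first marker found and
# return 0; return 1 if no known marker occurs (e.g. a successful connection).
diagnose_log() {
    while IFS= read -r line; do
        if classify_line "$line"; then
            return 0
        fi
    done
    return 1
}

# Constructed sample: the client-side lines from section 2.4 of the post.
# Note that authentication itself succeeds before the identity constraint fails.
sample_log_2_4() {
    cat <<'EOF'
Apr 18 14:47:13 06[CFG] reached self-signed root ca with a path length of 0
Apr 18 14:47:13 06[IKE] authentication of 'C=CN, O=TJ, CN=StrongSwanTest1' with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 18 14:47:13 06[CFG] constraint check failed: identity '192.168.3.51' required
Apr 18 14:47:13 06[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
EOF
}
```

Running `sample_log_2_4 | diagnose_log` prints the 2.4 diagnosis; feeding it a log of a working session prints nothing and returns 1. Because the script only reports the first marker, a log that spans several attempts should be split per attempt (each starts at an `initiating IKE_SA` line) before triage.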