问题[ipsec](computer)

我有两个虚拟机

VM-1：我已经安装了 Strongswan 5.9。

VM-2：已安装 Strongswan 5.9，已安装freeradius（半径服务器）

我已经在两个 VM 上启动了 Strongswan systemctl start strongswan。

当我radtest <username> <password> <ipaddress> <NAS Port> <secretkey>从 VM-1 运行命令时，请求未经过 aaa 服务器的身份验证，但是当我停止时，strongswan.service我收到了Received Access-Accept来自 aaa 服务器的响应。

我的问题是为什么 VM-1 在活动时无法通信strongswan.service。我猜IPsec隧道没有建立。下面是我的swanctl.conf文件。任何人都可以在这里帮助我缺少什么。如何建立隧道并访问 AAA 服务器。

虚拟机-1

connections {

   conn1 {
    local_addrs  = x.x.x.83
    remote_addrs = x.x.x.171

    local {
     auth = psk
     id = x.x.x.83
    }
    remote {
       auth = psk
       id = x.x.x.171
    }
    children {
       vm1-to-aaa {
          local_ts  = x.x.x.83
          remote_ts = x.x.x.171

          start_action = trap
          esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
          mode = transport
       }
    }
    version = 2
    mobike = no
    reauth_time = 10800
    proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256- modp3072,default
 }
}

secrets {
  ike-1 {
    id-1 = x.x.x.83
    id-2 = x.x.x.171
    secret = "thisissecret"
 }
 }

虚拟机 - 2

  connections {

    conn2 {
     local_addrs  = x.x.x.171
     remote_addrs = x.x.x.83

     local {
       auth = psk
       id = x.x.x.171
    }
    remote {
       auth = psk
       id = x.x.x.83
    }
    children {
       aaa-to-vm1 {
          local_ts  = x.x.x.171
          remote_ts = x.x.x.83

          start_action = trap
          esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
          mode = transport
       }
    }
    version = 2
    mobike = no
    reauth_time = 10800
    proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
 }
 }

secrets {
  ike-1 {
    id-1 = x.x.x.171
    id-2 = x.x.x.83
    secret = "thisissecret"
 }
}

更新

当我启动命令swanctl -i conn1 -c vm1-to-aaa时，我得到 -

 [IKE] giving up after 5 retransmits
 [IKE] establishing IKE_SA failed, peer not responding
 initiate failed: establishing CHILD_SA 'vm1-to-aaa' failed

以下是我的防火墙设置 -

 public (active)
   target: default
   icmp-block-inversion: no
   interfaces: ens32
   sources:
   services: cockpit dhcpv6-client http https ipsec ssh
   ports: 443/tcp 8765/tcp 8088/tcp 1812/udp 1813/udp 500/udp  4500/udp
   protocols:
   forward: no
   masquerade: yes
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
     rule protocol value="ah" accept
     rule protocol value="esp" accept

我正在尝试使用 RADIUS 身份验证配置 strongSwan IPsec VPN。使用 OpenLDAP 对 FreeRadius 进行用户名/密码的实际 EAP-MSCHAPv2 身份验证是成功的，但随后我遇到以下错误消息：

Jul 15 21:31:04 odroidc4 charon-systemd[814594]: authentication of '100.80.129.171' with EAP successful
Jul 15 21:31:04 odroidc4 charon-systemd[814594]: constraint check failed: peer not authenticated by CA 'C=DE, O=ahpohl, CN=ahpohl Root CA'
Jul 15 21:31:04 odroidc4 charon-systemd[814594]: selected peer config 'eap-radius' unacceptable: non-matching authentication done
Jul 15 21:31:04 odroidc4 charon-systemd[814594]: no alternative config found

搜索约束检查失败消息并没有给出任何结论性的结果。我尝试了 Windows 10 Pro 和 iPhone iOS 15.5 客户端，两者都因相同的约束检查而失败。

如何使支票通过或禁用支票？谁是“对等体”、客户端或 RADIUS 服务器？

我使用以下内容swantctl.conf：

connections {
  eap-radius {
    pools = ipv4, ipv6
    send_cert = always
    local {
      auth = pubkey
      certs = vpnCert.pem
      id = vpn.ahpohl.com
    }
    remote {
      auth = eap-radius
      cacerts = ahpohlCert.pem
      eap_id = %any
    }
    children {
      eap-radius {
        local_ts = 0.0.0.0/0, ::/0
        esp_proposals = aes256-sha256-sha1-modp2048
      }
      version = 2
      proposals = aes256-sha256-modp2048
    }
  }
}

pools {
  ipv4 {
    addrs = 10.10.1.64/26
    dns = 192.168.178.1
  }
  ipv6 {
    addrs = 2a02:168:4407:1::/122
    dns = fd00::ca0e:14ff:fe0c:e6a5
  }
}

CA 和服务器证书是使用 strongSwanpki工具创建的：

# create CA
pki --gen --type rsa --size 3072 --outform pem > private/ahpohlKey.pem
pki --self --ca --lifetime 3652 --in private/ahpohlKey.pem --dn "C=DE, O=ahpohl, CN=ahpohl Root CA" --outform pem > x509ca/ahpohlCert.pem

# create server certificate:
pki --gen --type rsa --size 3072 --outform pem > private/vpnKey.pem
pki --req --type priv --in private/vpnKey.pem --dn "C=DE, O=ahpohl, CN=vpn.ahpohl.com" --san vpn.ahpohl.com --outform pem > vpnReq.pem
pki --issue --cacert x509ca/ahpohlCert.pem --cakey private/ahpohlKey.pem --type pkcs10 --in vpnReq.pem --serial 01 --lifetime 1826 --flag serverAuth --flag ikeIntermediate --crl https://www.ahpohl.com/crl/ahpohl.crl --outform pem > x509/vpnCert.pem

我按照 StrongSwan wiki上的 howtos进行 strongSwan 配置、证书创建和证书互操作性建议。strongSwan VPN 网关的完整连接日志和 FreeRadiusradiusd -X调试输出有点长，需要放在这里，但如果需要，可以使用。

当我尝试使用预共享密钥连接到我的 L2TP/IPsec vpn 时，我收到以下错误：

The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer

我为尝试修复它所做的事情：

• 我检查了正确的端口在我的路由器上转发。
• 我检查了预共享密钥和帐户密码。
• 我在服务器端重新启动了 VPN，并确保设置了正确的预共享密钥。
• 我检查了 IKE 和 IPsec 服务是否正在运行
• 我尝试重新启动 IKE 和 IPsec 服务
• 我检查了网络适配器，在安全情况下允许 MS-CHAP v2
• 我在网络适配器中检查了选项下的 PPP 设置启用了 LCP 扩展

这些是我能找到解决此问题的唯一方法，但它们并没有帮助我解决问题。有关如何解决此问题的任何提示？

• 操作系统：Windows 10 v1909
• VPN：VPN Server 1.3.11-2777（来自synology 包中心）

如何将 nftables 配置为仅允许入站 ipsec 流量和解密后的处理规则。我有 nftable.conf：

#!/sbin/nft -f

flush ruleset

# ----- IPv4 -----
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp icmp type echo-request counter accept comment "accept ICMP echo-request types"

        # Accept SSH incoming traffic
        tcp dport ssh counter accept comment "accept SSH"

        # Accept IPsec traffic
        udp dport { isakmp, ipsec-nat-t } counter accept comment "accept ISAKMP and IPsec NAT traversal"
        ip protocol { ah, esp } counter accept comment "accept AH and ESP"

        counter comment "count dropped packets"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }

    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}


# ----- IPv6 -----
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
        counter comment "count dropped packets"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }

    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}

IPSec 配置了 StrongSwan，添加规则后 ping 通：

ip protocol icmp icmp type echo-request counter accept comment "accept ICMP echo-request types"