我有一台托管在 ip 上的服务器<server_ip>
我在家里有一台个人电脑,在路由器后面。盒子公网ip是<router_ip>。客户端在路由器的子网上有一个本地 ip,称为<local_ip>.
服务器在 ubuntu 18.04,本地计算机在 ubuntu 20.04。每个都是最新的并使用以下命令安装 strongswan
apt install strongswan strongswan-swanctl
服务器获得 strongswan 5.6.2 客户端获得 Strongswan 5.8.2
我使用以下命令和包 strongswan-pki 创建了一个 CA、serv 和 enduser crt
ipsec pki --gen --outform pem > ca.key
ipsec pki –self --in ca.key –dn “C=FR, O=Test, CN=Test CA” –ca –outform pe > ca.crt
ipsec pki --self --in ca.key --dn "C=FR,O=Test,CN=Test CA" --ca --outform pem > ca.crt
ipsec pki --gen --outform pem > serv.key
ipsec pki --issue --in serv.key --type priv --cacert ca.crt --cakey ca.key --dn "C=FR,O=Test,CN=serv" --san serv --outform pem > serv.crt
ipsec pki --gen --outform pem > enduser.key
ipsec pki --issue --in enduser.key --type priv --cacert ca.crt --cakey ca.key --dn "C=FR,O=Test,CN=enduser" --san enduser --outform pem > enduser.crt
除了/etc/swanctl/swanctl.conf两边我什么都没修改
服务器/etc/swanctl/swanctl.conf
connections {
server {
local {
auth = pubkey
certs = serv.crt
id = "serv"
}
remote {
auth = pubkey
id = "enduser"
}
children {
host {
start_action = trap
}
}
}
}
客户/etc/swanctl/swanctl.conf
connections {
client-server {
remote_addrs = <server_ip>
local {
auth = pubkey
certs = enduser.crt
id = "enduser"
}
remote {
auth = pubkey
id = "serv"
}
children {
to-host {
start_action = trap
}
}
}
}
在服务器上,我将证书放在以下位置
/etc/swanctl/x509/serv.crt
/etc/swanctl/x509ca/ca.crt
/etc/swanctl/private/serv.key
在客户端,我得到了那些证书
/etc/swanctl/x509/enduser.crt
/etc/swanctl/x509ca/ca.crt
/etc/swanctl/private/enduser.key
然后我在服务器和客户端上都使用以下命令
swanctl --load-conns && swanctl --load-creds
并在客户端
swanctl --initiate --child to-host
但它在客户端失败并出现以下错误
[IKE] establishing CHILD_SA to-host{7}
[ENC] generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
[NET] sending packet: from <local_ip>[4500] to <server_ip>[4500] (256 bytes)
[NET] received packet: from <server_ip>[4500] to <local_ip>[4500] (80 bytes)
[ENC] parsed CREATE_CHILD_SA response 3 [ N(TS_UNACCEPT) ]
[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
[IKE] failed to establish CHILD_SA, keeping IKE_SA
服务器端日志(使用swanctl -T)如下
08[IKE] traffic selectors <server_ip>/32[tcp/ssh] <server_ip>/32 === <local_ip>/32[tcp/55592] <local_ip>/32 inacceptable
08[IKE] failed to establish CHILD_SA, keeping IKE_SA
08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
08[NET] sending packet: from <server_ip>[4500] to <routeur_ip>[59527] (1184 bytes)
16[NET] received packet: from 86.234.97.45[59527] to <server_ip>[4500] (256 bytes)
16[ENC] parsed CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
16[IKE] traffic selectors <server_ip>/32 === <local_ip>/32 inacceptable
谁能向我解释我做错了什么?正如我认为应该自动协商 TS
所以,多亏了ecdsa,我得到了答案。
swanctl.conf我必须在服务器文件上添加一个 remote_ts 。所以现在服务器
swanctl.conf如下但老实说,我不知道它是如何修复的。我骑了https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal和https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp但我不是 100% 确定我做了什么。我相信这是因为服务器自然不知道如何将数据寻址到客户端(因为客户端从公共 ip 询问但想用他的本地 ip 回答),我们必须强迫他做我们想做的事。但我不确定。是否有任何文档可以帮助我理解流量选择器固有的概念?