Dazounet
Asked: 2020-10-24 07:29:32 +0800 CST

Builder: failed to build TUN device

I am trying to create a simple strongSwan connection between a server and an Android phone using the strongSwan Android app.

My Android phone: Android 8.0.0 with Samsung Experience 9.0, a Galaxy A5 (2017) model.

I tried both 4G and Wifi. My strongSwan app is version 2.3.0, updated June 2020.

My server: an up-to-date Ubuntu 18.04 VPS.

My strongSwan server configuration is as follows. I manually downloaded strongSwan 5.9.0 and then used

./configure --prefix=/custompath/strongroot --disable-stroke --with-piddir=/custompath/strongroot/var/run --enable-eap-dynamic --enable-eap-mschapv2 --enable-eap-aka --enable-eap-identity --enable-md4
make
make install

My strongswan.conf is as follows

charon {
        load_modular = yes

        plugins {

                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

My server-side swanctl.conf is as follows

connections {
       server {
                pools = primary-pool-ipv4, primary-pool-ipv6
                local {
                        auth = pubkey
                        certs = <server_crt>
                        id = <server_id>
                }
                remote {
                        auth = eap-dynamic
                        id = %any
                }
                children {
                        client {
                                start_action = trap
                                local_ts = 0.0.0.0/0,::/0
                        }
                }
        }
}


secrets {
        eap-test {
                id = <user_id>
                secret = <user_password>
        }
}


pools {
    primary-pool-ipv4 {
        addrs = 127.0.0.0/8
        dns = 8.8.8.8 
    }
    primary-pool-ipv6 {
        addrs = ::/24

    }
}  

The server is started as root with the following commands and shows these results

/custompath/strongroot/libexec/ipsec/charon &
/custompath/strongroot/sbin/swanctl -q


loaded certificate from '/custompath/strongroot/etc/swanctl/x509/<server_crt>'
loaded certificate from '/custompath/strongroot/etc/swanctl/x509ca/<CA_crt>'
loaded rsa key from '/custompath/strongroot/etc/swanctl/private/<server_key>'
loaded eap secret 'eap-test'
no authorities found, 0 unloaded
loaded pool 'primary-pool-ipv4'
loaded pool 'primary-pool-ipv6'
successfully loaded 2 pools, 0 unloaded
loaded connection 'server'
successfully loaded 1 connections, 0 unloaded


On my Android phone I used the following parameters in the strongSwan app

Server : <server ipv4>
VPN Type : IKEv2 EAP (Username/Password)
Username : <user_id>
Password : <user_password>

CA certificate : <CA_crt>

Server identity : <server_id>
Client identity : <user_id>

All other fields were left at their default/blank values (except the OCSP certificate check, which I disabled because it is a locally generated CA certificate; not sure whether it makes any difference here).

On my server side everything is set up correctly (especially the CA and server crt).

But when I try to establish the connection, I get these logs on the client side (because there

[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
[DMN] Starting IKE service (strongSwan 5.8.4, Android 8.0.0 - R16NW.A520FXXSFCTG8/2020-08-01, SM-A520F - samsung/a5y17ltexx/samsung, Linux 3.18.14-13712092-QB33307948, aarch64)
    Oct 23 16:11:53 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
[JOB] spawning 16 worker threads
[LIB] all OCSP validation disabled
[IKE] initiating IKE_SA android[15] to <server_ip>
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from <client_ip>[33144] to <server_ip>[500] (716 bytes)
[NET] received packet: from <server_ip>[500] to <client_ip>[33144] (38 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
[IKE] peer didn't accept DH group ECP_256, it requested CURVE_25519
[IKE] initiating IKE_SA android[15] to <server_ip>
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from <client_ip>[33144] to <server_ip>[500] (684 bytes)
[NET] received packet: from <server_ip>[500] to <client_ip>[33144] (273 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
[IKE] local host is behind NAT, sending keep alives
[IKE] received cert request for "C=FR, O=Test, CN=Test CA"
[IKE] sending cert request for "C=FR, O=Test, CN=Test CA"
[IKE] establishing CHILD_SA android{15}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from <client_ip>[56499] to <server_ip>[4500] (480 bytes)
[NET] received packet: from <server_ip>[4500] to <client_ip>[56499] (1184 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/AKA ]
[IKE] received end entity cert "C=FR, O=Test, CN=<server_id>"
[CFG]   using certificate "C=FR, O=Test, CN=<server_id>"
[CFG]   using trusted ca certificate "C=FR, O=Test, CN=Test CA"
[CFG] checking certificate status of "C=FR, O=Test, CN=<server_id>"
[CFG] certificate status is not available
[CFG]   reached self-signed root ca with a path length of 0
[IKE] authentication of 'serv' with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] server requested EAP_AKA authentication (id 0xCA)
[IKE] EAP method not supported, sending EAP_NAK
[ENC] generating IKE_AUTH request 2 [ EAP/RES/NAK ]
[NET] sending packet: from <client_ip>[56499] to <server_ip>[4500] (80 bytes)
[NET] received packet: from <server_ip>[4500] to <client_ip>[56499] (112 bytes)
[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
[IKE] server requested EAP_MSCHAPV2 authentication (id 0x7A)
[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
[NET] sending packet: from <client_ip>[56499] to <server_ip>[4500] (144 bytes)
[NET] received packet: from <server_ip>[4500] to <client_ip>[56499] (144 bytes)
[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
[NET] sending packet: from <client_ip>[56499] to <server_ip>[4500] (80 bytes)
[NET] received packet: from <server_ip>[4500] to <client_ip>[56499] (80 bytes)
[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
[IKE] authentication of <user_id> (myself) with EAP
[ENC] generating IKE_AUTH request 5 [ AUTH ]
[NET] sending packet: from <client_ip>[56499] to <server_ip>[4500] (96 bytes)
[NET] received packet: from <server_ip>[4500] to <client_ip>[56499] (336 bytes)
[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR ADDR6 DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
[IKE] authentication of <server_id> with EAP successful
[IKE] IKE_SA android[15] established between <client_ip>[<user_id>]...<server_ip>[<server_id>]
[IKE] scheduling rekeying in 35468s
[IKE] maximum IKE_SA lifetime 37268s
[IKE] installing DNS server 8.8.8.8
[IKE] installing new virtual IP 127.0.0.1
[IKE] installing new virtual IP ::1
[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
[IKE] CHILD_SA android{15} established with SPIs d1729f20_i cded7525_o and TS 127.0.0.1/32 ::1/128 === 0.0.0.0/0 ::/0
[DMN] setting up TUN device for CHILD_SA android{15}
[LIB] builder: failed to build TUN device
[DMN] failed to setup TUN device
[IKE] peer supports MOBIKE
[IKE] deleting IKE_SA android[15] between <client_ip>[<user_id>]...<server_ip>[<server_id>]
[IKE] sending DELETE for IKE_SA android[15]
[ENC] generating INFORMATIONAL request 6 [ D ]
[NET] sending packet: from <client_ip>[56499] to <server_ip>[4500] (80 bytes)

The important lines here seem to be

[LIB] builder: failed to build TUN device
[DMN] failed to setup TUN device

I only found online resources about an Android 4.4 bug, which is not the case here. Any ideas on how to fix it?

I am not showing the server-side logs because they are very verbose, but no error is reported (I can still show them to you if needed). It seems the server receives the DELETE from the client and then proceeds to close the connection, going from ESTABLISHED to DELETING to DESTROYING as shown below

[IKE] <server|8> IKE_SA server[8] state change: ESTABLISHED => DELETING
[...]
[MGR] <server|8> checkin and destroy IKE_SA server[8]
[IKE] <server|8> IKE_SA server[8] state change: DELETING => DESTROYING
[CHD] <server|8> CHILD_SA client{4} state change: INSTALLED => DESTROYING
[KNL] <server|8> deleting policy 0.0.0.0/0 === 127.0.0.1/32 out
vpn strongswan android

1 Answer

Best Answer
Dazounet
2020-10-28T07:04:55+08:00

The answer here was the wrong pool addresses I assigned. Changing to

pools {
    primary-pool-ipv4 {
        addrs = 10.0.0.0/24
        dns = 8.8.8.8 
    }
    primary-pool-ipv6 {
        addrs = 2620:0:2d0:200::7/97

    }
}

works properly.

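The accepted answer replaces the loopback pools (127.0.0.0/8 handed the phone 127.0.0.1, ::/24 handed it ::1, and Android's VpnService cannot build a TUN device on a loopback address). As an added example, not code from the asker or from strongSwan, the checker below parses the pools block of a swanctl.conf and flags any pool whose range overlaps loopback, unspecified, link-local or multicast space; it assumes one CIDR per pool.

```python
# Added example, not code from the question or from strongSwan: flag swanctl.conf
# pools whose virtual-IP range a client cannot configure on its TUN interface.
# The question's pools (127.0.0.0/8 and ::/24) handed the phone 127.0.0.1 and ::1,
# which Android's VpnService rejects: "builder: failed to build TUN device".
import ipaddress
import re

# Constructed samples: the pools block from the question and the accepted fix.
BROKEN_POOLS = """pools {
    primary-pool-ipv4 {
        addrs = 127.0.0.0/8
    }
    primary-pool-ipv6 {
        addrs = ::/24
    }
}"""
FIXED_POOLS = """pools {
    primary-pool-ipv4 {
        addrs = 10.0.0.0/24
    }
    primary-pool-ipv6 {
        addrs = 2620:0:2d0:200::7/97
    }
}"""

# Ranges no client can use as a tunnel address (loopback, unspecified,
# link-local, multicast) for IPv4 and IPv6.
UNUSABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
    "::1/128", "::/128", "fe80::/10", "ff00::/8")]

# Matches "<pool-name> { addrs = <cidr>"; one CIDR per pool (swanctl also
# accepts address lists and ranges, which this check does not cover).
_POOL_RE = re.compile(r"([\w-]+)\s*\{\s*addrs\s*=\s*([^\s}]+)")


def parse_pools(text):
    """Return {pool_name: ip_network} for every pool with an addrs setting."""
    # strict=False because swanctl accepts host bits in the prefix (e.g. ::7/97).
    return {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in _POOL_RE.findall(text)}


def pool_problems(text):
    """Return {pool_name: [overlapping unusable ranges]} for the bad pools."""
    problems = {}
    for name, net in parse_pools(text).items():
        hits = [str(r) for r in UNUSABLE
                if r.version == net.version and net.overlaps(r)]
        if hits:
            problems[name] = hits
    return problems
```

Running `pool_problems` over the question's block flags both pools; over the accepted answer's block it returns an empty dict.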
