Accepted
Asked by rBeal: 2021-11-12 07:25:22 +0800 CST

Using strongSwan with PKCS#11 and a YubiKey

I am trying to roll out a new VPN configuration in my company.

I have already successfully established a connection in certificate mode between my computer and my IPsec VPN server.

I loaded a p12 file onto my YubiKey containing my private key, the server's public key and the CA.

$ pkcs11-tool --test --login

Using slot 0 with a present token (0x0)
Logging in to "uid=r.beal,dc=ldap-...".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (PIV AUTH key) 
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
Verify (currently only for RSA)
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Decryption (currently only for RSA)
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
No errors

I added this section to my swanctl.conf file:

secrets {
    tokenyubikey {
        pin = 123456
        slot = 0
        handle = 1 # From what I understood, this is where my cert is
        module = yubi-module
    }
}

And this section in the /etc/strongswan.d/charon/pkcs11.conf file:

yubi-module {
    #path = /usr/lib/libykcs11.so
    path = /usr/lib/pkcs11/opensc-pkcs11.so
}

When I use the Yubico PKCS#11 module:

00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] loaded PKCS#11 v2.40 library 'yubi-module' (/usr/lib/libykcs11.so)
00[CFG]   Yubico (www.yubico.com): PKCS#11 PIV Library (SP-800-73) v2.21
00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
00[CFG]     YubiKey PIV #16616360 (Yubico (www.yubico.com): YubiKey YK5)
00[CFG]     loaded untrusted cert 'X.509 Certificate for PIV Authentication'
00[CFG]     loaded untrusted cert 'X.509 Certificate for PIV Attestation'

When the module is OpenSC:

00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] loaded PKCS#11 v2.20 library 'yubi-module' (/usr/lib/pkcs11/opensc-pkcs11.so)
00[CFG]   OpenSC Project: OpenSC smartcard framework v0.22
00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
00[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
00[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'

Which module should I use?

When I run the ipsec daemon:

# ipsec restart --nofork
Starting strongSwan 5.9.3 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.9.3, Linux 5.14.15-arch1-1, x86_64)
00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] loaded PKCS#11 v2.20 library 'yubi-module' (/usr/lib/pkcs11/opensc-pkcs11.so)
00[CFG]   OpenSC Project: OpenSC smartcard framework v0.22
00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
00[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
00[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'
00[CFG] attr-sql plugin: database URI not set
00[NET] using forecast interface wlan0
00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, [email protected]" from '/etc/ipsec.d/cacerts/ca.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] sql plugin: database URI not set
00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
00[CFG] loaded 0 RADIUS server configurations
00[CFG] HA config misses local/remote address
00[CFG] no script for ext-auth script defined, disabled
00[LIB] loaded plugins: charon ldap pkcs11 aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ntru drbg newhope bliss curl mysql sqlite attr kernel-netlink resolve socket-default bypass-lan connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity counters
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
06[IKE] installed bypass policy for 172.17.0.0/16
06[IKE] installed bypass policy for 192.168.1.0/24
06[IKE] installed bypass policy for ::1/128
06[IKE] installed bypass policy for fe80::/64
02[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
02[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
02[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'
charon (10359) started after 120 ms
11[CFG] received stroke: add connection 'test'
11[CFG]   loaded certificate "C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, [email protected]" from '/etc/swanctl/x509/r.beal.pem'
11[CFG]   id 'UID=r.beal, DC=ldap, DC=company, DC=fr' not confirmed by certificate, defaulting to 'C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, [email protected]'
11[CFG] added configuration 'test'

The smartcard is there!

Now I am trying to connect to the VPN (/etc/ipsec.conf):

conn test
     # the public IP of my VPN server
     right=1.2.3.4
     rightid=remote_id_of_the_server
     leftcert=/etc/swanctl/x509/r.beal.pem
     leftid=my_mail
     left=%defaultroute
     #leftcert=%smartcard
     auto=add

I put the CA in /etc/ipsec.d/cacerts/

ipsec log:

01[CFG] received stroke: initiate 'test'
09[IKE] initiating IKE_SA test[1] to 1.2.3.4
09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
09[NET] sending packet: from 192.168.1.199[500] to 1.2.3.4[500] (1000 bytes)
10[NET] received packet: from 1.2.3.4[500] to 192.168.1.199[500] (38 bytes)
10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
10[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
10[IKE] initiating IKE_SA test[1] to 1.2.3.4
10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
10[NET] sending packet: from 192.168.1.199[500] to 1.2.3.4[500] (1192 bytes)
06[NET] received packet: from 1.2.3.4[500] to 192.168.1.199[500] (481 bytes)
06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(CHDLESS_SUP) ]
06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
06[IKE] local host is behind NAT, sending keep alives
06[IKE] remote host is behind NAT
06[IKE] received cert request for "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, [email protected]"
06[IKE] sending cert request for "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, [email protected]"
06[IKE] no private key found for 'C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, [email protected]'

The connection starts! What do I have to do so that ipsec uses the private key from my smartcard?

I saw this post: "NO_PROPOSAL_CHOSEN" when trying to authenticate with a smartcard certificate using swanctl. Do I have the same problem? I tried copying all the certificates into the x509 directory, but I get the same error, "no private key found".

Edit ===

Now, when I call "swanctl --load-creds", ipsec finds the private key and uses it!

But now I have a network problem.

16[IKE] authentication of 'compagny.com' with RSA_EMSA_PKCS1_SHA2_256 successful
16[IKE] IKE_SA test[1] established between 192.168.1.199[[email protected]]...1.2.3.4[compagny.com]
16[IKE] scheduling reauthentication in 10059s
16[IKE] maximum IKE_SA lifetime 10599s
16[CFG] handling UNITY_SPLITDNS_NAME attribute failed
16[CFG] handling INTERNAL_IP4_NETMASK attribute failed
16[IKE] installing DNS server 172.22.0.17 to /etc/resolv.conf
16[IKE] installing new virtual IP 10.66.0.5
16[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
16[IKE] failed to establish CHILD_SA, keeping IKE_SA
16[IKE] received AUTH_LIFETIME of 20278s, reauthentication already scheduled in 10059s

I added this to my conf file:

leftsourceip=%config

My VPN server is configured not to route the clients' internet traffic. So I think this is now a network configuration problem.

strongswan yubikey

1 Answer

Best Answer
rBeal
2021-11-21T05:17:04+08:00

The solution was to set rightsubnet to 0.0.0.0/0

Thanks ecdsa!

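The thread mixes strongSwan's two configuration back-ends: the connection lives in /etc/ipsec.conf and is loaded by the legacy stroke interface (the `ipsec` command), while the token secret lives in swanctl.conf, which charon only receives when swanctl pushes it over the vici socket. That is why the "no private key found" error disappeared only after `swanctl --load-creds`. The file below is an added example, not the poster's configuration, showing the whole setup expressed in swanctl.conf so that a single `swanctl --load-all` loads the connection, the certificate and the token PIN together. It carries the accepted answer's `rightsubnet=0.0.0.0/0` as `remote_ts`, the poster's later `leftsourceip=%config` as `vips`, and pins the IKE proposal the gateway actually selected in the log so the INVAL_KE retry is avoided. The gateway address, identities and file name are the placeholders from the question; `module`, `slot` and `handle` are the values the poster used.

```conf
# /etc/swanctl/conf.d/yubikey.conf  (added example, not the poster's file)
# Load with:  swanctl --load-all      Connect with:  swanctl --initiate --child test
connections {
    test {
        # Public address of the VPN gateway (ipsec.conf: right=); placeholder from the question.
        remote_addrs = 1.2.3.4
        # Request a virtual IPv4 address from the gateway (ipsec.conf: leftsourceip=%config).
        vips = 0.0.0.0
        # The IKE proposal the gateway selected in the log:
        # IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048.
        # Offering it first avoids the "peer didn't accept DH group ECP_256" round trip.
        proposals = aes256-sha256-modp2048

        local {
            auth = pubkey
            # Certificate file relative to /etc/swanctl/x509; the matching private key
            # is on the token and is found through the secrets section below.
            certs = r.beal.pem
            # Identity sent to the gateway (ipsec.conf: leftid=); placeholder.
            id = my_mail
        }
        remote {
            auth = pubkey
            # Identity the gateway authenticates with (ipsec.conf: rightid=); placeholder.
            id = remote_id_of_the_server
        }

        children {
            test {
                # Remote traffic selector. The accepted answer's rightsubnet=0.0.0.0/0 is
                # remote_ts here; without it the gateway answered TS_UNACCEPTABLE and
                # no CHILD_SA was built.
                remote_ts = 0.0.0.0/0
                # Equivalent of auto=add: install the config, initiate manually.
                start_action = none
            }
        }
    }
}

secrets {
    # Section name must begin with "token"; the suffix is arbitrary.
    token-yubikey {
        # Name of the module section under pkcs11.modules in
        # /etc/strongswan.d/charon/pkcs11.conf (the poster's yubi-module).
        module = yubi-module
        slot = 0
        # Hex-encoded CKA_ID of the private key object on the token.
        handle = 1
        # 123456 is the YubiKey factory PIV PIN: change it, and keep this file mode 0600
        # because the PIN is stored in clear. If pin is omitted, swanctl --load-creds
        # prompts for it on the terminal instead of reading it from disk.
        pin = 123456
    }
}
```

The `yubi-module` section referenced by `module` has to sit inside `pkcs11 { modules { ... } }` in pkcs11.conf, not at the top level of that file. Whether `path` points at OpenSC's opensc-pkcs11.so or Yubico's libykcs11.so, the log shows both modules exposing the same "PIV Authentication" certificate in slot 0, so either works with this secrets section as long as `module` names the section whose `path` is active.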
