关于【strongswan】的问题- 第1页

alex

Asked: 2022-03-31 06:45:55 +0800 CST

如何将 ipsec 客户端与 StrongSwan 中的不同连接链接？

0

我使用 strongswan ipsec 作为移动设备 (Android) 的 VPN 网关。在 StrongSwan 配置中，我为 2 个不同的用户组设置了 2 个连接（两个不同的子网 10.10.10.0/24、10.10.20.0/24 具有不同的路由策略）。

而且我不明白（并且在手册和论坛中找不到）如何将用户与连接联系起来。在哪里以及如何设置严格的用户>连接关系？

谢谢！

我的 ipsec 配置：

cat /etc/ipsec.conf

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no
conn any2ex
    auto=add
    compress=yes
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=*.*.233.132 #I've masked server IP for this post. Certificate was issued for the ip address.
    left=*.*.233.132  
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

conn ex2loc
    auto=add
    compress=yes
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=*.*.233.132
    leftid=*.*.233.132
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.20.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

我用这个配置Android客户端

https://docs.strongswan.org/strongswan-docs/5.9/os/androidVpnClientProfiles.html#_example

Flo

Asked: 2022-03-31 02:22:43 +0800 CST

Strongswan / Ipsec 多个 roadwarrior 连接不同的子网

1

我正在尝试设置一个 StrongSwan VPN 服务器，它应该托管多个（Windows 10 - 内部 vpn 客户端）roadwarrior 连接，但不同的子网，具体取决于客户端证书。

root@VPN:/# ipsec version

Linux strongSwan U5.8.2/K5.4.0-26-generic

我的设置有 2 对公钥和私钥，使用不同的 CN，比如说vpn-dev.mycom.com和vpn-liv.mycom.com. 使用的ipsec.conf看起来像这样：

conn vpn-dev
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    ikelifetime=25200s
    leftid=vpn-dev.mycom.com
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.100.0.0/16-10.100.254.254/16
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    rightcert=ca-cert.pem
    eap_identity=%identity
    ike=aes128-sha1-modp1024


conn vpn-liv
    also=vpn-dev
    leftid=vpn-liv.mycom.com
    leftcert=liv-server-cert.pem
    rightsourceip=10.200.0.0/16-10.200.254.254/16
    rightcert=liv-ca-cert.pem

两个证书密钥也存储在ipsec.secrets

vpn-dev.mycom.com : RSA "server-key.pem"
vpn-liv.mycom.com : RSA "liv-server-key.pem"

someuser : EAP "somepassword"

但是，一旦我尝试连接到 strongswan 实例，vpn-dev就会使用连接并且 strongswan 不会切换到 connvpn-liv

这是尝试期间的日志：

Mar 30 08:47:48 VPN charon: 16[NET] received packet: from X.X.X.X[64558] to X.X.X.X[500] (1084 bytes)
Mar 30 08:47:48 VPN charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 30 08:47:48 VPN charon: 16[IKE] received MS-Negotiation Discovery Capable vendor ID
Mar 30 08:47:48 VPN charon: 16[IKE] X.X.X.X is initiating an IKE_SA
Mar 30 08:47:48 VPN charon: 16[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 30 08:47:48 VPN charon: 16[IKE] local host is behind NAT, sending keep alives
Mar 30 08:47:48 VPN charon: 16[IKE] remote host is behind NAT
Mar 30 08:47:48 VPN charon: 16[NET] sending packet: from X.X.X.X[500] to X.X.X.X[64558] (328 bytes)
Mar 30 08:47:48 VPN charon: 06[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 10[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 05[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 14[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (368 bytes)
Mar 30 08:47:48 VPN charon: 14[IKE] received cert request for "CN=PRIV VPN LIV CA"
Mar 30 08:47:48 VPN charon: 14[IKE] received 69 cert requests for an unknown ca
Mar 30 08:47:48 VPN charon: 14[CFG] looking for peer configs matching X.X.X.X[%any]...X.X.X.X[192.168.0.117]

Mar 30 08:47:48 VPN charon: 14[CFG] selected peer config 'vpn-dev' # << here it has not selected vpn-live, even if the earlier provided private key is only matching vpn-live

Mar 30 08:47:48 VPN charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar 30 08:47:48 VPN charon: 14[IKE] peer supports MOBIKE
Mar 30 08:47:48 VPN charon: 14[IKE] authentication of 'vpn-dev.mycom.com' (myself) with RSA     signature successful
Mar 30 08:47:48 VPN charon: 14[IKE] sending end entity cert "CN=vpn-dev.mycom.com"
Mar 30 08:47:49 VPN charon: 14[IKE] sending cert request for "CN=PRIV VPN DEV CA"
Mar 30 08:47:49 VPN charon: 14[IKE] sending cert request for "CN=PRIV VPN LIV CA"
Mar 30 08:47:49 VPN charon: 14[NET] sending packet: from X.X.X.X[500] to X.X.X.X[64548] (364 bytes)
Mar 30 08:47:49 VPN charon: 06[NET] received packet: from X.X.X.X[64618] to X.X.X.X[4500] (92 bytes)
Mar 30 08:47:49 VPN charon: 06[IKE] received (28) error notify

目标基本上是在一台机器上托管 2 个 vpn 端点，但根据登录/使用的证书提供不同的 IP 范围。

本地配置是用（powershell）完成的

Import-Certificate -FilePath liv-ca-cert.pem -CertStoreLocation 'Cert:\LocalMachine\Root'
Add-VpnConnection -Name 'LIV VPN' -ServerAddress 'vpn-live.mycom.com' -AuthenticationMethod Eap -IdleDisconnectSeconds 43200

我错过了什么吗？我的设置是否配置错误？或者这对于strongswan和Windows 10内部vpn客户端根本不可能？

m. vokhm

Asked: 2022-03-18 22:30:36 +0800 CST

Strongswan 和 Windows 客户端：连接在几分钟内冻结

-1

在 AWS VPS 上，我安装了 Strongswan 以将其用作 VPN。它适用于 iPhone 客户端。但是，当我尝试从 Windows 客户端连接时，SA 连接成功建立并在几分钟内正常工作，但几分钟后（2 到 10 分钟，在大多数情况下为 2 或更多）连接挂起并且停止通过交通。似乎双方都认为连接是有效的，至少我看不到任何错误迹象。

我花了几天时间试图找出问题所在。互联网上描述这种情况的材料似乎很少。另外，我是 Linux 管理和网络的新手，所以我可能看到了对此问题的描述和解决方案，但我就是无法理解。我将非常感谢任何帮助。

下面是ipsec.conf（这里服务器的真实外部IP替换为EXT.SRVR.IP.ADR）

config setup
    uniqueids=never
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn %default
    keyexchange=ikev2
    ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
    esp=aes128gcm16-sha2_256-ecp256,aes256-sha1!
    fragmentation=yes
    rekey=no
    compress=yes
    dpdaction=clear
    left=%any
    leftauth=pubkey
    leftsourceip=EXT.SRVR.IP.ADR
    leftid=EXT.SRVR.IP.ADR
    leftcert=debian.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=pubkey
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4

conn ikev2-pubkey
    auto=add

这里是摘录ipsec.log（真实IP替换为"EXT.SRVR.IP.ADR"，对于服务器的外部IP，分别是其内部IP和我的Windows客户端，省略了明显不相关的行"INT.SRVR.IP.ADR"）"MY.CLNT.IP.ADR"

Mar 17 12:41:17 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[500] to INT.SRVR.IP.ADR[500]
Mar 17 12:41:17 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:41:17 server-name charon: 07[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i 0000000000000000_r
Mar 17 12:41:17 server-name charon: 07[MGR] created IKE_SA (unnamed)[1]
Mar 17 12:41:17 server-name charon: 07[NET] received packet: from MY.CLNT.IP.ADR[500] to INT.SRVR.IP.ADR[500] (536 bytes)
Mar 17 12:41:17 server-name charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 17 12:41:17 server-name charon: 07[CFG] looking for an ike config for INT.SRVR.IP.ADR...MY.CLNT.IP.ADR
Mar 17 12:41:17 server-name charon: 07[CFG]   candidate: %any...%any, prio 28
Mar 17 12:41:17 server-name charon: 07[CFG] found matching ike config: %any...%any with prio 28
Mar 17 12:41:17 server-name charon: 07[IKE] MY.CLNT.IP.ADR is initiating an IKE_SA
Mar 17 12:41:17 server-name charon: 07[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   proposal matches
Mar 17 12:41:17 server-name charon: 07[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
Mar 17 12:41:17 server-name charon: 07[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 17 12:41:17 server-name charon: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 17 12:41:17 server-name charon: 07[IKE] local host is behind NAT, sending keep alives
Mar 17 12:41:17 server-name charon: 07[IKE] remote host is behind NAT
Mar 17 12:41:17 server-name charon: 07[IKE] sending cert request for "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 17 12:41:17 server-name charon: 07[NET] sending packet: from INT.SRVR.IP.ADR[500] to MY.CLNT.IP.ADR[500] (465 bytes)
Mar 17 12:41:17 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[500] to MY.CLNT.IP.ADR[500]
Mar 17 12:41:17 server-name charon: 07[MGR] checkin IKE_SA (unnamed)[1]
Mar 17 12:41:17 server-name charon: 07[MGR] checkin of IKE_SA successful
Mar 17 12:41:17 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:41:17 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:41:17 server-name charon: 08[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:17 server-name charon: 08[MGR] IKE_SA (unnamed)[1] successfully checked out
Mar 17 12:41:17 server-name charon: 08[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (3408 bytes)
Mar 17 12:41:17 server-name charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 39:9e:66:a7:20:3c:4d:06:fb:62:6b:65:87:22:35:57:a0:a0:0a:22
...
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 88:a9:5a:ef:c0:84:fc:13:74:41:6b:b1:63:32:c2:cf:92:59:bb:3b
...
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 4f:9c:7d:21:79:9c:ad:0e:d8:b9:0c:57:9f:1a:02:99:e7:90:f3:87
Mar 17 12:41:17 server-name charon: 08[IKE] received 67 cert requests for an unknown ca
Mar 17 12:41:17 server-name charon: 08[IKE] received end entity cert "CN=me"
Mar 17 12:41:17 server-name charon: 08[CFG] looking for peer configs matching INT.SRVR.IP.ADR[%any]...MY.CLNT.IP.ADR[CN=me]
Mar 17 12:41:17 server-name charon: 08[CFG]   candidate "ikev2-pubkey", match: 1/1/28 (me/other/ike)
Mar 17 12:41:17 server-name charon: 08[CFG] selected peer config 'ikev2-pubkey'
Mar 17 12:41:17 server-name charon: 08[CFG]   using certificate "CN=me"
Mar 17 12:41:17 server-name charon: 08[CFG]   certificate "CN=me" key: 4096 bit RSA
Mar 17 12:41:17 server-name charon: 08[CFG]   using trusted ca certificate "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 08[CFG] checking certificate status of "CN=me"
Mar 17 12:41:17 server-name charon: 08[CFG] ocsp check skipped, no ocsp found
Mar 17 12:41:17 server-name charon: 08[CFG] certificate status is not available
Mar 17 12:41:17 server-name charon: 08[CFG]   certificate "CN=EXT.SRVR.IP.ADR" key: 4096 bit RSA
Mar 17 12:41:17 server-name charon: 08[CFG]   reached self-signed root ca with a path length of 0
Mar 17 12:41:17 server-name charon: 08[IKE] authentication of 'CN=me' with RSA signature successful
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_ADDRESS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_DNS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_NBNS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_SERVER attribute
Mar 17 12:41:17 server-name charon: 08[IKE] peer supports MOBIKE
Mar 17 12:41:17 server-name charon: 08[IKE] authentication of 'EXT.SRVR.IP.ADR' (myself) with RSA signature successful
Mar 17 12:41:17 server-name charon: 08[IKE] IKE_SA ikev2-pubkey[1] established between INT.SRVR.IP.ADR[EXT.SRVR.IP.ADR]...MY.CLNT.IP.ADR[CN=me]
Mar 17 12:41:17 server-name charon: 08[IKE] IKE_SA ikev2-pubkey[1] state change: CONNECTING => ESTABLISHED
Mar 17 12:41:17 server-name charon: 08[IKE] sending end entity cert "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 08[IKE] peer requested virtual IP %any
Mar 17 12:41:17 server-name charon: 08[CFG] assigning new lease to 'CN=me'
Mar 17 12:41:17 server-name charon: 08[IKE] assigning virtual IP 10.10.10.1 to peer 'CN=me'
Mar 17 12:41:17 server-name charon: 08[IKE] building INTERNAL_IP4_DNS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] building INTERNAL_IP4_DNS attribute
Mar 17 12:41:17 server-name charon: 08[CFG] looking for a child config for 0.0.0.0/0 === 0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[CFG] proposing traffic selectors for us:
Mar 17 12:41:17 server-name charon: 08[CFG]  0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[CFG] proposing traffic selectors for other:
Mar 17 12:41:17 server-name charon: 08[CFG]  10.10.10.1/32
Mar 17 12:41:17 server-name charon: 08[CFG]   candidate "ikev2-pubkey" with prio 5+1
Mar 17 12:41:17 server-name charon: 08[CFG] found matching child config "ikev2-pubkey" with prio 6
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   proposal matches
Mar 17 12:41:17 server-name charon: 08[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 17 12:41:17 server-name charon: 08[CFG] configured proposals: ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 17 12:41:17 server-name charon: 08[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 17 12:41:17 server-name charon: 08[KNL] got SPI c6bcf84d
Mar 17 12:41:17 server-name charon: 08[CFG] selecting traffic selectors for us:
Mar 17 12:41:17 server-name charon: 08[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[CFG] selecting traffic selectors for other:
Mar 17 12:41:17 server-name charon: 08[CFG]  config: 10.10.10.1/32, received: 0.0.0.0/0 => match: 10.10.10.1/32
Mar 17 12:41:17 server-name charon: 08[KNL] adding SAD entry with SPI c6bcf84d and reqid {1}
Mar 17 12:41:17 server-name charon: 08[KNL]   using encryption algorithm AES_CBC with key size 256
Mar 17 12:41:17 server-name charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Mar 17 12:41:17 server-name charon: 08[KNL]   using replay window of 32 packets
Mar 17 12:41:17 server-name charon: 08[KNL] adding SAD entry with SPI b74162a4 and reqid {1}
Mar 17 12:41:17 server-name charon: 08[KNL]   using encryption algorithm AES_CBC with key size 256
Mar 17 12:41:17 server-name charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Mar 17 12:41:17 server-name charon: 08[KNL]   using replay window of 0 packets
Mar 17 12:41:17 server-name charon: 08[KNL] adding policy 0.0.0.0/0 === 10.10.10.1/32 out [priority 391808, refcount 1]
Mar 17 12:41:17 server-name charon: 08[KNL] policy already exists, try to update it
Mar 17 12:41:17 server-name charon: 08[KNL] adding policy 10.10.10.1/32 === 0.0.0.0/0 in [priority 391808, refcount 1]
Mar 17 12:41:17 server-name charon: 08[KNL] policy already exists, try to update it
Mar 17 12:41:17 server-name charon: 08[KNL] adding policy 10.10.10.1/32 === 0.0.0.0/0 fwd [priority 391808, refcount 1]
Mar 17 12:41:17 server-name charon: 08[KNL] policy already exists, try to update it
Mar 17 12:41:17 server-name charon: 08[KNL] policy 0.0.0.0/0 === 10.10.10.1/32 out already exists, increasing refcount
Mar 17 12:41:17 server-name charon: 08[KNL] updating policy 0.0.0.0/0 === 10.10.10.1/32 out [priority 191808, refcount 2]
Mar 17 12:41:17 server-name charon: 08[KNL] getting a local address in traffic selector 0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[KNL] using host %any
Mar 17 12:41:17 server-name charon: 08[KNL] getting iface name for index 2
Mar 17 12:41:17 server-name charon: 08[KNL] using 172.26.0.1 as nexthop and eth0 as dev to reach MY.CLNT.IP.ADR/32
Mar 17 12:41:17 server-name charon: 08[KNL] installing route: 10.10.10.1/32 via 172.26.0.1 src %any dev eth0
Mar 17 12:41:17 server-name charon: 08[KNL] getting iface index for eth0
Mar 17 12:41:17 server-name charon: 08[KNL] policy 10.10.10.1/32 === 0.0.0.0/0 in already exists, increasing refcount
Mar 17 12:41:17 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 in [priority 191808, refcount 2]
Mar 17 12:41:17 server-name charon: 08[KNL] policy 10.10.10.1/32 === 0.0.0.0/0 fwd already exists, increasing refcount
Mar 17 12:41:17 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 fwd [priority 191808, refcount 2]
Mar 17 12:41:17 server-name charon: 08[IKE] CHILD_SA ikev2-pubkey{1} established with SPIs c6bcf84d_i b74162a4_o and TS 0.0.0.0/0 === 10.10.10.1/32
Mar 17 12:41:17 server-name charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
Mar 17 12:41:17 server-name charon: 08[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (2048 bytes)
Mar 17 12:41:17 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500]
Mar 17 12:41:17 server-name charon: 08[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:17 server-name charon: 08[MGR] checkin of IKE_SA successful
Mar 17 12:41:37 server-name charon: 10[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:37 server-name charon: 10[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:37 server-name charon: 10[KNL] querying policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:41:37 server-name charon: 10[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:37 server-name charon: 10[MGR] checkin of IKE_SA successful
Mar 17 12:41:47 server-name dhclient[358]: PRC: Renewing lease on eth0.
Mar 17 12:41:47 server-name dhclient[358]: XMT: Renew on eth0, interval 9070ms.
Mar 17 12:41:47 server-name dhclient[358]: RCV: Reply message on eth0 from fe80::60:52ff:fe0a:c10e.
Mar 17 12:41:47 server-name charon: 11[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:47 server-name charon: 11[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:47 server-name charon: 11[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:47 server-name charon: 11[MGR] checkin of IKE_SA successful
Mar 17 12:41:47 server-name charon: 12[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:47 server-name charon: 12[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:47 server-name charon: 12[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:41:47 server-name charon: 12[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:41:47 server-name charon: 12[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:47 server-name charon: 12[MGR] checkin of IKE_SA successful
Mar 17 12:41:56 server-name charon: 13[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:56 server-name charon: 13[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:56 server-name charon: 13[KNL] querying policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:41:56 server-name charon: 13[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:56 server-name charon: 13[MGR] checkin of IKE_SA successful
...
Mar 17 12:49:35 server-name charon: 16[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:35 server-name charon: 16[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:35 server-name charon: 16[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:49:35 server-name charon: 16[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:49:35 server-name charon: 16[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:35 server-name charon: 16[MGR] checkin of IKE_SA successful
Mar 17 12:49:51 server-name charon: 05[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:51 server-name charon: 05[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:51 server-name charon: 05[KNL] querying policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:49:51 server-name charon: 05[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:51 server-name charon: 05[MGR] checkin of IKE_SA successful
Mar 17 12:49:55 server-name charon: 06[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:55 server-name charon: 06[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:55 server-name charon: 06[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:49:55 server-name charon: 06[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:49:55 server-name charon: 06[IKE] sending DPD request
Mar 17 12:49:55 server-name charon: 06[IKE] queueing IKE_DPD task
Mar 17 12:49:55 server-name charon: 06[IKE] activating new tasks
Mar 17 12:49:55 server-name charon: 06[IKE]   activating IKE_DPD task
Mar 17 12:49:55 server-name charon: 06[ENC] generating INFORMATIONAL request 0 [ ]
Mar 17 12:49:55 server-name charon: 06[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (80 bytes)
Mar 17 12:49:55 server-name charon: 06[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:55 server-name charon: 06[MGR] checkin of IKE_SA successful
Mar 17 12:49:55 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500]
Mar 17 12:49:55 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:49:55 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:49:55 server-name charon: 07[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:55 server-name charon: 07[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:55 server-name charon: 07[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (80 bytes)
Mar 17 12:49:55 server-name charon: 07[ENC] parsed INFORMATIONAL response 0 [ ]
Mar 17 12:49:55 server-name charon: 07[IKE] activating new tasks
Mar 17 12:49:55 server-name charon: 07[IKE] nothing to initiate
Mar 17 12:49:55 server-name charon: 07[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:55 server-name charon: 07[MGR] checkin of IKE_SA successful
Mar 17 12:49:57 server-name dhclient[358]: PRC: Renewing lease on eth0.
Mar 17 12:49:57 server-name dhclient[358]: XMT: Renew on eth0, interval 10290ms.
Mar 17 12:49:57 server-name dhclient[358]: RCV: Reply message on eth0 from fe80::60:52ff:fe0a:c10e.
Mar 17 12:49:59 server-name charon: 09[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:59 server-name charon: 09[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:59 server-name charon: 09[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:59 server-name charon: 09[MGR] checkin of IKE_SA successful
Mar 17 12:50:00 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:50:00 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:50:00 server-name charon: 08[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:50:00 server-name charon: 08[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:50:00 server-name charon: 08[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 08[ENC] parsed INFORMATIONAL request 2 [ D ]
Mar 17 12:50:00 server-name charon: 08[IKE] received DELETE for ESP CHILD_SA with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[KNL] querying SAD entry with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[KNL] querying SAD entry with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[IKE] closing CHILD_SA ikev2-pubkey{1} with SPIs c6bcf84d_i (1148939 bytes) b74162a4_o (21040410 bytes) and TS 0.0.0.0/0 === 10.10.10.1/32
Mar 17 12:50:00 server-name charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[IKE] CHILD_SA closed
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:50:00 server-name charon: 08[KNL] policy still used by another CHILD_SA, not removed
Mar 17 12:50:00 server-name charon: 08[KNL] updating policy 0.0.0.0/0 === 10.10.10.1/32 out [priority 391808, refcount 1]
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:50:00 server-name charon: 08[KNL] policy still used by another CHILD_SA, not removed
Mar 17 12:50:00 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 in [priority 391808, refcount 1]
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:50:00 server-name charon: 08[KNL] policy still used by another CHILD_SA, not removed
Mar 17 12:50:00 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 fwd [priority 391808, refcount 1]
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:50:00 server-name charon: 08[KNL] getting iface index for eth0
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:50:00 server-name charon: 08[KNL] deleting SAD entry with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[KNL] deleted SAD entry with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[KNL] deleting SAD entry with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[KNL] deleted SAD entry with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[ENC] generating INFORMATIONAL response 2 [ D ]
Mar 17 12:50:00 server-name charon: 08[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 08[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:50:00 server-name charon: 08[MGR] checkin of IKE_SA successful
Mar 17 12:50:00 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500]
Mar 17 12:50:00 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:50:00 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:50:00 server-name charon: 11[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:50:00 server-name charon: 11[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:50:00 server-name charon: 11[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 11[ENC] parsed INFORMATIONAL request 3 [ D ]
Mar 17 12:50:00 server-name charon: 11[IKE] received DELETE for IKE_SA ikev2-pubkey[1]
Mar 17 12:50:00 server-name charon: 11[IKE] deleting IKE_SA ikev2-pubkey[1] between INT.SRVR.IP.ADR[EXT.SRVR.IP.ADR]...MY.CLNT.IP.ADR[CN=me]
Mar 17 12:50:00 server-name charon: 11[IKE] IKE_SA ikev2-pubkey[1] state change: ESTABLISHED => DELETING
Mar 17 12:50:00 server-name charon: 11[IKE] IKE_SA deleted
Mar 17 12:50:00 server-name charon: 11[ENC] generating INFORMATIONAL response 3 [ ]
Mar 17 12:50:00 server-name charon: 11[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 11[MGR] checkin and destroy IKE_SA ikev2-pubkey[1]
Mar 17 12:50:00 server-name charon: 11[IKE] IKE_SA ikev2-pubkey[1] state change: DELETING => DESTROYING
Mar 17 12:50:00 server-name charon: 11[CFG] lease 10.10.10.1 by 'CN=me' went offline
Mar 17 12:50:00 server-name charon: 11[MGR] checkin and destroy of IKE_SA successful

Windows 报告的连接属性：

DataEncryption = Require maximum
PrerequisiteEntry = 
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = Machine Certificate 
Ipv4DefaultGateway = Yes
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = Register primary domain suffix
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
Mobility enabled for IKEv2 = Yes.
Dial-in User = admin
VpnStrategy = IKEv2

当连接被冻结（不通过流量）时，swanctl --list-sasreprts 如下

ikev2-pubkey: #1, ESTABLISHED, IKEv2, f77fbfbe7c371b32_i e0e250355a87db62_r*
   local  'EXT.SRVR.IP.ADR' @ INT.SRVR.IP.ADR[4500]
   remote 'CN=me' @ MY.CLNT.IP.ADR[4500] [10.10.10.1]
   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
   established 287s ago
   ikev2-pubkey: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
     installed 287s ago
     in  ce57563f, 792014 bytes,  4493 packets,   150s ago
     out 6b24b7fd, 10904301 bytes, 10680 packets,     1s ago
     local  0.0.0.0/0
     remote 10.10.10.1/32

Windows 还显示连接正常，事件查看器中没有错误迹象，SEP 防火墙日志中也没有相关的阻止数据包。

服务器：Debian 4.9.246-2，strongSwan 5.5.1。

客户端：Windows 2008 R2、Agile VPN（通过连接属性设置）

这种行为的原因可能是什么以及如何解决？

我该怎么做才能找出确切的原因？

如果有任何帮助，我将不胜感激。

UPD1：当传出流量变得相对较高时，连接最常（或可能总是）冻结。例如，当我访问时speedtest.net，连接在尝试测量上传速度时冻结。

UPD2：其他设备在同一个本地网络上工作正常，在同一个路由器后面，NAT，ISP等。这清楚地表明问题只与使用W2k8的特定机器有关。机器上有 SEP 防火墙，但这不是罪魁祸首——关闭它不会影响行为。Strongswan也几乎不相关，因为它是一个已经建立的冻结隧道。

Lasse Michael Mølgaard

Asked: 2022-02-21 06:10:24 +0800 CST

无法在 Strongswan 中使用拆分隧道

0

我正在尝试为 VPN 拆分隧道设置 Strongswan。

我想要的只是子网10.88.0.0/16，10.0.200.0/24可以通过 VPN 隧道访问。其他一切都default gateway通过网络处理。

所有客户端都分配了一个属于该10.0.201.0/24子网的 IP 地址。

在我的配置文件中，我有以下内容：

# Default login method
eap-defaults {
  remote {
   auth = eap-radius
   id = %any
   eap_id = %any
  }
}

connections
{
  conn-unix : conn-defaults, eap-defaults {
    children {
      net {
        local_ts = 10.0.200.0/24, 10.88.0.0/16
      }

      esp_proposals = aes128gcm128-x25519
    }

    pools = IkeVPN-ipv4
    proposals = aes128-sha256-x25519
  }

  conn-windows : conn-defaults, eap-defaults {
    children {
      net {
        local_ts = 10.0.200.0/24, 10.88.0.0/16
      }

      esp_proposals = aes256-sha256-prfsha256-modp1024
    }

    proposals = aes256-sha256-prfsha256-modp1024
    pools = IkeVPN-ipv4
  }
}

pools
{
  IkeVPN-ipv4 {
    addrs = 10.0.201.0/24
    dns = 10.0.88.2
  }
}

当我通过 VPN 登录时，可以 ping 属于10.88.0.0/16and的主机10.0.200.0/24，所以我知道我可以使用 VPN 隧道。

然而：

如果我在仍然连接到 VPN 的同时尝试访问 Internet 上的任何其他资源，那么我什至无法 ping 属于该资源的 IP 地址。

在我的 Windows 计算机上的路由表中，我可以找到以下条目：

我知道，当您有两条路由到给定子网（如0.0.0.0/0路由表中）时，任何具有最低度量的规则都会获胜，并使用该规则转发流量。

但是我不希望 VPN 服务器通过 VPN 安装默认路由，而只是告诉子网10.88.0.0/16并且10.0.200.0/24必须通过 VPN 路由。

我想要的是我看到一个更接近于此的路由表，而不必在每个 VPN 客户端上手动编辑路由表：

那么我该怎么做呢？

Realbitt

Asked: 2021-12-30 04:08:41 +0800 CST

为我的 VPN 用户屏蔽网站

0

我的strongswan运行良好，我需要通过它的域阻止一些不良网站被VPN用户访问，我尝试了很多方法但没有运气将流量从vpn重定向到像squid这样的代理服务器，但我发现转发流量到squid它完成了由于它的网站 IP 不是域名，所以这种技术没有成功。

也许这不是strongswan生意，但任何想法都会受到欢迎。

提前致谢

rBeal

Asked: 2021-11-12 07:25:22 +0800 CST

将 strongswan 与 pkcs11 和 yubikey 一起使用

0

我正在尝试在我的企业中部署新的 VPN 配置。

我已经在证书模式下成功地在我的计算机和我的 vpn ipsec 服务器之间建立了连接。

我在我的 yubikey 中上传了 p12 文件，其中包含我的私钥、服务器的 pub 密钥和 CA。

$ pkcs11-tool --test --login

Using slot 0 with a present token (0x0)
Logging in to "uid=r.beal,dc=ldap-...".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (PIV AUTH key) 
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
Verify (currently only for RSA)
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Decryption (currently only for RSA)
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
No errors

我在 swanctl.conf 文件中添加了这一部分：

secrets {
    tokenyubikey {
        pin = 123456
        slot = 0
        handle = 1 # From what i understood, it's here that my crt is
        module = yubi-module
    }
}

在 /etc/strongswan.d/charon/pkcs11.conf 文件中的这一部分：

yubi-module {
    #path = /usr/lib/libykcs11.so
    path = /usr/lib/pkcs11/opensc-pkcs11.so
}

当我使用 yubikey pkcs11 模块时：

00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] loaded PKCS#11 v2.40 library 'yubi-module' (/usr/lib/libykcs11.so)
00[CFG]   Yubico (www.yubico.com): PKCS#11 PIV Library (SP-800-73) v2.21
00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
00[CFG]     YubiKey PIV #16616360 (Yubico (www.yubico.com): YubiKey YK5)
00[CFG]     loaded untrusted cert 'X.509 Certificate for PIV Authentication'
00[CFG]     loaded untrusted cert 'X.509 Certificate for PIV Attestation'

当使用模块为 opensc 时：

00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] loaded PKCS#11 v2.20 library 'yubi-module' (/usr/lib/pkcs11/opensc-pkcs11.so)
00[CFG]   OpenSC Project: OpenSC smartcard framework v0.22
00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
00[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
00[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'

我应该使用哪个模块？

当我运行 ipsec 守护进程时

# ipsec restart --nofork
Starting strongSwan 5.9.3 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.9.3, Linux 5.14.15-arch1-1, x86_64)
00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] loaded PKCS#11 v2.20 library 'yubi-module' (/usr/lib/pkcs11/opensc-pkcs11.so)
00[CFG]   OpenSC Project: OpenSC smartcard framework v0.22
00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
00[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
00[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'
00[CFG] attr-sql plugin: database URI not set
00[NET] using forecast interface wlan0
00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, [email protected]" from '/etc/ipsec.d/cacerts/ca.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] sql plugin: database URI not set
00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
00[CFG] loaded 0 RADIUS server configurations
00[CFG] HA config misses local/remote address
00[CFG] no script for ext-auth script defined, disabled
00[LIB] loaded plugins: charon ldap pkcs11 aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ntru drbg newhope bliss curl mysql sqlite attr kernel-netlink resolve socket-default bypass-lan connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity counters
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
06[IKE] installed bypass policy for 172.17.0.0/16
06[IKE] installed bypass policy for 192.168.1.0/24
06[IKE] installed bypass policy for ::1/128
06[IKE] installed bypass policy for fe80::/64
02[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
02[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
02[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'
charon (10359) started after 120 ms
11[CFG] received stroke: add connection 'test'
11[CFG]   loaded certificate "C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, [email protected]" from '/etc/swanctl/x509/r.beal.pem'
11[CFG]   id 'UID=r.beal, DC=ldap, DC=company, DC=fr' not confirmed by certificate, defaulting to 'C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, [email protected]'
11[CFG] added configuration 'test'

智能卡存在！

现在我正在尝试连接到 VPN (/etc/ipsec.conf)：

conn test
     right=1.2.3.4 <= the public ip of my vpn server
     rightid=remote_id_of_the_server
     leftcert=/etc/swanctl/x509/r.beal.pem
     leftid=my_mail
     left=%defaultroute
     #leftcert=%smartcard
     auto=add

我把 CA 放在 /etc/ipsec.d/cacerts/

ipsec 日志：

01[CFG] received stroke: initiate 'test'
09[IKE] initiating IKE_SA test[1] to 1.2.3.4
09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
09[NET] sending packet: from 192.168.1.199[500] to 1.2.3.4[500] (1000 bytes)
10[NET] received packet: from 1.2.3.4[500] to 192.168.1.199[500] (38 bytes)
10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
10[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
10[IKE] initiating IKE_SA test[1] to 1.2.3.4
10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
10[NET] sending packet: from 192.168.1.199[500] to 1.2.3.4[500] (1192 bytes)
06[NET] received packet: from 1.2.3.4[500] to 192.168.1.199[500] (481 bytes)
06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(CHDLESS_SUP) ]
06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
06[IKE] local host is behind NAT, sending keep alives
06[IKE] remote host is behind NAT
06[IKE] received cert request for "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, [email protected]"
06[IKE] sending cert request for "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, [email protected]"
06[IKE] no private key found for 'C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, [email protected]'

连接开始了！我应该怎么做才能让 ipsec 使用我智能卡中的私钥？

我看到这篇文章：“NO_PROPOSAL_CHOSEN”尝试使用 swanctl 使用智能卡的证书进行身份验证时我有同样的问题吗？我试图复制 x509 目录中的所有证书，但我有同样的错误“找不到私钥”。

编辑 ===

现在，当我调用“swanctl --load-creds”时，ipsec 会找到私钥并使用它！

但是我现在有网络问题。

16[IKE] authentication of 'compagny.com' with RSA_EMSA_PKCS1_SHA2_256 successful
16[IKE] IKE_SA test[1] established between 192.168.1.199[[email protected]]...1.2.3.4[compagny.com]
16[IKE] scheduling reauthentication in 10059s
16[IKE] maximum IKE_SA lifetime 10599s
16[CFG] handling UNITY_SPLITDNS_NAME attribute failed
16[CFG] handling INTERNAL_IP4_NETMASK attribute failed
16[IKE] installing DNS server 172.22.0.17 to /etc/resolv.conf
16[IKE] installing new virtual IP 10.66.0.5
16[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
16[IKE] failed to establish CHILD_SA, keeping IKE_SA
16[IKE] received AUTH_LIFETIME of 20278s, reauthentication already scheduled in 10059s

我添加到我的 conf 文件中：

leftsourceip=%config

我的 VPN 服务器配置为不路由客户端的互联网流量。所以我认为现在是网络配置问题。

Morse

Asked: 2021-11-05 12:14:52 +0800 CST

无法通过 NetworkManager 启动与 surfshark 的 IKEv2 VPN 连接

0

我尝试通过 IKEv2 手动连接到 surfshark VPN 提供商。这是日志

 charon-nm[5070]: 05[CFG] received initiate for NetworkManager connection Surfshark IKE2
 charon-nm[5070]: 05[CFG] using gateway identity 'ru-mos.prod.surfshark.com'
 charon-nm[5070]: 05[IKE] initiating IKE_SA Surfshark IKE2[1] to 92.38.138.139
 charon-nm[5070]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
 charon-nm[5070]: 05[NET] sending packet: from 192.168.2.35[35071] to 92.38.138.139[500] (1096 bytes)
 NetworkManager[4583]: <info>  [1636055533.4566] vpn-connection[0x56150178a510,6c89b390-d6ee-47d8-a547-346f75797487,"Surfshark IKE2",0]: VPN plugin: state changed: starting (3)
 charon-nm[5070]: 15[NET] received packet: from 92.38.138.139[500] to 192.168.2.35[35071] (38 bytes)
 charon-nm[5070]: 15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
 charon-nm[5070]: 15[IKE] peer didn't accept DH group ECP_256, it requested ECP_521
 charon-nm[5070]: 15[IKE] initiating IKE_SA Surfshark IKE2[1] to 92.38.138.139
 charon-nm[5070]: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
 charon-nm[5070]: 15[NET] sending packet: from 192.168.2.35[35071] to 92.38.138.139[500] (1164 bytes)
 charon-nm[5070]: 01[NET] received packet: from 92.38.138.139[500] to 192.168.2.35[35071] (332 bytes)
 charon-nm[5070]: 01[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
 charon-nm[5070]: 01[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_521
 charon-nm[5070]: 01[IKE] local host is behind NAT, sending keep alives
 charon-nm[5070]: 01[IKE] sending cert request for "C=VG, O=Surfshark, CN=Surfshark Root CA"
 charon-nm[5070]: 01[IKE] establishing CHILD_SA Surfshark IKE2{1}
 charon-nm[5070]: 01[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
 charon-nm[5070]: 01[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (438 bytes)
 charon-nm[5070]: 07[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1248 bytes)
 charon-nm[5070]: 07[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]
 charon-nm[5070]: 07[ENC] received fragment #1 of 3, waiting for complete IKE message
 charon-nm[5070]: 08[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1248 bytes)
 charon-nm[5070]: 08[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ]
 charon-nm[5070]: 08[ENC] received fragment #2 of 3, waiting for complete IKE message
 charon-nm[5070]: 09[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (579 bytes)
 charon-nm[5070]: 09[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ]
 charon-nm[5070]: 09[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2949 bytes)
 charon-nm[5070]: 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
 charon-nm[5070]: 09[IKE] received end entity cert "CN=ru-mos.prod.surfshark.com"
 charon-nm[5070]: 09[IKE] received issuer cert "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
 charon-nm[5070]: 09[CFG]   using certificate "CN=ru-mos.prod.surfshark.com"
 charon-nm[5070]: 09[CFG]   using untrusted intermediate certificate "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
 charon-nm[5070]: 09[CFG] checking certificate status of "CN=ru-mos.prod.surfshark.com"
 charon-nm[5070]: 09[CFG] certificate status is not available
 charon-nm[5070]: 09[CFG]   using trusted ca certificate "C=VG, O=Surfshark, CN=Surfshark Root CA"
 charon-nm[5070]: 09[CFG] checking certificate status of "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
 charon-nm[5070]: 09[CFG] certificate status is not available
 charon-nm[5070]: 09[CFG]   reached self-signed root ca with a path length of 1
 charon-nm[5070]: 09[IKE] authentication of 'ru-mos.prod.surfshark.com' with RSA_EMSA_PKCS1_SHA2_256 successful
 charon-nm[5070]: 09[IKE] server requested EAP_IDENTITY (id 0x00), sending 'mYidENtitY'
 charon-nm[5070]: 09[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
 charon-nm[5070]: 09[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (90 bytes)
 charon-nm[5070]: 10[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (67 bytes)
 charon-nm[5070]: 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
 charon-nm[5070]: 10[IKE] server requested EAP_PEAP authentication (id 0x01)
 charon-nm[5070]: 10[TLS] EAP_PEAP version is v0
 charon-nm[5070]: 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/PEAP ]
 charon-nm[5070]: 10[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (275 bytes)
 charon-nm[5070]: 11[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1065 bytes)
 charon-nm[5070]: 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/PEAP ]
 charon-nm[5070]: 11[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 charon-nm[5070]: 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/PEAP ]
 charon-nm[5070]: 11[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (67 bytes)
 charon-nm[5070]: 12[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1061 bytes)
 charon-nm[5070]: 12[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
 charon-nm[5070]: 12[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ]
 charon-nm[5070]: 12[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (67 bytes)
 charon-nm[5070]: 13[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (747 bytes)
 charon-nm[5070]: 13[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/PEAP ]
 charon-nm[5070]: 13[TLS] received TLS server certificate 'C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate, [email protected]'
 charon-nm[5070]: 13[TLS] received TLS intermediate certificate 'C=FR, ST=Radius, L=Somewhere, O=Example Inc., [email protected], CN=Example Certificate Authority'
 charon-nm[5070]: 13[CFG]   using certificate "C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate, [email protected]"
 charon-nm[5070]: 13[CFG]   using untrusted intermediate certificate "C=FR, ST=Radius, L=Somewhere, O=Example Inc., [email protected], CN=Example Certificate Authority"
 charon-nm[5070]: 13[CFG] subject certificate invalid (valid from Apr 12 17:41:01 2021 to Jun 11 17:41:01 2021)
 charon-nm[5070]: 13[TLS] no TLS public key found for server '%any'
 charon-nm[5070]: 13[TLS] sending fatal TLS alert 'certificate unknown'
 charon-nm[5070]: 13[ENC] generating IKE_AUTH request 6 [ EAP/RES/PEAP ]
 charon-nm[5070]: 13[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (74 bytes)
 charon-nm[5070]: 14[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (65 bytes)
 charon-nm[5070]: 14[ENC] parsed IKE_AUTH response 6 [ EAP/FAIL ]
 charon-nm[5070]: 14[IKE] received EAP_FAILURE, EAP authentication failed

一切看起来都很好，直到在响应 5 我得到一些奇怪的证书。我不知道 PEAP 协议到底是如何进行的，以及在该步骤中应该发生什么，但连接在 Windows 上有效，所以我认为我这边有问题。

user8385240

Asked: 2021-10-20 10:10:32 +0800 CST

VPS 上的 Strongswan IPSec 配置

0

请协助。我正在尝试在我的 VPS 上使用 strongswan 设置站点到站点 IPSec 隧道，但遗憾的是我的提供商无法为我启用以下内核模块：

ah4 ah6 esp4 esp6 xfrm4_tunnel xfrm6_tunnel xfrm_user ip_tunnel 隧道 tunnel6 xfrm4_mode_tunnel xfrm6_mode_tunnel

在我转移到我的启动负担不起的专用服务器之前，有没有办法以不依赖于在典型 VPS 配置上启用额外内核模块的替代方式配置 strongswan 或任何其他平台？

Theo

Asked: 2021-07-24 01:56:09 +0800 CST

使用我的 IPSec strongswan 隧道将特定端口上的传入流量镜像到另一个 IP

0

我想使用strongswan. 我strongswan在 docker 容器中运行。

为此，我希望我的内部服务器192.168.0.12监听其 25 端口并将流量转发到同一端口上的隧道服务器10.0.0.10:25。

到目前为止，我尝试使用 iptables，但没有成功。

net.ipv4.ip_forward在主机和 docker 容器上都启用了！

我iptables-save在192.168.0.12strongswan 连接到隧道后打开：（是的，我可以从 192.168.0.12 ping 10.0.0.10）

# Generated by iptables-save v1.8.4 on Fri Jul 23 09:55:05 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/16 -d 192.168.0.10/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A OUTPUT -s 192.168.0.10/32 -d 10.0.0.0/16 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
# Completed on Fri Jul 23 09:55:05 2021
# Generated by iptables-save v1.8.4 on Fri Jul 23 09:55:05 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [2:1600]
:POSTROUTING ACCEPT [2:1600]
:DOCKER_OUTPUT - [0:0]
:DOCKER_POSTROUTING - [0:0]
-A OUTPUT -d 127.0.0.11/32 -j DOCKER_OUTPUT
-A POSTROUTING -d 127.0.0.11/32 -j DOCKER_POSTROUTING
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.11:45165
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.11:53306
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p tcp -m tcp --sport 45165 -j SNAT --to-source :53
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p udp -m udp --sport 53306 -j SNAT --to-source :53
COMMIT

命令ip r输出：

default via 192.168.16.1 dev eth0
192.168.16.0/20 dev eth0 proto kernel scope link src 192.168.16.10 # this is a docker internal network for my services
192.168.0.10/30 dev eth1 proto kernel scope link src 192.168.0.12

我尝试了以下各种命令：

iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 10.0.0.10:25
iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.10 --dport 25 -j SNAT --to-source 192.168.0.12

但没有成功。

我无法提供有关ip r主机或iptables-save.

我究竟做错了什么？

Lasse Michael Mølgaard

Asked: 2021-06-14 13:20:36 +0800 CST

iPhone 用户不连接 StrongSwan VPN，而 Android 和 Windows 10 用户可以？

2

我有一个 StrongSwan VPN，由于某种我不知道的原因，它无法将 iOS 用户连接到我的 VPN 服务器。

一些快速说明：

我的 StrongSwan 服务器是连接到我的网络的 VPN 客户端的前端。我用于WireGuard我的后端站点到站点路由。
所有 StrongSwan VPN 用户都经过FreeRadius服务器验证。
StrongSwan 客户端在子网上被分配一个 IP 192.168.201.0/24，而 WireGuard 主干网络在192.168.200.0/24子网上运行。
所有客户端也都获得了一个公共 IPv6 地址，该地址属于分配给我的 /48 子网。

我在 Ubuntu 20.04 上运行 StrongSwan，我的配置文件位于该/etc/swanctl/config/文件夹中，由于文件名以.conf.

内容如下：

# Default VPN server settings for all connections
conn-defaults {
    local_addrs = PUBLIC_IPV4, PUBLIC_IPV6

    local {
      auth = pubkey
      certs = vpn-ecdsa.cer
      id = vpn.example.com
    }

    version = 2
    send_certreq = no
    send_cert = always
    unique = never
    fragmentation = yes
    encap = yes
    dpd_delay = 60s

    rekey_time = 0s
}

# Default login method
eap-defaults {
  remote {
   auth = eap-radius
   id = %any
   eap_id = %any
  }
}

connections
{
  # Generic Android configuration that is extended further down.
  #
  # Works with StrongSwan VPN client for Android
  conn-unix : conn-defaults, eap-defaults {
    children {
      net {
        local_ts = 0.0.0.0/0, ::/0
      }

      net-unix : child-defaults {
      }

      esp_proposals = aes128gcm128-x25519
    }

    proposals = aes128-sha256-x25519
  }

  # All Windows klients matches this rule as username validation 
  # is done by 'eap_start = yes' in strongswan.conf. 
  #
  # Works with Windows 10 built-in VPN client.
  conn-windows : conn-defaults, eap-defaults {
    children {
      net {
        local_ts = 0.0.0.0/0, ::/0
      }

      esp_proposals = aes256-sha256-prfsha256-modp1024
    }

    proposals = aes256-sha256-prfsha256-modp1024
    pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6

  }

  # A very similar configuration to Windows clients 
  # configuration, except iOS uses 2048 bit keys, 
  # while Windows uses 1024 bit keys.
  #
  # Does NOT work in its current state.
  conn-ios : conn-defaults, eap-defaults {
    children {
      net {
        local_ts = 0.0.0.0/0, ::/0
      }

      esp_proposals = aes256-sha2_256
      pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6

    }

    proposals = aes256-sha256-prfsha256-modp2048
  }

  # Android users is matched against this connection as they are 
  # running the app StrongSwan VPN client. Username is passed in the
  # 'id' field to StrongSwan VPN server.
  conn-unix-site : connections.conn-unix {
    remote {
      id = *@site.example.com
    }
    pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6
  }
}

pools
{
   IkeVPN-site-ipv4 {
      addrs = 192.168.201.0/24
      dns = 192.168.200.1
   }

   IkeVPN-site-ipv6 {
      addrs = 2001:db8:cafe::/97
      dns = 2001:db8::1
   }
}

我的配置是使用以下网页给出的结构创建的：

https://wiki.strongswan.org/projects/strongswan/wiki/Strongswanconf#Referencing-other-Sections

我使用它的原因是避免在我的所有连接配置文件中重复相同的配置设置。

如果您不熟悉此设置，conn-ios则应将以下配置视为等效：

conn-ios {
   # Obtained from conn-default
   local_addrs = PUBLIC_IPV4, PUBLIC_IPV6

   local {
      auth = pubkey
      certs = vpn-ecdsa.cer
      id = vpn.example.com
   }

   version = 2
   send_certreq = no
   send_cert = always
   unique = never
   fragmentation = yes
   encap = yes
   dpd_delay = 60s

   rekey_time = 0s

   # Obtained from eap-defaults
   remote {
      auth = eap-radius
      id = %any
      eap_id = %any
   }

   # Obtained from original conn-ios profile above.
   children {
      net {
         local_ts = 0.0.0.0/0, ::/0
      }

      esp_proposals = aes256-sha2_256
      pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6
   }

   proposals = aes256-sha256-prfsha256-modp2048
}

本conn-default节中列出的服务器证书是使用 Acme.sh 从 Let's Encrypt 获得的 ECDSA 证书。

proposalsiOS 配置中的加密值esp_proposals取自https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients中的提示。

在测试 Android 或 Windows 用户的所有组合时，连接没有任何问题，但是当有人尝试使用 iPhone 登录时，连接就会停止。

iPhone尝试连接时的日志输出如下：

10[IKE] CLIENT_IPV4 is initiating an IKE_SA
10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
10[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
10[IKE] no matching proposal found, trying alternative config
10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
10[IKE] no matching proposal found, trying alternative config
10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
10[IKE] remote host is behind NAT
10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
10[NET] sending packet: from PUBLIC_IPV4[500] to CLIENT_IPV4[6452] (456 bytes)
06[NET] received packet: from CLIENT_IPV4[13549] to PUBLIC_IPV4[4500] (512 bytes)
06[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
06[CFG] looking for peer configs matching PUBLIC_IPV4[vpn.example.com]...CLIENT_IPV4[PRIVATE_CLASS_A_ADDRESS]
06[CFG] selected peer config 'conn-ios'
06[IKE] initiating EAP_IDENTITY method (id 0x00)
06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
06[IKE] peer supports MOBIKE
06[IKE] authentication of 'vpn.example.com' (myself) with ECDSA-256 signature successful
06[IKE] sending end entity cert "CN=vpn.example.com"
06[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
06[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
06[ENC] splitting IKE message (2816 bytes) into 3 fragments
06[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]
06[ENC] generating IKE_AUTH response 1 [ EF(2/3) ]
06[ENC] generating IKE_AUTH response 1 [ EF(3/3) ]
06[NET] sending packet: from PUBLIC_IPV4[4500] to CLIENT_IPV4[13549] (1236 bytes)
06[NET] sending packet: from PUBLIC_IPV4[4500] to CLIENT_IPV4[13549] (1236 bytes)
06[NET] sending packet: from PUBLIC_IPV4[4500] to CLIENT_IPV4[13549] (500 bytes)
11[JOB] deleting half open IKE_SA with CLIENT_IPV4 after timeout

iPhone 用户使用以下设置使用内置 VPN 客户端进行连接：

类型 IKEv2
描述：VPN服务器
服务器：vpn.example.com
远程 ID：vpn.example.com
本地标识：空白
用户名和密码验证。
用户名：[email protected]
密码：ItIsASecret

有谁知道为什么 iOS 用户在加载conn-ios配置文件时连接会停止？

更新我们起飞了！:-)

根据@ecdsa 的建议，我已将证书切换为 2048 位 RSA 证书。

我的 Radius 服务器被调用。用户身份验证成功，客户端获得分配 IP 地址。我很开心。:-)

我conn-ios现在的配置是：

  conn-ios : conn-defaults, eap-defaults {

    # Overriding defaults from 'conn-default'
    local {
      auth = pubkey
      certs = vpn-rsa.cer
      id = vpn.example.com
    }

    children {
      net {
        local_ts = 0.0.0.0/0, ::/0
      }

      esp_proposals = aes256-sha256
    }

    pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6
    proposals = aes256-sha256-prfsha256-modp2048
  }

其他一切都与我的初始配置一样。

如何将 ipsec 客户端与 StrongSwan 中的不同连接链接？

Strongswan / Ipsec 多个 roadwarrior 连接不同的子网

Strongswan 和 Windows 客户端：连接在几分钟内冻结

无法在 Strongswan 中使用拆分隧道

为我的 VPN 用户屏蔽网站

将 strongswan 与 pkcs11 和 yubikey 一起使用

无法通过 NetworkManager 启动与 surfshark 的 IKEv2 VPN 连接

VPS 上的 Strongswan IPSec 配置

使用我的 IPSec strongswan 隧道将特定端口上的传入流量镜像到另一个 IP

iPhone 用户不连接 StrongSwan VPN，而 Android 和 Windows 10 用户可以？

新安装后 postgres 的默认超级用户用户名/密码是什么？

SFTP 使用什么端口？

命令行列出 Windows Active Directory 组中的用户？

什么是 Pem 文件，它与其他 OpenSSL 生成的密钥文件格式有何不同？

如何确定bash变量是否为空？

问题[strongswan](server)