IPsec with strongSwan cannot connect

Asked by Kayson, 2018-07-04 11:24:54 +0800 CST

I'm trying to set up an IPsec server on 18.04 using strongSwan.

My ipsec.conf is:

# ipsec.conf - strongSwan IPsec configuration file
config setup
   charondebug="cfg 2"

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=no
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@domain.com
    leftcert=/etc/ssl/certs/domain.com.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=192.168.1.1
    rightsourceip=10.11.12.0/24
    rightsendcert=never
    eap_identity=%identity

My ipsec.secrets is:

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

domain.com : RSA /etc/ssl/private/strongswan.key
user %any% : EAP "pass"

As far as I can tell, I have set up ufw to let the traffic through:

administrator@fserver:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80,443/tcp (Apache Full)   ALLOW IN    Anywhere
22/tcp (OpenSSH)           ALLOW IN    Anywhere
137,138/udp (Samba)        ALLOW IN    Anywhere
139,445/tcp (Samba)        ALLOW IN    Anywhere
3389/tcp                   ALLOW IN    Anywhere
8085/tcp                   ALLOW IN    Anywhere
35000:36000/tcp            ALLOW IN    Anywhere                   # deluge
10000:20000/tcp            ALLOW IN    Anywhere                   # ftp passive
20:21/tcp                  ALLOW IN    Anywhere                   # ftp
990/tcp                    ALLOW IN    Anywhere                   # ftp tls
192.168.1.2/esp            ALLOW IN    Anywhere
500                        ALLOW IN    Anywhere                   # ipsec
4500                       ALLOW IN    Anywhere                   # ipsec
192.168.1.2/ah             ALLOW IN    Anywhere
80,443/tcp (Apache Full (v6)) ALLOW IN    Anywhere (v6)
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
137,138/udp (Samba (v6))   ALLOW IN    Anywhere (v6)
139,445/tcp (Samba (v6))   ALLOW IN    Anywhere (v6)
3389/tcp (v6)              ALLOW IN    Anywhere (v6)
8085/tcp (v6)              ALLOW IN    Anywhere (v6)
35000:36000/tcp (v6)       ALLOW IN    Anywhere (v6)              # deluge
10000:20000/tcp (v6)       ALLOW IN    Anywhere (v6)              # ftp passive
20:21/tcp (v6)             ALLOW IN    Anywhere (v6)              # ftp
990/tcp (v6)               ALLOW IN    Anywhere (v6)              # ftp tls
500 (v6)                   ALLOW IN    Anywhere (v6)              # ipsec
4500 (v6)                  ALLOW IN    Anywhere (v6)              # ipsec

Unfortunately, I can't connect from Windows 10. When I try to connect on Windows it sits at "Verifying your sign-in info", then stops with an error saying the connection could not be established because the server stopped responding.

My syslog shows:

Jul  3 11:20:51 fserver charon: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul  3 11:20:51 fserver charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver ipsec[4349]: 06[ENC] generating INFORMATIONAL_V1 request 3859798652 [ N(NO_PROP) ]
Jul  3 11:20:51 fserver ipsec[4349]: 06[NET] sending packet: from 192.168.1.2[500] to 216.218.206.70[50231] (40 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 08[NET] received packet: from 216.218.206.98[28703] to 192.168.1.2[500] (64 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 08[ENC] parsed ID_PROT request 0 [ SA ]
Jul  3 11:20:51 fserver ipsec[4349]: 08[CFG] looking for an ike config for 192.168.1.2...216.218.206.98
Jul  3 11:20:51 fserver ipsec[4349]: 08[IKE] no IKE config found for 192.168.1.2...216.218.206.98, sending NO_PROPOSAL_CHOSEN
Jul  3 11:20:51 fserver ipsec[4349]: 08[ENC] generating INFORMATIONAL_V1 request 1302012061 [ N(NO_PROP) ]
Jul  3 11:20:51 fserver ipsec[4349]: 08[NET] sending packet: from 192.168.1.2[500] to 216.218.206.98[28703] (40 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 10[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   candidate: %any...%any, prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] found matching ike config: %any...%any with prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] received MS-Negotiation Discovery Capable vendor ID
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] received Vid-Initial-Contact vendor ID
Jul  3 11:20:51 fserver ipsec[4349]: 10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] 142.68.61.15 is initiating an IKE_SA
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   proposal matches
Jul  3 11:20:51 fserver charon: 13[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] local host is behind NAT, sending keep alives
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] remote host is behind NAT
Jul  3 11:20:51 fserver ipsec[4349]: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul  3 11:20:51 fserver ipsec[4349]: 10[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 11[IKE] sending keep alive to 142.68.61.15[500]
Jul  3 11:20:51 fserver ipsec[4349]: 12[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout
Jul  3 11:20:51 fserver ipsec[4349]: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver ipsec[4349]: 13[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul  3 11:20:51 fserver ipsec[4349]: 13[CFG]   candidate: %any...%any, prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 13[CFG] found matching ike config: %any...%any with prio 28
Jul  3 11:20:51 fserver charon: 13[CFG]   candidate: %any...%any, prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 13[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul  3 11:20:51 fserver charon: 13[CFG] found matching ike config: %any...%any with prio 28
Jul  3 11:20:51 fserver charon: 13[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul  3 11:20:51 fserver charon: 13[IKE] received MS-Negotiation Discovery Capable vendor ID
Jul  3 11:20:51 fserver charon: 13[IKE] received Vid-Initial-Contact vendor ID
Jul  3 11:20:51 fserver charon: 13[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul  3 11:20:51 fserver charon: 13[IKE] 142.68.61.15 is initiating an IKE_SA
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   proposal matches
Jul  3 11:20:51 fserver charon: 13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul  3 11:20:51 fserver charon: 13[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver charon: 13[IKE] local host is behind NAT, sending keep alives
Jul  3 11:20:51 fserver charon: 13[IKE] remote host is behind NAT
Jul  3 11:20:51 fserver charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul  3 11:20:51 fserver charon: 13[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul  3 11:21:11 fserver charon: 15[IKE] sending keep alive to 142.68.61.15[500]
Jul  3 11:21:21 fserver charon: 01[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout

It looks like Windows doesn't send any more packets. I have forwarded ports 500 and 4500.

Maybe ufw is set up incorrectly; I'm willing to dig into iptables, but I'd rather not if it isn't necessary.
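As an added example (not part of the question and not strongSwan code), the following Python script triages charon log lines of the kind shown above. charon rarely repeats the peer address in its messages, so the script attributes each thread-tagged line to the peer from the last "received packet: from ..." seen on that worker thread, skips the duplicate ipsec[PID] copies of the same messages, and reports per peer: whether IKE_SA_INIT was answered but no IKE_AUTH ever arrived before the half-open SA timed out (the pattern in this log, which points at the return path, i.e. NAT and port forwarding, rather than at proposals), whether the peer was only an unsolicited IKEv1 main-mode request, whether both ends were detected behind NAT, and whether the client offered only MODP groups below 2048 bits (as all 18 proposals in the log do). The sample log is constructed from the lines in the question; the finding names are the script's own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the charon lines in the question above (same peers, ports and
# message texts). Only "charon:" lines are parsed; the "ipsec[PID]:" lines in a real syslog are
# the same messages relayed by the starter and would otherwise be counted twice.
SAMPLE_LOG = """\
Jul  3 11:20:51 fserver charon: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul  3 11:20:51 fserver charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver ipsec[4349]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver charon: 08[NET] received packet: from 216.218.206.98[28703] to 192.168.1.2[500] (64 bytes)
Jul  3 11:20:51 fserver charon: 08[ENC] parsed ID_PROT request 0 [ SA ]
Jul  3 11:20:51 fserver charon: 08[IKE] no IKE config found for 192.168.1.2...216.218.206.98, sending NO_PROPOSAL_CHOSEN
Jul  3 11:20:51 fserver charon: 13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Jul  3 11:20:51 fserver charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver charon: 13[IKE] local host is behind NAT, sending keep alives
Jul  3 11:20:51 fserver charon: 13[IKE] remote host is behind NAT
Jul  3 11:20:51 fserver charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul  3 11:20:51 fserver charon: 13[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul  3 11:21:21 fserver charon: 01[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout
"""

# syslog prefix, host, "charon:", then charon's own "<thread>[<group>] <message>" format
CHARON = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ charon: (?P<thread>\d+)\[\w+\] (?P<msg>.*)$")


def _new_peer():
    return {"init_req": 0, "init_resp": 0, "auth_req": 0, "ikev1": 0,
            "timeouts": 0, "nat_local": False, "nat_remote": False, "dh_groups": set()}


def parse(log_text):
    """Return {peer_ip: counters}. Follow-up lines are attributed to the peer of the last
    'received packet: from <peer>' seen on the same worker thread."""
    peers = defaultdict(_new_peer)
    thread_peer = {}
    for line in log_text.splitlines():
        m = CHARON.match(line)
        if not m:
            continue                      # ipsec[PID] duplicates and unrelated syslog lines
        th, msg = m["thread"], m["msg"]
        r = re.match(r"received packet: from (\S+)\[\d+\] to ", msg)
        if r:
            thread_peer[th] = r.group(1)
            continue
        r = re.match(r"deleting half open IKE_SA with (\S+) after timeout", msg)
        if r:                             # logged by a different thread, carries the peer itself
            peers[r.group(1)]["timeouts"] += 1
            continue
        peer = thread_peer.get(th)
        if peer is None:
            continue
        st = peers[peer]
        if msg.startswith("parsed IKE_SA_INIT request"):
            st["init_req"] += 1
        elif msg.startswith("parsed IKE_AUTH request"):
            st["auth_req"] += 1
        elif msg.startswith("parsed ID_PROT request") or msg.startswith("parsed AGGRESSIVE request"):
            st["ikev1"] += 1              # IKEv1 main/aggressive mode, not the IKEv2 client
        elif msg.startswith("generating IKE_SA_INIT response"):
            st["init_resp"] += 1
        elif msg.startswith("local host is behind NAT"):
            st["nat_local"] = True
        elif msg.startswith("remote host is behind NAT"):
            st["nat_remote"] = True
        elif msg.startswith("received proposals:"):
            st["dh_groups"].update(re.findall(r"/((?:MODP|ECP|CURVE)_\w+)", msg))
    return peers


def diagnose(st):
    """Map one peer's counters to findings a practitioner would act on."""
    findings = []
    if st["ikev1"]:
        findings.append("ikev1-probe")
    if st["init_req"] and st["init_resp"] and not st["auth_req"] and st["timeouts"]:
        # We answered IKE_SA_INIT but the client never sent IKE_AUTH: our reply most likely never
        # reached it. Check the udp/500 and udp/4500 forwarding rule and the NAT reply mapping
        # before touching proposals.
        findings.append("init-answered-no-auth")
    elif st["init_req"] and not st["init_resp"]:
        findings.append("init-unanswered")   # e.g. no acceptable proposal; read the CFG lines
    if st["nat_local"] and st["nat_remote"]:
        findings.append("double-nat")
    groups = st["dh_groups"]
    if groups and all(g.startswith("MODP_") and int(g.split("_")[1]) < 2048 for g in groups):
        findings.append("dh-below-2048-only")   # client offered nothing stronger than 1024-bit MODP
    return findings


def report(log_text):
    return {peer: diagnose(st) for peer, st in parse(log_text).items()}


if __name__ == "__main__":
    for peer, findings in report(SAMPLE_LOG).items():
        print(peer, findings)
```

Run it against a real syslog with `report(open("/var/log/syslog").read())`; the thread-to-peer mapping is only reliable while charon logs on one host, which is the case here.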

Tags: networking, server, ipsec

3 Answers
  1. ecdsa
    2018-07-05T01:04:49+08:00

    If you can rule out the firewall blocking the requests, a likely cause is IP fragmentation (you can check with tcpdump/Wireshark whether the messages are sent/received).

    If the IKE_AUTH messages get too large (e.g. because of a large client certificate, or too many certificate requests), they are split into multiple IP fragments. Such fragments are often dropped by firewalls/routers.

    One option to avoid this is IKEv2 fragmentation, but not all clients support this extension. For example, Windows 10 did not support it until the spring 2018 update. But if you update your client, you should be able to set fragmentation=yes to use IKEv2 fragmentation.
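As an added example (not from the answer above and not strongSwan code), the Python below parses the fixed IKEv2 header (RFC 7296 section 3.1) to get the message length, then works out how an oversized IKE_AUTH leaves the host in the two cases the answer contrasts: as one UDP datagram cut into IP fragments, where only the first fragment carries the UDP header, so a stateless filter or a NAT box that does not reassemble has no ports to match the rest against; versus RFC 7383 IKEv2 fragmentation, where each fragment is a complete IKE message no larger than strongSwan's charon.fragment_size and every datagram is self-describing. The 1500-byte MTU, the 1280-byte fragment size, the 16-byte IV and 12-byte ICV, and the 3800-byte IKE_AUTH are assumed illustrative values; the header bytes are constructed.

```python
import math
import struct

IPV4_HDR, UDP_HDR, NAT_T_MARKER, IKE_HDR = 20, 8, 4, 28   # bytes; no IP options; RFC 3948 non-ESP marker on udp/4500
EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

# Constructed IKE_AUTH response header claiming a 3800-byte message (assumed size), next payload
# 46 = Encrypted (SK), version 2.0, flags 0x20 = Response, message id 1.
SAMPLE_HDR = struct.pack("!QQBBBBII", 0x1122, 0x3344, 46, 0x20, 35, 0x20, 1, 3800)


def parse_ike_header(data):
    """Decode the fixed IKEv2 header (RFC 7296 section 3.1): SPIs, next payload, version nibbles,
    exchange type, flags (I = 0x08, R = 0x20), message id and the total message length."""
    if len(data) < IKE_HDR:
        raise ValueError("short IKE header")
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", data[:IKE_HDR])
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": nxt, "major": ver >> 4, "minor": ver & 0xF,
            "exchange": EXCHANGE.get(exch, exch), "initiator": bool(flags & 0x08),
            "response": bool(flags & 0x20), "msg_id": msg_id, "length": length}


def ip_fragments(ike_len, mtu=1500, nat_t=False):
    """One IKE message sent as a single UDP datagram, cut by IP fragmentation to fit the MTU.
    Returns [(fragment offset, bytes, carries the UDP header)]; a single entry means no fragmentation."""
    ip_payload = UDP_HDR + ike_len + (NAT_T_MARKER if nat_t else 0)
    per_frag = (mtu - IPV4_HDR) // 8 * 8      # fragment offset is counted in 8-byte units
    frags, off = [], 0
    while off < ip_payload:
        size = min(per_frag, ip_payload - off)
        frags.append((off, size, off == 0))  # only the first piece contains the UDP ports
        off += size
    return frags


def ikev2_fragments(ike_len, fragment_size=1280, iv_len=16, icv_len=12):
    """RFC 7383: the plaintext of the Encrypted payload is split into Encrypted Fragment payloads,
    each wrapped in its own complete IKE message of at most fragment_size bytes (strongSwan's
    charon.fragment_size). Returns the IKE message size of each fragment. Overheads assumed:
    4-byte SK payload header, 8-byte Encrypted Fragment header, 1 pad-length byte, IV and ICV;
    cipher block padding is ignored."""
    plaintext = ike_len - IKE_HDR - 4 - iv_len - 1 - icv_len
    overhead = IKE_HDR + 8 + iv_len + 1 + icv_len
    capacity = fragment_size - overhead
    if plaintext <= 0 or capacity <= 0:
        raise ValueError("message or fragment size too small")
    n = math.ceil(plaintext / capacity)
    return [fragment_size] * (n - 1) + [plaintext - capacity * (n - 1) + overhead]


def datagram_sizes(ike_sizes, nat_t=True):
    """On-the-wire IPv4 datagram size for each IKE message (IKE_AUTH behind NAT goes over udp/4500)."""
    return [IPV4_HDR + UDP_HDR + (NAT_T_MARKER if nat_t else 0) + s for s in ike_sizes]


if __name__ == "__main__":
    h = parse_ike_header(SAMPLE_HDR)
    print(h["exchange"], "response" if h["response"] else "request", h["length"], "bytes")
    for off, size, has_udp in ip_fragments(h["length"], mtu=1500, nat_t=True):
        print(f"IP fragment at offset {off}: {size} bytes, UDP header present: {has_udp}")
    sizes = ikev2_fragments(h["length"])
    print("IKEv2 fragments:", sizes, "-> datagrams:", datagram_sizes(sizes))
```

With the assumed numbers the 3800-byte IKE_AUTH becomes three IP fragments of which two have no UDP header, or four IKEv2 fragments whose datagrams all stay under 1500 bytes; the latter is what fragmentation=yes buys once the client supports it.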
  2. Abhimanyu
    2020-06-04T20:32:55+08:00

    You seem to be missing some plugins. Try installing libcharon-extra-plugins on your Ubuntu.

    sudo apt-get install libcharon-extra-plugins
  3. Best Answer
    Kayson
    2020-06-06T08:44:59+08:00

    As mentioned in the comments, the original problem was a typo in the port forwarding. The subsequent problem was that the Let's Encrypt intermediate certificate was not being sent, even though it was part of the chain file. It had to be put manually into /etc/ipsec.d/cacerts.

    I strongly recommend using the strongSwan mobile app for debugging, since it has very useful log information, whereas Windows is mostly useless.
