IPsec with strongSwan does not connect

I am trying to set up an IPsec server with strongSwan on 18.04.

My ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file
config setup
   charondebug="cfg 2"

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=no
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@domain.com
    leftcert=/etc/ssl/certs/domain.com.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=192.168.1.1
    rightsourceip=10.11.12.0/24
    rightsendcert=never
    eap_identity=%identity

My ipsec.secrets:

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.

domain.com : RSA /etc/ssl/private/strongswan.key
user %any% : EAP "pass"

I have ufw configured to let the traffic through, as far as I can tell:

administrator@fserver:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80,443/tcp (Apache Full)   ALLOW IN    Anywhere
22/tcp (OpenSSH)           ALLOW IN    Anywhere
137,138/udp (Samba)        ALLOW IN    Anywhere
139,445/tcp (Samba)        ALLOW IN    Anywhere
3389/tcp                   ALLOW IN    Anywhere
8085/tcp                   ALLOW IN    Anywhere
35000:36000/tcp            ALLOW IN    Anywhere                   # deluge
10000:20000/tcp            ALLOW IN    Anywhere                   # ftp passive
20:21/tcp                  ALLOW IN    Anywhere                   # ftp
990/tcp                    ALLOW IN    Anywhere                   # ftp tls
192.168.1.2/esp            ALLOW IN    Anywhere
500                        ALLOW IN    Anywhere                   # ipsec
4500                       ALLOW IN    Anywhere                   # ipsec
192.168.1.2/ah             ALLOW IN    Anywhere
80,443/tcp (Apache Full (v6)) ALLOW IN    Anywhere (v6)
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)
137,138/udp (Samba (v6))   ALLOW IN    Anywhere (v6)
139,445/tcp (Samba (v6))   ALLOW IN    Anywhere (v6)
3389/tcp (v6)              ALLOW IN    Anywhere (v6)
8085/tcp (v6)              ALLOW IN    Anywhere (v6)
35000:36000/tcp (v6)       ALLOW IN    Anywhere (v6)              # deluge
10000:20000/tcp (v6)       ALLOW IN    Anywhere (v6)              # ftp passive
20:21/tcp (v6)             ALLOW IN    Anywhere (v6)              # ftp
990/tcp (v6)               ALLOW IN    Anywhere (v6)              # ftp tls
500 (v6)                   ALLOW IN    Anywhere (v6)              # ipsec
4500 (v6)                  ALLOW IN    Anywhere (v6)              # ipsec

Unfortunately, I cannot connect from Windows 10. When I try to connect from Windows, it sits at "Verifying your sign-in info" and then stops with an error message saying the connection could not be established because the server stopped responding.

My syslog shows:

Jul  3 11:20:51 fserver charon: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul  3 11:20:51 fserver charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver ipsec[4349]: 06[ENC] generating INFORMATIONAL_V1 request 3859798652 [ N(NO_PROP) ]
Jul  3 11:20:51 fserver ipsec[4349]: 06[NET] sending packet: from 192.168.1.2[500] to 216.218.206.70[50231] (40 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 08[NET] received packet: from 216.218.206.98[28703] to 192.168.1.2[500] (64 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 08[ENC] parsed ID_PROT request 0 [ SA ]
Jul  3 11:20:51 fserver ipsec[4349]: 08[CFG] looking for an ike config for 192.168.1.2...216.218.206.98
Jul  3 11:20:51 fserver ipsec[4349]: 08[IKE] no IKE config found for 192.168.1.2...216.218.206.98, sending NO_PROPOSAL_CHOSEN
Jul  3 11:20:51 fserver ipsec[4349]: 08[ENC] generating INFORMATIONAL_V1 request 1302012061 [ N(NO_PROP) ]
Jul  3 11:20:51 fserver ipsec[4349]: 08[NET] sending packet: from 192.168.1.2[500] to 216.218.206.98[28703] (40 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 10[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   candidate: %any...%any, prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] found matching ike config: %any...%any with prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] received MS-Negotiation Discovery Capable vendor ID
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] received Vid-Initial-Contact vendor ID
Jul  3 11:20:51 fserver ipsec[4349]: 10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] 142.68.61.15 is initiating an IKE_SA
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selecting proposal:
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG]   proposal matches
Jul  3 11:20:51 fserver charon: 13[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver ipsec[4349]: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] local host is behind NAT, sending keep alives
Jul  3 11:20:51 fserver ipsec[4349]: 10[IKE] remote host is behind NAT
Jul  3 11:20:51 fserver ipsec[4349]: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul  3 11:20:51 fserver ipsec[4349]: 10[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 11[IKE] sending keep alive to 142.68.61.15[500]
Jul  3 11:20:51 fserver ipsec[4349]: 12[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout
Jul  3 11:20:51 fserver ipsec[4349]: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul  3 11:20:51 fserver ipsec[4349]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver ipsec[4349]: 13[CFG] looking for an ike config for 192.168.1.2...142.68.61.15
Jul  3 11:20:51 fserver ipsec[4349]: 13[CFG]   candidate: %any...%any, prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 13[CFG] found matching ike config: %any...%any with prio 28
Jul  3 11:20:51 fserver charon: 13[CFG]   candidate: %any...%any, prio 28
Jul  3 11:20:51 fserver ipsec[4349]: 13[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul  3 11:20:51 fserver charon: 13[CFG] found matching ike config: %any...%any with prio 28
Jul  3 11:20:51 fserver charon: 13[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul  3 11:20:51 fserver charon: 13[IKE] received MS-Negotiation Discovery Capable vendor ID
Jul  3 11:20:51 fserver charon: 13[IKE] received Vid-Initial-Contact vendor ID
Jul  3 11:20:51 fserver charon: 13[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul  3 11:20:51 fserver charon: 13[IKE] 142.68.61.15 is initiating an IKE_SA
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jul  3 11:20:51 fserver charon: 13[CFG] selecting proposal:
Jul  3 11:20:51 fserver charon: 13[CFG]   proposal matches
Jul  3 11:20:51 fserver charon: 13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Jul  3 11:20:51 fserver charon: 13[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver charon: 13[IKE] local host is behind NAT, sending keep alives
Jul  3 11:20:51 fserver charon: 13[IKE] remote host is behind NAT
Jul  3 11:20:51 fserver charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul  3 11:20:51 fserver charon: 13[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul  3 11:21:11 fserver charon: 15[IKE] sending keep alive to 142.68.61.15[500]
Jul  3 11:21:21 fserver charon: 01[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout

It looks like Windows stops sending packets. I have forwarded ports 500 and 4500.

Possibly what is happening is that ufw is not being configured correctly; I am willing to dig into iptables, but it would be nice if I didn't have to.

1
asked 3 July 2018 at 22:24
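Added example (not part of the question and not strongSwan's own code): a small Python triage script that reads a charon syslog excerpt like the one above, reproduces the proposal selection the log shows (the first configured proposal that the peer also offered, which is charon's ordering under the default `charon.prefer_configured_proposals = yes` in strongswan.conf) and reports, per peer, whether the client ever got past IKE_SA_INIT. The embedded sample log is a shortened, constructed version of the lines posted; the verdict strings and the regexes are my own.

```python
"""Triage of a strongSwan charon syslog excerpt: which IKE proposal the
responder picked, and whether each peer ever got past IKE_SA_INIT.
Added example; it is not code from the question or from the strongSwan project."""
import re
from collections import defaultdict

# Constructed sample in the format of the question's syslog excerpt (shortened).
SAMPLE_LOG = """\
Jul  3 11:20:51 fserver charon: 13[NET] received packet: from 142.68.61.15[500] to 192.168.1.2[500] (1144 bytes)
Jul  3 11:20:51 fserver charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  3 11:20:51 fserver charon: 13[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Jul  3 11:20:51 fserver charon: 13[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  3 11:20:51 fserver charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul  3 11:20:51 fserver charon: 13[NET] sending packet: from 192.168.1.2[500] to 142.68.61.15[500] (312 bytes)
Jul  3 11:21:21 fserver charon: 01[JOB] deleting half open IKE_SA with 142.68.61.15 after timeout
"""

# Every charon line ends in "<thread>[<group>] <message>"; the thread id ties a
# parsed/generated message to the packet line that preceded it on that thread.
LINE = re.compile(r'(?P<tid>\d+)\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$')
RECV = re.compile(r'received packet: from (?P<ip>[\d.]+)\[\d+\]')
SEND = re.compile(r'sending packet: from [\d.]+\[\d+\] to (?P<ip>[\d.]+)\[\d+\]')
PARSED = re.compile(r'parsed (?P<exch>[A-Z_0-9]+) request')
GENERATED = re.compile(r'generating (?P<exch>[A-Z_0-9]+) response')
HALF_OPEN = re.compile(r'deleting half open IKE_SA with (?P<ip>[\d.]+)')
PROPOSALS = re.compile(r'(?P<kind>received|configured) proposals: (?P<lst>.*)$')


def parse_proposal_list(text):
    """'IKE:A/B/C, IKE:D/E/F' -> ['IKE:A/B/C', 'IKE:D/E/F']"""
    return [p.strip() for p in text.split(',') if p.strip()]


def select_proposal(configured, received):
    """First configured proposal that the peer also offered (charon's default
    ordering with prefer_configured_proposals = yes); None when nothing overlaps."""
    offered = set(received)
    for proposal in configured:
        if proposal in offered:
            return proposal
    return None


def triage(log_text):
    proposals = {'received': [], 'configured': []}
    peer_of_thread = {}
    peers = defaultdict(lambda: {'received': set(), 'sent': set(), 'timed_out': False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        tid, msg = m.group('tid'), m.group('msg')
        if (r := RECV.search(msg)):
            peer_of_thread[tid] = r.group('ip')
        elif (s := SEND.search(msg)):
            peer_of_thread[tid] = s.group('ip')
        elif (p := PARSED.search(msg)) and tid in peer_of_thread:
            peers[peer_of_thread[tid]]['received'].add(p.group('exch'))
        elif (g := GENERATED.search(msg)) and tid in peer_of_thread:
            peers[peer_of_thread[tid]]['sent'].add(g.group('exch'))
        elif (h := HALF_OPEN.search(msg)):
            peers[h.group('ip')]['timed_out'] = True
        elif (pr := PROPOSALS.search(msg)):
            proposals[pr.group('kind')] = parse_proposal_list(pr.group('lst'))

    verdicts = {}
    for ip, st in peers.items():
        if 'IKE_AUTH' in st['received']:
            verdicts[ip] = 'IKE_AUTH arrived: transport is fine, look at authentication/certificates'
        elif 'IKE_SA_INIT' in st['sent'] and st['timed_out']:
            verdicts[ip] = ('IKE_SA_INIT answered but no IKE_AUTH before timeout: '
                            'check UDP/4500 forwarding and whether IP fragments are dropped')
        elif st['timed_out']:
            verdicts[ip] = 'no IKE_SA_INIT response sent: no matching config or proposal'
        else:
            verdicts[ip] = 'still in progress'
    return {
        'selected_proposal': select_proposal(proposals['configured'], proposals['received']),
        'peers': verdicts,
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Feeding it the full excerpt from the question gives the same picture as the sample: the IKE_SA_INIT response goes out, nothing comes back, and the half-open SA is reaped after the timeout. That is the signature of the client's IKE_AUTH never reaching charon, which is a transport problem (forwarding, firewall, fragments) rather than an authentication one.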

3 answers

The initial problem, as mentioned in the comments, was a typo in the port forwarding. A subsequent problem arose because the Let's Encrypt intermediate certificates were not being sent even though they were part of the chain file. I had to place it manually in /etc/ipsec.d/cacerts.

I strongly recommend using the strongSwan mobile app for debugging, since it gives very useful log information, compared to Windows, which was basically useless.

0
answered 5 June 2020 at 16:44

If you can rule out a firewall blocking the requests, a possible cause is IP fragmentation (you can check with tcpdump/Wireshark to see whether the messages are sent/received).

If the IKE_AUTH message gets too large (e.g. because of large client certificates or many certificate requests), it is split into several IP fragments. Such fragments are often dropped by firewalls/routers.

There is an option to avoid that with IKEv2 fragmentation, but not all clients support that extension yet. For instance, Windows 10 did not support it until the Spring 2018 update. But if you update your client, you should be able to set fragmentation=yes to use IKEv2 fragmentation.

0
answered 3 July 2018 at 22:24
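Added example, not from the answer above and not strongSwan code: the reason port-based rules lose fragments is that only the first IP fragment carries the UDP header. The Python below builds a UDP/4500 datagram around a constructed IKE_AUTH-sized payload, fragments it at a 1500-byte MTU the way a router would, and then classifies each fragment the way a stateless "allow udp dport 4500" rule sees it. The addresses are constructed documentation addresses, and the header checksum and fragmenter are my own minimal implementations.

```python
"""Why a port-matching firewall rule cannot pass the IP fragments of a large
IKE_AUTH message.  Added example; it builds IPv4/UDP packets by hand and is not
code from the answer or from strongSwan."""
import struct

MTU = 1500
IPV4_HDR_LEN = 20
UDP_HDR_LEN = 8
PROTO_UDP = 17


def checksum(data):
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(payload_len, ident, flags, offset_units, src, dst, proto=PROTO_UDP):
    """flags: 0x2 = DF, 0x1 = MF; offset_units is the fragment offset in 8-byte units."""
    total = IPV4_HDR_LEN + payload_len
    frag_field = (flags << 13) | offset_units
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, total, ident, frag_field, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack('!H', checksum(hdr)) + hdr[12:]


def fragment_udp(src, dst, sport, dport, payload, mtu=MTU, ident=0x1234):
    """Split one UDP datagram into IPv4 fragments the way a router at `mtu` would.
    UDP checksum is left at 0 (optional over IPv4) to keep the example short."""
    datagram = struct.pack('!HHHH', sport, dport, UDP_HDR_LEN + len(payload), 0) + payload
    max_chunk = (mtu - IPV4_HDR_LEN) // 8 * 8     # fragment payload must be a multiple of 8
    frags, offset = [], 0
    while offset < len(datagram):
        chunk = datagram[offset:offset + max_chunk]
        more = offset + len(chunk) < len(datagram)
        flags = 0x1 if more else 0x0
        frags.append(ipv4_header(len(chunk), ident, flags, offset // 8, src, dst) + chunk)
        offset += len(chunk)
    return frags


def classify(packet):
    """What a stateless, port-matching rule can see in one IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack('!H', packet[6:8])[0]
    more_fragments = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8
    proto = packet[9]
    if offset == 0 and proto == PROTO_UDP:
        sport, dport = struct.unpack('!HH', packet[ihl:ihl + 4])
        kind = 'first fragment' if more_fragments else 'unfragmented'
        return {'kind': kind, 'udp_ports': (sport, dport), 'offset': offset}
    # A non-initial fragment carries no UDP header at all: a rule such as
    # "allow udp dport 4500" cannot match it, and a firewall that does not
    # reassemble before filtering simply drops it.
    return {'kind': 'non-initial fragment', 'udp_ports': None, 'offset': offset}


def demo(auth_msg_len=2400):
    """Fragment a constructed IKE_AUTH-sized datagram and classify each piece."""
    src, dst = bytes([203, 0, 113, 10]), bytes([192, 0, 2, 1])   # constructed addresses
    frags = fragment_udp(src, dst, 4500, 4500, b'\x00' * auth_msg_len)
    return [classify(f) for f in frags]


if __name__ == '__main__':
    for result in demo():
        print(result)
```

Running it shows the second fragment has no UDP ports to match on, while a 100-byte payload stays in one unfragmented packet. To see the same thing on the wire, the tcpdump filter `ip[6:2] & 0x3fff != 0` matches every IPv4 packet whose MF flag or fragment offset is non-zero, so capturing on the server while the client connects tells you whether the fragments arrive at all.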

It looks like you are missing some plugins. Try installing libcharon-extra-plugins on your Ubuntu:

sudo apt-get install libcharon-extra-plugins

0
answered 4 June 2020 at 04:32
