Установка и настройка клиента StrongSwan в Ubuntu

Question

У меня возникли проблемы с установкой клиента StrongSwan в Ubuntu.

Вот шаги, которые я выполняю:

Экспорт сертификата пользователя:

openssl pkcs12 -in cert_export_username@domain.com.p12 -out username-cert.pem -clcerts -nokeys

Экспорт закрытого ключа пользователя:

openssl pkcs12 -in cert_export_username@domain.com.p12 -out username-key.pem -nocerts -nodes

Переименование сертификата ЦС:

mv cert_export_CA.crt cacert.pem

Копирование сертификатов и файлов ключей в соответствующие каталоги:

cp username-cert.pem /etc/ipsec.d/certs
cp username-key.pem /etc/ipsec.d/private
cp cacert.pem /etc/ipsec.d/cacerts

Редактировать / файл etc/ipsec.conf:

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
conn "DOMAIN"
    leftsourceip=%config
    leftcert=username-cert.pem
    leftid=username@domain.com
    leftfirewall=yes
    right=vpn.domain.com
    rightid=cvpn.domain.com
    rightsubnet=0.0.0.0/0
    auto=start

Редактировать /etc/ipsec.secrets:

: RSA username-key.pem "passphrase"

Перезапустить демон ipsec:

sudo ipsec restart

Проверить, установлено ли соединение:

sudo ipsec status

возврат: Сопоставления безопасности (0 up, 0 connection ): none

ip a

возвращает:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000   
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00    
    inet 127.0.0.1/8 scope host lo   
       valid_lft forever preferred_lft forever    
    inet6 ::1/128 scope host     
       valid_lft forever preferred_lft forever    
2: enp2s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000    
    link/ether 8c:8c:aa:49:56:b0 brd ff:ff:ff:ff:ff:ff    
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000   
    link/ether b0:a4:60:d9:2c:a4 brd ff:ff:ff:ff:ff:ff  
    inet <ip>/24 brd <ip> scope global dynamic noprefixroute wlp3s0 
       valid_lft 168sec preferred_lft 168sec    
    inet6 <ip>/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Что означает, что я не могу подключиться.

Когда я запускаю ipsec up DOMAIN, я получаю следующий вывод:

initiating IKE_SA DOMAIN[2] to xxx.xxx.xxx.xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (936 bytes)
received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested MODP_2048
initiating IKE_SA DOMAIN[2] to xxx.xxx.xxx.xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (1128 bytes)
received packet: from 1xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (437 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) CERTREQ ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
sending cert request for "O=domain.com, CN=vpn.domain.com"
authentication of 'username@domain.com' (myself) with RSA signature successful
sending end entity cert "O=domain.com, CN=Template-User"
establishing CHILD_SA DOMAIN{2}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
splitting IKE message (1536 bytes) into 2 fragments
generating IKE_AUTH request 1 [ EF(1/2) ]
generating IKE_AUTH request 1 [ EF(2/2) ]
sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (1236 bytes)
sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (372 bytes)
received packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (1204 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, waiting for complete IKE message
received packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (564 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembled fragmented IKE message (1408 bytes)
parsed IKE_AUTH response 1 [ CERT IDr AUTH CPRP(ADDR MASK SUBNET) TSi TSr SA ]
received end entity cert "O=domain.com, CN=vpn.domain.com"
  using trusted certificate "O=domain.com, CN=vpn.domain.com"
signature validation failed, looking for another key
  using certificate "O=domain.com, CN=vpn.domain.com"
  using trusted ca certificate "O=domain.com, CN=vpn.domain.com"
checking certificate status of "O=domain.com, CN=vpn.domain.com"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of 'vpn.domain.com' with RSA signature successful
constraint check failed: identity 'cvpn.domain.com' required 
selected peer config 'DOMAIN' unacceptable: constraint checking failed
no alternative config found
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (80 bytes)
establishing connection 'DOMAIN' failed

Установка и настройка клиента StrongSwan в Ubuntu

0 ответов

Другие вопросы по тегам:

Похожие вопросы: