strongSwan configuration procedure and problems


1 Procedure

Reference: https://blog.youkuaiyun.com/gaojinshan/article/details/50820513

1.1 Generating the certificates

1) Generate the CA key and self-signed CA certificate:

ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --outform pem --in caKey.pem --dn "C=CN, O=TJ, CN=Test CA" --ca > caCert.pem

caKey.pem signs every server and client certificate below. It is only needed on the machine where certificates are issued and must not be copied to the VPN server or to the phones; only caCert.pem is distributed.

2) Generate the server key and certificate:

ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --outform pem --in serverKey.pem > serverPub.pem
ipsec pki --issue --outform pem --cacert caCert.pem --cakey caKey.pem --in serverPub.pem --dn "C=CN, O=TJ, CN=Test Server" --san="192.168.3.51" --san="192.168.3.38" --flag serverAuth --flag ikeIntermediate  > serverCert.pem
Note: --san (subjectAltName) is the server address or domain name as the client identifies the server, and it directly decides whether the connection succeeds (see 2.4 below). Every address or name that clients will use to reach the server must be listed; several --san options can be given. The --flag serverAuth and --flag ikeIntermediate extended key usages are required by some client platforms (Windows checks for serverAuth, older Apple clients for ikeIntermediate).

3) Generate the client key and certificate (only needed if clients authenticate with certificates, i.e. rightauth=rsa in 1.2; with EAP-MSCHAPv2 the phone only needs caCert.pem):

ipsec pki --gen --outform pem > clientKey.pem
ipsec pki --pub --outform pem --in clientKey.pem > clientPub.pem
ipsec pki --issue --outform pem --cacert caCert.pem --cakey caKey.pem --in clientPub.pem --dn "C=CN, O=TJ, CN=Test Client" > clientCert.pem

4) Copy the certificates and keys into place:

Note: ipsec pki writes DER by default, which a phone cannot import directly, so PEM is used throughout (--outform pem).
Reference: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

macOS paths:

cp caCert.pem /usr/local/etc/ipsec.d/cacerts/
cp serverCert.pem /usr/local/etc/ipsec.d/certs/
cp serverKey.pem /usr/local/etc/ipsec.d/private/
cp clientCert.pem /usr/local/etc/ipsec.d/certs/
cp clientKey.pem /usr/local/etc/ipsec.d/private/

Ubuntu paths:

sudo cp caCert.pem /etc/ipsec.d/cacerts/
sudo cp serverCert.pem /etc/ipsec.d/certs/
sudo cp serverKey.pem /etc/ipsec.d/private/
sudo cp clientCert.pem /etc/ipsec.d/certs/
sudo cp clientKey.pem /etc/ipsec.d/private/

Files under ipsec.d/private are private keys and should be readable by root only (chmod 600). The server itself only needs caCert.pem, serverCert.pem and serverKey.pem; the client's key does not have to be on the server, and caKey.pem should never be copied there.

5) For the Android client: convert the client certificate from PEM to PKCS#12

openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12

openssl prompts for an export password, which is entered again on the phone during import. On a Samsung phone the installer says "You can install certificates from PKCS#12 files with the .pfx or .p12 extension". Picking the PEM certificate directly reports a successful import, but the certificate cannot be found afterwards, so a PKCS#12 file has to be generated. The bundle contains the client's private key, so copy it to the phone over a trusted channel and delete the copy afterwards.
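Putting steps 1) to 5) together, here is an added example script (not code from the original post) that generates the whole test PKI in one run and then prints the issued server certificate so the altNames can be checked before anything is copied into ipsec.d. It assumes ipsec pki and openssl are installed; the DN values, file names and addresses are the placeholders used above, and PKI, OPENSSL, OUT, DN and P12_PASS are variables of this script, not strongSwan settings.

```shell
#!/bin/sh
# make-pki.sh: generate the strongSwan test PKI of section 1.1 in one run.
# Added example, not part of the original post. Assumes `ipsec pki` (from
# strongSwan) and `openssl` are installed. The DN values, file names and
# addresses are the placeholders used in the post; PKI, OPENSSL, OUT, DN and
# P12_PASS are variables of this script, not strongSwan settings.
set -eu

PKI="${PKI:-ipsec pki}"        # strongSwan pki tool; PKI=echo gives a dry run
OPENSSL="${OPENSSL:-openssl}"  # only used for the PKCS#12 export of step 5
OUT="${OUT:-.}"                # directory that receives the PEM/P12 files
DN="${DN:-C=CN, O=TJ}"         # DN prefix; the CN is appended per certificate

# san_args "192.168.3.51 vpn.example.com" -> "--san=192.168.3.51 --san=vpn.example.com"
# Every address or name a client may use to reach the server has to be listed,
# otherwise the client fails with "constraint check failed: identity ... required".
san_args() {
    args=""
    for s in $1; do
        args="$args --san=$s"
    done
    printf '%s' "${args# }"
}

# Step 1: CA key and self-signed CA certificate.
gen_ca() {
    $PKI --gen --outform pem > "$OUT/caKey.pem"
    $PKI --self --outform pem --in "$OUT/caKey.pem" \
        --dn "$DN, CN=Test CA" --ca > "$OUT/caCert.pem"
}

# Step 2: server key and certificate. $1 is the space-separated SAN list.
gen_server() {
    $PKI --gen --outform pem > "$OUT/serverKey.pem"
    $PKI --pub --outform pem --in "$OUT/serverKey.pem" > "$OUT/serverPub.pem"
    # $(san_args ...) is deliberately unquoted so each --san= is its own argument.
    $PKI --issue --outform pem --cacert "$OUT/caCert.pem" --cakey "$OUT/caKey.pem" \
        --in "$OUT/serverPub.pem" --dn "$DN, CN=Test Server" $(san_args "$1") \
        --flag serverAuth --flag ikeIntermediate > "$OUT/serverCert.pem"
}

# Step 3: client key and certificate. $1 is the file prefix, $2 the CN.
gen_client() {
    $PKI --gen --outform pem > "$OUT/${1}Key.pem"
    $PKI --pub --outform pem --in "$OUT/${1}Key.pem" > "$OUT/${1}Pub.pem"
    $PKI --issue --outform pem --cacert "$OUT/caCert.pem" --cakey "$OUT/caKey.pem" \
        --in "$OUT/${1}Pub.pem" --dn "$DN, CN=$2" > "$OUT/${1}Cert.pem"
}

# Step 5: PKCS#12 bundle (key + certificate + CA) for the Android importer.
# The export password is read from the P12_PASS environment variable so that
# it does not show up in the process list.
make_p12() {
    $OPENSSL pkcs12 -export -inkey "$OUT/${1}Key.pem" -in "$OUT/${1}Cert.pem" \
        -name "$1" -certfile "$OUT/caCert.pem" -caname "strongSwan CA" \
        -passout env:P12_PASS -out "$OUT/${1}Cert.p12"
}

main() {
    : "${P12_PASS:?set P12_PASS to the PKCS#12 export password}"
    export P12_PASS
    gen_ca
    gen_server "$*"
    gen_client client "Test Client"
    make_p12 client
    chmod 600 "$OUT"/*Key.pem   # private keys: owner-only, as in ipsec.d/private
    # Print the issued server certificate: its altNames line must list every
    # address given on the command line before it is copied to ipsec.d/certs.
    $PKI --print --in "$OUT/serverCert.pem"
}

# Only runs when the server addresses/names are passed as arguments; without
# arguments the file just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `P12_PASS=changeme OUT=/tmp/pki sh make-pki.sh 192.168.3.51 192.168.3.38`; the altNames line of the printed certificate must show both addresses. With PKI=echo OPENSSL=echo the script only records the command lines in the output files, which is a quick way to review the arguments on a machine without strongSwan.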


1.2 Editing the configuration files

1) /etc/ipsec.conf (/usr/local/etc/ipsec.conf on the Mac)

Reference: https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
# ipsec.conf - strongSwan IPsec configuration file
config setup
    uniqueids=never         # allow several clients to be connected with the same identity (one shared certificate or EAP user)

conn IKEv2-EAP
    keyexchange=ikev2       # IKE version
    left=%any               # local (server) address; %any = whichever address the request arrives on
    leftid=222              # server identity. It should be an identity contained in the server certificate (a SAN or the subject DN);
                            # 222 is in neither, so charon falls back to the certificate's subject DN, which is what the status output in 1.4 shows.
                            # Setting it to a SAN, e.g. leftid=192.168.3.51, avoids the fallback.
    leftsubnet=0.0.0.0/0    # server-side traffic selector: clients may send all their traffic through the tunnel (this is not a virtual IP)
    #leftsubnet=11.11.0.0/24
    leftcert=serverCert.pem # server certificate, looked up in ipsec.d/certs
    leftauth=pubkey         # the server authenticates with its certificate
    right=%any              # accept clients from any address
    rightsourceip=11.11.0.0/24    # pool of virtual IPs handed out to clients
    rightauth=eap-mschapv2  # clients authenticate with EAP-MSCHAPv2 (username/password); eap-md5 would also work
    #rightauth=rsa          # alternative: clients authenticate with a certificate
    #rightcert=clientCert.pem       # client certificate for that alternative
    #eap_identity=%any      # ask the client for an EAP identity and use it (instead of the IKE identity) to look up the secret
    auto=add                # load the conn at start-up and wait for clients to initiate

2) strongswan.conf

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    # DNS servers pushed to clients in the configuration payload
    dns1 = 114.114.114.114
    dns2 = 8.8.8.8
    dns3 = 8.8.4.4

    multiple_authentication = no
    # Disables RFC 7427 signature authentication; IKEv2 then falls back to the
    # classic RSA method, which signs a SHA-1 hash. Keep this only for clients
    # that cannot do RFC 7427.
    signature_authentication = no
    flush_auth_cfg = yes

    plugins {
        include strongswan.d/charon/*.conf
    }

    filelog {
        /usr/local/etc/strongswan.charon.log {
            time_format = %b %e %T
            # level 4 ("private") also writes keying material to the log;
            # fine while debugging, lower it to 1 or 2 for normal operation
            default = 4
            append = no
            flush_line = yes
        }
    }
}
include strongswan.d/*.conf

3) ipsec.secrets

Reference: https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets
# ipsec.secrets - strongSwan IPsec secrets file

# server private key, looked up in ipsec.d/private; must belong to leftcert
: RSA serverKey.pem
# pre-shared key, only used by PSK conns (the android_xauth_psk conn in the status output below); 8 digits is far too weak outside a lab
: PSK "12345678"
# EAP-MSCHAPv2 users, one "<identity> : EAP "<password>"" line each; these are throwaway test credentials
test : EAP "pass"
e : EAP "e"
d : EAP "d"
a : EAP "a"

The file holds plaintext passwords and the reference to the server key, so it must be readable by root only (mode 600). After editing it, run sudo ipsec rereadsecrets.

1.3 Starting the daemon

Start it with:

sudo ipsec start

The commands to start, stop, restart and show the status are:

sudo ipsec start
sudo ipsec stop
sudo ipsec restart
sudo ipsec statusall

After changing ipsec.conf, sudo ipsec reload re-reads the connections without dropping established tunnels.

1.4 Result

Two Android clients running the strongSwan app (see: https://wiki.strongswan.org/projects/strongswan/wiki/Android) connected successfully. sudo ipsec statusall shows the established state below. Note that the virtual IP pool in this output is 11.168.0.0/24 rather than the 11.11.0.0/24 configured in the listing above, and that it also lists an IKEv1 conn (android_xauth_psk) that is not part of the ipsec.conf shown:

$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Darwin 17.5.0, x86_64):
  uptime: 28 minutes, since Apr 19 14:56:01 2018
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp sshkey pem openssl curve25519 kernel-libipsec kernel-pfroute socket-default stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 xauth-generic osx-attr unity counters
Virtual IP pools (size/online/offline):
  11.168.0.0/24: 254/2/0
Listening IP addresses:
  192.168.3.51
  172.16.19.1
  172.16.36.1
Connections:
android_xauth_psk:  %any...%any  IKEv1
android_xauth_psk:   local:  uses pre-shared key authentication
android_xauth_psk:   remote: uses pre-shared key authentication
android_xauth_psk:   remote: uses XAuth authentication: any
android_xauth_psk:   child:  dynamic === 0.0.0.0/0 TUNNEL
   IKEv2-EAP:  %any...%any  IKEv2
   IKEv2-EAP:   local:  [C=CN, O=TJ, CN=Test Server] uses public key authentication
   IKEv2-EAP:    cert:  "C=CN, O=TJ, CN=Test Server"
   IKEv2-EAP:   remote: uses EAP_MSCHAPV2 authentication
   IKEv2-EAP:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (2 up, 0 connecting):
   IKEv2-EAP[2]: ESTABLISHED 10 seconds ago, 192.168.3.51[C=CN, O=TJ, CN=Test Server]...192.168.3.28[e]
   IKEv2-EAP[2]: IKEv2 SPIs: 978d573d1e478fd3_i b0732d2a963df511_r*, public key reauthentication in 2 hours
   IKEv2-EAP[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
   IKEv2-EAP{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 98098eeb_i 46523990_o
   IKEv2-EAP{2}:  AES_CBC_128/HMAC_SHA2_256_128, 1200 bytes_i (20 pkts, 0s ago), 0 bytes_o, rekeying in 48 minutes
   IKEv2-EAP{2}:   0.0.0.0/0 === 11.168.0.2/32
   IKEv2-EAP[1]: ESTABLISHED 28 minutes ago, 192.168.3.51[C=CN, O=TJ, CN=Test Server]...192.168.3.12[a]
   IKEv2-EAP[1]: IKEv2 SPIs: ccfe7d1457d773ac_i 929341305be0e1cd_r*, public key reauthentication in 2 hours
   IKEv2-EAP[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
   IKEv2-EAP{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 667a9da5_i b97425ec_o
   IKEv2-EAP{1}:  AES_CBC_128/HMAC_SHA2_256_128, 33036 bytes_i (549 pkts, 63s ago), 0 bytes_o, rekeying in 18 minutes
   IKEv2-EAP{1}:   0.0.0.0/0 === 11.168.0.1/32

To set up a check that client traffic really goes through the VPN, see: https://blog.youkuaiyun.com/lllkey/article/details/80069219


2 Problems

2.1 Configuration error

Apr 18 09:42:24 07[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Apr 18 09:42:24 07[IKE] received NO_PROPOSAL_CHOSEN notify error

Cause: server-side configuration error. NO_PROPOSAL_CHOSEN in the IKE_SA_INIT response means the server accepted none of the IKE proposals the client offered (or found no conn matching the peer); compare keyexchange= and any ike= line with what the client offers, and look at charon's log on the server, which lists the received and configured proposals.

2.2 CA verification failed

Apr 18 10:57:31 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 18 10:57:31 12[IKE] received AUTHENTICATION_FAILED notify error

Cause: the certificate was not issued by the CA the peer trusts, so the chain does not validate.

Fix: install caCert.pem on the phone and select it as the CA certificate in the connection profile.


2.3 Service not running

Apr 18 11:48:11 13[IKE] giving up after 3 retransmits
Apr 18 11:48:11 13[IKE] peer not responding, trying again (2/0)
Apr 18 11:48:11 13[IKE] initiating IKE_SA android[9] to 192.168.3.51
Apr 18 11:48:11 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 18 11:48:11 13[NET] sending packet: from 192.168.3.12[51487] to 192.168.3.51[500] (716 bytes)
Apr 18 11:48:11 15[IKE] destroying IKE_SA in state CONNECTING without notification
Cause: the strongSwan server is not running, so the IKE_SA_INIT request is never answered. Check that charon has been started (sudo ipsec statusall on the server), that the server address in the profile is correct, and that UDP 500 and 4500 reach the server.

2.4 Certificate verification failed

Apr 18 14:47:13 06[CFG] checking certificate status of "C=CN, O=TJ, CN=StrongSwanTest1"
Apr 18 14:47:13 06[CFG] certificate status is not available
Apr 18 14:47:13 06[CFG]   reached self-signed root ca with a path length of 0
Apr 18 14:47:13 06[IKE] authentication of 'C=CN, O=TJ, CN=StrongSwanTest1' with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 18 14:47:13 06[CFG] constraint check failed: identity '192.168.3.51' required 
Apr 18 14:47:13 06[CFG] selected peer config 'android' inacceptable: constraint checking failed
Apr 18 14:47:13 06[CFG] no alternative config found
Apr 18 14:47:13 06[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Apr 18 14:47:13 06[NET] sending packet: from 192.168.3.12[41900] to 192.168.3.51[4500] (80 bytes)
Cause: see https://wiki.strongswan.org/issues/813 and https://blog.youkuaiyun.com/gaojinshan/article/details/51015569
The client's profile requires the server identity 192.168.3.51 (the address it connects to), and that identity must appear in the server certificate as a subjectAltName. Here the certificate only carried its DN: the signature verified ("authentication ... successful"), but the identity constraint failed. Reissue the server certificate with --san; several can be given:
ipsec pki --issue --outform pem --cacert caCert.pem --cakey caKey.pem --in serverPub.pem --dn "C=CN, O=TJ, CN=Test Server" --san="192.168.3.51" --san="192.168.3.38" --flag serverAuth --flag ikeIntermediate  > serverCert.pem
From the issue it looks as if this can be configured in the app instead, but I have not found how, so the only option was to add the SAN to the certificate.

2.5 Wrong username or password

Apr 18 15:36:00 12[IKE] authentication of '192.168.3.51' with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 18 15:36:00 12[IKE] server requested EAP_MSCHAPV2 authentication (id 0x4D)
Apr 18 15:36:00 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Apr 18 15:36:00 12[NET] sending packet: from 192.168.3.12[56129] to 192.168.3.51[4500] (144 bytes)
Apr 18 15:36:02 08[IKE] retransmit 1 of request with message ID 2
Apr 18 15:36:02 08[NET] sending packet: from 192.168.3.12[56129] to 192.168.3.51[4500] (144 bytes)
Apr 18 15:36:02 15[NET] received packet: from 192.168.3.51[4500] to 192.168.3.12[56129] (128 bytes)
Apr 18 15:36:02 15[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Apr 18 15:36:02 15[IKE] EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
Apr 18 15:36:02 15[IKE] EAP_MSCHAPV2 method failed
Apr 18 15:36:02 15[ENC] generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
Apr 18 15:36:02 15[NET] sending packet: from 192.168.3.12[56129] to 192.168.3.51[4500] (80 bytes)
Apr 18 15:36:02 16[MGR] ignoring request with ID 2, already processing
Cause: wrong username or password. The server's certificate verified fine (first line); the EAP-MSCHAPv2 exchange then failed, so compare the EAP identity and password in the profile with the "<id> : EAP" lines in ipsec.secrets.
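Each of the failures in 2.1 to 2.5 leaves a distinctive line in the charon log. The following is an added example (not part of the original post) of a small POSIX shell triage function that scans a charon log and prints, for every signature it recognises, the probable cause described in this section; the log excerpt embedded in it is constructed from the lines quoted above and the message texts are the only thing it assumes about strongSwan.

```shell
#!/bin/sh
# charon-triage.sh: map charon log signatures to the causes of section 2.
# Added example, not part of the original post. Reads a charon log on stdin.
# The only assumptions are the strongSwan message texts quoted in 2.1-2.5.

# diagnose_charon_log < logfile
# Prints "<tag>: <probable cause>" for every known signature; returns 0 if at
# least one signature matched, 1 otherwise, so it can drive a script.
diagnose_charon_log() {
    found=1
    q="'"
    while IFS= read -r line; do
        case "$line" in
            *"received NO_PROPOSAL_CHOSEN notify error"*)
                found=0
                echo "no_proposal: responder accepted no IKE proposal or matched no conn (2.1); check keyexchange=/ike=/esp= and that a conn matches this peer" ;;
            *"constraint check failed: identity "*)
                found=0
                # pull the required identity out of "... identity '192.168.3.51' required"
                id=${line##*identity $q}; id=${id%%$q*}
                echo "identity_constraint: peer certificate does not contain identity '$id' (2.4); reissue the server certificate with --san=$id" ;;
            *"received AUTHENTICATION_FAILED notify error"*)
                found=0
                echo "auth_failed: the peer rejected our authentication (2.2); make sure the client trusts caCert.pem and the certificate chains to it" ;;
            *"EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE"*)
                found=0
                echo "eap_failed: wrong username or password (2.5); compare the EAP identity with the '<id> : EAP \"secret\"' lines in ipsec.secrets" ;;
            *"giving up after "*" retransmits"*)
                found=0
                echo "peer_not_responding: no answer to IKE_SA_INIT (2.3); charon not running, wrong server address, or UDP 500/4500 blocked" ;;
        esac
    done
    return $found
}

# Constructed sample: the failure lines quoted in sections 2.1-2.5, one per
# case, plus an unrelated line that must produce no output.
SAMPLE_LOG="Apr 18 09:42:24 07[IKE] received NO_PROPOSAL_CHOSEN notify error
Apr 18 10:57:31 12[IKE] received AUTHENTICATION_FAILED notify error
Apr 18 11:48:11 13[IKE] giving up after 3 retransmits
Apr 18 14:47:13 06[CFG] constraint check failed: identity '192.168.3.51' required
Apr 18 15:36:02 15[IKE] EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
Apr 18 15:36:02 15[NET] sending packet: from 192.168.3.12[56129] to 192.168.3.51[4500] (80 bytes)"

# Usage: sh charon-triage.sh < /usr/local/etc/strongswan.charon.log
# When stdin is a terminal (no log given), the constructed sample is scanned.
if [ -t 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | diagnose_charon_log
fi
```

The function works on the client-side Android logs quoted in this section as well as on the server's filelog, because the signatures are the same notify and constraint messages on both ends; only the identity in the 2.4 case is extracted from the line itself.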

2.6 Connected, but no internet access

Reference: https://blog.youkuaiyun.com/ficksong/article/details/79248407
1) Ubuntu
1 Enable IP forwarding: add the two lines below to /etc/sysctl.conf, then apply them
$ sudo vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
$ sudo sysctl -p
2 Add a NAT rule with iptables
$ sudo iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
ens33 is the VM's network interface; use ifconfig (or ip addr) to find the interface through which the clients' traffic leaves on your machine. A tighter rule limits NAT to the client pool configured as rightsourceip, e.g. -s 11.11.0.0/24 -o ens33 -j MASQUERADE, so that only VPN clients are masqueraded.
After this change the clients can reach the internet.

2) What I tried on the Mac

In the end the clients still could not reach the internet. I have tried all sorts of nat rules in pf.conf and do not know how it has to be configured for the clients to get out; if anyone knows, please tell me.

1 IP forwarding not enabled
sudo sysctl -a | grep forward    # show the forwarding-related settings; if they are all 0, enable forwarding
sudo sysctl net.inet.ip.forwarding=1
sudo sysctl net.inet6.ip6.forwarding=1
2 There is no iptables on the Mac; NAT is configured with pf
$ sudo vim /etc/pf.anchors/http
$ sudo vim /etc/pf.conf
# parse and verify the rules without loading them
$ sudo pfctl -vnf /etc/pf.conf
# load the rules and enable pf
$ sudo pfctl -ef /etc/pf.conf
# enable pf (again, e.g. after a reboot)
$ sudo pfctl -E
# show the loaded NAT rules
$ sudo pfctl -s nat
pf configuration: https://www.cnblogs.com/EasonJim/p/7819478.html
pf in detail: https://www.cnblogs.com/apexchu/p/4133040.html

2.7 No log on the server

Cause: on Ubuntu the AppArmor profile for charon prevents the log file from being created and written; the filelog path configured in strongswan.conf has to be permitted by the profile.

Reference: https://blog.youkuaiyun.com/lllkey/article/details/80067687


