Copyright notice: this is the blog author's original article, licensed under CC 4.0 BY-SA; please attach the original source link and this notice when reposting.
Article link: https://blog.csdn.net/lllkey/article/details/80068461
I. Procedure
Reference: https://blog.csdn.net/gaojinshan/article/details/50820513
1.1 Generating the certificates
1) Generate the CA key and certificate:
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --outform pem --in caKey.pem --dn "C=CN, O=TJ, CN=Test CA" --ca > caCert.pem
2) Generate the server key and certificate:
ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --outform pem --in serverKey.pem > serverPub.pem
ipsec pki --issue --outform pem --cacert caCert.pem --cakey caKey.pem --in serverPub.pem --dn "C=CN, O=TJ, CN=Test Server" --san="192.168.3.51" --san="192.168.3.38" --flag serverAuth --flag ikeIntermediate > serverCert.pem
Note: --san (subjectAltName) must carry the server address or domain name that the clients connect to; it directly determines whether the connection succeeds, because the client checks the gateway identity against it. Several --san values can be given.
3) Generate the client key and certificate:
ipsec pki --gen --outform pem > clientKey.pem
ipsec pki --pub --outform pem --in clientKey.pem > clientPub.pem
ipsec pki --issue --outform pem --cacert caCert.pem --cakey caKey.pem --in clientPub.pem --dn "C=CN, O=TJ, CN=Test Client" > clientCert.pem
4) Copy the certificates into place:
Note: the default output format is DER, which cannot be imported into a phone directly, so PEM is used here.
Reference: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
Paths on macOS:
cp caCert.pem /usr/local/etc/ipsec.d/cacerts/
cp serverCert.pem /usr/local/etc/ipsec.d/certs/
cp serverKey.pem /usr/local/etc/ipsec.d/private/
cp clientCert.pem /usr/local/etc/ipsec.d/certs/
cp clientKey.pem /usr/local/etc/ipsec.d/private/
Paths on Ubuntu:
sudo cp caCert.pem /etc/ipsec.d/cacerts/
sudo cp serverCert.pem /etc/ipsec.d/certs/
sudo cp serverKey.pem /etc/ipsec.d/private/
sudo cp clientCert.pem /etc/ipsec.d/certs/
sudo cp clientKey.pem /etc/ipsec.d/private/
5) For the Android client: convert the client certificate from PEM to PKCS#12
openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -name "client" -certfile caCert.pem -caname "strongSwan CA" -out clientCert.p12
Tested on a Samsung phone: it shows "You can install certificates from PKCS#12 files with the .pfx or .p12 file extension." Selecting the PEM certificate directly reports a successful import, but the certificate still cannot be found afterwards, so a .p12 file has to be generated.
1.2 Editing the configuration files
1) /etc/ipsec.conf
Reference: https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
# ipsec.conf - strongSwan IPsec configuration file
config setup
    uniqueids=never            # allow several clients to use the same certificate/identity at once
conn IKEv2-EAP
    keyexchange=ikev2          # key exchange protocol version
    left=%any                  # server (local) address; %any means any local address
    leftid=222                 # identity the server presents to the client
    leftsubnet=0.0.0.0/0       # subnet behind the server (traffic selector); 0.0.0.0/0 means all traffic
    #leftsubnet=11.11.0.0/24
    leftcert=serverCert.pem    # server certificate
    leftauth=pubkey            # server authenticates with its certificate
    right=%any                 # client address; %any means any
    rightsourceip=11.11.0.0/24 # virtual IP pool handed out to clients
    rightauth=eap-mschapv2     # client authentication: EAP-MSCHAPv2 (IKEv2 EAP username/password); eap-md5 is an alternative
    #rightauth=rsa             # client authenticates with a certificate (IKEv2 Certificate)
    #rightcert=clientCert.pem  # client certificate (IKEv2 Certificate)
    #eap_identity=%any
    auto=add
2) strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    dns1 = 114.114.114.114
    dns2 = 8.8.8.8
    dns3 = 8.8.4.4
    multiple_authentication = no
    signature_authentication = no
    flush_auth_cfg = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        /usr/local/etc/strongswan.charon.log {
            time_format = %b %e %T
            default = 4
            append = no
            flush_line = yes
        }
    }
}
include strongswan.d/*.conf
3) ipsec.secrets
Reference: https://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets
# ipsec.secrets - strongSwan IPsec secrets file
# private key belonging to the server certificate (looked up in ipsec.d/private/)
: RSA serverKey.pem
# pre-shared key; not used by the IKEv2-EAP conn above, which authenticates with pubkey + EAP
: PSK "12345678"
# EAP username : password pairs accepted by rightauth=eap-mschapv2
test : EAP "pass"
e : EAP "e"
d : EAP "d"
a : EAP "a"
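Before starting the daemon it is worth checking that the two files above agree with each other. The script below is an added example written for this page, not code from the post or from the strongSwan project: it parses a minimal ipsec.conf and ipsec.secrets (both constructed here from the post's contents), and reports the mismatches that most often surface later as the errors in part II (a pubkey conn without a key line, an EAP conn without any EAP user, a leftid that no certificate SAN could match, weak secrets). All function names are my own.

```python
"""Added example (not from the original post): a small consistency check of
the ipsec.conf / ipsec.secrets pair shown above, run before `ipsec start`."""
import ipaddress

# Constructed sample: the post's IKEv2-EAP conn with the indentation that the
# ipsec.conf parser requires (parameters must be indented under their section).
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=never
conn IKEv2-EAP
    keyexchange=ikev2
    left=%any
    leftid=222
    leftsubnet=0.0.0.0/0
    #leftsubnet=11.11.0.0/24
    leftcert=serverCert.pem
    leftauth=pubkey
    right=%any
    rightsourceip=11.11.0.0/24
    rightauth=eap-mschapv2
    auto=add
"""

# Constructed sample: the post's ipsec.secrets, trimmed.
SAMPLE_SECRETS = """\
: RSA serverKey.pem
: PSK "12345678"
test : EAP "pass"
e : EAP "e"
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}}. An unindented `config setup` or
    `conn NAME` line opens a section; indented key=value lines belong to it.
    Text after '#' is a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            words = line.split()
            current = words[1] if len(words) > 1 else words[0]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_secrets(text):
    """Return [(selectors, TYPE, secret)] for lines `[selectors] : TYPE secret`.
    Naive: IPv6 selectors containing ':' and secrets containing '#' are not handled."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        selectors, rest = line.split(":", 1)
        parts = rest.split(None, 1)
        if len(parts) == 2:
            entries.append((selectors.split(), parts[0].upper(), parts[1].strip().strip('"')))
    return entries


def looks_like_address(ident):
    """True for an IP address or something with a dot in it (a hostname)."""
    try:
        ipaddress.ip_address(ident)
        return True
    except ValueError:
        return "." in ident


def check_conn(conn, secrets):
    """Return a list of findings for one conn; an empty list means nothing found."""
    findings = []
    kinds = {kind for _, kind, _ in secrets}
    if conn.get("keyexchange") != "ikev2":
        findings.append("keyexchange is not ikev2")
    if conn.get("leftauth") == "pubkey":
        if "leftcert" not in conn:
            findings.append("leftauth=pubkey but leftcert is not set")
        if "RSA" not in kinds and "ECDSA" not in kinds:
            findings.append("leftauth=pubkey but ipsec.secrets has no ': RSA <key>' line")
    leftid = conn.get("leftid")
    if leftid and not looks_like_address(leftid):
        findings.append("leftid=%s is neither an address nor a hostname; clients that check "
                        "the gateway identity expect one matching the server cert SAN" % leftid)
    if conn.get("rightauth", "").startswith("eap-") and "EAP" not in kinds:
        findings.append("rightauth=%s but ipsec.secrets defines no EAP user" % conn["rightauth"])
    if "rightsourceip" not in conn:
        findings.append("no rightsourceip pool, so clients receive no virtual IP")
    for selectors, kind, secret in secrets:
        if kind == "EAP" and len(secret) < 8:
            findings.append("EAP user %s has a password shorter than 8 characters" % " ".join(selectors))
        if kind == "PSK" and len(secret) < 20:
            findings.append("PSK is shorter than 20 characters")
    return findings


def check_files(conf_text, secrets_text):
    """Run check_conn over every conn section; returns {conn_name: findings}."""
    sections = parse_ipsec_conf(conf_text)
    secrets = parse_secrets(secrets_text)
    return {name: check_conn(params, secrets)
            for name, params in sections.items() if name != "setup"}


if __name__ == "__main__":
    for name, findings in check_files(SAMPLE_IPSEC_CONF, SAMPLE_SECRETS).items():
        print("%s: %d finding(s)" % (name, len(findings)))
        for finding in findings:
            print("  -", finding)
```

Run against the post's own files it flags leftid=222 (compare the identity constraint failure in 2.4), the four-character EAP passwords and the short PSK; with leftid set to the gateway address and longer secrets it returns no findings. To check a real deployment, replace the two sample strings with the contents of the files from ipsec.d.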
1.3 Starting the service
Start it with the following command:
sudo ipsec start
The following commands respectively start, stop, restart, and show the status of the service:
sudo ipsec start
sudo ipsec stop
sudo ipsec restart
sudo ipsec statusall
1.4 Result
Two Android clients running the strongSwan app (reference: https://wiki.strongswan.org/projects/strongswan/wiki/Android) connected successfully; sudo ipsec statusall shows the established state as follows:
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Darwin 17.5.0, x86_64):
uptime: 28 minutes, since Apr 19 14:56:01 2018
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 9
loaded plugins: charon nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp sshkey pem openssl curve25519 kernel-libipsec kernel-pfroute socket-default stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 xauth-generic osx-attr unity counters
Virtual IP pools (size/online/offline):
11.168.0.0/24: 254/2/0
Listening IP addresses:
192.168.3.51
172.16.19.1
172.16.36.1
Connections:
android_xauth_psk: %any...%any IKEv1
android_xauth_psk: local: uses pre-shared key authentication
android_xauth_psk: remote: uses pre-shared key authentication
android_xauth_psk: remote: uses XAuth authentication: any
android_xauth_psk: child: dynamic === 0.0.0.0/0 TUNNEL
IKEv2-EAP: %any...%any IKEv2
IKEv2-EAP: local: [C=CN, O=TJ, CN=Test Server] uses public key authentication
IKEv2-EAP: cert: "C=CN, O=TJ, CN=Test Server"
IKEv2-EAP: remote: uses EAP_MSCHAPV2 authentication
IKEv2-EAP: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (2 up, 0 connecting):
IKEv2-EAP[2]: ESTABLISHED 10 seconds ago, 192.168.3.51[C=CN, O=TJ, CN=Test Server]...192.168.3.28[e]
IKEv2-EAP[2]: IKEv2 SPIs: 978d573d1e478fd3_i b0732d2a963df511_r*, public key reauthentication in 2 hours
IKEv2-EAP[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
IKEv2-EAP{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 98098eeb_i 46523990_o
IKEv2-EAP{2}: AES_CBC_128/HMAC_SHA2_256_128, 1200 bytes_i (20 pkts, 0s ago), 0 bytes_o, rekeying in 48 minutes
IKEv2-EAP{2}: 0.0.0.0/0 === 11.168.0.2/32
IKEv2-EAP[1]: ESTABLISHED 28 minutes ago, 192.168.3.51[C=CN, O=TJ, CN=Test Server]...192.168.3.12[a]
IKEv2-EAP[1]: IKEv2 SPIs: ccfe7d1457d773ac_i 929341305be0e1cd_r*, public key reauthentication in 2 hours
IKEv2-EAP[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
IKEv2-EAP{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 667a9da5_i b97425ec_o
IKEv2-EAP{1}: AES_CBC_128/HMAC_SHA2_256_128, 33036 bytes_i (549 pkts, 63s ago), 0 bytes_o, rekeying in 18 minutes
IKEv2-EAP{1}: 0.0.0.0/0 === 11.168.0.1/32
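Reading this listing by eye is fine for two clients; for monitoring it helps to parse it. The following is an added example, not code from the post or from strongSwan: it turns statusall output (a constructed sample trimmed from the listing above) into records per IKE_SA with its child SAs, lists which peer identity is online from which address with which virtual IP, checks that the "N up" header agrees with the SAs actually listed, and flags proposals that still use algorithms a current deployment should reject. The regexes follow the line shapes visible above and the function names are mine.

```python
"""Added example (not part of the original post): parse `ipsec statusall`
output into structured records so connection state can be checked by script."""
import re

# Constructed sample, trimmed from the statusall output shown in the post.
SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.6.2, Darwin 17.5.0, x86_64):
  uptime: 28 minutes, since Apr 19 14:56:01 2018
Virtual IP pools (size/online/offline):
  11.168.0.0/24: 254/2/0
Listening IP addresses:
  192.168.3.51
Security Associations (2 up, 0 connecting):
   IKEv2-EAP[2]: ESTABLISHED 10 seconds ago, 192.168.3.51[C=CN, O=TJ, CN=Test Server]...192.168.3.28[e]
   IKEv2-EAP[2]: IKEv2 SPIs: 978d573d1e478fd3_i b0732d2a963df511_r*, public key reauthentication in 2 hours
   IKEv2-EAP[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
   IKEv2-EAP{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 98098eeb_i 46523990_o
   IKEv2-EAP{2}: AES_CBC_128/HMAC_SHA2_256_128, 1200 bytes_i (20 pkts, 0s ago), 0 bytes_o, rekeying in 48 minutes
   IKEv2-EAP{2}: 0.0.0.0/0 === 11.168.0.2/32
   IKEv2-EAP[1]: ESTABLISHED 28 minutes ago, 192.168.3.51[C=CN, O=TJ, CN=Test Server]...192.168.3.12[a]
   IKEv2-EAP[1]: IKEv2 SPIs: ccfe7d1457d773ac_i 929341305be0e1cd_r*, public key reauthentication in 2 hours
   IKEv2-EAP[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
   IKEv2-EAP{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 667a9da5_i b97425ec_o
   IKEv2-EAP{1}: AES_CBC_128/HMAC_SHA2_256_128, 33036 bytes_i (549 pkts, 63s ago), 0 bytes_o, rekeying in 18 minutes
   IKEv2-EAP{1}: 0.0.0.0/0 === 11.168.0.1/32
"""

RE_DAEMON = re.compile(r"strongSwan (\S+),")
RE_UP = re.compile(r"Security Associations \((\d+) up, (\d+) connecting\)")
RE_POOL = re.compile(r"^\s*(\S+): (\d+)/(\d+)/(\d+)$")
# IKE_SA line: NAME[id]: ESTABLISHED <age> ago, local[lid]...remote[rid]
RE_IKE = re.compile(r"^\s*(?P<conn>[^\s\[]+)\[(?P<id>\d+)\]: ESTABLISHED (?P<age>.+?) ago, "
                    r"(?P<lhost>[^\s\[]+)\[(?P<lid>.+?)\]\.\.\.(?P<rhost>[^\s\[]+)\[(?P<rid>.+?)\]$")
RE_PROP = re.compile(r"^\s*[^\s\[]+\[(\d+)\]: IKE proposal: (\S+)$")
# CHILD_SA lines use NAME{id}
RE_CHILD = re.compile(r"^\s*[^\s{]+\{(\d+)\}: INSTALLED, (\w+), reqid (\d+)")
RE_TRAFFIC = re.compile(r"^\s*[^\s{]+\{(\d+)\}: (\S+), (\d+) bytes_i \((\d+) pkts, [^)]*\), (\d+) bytes_o")
RE_TS = re.compile(r"^\s*[^\s{]+\{(\d+)\}: (\S+) === (\S+)$")

# Algorithm names (as charon prints them) that should not appear in a proposal today.
WEAK_TOKENS = ("3DES", "MD5", "MODP_768", "MODP_1024")


def parse_statusall(text):
    """Return {"version", "up", "pools", "ike_sas": [...]}; child SA lines are
    attached to the most recent IKE_SA line, as statusall prints them."""
    result = {"version": None, "up": None, "pools": {}, "ike_sas": []}
    current = None
    for line in text.splitlines():
        m = RE_DAEMON.search(line) if result["version"] is None else None
        if m:
            result["version"] = m.group(1)
            continue
        m = RE_UP.search(line)
        if m:
            result["up"] = int(m.group(1))
            continue
        m = RE_POOL.match(line)
        if m:
            result["pools"][m.group(1)] = {"size": int(m.group(2)), "online": int(m.group(3)),
                                          "offline": int(m.group(4))}
            continue
        m = RE_IKE.match(line)
        if m:
            current = {**m.groupdict(), "id": int(m.group("id")), "proposal": None, "children": {}}
            result["ike_sas"].append(current)
            continue
        if current is None:
            continue
        m = RE_PROP.match(line)
        if m:
            current["proposal"] = m.group(2)
            continue
        m = RE_CHILD.match(line)
        if m:
            current["children"][int(m.group(1))] = {"mode": m.group(2), "reqid": int(m.group(3))}
            continue
        m = RE_TRAFFIC.match(line)
        if m:
            child = current["children"].setdefault(int(m.group(1)), {})
            child.update(esp=m.group(2), bytes_in=int(m.group(3)), pkts_in=int(m.group(4)),
                         bytes_out=int(m.group(5)))
            continue
        m = RE_TS.match(line)
        if m:
            child = current["children"].setdefault(int(m.group(1)), {})
            child.update(local_ts=m.group(2), remote_ts=m.group(3))
    return result


def peer_summary(parsed):
    """[(remote identity, remote address, virtual IP of the first child SA or None)]."""
    rows = []
    for sa in parsed["ike_sas"]:
        vips = [c["remote_ts"] for c in sa["children"].values() if "remote_ts" in c]
        rows.append((sa["rid"], sa["rhost"], vips[0] if vips else None))
    return rows


def header_consistent(parsed):
    """True when the 'N up' header matches the number of ESTABLISHED IKE_SAs parsed."""
    return parsed["up"] == len(parsed["ike_sas"])


def weak_sas(parsed):
    """[(conn, id, proposal)] for IKE_SAs negotiated with an algorithm in WEAK_TOKENS."""
    return [(sa["conn"], sa["id"], sa["proposal"]) for sa in parsed["ike_sas"]
            if sa["proposal"] and any(t in sa["proposal"] for t in WEAK_TOKENS)]


if __name__ == "__main__":
    status = parse_statusall(SAMPLE_STATUS)
    for rid, rhost, vip in peer_summary(status):
        print("%s from %s -> %s" % (rid, rhost, vip))
    print("header consistent:", header_consistent(status), "weak:", weak_sas(status))
```

In a real check, feed the function the output of sudo ipsec statusall and compare peer_summary against the list of clients you expect; the AES_CBC_128/HMAC_SHA2_256/ECP_256 proposals in the listing above are not flagged by weak_sas, whereas a legacy 3DES/MD5/MODP_1024 proposal would be.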
To verify that client traffic actually goes through the VPN, see: https://blog.csdn.net/lllkey/article/details/80069219
II. Problems
2.1 Configuration error
Apr 18 09:42:24 07[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Apr 18 09:42:24 07[IKE] received NO_PROPOSAL_CHOSEN notify error
Cause: server-side configuration error (the NO_PROPOSAL_CHOSEN notify means the server accepted none of the proposals the client offered).
2.2 CA verification failure
Apr 18 10:57:31 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 18 10:57:31 12[IKE] received AUTHENTICATION_FAILED notify error
Cause: the certificate is not covered by the CA the peer trusts.
Fix: install the CA certificate on the phone and select it in the client profile.
2.3 Service not started
Apr 18 11:48:11 13[IKE] giving up after 3 retransmits
Apr 18 11:48:11 13[IKE] peer not responding, trying again (2/0)
Apr 18 11:48:11 13[IKE] initiating IKE_SA android[9] to 192.168.3.51
Apr 18 11:48:11 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 18 11:48:11 13[NET] sending packet: from 192.168.3.12[51487] to 192.168.3.51[500] (716 bytes)
Apr 18 11:48:11 15[IKE] destroying IKE_SA in state CONNECTING without notification
Cause: the strongSwan server is not running, so the connection fails; check whether strongSwan has been started and whether the server IP address is correct.
2.4 Certificate verification failure
Apr 18 14:47:13 06[CFG] checking certificate status of "C=CN, O=TJ, CN=StrongSwanTest1"
Apr 18 14:47:13 06[CFG] certificate status is not available
Apr 18 14:47:13 06[CFG] reached self-signed root ca with a path length of 0
Apr 18 14:47:13 06[IKE] authentication of 'C=CN, O=TJ, CN=StrongSwanTest1' with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 18 14:47:13 06[CFG] constraint check failed: identity '192.168.3.51' required
Apr 18 14:47:13 06[CFG] selected peer config 'android' inacceptable: constraint checking failed
Apr 18 14:47:13 06[CFG] no alternative config found
Apr 18 14:47:13 06[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Apr 18 14:47:13 06[NET] sending packet: from 192.168.3.12[41900] to 192.168.3.51[4500] (80 bytes)
Cause: see https://wiki.strongswan.org/issues/813 and https://blog.csdn.net/gaojinshan/article/details/51015569
The server certificate's SAN must contain the server address 192.168.3.51 as the identity, i.e. add --san when issuing the server certificate (several may be given):
ipsec pki --issue --outform pem --cacert caCert.pem --cakey caKey.pem --in serverPub.pem --dn "C=CN, O=TJ, CN=Test Server" --san="192.168.3.51" --san="192.168.3.38" --flag serverAuth --flag ikeIntermediate > serverCert.pem
The issue shows that this can now be configured in the app, but I have not found how to configure it, so the only option is to add the SAN to the certificate.
2.5 Wrong username or password
Apr 18 15:36:00 12[IKE] authentication of '192.168.3.51' with RSA_EMSA_PKCS1_SHA2_256 successful
Apr 18 15:36:00 12[IKE] server requested EAP_MSCHAPV2 authentication (id 0x4D)
Apr 18 15:36:00 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Apr 18 15:36:00 12[NET] sending packet: from 192.168.3.12[56129] to 192.168.3.51[4500] (144 bytes)
Apr 18 15:36:02 08[IKE] retransmit 1 of request with message ID 2
Apr 18 15:36:02 08[NET] sending packet: from 192.168.3.12[56129] to 192.168.3.51[4500] (144 bytes)
Apr 18 15:36:02 15[NET] received packet: from 192.168.3.51[4500] to 192.168.3.12[56129] (128 bytes)
Apr 18 15:36:02 15[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Apr 18 15:36:02 15[IKE] EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
Apr 18 15:36:02 15[IKE] EAP_MSCHAPV2 method failed
Apr 18 15:36:02 15[ENC] generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
Apr 18 15:36:02 15[NET] sending packet: from 192.168.3.12[56129] to 192.168.3.51[4500] (80 bytes)
Apr 18 15:36:02 16[MGR] ignoring request with ID 2, already processing
Cause: wrong username or password.
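The five failures in 2.1 to 2.5 each leave a distinctive line in the charon log, and the generic N(AUTH_FAILED) that several of them end with is not the useful one. The script below is an added example, not code from the post or from strongSwan: it splits charon log lines into timestamp, thread, subsystem and message, matches the message against rules derived from the snippets above (most specific first, so the identity constraint and EAP failures win over the bare AUTHENTICATION_FAILED), and returns the diagnosis the post gives for each case. The sample lines are constructed from the snippets in this section; rule order, names and diagnosis texts are mine.

```python
"""Added example (not part of the original post): triage charon client-side
log lines into the failure classes described in section II."""
import re

# Constructed samples, taken from the log snippets in sections 2.1 to 2.5.
SAMPLE_LOGS = {
    "2.1": ["Apr 18 09:42:24 07[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]",
            "Apr 18 09:42:24 07[IKE] received NO_PROPOSAL_CHOSEN notify error"],
    "2.2": ["Apr 18 10:57:31 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]",
            "Apr 18 10:57:31 12[IKE] received AUTHENTICATION_FAILED notify error"],
    "2.3": ["Apr 18 11:48:11 13[IKE] giving up after 3 retransmits",
            "Apr 18 11:48:11 13[IKE] peer not responding, trying again (2/0)",
            "Apr 18 11:48:11 15[IKE] destroying IKE_SA in state CONNECTING without notification"],
    "2.4": ["Apr 18 14:47:13 06[IKE] authentication of 'C=CN, O=TJ, CN=StrongSwanTest1' with RSA_EMSA_PKCS1_SHA2_256 successful",
            "Apr 18 14:47:13 06[CFG] constraint check failed: identity '192.168.3.51' required",
            "Apr 18 14:47:13 06[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]"],
    "2.5": ["Apr 18 15:36:02 15[IKE] EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'",
            "Apr 18 15:36:02 15[IKE] EAP_MSCHAPV2 method failed",
            "Apr 18 15:36:02 15[ENC] generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]"],
}

# "Apr 18 09:42:24 07[IKE] message": month day time, worker thread, subsystem tag, message
RE_LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")

# (section, pattern, diagnosis) in priority order: specific causes before the generic notify.
RULES = [
    ("2.4", re.compile(r"constraint check failed: identity '(?P<detail>[^']+)' required"),
     "server certificate has no subjectAltName for the required identity {detail}; reissue it with --san"),
    ("2.5", re.compile(r"EAP-MS-CHAPv2 failed with error (?P<detail>\w+)"),
     "EAP username/password rejected ({detail}); check the EAP entries in ipsec.secrets"),
    ("2.2", re.compile(r"received AUTHENTICATION_FAILED notify error"),
     "the server rejected our authentication; install the CA certificate on the client and check the client cert chains to it"),
    ("2.1", re.compile(r"received NO_PROPOSAL_CHOSEN notify error"),
     "the server accepted none of the proposals offered; review the server configuration"),
    ("2.3", re.compile(r"giving up after (?P<detail>\d+) retransmits|peer not responding"),
     "no reply from the gateway ({detail} retransmits); check that strongSwan is running and the address is right"),
]
PRIORITY = [section for section, _, _ in RULES]


def parse_line(line):
    """Split one charon log line into its fields, or return None if it does not match."""
    m = RE_LINE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Return one finding per line that matches a rule (first matching rule wins)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        msg = rec["msg"] if rec else line
        for section, pattern, template in RULES:
            m = pattern.search(msg)
            if m:
                detail = m.groupdict().get("detail") or "n/a"
                findings.append({"section": section, "subsystem": rec["sub"] if rec else None,
                                 "diagnosis": template.format(detail=detail), "line": line})
                break
    return findings


def diagnose(lines):
    """The highest-priority finding for a log excerpt, or None if no known failure appears."""
    findings = triage(lines)
    if not findings:
        return None
    return min(findings, key=lambda f: PRIORITY.index(f["section"]))


if __name__ == "__main__":
    for section, lines in SAMPLE_LOGS.items():
        d = diagnose(lines)
        print(section, "->", d["section"], d["diagnosis"])
```

The MGR line "ignoring request with ID 2, already processing" from the 2.5 snippet deliberately matches no rule: it is a retransmit being discarded, not the failure itself. When adding rules for other failures, keep the most specific pattern first, since a client log for 2.4 or 2.5 may also carry a later generic AUTH_FAILED exchange.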
2.6 Connected, but no Internet access
Reference: https://blog.csdn.net/ficksong/article/details/79248407
1) Ubuntu
1 Enable IP forwarding
Add the following lines to /etc/sysctl.conf (sudo vim /etc/sysctl.conf):
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
then apply them:
$ sudo sysctl -p
2 Configure iptables
$ sudo iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
ens33 is the VM's network interface; use ifconfig to find the interface your clients connect through.
After this change, clients can reach the Internet.
2) Attempts on macOS
In the end it still does not work: I have tried configuring all sorts of NAT rules in pf.conf and do not know how to configure it so that clients get Internet access; if anyone knows, please tell me.
1 IP forwarding not enabled
sudo sysctl -a | grep forward   # list the forwarding-related settings; if they are all 0, forwarding must be enabled
sudo sysctl net.inet.ip.forwarding=1
sudo sysctl net.inet6.ip6.forwarding=1
2 There is no iptables on macOS; configure pf instead
$ sudo vim /etc/pf.anchors/http
$ sudo pfctl -vnf /etc/pf.conf
$ sudo vim /etc/pf.conf
# validate the rules, load pf.conf and apply the update
$ sudo pfctl -ef /etc/pf.conf
# restart (pfctl -E enables pf)
$ sudo pfctl -E
# show the NAT state
$ sudo pfctl -s nat
pf configuration: https://www.cnblogs.com/EasonJim/p/7819478.html
pf in depth: https://www.cnblogs.com/apexchu/p/4133040.html
2.7 No log on the server
Cause: on Ubuntu, the AppArmor profile prevents the log file from being read or written.
Reference: https://blog.csdn.net/lllkey/article/details/80067687
Copyright notice: this is an original article by CSDN blogger 「琪花亿草」, licensed under CC 4.0 BY-SA; please attach the original source link and this notice when reposting.
Original link: https://blog.csdn.net/lllkey/article/details/80068461