Ipsec
StrongSwan VPN server not connecting with client
The Linux server is Ubuntu 18.04 running in Google Cloud. I configured the StrongSwan server following this excellent tutorial:
I opened UDP ports 500 and 4500 in Google Cloud and enabled logging for the charon daemon. Most things seemed to go as planned until I tried to connect from a Windows 10 VPN connection, which failed with the error "Policy match error". After the failed connection attempt, the charon log file (level 1) contains the following:
Jan 22 17:17:40 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1034-gcp, x86_64)
Jan 22 17:17:40 00[CFG] PKCS11 module '<name>' lacks library path
Jan 22 17:17:40 00[CFG] disabling load-tester plugin, not configured
Jan 22 17:17:40 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Jan 22 17:17:40 00[CFG] dnscert plugin is disabled
Jan 22 17:17:40 00[CFG] ipseckey plugin is disabled
Jan 22 17:17:40 00[CFG] attr-sql plugin: database URI not set
Jan 22 17:17:40 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 22 17:17:40 00[CFG] loaded ca certificate "CN=VPN root CA" from '/etc/ipsec.d/cacerts/ca-cert.pem'
Jan 22 17:17:40 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 22 17:17:40 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 22 17:17:40 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 22 17:17:40 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 22 17:17:40 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 22 17:17:40 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/server-key.pem'
Jan 22 17:17:40 00[CFG] loaded EAP secret for ejohanson
Jan 22 17:17:40 00[CFG] sql plugin: database URI not set
Jan 22 17:17:40 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Jan 22 17:17:40 00[CFG] eap-simaka-sql database URI missing
Jan 22 17:17:40 00[CFG] loaded 0 RADIUS server configurations
Jan 22 17:17:40 00[CFG] HA config misses local/remote address
Jan 22 17:17:40 00[CFG] no threshold configured for systime-fix, disabled
Jan 22 17:17:40 00[CFG] coupling file path unspecified
Jan 22 17:17:40 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Jan 22 17:17:40 00[LIB] dropped capabilities, running as uid 0, gid 0
Jan 22 17:17:40 00[JOB] spawning 16 worker threads
Jan 22 16:50:23 05[CFG] received stroke: add connection 'ikev2-vpn'
Jan 22 16:50:23 05[CFG] adding virtual IP address pool 10.10.11.0/16
Jan 22 16:50:23 05[CFG] loaded certificate "CN=devsrv.valmarc.com" from 'server-cert.pem'
Jan 22 16:50:23 05[CFG] added configuration 'ikev2-vpn'
Jan 22 16:50:32 07[KNL] interface ens7 activated
Jan 22 16:50:32 10[KNL] interface ens6 activated
Jan 22 16:50:32 13[KNL] interface ens5 activated
Jan 22 16:50:32 10[KNL] 10.4.1.2 appeared on ens7
Jan 22 16:50:32 07[KNL] 10.3.1.2 appeared on ens6
Jan 22 16:50:33 12[KNL] 10.2.1.2 appeared on ens5
Jan 22 16:50:33 06[KNL] fe80::4001:aff:fe04:102 appeared on ens7
Jan 22 16:50:33 16[KNL] fe80::4001:aff:fe02:102 appeared on ens5
Jan 22 16:50:34 08[KNL] fe80::4001:aff:fe03:102 appeared on ens6
Jan 22 16:53:42 01[NET] received packet: from 73.249.XXX.YYY[500] to 10.1.1.2[500] (1104 bytes)
Jan 22 16:53:42 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jan 22 16:53:42 01[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jan 22 16:53:42 01[IKE] received MS-Negotiation Discovery Capable vendor ID
Jan 22 16:53:42 01[IKE] received Vid-Initial-Contact vendor ID
Jan 22 16:53:42 01[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jan 22 16:53:42 01[IKE] 73.249.XXX.YYY is initiating an IKE_SA
Jan 22 16:53:42 01[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/MODP_1024
Jan 22 16:53:42 01[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Jan 22 16:53:42 01[IKE] local host is behind NAT, sending keep alives
Jan 22 16:53:42 01[IKE] remote host is behind NAT
Jan 22 16:53:42 01[IKE] received proposals inacceptable
Jan 22 16:53:42 01[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jan 22 16:53:42 01[NET] sending packet: from 10.1.1.2[500] to 73.249.XXX.YYY[500] (36 bytes)
For reference, this is my /etc/ipsec.conf file:
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@ZZZZZ.example.com
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.11.0/16
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
Can anyone suggest how to fix this?
The problem is that the IKE proposals do not match:
Jan 22 16:53:42 01[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/MODP_1024
Jan 22 16:53:42 01[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Jan 22 16:53:42 01[IKE] local host is behind NAT, sending keep alives
Jan 22 16:53:42 01[IKE] remote host is behind NAT
Jan 22 16:53:42 01[IKE] received proposals inacceptable
Jan 22 16:53:42 01[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
This is because the only Diffie-Hellman group the Windows client proposes by default is the weak MODP_1024, which strongSwan removed from its default proposals some years ago.
You can either modify the client so that it uses a stronger DH group (preferred), or modify the server's configuration so that it accepts the weak group proposed by the client. See my previous answer for details.
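To see exactly why charon answers with N(NO_PROP), and what each of the two fixes mentioned in the answer would end up negotiating, here is an added example that is not code from the question, the answer, or strongSwan itself. It replays IKE proposal matching over trimmed excerpts of the two "received proposals" / "configured proposals" log lines above. The selection routine is a simplified model of charon's behaviour under its default prefer_configured_proposals = yes, not its actual code; the "hardened client" offer is an assumed single proposal (AES-256 / SHA-256 / DH group 14), not something the poster captured.

```python
"""Explain a NO_PROPOSAL_CHOSEN: compare the IKE proposals a peer sent with the
ones the server has configured, transform type by transform type, and report
the algorithms the server does not offer at all."""
import re

# Algorithm-name prefixes as charon prints them, grouped by IKEv2 transform type
# (simplified classifier; an assumption of this example, not a strongSwan table).
ALG_TYPES = (
    ("ENCR",  ("AES_CBC", "AES_CTR", "AES_GCM", "AES_CCM", "3DES", "CAMELLIA", "CHACHA20")),
    ("INTEG", ("HMAC_", "AES_XCBC", "AES_CMAC")),
    ("PRF",   ("PRF_",)),
    ("DH",    ("MODP_", "ECP_", "CURVE_", "NTRU_")),
)

# Constructed sample: trimmed excerpts of the two log lines quoted in the question.
RECEIVED_WINDOWS_DEFAULT = (
    "Jan 22 16:53:42 01[CFG] received proposals: "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_1024"
)
CONFIGURED_DEFAULT = (
    "Jan 22 16:53:42 01[CFG] configured proposals: "
    "IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA1_96"
    "/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/CURVE_25519/MODP_3072/MODP_2048, "
    "IKE:AES_GCM_16_128/AES_GCM_16_256/CHACHA20_POLY1305_256"
    "/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/CURVE_25519/MODP_3072/MODP_2048"
)
# Assumed (not from the question): the single proposal a client sends once it is
# told to use AES-256 / SHA-256 / DH group 14.
RECEIVED_HARDENED_CLIENT = (
    "Jan 22 17:02:10 02[CFG] received proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048"
)


def alg_type(alg):
    for ttype, prefixes in ALG_TYPES:
        if alg.startswith(prefixes):
            return ttype
    raise ValueError(f"unknown algorithm token: {alg}")


def parse_proposals(line):
    """'... IKE:a/b/c, IKE:d/e' -> [{'ENCR': [...], 'INTEG': [...], ...}, ...]"""
    proposals = []
    for chunk in re.findall(r"IKE:([A-Z0-9_/]+)", line):
        by_type = {}
        for alg in chunk.split("/"):
            by_type.setdefault(alg_type(alg), []).append(alg)
        proposals.append(by_type)
    return proposals


def select(configured, received):
    """Simplified model of the responder's choice (not strongSwan's code): walk
    our configured proposals first (prefer_configured_proposals = yes), try the
    peer's proposals in the order it listed them, and inside a proposal take the
    first of *our* algorithms the peer also offers. Returns (chosen, []) on a
    match, or (None, [reason per peer proposal]) when nothing fits."""
    for ours in configured:
        for theirs in received:
            if set(ours) != set(theirs):      # AEAD (no INTEG) vs. non-AEAD never match
                continue
            chosen = {}
            for ttype in ours:
                common = [a for a in ours[ttype] if a in theirs[ttype]]
                if not common:
                    break
                chosen[ttype] = common[0]
            else:
                return chosen, []
    reasons = []
    for i, theirs in enumerate(received, 1):
        unsupported = [a for ttype, algs in theirs.items() for a in algs
                       if not any(a in c.get(ttype, []) for c in configured)]
        reasons.append(f"peer proposal {i}: server offers none of {unsupported}")
    return None, reasons


def fmt(chosen):
    return "/".join(chosen[t] for t in ("ENCR", "INTEG", "PRF", "DH") if t in chosen)


def with_weak_dh(configured):
    """Model of the server-side workaround: what adding modp1024 to the ike= line
    does, i.e. MODP_1024 becomes the lowest-preference DH group of each proposal."""
    return [{t: (algs + ["MODP_1024"] if t == "DH" else list(algs)) for t, algs in p.items()}
            for p in configured]


def check(configured_line, received_line, weak_dh=False):
    configured = parse_proposals(configured_line)
    if weak_dh:
        configured = with_weak_dh(configured)
    chosen, reasons = select(configured, parse_proposals(received_line))
    return (fmt(chosen) if chosen else None), reasons


if __name__ == "__main__":
    print("server default vs. Windows default:", check(CONFIGURED_DEFAULT, RECEIVED_WINDOWS_DEFAULT))
    print("server + modp1024 vs. Windows default:", check(CONFIGURED_DEFAULT, RECEIVED_WINDOWS_DEFAULT, weak_dh=True))
    print("server default vs. hardened client:", check(CONFIGURED_DEFAULT, RECEIVED_HARDENED_CLIENT))
```

The first check reproduces the log: no match, and MODP_1024 is the only algorithm in every Windows proposal that the server does not offer anywhere. The second shows the caveat of the server-side workaround: once MODP_1024 is accepted, the Windows client's first proposal, 3DES_CBC/HMAC_SHA1_96, is what gets negotiated, so the weak group drags 3DES and SHA-1 in with it unless the server's ike= line is also restricted. The third shows the preferred fix, a client configured for AES-256/SHA-256/group 14 (on Windows 10 via Set-VpnConnectionIPsecConfiguration with -DHGroup Group14, -EncryptionMethod AES256 and -IntegrityCheckMethod SHA256), landing on MODP_2048 with no server change at all.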