Ipsec

StrongSwan VPN 伺服器未與客戶端連接

  • January 25, 2021

Linux 伺服器是在Google云中執行的 Ubuntu 18.04。我按照以下優秀教程配置 StrongSwan 伺服器:

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2

我在Google云中打開了 UDP 500 和 4500 埠,並啟用了 charon 守護程序的日誌記錄。大多數事情似乎都按計劃進行,直到我嘗試從 Windows 10 VPN 連接進行連接,該連接失敗並出現錯誤“策略匹配錯誤”。連接嘗試失敗後,charon 日誌文件(級別 1)包含以下內容:

Jan 22 17:17:40 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.4.0-1034-gcp, x86_64)
Jan 22 17:17:40 00[CFG] PKCS11 module '<name>' lacks library path
Jan 22 17:17:40 00[CFG] disabling load-tester plugin, not configured
Jan 22 17:17:40 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Jan 22 17:17:40 00[CFG] dnscert plugin is disabled
Jan 22 17:17:40 00[CFG] ipseckey plugin is disabled
Jan 22 17:17:40 00[CFG] attr-sql plugin: database URI not set
Jan 22 17:17:40 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 22 17:17:40 00[CFG]   loaded ca certificate "CN=VPN root CA" from '/etc/ipsec.d/cacerts/ca-cert.pem'
Jan 22 17:17:40 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 22 17:17:40 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 22 17:17:40 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 22 17:17:40 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 22 17:17:40 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 22 17:17:40 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server-key.pem'
Jan 22 17:17:40 00[CFG]   loaded EAP secret for ejohanson
Jan 22 17:17:40 00[CFG] sql plugin: database URI not set
Jan 22 17:17:40 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Jan 22 17:17:40 00[CFG] eap-simaka-sql database URI missing
Jan 22 17:17:40 00[CFG] loaded 0 RADIUS server configurations
Jan 22 17:17:40 00[CFG] HA config misses local/remote address
Jan 22 17:17:40 00[CFG] no threshold configured for systime-fix, disabled
Jan 22 17:17:40 00[CFG] coupling file path unspecified
Jan 22 17:17:40 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Jan 22 17:17:40 00[LIB] dropped capabilities, running as uid 0, gid 0
Jan 22 17:17:40 00[JOB] spawning 16 worker threads
Jan 22 16:50:23 05[CFG] received stroke: add connection 'ikev2-vpn'
Jan 22 16:50:23 05[CFG] adding virtual IP address pool 10.10.11.0/16
Jan 22 16:50:23 05[CFG]   loaded certificate "CN=devsrv.valmarc.com" from 'server-cert.pem'
Jan 22 16:50:23 05[CFG] added configuration 'ikev2-vpn'
Jan 22 16:50:32 07[KNL] interface ens7 activated
Jan 22 16:50:32 10[KNL] interface ens6 activated
Jan 22 16:50:32 13[KNL] interface ens5 activated
Jan 22 16:50:32 10[KNL] 10.4.1.2 appeared on ens7
Jan 22 16:50:32 07[KNL] 10.3.1.2 appeared on ens6
Jan 22 16:50:33 12[KNL] 10.2.1.2 appeared on ens5
Jan 22 16:50:33 06[KNL] fe80::4001:aff:fe04:102 appeared on ens7
Jan 22 16:50:33 16[KNL] fe80::4001:aff:fe02:102 appeared on ens5
Jan 22 16:50:34 08[KNL] fe80::4001:aff:fe03:102 appeared on ens6
Jan 22 16:53:42 01[NET] received packet: from 73.249.XXX.YYY[500] to 10.1.1.2[500] (1104 bytes)
Jan 22 16:53:42 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jan 22 16:53:42 01[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jan 22 16:53:42 01[IKE] received MS-Negotiation Discovery Capable vendor ID
Jan 22 16:53:42 01[IKE] received Vid-Initial-Contact vendor ID
Jan 22 16:53:42 01[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jan 22 16:53:42 01[IKE] 73.249.XXX.YYY is initiating an IKE_SA
Jan 22 16:53:42 01[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/MODP_1024
Jan 22 16:53:42 01[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Jan 22 16:53:42 01[IKE] local host is behind NAT, sending keep alives
Jan 22 16:53:42 01[IKE] remote host is behind NAT
Jan 22 16:53:42 01[IKE] received proposals inacceptable
Jan 22 16:53:42 01[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jan 22 16:53:42 01[NET] sending packet: from 10.1.1.2[500] to 73.249.XXX.YYY[500] (36 bytes)

作為參考,這是我的 /etc/ipsec.conf 文件:

config setup
       charondebug="ike 1, knl 1, cfg 0"
       uniqueids=no

conn ikev2-vpn
       auto=add
       compress=no
       type=tunnel
       keyexchange=ikev2
       fragmentation=yes
       forceencaps=yes
       dpdaction=clear
       dpddelay=300s
       rekey=no
       left=%any
       leftid=@ZZZZZ.example.com
       leftcert=server-cert.pem
       leftsendcert=always
       leftsubnet=0.0.0.0/0
       right=%any
       rightid=%any
       rightauth=eap-mschapv2
       rightsourceip=10.10.11.0/16
       rightdns=8.8.8.8,8.8.4.4
       rightsendcert=never
       eap_identity=%identity

有人可以建議如何解決這個問題嗎?

問題是 IKE 提議不匹配:

Jan 22 16:53:42 01[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA1/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/MODP_1024
Jan 22 16:53:42 01[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Jan 22 16:53:42 01[IKE] local host is behind NAT, sending keep alives
Jan 22 16:53:42 01[IKE] remote host is behind NAT
Jan 22 16:53:42 01[IKE] received proposals inacceptable
Jan 22 16:53:42 01[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

這是因為 Windows 客戶端預設提出的唯一 Diffie-Hellman 組是弱 MODP_1024,strongSwan 幾年前從其預設提案中刪除了它。

您可以修改客戶端,使其使用更強的 DH 組(首選),或者修改伺服器的配置,使其接受客戶端提出的弱組。詳情請參考我之前的回答

引用自:https://serverfault.com/questions/1050838