帶有 RADIUS 的 Amazon Linux 上的 StrongSwan
我正在嘗試在具有針對 RADIUS 的身份驗證的 Amazon Linux 實例上執行 strongSwan,但在嘗試啟動 strongSwan 時收到錯誤消息
charon[9518]: 00[CFG] RADIUS initialization failed, HMAC/MD5/RNG required
安裝 strongSwan 我跑了
yum install strongswan
# swanctl --version strongSwan swanctl 5.7.1
# swanctl --stats loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
cat <<EOF > /etc/strongswan/strongswan.d/charon/eap-radius.conf eap-radius { load = yes nas_identifier = ${DNSNAME} retransmit_timeout = 30 retransmit_tries = 1 servers { primary { preference = 99 address = ${RADIUSFQDN} auth_port = 1812 secret = ${RADIUSPSWD} sockets = 5 } } } EOF
完整的啟動日誌
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 06[MGR] tried to checkin and delete nonexisting IKE_SA Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 06[IKE] unable to resolve %any, initiate aborted Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 06[CFG] received stroke: initiate 'pod' Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG] added configuration 'pod' Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG] loaded certificate "CN=vpn.test.dev.poddev.naimuri.uk" from 'vpnserver.crt' Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG] adding virtual IP address pool 192.168.250.0/24 Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG] received stroke: add connection 'pod' Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal strongswan[10484]: charon (10493) started after 60 ms Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal ipsec_starter[10484]: charon (10493) started after 60 ms Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[JOB] spawning 16 worker threads Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[LIB] loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation const Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] no script for ext-auth script defined, disabled Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] HA config misses local/remote address Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loaded 0 RADIUS server configurations Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading RADIUS server 'primary' failed, skipped Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] RADIUS initialization failed, HMAC/MD5/RNG required Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] opening triplet file /etc/strongswan/ipsec.d/triplets.dat failed: No such file or directory Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] sql plugin: database URI not set Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/vpnserver.key' Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets' Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls' Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts' Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts' Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts' Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loaded ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" from '/etc/strongswan/ipsec.d/ Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts' Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[LIB] openssl FIPS mode(2) - enabled Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] PKCS11 module '<name>' lacks library path Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.1, Linux 4.14.72-73.55.amzn2.x86_64, x86_64) Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal ipsec_starter[10484]: Starting strongSwan 5.7.1 IPsec [starter]... Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal strongswan[10484]: Starting strongSwan 5.7.1 IPsec [starter]...
問題是您在 FIPS 模式下使用 OpenSSL,這會禁用 MD5,因為它未經 FIPS 批准。
雖然您確實同時載入了md5和hmac外掛,但後者在openssl外掛之後排序,它仍然註冊自己的
HMAC_MD5_128
. 這個實現甚至可以被實例化,因為外掛的 HMAC 建構子實際上只檢查是否存在EVP_MD
給定雜湊算法的靜態實例,不幸的是,即使在 FIPS 模式下,MD5 也是如此。但是,HMAC_INIT_ex()
稍後使用該實例會失敗(觸發錯誤的原因是嘗試在 HMAC 實例上設置密鑰)。為避免這種情況,您可以禁用 FIPS 模式(通過charon.plugins.openssl.fips_mode),或者確保使用hmac外掛提供的 HMAC 實現而不是openssl外掛的實現。
後者可以通過在它們各自的配置片段中修改這些外掛中的任何一個的載入
/etc/strongswan/strongswan.d/charon
設置來實現,以便降級openssl外掛(將其設置為負數值),或通過提升hmac外掛(將其設置為值 > 1)。重啟後,看到的外掛順序swanctl --stats
應該相應改變,輸出swanctl --list-algs
應該顯示hmac外掛正在提供HMAC_MD5_128
.