Linux

xauth 在 openwrt 上使用 ipsec-tools:身份驗證失敗?

  • September 11, 2013

我正在嘗試在 openwrt 上使用 ipsec-tools 設置 xauth,我的設置如下所示:

cat /etc/racoon.conf:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/cert";

listen {
   adminsock disabled;
}

timer
{
       natt_keepalive 10 sec;
}

remote anonymous
{
       exchange_mode aggressive,main;          #必须添加main,否则苹果的vpn client无法连接

       initial_contact on ;
       passive on ;

       proposal {
               encryption_algorithm aes;
               hash_algorithm sha1;
               authentication_method xauth_psk_server ;
               dh_group 2 ;
       }

       proposal_check obey;
       generate_policy on;
       dpd_delay 20;
       nat_traversal force;
       ike_frag on;
       esp_frag 552;
}

mode_cfg
{
       network4 211.153.68.231;              #VPN地址池
       pool_size 4;
       netmask4 255.255.255.0;
       auth_source system;                      #使用pam作为xauth的用户认证
       dns4 211.153.19.1;
       pfs_group 2;
       banner "/etc/racoon/motd" ;
}

sainfo anonymous
{
       pfs_group 2;
       lifetime time 1 hour ;
       encryption_algorithm aes ;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate ;
}

貓 /etc/setkey.conf

flush;
spdflush;

spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P in ipsec esp/transport//require;

貓 /etc/racoon/psk.txt

test test

貓 /etc/racoon/motd

welcome!

貓 /etc/init.d/racoon

#!/bin/sh /etc/rc.common
# Copyright (C) 2009-2011 OpenWrt.org
# Copyright (C) 2011 Artem Makhutov

START=49

SERVICE_USE_PID=1

start() {
   mkdir -m 0700 -p /var/racoon
   [ -f /etc/ipsec.conf ] && /usr/sbin/setkey -f /etc/setkey.conf
   service_start /usr/sbin/racoon -f /etc/racoon.conf
}

stop() {
   service_stop /usr/sbin/racoon
}

然後啟動伺服器:

root@OpenWrt:~# setkey -f /etc/setkey.conf
root@OpenWrt:~# racoon -F -f /etc/racoon.conf
Foreground mode.
2013-09-06 15:52:19: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
2013-09-06 15:52:19: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
2013-09-06 15:52:19: INFO: Reading configuration from "/etc/racoon.conf"
2013-09-06 15:52:19: WARNING: /etc/racoon.conf:33: "552" Your kernel does not support esp_frag
2013-09-06 15:52:19: INFO: Resize address pool from 0 to 4
2013-09-06 15:52:19: INFO: 10.129.228.201[500] used for NAT-T
2013-09-06 15:52:19: INFO: 10.129.228.201[500] used as isakmp port (fd=6)
2013-09-06 15:52:19: INFO: 10.129.228.201[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 10.129.228.201[4500] used as isakmp port (fd=7)
2013-09-06 15:52:19: INFO: 127.0.0.0[500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.0[500] used as isakmp port (fd=8)
2013-09-06 15:52:19: INFO: 127.0.0.0[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.0[4500] used as isakmp port (fd=9)
2013-09-06 15:52:19: INFO: 127.0.0.1[500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
2013-09-06 15:52:19: INFO: 127.0.0.1[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.1[4500] used as isakmp port (fd=11)
2013-09-06 15:52:19: INFO: ::1[500] used as isakmp port (fd=12)
2013-09-06 15:52:19: INFO: ::1[4500] used as isakmp port (fd=13)
2013-09-06 15:52:19: INFO: fe80::a00:27ff:fec1:5c6b[500] used as isakmp port (fd=14)
2013-09-06 15:52:19: INFO: fe80::a00:27ff:fec1:5c6b[4500] used as isakmp port (fd=15)

我在前台執行它只是為了調試,然後讓我們將它與另一個 ubuntu12.04.2 系統的 vpnc 連接:

liunx@ubuntu:~$ sudo vpnc
[sudo] password for liunx:
Enter IPSec gateway address: 10.129.228.201
Enter IPSec ID for 10.129.228.201: test
Enter IPSec secret for test@10.129.228.201:(test)
Enter username for 10.129.228.201: root
Enter password for root@10.129.228.201:(123456)
vpnc: authentication unsuccessful

我收到來自 racoon 的錯誤消息:

2013-09-06 15:55:14: INFO: respond new phase 1 negotiation: 10.129.228.201[500]<=>10.129.228.200[500]
2013-09-06 15:55:14: INFO: begin Aggressive mode.
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2013-09-06 15:55:14: INFO: received Vendor ID: CISCO-UNITY
2013-09-06 15:55:14: INFO: received Vendor ID: RFC 3947
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2013-09-06 15:55:14: INFO: received Vendor ID: DPD
2013-09-06 15:55:14: [10.129.228.200] INFO: Selected NAT-T version: RFC 3947
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: INFO: Adding remote and local NAT-D payloads.
2013-09-06 15:55:14: [10.129.228.200] INFO: Hashing 10.129.228.200[500] with algo #2 (NAT-T forced)
2013-09-06 15:55:14: [10.129.228.201] INFO: Hashing 10.129.228.201[500] with algo #2 (NAT-T forced)
2013-09-06 15:55:14: INFO: Adding xauth VID payload.
2013-09-06 15:55:14: INFO: NAT-T: ports changed to: 10.129.228.200[4500]<->10.129.228.201[4500]
2013-09-06 15:55:14: [10.129.228.200] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
2013-09-06 15:55:14: INFO: received Vendor ID: CISCO-UNITY
2013-09-06 15:55:14: INFO: NAT-D payload #0 doesn't match
2013-09-06 15:55:14: INFO: NAT-D payload #1 doesn't match
2013-09-06 15:55:14: INFO: NAT detected: ME PEER
2013-09-06 15:55:14: INFO: Sending Xauth request
2013-09-06 15:55:14: INFO: ISAKMP-SA established 10.129.228.201[4500]-10.129.228.200[4500] spi:5f0e764b2ee4a7bd:a65bc2a2089f47f3
2013-09-06 15:55:14: INFO: Using port 0
2013-09-06 15:55:14: INFO: Released port 0
2013-09-06 15:55:14: INFO: login failed for user "root"
2013-09-06 15:55:14: ERROR: Attempt to release an unallocated address (port 0)
2013-09-06 15:55:14: ERROR: mode config 6 from 10.129.228.200[4500], but we have no ISAKMP-SA.

我確定我已將 root 的密碼設置為“123456”,但我失敗了,有什麼提示嗎?

是影子密碼的問題,配置的時候ipsec-tools會檢測系統的影子密碼與否,如果ipsec-tools編譯時使用了_HAVE_SHADOW_H_,那麼就不會用非影子密碼解析正確的密碼,所以失敗了,反之亦然。我與 ubuntu 系統 buildroot 進行了比較,它們都執行良好。

引用自:https://serverfault.com/questions/536565