xauth with ipsec-tools on OpenWrt: authentication failure?
I am trying to set up xauth with ipsec-tools on OpenWrt; my setup looks like this:
cat /etc/racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/cert";

listen {
	adminsock disabled;
}

timer {
	natt_keepalive 10 sec;
}

remote anonymous {
	exchange_mode aggressive,main; # main must be added, otherwise Apple's VPN client cannot connect
	initial_contact on;
	passive on;
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method xauth_psk_server;
		dh_group 2;
	}
	proposal_check obey;
	generate_policy on;
	dpd_delay 20;
	nat_traversal force;
	ike_frag on;
	esp_frag 552;
}

mode_cfg {
	network4 211.153.68.231; # VPN address pool
	pool_size 4;
	netmask4 255.255.255.0;
	auth_source system; # use PAM for xauth user authentication
	dns4 211.153.19.1;
	pfs_group 2;
	banner "/etc/racoon/motd";
}

sainfo anonymous {
	pfs_group 2;
	lifetime time 1 hour;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
cat /etc/setkey.conf:
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P in ipsec esp/transport//require;
cat /etc/racoon/psk.txt:
test test
cat /etc/racoon/motd:
welcome!
cat /etc/init.d/racoon:
#!/bin/sh /etc/rc.common
# Copyright (C) 2009-2011 OpenWrt.org
# Copyright (C) 2011 Artem Makhutov

START=49
SERVICE_USE_PID=1

start() {
	mkdir -m 0700 -p /var/racoon
	# Test for the file that is actually loaded; the script as shipped tested
	# /etc/ipsec.conf here, so the SPD was never loaded at boot when only
	# /etc/setkey.conf existed.
	[ -f /etc/setkey.conf ] && /usr/sbin/setkey -f /etc/setkey.conf
	service_start /usr/sbin/racoon -f /etc/racoon.conf
}

stop() {
	service_stop /usr/sbin/racoon
}
Then start the server:
root@OpenWrt:~# setkey -f /etc/setkey.conf
root@OpenWrt:~# racoon -F -f /etc/racoon.conf
Foreground mode.
2013-09-06 15:52:19: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
2013-09-06 15:52:19: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
2013-09-06 15:52:19: INFO: Reading configuration from "/etc/racoon.conf"
2013-09-06 15:52:19: WARNING: /etc/racoon.conf:33: "552" Your kernel does not support esp_frag
2013-09-06 15:52:19: INFO: Resize address pool from 0 to 4
2013-09-06 15:52:19: INFO: 10.129.228.201[500] used for NAT-T
2013-09-06 15:52:19: INFO: 10.129.228.201[500] used as isakmp port (fd=6)
2013-09-06 15:52:19: INFO: 10.129.228.201[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 10.129.228.201[4500] used as isakmp port (fd=7)
2013-09-06 15:52:19: INFO: 127.0.0.0[500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.0[500] used as isakmp port (fd=8)
2013-09-06 15:52:19: INFO: 127.0.0.0[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.0[4500] used as isakmp port (fd=9)
2013-09-06 15:52:19: INFO: 127.0.0.1[500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
2013-09-06 15:52:19: INFO: 127.0.0.1[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.1[4500] used as isakmp port (fd=11)
2013-09-06 15:52:19: INFO: ::1[500] used as isakmp port (fd=12)
2013-09-06 15:52:19: INFO: ::1[4500] used as isakmp port (fd=13)
2013-09-06 15:52:19: INFO: fe80::a00:27ff:fec1:5c6b[500] used as isakmp port (fd=14)
2013-09-06 15:52:19: INFO: fe80::a00:27ff:fec1:5c6b[4500] used as isakmp port (fd=15)
I ran it in the foreground just for debugging. Now let's connect to it with vpnc from another system running Ubuntu 12.04.2:
liunx@ubuntu:~$ sudo vpnc
[sudo] password for liunx:
Enter IPSec gateway address: 10.129.228.201
Enter IPSec ID for 10.129.228.201: test
Enter IPSec secret for test@10.129.228.201:(test)
Enter username for 10.129.228.201: root
Enter password for root@10.129.228.201:(123456)
vpnc: authentication unsuccessful
I get this error message from racoon:
2013-09-06 15:55:14: INFO: respond new phase 1 negotiation: 10.129.228.201[500]<=>10.129.228.200[500]
2013-09-06 15:55:14: INFO: begin Aggressive mode.
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2013-09-06 15:55:14: INFO: received Vendor ID: CISCO-UNITY
2013-09-06 15:55:14: INFO: received Vendor ID: RFC 3947
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2013-09-06 15:55:14: INFO: received Vendor ID: DPD
2013-09-06 15:55:14: [10.129.228.200] INFO: Selected NAT-T version: RFC 3947
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: INFO: Adding remote and local NAT-D payloads.
2013-09-06 15:55:14: [10.129.228.200] INFO: Hashing 10.129.228.200[500] with algo #2 (NAT-T forced)
2013-09-06 15:55:14: [10.129.228.201] INFO: Hashing 10.129.228.201[500] with algo #2 (NAT-T forced)
2013-09-06 15:55:14: INFO: Adding xauth VID payload.
2013-09-06 15:55:14: INFO: NAT-T: ports changed to: 10.129.228.200[4500]<->10.129.228.201[4500]
2013-09-06 15:55:14: [10.129.228.200] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
2013-09-06 15:55:14: INFO: received Vendor ID: CISCO-UNITY
2013-09-06 15:55:14: INFO: NAT-D payload #0 doesn't match
2013-09-06 15:55:14: INFO: NAT-D payload #1 doesn't match
2013-09-06 15:55:14: INFO: NAT detected: ME PEER
2013-09-06 15:55:14: INFO: Sending Xauth request
2013-09-06 15:55:14: INFO: ISAKMP-SA established 10.129.228.201[4500]-10.129.228.200[4500] spi:5f0e764b2ee4a7bd:a65bc2a2089f47f3
2013-09-06 15:55:14: INFO: Using port 0
2013-09-06 15:55:14: INFO: Released port 0
2013-09-06 15:55:14: INFO: login failed for user "root"
2013-09-06 15:55:14: ERROR: Attempt to release an unallocated address (port 0)
2013-09-06 15:55:14: ERROR: mode config 6 from 10.129.228.200[4500], but we have no ISAKMP-SA.
I am sure I set root's password to "123456", yet it fails. Any hints?
It was a shadow password problem. At configure time, ipsec-tools detects whether the system uses shadow passwords or not. If ipsec-tools was compiled with _HAVE_SHADOW_H_, it will not parse the correct password from the non-shadow password file, so it fails, and vice versa. I compared it with the Ubuntu system and buildroot, and both run fine.
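To make the answer concrete, here is an added model (not code from the question, the answer, or ipsec-tools) of the two lookup paths behind auth_source system. A build with shadow support resolves the user with getpwnam(3) and then reads the hash from the shadow entry; a build without it reads the password field of the passwd entry, which on a shadowed system is the placeholder "x" and can never match. The passwd and shadow lines below are constructed sample data, and stand_in_crypt is a PBKDF2 stand-in for crypt(3): the point of the example is which field is consulted, not the digest. The exact failure conditions (no shadow entry, empty field) are this example's reading of the behaviour, not a quote of the racoon source.

```python
import hashlib
import hmac


def stand_in_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3), format '$pbkdf2$<salt>$<hex>' (constructed for this example)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)
    return f"$pbkdf2${salt}${digest.hex()}"


# Constructed sample databases, not taken from the question's router.
# root is shadowed ("x" in passwd, real hash in shadow); legacy keeps the hash
# inline in passwd the way an unshadowed system would.
PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/ash",
    "daemon:*:1:1:daemon:/var:/bin/false",
    f"legacy:{stand_in_crypt('123456', 'lg')}:1000:1000::/home/legacy:/bin/ash",
])
SHADOW = "\n".join([
    f"root:{stand_in_crypt('123456', 'rt')}:15950:0:99999:7:::",
    "daemon:*:15950:0:99999:7:::",
])


def parse_db(text: str) -> dict:
    """Split passwd/shadow-style text into {name: [fields]}."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def verify(password: str, stored: str) -> bool:
    """Recompute the stand-in hash with the stored salt and compare in constant time.

    Placeholders such as "x", "*" or "!" do not parse as a hash and never match,
    which is exactly what a non-shadow build sees on a shadowed system.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "pbkdf2" or not parts[2]:
        return False
    return hmac.compare_digest(stand_in_crypt(password, parts[2]), stored)


def xauth_login_system(user: str, password: str, passwd_text: str,
                       shadow_text: str, shadow_aware: bool) -> bool:
    """Return True if the xauth 'system' login would succeed.

    shadow_aware=True models a build with _HAVE_SHADOW_H_ (getpwnam + getspnam);
    shadow_aware=False models a build that only consults the passwd entry.
    """
    pw = parse_db(passwd_text).get(user)
    if pw is None:
        return False  # getpwnam(3) found no such user
    if shadow_aware:
        sp = parse_db(shadow_text).get(user)
        if sp is None:
            return False  # getspnam(3) found no shadow entry: "login failed"
        stored = sp[1]
    else:
        stored = pw[1]  # on a shadowed system this is the placeholder "x"
    return verify(password, stored)


if __name__ == "__main__":
    for aware in (True, False):
        for user in ("root", "legacy"):
            ok = xauth_login_system(user, "123456", PASSWD, SHADOW, aware)
            print(f"shadow_aware={aware!s:5} user={user:6} -> {'ok' if ok else 'login failed'}")
```

Run against the constructed data, root succeeds only with the shadow-aware build and legacy succeeds only with the non-shadow build, which is the "and vice versa" of the answer: the racoon binary must be built for the password layout of the system it runs on, or "login failed for user" appears even though the password is correct.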