iPhone 使用者不連接 StrongSwan VPN,而 Android 和 Windows 10 使用者可以?
我有一個 StrongSwan VPN,由於某種我不知道的原因,它無法將 iOS 使用者連接到我的 VPN 伺服器。
一些快速說明:
- 我的 StrongSwan 伺服器是連接到我的網路的 VPN 客戶端的前端。我用於
WireGuard
我的後端站點到站點路由。- 所有 StrongSwan VPN 使用者都經過
FreeRadius
伺服器驗證。- StrongSwan 客戶端在子網上被分配一個 IP
192.168.201.0/24
,而 WireGuard 主幹網路在192.168.200.0/24
子網上執行。- 所有客戶端也都獲得了一個公共 IPv6 地址,該地址屬於分配給我的 /48 子網。
我在 Ubuntu 20.04 上執行 StrongSwan,我的配置文件位於該
/etc/swanctl/config/
文件夾中,由於文件名以.conf
.內容如下:
# Default VPN server settings for all connections conn-defaults { local_addrs = PUBLIC_IPV4, PUBLIC_IPV6 local { auth = pubkey certs = vpn-ecdsa.cer id = vpn.example.com } version = 2 send_certreq = no send_cert = always unique = never fragmentation = yes encap = yes dpd_delay = 60s rekey_time = 0s } # Default login method eap-defaults { remote { auth = eap-radius id = %any eap_id = %any } } connections { # Generic Android configuration that is extended further down. # # Works with StrongSwan VPN client for Android conn-unix : conn-defaults, eap-defaults { children { net { local_ts = 0.0.0.0/0, ::/0 } net-unix : child-defaults { } esp_proposals = aes128gcm128-x25519 } proposals = aes128-sha256-x25519 } # All Windows klients matches this rule as username validation # is done by 'eap_start = yes' in strongswan.conf. # # Works with Windows 10 built-in VPN client. conn-windows : conn-defaults, eap-defaults { children { net { local_ts = 0.0.0.0/0, ::/0 } esp_proposals = aes256-sha256-prfsha256-modp1024 } proposals = aes256-sha256-prfsha256-modp1024 pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6 } # A very similar configuration to Windows clients # configuration, except iOS uses 2048 bit keys, # while Windows uses 1024 bit keys. # # Does NOT work in its current state. conn-ios : conn-defaults, eap-defaults { children { net { local_ts = 0.0.0.0/0, ::/0 } esp_proposals = aes256-sha2_256 pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6 } proposals = aes256-sha256-prfsha256-modp2048 } # Android users is matched against this connection as they are # running the app StrongSwan VPN client. Username is passed in the # 'id' field to StrongSwan VPN server. conn-unix-site : connections.conn-unix { remote { id = *@site.example.com } pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6 } } pools { IkeVPN-site-ipv4 { addrs = 192.168.201.0/24 dns = 192.168.200.1 } IkeVPN-site-ipv6 { addrs = 2001:db8:cafe::/97 dns = 2001:db8::1 } }
我的配置是使用以下網頁給出的結構創建的:
https://wiki.strongswan.org/projects/strongswan/wiki/Strongswanconf#Referencing-other-Sections
我使用它的原因是避免在我的所有連接配置文件中重複相同的配置設置。
如果您不熟悉此設置,
conn-ios
則應將以下配置視為等效:conn-ios { # Obtained from conn-default local_addrs = PUBLIC_IPV4, PUBLIC_IPV6 local { auth = pubkey certs = vpn-ecdsa.cer id = vpn.example.com } version = 2 send_certreq = no send_cert = always unique = never fragmentation = yes encap = yes dpd_delay = 60s rekey_time = 0s # Obtained from eap-defaults remote { auth = eap-radius id = %any eap_id = %any } # Obtained from original conn-ios profile above. children { net { local_ts = 0.0.0.0/0, ::/0 } esp_proposals = aes256-sha2_256 pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6 } proposals = aes256-sha256-prfsha256-modp2048 }
本
conn-default
節中列出的伺服器證書是使用 Acme.sh 從 Let’s Encrypt 獲得的 ECDSA 證書。
proposals
iOS 配置中的加密值esp_proposals
取自https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients中的提示。在測試 Android 或 Windows 使用者的所有組合時,連接沒有任何問題,但是當有人嘗試使用 iPhone 登錄時,連接就會停止。
iPhone嘗試連接時的日誌輸出如下:
10[IKE] CLIENT_IPV4 is initiating an IKE_SA 10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 10[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519 10[IKE] no matching proposal found, trying alternative config 10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 10[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024 10[IKE] no matching proposal found, trying alternative config 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 10[IKE] remote host is behind NAT 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ] 10[NET] sending packet: from PUBLIC_IPV4[500] to CLIENT_IPV4[6452] (456 bytes) 06[NET] received packet: from CLIENT_IPV4[13549] to PUBLIC_IPV4[4500] (512 bytes) 06[ENC] unknown attribute type INTERNAL_DNS_DOMAIN 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ] 06[CFG] looking for peer configs matching PUBLIC_IPV4[vpn.example.com]...CLIENT_IPV4[PRIVATE_CLASS_A_ADDRESS] 06[CFG] selected peer config 'conn-ios' 06[IKE] initiating EAP_IDENTITY method (id 0x00) 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 06[IKE] peer supports MOBIKE 06[IKE] authentication of 'vpn.example.com' (myself) with ECDSA-256 signature successful 06[IKE] sending end entity cert "CN=vpn.example.com" 06[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R3" 06[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ] 06[ENC] splitting IKE message (2816 bytes) into 3 fragments 06[ENC] generating IKE_AUTH response 1 [ EF(1/3) ] 06[ENC] generating IKE_AUTH response 1 [ EF(2/3) ] 06[ENC] generating IKE_AUTH response 1 [ EF(3/3) ] 06[NET] sending packet: from PUBLIC_IPV4[4500] to CLIENT_IPV4[13549] (1236 bytes) 06[NET] sending packet: from PUBLIC_IPV4[4500] to CLIENT_IPV4[13549] (1236 bytes) 06[NET] sending packet: from PUBLIC_IPV4[4500] to CLIENT_IPV4[13549] (500 bytes) 11[JOB] deleting half open IKE_SA with CLIENT_IPV4 after timeout
iPhone 使用者使用以下設置使用內置 VPN 客戶端進行連接:
- 類型 IKEv2
- 描述:VPN伺服器
- 伺服器:vpn.example.com
- 遠端 ID:vpn.example.com
- 本地標識:空白
- 使用者名和密碼驗證。
- 使用者名:user@site.example.com
- 密碼:ItIsASecret
有誰知道為什麼 iOS 使用者在載入
conn-ios
配置文件時連接會停止?更新 我們起飛了!:-)
根據@ecdsa 的建議,我已將證書切換為 2048 位 RSA 證書。
我的 Radius 伺服器被呼叫。使用者身份驗證成功,客戶端獲得分配 IP 地址。我很開心。:-)
我
conn-ios
現在的配置是:conn-ios : conn-defaults, eap-defaults { # Overriding defaults from 'conn-default' local { auth = pubkey certs = vpn-rsa.cer id = vpn.example.com } children { net { local_ts = 0.0.0.0/0, ::/0 } esp_proposals = aes256-sha256 } pools = IkeVPN-site-ipv4, IkeVPN-site-ipv6 proposals = aes256-sha256-prfsha256-modp2048 }
其他一切都與我的初始配置一樣。
正如我們在日誌中看到的,客戶端不支持RFC 7427(否則,雜湊算法通知將在 期間交換
IKE_SA_INIT
),它定義了靈活的基於簽名的身份驗證。雖然 IKEv2 也支持沒有該擴展的 ECDSA,但RFC 4754只增加了對它的有限支持(只能使用三個 NIST 曲線,並且每個曲線都分配了特定的雜湊算法)。因此,如果在配置文件中明確配置,Apple 客戶端可能只接受/使用 ECDSA (有一個選項
CertificateType
可以設置為 egECDSA256
)。如果使用配置文件不是一個選項,唯一的選擇是使用RSA 伺服器證書,至少在 Apple 在其 IKEv2 客戶端中實現對 RFC 7427 的支持之前。