"NO_PROPOSAL_CHOSEN" when trying to authenticate with a smart card certificate using swanctl
I am trying to create a VPN tunnel between two VMs (named A and B) with strongSwan, using `swanctl` (importantly, that is what I am using here), a host-to-host configuration (as described here) and a smart card for B's authentication. I generated a CA certificate and signed CRTs for A and B with it, and that works as expected (no problem creating the tunnel).
After that, I decided to generate a CRT on my YubiKey (using `yubikey-manager`), which I signed with my CA, and I configured strongSwan to use the opensc module to access the card.
My `swanctl --load-creds` works fine, and so does my `swanctl --load-conns`.
Here is the result of `swanctl --load-creds`:

    loaded certificate from '/etc/swanctl/x509ca/ca.crt'
    loaded key tokenyubikey from token [keyid: "..."]
But when I try to initiate with `swanctl --initiate`, I get some errors. Here is what I type on each host before every attempt:

    systemctl restart swanctl
    swanctl --load-conns
    swanctl --load-creds
When I try to connect from B (the one with the YubiKey) to A, here is the output on A (using `swanctl --log`). The command I used is `swanctl --initiate --child host-host`:

    10[NET] sending packet: from <IP A>[500] to <IP B>[500] (273 bytes)
    09[NET] received packet: from <IP B>[4500] to <IP A>[4500] (1104 bytes)
    09[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    09[DMN] thread 9 received 11
    09[LIB] dumping 20 stack frame addresses:
    09[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f0c30448000 [0x7f0c3045a890]
    09[LIB]   -> ??:?
    09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 [0x7f0c3092b170]
    09[LIB]   -> /home/john/strongswan-5.8.1/src/libstrongswan/networking/host.c:84
    09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 (host_printf_hook+0x37) [0x7f0c3092b347]
    09[LIB]   -> /home/john/strongswan-5.8.1/src/libstrongswan/networking/host.c:114
    09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 [0x7f0c309456a6]
    09[LIB]   -> /home/john/strongswan-5.8.1/src/libstrongswan/utils/printf_hook/printf_hook_glibc.c:118
    09[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f0c30057000 [0x7f0c300b0473]
    09[LIB]   -> /build/glibc-OTsEL5/glibc-2.27/stdio-common/vfprintf.c:2004
    09[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f0c30057000 (_IO_vfprintf+0x192a) [0x7f0c300b3cba]
    09[LIB]   -> /build/glibc-OTsEL5/glibc-2.27/stdio-common/vfprintf.c:1688
    09[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f0c30057000 (__vsnprintf_chk+0xa9) [0x7f0c30189169]
    09[LIB]   -> /build/glibc-OTsEL5/glibc-2.27/debug/vsnprintf_chk.c:65
    09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30676c42]
    09[LIB]   -> /home/john/strongswan-5.8.1/src/libcharon/bus/bus.c:398
    09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30676e2a]
    09[LIB]   -> /home/john/strongswan-5.8.1/src/libcharon/bus/bus.c:441
    09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c3069ab36]
    09[LIB]   -> /home/john/strongswan-5.8.1/src/libcharon/sa/ike_sa.c:973
    09[LIB] /usr/lib/ipsec/plugins/libstrongswan-connmark.so @ 0x7f0c2f6ae000 [0x7f0c2f6af6bb]
    09[LIB]   -> ??:0
    09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30675a47]
    09[LIB]   -> /home/john/strongswan-5.8.1/src/libcharon/bus/bus.c:885
    09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30698e21]
    09[LIB]   -> /home/john/strongswan-5.8.1/src/libcharon/sa/ike_sa.c:1114
    09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c306a875c]
    09[LIB]   -> /home/john/strongswan-5.8.1/src/libcharon/sa/ikev2/task_manager_v2.c:1585
    09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30697f47]
    09[LIB]   -> /home/john/strongswan-5.8.1/src/libcharon/sa/ike_sa.c:1587
    09[LIB] /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c3069182f]
    09[LIB]   -> /home/john/strongswan-5.8.1/src/libcharon/processing/jobs/process_message_job.c:74
    09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 [0x7f0c30931806]
    09[LIB]   -> /home/john/strongswan-5.8.1/src/libstrongswan/processing/processor.c:235
    09[LIB] /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 [0x7f0c30943d7b]
    09[LIB]   -> /home/john/strongswan-5.8.1/src/libstrongswan/threading/thread.c:332 (discriminator 4)
    09[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f0c30448000 [0x7f0c3044f6db]
    09[LIB]   -> /build/glibc-OTsEL5/glibc-2.27/nptl/pthread_create.c:463
    09[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f0c30057000 (clone+0x3f) [0x7f0c3017888f]
    09[LIB]   -> /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:97
    09[DMN] killing ourself, received critical signal
From that point on my strongSwan seems to be dead and I have to restart it.

I get the same problem when I try to initiate from A to B (since it is a host-to-host connection).

I tried using a different VM as A and got the output below when trying to go from B to A. The new A host uses strongSwan swanctl version 5.6.2 (installed from apt):
    13[IKE] received cert request for "<CA's CN>"
    13[IKE] received end entity cert "CN=<B's CN>"
    13[CFG] looking for peer configs matching <New A's IP>[A]...<B's ip>[B]
    13[CFG] selected peer config 'host-host'
    13[IKE] no trusted RSA public key found for 'B'
    13[IKE] peer supports MOBIKE
    13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    13[NET] sending packet: from <New A's IP>[4500] to <B's IP>[4500] (80 bytes)
When I try to connect from the new A to B, it crashes as shown above.

Here are some more details.
Here is my swanctl.conf on B:

    connections {
        home {
            remote_addrs = <A's ip>
            local {
                auth = pubkey
                id = "B"
                certs = B.crt # It's the cert on my yubikey that I extracted and put into /etc/swanctl/x509
            }
            remote {
                auth = pubkey
                id = "A"
            }
            children {
                host-host {
                    start_action = trap
                }
            }
        }
    }
    secrets {
        tokenyubikey {
            pin = <my pin>
            slot = 0
            handle = 1 # From what I understood, this is where my crt is
            module = opensc
        }
    }
Here is the result of my `pkcs11-tool -M` command, showing that RSA256 is supported (at least, as I understand it):

    Supported mechanisms:
      SHA-1, digest
      SHA256, digest
      SHA384, digest
      SHA512, digest
      MD5, digest
      RIPEMD160, digest
      GOSTR3411, digest
      ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000
      ECDH1-COFACTOR-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
      ECDH1-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
      RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
      RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
      SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
      SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
      SHA384-RSA-PKCS, keySize={1024,3072}, sign, verify
      SHA512-RSA-PKCS, keySize={1024,3072}, sign, verify
      MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
      RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify
Here is the result of my `pkcs11-tool -O`:

    Using slot 0 with a present token (0x0)
    Public Key Object; RSA 1024 bits
      label:      PIV AUTH pubkey
      ID:         01
      Usage:      encrypt, verify, wrap
    Certificate Object; type = X.509 cert
      label:      Certificate for PIV Authentication
      ID:         01
    Data object 2496313968
      label:          'Card Capability Container'
      application:    'Card Capability Container'
      app_id:         2.16.840.1.101.3.7.1.219.0
      flags:          <empty>
    Data object 2496314064
      label:          'Card Holder Unique Identifier'
      application:    'Card Holder Unique Identifier'
      app_id:         2.16.840.1.101.3.7.2.48.0
      flags:          <empty>
    Data object 2496314160
      label:          'Unsigned Card Holder Unique Identifier'
      application:    'Unsigned Card Holder Unique Identifier'
      app_id:         2.16.840.1.101.3.7.2.48.2
      flags:          <empty>
    Data object 2496314256
      label:          'X.509 Certificate for PIV Authentication'
      application:    'X.509 Certificate for PIV Authentication'
      app_id:         2.16.840.1.101.3.7.2.1.1
      flags:          <empty>
    Data object 2496314640
      label:          'X.509 Certificate for Digital Signature'
      application:    'X.509 Certificate for Digital Signature'
      app_id:         2.16.840.1.101.3.7.2.1.0
      flags:          <empty>
    Data object 2496314736
      label:          'X.509 Certificate for Key Management'
      application:    'X.509 Certificate for Key Management'
      app_id:         2.16.840.1.101.3.7.2.1.2
      flags:          <empty>
    Data object 2496314832
      label:          'X.509 Certificate for Card Authentication'
      application:    'X.509 Certificate for Card Authentication'
      app_id:         2.16.840.1.101.3.7.2.5.0
      flags:          <empty>
    Data object 2496314928
      label:          'Security Object'
      application:    'Security Object'
      app_id:         2.16.840.1.101.3.7.2.144.0
      flags:          <empty>
    Data object 2496315024
      label:          'Discovery Object'
      application:    'Discovery Object'
      app_id:         2.16.840.1.101.3.7.2.96.80
      flags:          <empty>
Here is what is in my /etc/strongswan.d/charon/pkcs11.conf:

    pkcs11 {
        load = yes
        modules {
            opensc {
                path = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
            }
        }
    }
I generated a CSR on my YubiKey using `yubikey-manager`, then signed it as follows:

    ipsec pki --issue --in b.csr --type pkcs10 --cacert <CA's crt> --dn "<CA's DN>CN=B" --san B --outform pem > b.crt
I then imported the resulting CRT into the YubiKey using `yubikey-manager`.

My swanctl version on Ubuntu 18.04 is 5.8.1.
Edit: here is the result of `pkcs11-tool --test --login`:

    Using slot 0 with a present token (0x0)
    Logging in to "PIV Card Holder pin (PIV_II)".
    Please enter User PIN:
    C_SeedRandom() and C_GenerateRandom():
      seeding (C_SeedRandom) not supported
      seems to be OK
    Digests:
      all 4 digest functions seem to work
      MD5: OK
      SHA-1: OK
      RIPEMD160: OK
    Signatures (currently only for RSA)
      testing key 0 (PIV AUTH key)
        all 4 signature functions seem to work
        testing signature mechanisms:
          RSA-X-509: OK
          RSA-PKCS: OK
          SHA1-RSA-PKCS: OK
          MD5-RSA-PKCS: OK
          RIPEMD160-RSA-PKCS: OK
          SHA256-RSA-PKCS: OK
      testing key 1 (1024 bits, label=SIGN key) with 1 signature mechanism
    Logging in to "PIV Card Holder pin (PIV_II)".
    Please enter context specific PIN:
        RSA-X-509: OK
      testing key 2 (1024 bits, label=KEY MAN key) with 1 signature mechanism -- can't be used to sign/verify, skipping
    Verify (currently only for RSA)
      testing key 0 (PIV AUTH key)
        RSA-X-509: OK
        RSA-PKCS: OK
        SHA1-RSA-PKCS: OK
        MD5-RSA-PKCS: OK
        RIPEMD160-RSA-PKCS: OK
      testing key 1 (SIGN key) with 1 mechanism
    Logging in to "PIV Card Holder pin (PIV_II)".
    Please enter context specific PIN:
        RSA-X-509: OK
      testing key 2 (KEY MAN key) with 1 mechanism -- can't be used to sign/verify, skipping
    Unwrap: not implemented
    Decryption (currently only for RSA)
      testing key 0 (PIV AUTH key)
        RSA-X-509: OK
        RSA-PKCS: OK
      testing key 1 (SIGN key)
        RSA-X-509: Logging in to "PIV Card Holder pin (PIV_II)".
    Please enter context specific PIN:
    OK
        RSA-PKCS: Logging in to "PIV Card Holder pin (PIV_II)".
    Please enter context specific PIN:
    OK
      testing key 2 (KEY MAN key)
        RSA-X-509: OK
        RSA-PKCS: OK
    No errors
Thanks to ecdsa, I finally got it working.

For anyone who, like me, wants to know how to set up a host-to-host connection between strongSwan and a YubiKey (a YubiKey 5C in my case): my conf works fine.

My problem was caused by a bad installation (there were some conflicts between the different strongSwan versions I had installed).

Don't forget to put the crt into the x509 directory, /etc/swanctl/x509, and it should normally just work!
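Added example, not code from the question, the answer, strongSwan or OpenSC: a small POSIX shell script that turns a `pkcs11-tool -O` listing into the `secrets { token<name> { ... } }` section swanctl expects, and, when given a certificate path and key ID, checks the two things the logs above are really about: that the certificate copied into /etc/swanctl/x509 chains to the CA in /etc/swanctl/x509ca and carries the identity used as `id`, and that its public key is the one on the token. The module path is taken from the pkcs11.conf in the question; the `PKCS11_MODULE` and `CA_CERT` variables, the default identity `B`, and the sample listing (modelled on the question's output, with a SIGN key object added) are assumptions of this example.

```shell
#!/bin/sh
# Added example for the question above; not code from strongSwan, OpenSC or the poster.
# Assumed: pkcs11-tool and openssl are on PATH, the OpenSC module path from the
# question's pkcs11.conf, and that the peer identity is a DNS SAN such as "B".

MODULE=${PKCS11_MODULE:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}
CA_CERT=${CA_CERT:-/etc/swanctl/x509ca/ca.crt}

# Slot number from the "Using slot N ..." line of `pkcs11-tool -O` (read from stdin).
token_slot() {
    awk '/^Using slot/ { print $3; exit }'
}

# CKA_ID (hex) of the first key object whose label contains $1, e.g. "PIV AUTH".
# swanctl.conf's token<name> { handle = ... } takes exactly this value.
token_key_id() {
    awk -v want="$1" '
        /^(Public|Private) Key Object/ { inkey = 1; lbl = ""; next }
        /^[^ ]/                        { inkey = 0 }
        inkey && $1 == "label:"        { sub(/^ *label: */, ""); lbl = $0 }
        inkey && $1 == "ID:" && index(lbl, want) { print $2; exit }
    '
}

# swanctl.conf secrets section for the token. No pin line on purpose:
# swanctl --load-creds then prompts for the PIN instead of reading it from a file.
swanctl_token_section() {   # args: name slot handle module
    cat <<EOF
secrets {
    token$1 {
        slot = $2
        handle = $3
        module = $4
    }
}
EOF
}

# Live check 1: the on-disk certificate chains to our CA and names identity $2
# (the --san given to `ipsec pki --issue` ends up as a DNS SAN).
cert_chains_and_names() {   # args: cert.pem identity
    openssl verify -CAfile "$CA_CERT" "$1" >/dev/null &&
    openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2(,|\$)"
}

# Live check 2: the certificate's RSA modulus equals the token key's modulus.
# pkcs11-tool writes the public key as DER SubjectPublicKeyInfo; no PIN is needed.
cert_matches_token() {   # args: cert.pem key-id
    disk=$(openssl x509 -in "$1" -noout -pubkey | openssl rsa -pubin -noout -modulus)
    card=$(pkcs11-tool --module "$MODULE" --read-object --type pubkey --id "$2" |
           openssl rsa -pubin -inform DER -noout -modulus)
    [ -n "$disk" ] && [ "$disk" = "$card" ]
}

# Constructed sample of `pkcs11-tool -O` output, modelled on the question's
# listing; the SIGN pubkey object is added to show that label matching is selective.
SAMPLE_PKCS11_TOOL_O=$(cat <<'EOF'
Using slot 0 with a present token (0x0)
Public Key Object; RSA 1024 bits
  label:      PIV AUTH pubkey
  ID:         01
  Usage:      encrypt, verify, wrap
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  ID:         01
Public Key Object; RSA 1024 bits
  label:      SIGN pubkey
  ID:         02
  Usage:      encrypt, verify, wrap
Data object 2496313968
  label:          'Card Capability Container'
  application:    'Card Capability Container'
  app_id:         2.16.840.1.101.3.7.1.219.0
  flags:          <empty>
EOF
)

if [ "$#" -ge 2 ]; then
    # Live mode:  sh check-token.sh /etc/swanctl/x509/B.crt 01 [identity]
    cert_chains_and_names "$1" "${3:-B}" || { echo "FAIL: $1 does not chain to $CA_CERT or lacks DNS:${3:-B}"; exit 1; }
    cert_matches_token "$1" "$2"         || { echo "FAIL: $1 is not the key with ID $2 on the token"; exit 1; }
    echo "OK: $1 chains to $CA_CERT and matches token key $2"
else
    # Offline demo: derive slot and handle from the sample and print the section.
    slot=$(printf '%s\n' "$SAMPLE_PKCS11_TOOL_O" | token_slot)
    handle=$(printf '%s\n' "$SAMPLE_PKCS11_TOOL_O" | token_key_id 'PIV AUTH')
    swanctl_token_section yubikey "$slot" "$handle" opensc
fi
```

`handle` is the hex CKA_ID of the private key (shown as `ID: 01` for the PIV AUTH key in the listing), not a PIV slot name. The pin line is left out so that `swanctl --load-creds` prompts for it; if you do keep the PIN in swanctl.conf, restrict that file's permissions. `pkcs11-tool --test --login` only proves the token can sign; it says nothing about whether the certificate copied to disk belongs to that key or whether the other host trusts it, which is what `no trusted RSA public key found for 'B'` on A means: A needs B's certificate to chain to a CA loaded from its own x509ca directory (or B.crt itself in its x509 directory), and the identity `B` has to appear in that certificate.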