無法通過 NetworkManager 啟動與 surfshark 的 IKEv2 VPN 連接

November 11, 2021

我嘗試通過 IKEv2 手動連接到 surfshark VPN 提供商。這是日誌

charon-nm[5070]: 05[CFG] received initiate for NetworkManager connection Surfshark IKE2
charon-nm[5070]: 05[CFG] using gateway identity 'ru-mos.prod.surfshark.com'
charon-nm[5070]: 05[IKE] initiating IKE_SA Surfshark IKE2[1] to 92.38.138.139
charon-nm[5070]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
charon-nm[5070]: 05[NET] sending packet: from 192.168.2.35[35071] to 92.38.138.139[500] (1096 bytes)
NetworkManager[4583]: &lt;info&gt;  [1636055533.4566] vpn-connection[0x56150178a510,6c89b390-d6ee-47d8-a547-346f75797487,"Surfshark IKE2",0]: VPN plugin: state changed: starting (3)
charon-nm[5070]: 15[NET] received packet: from 92.38.138.139[500] to 192.168.2.35[35071] (38 bytes)
charon-nm[5070]: 15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
charon-nm[5070]: 15[IKE] peer didn't accept DH group ECP_256, it requested ECP_521
charon-nm[5070]: 15[IKE] initiating IKE_SA Surfshark IKE2[1] to 92.38.138.139
charon-nm[5070]: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
charon-nm[5070]: 15[NET] sending packet: from 192.168.2.35[35071] to 92.38.138.139[500] (1164 bytes)
charon-nm[5070]: 01[NET] received packet: from 92.38.138.139[500] to 192.168.2.35[35071] (332 bytes)
charon-nm[5070]: 01[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
charon-nm[5070]: 01[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_521
charon-nm[5070]: 01[IKE] local host is behind NAT, sending keep alives
charon-nm[5070]: 01[IKE] sending cert request for "C=VG, O=Surfshark, CN=Surfshark Root CA"
charon-nm[5070]: 01[IKE] establishing CHILD_SA Surfshark IKE2{1}
charon-nm[5070]: 01[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
charon-nm[5070]: 01[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (438 bytes)
charon-nm[5070]: 07[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1248 bytes)
charon-nm[5070]: 07[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]
charon-nm[5070]: 07[ENC] received fragment #1 of 3, waiting for complete IKE message
charon-nm[5070]: 08[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1248 bytes)
charon-nm[5070]: 08[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ]
charon-nm[5070]: 08[ENC] received fragment #2 of 3, waiting for complete IKE message
charon-nm[5070]: 09[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (579 bytes)
charon-nm[5070]: 09[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ]
charon-nm[5070]: 09[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2949 bytes)
charon-nm[5070]: 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
charon-nm[5070]: 09[IKE] received end entity cert "CN=ru-mos.prod.surfshark.com"
charon-nm[5070]: 09[IKE] received issuer cert "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
charon-nm[5070]: 09[CFG]   using certificate "CN=ru-mos.prod.surfshark.com"
charon-nm[5070]: 09[CFG]   using untrusted intermediate certificate "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
charon-nm[5070]: 09[CFG] checking certificate status of "CN=ru-mos.prod.surfshark.com"
charon-nm[5070]: 09[CFG] certificate status is not available
charon-nm[5070]: 09[CFG]   using trusted ca certificate "C=VG, O=Surfshark, CN=Surfshark Root CA"
charon-nm[5070]: 09[CFG] checking certificate status of "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
charon-nm[5070]: 09[CFG] certificate status is not available
charon-nm[5070]: 09[CFG]   reached self-signed root ca with a path length of 1
charon-nm[5070]: 09[IKE] authentication of 'ru-mos.prod.surfshark.com' with RSA_EMSA_PKCS1_SHA2_256 successful
charon-nm[5070]: 09[IKE] server requested EAP_IDENTITY (id 0x00), sending 'mYidENtitY'
charon-nm[5070]: 09[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
charon-nm[5070]: 09[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (90 bytes)
charon-nm[5070]: 10[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (67 bytes)
charon-nm[5070]: 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
charon-nm[5070]: 10[IKE] server requested EAP_PEAP authentication (id 0x01)
charon-nm[5070]: 10[TLS] EAP_PEAP version is v0
charon-nm[5070]: 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/PEAP ]
charon-nm[5070]: 10[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (275 bytes)
charon-nm[5070]: 11[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1065 bytes)
charon-nm[5070]: 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/PEAP ]
charon-nm[5070]: 11[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
charon-nm[5070]: 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/PEAP ]
charon-nm[5070]: 11[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (67 bytes)
charon-nm[5070]: 12[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1061 bytes)
charon-nm[5070]: 12[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
charon-nm[5070]: 12[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ]
charon-nm[5070]: 12[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (67 bytes)
charon-nm[5070]: 13[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (747 bytes)
charon-nm[5070]: 13[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/PEAP ]
charon-nm[5070]: 13[TLS] received TLS server certificate 'C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate, E=admin@example.org'
charon-nm[5070]: 13[TLS] received TLS intermediate certificate 'C=FR, ST=Radius, L=Somewhere, O=Example Inc., E=admin@example.org, CN=Example Certificate Authority'
charon-nm[5070]: 13[CFG]   using certificate "C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate, E=admin@example.org"
charon-nm[5070]: 13[CFG]   using untrusted intermediate certificate "C=FR, ST=Radius, L=Somewhere, O=Example Inc., E=admin@example.org, CN=Example Certificate Authority"
charon-nm[5070]: 13[CFG] subject certificate invalid (valid from Apr 12 17:41:01 2021 to Jun 11 17:41:01 2021)
charon-nm[5070]: 13[TLS] no TLS public key found for server '%any'
charon-nm[5070]: 13[TLS] sending fatal TLS alert 'certificate unknown'
charon-nm[5070]: 13[ENC] generating IKE_AUTH request 6 [ EAP/RES/PEAP ]
charon-nm[5070]: 13[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (74 bytes)
charon-nm[5070]: 14[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (65 bytes)
charon-nm[5070]: 14[ENC] parsed IKE_AUTH response 6 [ EAP/FAIL ]
charon-nm[5070]: 14[IKE] received EAP_FAILURE, EAP authentication failed

一切看起來都很好，直到在響應 5 我得到一些奇怪的證書。我不知道 PEAP 協議到底是如何進行的，以及在該步驟中應該發生什麼，但連接在 Windows 上有效，所以我認為我這邊有問題。

charon-nm[5070]: 13[CFG] subject certificate invalid (valid from Apr 12 17:41:01 2021 to Jun 11 17:41:01 2021)
顯然，請求 EAP-PEAP 的 RADIUS 伺服器的證書已經過期，但是帶有所有“範例”內容的主題看起來很奇怪（除非你修改了它）。為什麼 Windows 會接受這一點，如果它實際上使用 EAP-PEAP，我不知道。
您可以嘗試禁用eap-peap外掛並希望伺服器支持其他 EAP 方法（例如 EAP-MD5 或 EAP-MSCHAPv2）。為此，請將以下內容添加到strongswan.conf：
charon-nm {
 plugins {
   eap-peap {
     load = no
   }
 }
}

引用自：https://serverfault.com/questions/1082654

無法通過 NetworkManager 啟動與 surfshark 的 IKEv2 VPN 連接

相關問答

Strongswan 錯誤：沒有名為“foo”的配置

什麼會導致 iOS 設備能夠通過 LTE 連接到 IKEv2/IPsec VPN 但不能瀏覽大多數網站？

networkmanager-strongswan vpn - 通過 VPN 路由特定 IP

Windows 10 客戶端“策略匹配錯誤”上的 Strongswan IKEv2 vpn

Strongswan IKEv2 身份驗證 - 公鑰和 EAP

IKEV2 VPN 不會對 Windows 客戶端隱藏真實 IP