Unable to start an IKEv2 VPN connection to Surfshark via NetworkManager
I am trying to connect manually to the Surfshark VPN provider over IKEv2. Here is the log:
charon-nm[5070]: 05[CFG] received initiate for NetworkManager connection Surfshark IKE2
charon-nm[5070]: 05[CFG] using gateway identity 'ru-mos.prod.surfshark.com'
charon-nm[5070]: 05[IKE] initiating IKE_SA Surfshark IKE2[1] to 92.38.138.139
charon-nm[5070]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
charon-nm[5070]: 05[NET] sending packet: from 192.168.2.35[35071] to 92.38.138.139[500] (1096 bytes)
NetworkManager[4583]: <info> [1636055533.4566] vpn-connection[0x56150178a510,6c89b390-d6ee-47d8-a547-346f75797487,"Surfshark IKE2",0]: VPN plugin: state changed: starting (3)
charon-nm[5070]: 15[NET] received packet: from 92.38.138.139[500] to 192.168.2.35[35071] (38 bytes)
charon-nm[5070]: 15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
charon-nm[5070]: 15[IKE] peer didn't accept DH group ECP_256, it requested ECP_521
charon-nm[5070]: 15[IKE] initiating IKE_SA Surfshark IKE2[1] to 92.38.138.139
charon-nm[5070]: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
charon-nm[5070]: 15[NET] sending packet: from 192.168.2.35[35071] to 92.38.138.139[500] (1164 bytes)
charon-nm[5070]: 01[NET] received packet: from 92.38.138.139[500] to 192.168.2.35[35071] (332 bytes)
charon-nm[5070]: 01[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
charon-nm[5070]: 01[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_521
charon-nm[5070]: 01[IKE] local host is behind NAT, sending keep alives
charon-nm[5070]: 01[IKE] sending cert request for "C=VG, O=Surfshark, CN=Surfshark Root CA"
charon-nm[5070]: 01[IKE] establishing CHILD_SA Surfshark IKE2{1}
charon-nm[5070]: 01[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
charon-nm[5070]: 01[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (438 bytes)
charon-nm[5070]: 07[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1248 bytes)
charon-nm[5070]: 07[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]
charon-nm[5070]: 07[ENC] received fragment #1 of 3, waiting for complete IKE message
charon-nm[5070]: 08[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1248 bytes)
charon-nm[5070]: 08[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ]
charon-nm[5070]: 08[ENC] received fragment #2 of 3, waiting for complete IKE message
charon-nm[5070]: 09[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (579 bytes)
charon-nm[5070]: 09[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ]
charon-nm[5070]: 09[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2949 bytes)
charon-nm[5070]: 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
charon-nm[5070]: 09[IKE] received end entity cert "CN=ru-mos.prod.surfshark.com"
charon-nm[5070]: 09[IKE] received issuer cert "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
charon-nm[5070]: 09[CFG] using certificate "CN=ru-mos.prod.surfshark.com"
charon-nm[5070]: 09[CFG] using untrusted intermediate certificate "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
charon-nm[5070]: 09[CFG] checking certificate status of "CN=ru-mos.prod.surfshark.com"
charon-nm[5070]: 09[CFG] certificate status is not available
charon-nm[5070]: 09[CFG] using trusted ca certificate "C=VG, O=Surfshark, CN=Surfshark Root CA"
charon-nm[5070]: 09[CFG] checking certificate status of "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
charon-nm[5070]: 09[CFG] certificate status is not available
charon-nm[5070]: 09[CFG] reached self-signed root ca with a path length of 1
charon-nm[5070]: 09[IKE] authentication of 'ru-mos.prod.surfshark.com' with RSA_EMSA_PKCS1_SHA2_256 successful
charon-nm[5070]: 09[IKE] server requested EAP_IDENTITY (id 0x00), sending 'mYidENtitY'
charon-nm[5070]: 09[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
charon-nm[5070]: 09[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (90 bytes)
charon-nm[5070]: 10[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (67 bytes)
charon-nm[5070]: 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
charon-nm[5070]: 10[IKE] server requested EAP_PEAP authentication (id 0x01)
charon-nm[5070]: 10[TLS] EAP_PEAP version is v0
charon-nm[5070]: 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/PEAP ]
charon-nm[5070]: 10[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (275 bytes)
charon-nm[5070]: 11[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1065 bytes)
charon-nm[5070]: 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/PEAP ]
charon-nm[5070]: 11[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
charon-nm[5070]: 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/PEAP ]
charon-nm[5070]: 11[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (67 bytes)
charon-nm[5070]: 12[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1061 bytes)
charon-nm[5070]: 12[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
charon-nm[5070]: 12[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ]
charon-nm[5070]: 12[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (67 bytes)
charon-nm[5070]: 13[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (747 bytes)
charon-nm[5070]: 13[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/PEAP ]
charon-nm[5070]: 13[TLS] received TLS server certificate 'C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate, E=admin@example.org'
charon-nm[5070]: 13[TLS] received TLS intermediate certificate 'C=FR, ST=Radius, L=Somewhere, O=Example Inc., E=admin@example.org, CN=Example Certificate Authority'
charon-nm[5070]: 13[CFG] using certificate "C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate, E=admin@example.org"
charon-nm[5070]: 13[CFG] using untrusted intermediate certificate "C=FR, ST=Radius, L=Somewhere, O=Example Inc., E=admin@example.org, CN=Example Certificate Authority"
charon-nm[5070]: 13[CFG] subject certificate invalid (valid from Apr 12 17:41:01 2021 to Jun 11 17:41:01 2021)
charon-nm[5070]: 13[TLS] no TLS public key found for server '%any'
charon-nm[5070]: 13[TLS] sending fatal TLS alert 'certificate unknown'
charon-nm[5070]: 13[ENC] generating IKE_AUTH request 6 [ EAP/RES/PEAP ]
charon-nm[5070]: 13[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (74 bytes)
charon-nm[5070]: 14[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (65 bytes)
charon-nm[5070]: 14[ENC] parsed IKE_AUTH response 6 [ EAP/FAIL ]
charon-nm[5070]: 14[IKE] received EAP_FAILURE, EAP authentication failed
Everything looks fine until response 5, where I get some strange certificate. I don't know exactly how the PEAP protocol proceeds or what is supposed to happen at that step, but the connection works on Windows, so I assume the problem is on my side.
charon-nm[5070]: 13[CFG] subject certificate invalid (valid from Apr 12 17:41:01 2021 to Jun 11 17:41:01 2021)
Apparently the certificate of the RADIUS server that requests EAP-PEAP has expired, but the subject with all the "Example" content looks odd (unless you modified it). Why Windows would accept this, if it actually uses EAP-PEAP, I don't know.
You could try disabling the eap-peap plugin and hope the server supports other EAP methods (e.g. EAP-MD5 or EAP-MSCHAPv2). To do that, add the following to strongswan.conf:
charon-nm {
    plugins {
        eap-peap {
            load = no
        }
    }
}
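As an added example (not part of the question or the answer above), a small Python triage helper that reads charon-nm entries of the kind posted and separates the outer IKEv2 result (gateway certificate authenticated) from the inner EAP-PEAP result (RADIUS TLS server certificate outside its validity window at the time of the attempt). It assumes the NetworkManager epoch timestamp marks the attempt time and treats charon's validity timestamps as UTC (charon actually prints local time); the sample log is an abridged copy of the entries above.

```python
import re
from datetime import datetime, timezone

# Constructed sample: abridged copies of the decisive entries from the log above.
SAMPLE_LOG = """\
NetworkManager[4583]: <info> [1636055533.4566] vpn-connection: VPN plugin: state changed: starting (3)
charon-nm[5070]: 09[IKE] authentication of 'ru-mos.prod.surfshark.com' with RSA_EMSA_PKCS1_SHA2_256 successful
charon-nm[5070]: 10[IKE] server requested EAP_PEAP authentication (id 0x01)
charon-nm[5070]: 13[TLS] received TLS server certificate 'C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate, E=admin@example.org'
charon-nm[5070]: 13[CFG] subject certificate invalid (valid from Apr 12 17:41:01 2021 to Jun 11 17:41:01 2021)
charon-nm[5070]: 14[IKE] received EAP_FAILURE, EAP authentication failed
"""

EPOCH_RE = re.compile(r"NetworkManager\[\d+\]: <\w+> \[(\d+)\.\d+\]")  # NM logs UNIX epoch seconds
IKE_AUTH_RE = re.compile(r"\[IKE\] authentication of '([^']+)' with \S+ successful")
EAP_RE = re.compile(r"server requested (EAP_\w+) authentication")
TLS_CERT_RE = re.compile(r"received TLS server certificate '([^']+)'")
VALIDITY_RE = re.compile(r"subject certificate invalid \(valid from (.+?) to (.+?)\)")
CHARON_TIME_FMT = "%b %d %H:%M:%S %Y"  # e.g. "Jun 11 17:41:01 2021"

def parse_charon_time(text):
    # Assumption: treat charon's validity timestamps as UTC (it really prints local time).
    return datetime.strptime(text, CHARON_TIME_FMT).replace(tzinfo=timezone.utc)

def triage(log):
    """Separate the outer IKEv2 gateway authentication from the inner EAP-PEAP TLS failure."""
    report = {"gateway_authenticated": None, "eap_method": None, "inner_tls_subject": None,
              "cert_not_after": None, "expired_days_at_attempt": None, "verdict": "no verdict"}
    attempt = None
    for line in log.splitlines():
        if m := EPOCH_RE.search(line):
            attempt = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        elif m := IKE_AUTH_RE.search(line):
            report["gateway_authenticated"] = m.group(1)  # outer IKE_AUTH succeeded
        elif m := EAP_RE.search(line):
            report["eap_method"] = m.group(1)
        elif m := TLS_CERT_RE.search(line):
            report["inner_tls_subject"] = m.group(1)  # cert presented inside the PEAP TLS tunnel
        elif m := VALIDITY_RE.search(line):
            not_before, not_after = map(parse_charon_time, m.groups())
            report["cert_not_after"] = not_after.isoformat()
            if attempt is None:
                report["verdict"] = "inner TLS certificate outside validity window (attempt time unknown)"
            elif attempt > not_after:
                report["expired_days_at_attempt"] = (attempt - not_after).days
                report["verdict"] = "inner EAP-PEAP TLS server certificate expired"
            elif attempt < not_before:
                report["verdict"] = "inner EAP-PEAP TLS server certificate not yet valid"
    return report
```

Running triage(SAMPLE_LOG) reports the gateway as authenticated and the inner PEAP certificate as expired 146 days before the attempt, which is why the failure sits in the EAP stage and not in the IKEv2 handshake.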