VPN

OpenWRT StrongSwan IPsec client connection (XAuth authentication of 'user' (myself) failed)

  • May 7, 2019

I am trying to configure my OpenWRT router to connect to a remote VPN server. The credentials I have are correct, but for some reason the connection fails to authenticate on the router. Here is my configuration

/etc/ipsec.conf

conn l2tpconn
 keyexchange=ikev1
 authby=xauthpsk
 xauth=client
 left=%defaultroute
 leftsourceip=%config
 leftfirewall=yes
 leftauth=psk
 leftauth2=xauth
 leftid=user
 right=<server_ip>
 rightsubnet=0.0.0.0/0
 rightauth=psk
 rightauth2=xauth
 auto=add

/etc/ipsec.secrets

%any <server_ip> : PSK 'secret'
'user' : XAUTH 'password'

Logs

initiating Main Mode IKE_SA l2tpconn[39] to <server_ip>
generating ID_PROT request 0 [ SA V V V V ] 
sending packet: from 192.168.1.18[500] to <server_ip>[500] (224 bytes)
received packet: from <server_ip>[500] to 192.168.1.18[500] (156 bytes)
parsed ID_PROT response 0 [ SA V V V V ] 
received DPD vendor ID
received FRAGMENTATION vendor ID
received XAuth vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.1.18[500] to <server_ip>[500] (372 bytes)
received packet: from <server_ip>[500] to 192.168.1.18[500] (372 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT 
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.1.18[4500] to <server_ip>[4500] (92 bytes)
received packet: from <server_ip>[4500] to 192.168.1.18[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
received packet: from <server_ip>[4500] to 192.168.1.18[4500] (76 bytes)
parsed TRANSACTION request 2614881849 [ HASH CPRQ(X_USER X_PWD) ]
generating TRANSACTION response 2614881849 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.1.18[4500] to <server_ip>[4500] (108 bytes)
received packet: from <server_ip>[4500] to 192.168.1.18[4500] (76 bytes)
parsed TRANSACTION request 645236074 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'user' (myself) failed
generating TRANSACTION response 645236074 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.1.18[4500] to <server_ip>[4500] (76 bytes)
establishing connection 'l2tpconn' failed

Maybe it's something simple that I'm missing, but if any of you have suggestions they would be very helpful. Thanks.

So, I figured out what my problem was; it was a combination of different things.

  1. I didn't realize the server was logging the XAUTH requests to /var/log/auth.log; I thought it was in /var/log/syslog.
  2. After reading the log, I noticed it was checking the credentials in /etc/ipsec.d/passwd rather than in /etc/ppp/chap-secrets as I had thought, for whatever reason.

Then I added my username and hashed password (openssl passwd -1 "password") to /etc/ipsec.d/passwd and it worked.
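The server-side check the answer describes (look the user up in a passwd-style file, recompute the crypt hash with the stored salt, compare) can be reproduced offline, which is a quicker way to confirm the entry is right than another round of IKE. The script below is an added example, not code from the post or from strongSwan; it reimplements the MD5-crypt ("$1$") scheme that `openssl passwd -1` produces, and verifies a constructed sample file in that format. The `user:hash[:conn]` layout, the user name and the salt are assumptions for illustration; confirm the hash routine against your own `openssl passwd -1 -salt <salt> <password>` output before relying on it.

```python
"""Offline XAuth credential check against an ipsec.d/passwd-style file.

Added example (not from the original post or any project). Reimplements
MD5-crypt as produced by `openssl passwd -1` / crypt(3) and checks a
constructed sample file with it. File layout, user and salt are assumed.
"""
import hashlib
import hmac
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Encode `count` six-bit groups of `value`, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$...): same output as `openssl passwd -1 -salt SALT PW`."""
    pw = password.encode()
    sl = salt.encode()[:8]          # crypt(3) uses at most 8 salt characters
    magic = b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:             # mix in the alternate digest, 16 bytes per pw chunk
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                      # one byte per bit of the password length
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):            # the deliberately slow stretching loop
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (magic + sl + b"$" + out).decode()


def new_salt() -> str:
    """Random 8-character salt from the crypt alphabet, for creating new entries."""
    return "".join(chr(ITOA64[secrets.randbelow(64)]) for _ in range(8))


def parse_passwd(text: str) -> dict:
    """user -> hash from `user:hash[:conn]` lines; blank lines and comments skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        users[fields[0]] = fields[1]
    return users


def verify_xauth(passwd_text: str, user: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    stored = parse_passwd(passwd_text).get(user)
    if stored is None or not stored.startswith("$1$"):
        return False                 # unknown user, or a scheme this checker does not handle
    salt = stored.split("$")[2]
    return hmac.compare_digest(md5_crypt(password, salt), stored)


# Constructed sample file (assumed layout). The hash is what
# `openssl passwd -1 -salt Qx7mZp2e password` produces.
SAMPLE_PASSWD = "# user:hash[:conn]\n" + "user:" + md5_crypt("password", "Qx7mZp2e") + ":l2tpconn\n"

if __name__ == "__main__":
    print(SAMPLE_PASSWD.strip())
    print("correct password:", verify_xauth(SAMPLE_PASSWD, "user", "password"))
    print("wrong password:  ", verify_xauth(SAMPLE_PASSWD, "user", "passw0rd"))
```

Two practical notes: use a fresh random salt for every entry you create (reusing one lets an attacker who obtains the file test a guess against all users at once), and remember that MD5-crypt is a fast, old scheme; whether the server accepts anything stronger depends on its XAuth backend, which the post does not identify, so `openssl passwd -1` is the only format the page confirms works.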

Quoted from: https://serverfault.com/questions/866503