Windows

Strongswan / IPsec: multiple roadwarriors connecting to different subnets

  • May 12, 2022

I am trying to set up a StrongSwan VPN server that should host multiple roadwarrior connections (Windows 10 built-in VPN client), but to different subnets depending on the client certificate.

root@VPN:/# ipsec version

Linux strongSwan U5.8.2/K5.4.0-26-generic

My setup has 2 public/private key pairs with different CNs, say vpn-dev.mycom.com and vpn-liv.mycom.com. The ipsec.conf used looks like this:

conn vpn-dev
   auto=add
   compress=no
   type=tunnel
   keyexchange=ikev2
   fragmentation=yes
   forceencaps=yes
   dpdaction=clear
   dpddelay=300s
   rekey=no
   ikelifetime=25200s
   leftid=vpn-dev.mycom.com
   leftcert=server-cert.pem
   leftsendcert=always
   leftsubnet=0.0.0.0/0
   right=%any
   rightid=%any
   rightauth=eap-mschapv2
   rightsourceip=10.100.0.0/16-10.100.254.254/16
   rightdns=8.8.8.8,8.8.4.4
   rightsendcert=never
   rightcert=ca-cert.pem
   eap_identity=%identity
   ike=aes128-sha1-modp1024


conn vpn-liv
   also=vpn-dev
   leftid=vpn-liv.mycom.com
   leftcert=liv-server-cert.pem
   rightsourceip=10.200.0.0/16-10.200.254.254/16
   rightcert=liv-ca-cert.pem

Both certificate keys are also stored in ipsec.secrets:

vpn-dev.mycom.com : RSA "server-key.pem"
vpn-liv.mycom.com : RSA "liv-server-key.pem"

someuser : EAP "somepassword"

However, as soon as I try to connect to the strongswan instance, vpn-dev is used for the connection and strongswan does not switch to conn vpn-liv.

Here is the log during the attempt:

Mar 30 08:47:48 VPN charon: 16[NET] received packet: from X.X.X.X[64558] to X.X.X.X[500] (1084 bytes)
Mar 30 08:47:48 VPN charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 30 08:47:48 VPN charon: 16[IKE] received MS-Negotiation Discovery Capable vendor ID
Mar 30 08:47:48 VPN charon: 16[IKE] X.X.X.X is initiating an IKE_SA
Mar 30 08:47:48 VPN charon: 16[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 30 08:47:48 VPN charon: 16[IKE] local host is behind NAT, sending keep alives
Mar 30 08:47:48 VPN charon: 16[IKE] remote host is behind NAT
Mar 30 08:47:48 VPN charon: 16[NET] sending packet: from X.X.X.X[500] to X.X.X.X[64558] (328 bytes)
Mar 30 08:47:48 VPN charon: 06[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 10[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 05[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 14[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (368 bytes)
Mar 30 08:47:48 VPN charon: 14[IKE] received cert request for "CN=PRIV VPN LIV CA"
Mar 30 08:47:48 VPN charon: 14[IKE] received 69 cert requests for an unknown ca
Mar 30 08:47:48 VPN charon: 14[CFG] looking for peer configs matching X.X.X.X[%any]...X.X.X.X[192.168.0.117]

Mar 30 08:47:48 VPN charon: 14[CFG] selected peer config 'vpn-dev' # << here it has not selected vpn-live, even if the earlier provided private key is only matching vpn-live

Mar 30 08:47:48 VPN charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar 30 08:47:48 VPN charon: 14[IKE] peer supports MOBIKE
Mar 30 08:47:48 VPN charon: 14[IKE] authentication of 'vpn-dev.mycom.com' (myself) with RSA     signature successful
Mar 30 08:47:48 VPN charon: 14[IKE] sending end entity cert "CN=vpn-dev.mycom.com"
Mar 30 08:47:49 VPN charon: 14[IKE] sending cert request for "CN=PRIV VPN DEV CA"
Mar 30 08:47:49 VPN charon: 14[IKE] sending cert request for "CN=PRIV VPN LIV CA"
Mar 30 08:47:49 VPN charon: 14[NET] sending packet: from X.X.X.X[500] to X.X.X.X[64548] (364 bytes)
Mar 30 08:47:49 VPN charon: 06[NET] received packet: from X.X.X.X[64618] to X.X.X.X[4500] (92 bytes)
Mar 30 08:47:49 VPN charon: 06[IKE] received (28) error notify

The goal is basically to host 2 VPN endpoints on one machine, but to provide different IP ranges depending on the login / certificate used.

The local (client) configuration is done with PowerShell:

Import-Certificate -FilePath liv-ca-cert.pem -CertStoreLocation 'Cert:\LocalMachine\Root'
Add-VpnConnection -Name 'LIV VPN' -ServerAddress 'vpn-live.mycom.com' -AuthenticationMethod Eap -IdleDisconnectSeconds 43200

Am I missing something? Is my setup misconfigured? Or is this simply not possible with strongswan and the Windows 10 built-in VPN client?

It turns out that the certificates cannot be used for this, because they are not used to identify the user on the server.

So I ended up using the workaround described in this answer, which helps to evaluate the eap_identity.

Now my clients use the same certificate, but depending on the login I can decide which subnet they will use.

My ipsec.conf now looks like this:

conn eap-shared
  type=tunnel
  ike=aes128-sha1-modp1024
  rightauth=eap-mschapv2
  leftcert=server-cert.pem

conn eap-init
  also=eap-shared
  # this config is used to do the EAP-Identity exchange and the
  # authentication of client and server
  eap_identity=%identity
  # the following is used to force a connection switch after
  # the authentication completed
  rightgroups=thisseemsirrelevant
  auto=add

conn eap-liv
  also=eap-shared
  eap_identity=*@liv-some-domain.com
  rightsourceip=10.200.0.0/16-10.200.254.254/16
  auto=add

conn eap-dev
  also=eap-shared
  eap_identity=*@dev-some-domain.com
  rightsourceip=10.100.0.0/16-10.100.254.254/16
  auto=add

Probably not the most elegant solution, but it works in my case.
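As an added illustration (not code from the original post or from strongSwan), the following Python models how the eap_identity workaround above maps a login to a conn and therefore to a rightsourceip pool. The config text is a constructed sample modelled on the answer, `also=` inheritance is flattened the way ipsec.conf documents it, and wildcard matching uses fnmatch as a stand-in for strongSwan's real identity matching.

```python
"""Simplified model of eap_identity-based conn selection (added example).
It mirrors the shape of the workaround, not strongSwan's actual algorithm."""
from fnmatch import fnmatchcase

# Constructed sample config modelled on the eap-liv / eap-dev conns above.
SAMPLE_CONF = """
conn eap-shared
  type=tunnel
  rightauth=eap-mschapv2
conn eap-liv
  also=eap-shared
  eap_identity=*@liv-some-domain.com
  rightsourceip=10.200.0.0/16
  auto=add
conn eap-dev
  also=eap-shared
  eap_identity=*@dev-some-domain.com
  rightsourceip=10.100.0.0/16
  auto=add
"""

def parse_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def resolve(conns, name):
    """Flatten 'also=' inheritance: a conn's own keys override inherited ones."""
    section = conns[name]
    merged = resolve(conns, section["also"]) if "also" in section else {}
    merged.update({k: v for k, v in section.items() if k != "also"})
    return merged

def select_conn(conns, eap_identity):
    """First conn whose eap_identity pattern matches, with its pool; else (None, None)."""
    for name in conns:
        settings = resolve(conns, name)
        pattern = settings.get("eap_identity")
        if pattern and fnmatchcase(eap_identity, pattern):
            return name, settings.get("rightsourceip")
    return None, None
```

A login that matches no pattern yields (None, None), which is the case to watch for when adding a new domain: with the real daemon such a client would fall through to whatever conn matches first rather than be rejected by this pattern list.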

Switching connections based on the server identity/certificate is only possible if either

  • the client sends a remote identity (IDr) in its IKE_AUTH request, which many clients don't (especially Windows); otherwise there is no identity to match and the first connection will be used

or

  • the FQDNs map to different IP addresses, which can then be configured as the local address of the connections so that the correct connection is selected early on

Quoted from: https://serverfault.com/questions/1097369