Windows
Strongswan / IPsec: multiple roadwarrior connections to different subnets
I am trying to set up a StrongSwan VPN server that should host multiple roadwarrior connections (Windows 10 built-in VPN client) to different subnets, depending on the client certificate.
    root@VPN:/# ipsec version
    Linux strongSwan U5.8.2/K5.4.0-26-generic
My setup has 2 pairs of public and private keys with different CNs, say vpn-dev.mycom.com and vpn-liv.mycom.com. The ipsec.conf in use looks like this:

    conn vpn-dev
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        ikelifetime=25200s
        leftid=vpn-dev.mycom.com
        leftcert=server-cert.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=10.100.0.0/16-10.100.254.254/16
        rightdns=8.8.8.8,8.8.4.4
        rightsendcert=never
        rightcert=ca-cert.pem
        eap_identity=%identity
        ike=aes128-sha1-modp1024

    conn vpn-liv
        also=vpn-dev
        leftid=vpn-liv.mycom.com
        leftcert=liv-server-cert.pem
        rightsourceip=10.200.0.0/16-10.200.254.254/16
        rightcert=liv-ca-cert.pem
Both certificate keys are also stored in ipsec.secrets:

    vpn-dev.mycom.com : RSA "server-key.pem"
    vpn-liv.mycom.com : RSA "liv-server-key.pem"
    someuser : EAP "somepassword"
However, as soon as I try to connect to the strongswan instance, the vpn-dev connection is used and strongswan does not switch to conn vpn-liv.
This is the log during the attempt:

    Mar 30 08:47:48 VPN charon: 16[NET] received packet: from X.X.X.X[64558] to X.X.X.X[500] (1084 bytes)
    Mar 30 08:47:48 VPN charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
    Mar 30 08:47:48 VPN charon: 16[IKE] received MS-Negotiation Discovery Capable vendor ID
    Mar 30 08:47:48 VPN charon: 16[IKE] X.X.X.X is initiating an IKE_SA
    Mar 30 08:47:48 VPN charon: 16[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Mar 30 08:47:48 VPN charon: 16[IKE] local host is behind NAT, sending keep alives
    Mar 30 08:47:48 VPN charon: 16[IKE] remote host is behind NAT
    Mar 30 08:47:48 VPN charon: 16[NET] sending packet: from X.X.X.X[500] to X.X.X.X[64558] (328 bytes)
    Mar 30 08:47:48 VPN charon: 06[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
    Mar 30 08:47:48 VPN charon: 10[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
    Mar 30 08:47:48 VPN charon: 05[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
    Mar 30 08:47:48 VPN charon: 14[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (368 bytes)
    Mar 30 08:47:48 VPN charon: 14[IKE] received cert request for "CN=PRIV VPN LIV CA"
    Mar 30 08:47:48 VPN charon: 14[IKE] received 69 cert requests for an unknown ca
    Mar 30 08:47:48 VPN charon: 14[CFG] looking for peer configs matching X.X.X.X[%any]...X.X.X.X[192.168.0.117]
    Mar 30 08:47:48 VPN charon: 14[CFG] selected peer config 'vpn-dev'   # << here it has not selected vpn-live, even if the earlier provided private key is only matching vpn-live
    Mar 30 08:47:48 VPN charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
    Mar 30 08:47:48 VPN charon: 14[IKE] peer supports MOBIKE
    Mar 30 08:47:48 VPN charon: 14[IKE] authentication of 'vpn-dev.mycom.com' (myself) with RSA signature successful
    Mar 30 08:47:48 VPN charon: 14[IKE] sending end entity cert "CN=vpn-dev.mycom.com"
    Mar 30 08:47:49 VPN charon: 14[IKE] sending cert request for "CN=PRIV VPN DEV CA"
    Mar 30 08:47:49 VPN charon: 14[IKE] sending cert request for "CN=PRIV VPN LIV CA"
    Mar 30 08:47:49 VPN charon: 14[NET] sending packet: from X.X.X.X[500] to X.X.X.X[64548] (364 bytes)
    Mar 30 08:47:49 VPN charon: 06[NET] received packet: from X.X.X.X[64618] to X.X.X.X[4500] (92 bytes)
    Mar 30 08:47:49 VPN charon: 06[IKE] received (28) error notify
The goal is basically to host 2 VPN endpoints on one machine, but to hand out different IP ranges depending on the login / certificate used.
The local configuration is done with (PowerShell):

    Import-Certificate -FilePath liv-ca-cert.pem -CertStoreLocation 'Cert:\LocalMachine\Root'
    Add-VpnConnection -Name 'LIV VPN' -ServerAddress 'vpn-live.mycom.com' -AuthenticationMethod Eap -IdleDisconnectSeconds 43200
Am I missing something? Is my setup misconfigured? Or is this simply not possible with strongswan and the Windows 10 built-in VPN client?
It turns out that the certificates cannot be used for this, because they are not used to identify the user on the server.

So I ended up using the workaround described in this answer, which helps evaluating eap_identity. Now my clients use the same certificate, but depending on the login I can decide which subnet they will use.

My ipsec.conf now looks like this:

    conn eap-shared
        type=tunnel
        ike=aes128-sha1-modp1024
        rightauth=eap-mschapv2
        leftcert=server-cert.pem

    conn eap-init
        also=eap-shared
        # this config is used to do the EAP-Identity exchange and the
        # authentication of client and server
        eap_identity=%identity
        # the following is used to force a connection switch after
        # the authentication completed
        rightgroups=thisseemsirrelevant
        auto=add

    conn eap-liv
        also=eap-shared
        eap_identity=*@liv-some-domain.com
        rightsourceip=10.200.0.0/16-10.200.254.254/16
        auto=add

    conn eap-dev
        also=eap-shared
        eap_identity=*@dev-some-domain.com
        rightsourceip=10.100.0.0/16-10.100.254.254/16
        auto=add
Probably not the most elegant solution, but it works in my case.
Switching the connection based on the server identity/certificate is only possible if either

- the client sends the remote identity (IDr) in its IKE_AUTH request, which many clients don't (in particular Windows); otherwise there is no identity to match, so the first connection is used

or

- the FQDNs map to different IP addresses, which can be configured as the local addresses of the connections so that the correct connection is selected early on
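The two answers above describe the same mechanics from two sides: the self-answer relies on `also=` inheritance plus an `eap_identity` wildcard to switch conns after EAP, and the second answer explains why the first conn in the file wins when Windows sends no IDr, and why a separate local address per FQDN lets the right conn be chosen early. The script below is an added example, not code from the question or from strongSwan: it parses a small ipsec.conf, resolves `also=`, and applies a deliberately simplified selection model (local address, then IDr, then `eap_identity` wildcard, then first loaded conn). Both conf texts are constructed for the example, the `198.51.100.x` addresses and `*@...-some-domain.com` identities are placeholders, the `rightsourceip` pools are shortened to plain `/16` prefixes, and `select_conn()` is an assumption about charon's behaviour, not its real algorithm.

```python
"""Added example (not strongSwan code): models also= inheritance between ipsec.conf
conn sections and a simplified version of the peer-config selection described on
this page. select_conn() is an assumption, not charon's real algorithm."""
import fnmatch
import re

# Constructed conf in the shape of the eap_identity workaround above; domains and
# pools are placeholders, not the poster's real values.
EAP_CONF = """
conn eap-shared
    rightauth=eap-mschapv2
    leftcert=server-cert.pem

conn eap-init
    also=eap-shared
    eap_identity=%identity
    rightgroups=thisseemsirrelevant
    auto=add

conn eap-liv
    also=eap-shared
    eap_identity=*@liv-some-domain.com
    rightsourceip=10.200.0.0/16
    auto=add

conn eap-dev
    also=eap-shared
    eap_identity=*@dev-some-domain.com
    rightsourceip=10.100.0.0/16
    auto=add
"""

# Constructed variant of the question's certificate setup with one listening
# address per FQDN, as the second answer suggests (placeholder addresses).
CERT_CONF = """
conn vpn-dev
    left=198.51.100.10
    leftid=vpn-dev.mycom.com
    rightsourceip=10.100.0.0/16
    auto=add

conn vpn-liv
    also=vpn-dev
    left=198.51.100.11
    leftid=vpn-liv.mycom.com
    rightsourceip=10.200.0.0/16
"""


def parse_ipsec_conf(text):
    """{conn_name: {key: value}} in file order; also= is kept raw here."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            m = re.match(r"conn\s+(\S+)$", line)
            current = m.group(1) if m else None   # config/ca sections are skipped
            if current is not None:
                conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def resolve(conns, name, _seen=frozenset()):
    """Expand also= recursively; a conn's own keys override inherited ones."""
    if name in _seen:
        raise ValueError(f"also= cycle at conn {name}")
    own = conns[name]
    merged = resolve(conns, own["also"], _seen | {name}) if "also" in own else {}
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged


def loadable_conns(conns):
    """auto= defaults to ignore, so a template like eap-shared is never loaded."""
    resolved = {n: resolve(conns, n) for n in conns}
    return {n: c for n, c in resolved.items() if c.get("auto") in ("add", "route", "start")}


def select_conn(loaded, local_addr=None, idr=None, eap_identity=None):
    """Simplified model of the selection the answers describe (an assumption):
    narrow by the local address the packet arrived on, then by IDr if the client
    sent one, then switch to a matching eap_identity wildcard; if nothing narrows
    the list, the first loaded conn wins, which is why the log shows 'vpn-dev'."""
    cands = [(n, c) for n, c in loaded.items()
             if local_addr is None or c.get("left", "%any") in ("%any", local_addr)]
    if idr is not None:
        cands = [(n, c) for n, c in cands if c.get("leftid", c.get("left")) == idr]
    if eap_identity is not None:
        for n, c in cands:
            pat = c.get("eap_identity", "")
            if not pat.startswith("%") and fnmatch.fnmatchcase(eap_identity, pat):
                return n
    return cands[0][0] if cands else None


if __name__ == "__main__":
    eap = loadable_conns(parse_ipsec_conf(EAP_CONF))
    print(select_conn(eap), select_conn(eap, eap_identity="alice@liv-some-domain.com"))
    cert = loadable_conns(parse_ipsec_conf(CERT_CONF))
    print(select_conn(cert), select_conn(cert, idr="vpn-liv.mycom.com"),
          select_conn(cert, local_addr="198.51.100.11"))
```

Running it reproduces the behaviour from the log: with the certificate layout and no IDr the first conn (`vpn-dev`) is chosen no matter which certificate the client trusts, while either an IDr of `vpn-liv.mycom.com` or a packet arriving on the second address picks `vpn-liv`; with the EAP layout the catch-all `eap-init` handles the exchange and the wildcard on the EAP identity decides the pool.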