I am trying to set up StrongSwan on CentOS for iOS using the VPN API. This API uses the IKEv2 protocol. Here are my log + configuration files. When I press Connect on the iOS device, it disconnects after a short while. It looks like iOS does not like some piece of the server information, but I cannot tell which one.

PS: I have already checked the official strongswan documentation and my configuration looks the same.
```
2015-09-16T14:20:13.881974+00:00 charon: 02[NET] received packet: from 178.159.28.49[4500] to 94.242.232.178[4500]
2015-09-16T14:20:13.881977+00:00 charon: 02[NET] waiting for data on sockets
2015-09-16T14:20:13.881980+00:00 charon: 06[NET] received packet: from 178.159.28.49[4500] to 94.242.232.178[4500] (316 bytes)
2015-09-16T14:20:13.882095+00:00 charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
2015-09-16T14:20:13.882106+00:00 charon: 06[CFG] looking for peer configs matching 94.242.232.178[lu135.example.net]...178.159.28.49[VPN]
2015-09-16T14:20:13.882111+00:00 charon: 06[CFG] peer config match local: 20 (ID_FQDN -> 6c:75:31:33:35:2e:68:6d:6e:2e:6d:65)
2015-09-16T14:20:13.882115+00:00 charon: 06[CFG] peer config match remote: 1 (ID_FQDN -> 56:50:4e)
2015-09-16T14:20:13.882121+00:00 charon: 06[CFG] ike config match: 1052 (94.242.232.178 178.159.28.49 IKEv2)
2015-09-16T14:20:13.882127+00:00 charon: 06[CFG] candidate "ikev2", match: 20/1/1052 (me/other/ike)
2015-09-16T14:20:13.882134+00:00 charon: 06[CFG] selected peer config 'ikev2'
2015-09-16T14:20:13.882153+00:00 charon: 06[IKE] initiating EAP_IDENTITY method (id 0x00)
2015-09-16T14:20:13.882166+00:00 charon: 06[IKE] processing INTERNAL_IP4_ADDRESS attribute
2015-09-16T14:20:13.882171+00:00 charon: 06[IKE] processing INTERNAL_IP4_DHCP attribute
2015-09-16T14:20:13.882180+00:00 charon: 06[IKE] processing INTERNAL_IP4_DNS attribute
2015-09-16T14:20:13.882183+00:00 charon: 06[IKE] processing INTERNAL_IP4_NETMASK attribute
2015-09-16T14:20:13.882187+00:00 charon: 06[IKE] processing INTERNAL_IP6_ADDRESS attribute
2015-09-16T14:20:13.882196+00:00 charon: 06[IKE] processing INTERNAL_IP6_DHCP attribute
2015-09-16T14:20:13.882202+00:00 charon: 06[IKE] processing INTERNAL_IP6_DNS attribute
2015-09-16T14:20:13.882214+00:00 charon: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2015-09-16T14:20:13.882266+00:00 charon: 06[IKE] IDx' => 16 bytes @ 0x7fa281236940
2015-09-16T14:20:13.882273+00:00 charon: 06[IKE]    0: 02 00 00 00 6C 75 31 33 35 2E 68 6D 6E 2E 6D 65  ....lu135.example.net
2015-09-16T14:20:13.882277+00:00 charon: 06[IKE] SK_p => 20 bytes @ 0x7fa24c003430
2015-09-16T14:20:13.882282+00:00 charon: 06[IKE]    0: 45 A5 6E C1 FA 17 82 BF 81 13 71 3A 94 EC 46 A1  En......q:..F.
2015-09-16T14:20:13.882288+00:00 charon: 06[IKE]   16: 73 A6 F7 47                                      s..G
2015-09-16T14:20:13.882318+00:00 charon: 06[IKE] octets = message + nonce + prf(Sk_px, IDx') => 344 bytes
…. SOME BYTES HERE ….
2015-09-16T14:20:13.884696+00:00 charon: 06[IKE] authentication of 'lu135.example.net' (myself) with RSA signature successful
2015-09-16T14:20:13.884706+00:00 charon: 06[IKE] sending end entity cert "C=GB, O=COMPANY, CN=lu135.example.net"
2015-09-16T14:20:13.884718+00:00 charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2015-09-16T14:20:13.884897+00:00 charon: 06[NET] sending packet: from 94.242.232.178[4500] to 178.159.28.49[4500] (1220 bytes)
2015-09-16T14:20:13.884924+00:00 charon: 03[NET] sending packet: from 94.242.232.178[4500] to 178.159.28.49[4500]
2015-09-16T14:20:43.786966+00:00 charon: 09[JOB] deleting half open IKE_SA after timeout
2015-09-16T14:20:43.786983+00:00 charon: 09[IKE] IKE_SA ikev2[2] state change: CONNECTING => DESTROYING
```
Server certificate

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6619988021187675067 (0x5bdeec07f43b83bb)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, O=COMPANY, CN=CERTROOT
        Validity
            Not Before: Sep 16 13:57:53 2015 GMT
            Not After : Sep 15 13:57:53 2018 GMT
        Subject: C=GB, O=COMPANY, CN=lu135.example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    … BYTES …
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:8B:88:DA:1A:76:18:F4:F8:64:51:9C:BB:54:48:C6:3C:2E:5B:E9:8C
            X509v3 Subject Alternative Name:
                DNS:lu135.example.net, IP Address:94.242.232.178, DNS:94.242.232.178
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
    Signature Algorithm: sha256WithRSAEncryption
        … BYTES ….
```
ipsec.conf file

```
config setup
    charondebug="cfg 7, dmn 7, ike 7, net 7"
    uniqueids=no

conn %default
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    auto=add
    dpdaction=clear
    dpddelay=300s

conn ikev2
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,aes256-sha1-modp2048
    esp=aes256-sha1,aes128-sha1
    left={{ ansible_default_ipv4.address }}
    leftid={{ dnsname }}
    leftcert=server_cert.pem
    leftsendcert=always
    leftauth=pubkey
    mobike=yes
    right=%any
    rightid=%any
    rightsendcert=never
    rightauth=eap-radius
    rightsourceip=172.16.198.0/24
    rightfirewall=yes
    eap_identity=%identity
    rightdns=8.8.8.8,8.8.4.4
    dpdaction=clear
    auto=add
```
**Variables + playbook**

```yaml
cakey: /etc/strongswan/ipsec.d/private/ios.pem
cacert: /etc/strongswan/ipsec.d/cacerts/ios.pem
srvkey: /etc/strongswan/ipsec.d/private/server.pem
srvcert: /etc/strongswan/ipsec.d/certs/server_cert.pem
clnkey: /etc/strongswan/ipsec.d/private/client.pem
clncert: /etc/strongswan/ipsec.d/certs/client.pem
p12: /etc/strongswan/ipsec.d/private/client.p12
issuer: CERTROOT
org: COMPANY
```
Playbook

```yaml
---
- name: Installing strongswan config
  template: src=ipsec.conf dest=/etc/strongswan/ipsec.conf

- name: Ipsec secrets
  template: src=ipsec.secrets dest=/etc/strongswan/ipsec.secrets

- name: Generating CA KEY
  shell: strongswan pki --gen --outform pem > {{ cakey }} creates={{ cakey }}

- name: Generate CA Cert
  shell: strongswan pki --self --in {{ cakey }} --dn "C=GB, O={{ org }}, CN={{ issuer }}" --ca --outform pem > {{ cacert }} creates={{ cacert }}

- name: Generate server key
  shell: strongswan pki --gen --outform pem > {{ srvkey }} creates={{ srvkey }}

- name: Create server cert
  shell: strongswan pki --pub --in {{ srvkey }} | strongswan pki --issue --cacert {{ cacert }} --cakey {{ cakey }} --dn "C=GB, O={{ org }}, CN={{ dnsname }}" --san="{{ dnsname }}" --san {{ ansible_default_ipv4.address }} --san @{{ ansible_default_ipv4.address }} --flag serverAuth --flag ikeIntermediate --outform pem > {{ srvcert }} creates={{ srvcert }}

- name: Generating client key
  shell: strongswan pki --gen --outform pem > {{ clnkey }} creates={{ clnkey }}

- name: Create client cert
  shell: strongswan pki --pub --in {{ clnkey }} | strongswan pki --issue --cacert {{ cacert }} --cakey {{ cakey }} --dn "C=GB, O={{ org }}, CN=demo" --outform pem > {{ clncert }} creates={{ clncert }}

- name: Generate p12 file for client
  shell: openssl pkcs12 -export -inkey {{ clnkey }} -in {{ clncert }} -name "demo" -certfile {{ cacert }} -caname "{{ issuer }}" -out {{ p12 }} -password pass:hello creates={{ p12 }}

- name: Restart strongswan
  service: name=strongswan state=restarted
```
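An added triage example, not part of the question and not strongswan's own tooling: a Python script that walks a charon excerpt of the shape shown above, decodes the ID_FQDN hex that charon prints beside each `peer config match` line, records which payloads went into the IKE_AUTH response and how large the packet was, notes whether the half-open timer fired, and then checks an `openssl x509 -text` dump of the server certificate for the SAN and EKU entries the playbook requested (`--san`, `--flag serverAuth`, `--flag ikeIntermediate`). The sample log and certificate text are constructed copies modelled on the post (thread ids and timestamps trimmed; the ID_FQDN hex recomputed from the names shown). The `Triage` class, the function names and the wording of the verdict are this example's own assumptions.

```python
"""Triage a charon log excerpt where the client goes quiet after IKE_AUTH.
Added example: not strongswan tooling and not code from the question."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the log in the question (thread ids and
# timestamps trimmed; ID_FQDN hex recomputed from the names shown).
SAMPLE_LOG = """\
06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
06[CFG] looking for peer configs matching 94.242.232.178[lu135.example.net]...178.159.28.49[VPN]
06[CFG] peer config match local: 20 (ID_FQDN -> 6c:75:31:33:35:2e:65:78:61:6d:70:6c:65:2e:6e:65:74)
06[CFG] peer config match remote: 1 (ID_FQDN -> 56:50:4e)
06[CFG] selected peer config 'ikev2'
06[IKE] initiating EAP_IDENTITY method (id 0x00)
06[IKE] authentication of 'lu135.example.net' (myself) with RSA signature successful
06[IKE] sending end entity cert "C=GB, O=COMPANY, CN=lu135.example.net"
06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
06[NET] sending packet: from 94.242.232.178[4500] to 178.159.28.49[4500] (1220 bytes)
09[JOB] deleting half open IKE_SA after timeout
09[IKE] IKE_SA ikev2[2] state change: CONNECTING => DESTROYING
"""

# Constructed: the X509v3 extension section of the server cert from the question.
SAMPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:lu135.example.net, IP Address:94.242.232.178, DNS:94.242.232.178
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
"""

ID_RE = re.compile(r"peer config match (local|remote): (\d+) \((ID_\w+) -> ([0-9a-f:]+)\)")
MSG_RE = re.compile(r"(parsed|generating) (IKE_\w+) (request|response) \d+ \[ (.*?) \]")
PKT_RE = re.compile(r"sending packet: .*\((\d+) bytes\)")
TOKEN_RE = re.compile(r"[\w/]+(?:\([^)]*\))?")   # keeps N(...) and CPRQ(...) whole


def decode_id(hexdump: str) -> str:
    """charon prints ID_FQDN / ID_RFC822_ADDR bodies as colon-separated hex."""
    return bytes.fromhex(hexdump.replace(":", "")).decode("ascii", errors="replace")


@dataclass
class Triage:
    local_id: str = ""       # IDr the client asked for: who it expects the server to be
    remote_id: str = ""      # IDi the client presented
    local_score: int = 0     # 20 = exact leftid match, 1 = %any wildcard
    remote_score: int = 0
    request_payloads: list = field(default_factory=list)
    response_payloads: list = field(default_factory=list)
    response_bytes: int = 0
    auth_ok: bool = False
    half_open_timeout: bool = False

    def verdict(self) -> str:
        if not self.half_open_timeout:
            return "no half-open timeout in this excerpt"
        if not self.response_payloads:
            return "responder never built an IKE_AUTH response; look for a CFG/IKE error earlier"
        if self.auth_ok and "EAP/REQ/ID" in self.response_payloads:
            return (f"responder authenticated as '{self.local_id}' and sent "
                    f"{' '.join(self.response_payloads)} ({self.response_bytes} bytes); the "
                    f"client '{self.remote_id}' never answered the EAP identity request. Nothing "
                    f"the server logged is wrong, so check that the device trusts the issuing CA, "
                    f"that '{self.local_id}' is a SAN of the server cert, and that the packet "
                    f"actually reaches the device")
        return "responder sent an IKE_AUTH response but the client did not continue"


def triage(log: str) -> Triage:
    t = Triage()
    for line in log.splitlines():
        if m := ID_RE.search(line):
            side, score, _kind, hexdump = m.groups()
            if side == "local":
                t.local_id, t.local_score = decode_id(hexdump), int(score)
            else:
                t.remote_id, t.remote_score = decode_id(hexdump), int(score)
        elif (m := MSG_RE.search(line)) and m.group(2) == "IKE_AUTH":
            target = t.request_payloads if m.group(3) == "request" else t.response_payloads
            target.extend(TOKEN_RE.findall(m.group(4)))
        elif (m := PKT_RE.search(line)) and t.response_payloads and not t.response_bytes:
            t.response_bytes = int(m.group(1))   # first packet sent after the response was built
        elif "(myself) with RSA signature successful" in line:
            t.auth_ok = True
        elif "deleting half open IKE_SA after timeout" in line:
            t.half_open_timeout = True
    return t


def cert_identity_checks(cert_text: str, expected_id: str) -> dict:
    """Check an `openssl x509 -text` dump for the SAN and EKU entries the playbook asked for."""
    lines = [ln.strip() for ln in cert_text.splitlines()]
    sans, eku = [], []
    for i, line in enumerate(lines):
        if line.startswith("X509v3 Subject Alternative Name:"):
            sans = [e.strip() for e in lines[i + 1].split(",")]
        elif line.startswith("X509v3 Extended Key Usage:"):
            eku = [e.strip() for e in lines[i + 1].split(",")]
    return {
        "id_in_san": f"DNS:{expected_id}" in sans or f"IP Address:{expected_id}" in sans,
        "server_auth": "TLS Web Server Authentication" in eku,     # --flag serverAuth
        "ike_intermediate": "1.3.6.1.5.5.8.2.2" in eku,           # --flag ikeIntermediate
    }
```

Run against the sample, `triage(SAMPLE_LOG).verdict()` reports that the server matched `leftid` exactly (score 20), the client presented the identity `VPN`, the server authenticated itself with its RSA key and sent `IDr CERT AUTH EAP/REQ/ID` in a 1220-byte packet, and then nothing came back until the half-open timer tore the SA down 30 seconds later. Everything the server side can prove ends at that packet; `cert_identity_checks` confirms that the certificate carries the name the client asked for in its SAN together with both EKU flags, which narrows the remaining questions to what the device does with that response.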