How do I configure StrongSwan as an IKEv1 client?

The customer whose project we are developing has given us access to their IPSec VPN (anonymized):

  • Gateway: example.fake
  • Group: MYGROUP
  • User: MYUSER
  • Password: MYPASSWORD
  • PSK: MYPSK

They also provided the configuration parameters:

Phase 1

  • Authentication: SHA1
  • Encryption: AES 256
  • SA lifetime: 1 hour
  • Key group: Diffie-Hellman Group 2
  • NAT Traversal & DPD enabled
  • Keep-alive interval: 20 seconds

Phase 2

  • Type: ESP
  • Authentication: SHA1
  • Encryption: AES 256
  • Forced key expiration: 1 hour

The connection type is IKEv1, and access through the VPN tunnel is to be configured only for the specific IP 1.2.3.4, since that is the only machine we need to reach.

Goal and attempts

I want to figure out how to configure StrongSwan to connect to their VPN. I need this to work on an Ubuntu Server 16.04 VPS.

I tried following a bunch of guides, but some of them were for older versions of StrongSwan, so they didn't work. In the end I edited /etc/ipsec.conf and made the following attempt at a configuration:

    config setup

    conn myconn
        authby=xauthpsk
        dpdaction=restart
        esp=aes256-sha1
        ike=aes256-sha1-dh2
        ikelifetime=1h
        keyexchange=ikev1
        leftauth=psk
        leftauth2=xauth
        leftgroups=MYGROUP
        leftid=@MYUSER
        right=example.fake
        rightsubnet=1.2.3.4/32

I created /etc/ipsec.secrets:

    : PSK "MYPSK"
    MYUSER: XAUTH "MYPASSWORD"

Desired end state and error message

The desired end state is that our machine is connected to the customer's VPN and we can reach the single IP 1.2.3.4. The rest of the traffic should be split and not go through the VPN.

Although myconn is defined in /etc/ipsec.conf, I get this error message when trying to connect:

    # ipsec restart
    Stopping strongSwan IPsec...
    Starting strongSwan 5.3.5 IPsec [starter]...
    # ipsec up myconn
    no config named 'myconn'

Log file

After running ipsec restart, these lines were added to /var/log/syslog:

    Jun 5 16:45:01 server charon: 00[DMN] signal of type SIGINT received. Shutting down
    Jun 5 16:45:03 server charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.8.0-53-generic, x86_64)
    Jun 5 16:45:03 server charon: 00[CFG] disabling load-tester plugin, not configured
    Jun 5 16:45:03 server charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
    Jun 5 16:45:03 server charon: 00[CFG] dnscert plugin is disabled
    Jun 5 16:45:03 server charon: 00[CFG] ipseckey plugin is disabled
    Jun 5 16:45:03 server charon: 00[CFG] attr-sql plugin: database URI not set
    Jun 5 16:45:03 server charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    Jun 5 16:45:03 server charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    Jun 5 16:45:03 server charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    Jun 5 16:45:03 server charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    Jun 5 16:45:03 server charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
    Jun 5 16:45:03 server charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
    Jun 5 16:45:03 server charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/myKey.der'
    Jun 5 16:45:03 server charon: 00[CFG] sql plugin: database URI not set
    Jun 5 16:45:03 server charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
    Jun 5 16:45:03 server charon: 00[CFG] eap-simaka-sql database URI missing
    Jun 5 16:45:03 server charon: 00[CFG] loaded 0 RADIUS server configurations
    Jun 5 16:45:03 server charon: 00[CFG] no threshold configured for systime-fix, disabled
    Jun 5 16:45:03 server charon: 00[CFG] coupling file path unspecified
    Jun 5 16:45:03 server charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
    Jun 5 16:45:03 server charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
    Jun 5 16:45:03 server charon: 00[JOB] spawning 16 worker threads

These were added when running ipsec up myconn:

    Jun 5 16:45:21 server charon: 15[CFG] received stroke: initiate 'myconn'
    Jun 5 16:45:21 server charon: 15[CFG] no config named 'myconn'

They look consistent with the error message above.

Why does ipsec up myconn say there is no such configuration? This is my first time dealing with an IPSec VPN... does the configuration I tried to write make any sense?

What do I need to change to make it work?

Update after adding auto=add

As suggested in the comments, I added auto=add to my configuration. I now get this:

    # ipsec up myconn
    initiating Main Mode IKE_SA myconn[1] to <IP of example.fake>
    configuration uses unsupported authentication
    tried to check-in and delete nonexisting IKE_SA
    establishing connection 'myconn' failed

These lines were appended to the log file:

    Jun 5 17:07:19 server charon: 12[CFG] received stroke: initiate 'myconn'
    Jun 5 17:07:19 server charon: 14[IKE] initiating Main Mode IKE_SA myconn[2] to <IP of example.fake>
    Jun 5 17:07:19 server charon: 14[CFG] configuration uses unsupported authentication
    Jun 5 17:07:19 server charon: 14[MGR] tried to check-in and delete nonexisting IKE_SA

Update after removing esp=, ike= and keyexchange=

After removing the three lines mentioned above, the connection attempt looks like this, three times in a row (the snippet shows only the first attempt; the other two are identical):

    Jun 5 17:18:44 server charon: 06[CFG] received stroke: initiate 'myconn'
    Jun 5 17:18:45 server charon: 04[IKE] initiating IKE_SA myconn[1] to <IP of example.fake>
    Jun 5 17:18:45 server charon: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
    Jun 5 17:18:45 server charon: 04[NET] sending packet: from <our server IP>[500] to <IP of example.fake>[500] (1500 bytes)
    Jun 5 17:18:49 server charon: 03[IKE] retransmit 1 of request with message ID 0
    Jun 5 17:18:49 server charon: 03[NET] sending packet: from <our server IP>[500] to <IP of example.fake>[500] (1500 bytes)
    Jun 5 17:18:56 server charon: 15[IKE] retransmit 2 of request with message ID 0
    Jun 5 17:18:56 server charon: 15[NET] sending packet: from <our server IP>[500] to <IP of example.fake>[500] (1500 bytes)
    Jun 5 17:19:09 server charon: 01[IKE] retransmit 3 of request with message ID 0
    Jun 5 17:19:09 server charon: 01[NET] sending packet: from <our server IP>[500] to <IP of example.fake>[500] (1500 bytes)
    Jun 5 17:19:32 server charon: 16[IKE] retransmit 4 of request with message ID 0
    Jun 5 17:19:32 server charon: 16[NET] sending packet: from <our server IP>[500] to <IP of example.fake>[500] (1500 bytes)
    Jun 5 17:20:14 server charon: 05[IKE] retransmit 5 of request with message ID 0
    Jun 5 17:20:14 server charon: 05[NET] sending packet: from <our server IP>[500] to <IP of example.fake>[500] (1500 bytes)
    Jun 5 17:21:30 server charon: 13[IKE] giving up after 5 retransmits
    Jun 5 17:21:30 server charon: 13[IKE] peer not responding, trying again (2/3)

Update: working configuration for ShrewSoft VPN

The connection to the customer's VPN has been tested on an office desktop with ShrewSoft VPN, but that is not suitable for use on the development VPS. That program exports the following configuration:

    n:version:4
    n:network-ike-port:500
    n:network-mtu-size:1380
    n:client-addr-auto:1
    n:network-natt-port:4500
    n:network-natt-rate:15
    n:network-frag-size:540
    n:network-dpd-enable:1
    n:network-notify-enable:1
    n:client-banner-enable:1
    n:client-dns-used:1
    n:client-dns-auto:1
    n:client-dns-suffix-auto:1
    b:auth-mutual-psk:****REMOVED****
    n:phase1-dhgroup:2
    n:phase1-keylen:0
    n:phase1-life-secs:86400
    n:phase1-life-kbytes:0
    n:vendor-chkpt-enable:0
    n:phase2-keylen:0
    n:phase2-pfsgroup:-1
    n:phase2-life-secs:3600
    n:phase2-life-kbytes:0
    n:policy-nailed:0
    n:policy-list-auto:1
    s:network-host:example.fake
    s:client-auto-mode:pull
    s:client-iface:virtual
    s:network-natt-mode:enable
    s:network-frag-mode:enable
    s:auth-method:mutual-psk-xauth
    s:ident-client-type:keyid
    s:ident-client-data:MYGROUP
    s:ident-server-type:any
    s:phase1-exchange:aggressive
    s:phase1-cipher:auto
    s:phase1-hash:auto
    s:phase2-transform:auto
    s:phase2-hmac:auto
    s:ipcomp-transform:disabled
    s:policy-level:auto

Does this suggest any changes I should make to the ipsec.conf file to get it working?
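An added example, not part of the question and not code from the strongSwan project: a small Python script that parses the ShrewSoft export format shown above (`type:key:value` lines) and renders a draft strongSwan 5.x `conn` block from it, filling in the AES-256/SHA1 algorithms from the customer's phase 1/phase 2 parameters. The mapping of ShrewSoft keys to ipsec.conf options, the hex `@#` KEY_ID encoding of the group name for `leftid`, and the connection name `myconn` are assumptions to check against the strongSwan documentation before use.

```python
# Constructed sample: the subset of the ShrewSoft export from the question
# that this script actually maps (n: = number, s: = string, b: = binary).
SHREWSOFT_EXPORT = """\
n:version:4
n:network-dpd-enable:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase2-life-secs:3600
s:network-host:example.fake
s:client-auto-mode:pull
s:auth-method:mutual-psk-xauth
s:ident-client-type:keyid
s:ident-client-data:MYGROUP
s:phase1-exchange:aggressive
"""

def parse_shrewsoft(text):
    """Parse 'type:key:value' lines into a dict; n: values become ints."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(":") < 2:
            continue
        kind, key, value = line.split(":", 2)
        cfg[key] = int(value) if kind == "n" else value
    return cfg

# Assumed mapping of ShrewSoft DH group numbers to strongSwan proposal names.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}

def to_ipsec_conf(cfg, name, remote_subnet, xauth_user):
    """Render a strongSwan 'conn' block for an IKEv1 PSK+XAuth client."""
    opts = [("keyexchange", "ikev1"), ("auto", "add"),
            ("right", cfg["network-host"]), ("rightsubnet", remote_subnet)]
    if cfg.get("phase1-exchange") == "aggressive":
        opts.append(("aggressive", "yes"))
    if cfg.get("auth-method") == "mutual-psk-xauth":
        opts += [("leftauth", "psk"), ("leftauth2", "xauth"),
                 ("xauth_identity", xauth_user)]
    if cfg.get("ident-client-type") == "keyid":
        # Assumption: '@#' + hex marks the local ID as a raw KEY_ID, not an FQDN.
        opts.append(("leftid", "@#" + cfg["ident-client-data"].encode().hex()))
    if cfg.get("client-auto-mode") == "pull":
        opts.append(("leftsourceip", "%config"))  # request a virtual IP
    if cfg.get("network-dpd-enable") == 1:
        opts.append(("dpdaction", "restart"))
    # Algorithms come from the customer's phase 1/2 list; '!' makes them strict.
    opts.append(("ike", "aes256-sha1-%s!" % DH_GROUPS[cfg["phase1-dhgroup"]]))
    opts.append(("esp", "aes256-sha1!"))
    opts.append(("ikelifetime", "%ds" % cfg["phase1-life-secs"]))
    opts.append(("lifetime", "%ds" % cfg["phase2-life-secs"]))
    return "conn %s\n" % name + "".join("    %s=%s\n" % kv for kv in opts)
```

Running `print(to_ipsec_conf(parse_shrewsoft(SHREWSOFT_EXPORT), "myconn", "1.2.3.4/32", "MYUSER"))` prints the draft block; the `b:auth-mutual-psk` value is deliberately not parsed here because the PSK belongs in ipsec.secrets, not ipsec.conf.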