I'm trying to bring up an IPsec IKEv2 VPN with Strongswan on both ends, authenticating with X.509 certificates. On connect I get rejected with AUTH_FAILED on IKE_AUTH request 1. On the server side the CA certificate loads fine, and there are no explicit messages about unknown certificates in the logs.
How do I fix all this? This is only my second time setting up IPsec, maybe I've missed something simple.
Below, 1.2.3.4 is the server's external IP, 5.6.7.8 the client's external IP, 192.168.0.2 the client's internal IP, and 192.168.0.100 the server's internal IP.
Server config:
connections {
client {
version = 2
proposals = aes256gcm16-aes256gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
rekey_time = 0s
pools = vpnpool
fragmentation = yes
dpd_delay = 30s
local {
certs = server.crt
}
remote {
}
children {
client {
local_ts = 0.0.0.0/0
rekey_time = 0s
dpd_action = clear
esp_proposals = aes256gcm16-aes256gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
}
}
}
}
pools {
vpnpool {
addrs = 10.1.1.0/30
dns = 8.8.8.8
}
}
secrets {
private {
file = server.key
}
}
Client config:
conn server
keyexchange=ikev2
rekey=no
leftsourceip=%modeconfig
leftauth=rsa
leftcert=/etc/ipsec.d/client.crt
leftfirewall=yes
right=1.2.3.4
rightsubnet=0.0.0.0/0
auto=add
ca server-ca
auto=add
cacert=/etc/ipsec.d/ca.crt
Client log:
% sudo ipsec up server
initiating IKE_SA server[2] to 1.2.3.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.0.2[500] to 1.2.3.4[500] (972 bytes)
received packet: from 1.2.3.4[500] to 192.168.0.2[500] (317 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
local host is behind NAT, sending keep alives
remote host is behind NAT
received cert request for "CN=VPN CA"
received 1 cert requests for an unknown ca
sending cert request for "CN=VPN CA"
authentication of 'CN=client' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
sending end entity cert "CN=client"
establishing CHILD_SA server{2}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
splitting IKE message (2131 bytes) into 2 fragments
generating IKE_AUTH request 1 [ EF(1/2) ]
generating IKE_AUTH request 1 [ EF(2/2) ]
sending packet: from 192.168.0.2[4500] to 1.2.3.4[4500] (1248 bytes)
sending packet: from 192.168.0.2[4500] to 1.2.3.4[4500] (948 bytes)
received packet: from 1.2.3.4[4500] to 192.168.0.2[4500] (65 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'server' failed
Server log:
server charon[994]: 08[CFG] loaded certificate 'CN=1.2.3.4'
server charon[994]: 13[CFG] loaded certificate 'CN=VPN CA'
server charon[994]: 15[CFG] loaded RSA private key
server charon[994]: 12[CFG] added vici pool client: 10.1.1.0, 2 entries
server charon[994]: 13[CFG] id not specified, defaulting to cert subject 'CN=1.2.3.4'
server charon[994]: 13[CFG] added vici connection: client
server charon[994]: 11[NET] received packet: from 5.6.7.8[500] to 192.168.0.100[500] (972 bytes)
server charon[994]: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
server charon[994]: 11[IKE] 5.6.7.8 is initiating an IKE_SA
server charon[994]: 11[IKE] 5.6.7.8 is initiating an IKE_SA
server charon[994]: 11[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256
server charon[994]: 11[IKE] local host is behind NAT, sending keep alives
server charon[994]: 11[IKE] remote host is behind NAT
server charon[994]: 11[IKE] sending cert request for "CN=VPN CA"
server charon[994]: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
server charon[994]: 11[NET] sending packet: from 192.168.0.100[500] to 5.6.7.8[500] (297 bytes)
server charon[994]: 12[NET] received packet: from 5.6.7.8[4500] to 192.168.0.100[4500] (1248 bytes)
server charon[994]: 12[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
server charon[994]: 12[ENC] received fragment #1 of 2, waiting for complete IKE message
server charon[994]: 15[NET] received packet: from 5.6.7.8[4500] to 192.168.0.100[4500] (948 bytes)
server charon[994]: 15[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
server charon[994]: 15[ENC] received fragment #2 of 2, reassembled fragmented IKE message (2131 bytes)
server charon[994]: 15[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
server charon[994]: 15[IKE] received cert request for "CN=VPN CA"
server charon[994]: 15[IKE] received end entity cert "CN=client"
server charon[994]: 15[CFG] looking for peer configs matching 192.168.0.100[1.2.3.4]...5.6.7.8[CN=client]
server charon[994]: 15[CFG] no matching peer config found
server charon[994]: 15[IKE] peer supports MOBIKE
server charon[994]: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
server charon[994]: 15[NET] sending packet: from 192.168.0.100[4500] to 5.6.7.8[4500] (65 bytes)
edit: added the server log
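An added triage helper (not part of the question, and not strongSwan's own tooling) that reads a charon log and separates a failed peer-config lookup from a failed certificate check, using a constructed excerpt of the server log above; the cause labels and hints are this example's own naming, not charon messages.

```python
import re

# Constructed excerpt modelled on the server log in the question (not the full log).
SAMPLE_LOG = """\
15[IKE] received end entity cert "CN=client"
15[CFG] looking for peer configs matching 192.168.0.100[1.2.3.4]...5.6.7.8[CN=client]
15[CFG] no matching peer config found
15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# charon prints the lookup as  LOCAL_IP[LOCAL_ID]...REMOTE_IP[REMOTE_ID]; IDs may contain spaces.
PEER_LOOKUP = re.compile(
    r"looking for peer configs matching "
    r"([^\[\s]+)\[([^\]]+)\]\.\.\.([^\[\s]+)\[([^\]]+)\]"
)

# Ordered checks: the first charon message found decides the diagnosis.
CAUSES = [
    ("no matching peer config found", "peer-config-mismatch"),
    ("no trusted RSA public key found", "untrusted-peer-cert"),
    ("signature validation failed", "bad-signature"),
]

HINTS = {
    # Config selection happens before the peer's signature is verified, so this
    # points at the connection's local/remote id and auth settings, not at the CA.
    "peer-config-mismatch": "no connection matched the (local id, remote id) pair; "
                            "compare the IDs above with the local/remote sections",
    "untrusted-peer-cert": "peer cert does not chain to a loaded CA; check cacerts",
    "bad-signature": "AUTH payload did not verify against the peer cert",
}


def triage(log):
    """Return the identities charon tried to match and the first recognised cause."""
    result = {"auth_failed": "N(AUTH_FAILED)" in log, "cause": None, "hint": None}
    m = PEER_LOOKUP.search(log)
    if m:
        result.update(local_ip=m.group(1), local_id=m.group(2),
                      remote_ip=m.group(3), remote_id=m.group(4))
    for needle, cause in CAUSES:
        if needle in log:
            result["cause"] = cause
            result["hint"] = HINTS[cause]
            break
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```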