LINUX.ORG.RU

ipsec+ike2


I set up IPsec with strongSwan on the server; the configuration is currently this:

config setup
	
conn %default
	esp = aes-aes256-sha-modp1024,aes256-sha512-modp4096
	ike = aes-aes256-sha-modp1024,aes256-sha512-modp4096
 
	dpdaction = clear
	dpddelay = 35s
	dpdtimeout = 2000s
	fragmentation = yes
	rekey = no
 
	left = %any
	leftfirewall = yes
	leftsubnet = 0.0.0.0/0
	leftcert = vpn.crt
	leftsendcert = always
 
	right = %any
	rightsourceip = 192.168.200.0/24
	rightdns = 8.8.8.8,8.8.4.4
 
	eap_identity = %identity
 
# IKEv2
conn IPSec-IKEv2
	keyexchange = ikev2
	auto = add
 
# BlackBerry, Windows, Android
conn IPSec-IKEv2-EAP
	also = "IPSec-IKEv2"
	rightauth = eap-mschapv2
 
# macOS, iOS
conn IKEv2-MSCHAPv2-Apple
	also = "IPSec-IKEv2"
	ike = aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
	esp = aes256-sha256,3des-sha1,aes256-sha1!
	rightauth = eap-mschapv2
	leftid = "hostname vpn server"
 
# Android IPsec Hybrid RSA
conn IKEv1-Xauth
	keyexchange=ikev1
	rightauth=xauth
	auto=add

"hostname vpn server" is my server. When connecting from Windows and Android everything works fine, but from macOS or iPhone it does not connect: the connection starts and then drops. The log shows this:

Nov  8 19:41:37 vpn charon: 09[NET] received packet: from 82.**.**.**[500] to 176.**.**.**[500] (604 bytes)
Nov  8 19:41:37 vpn charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
Nov  8 19:41:37 vpn charon: 09[IKE] 82.**.**.** is initiating an IKE_SA
Nov  8 19:41:37 vpn charon: 09[IKE] remote host is behind NAT
Nov  8 19:41:37 vpn charon: 09[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Nov  8 19:41:37 vpn charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Nov  8 19:41:37 vpn charon: 09[NET] sending packet: from 176.**.**.**[500] to 82.**.**.**[500] (38 bytes)
Nov  8 19:41:37 vpn charon: 11[NET] received packet: from 82.**.**.**[500] to 176.**.**.**[500] (476 bytes)
Nov  8 19:41:37 vpn charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
Nov  8 19:41:37 vpn charon: 11[IKE] 82.**.**.** is initiating an IKE_SA
Nov  8 19:41:37 vpn charon: 11[IKE] remote host is behind NAT
Nov  8 19:41:37 vpn charon: 11[IKE] sending cert request for "CN=vpn.example.com"
Nov  8 19:41:37 vpn charon: 11[IKE] sending cert request for "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=vpn"
Nov  8 19:41:37 vpn charon: 11[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Nov  8 19:41:37 vpn charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov  8 19:41:37 vpn charon: 11[NET] sending packet: from 176.**.**.**[500] to 82.**.**.**[500] (377 bytes)
Nov  8 19:41:37 vpn charon: 14[NET] received packet: from 82.**.**.**[4500] to 176.**.**.**[4500] (508 bytes)
Nov  8 19:41:37 vpn charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Nov  8 19:41:37 vpn charon: 14[CFG] looking for peer configs matching 176.**.**.**[vpn.example.com]...82.**.**.**[vadim]
Nov  8 19:41:37 vpn charon: 14[CFG] selected peer config 'IKEv2-MSCHAPv2-Apple'
Nov  8 19:41:37 vpn charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Nov  8 19:41:37 vpn charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov  8 19:41:37 vpn charon: 14[IKE] peer supports MOBIKE
Nov  8 19:41:37 vpn charon: 14[IKE] authentication of 'vpn.example.com' (myself) with RSA signature successful
Nov  8 19:41:37 vpn charon: 14[IKE] sending end entity cert "CN=vpn.example.com"
Nov  8 19:41:37 vpn charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov  8 19:41:37 vpn charon: 14[NET] sending packet: from 176.**.**.**[4500] to 82.**.**.**[4500] (1276 bytes)
Can anyone tell me what is wrong?


Show the three lines corresponding to the last ones in the quoted log, but for a working client. MAYBE for some mystical reason the packet size is smaller there, and that is why it gets where it needs to go. I would also look at the macOS logs; it's racoon there, I think. If it grimly tears down the connection procedure after receiving the certificate, then maybe it is missing some OID, or some other Apple requirements for the fields are not met.

thesis
In reply to: comment by thesis

Here is the full connection log from Android:

Nov  8 21:21:25 vpn charon: 06[NET] received packet: from 77.**.**.**[49607] to 176.**.**.**[500] (732 bytes)
Nov  8 21:21:25 vpn charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
Nov  8 21:21:25 vpn charon: 06[IKE] 77.**.**.** is initiating an IKE_SA
Nov  8 21:21:25 vpn charon: 06[IKE] remote host is behind NAT
Nov  8 21:21:25 vpn charon: 06[IKE] DH group ECP_256 inacceptable, requesting MODP_1024
Nov  8 21:21:25 vpn charon: 06[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Nov  8 21:21:25 vpn charon: 06[NET] sending packet: from 176.**.**.**[500] to 77.**.**.**[49607] (38 bytes)
Nov  8 21:21:25 vpn charon: 05[NET] received packet: from 77.**.**.**[49607] to 176.**.**.**[500] (796 bytes)
Nov  8 21:21:25 vpn charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
Nov  8 21:21:25 vpn charon: 05[IKE] 77.**.**.** is initiating an IKE_SA
Nov  8 21:21:25 vpn charon: 05[IKE] remote host is behind NAT
Nov  8 21:21:25 vpn charon: 05[IKE] sending cert request for "CN=vpn.example.com"
Nov  8 21:21:25 vpn charon: 05[IKE] sending cert request for "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=vpn"
Nov  8 21:21:25 vpn charon: 05[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Nov  8 21:21:25 vpn charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov  8 21:21:25 vpn charon: 05[NET] sending packet: from 176.**.**.**[500] to 77.**.**.**[49607] (377 bytes)
Nov  8 21:21:26 vpn charon: 08[NET] received packet: from 77.**.**.**[39003] to 176.**.**.**[4500] (3260 bytes)
Nov  8 21:21:26 vpn charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov  8 21:21:26 vpn charon: 08[IKE] received cert request for "CN=vpn.example.com"
Nov  8 21:21:26 vpn charon: 08[IKE] received 137 cert requests for an unknown ca
Nov  8 21:21:26 vpn charon: 08[CFG] looking for peer configs matching 176.**.**.**[%any]...77.**.**.**[server]
Nov  8 21:21:26 vpn charon: 08[CFG] selected peer config 'IPSec-IKEv2'
Nov  8 21:21:26 vpn charon: 08[IKE] peer requested EAP, config inacceptable
Nov  8 21:21:26 vpn charon: 08[CFG] switching to peer config 'IPSec-IKEv2-EAP'
Nov  8 21:21:26 vpn charon: 08[IKE] initiating EAP_IDENTITY method (id 0x00)
Nov  8 21:21:26 vpn charon: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov  8 21:21:26 vpn charon: 08[IKE] peer supports MOBIKE
Nov  8 21:21:26 vpn charon: 08[IKE] authentication of 'CN=vpn.example.com' (myself) with RSA signature successful
Nov  8 21:21:26 vpn charon: 08[IKE] sending end entity cert "CN=vpn.example.com"
Nov  8 21:21:26 vpn charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov  8 21:21:26 vpn charon: 08[NET] sending packet: from 176.**.**.**[4500] to 77.**.**.**[39003] (1276 bytes)
Nov  8 21:21:26 vpn charon: 07[NET] received packet: from 77.**.**.**[39003] to 176.**.**.**[4500] (76 bytes)
Nov  8 21:21:26 vpn charon: 07[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Nov  8 21:21:26 vpn charon: 07[IKE] received EAP identity 'server'
Nov  8 21:21:26 vpn charon: 07[IKE] initiating EAP_MSCHAPV2 method (id 0x4B)
Nov  8 21:21:26 vpn charon: 07[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Nov  8 21:21:26 vpn charon: 07[NET] sending packet: from 176.**.**.**[4500] to 77.**.**.**[39003] (108 bytes)
Nov  8 21:21:26 vpn charon: 09[NET] received packet: from 77.**.**.**[39003] to 176.**.**.**[4500] (140 bytes)
Nov  8 21:21:26 vpn charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Nov  8 21:21:26 vpn charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Nov  8 21:21:26 vpn charon: 09[NET] sending packet: from 176.**.**.**[4500] to 77.**.**.**[39003] (140 bytes)
Nov  8 21:21:26 vpn charon: 04[NET] received packet: from 77.**.**.**[39003] to 176.**.**.**[4500] (76 bytes)
Nov  8 21:21:26 vpn charon: 04[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Nov  8 21:21:26 vpn charon: 04[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Nov  8 21:21:26 vpn charon: 04[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Nov  8 21:21:26 vpn charon: 04[NET] sending packet: from 176.**.**.**[4500] to 77.**.**.**[39003] (76 bytes)
Nov  8 21:21:26 vpn charon: 11[NET] received packet: from 77.**.**.**[39003] to 176.**.**.**[4500] (92 bytes)
Nov  8 21:21:26 vpn charon: 11[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Nov  8 21:21:26 vpn charon: 11[IKE] authentication of 'server' with EAP successful
Nov  8 21:21:26 vpn charon: 11[IKE] authentication of 'CN=vpn.example.com' (myself) with EAP
Nov  8 21:21:26 vpn charon: 11[IKE] IKE_SA IPSec-IKEv2-EAP[2] established between 176.**.**.**[CN=vpn.example.com]...77.**.**.**[server]
Nov  8 21:21:26 vpn charon: 11[IKE] peer requested virtual IP %any
Nov  8 21:21:26 vpn charon: 11[CFG] assigning new lease to 'server'
Nov  8 21:21:26 vpn charon: 11[IKE] assigning virtual IP 192.168.200.1 to peer 'server'
Nov  8 21:21:26 vpn charon: 11[IKE] peer requested virtual IP %any6
Nov  8 21:21:26 vpn charon: 11[IKE] no virtual IP found for %any6 requested by 'server'
Nov  8 21:21:26 vpn charon: 11[IKE] CHILD_SA IPSec-IKEv2-EAP{1} established with SPIs c7f19eb9_i b0fc5d45_o and TS 0.0.0.0/0 === 192.168.200.1/32
Nov  8 21:21:26 vpn vpn: + server 192.168.200.1/32 == 77.**.**.** -- 176.**.**.** == %any/0
Nov  8 21:21:26 vpn charon: 11[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Nov  8 21:21:26 vpn charon: 11[NET] sending packet: from 176.**.**.**[4500] to 77.**.**.**[39003] (332 bytes)

Garcia (topic starter)
In reply to: comment by Garcia

For posterity

It turned out that the topic starter was using a self-signed certificate, which iOS / macOS complains about. As do other OSes, for that matter. It is solved by adding your own certificate to the root store of the OS in question (= a hassle), or simply by using a certificate from Let's Encrypt / Comodo / etc. Actually, the topic starter came here from my post: https://krasovsky.me/it/2016/08/strongswan-ikev2/#hypercomments_widget

Lord-Protector
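As an added illustration of thesis's suggestion (compare the failing client's last log lines with a working client's) and of Lord-Protector's diagnosis, here is a small Python parser that reads excerpts of the two charon logs quoted above and reports where each IKE_AUTH exchange stopped. This is example code written for this thread, not part of the original posts and not strongSwan's own tooling; the sample log text is copied from the thread with the same masked IP addresses, while the verdict strings and the classification rule are assumptions of the example. For the macOS attempt it shows the client going silent right after the server sends its CERT together with the EAP identity request (the 1276-byte packet), which is exactly where a client that distrusts the server certificate gives up; for Android the same response is answered with EAP/RES/ID and the exchange proceeds to a CHILD_SA.

```python
"""Where did the IKE_AUTH exchange stop? Compare two strongSwan charon logs.

For each log, find the peer config chosen, the last IKE_AUTH request
parsed, the last IKE_AUTH response generated (and its size on the wire),
and whether a CHILD_SA was established; then classify the outcome.
"""
import re

# Constructed sample input: excerpts of the two logs quoted in the thread
# (IP addresses masked with ** exactly as in the posts).
FAILING_MACOS = """\
Nov  8 19:41:37 vpn charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Nov  8 19:41:37 vpn charon: 14[CFG] selected peer config 'IKEv2-MSCHAPv2-Apple'
Nov  8 19:41:37 vpn charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Nov  8 19:41:37 vpn charon: 14[IKE] sending end entity cert "CN=vpn.example.com"
Nov  8 19:41:37 vpn charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov  8 19:41:37 vpn charon: 14[NET] sending packet: from 176.**.**.**[4500] to 82.**.**.**[4500] (1276 bytes)
"""

WORKING_ANDROID = """\
Nov  8 21:21:26 vpn charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov  8 21:21:26 vpn charon: 08[CFG] selected peer config 'IPSec-IKEv2'
Nov  8 21:21:26 vpn charon: 08[CFG] switching to peer config 'IPSec-IKEv2-EAP'
Nov  8 21:21:26 vpn charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov  8 21:21:26 vpn charon: 08[NET] sending packet: from 176.**.**.**[4500] to 77.**.**.**[39003] (1276 bytes)
Nov  8 21:21:26 vpn charon: 07[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Nov  8 21:21:26 vpn charon: 07[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Nov  8 21:21:26 vpn charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Nov  8 21:21:26 vpn charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Nov  8 21:21:26 vpn charon: 04[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Nov  8 21:21:26 vpn charon: 04[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Nov  8 21:21:26 vpn charon: 11[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Nov  8 21:21:26 vpn charon: 11[IKE] IKE_SA IPSec-IKEv2-EAP[2] established between 176.**.**.**[CN=vpn.example.com]...77.**.**.**[server]
Nov  8 21:21:26 vpn charon: 11[IKE] CHILD_SA IPSec-IKEv2-EAP{1} established with SPIs c7f19eb9_i b0fc5d45_o and TS 0.0.0.0/0 === 192.168.200.1/32
Nov  8 21:21:26 vpn charon: 11[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) ]
Nov  8 21:21:26 vpn charon: 11[NET] sending packet: from 176.**.**.**[4500] to 77.**.**.**[39003] (332 bytes)
"""

REQ_RE = re.compile(r"parsed IKE_AUTH request (\d+) \[ (.*?) \]")
RESP_RE = re.compile(r"generating IKE_AUTH response (\d+) \[ (.*?) \]")
SENT_RE = re.compile(r"sending packet: .* \((\d+) bytes\)")
CONF_RE = re.compile(r"(?:selected|switching to) peer config '([^']+)'")
# A payload token is a name optionally followed by one parenthesised argument
# list, so "CPRQ(ADDR DHCP DNS)" stays one token despite its inner spaces.
PAYLOAD_RE = re.compile(r"[^\s()]+(?:\([^)]*\))?")


def payloads(text):
    """Split the bracketed payload list charon prints into individual tokens."""
    return PAYLOAD_RE.findall(text)


def analyze(log_text):
    """Return a dict describing the IKE_AUTH exchange found in one charon log."""
    state = {
        "peer_config": None,
        "last_request": None,        # (message id, [payload tokens])
        "last_response": None,       # (message id, [payload tokens])
        "last_response_bytes": None,  # size of the packet carrying that response
        "child_sa": False,
    }
    for line in log_text.splitlines():
        m = CONF_RE.search(line)
        if m:
            state["peer_config"] = m.group(1)
        m = REQ_RE.search(line)
        if m:
            state["last_request"] = (int(m.group(1)), payloads(m.group(2)))
        m = RESP_RE.search(line)
        if m:
            state["last_response"] = (int(m.group(1)), payloads(m.group(2)))
            state["last_response_bytes"] = None
        m = SENT_RE.search(line)
        if m and state["last_response"] and state["last_response_bytes"] is None:
            state["last_response_bytes"] = int(m.group(1))
        if "CHILD_SA" in line and "established" in line:
            state["child_sa"] = True
    state["verdict"] = classify(state)
    return state


def classify(state):
    """Name the stage at which the exchange ended (verdict strings are this example's own)."""
    if state["child_sa"]:
        return "established"
    req, resp = state["last_request"], state["last_response"]
    if resp is None:
        return "no IKE_AUTH response generated"
    resp_id, resp_payloads = resp
    # The server answered message N and the client never sent message N+1.
    client_silent = req is None or req[0] <= resp_id
    if client_silent and "CERT" in resp_payloads and "EAP/REQ/ID" in resp_payloads:
        return "client stopped after receiving server CERT + EAP identity request"
    if client_silent:
        return "client stopped after IKE_AUTH response %d" % resp_id
    return "server stopped after IKE_AUTH request %d" % req[0]


if __name__ == "__main__":
    for name, log in (("macOS", FAILING_MACOS), ("Android", WORKING_ANDROID)):
        s = analyze(log)
        print("%-8s config=%s last_response=%s (%s bytes) -> %s" % (
            name, s["peer_config"], s["last_response"][0], s["last_response_bytes"], s["verdict"]))
```

Run it on a full charon log of one attempt (one client at a time, or filter by the peer address first) and the verdict points at the side that went quiet. When the verdict is "client stopped after receiving server CERT + EAP identity request", the next thing to check is the server certificate as seen by that client: whether its issuer is trusted by the client OS, as this thread found, and whether its identity fields match the leftid the client is told to expect.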