IPsec IKEv2 в OpenWrt не может установить туннель

Следуйте этим инструкциям для настройки VPN-сервера IPSec IKEv2 на OpenWRT (15.05 Chaos Calmer)

Маршрутизатор: Linksys AC1900-WRT

# uname -a Linux OpenWrt 3.18.23 #1 SMP Sun Jan 31 12:53:24 CET 2016 armv7l GNU/Linux 

Клиент - Android Strongswan.app. Также тестирование с Macbook, привязанным к точке доступа на том же Android-устройстве.

CONFIG

Сертификаты и ключи на месте:

root@OpenWrt:/etc# ls -l /etc/ipsec.d/cacerts/ -r--r--r-- 1 root root 4342 Apr 28 18:18 ca-chain.cert.pem -r--r--r-- 1 root root 2187 Apr 28 18:18 ca.cert.pem -r--r--r-- 1 root root 2155 Apr 28 18:17 intermediate.cert.pem root@OpenWrt:/etc# ls -l /etc/ipsec.d/certs/ -rw-r--r-- 1 root root 2346 Apr 28 18:17 ikev2.drew.cert.pem -rw-r--r-- 1 root root 2561 Apr 28 18:17 ikev2.server.cert.pem root@OpenWrt:/etc# ls -l /etc/ipsec.d/private/ -r-------- 1 root root 3326 Apr 28 18:20 ca.key.pem -r-------- 1 root root 3326 Apr 28 18:17 ikev2.drew.key.pem -r--r----- 1 root root 3243 Apr 28 18:17 ikev2.server.key.pem -r-------- 1 root root 3326 Apr 28 18:20 intermediate.key.pem 

/etc/ipsec.conf:

config setup  conn %default keyexchange=ikev2  conn roadwarrior left=%any leftauth=pubkey leftcert=ikev2.server.cert.pem leftid=MY-ROUTER.DDNS leftsubnet=0.0.0.0/0,::/0 right=%any rightsourceip=10.0.1.0/24 rightauth=pubkey rightcert=ikev2.drew.cert.pem rightauth2=eap-mschapv2 auto=add 

/etc/ipsec.secrets

: RSA ikev2.server.key.pem drew : EAP "Secret_password" 

/etc/strongswan.conf

charon { load_modular = yes dns1 = 192.168.1.1 dns2 = 192.168.1.254 plugins { include strongswan.d/charon/*.conf } } 

БРАНДМАУЭР

/etc/firewall.user:

iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT 

/ И т.д. / конфигурации / брандмауэр

# IPSEC config rule option src 'wan' option name 'IPSec ESP' option proto 'esp' option target 'ACCEPT'  config rule option src 'wan' option name 'IPSec IKE' option proto 'udp' option dest_port '500' option target 'ACCEPT'  config rule option src 'wan' option name 'IPSec NAT-T' option proto 'udp' option dest_port '4500' option target 'ACCEPT'  config rule option src 'wan' option name 'Auth Header' option proto 'ah' option target 'ACCEPT' 

ЖУРНАЛОВ

Журнал сайта OpenWrt:

# logread && logread -f  Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[NET] received packet: from XXX.XXX.XXX.XXX[33530] to 192.168.0.2[500] (704 bytes) Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA Sat Apr 28 18:28:51 2018 authpriv.info syslog: 08[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] local host is behind NAT, sending keep alives Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] remote host is behind NAT Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] DH group ECP_256 inacceptable, requesting MODP_2048 Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ] Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[NET] sending packet: from 192.168.0.2[500] to XXX.XXX.XXX.XXX[33530] (38 bytes) Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[NET] received packet: from XXX.XXX.XXX.XXX[33530] to 192.168.0.2[500] (896 bytes) Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA Sat Apr 28 18:28:51 2018 authpriv.info syslog: 09[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] local host is behind NAT, sending keep alives Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] remote host is behind NAT Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] sending cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM" Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM" Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ] Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[NET] sending packet: from 192.168.0.2[500] to XXX.XXX.XXX.XXX[33530] (501 bytes) Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[NET] received packet: from XXX.XXX.XXX.XXX[33490] to 192.168.0.2[4500] (2828 bytes) Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ] Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM" Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM" Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received end entity cert "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM" Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[CFG] looking for peer configs matching 192.168.0.2[MY-ROUTER.DDNS]...XXX.XXX.XXX.XXX[C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM] Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[CFG] no matching peer config found Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] peer supports MOBIKE Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[NET] sending packet: from 192.168.0.2[4500] to XXX.XXX.XXX.XXX[33490] (76 bytes) 

192.168.0.2 - IP-адрес маршрутизатора WAN (он находится за брандмауэром / маршрутизатором интернет-провайдера)

XXX.XXX.XXX.XXX - публичный IP-адрес сервера

YYY.YYY.YYY.YYY - общедоступный IP-адрес клиента Android

Журнал Android Strongswan.app:

Apr 28 19:01:16 00[DMN] Starting IKE charon daemon (strongSwan 5.6.1dr3, Android 7.0 - NRD90M.G935FXXU2DRC4/2018-03-01, SM-G935F - samsung/hero2ltexx/samsung, Linux 3.18.14-12365438, aarch64) Apr 28 19:01:16 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509 Apr 28 19:01:16 00[JOB] spawning 16 worker threads Apr 28 19:01:16 08[CFG] loaded user certificate 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM' and private key Apr 28 19:01:16 08[CFG] loaded CA certificate 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM' Apr 28 19:01:16 08[IKE] initiating IKE_SA android[12] to XXX.XXX.XXX.XXX Apr 28 19:01:16 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Apr 28 19:01:16 08[NET] sending packet: from YYY.YYY.YYY.YYY[51707] to XXX.XXX.XXX.XXX[500] (704 bytes) Apr 28 19:01:16 11[NET] received packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[51707] (38 bytes) Apr 28 19:01:16 11[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ] Apr 28 19:01:16 11[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048 Apr 28 19:01:16 11[IKE] initiating IKE_SA android[12] to XXX.XXX.XXX.XXX Apr 28 19:01:16 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Apr 28 19:01:16 11[NET] sending packet: from YYY.YYY.YYY.YYY[51707] to XXX.XXX.XXX.XXX[500] (896 bytes) Apr 28 19:01:16 12[NET] received packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[51707] (501 bytes) Apr 28 19:01:16 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ] Apr 28 19:01:16 12[IKE] local host is behind NAT, sending keep alives Apr 28 19:01:16 12[IKE] remote host is behind NAT Apr 28 19:01:17 12[IKE] received cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM" Apr 28 19:01:17 12[IKE] received cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM" Apr 28 19:01:17 12[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM" Apr 28 19:01:17 12[IKE] sending cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM" Apr 28 19:01:19 12[IKE] authentication of 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful Apr 28 19:01:19 12[IKE] sending end entity cert "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM" Apr 28 19:01:19 12[IKE] establishing CHILD_SA android Apr 28 19:01:19 12[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ] Apr 28 19:01:19 12[NET] sending packet: from YYY.YYY.YYY.YYY[55262] to XXX.XXX.XXX.XXX[4500] (2828 bytes) Apr 28 19:01:19 15[NET] received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[55262] (76 bytes) Apr 28 19:01:19 15[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] Apr 28 19:01:19 15[IKE] received AUTHENTICATION_FAILED notify error 

Ребята, вы видите что-нибудь, что я делаю неправильно? Все помогает.