IPsec IKEv2 on OpenWrt cannot establish a tunnel
Drew
Following these instructions to set up an IPsec IKEv2 VPN server on OpenWRT (15.05 Chaos Calmer)
Router: Linksys AC1900-WRT
# uname -a
Linux OpenWrt 3.18.23 #1 SMP Sun Jan 31 12:53:24 CET 2016 armv7l GNU/Linux
Client: the Android strongSwan app. Also tested from a MacBook tethered to the hotspot on the same Android device.
CONFIG
Certificates and keys are in place:
root@OpenWrt:/etc# ls -l /etc/ipsec.d/cacerts/
-r--r--r-- 1 root root 4342 Apr 28 18:18 ca-chain.cert.pem
-r--r--r-- 1 root root 2187 Apr 28 18:18 ca.cert.pem
-r--r--r-- 1 root root 2155 Apr 28 18:17 intermediate.cert.pem
root@OpenWrt:/etc# ls -l /etc/ipsec.d/certs/
-rw-r--r-- 1 root root 2346 Apr 28 18:17 ikev2.drew.cert.pem
-rw-r--r-- 1 root root 2561 Apr 28 18:17 ikev2.server.cert.pem
root@OpenWrt:/etc# ls -l /etc/ipsec.d/private/
-r-------- 1 root root 3326 Apr 28 18:20 ca.key.pem
-r-------- 1 root root 3326 Apr 28 18:17 ikev2.drew.key.pem
-r--r----- 1 root root 3243 Apr 28 18:17 ikev2.server.key.pem
-r-------- 1 root root 3326 Apr 28 18:20 intermediate.key.pem
/etc/ipsec.conf:
config setup

conn %default
    keyexchange=ikev2

conn roadwarrior
    left=%any
    leftauth=pubkey
    leftcert=ikev2.server.cert.pem
    leftid=MY-ROUTER.DDNS
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    rightsourceip=10.0.1.0/24
    rightauth=pubkey
    rightcert=ikev2.drew.cert.pem
    rightauth2=eap-mschapv2
    auto=add

/etc/ipsec.secrets:
: RSA ikev2.server.key.pem
drew : EAP "Secret_password"

/etc/strongswan.conf:
charon {
    load_modular = yes
    dns1 = 192.168.1.1
    dns2 = 192.168.1.254
    plugins {
        include strongswan.d/charon/*.conf
    }
}
FIREWALL
/etc/firewall.user:
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT

/etc/config/firewall:
# IPSEC
config rule
	option src 'wan'
	option name 'IPSec ESP'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option name 'IPSec IKE'
	option proto 'udp'
	option dest_port '500'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option name 'IPSec NAT-T'
	option proto 'udp'
	option dest_port '4500'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option name 'Auth Header'
	option proto 'ah'
	option target 'ACCEPT'
LOGS
Log on the OpenWrt side:
# logread && logread -f
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[NET] received packet: from XXX.XXX.XXX.XXX[33530] to 192.168.0.2[500] (704 bytes)
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 authpriv.info syslog: 08[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] local host is behind NAT, sending keep alives
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] remote host is behind NAT
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] DH group ECP_256 inacceptable, requesting MODP_2048
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[NET] sending packet: from 192.168.0.2[500] to XXX.XXX.XXX.XXX[33530] (38 bytes)
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[NET] received packet: from XXX.XXX.XXX.XXX[33530] to 192.168.0.2[500] (896 bytes)
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 authpriv.info syslog: 09[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] local host is behind NAT, sending keep alives
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] remote host is behind NAT
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] sending cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[NET] sending packet: from 192.168.0.2[500] to XXX.XXX.XXX.XXX[33530] (501 bytes)
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[NET] received packet: from XXX.XXX.XXX.XXX[33490] to 192.168.0.2[4500] (2828 bytes)
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received end entity cert "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[CFG] looking for peer configs matching 192.168.0.2[MY-ROUTER.DDNS]...XXX.XXX.XXX.XXX[C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[CFG] no matching peer config found
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] peer supports MOBIKE
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[NET] sending packet: from 192.168.0.2[4500] to XXX.XXX.XXX.XXX[33490] (76 bytes)
192.168.0.2 - the router's WAN IP address (it sits behind the ISP's firewall/router)
XXX.XXX.XXX.XXX - the server's public IP address
YYY.YYY.YYY.YYY - the Android client's public IP address
Android strongSwan app log:
Apr 28 19:01:16 00[DMN] Starting IKE charon daemon (strongSwan 5.6.1dr3, Android 7.0 - NRD90M.G935FXXU2DRC4/2018-03-01, SM-G935F - samsung/hero2ltexx/samsung, Linux 3.18.14-12365438, aarch64)
Apr 28 19:01:16 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Apr 28 19:01:16 00[JOB] spawning 16 worker threads
Apr 28 19:01:16 08[CFG] loaded user certificate 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM' and private key
Apr 28 19:01:16 08[CFG] loaded CA certificate 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM'
Apr 28 19:01:16 08[IKE] initiating IKE_SA android[12] to XXX.XXX.XXX.XXX
Apr 28 19:01:16 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 28 19:01:16 08[NET] sending packet: from YYY.YYY.YYY.YYY[51707] to XXX.XXX.XXX.XXX[500] (704 bytes)
Apr 28 19:01:16 11[NET] received packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[51707] (38 bytes)
Apr 28 19:01:16 11[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 28 19:01:16 11[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Apr 28 19:01:16 11[IKE] initiating IKE_SA android[12] to XXX.XXX.XXX.XXX
Apr 28 19:01:16 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 28 19:01:16 11[NET] sending packet: from YYY.YYY.YYY.YYY[51707] to XXX.XXX.XXX.XXX[500] (896 bytes)
Apr 28 19:01:16 12[NET] received packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[51707] (501 bytes)
Apr 28 19:01:16 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Apr 28 19:01:16 12[IKE] local host is behind NAT, sending keep alives
Apr 28 19:01:16 12[IKE] remote host is behind NAT
Apr 28 19:01:17 12[IKE] received cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:17 12[IKE] received cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:17 12[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:17 12[IKE] sending cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:19 12[IKE] authentication of 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Apr 28 19:01:19 12[IKE] sending end entity cert "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:19 12[IKE] establishing CHILD_SA android
Apr 28 19:01:19 12[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ]
Apr 28 19:01:19 12[NET] sending packet: from YYY.YYY.YYY.YYY[55262] to XXX.XXX.XXX.XXX[4500] (2828 bytes)
Apr 28 19:01:19 15[NET] received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[55262] (76 bytes)
Apr 28 19:01:19 15[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 28 19:01:19 15[IKE] received AUTHENTICATION_FAILED notify error
Guys, do you see anything I am doing wrong? Any help is appreciated.
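The server log in the question ends with "no matching peer config found" followed by N(AUTH_FAILED): charon got through IKE_SA_INIT (the INVAL_KE round trip is the normal DH-group renegotiation, not an error), parsed IKE_AUTH, and then found no conn whose identities match the IDr/IDi pair the peer presented, so it answered AUTHENTICATION_FAILED without ever evaluating the certificate. The POSIX shell helper below is an added example, not code from the post or from strongSwan; it reads a logread extract, reports the stage reached, and pulls the local and remote identities out of the "looking for peer configs matching" line so they can be compared with the conn's leftid/rightid directly. The sample log lines are constructed to mirror the ones in the question, with documentation addresses standing in for the real ones.

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan): triage a charon
# logread extract with POSIX sh, grep and sed only.
set -e

# charon_stage LOGFILE -> one keyword for how far the IKEv2 exchange got
charon_stage() {
    if grep -q 'CHILD_SA .* established' "$1"; then
        echo "established"
    elif grep -q 'no matching peer config found' "$1"; then
        # IKE_SA_INIT completed; the identities in IKE_AUTH matched no conn,
        # so charon answers AUTHENTICATION_FAILED before any cert check.
        echo "no-peer-config"
    elif grep -q 'N(AUTH_FAILED)' "$1"; then
        echo "auth-failed"
    elif grep -q 'parsed IKE_AUTH' "$1"; then
        echo "auth-incomplete"
    elif grep -q 'parsed IKE_SA_INIT' "$1"; then
        echo "stuck-at-init"
    else
        echo "no-ike-traffic"
    fi
}

# charon_local_id LOGFILE -> the local ID charon matched (IDr sent by the peer)
charon_local_id() {
    sed -n 's/.*looking for peer configs matching [^[]*\[\([^]]*\)\].*/\1/p' "$1" | head -n 1
}

# charon_remote_id LOGFILE -> the ID the peer presented (IDi), a DN or FQDN;
# this is the value the conn's rightid (or the subject of rightcert) must match
charon_remote_id() {
    sed -n 's/.*looking for peer configs matching .*\.\.\.[^[]*\[\(.*\)\].*/\1/p' "$1" | head -n 1
}

# invalke_retries LOGFILE -> number of INVAL_KE answers sent; one is the normal
# DH-group renegotiation, a run of them would point at a proposal mismatch
invalke_retries() {
    grep -c 'N(INVAL_KE)' "$1" || true
}

# Constructed sample mirroring the post's logread output (addresses are placeholders)
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] DH group ECP_256 inacceptable, requesting MODP_2048
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No CERTREQ N(MULT_AUTH) ]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr ]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received end entity cert "C=CA, ST=BC, O=MY_NAME, CN=MY-ROUTER.DDNS"
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[CFG] looking for peer configs matching 192.0.2.2[MY-ROUTER.DDNS]...203.0.113.9[C=CA, ST=BC, O=MY_NAME, CN=MY-ROUTER.DDNS]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[CFG] no matching peer config found
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
EOF

echo "stage:     $(charon_stage "$SAMPLE_LOG")"
echo "local id:  $(charon_local_id "$SAMPLE_LOG")"
echo "remote id: $(charon_remote_id "$SAMPLE_LOG")"
echo "INVAL_KE:  $(invalke_retries "$SAMPLE_LOG")"
```

On a real router the same functions can be pointed at a saved `logread` capture. The remote id printed for the sample is a full DN whose CN is the server's own hostname, which is worth comparing against the subject of the certificate named in rightcert: charon only selects a conn when both identities match one.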
Does your server certificate contain `MY-ROUTER.DDNS` as a subjectAltName extension? If not, add it.
ecdsa, 5 years ago
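A quick way to answer ecdsa's question without reading the whole certificate dump: the shell helper below is an added example, not code from the post or from strongSwan. It lists the DNS subjectAltName entries of a PEM certificate and checks for one specific name, which matters because strongSwan confirms an FQDN-style leftid against the certificate's subjectAltName, not against the CN alone. It assumes OpenSSL 1.1.1 or newer on PATH (for `req -addext`); the two throwaway self-signed certificates are constructed only to exercise the check, and `my-router.example` stands in for the poster's MY-ROUTER.DDNS.

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan): list and check the
# DNS subjectAltName entries of a PEM certificate. Assumes OpenSSL >= 1.1.1.
set -e

# san_dns_names CERT -> one "DNS:name" per line, nothing if there is no SAN extension
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep '^DNS:' || true
}

# has_san_dns CERT NAME -> exit 0 if NAME is a DNS SAN of CERT, 1 otherwise
has_san_dns() {
    san_dns_names "$1" | grep -qx "DNS:$2"
}

WORK=$(mktemp -d)
HOST="my-router.example"   # placeholder for the poster's MY-ROUTER.DDNS

# Constructed certificate 1: hostname in the CN and as a DNS SAN (what an
# IKEv2 server with leftid=<hostname> needs)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/san.key" -out "$WORK/san.pem" 2>/dev/null

# Constructed certificate 2: hostname only in the CN, no SAN (the common mistake)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/CN=$HOST" \
    -keyout "$WORK/nosan.key" -out "$WORK/nosan.pem" 2>/dev/null

for c in san nosan; do
    if has_san_dns "$WORK/$c.pem" "$HOST"; then
        echo "$c.pem: $HOST present as a DNS subjectAltName"
    else
        echo "$c.pem: $HOST missing from subjectAltName; leftid=$HOST cannot be confirmed from it"
    fi
done
```

Run it against the real file with `san_dns_names /etc/ipsec.d/certs/ikev2.server.cert.pem`; an empty result means the extension is absent altogether, which is the case ecdsa is asking about.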
Hi, thanks for the reply. Yes, the server certificate does have MY-ROUTER.DDNS as a subjectAltName extension.
Drew, 5 years ago
Could you add the output of `ipsec statusall`.
ecdsa, 5 years ago
0 answers to the question