请按照以下说明在OpenWRT上配置IPSec IKEv2 VPN服务器(15.05 Chaos Calmer)
路由器:Linksys AC1900-WRT
# uname -a
Linux OpenWrt 3.18.23 #1 SMP Sun Jan 31 12:53:24 CET 2016 armv7l GNU/Linux
客户端-Android Strongswan.app。还在Macbook上进行测试,并与同一Android设备上的热点绑定在一起。
CONFIG
证书和密钥到位:
root@OpenWrt:/etc# ls -l /etc/ipsec.d/cacerts/
-r--r--r-- 1 root root 4342 Apr 28 18:18 ca-chain.cert.pem
-r--r--r-- 1 root root 2187 Apr 28 18:18 ca.cert.pem
-r--r--r-- 1 root root 2155 Apr 28 18:17 intermediate.cert.pem
root@OpenWrt:/etc# ls -l /etc/ipsec.d/certs/
-rw-r--r-- 1 root root 2346 Apr 28 18:17 ikev2.drew.cert.pem
-rw-r--r-- 1 root root 2561 Apr 28 18:17 ikev2.server.cert.pem
root@OpenWrt:/etc# ls -l /etc/ipsec.d/private/
-r-------- 1 root root 3326 Apr 28 18:20 ca.key.pem
-r-------- 1 root root 3326 Apr 28 18:17 ikev2.drew.key.pem
-r--r----- 1 root root 3243 Apr 28 18:17 ikev2.server.key.pem
-r-------- 1 root root 3326 Apr 28 18:20 intermediate.key.pem
/etc/ipsec.conf:
config setup
conn %default
keyexchange=ikev2
conn roadwarrior
left=%any
leftauth=pubkey
leftcert=ikev2.server.cert.pem
leftid=MY-ROUTER.DDNS
leftsubnet=0.0.0.0/0,::/0
right=%any
rightsourceip=10.0.1.0/24
rightauth=pubkey
rightcert=ikev2.drew.cert.pem
rightauth2=eap-mschapv2
auto=add
/etc/ipsec.secrets
: RSA ikev2.server.key.pem
drew : EAP "Secret_password"
/etc/strongswan.conf
charon {
load_modular = yes
dns1 = 192.168.1.1
dns2 = 192.168.1.254
plugins {
include strongswan.d/charon/*.conf
}
}
FIREWALL
/etc/firewall.user:
iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
的/ etc /配置/防火墙
# IPSEC
config rule
option src 'wan'
option name 'IPSec ESP'
option proto 'esp'
option target 'ACCEPT'
config rule
option src 'wan'
option name 'IPSec IKE'
option proto 'udp'
option dest_port '500'
option target 'ACCEPT'
config rule
option src 'wan'
option name 'IPSec NAT-T'
option proto 'udp'
option dest_port '4500'
option target 'ACCEPT'
config rule
option src 'wan'
option name 'Auth Header'
option proto 'ah'
option target 'ACCEPT'
日志
OpenWrt网站日志:
# logread && logread -f
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[NET] received packet: from XXX.XXX.XXX.XXX[33530] to 192.168.0.2[500] (704 bytes)
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 authpriv.info syslog: 08[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] local host is behind NAT, sending keep alives
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] remote host is behind NAT
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] DH group ECP_256 inacceptable, requesting MODP_2048
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[NET] sending packet: from 192.168.0.2[500] to XXX.XXX.XXX.XXX[33530] (38 bytes)
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[NET] received packet: from XXX.XXX.XXX.XXX[33530] to 192.168.0.2[500] (896 bytes)
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 authpriv.info syslog: 09[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] local host is behind NAT, sending keep alives
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] remote host is behind NAT
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] sending cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[NET] sending packet: from 192.168.0.2[500] to XXX.XXX.XXX.XXX[33530] (501 bytes)
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[NET] received packet: from XXX.XXX.XXX.XXX[33490] to 192.168.0.2[4500] (2828 bytes)
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received end entity cert "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[CFG] looking for peer configs matching 192.168.0.2[MY-ROUTER.DDNS]...XXX.XXX.XXX.XXX[C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[CFG] no matching peer config found
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] peer supports MOBIKE
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[NET] sending packet: from 192.168.0.2[4500] to XXX.XXX.XXX.XXX[33490] (76 bytes)
192.168.0.2 -路由器的WAN IP(位于ISP的防火墙/路由器后面)
XXX.XXX.XXX.XXX -服务器的公共IP
YYY.YYY.YYY.YYY -Android客户端的公共IP
Android Strongswan.app日志:
Apr 28 19:01:16 00[DMN] Starting IKE charon daemon (strongSwan 5.6.1dr3, Android 7.0 - NRD90M.G935FXXU2DRC4/2018-03-01, SM-G935F - samsung/hero2ltexx/samsung, Linux 3.18.14-12365438, aarch64)
Apr 28 19:01:16 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Apr 28 19:01:16 00[JOB] spawning 16 worker threads
Apr 28 19:01:16 08[CFG] loaded user certificate 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM' and private key
Apr 28 19:01:16 08[CFG] loaded CA certificate 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM'
Apr 28 19:01:16 08[IKE] initiating IKE_SA android[12] to XXX.XXX.XXX.XXX
Apr 28 19:01:16 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 28 19:01:16 08[NET] sending packet: from YYY.YYY.YYY.YYY[51707] to XXX.XXX.XXX.XXX[500] (704 bytes)
Apr 28 19:01:16 11[NET] received packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[51707] (38 bytes)
Apr 28 19:01:16 11[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 28 19:01:16 11[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Apr 28 19:01:16 11[IKE] initiating IKE_SA android[12] to XXX.XXX.XXX.XXX
Apr 28 19:01:16 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 28 19:01:16 11[NET] sending packet: from YYY.YYY.YYY.YYY[51707] to XXX.XXX.XXX.XXX[500] (896 bytes)
Apr 28 19:01:16 12[NET] received packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[51707] (501 bytes)
Apr 28 19:01:16 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Apr 28 19:01:16 12[IKE] local host is behind NAT, sending keep alives
Apr 28 19:01:16 12[IKE] remote host is behind NAT
Apr 28 19:01:17 12[IKE] received cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:17 12[IKE] received cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:17 12[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:17 12[IKE] sending cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:19 12[IKE] authentication of 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Apr 28 19:01:19 12[IKE] sending end entity cert "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:19 12[IKE] establishing CHILD_SA android{6}
Apr 28 19:01:19 12[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ]
Apr 28 19:01:19 12[NET] sending packet: from YYY.YYY.YYY.YYY[55262] to XXX.XXX.XXX.XXX[4500] (2828 bytes)
Apr 28 19:01:19 15[NET] received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[55262] (76 bytes)
Apr 28 19:01:19 15[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 28 19:01:19 15[IKE] received AUTHENTICATION_FAILED notify error
你们看到我做错了什么吗?任何帮助。
嗨,谢谢您的回复。是的,服务器证书确实有
—
德鲁
MY-ROUTER.DDNS作为subjectAltName扩展
您能否添加的输出
—
ecdsa
ipsec statusall?
MY-ROUTER.DDNSas subjectAltName扩展名?如果没有,请添加它。