OpenWrt上的IPsec IKEv2无法建立隧道


0

请按照以下说明在OpenWRT上配置IPSec IKEv2 VPN服务器(15.05 Chaos Calmer)

路由器:Linksys AC1900-WRT

# uname -a
Linux OpenWrt 3.18.23 #1 SMP Sun Jan 31 12:53:24 CET 2016 armv7l GNU/Linux

客户端-Android Strongswan.app。还在Macbook上进行测试,并与同一Android设备上的热点绑定在一起。

CONFIG

证书和密钥到位:

root@OpenWrt:/etc# ls -l /etc/ipsec.d/cacerts/
-r--r--r--    1 root     root          4342 Apr 28 18:18 ca-chain.cert.pem
-r--r--r--    1 root     root          2187 Apr 28 18:18 ca.cert.pem
-r--r--r--    1 root     root          2155 Apr 28 18:17 intermediate.cert.pem
root@OpenWrt:/etc# ls -l /etc/ipsec.d/certs/
-rw-r--r--    1 root     root          2346 Apr 28 18:17 ikev2.drew.cert.pem
-rw-r--r--    1 root     root          2561 Apr 28 18:17 ikev2.server.cert.pem
root@OpenWrt:/etc# ls -l /etc/ipsec.d/private/
-r--------    1 root     root          3326 Apr 28 18:20 ca.key.pem
-r--------    1 root     root          3326 Apr 28 18:17 ikev2.drew.key.pem
-r--r-----    1 root     root          3243 Apr 28 18:17 ikev2.server.key.pem
-r--------    1 root     root          3326 Apr 28 18:20 intermediate.key.pem

/etc/ipsec.conf:

config setup

conn %default
        keyexchange=ikev2

conn roadwarrior
        left=%any
        leftauth=pubkey
        leftcert=ikev2.server.cert.pem
        leftid=MY-ROUTER.DDNS
        leftsubnet=0.0.0.0/0,::/0
        right=%any
        rightsourceip=10.0.1.0/24
        rightauth=pubkey
        rightcert=ikev2.drew.cert.pem
        rightauth2=eap-mschapv2
        auto=add

/etc/ipsec.secrets

: RSA ikev2.server.key.pem
drew : EAP "Secret_password"

/etc/strongswan.conf

charon {
    load_modular = yes
    dns1 = 192.168.1.1
    dns2 = 192.168.1.254
    plugins {
            include strongswan.d/charon/*.conf
    }
}

FIREWALL

/etc/firewall.user:

iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT

的/ etc /配置/防火墙

# IPSEC
config rule
        option src 'wan'
        option name 'IPSec ESP'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'IPSec IKE'
        option proto 'udp'
        option dest_port '500'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'IPSec NAT-T'
        option proto 'udp'
        option dest_port '4500'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'Auth Header'
        option proto 'ah'
        option target 'ACCEPT'

日志

OpenWrt网站日志:

# logread && logread -f

Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[NET] received packet: from XXX.XXX.XXX.XXX[33530] to 192.168.0.2[500] (704 bytes)
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 authpriv.info syslog: 08[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] local host is behind NAT, sending keep alives
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] remote host is behind NAT
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] DH group ECP_256 inacceptable, requesting MODP_2048
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[NET] sending packet: from 192.168.0.2[500] to XXX.XXX.XXX.XXX[33530] (38 bytes)
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[NET] received packet: from XXX.XXX.XXX.XXX[33530] to 192.168.0.2[500] (896 bytes)
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 authpriv.info syslog: 09[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] local host is behind NAT, sending keep alives
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] remote host is behind NAT
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] sending cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[NET] sending packet: from 192.168.0.2[500] to XXX.XXX.XXX.XXX[33530] (501 bytes)
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[NET] received packet: from XXX.XXX.XXX.XXX[33490] to 192.168.0.2[4500] (2828 bytes)
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received end entity cert "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[CFG] looking for peer configs matching 192.168.0.2[MY-ROUTER.DDNS]...XXX.XXX.XXX.XXX[C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[CFG] no matching peer config found
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] peer supports MOBIKE
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[NET] sending packet: from 192.168.0.2[4500] to XXX.XXX.XXX.XXX[33490] (76 bytes)

192.168.0.2 -路由器的WAN IP(位于ISP的防火墙/路由器后面)

XXX.XXX.XXX.XXX -服务器的公共IP

YYY.YYY.YYY.YYY -Android客户端的公共IP

Android Strongswan.app日志:

Apr 28 19:01:16 00[DMN] Starting IKE charon daemon (strongSwan 5.6.1dr3, Android 7.0 - NRD90M.G935FXXU2DRC4/2018-03-01, SM-G935F - samsung/hero2ltexx/samsung, Linux 3.18.14-12365438, aarch64)
Apr 28 19:01:16 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Apr 28 19:01:16 00[JOB] spawning 16 worker threads
Apr 28 19:01:16 08[CFG] loaded user certificate 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM' and private key
Apr 28 19:01:16 08[CFG] loaded CA certificate 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM'
Apr 28 19:01:16 08[IKE] initiating IKE_SA android[12] to XXX.XXX.XXX.XXX
Apr 28 19:01:16 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 28 19:01:16 08[NET] sending packet: from YYY.YYY.YYY.YYY[51707] to XXX.XXX.XXX.XXX[500] (704 bytes)
Apr 28 19:01:16 11[NET] received packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[51707] (38 bytes)
Apr 28 19:01:16 11[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 28 19:01:16 11[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Apr 28 19:01:16 11[IKE] initiating IKE_SA android[12] to XXX.XXX.XXX.XXX
Apr 28 19:01:16 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 28 19:01:16 11[NET] sending packet: from YYY.YYY.YYY.YYY[51707] to XXX.XXX.XXX.XXX[500] (896 bytes)
Apr 28 19:01:16 12[NET] received packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[51707] (501 bytes)
Apr 28 19:01:16 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Apr 28 19:01:16 12[IKE] local host is behind NAT, sending keep alives
Apr 28 19:01:16 12[IKE] remote host is behind NAT
Apr 28 19:01:17 12[IKE] received cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:17 12[IKE] received cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:17 12[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:17 12[IKE] sending cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:19 12[IKE] authentication of 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Apr 28 19:01:19 12[IKE] sending end entity cert "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:19 12[IKE] establishing CHILD_SA android{6}
Apr 28 19:01:19 12[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ]
Apr 28 19:01:19 12[NET] sending packet: from YYY.YYY.YYY.YYY[55262] to XXX.XXX.XXX.XXX[4500] (2828 bytes)
Apr 28 19:01:19 15[NET] received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[55262] (76 bytes)
Apr 28 19:01:19 15[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 28 19:01:19 15[IKE] received AUTHENTICATION_FAILED notify error

你们看到我做错了什么吗?任何帮助。


您的服务器证书是否包含MY-ROUTER.DDNSas subjectAltName扩展名?如果没有,请添加它。
ecdsa

嗨,谢谢您的回复。是的,服务器证书确实有MY-ROUTER.DDNS作为subjectAltName扩展
德鲁

您能否添加的输出ipsec statusall
ecdsa
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.