サーバー管理者からの証明書とユーザー名/パスワードが埋め込まれた .sswan プロファイルがあります。問題なく Watchguard VPN に接続します。サーバー管理者から、Ubuntu サーバーに「ネイティブ」に接続できると言われました。それが本当かどうかはわかりませんが、調査したところ、Linux Strongswan アプリケーションは接続できることがわかりました。接続を成功させるための正しいパラメータは何ですか?
Linux strongSwan U5.9.5/K5.19.0-1025-awsを使用しています
接続に失敗しました。次のエラーが発生しています'username_from_admin' not confirmed by certificate
:no private key found for 'O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN xxx 2023-03-14 13:57:23 UTC) CA'
ログと接続パラメータを以下に添付しました。
SYSLOG:
ipsec[421754]: 00[NET] using forecast interface ens5
ipsec[421754]: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
ipsec[421754]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
ipsec[421754]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
ipsec[421754]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
ipsec[421754]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
ipsec[421754]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
ipsec[421754]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
ipsec[421754]: 00[CFG] loaded EAP secret for username_from_admin
ipsec[421754]: 00[CFG] loaded 0 RADIUS server configurations
ipsec[421754]: 00[CFG] HA config misses local/remote address
ipsec[421754]: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
ipsec[421754]: 00[LIB] dropped capabilities, running as uid 0, gid 0
ipsec[421754]: 00[JOB] spawning 16 worker threads
ipsec[421750]: charon (421754) started after 60 ms
ipsec[421754]: 05[CFG] received stroke: add connection 'XYZ-IKEv2-VPN'
ipsec[421754]: 05[KNL] 8.x.x.x is not a local address or the interface is down
ipsec[421754]: 05[CFG] loaded certificate "O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN XYZ 2023-03-14 13:57:23 UTC) CA" from '/etc/ipsec.d/certs/rootca.pem'
ipsec[421754]: 05[CFG] id 'username_from_admin' not confirmed by certificate, defaulting to 'O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN XYZ 2023-03-14 13:57:23 UTC) CA'
ipsec[421754]: 05[CFG] added configuration 'XYZ-IKEv2-VPN'
実行の結果: sudo ipsec up XYZ-IKEv2-VPN COMMAND
ubuntu@ip-xxxx:/$ sudo systemctl restart strongswan-starter
ubuntu@ip-xxxx:/$ sudo ipsec up XYZ-IKEv2-VPN
initiating IKE_SA XYZ-IKEv2-VPN[1] to 8.x.x.x
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 172.31.x.x[500] to 8.x.x.x[500] (1164 bytes)
received packet: from 8.x.x.x[500] to 172.31.x.x[500] (496 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4f:53:34:79:49:45:4a:4f:50:54:59:33:4e:54:67:78:4e:77:3d:3d
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
sending cert request for "O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN xxx 2023-03-14 13:57:23 UTC) CA"
no private key found for 'O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN xxx 2023-03-14 13:57:23 UTC) CA'
establishing connection 'XYZ-IKEv2-VPN' failed
ipsec.conf:
conn XYZ-IKEv2-VPN
leftsourceip=%config
auto=add
ike=aes256gmac-prfsha256-modp2048
esp=aes256gmac-modp2048
keyexchange=ikev2
right=8.x.x.x
rightsubnet=172.30.x.x
rightid=8.x.x.x
leftid=username_from_admin
leftcert=/etc/ipsec.d/certs/rootca.pem
ipsec.シークレット:
username_from_admin : EAP "password_from_admin"
証明書ファイルの場所: ipsec.d/証明書/
答え1
いくつかの問題が見られます:
leftcertは、サーバーの証明書ではなく、あなた自身の証明書です。サーバーの証明書は、 にありますrightcertが...- ...これはCA証明書のようですので、ipsec.confで設定する必要はなく、単に
/etc/ipsec.d/cacerts - プロファイルは証明書ではなくEAPによるクライアント認証に設定されているため、
leftauth=eap