Ich versuche, XAuth mit IPSec-Tools auf OpenWRT einzurichten. Meine Einstellungen werden unten angezeigt:
cat /etc/racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/cert";
listen {
adminsock disabled;
}
timer
{
natt_keepalive 10 sec;
}
remote anonymous
{
exchange_mode aggressive,main; #必须添加main,否则苹果的vpn client无法连接
initial_contact on ;
passive on ;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method xauth_psk_server ;
dh_group 2 ;
}
proposal_check obey;
generate_policy on;
dpd_delay 20;
nat_traversal force;
ike_frag on;
esp_frag 552;
}
mode_cfg
{
network4 211.153.68.231; #VPN地址池
pool_size 4;
netmask4 255.255.255.0;
auth_source system; #使用pam作为xauth的用户认证
dns4 211.153.19.1;
pfs_group 2;
banner "/etc/racoon/motd" ;
}
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm aes ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
Katze /etc/setkey.conf
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P in ipsec esp/transport//require;
Katze /etc/racoon/psk.txt
test test
Katze /etc/Waschbär/motd
welcome!
Katze /etc/init.d/Racoon
#!/bin/sh /etc/rc.common
# Copyright (C) 2009-2011 OpenWrt.org
# Copyright (C) 2011 Artem Makhutov
START=49
SERVICE_USE_PID=1
start() {
mkdir -m 0700 -p /var/racoon
[ -f /etc/ipsec.conf ] && /usr/sbin/setkey -f /etc/setkey.conf
service_start /usr/sbin/racoon -f /etc/racoon.conf
}
stop() {
service_stop /usr/sbin/racoon
}
dann starten Sie den Server:
root@OpenWrt:~# setkey -f /etc/setkey.conf
root@OpenWrt:~# racoon -F -f /etc/racoon.conf
Foreground mode.
2013-09-06 15:52:19: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
2013-09-06 15:52:19: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
2013-09-06 15:52:19: INFO: Reading configuration from "/etc/racoon.conf"
2013-09-06 15:52:19: WARNING: /etc/racoon.conf:33: "552" Your kernel does not support esp_frag
2013-09-06 15:52:19: INFO: Resize address pool from 0 to 4
2013-09-06 15:52:19: INFO: 10.129.228.201[500] used for NAT-T
2013-09-06 15:52:19: INFO: 10.129.228.201[500] used as isakmp port (fd=6)
2013-09-06 15:52:19: INFO: 10.129.228.201[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 10.129.228.201[4500] used as isakmp port (fd=7)
2013-09-06 15:52:19: INFO: 127.0.0.0[500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.0[500] used as isakmp port (fd=8)
2013-09-06 15:52:19: INFO: 127.0.0.0[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.0[4500] used as isakmp port (fd=9)
2013-09-06 15:52:19: INFO: 127.0.0.1[500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
2013-09-06 15:52:19: INFO: 127.0.0.1[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.1[4500] used as isakmp port (fd=11)
2013-09-06 15:52:19: INFO: ::1[500] used as isakmp port (fd=12)
2013-09-06 15:52:19: INFO: ::1[4500] used as isakmp port (fd=13)
2013-09-06 15:52:19: INFO: fe80::a00:27ff:fec1:5c6b[500] used as isakmp port (fd=14)
2013-09-06 15:52:19: INFO: fe80::a00:27ff:fec1:5c6b[4500] used as isakmp port (fd=15)
Ich führe es nur zum Debuggen im Vordergrund aus und verbinde es dann mit VPN von einem anderen System mit Ubuntu 12.04.2:
liunx@ubuntu:~$ sudo vpnc
[sudo] password for liunx:
Enter IPSec gateway address: 10.129.228.201
Enter IPSec ID for 10.129.228.201: test
Enter IPSec secret for [email protected]:(test)
Enter username for 10.129.228.201: root
Enter password for [email protected]:(123456)
vpnc: authentication unsuccessful
Ich habe Fehlermeldungen von Racoon erhalten:
2013-09-06 15:55:14: INFO: respond new phase 1 negotiation: 10.129.228.201[500]<=>10.129.228.200[500]
2013-09-06 15:55:14: INFO: begin Aggressive mode.
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2013-09-06 15:55:14: INFO: received Vendor ID: CISCO-UNITY
2013-09-06 15:55:14: INFO: received Vendor ID: RFC 3947
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2013-09-06 15:55:14: INFO: received Vendor ID: DPD
2013-09-06 15:55:14: [10.129.228.200] INFO: Selected NAT-T version: RFC 3947
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: INFO: Adding remote and local NAT-D payloads.
2013-09-06 15:55:14: [10.129.228.200] INFO: Hashing 10.129.228.200[500] with algo #2 (NAT-T forced)
2013-09-06 15:55:14: [10.129.228.201] INFO: Hashing 10.129.228.201[500] with algo #2 (NAT-T forced)
2013-09-06 15:55:14: INFO: Adding xauth VID payload.
2013-09-06 15:55:14: INFO: NAT-T: ports changed to: 10.129.228.200[4500]<->10.129.228.201[4500]
2013-09-06 15:55:14: [10.129.228.200] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
2013-09-06 15:55:14: INFO: received Vendor ID: CISCO-UNITY
2013-09-06 15:55:14: INFO: NAT-D payload #0 doesn't match
2013-09-06 15:55:14: INFO: NAT-D payload #1 doesn't match
2013-09-06 15:55:14: INFO: NAT detected: ME PEER
2013-09-06 15:55:14: INFO: Sending Xauth request
2013-09-06 15:55:14: INFO: ISAKMP-SA established 10.129.228.201[4500]-10.129.228.200[4500] spi:5f0e764b2ee4a7bd:a65bc2a2089f47f3
2013-09-06 15:55:14: INFO: Using port 0
2013-09-06 15:55:14: INFO: Released port 0
2013-09-06 15:55:14: INFO: login failed for user "root"
2013-09-06 15:55:14: ERROR: Attempt to release an unallocated address (port 0)
2013-09-06 15:55:14: ERROR: mode config 6 from 10.129.228.200[4500], but we have no ISAKMP-SA.
Ich bin sicher, dass ich das Root-Passwort auf „123456“ eingestellt hatte, aber es ist fehlgeschlagen. Irgendwelche Tipps?
Antwort1
Es ist das Problem mit dem Shadow-Passwort. Während der Konfiguration erkennen die IPSec-Tools, ob das Shadow-Passwort des Systems vorhanden ist oder nicht. Wenn die IPSec-Tools mit _HAVE_SHADOW_H_ kompiliert werden, können sie das richtige Passwort nicht mit einem Nicht-Shadow-Passwort analysieren und es schlägt fehl, oder umgekehrt. Ich habe es mit dem Ubuntu-System und Buildroot verglichen, sie funktionieren alle gut.