xauth con ipsec-tools en openwrt: ¿falla la autenticación?

2024-6-20 • tag-icon

xauth con ipsec-tools en openwrt: ¿falla la autenticación?

Estoy intentando configurar xauth con ipsec-tools en openwrt, mi configuración se muestra a continuación:
cat /etc/racoon.conf:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/cert";

listen {
    adminsock disabled;
}

timer
{
        natt_keepalive 10 sec;
}

remote anonymous
{
        exchange_mode aggressive,main;          #必须添加main，否则苹果的vpn client无法连接

        initial_contact on ;
        passive on ;

        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method xauth_psk_server ;
                dh_group 2 ;
        }

        proposal_check obey;
        generate_policy on;
        dpd_delay 20;
        nat_traversal force;
        ike_frag on;
        esp_frag 552;
}

mode_cfg
{
        network4 211.153.68.231;              #VPN地址池
        pool_size 4;
        netmask4 255.255.255.0;
        auth_source system;                      #使用pam作为xauth的用户认证
        dns4 211.153.19.1;
        pfs_group 2;
        banner "/etc/racoon/motd" ;
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm aes ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}

gato /etc/setkey.conf

flush;
spdflush;

spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P in ipsec esp/transport//require;

gato /etc/racoon/psk.txt

test test

gato /etc/mapache/motd

welcome!

gato /etc/init.d/racoon

#!/bin/sh /etc/rc.common
# Copyright (C) 2009-2011 OpenWrt.org
# Copyright (C) 2011 Artem Makhutov

START=49

SERVICE_USE_PID=1

start() {
    mkdir -m 0700 -p /var/racoon
    [ -f /etc/ipsec.conf ] && /usr/sbin/setkey -f /etc/setkey.conf
    service_start /usr/sbin/racoon -f /etc/racoon.conf
}

stop() {
    service_stop /usr/sbin/racoon
}

luego enciende el servidor:

root@OpenWrt:~# setkey -f /etc/setkey.conf
root@OpenWrt:~# racoon -F -f /etc/racoon.conf
Foreground mode.
2013-09-06 15:52:19: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
2013-09-06 15:52:19: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
2013-09-06 15:52:19: INFO: Reading configuration from "/etc/racoon.conf"
2013-09-06 15:52:19: WARNING: /etc/racoon.conf:33: "552" Your kernel does not support esp_frag
2013-09-06 15:52:19: INFO: Resize address pool from 0 to 4
2013-09-06 15:52:19: INFO: 10.129.228.201[500] used for NAT-T
2013-09-06 15:52:19: INFO: 10.129.228.201[500] used as isakmp port (fd=6)
2013-09-06 15:52:19: INFO: 10.129.228.201[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 10.129.228.201[4500] used as isakmp port (fd=7)
2013-09-06 15:52:19: INFO: 127.0.0.0[500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.0[500] used as isakmp port (fd=8)
2013-09-06 15:52:19: INFO: 127.0.0.0[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.0[4500] used as isakmp port (fd=9)
2013-09-06 15:52:19: INFO: 127.0.0.1[500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
2013-09-06 15:52:19: INFO: 127.0.0.1[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.1[4500] used as isakmp port (fd=11)
2013-09-06 15:52:19: INFO: ::1[500] used as isakmp port (fd=12)
2013-09-06 15:52:19: INFO: ::1[4500] used as isakmp port (fd=13)
2013-09-06 15:52:19: INFO: fe80::a00:27ff:fec1:5c6b[500] used as isakmp port (fd=14)
2013-09-06 15:52:19: INFO: fe80::a00:27ff:fec1:5c6b[4500] used as isakmp port (fd=15)

Lo ejecuto en primer plano solo para depurar, luego lo conectamos con vpnc desde otro sistema de ubuntu12.04.2:

liunx@ubuntu:~$ sudo vpnc
[sudo] password for liunx:
Enter IPSec gateway address: 10.129.228.201
Enter IPSec ID for 10.129.228.201: test
Enter IPSec secret for [email protected]:(test)
Enter username for 10.129.228.201: root
Enter password for [email protected]:(123456)
vpnc: authentication unsuccessful

Recibí mensajes de error de mapache:

2013-09-06 15:55:14: INFO: respond new phase 1 negotiation: 10.129.228.201[500]<=>10.129.228.200[500]
2013-09-06 15:55:14: INFO: begin Aggressive mode.
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2013-09-06 15:55:14: INFO: received Vendor ID: CISCO-UNITY
2013-09-06 15:55:14: INFO: received Vendor ID: RFC 3947
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2013-09-06 15:55:14: INFO: received Vendor ID: DPD
2013-09-06 15:55:14: [10.129.228.200] INFO: Selected NAT-T version: RFC 3947
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: INFO: Adding remote and local NAT-D payloads.
2013-09-06 15:55:14: [10.129.228.200] INFO: Hashing 10.129.228.200[500] with algo #2 (NAT-T forced)
2013-09-06 15:55:14: [10.129.228.201] INFO: Hashing 10.129.228.201[500] with algo #2 (NAT-T forced)
2013-09-06 15:55:14: INFO: Adding xauth VID payload.
2013-09-06 15:55:14: INFO: NAT-T: ports changed to: 10.129.228.200[4500]<->10.129.228.201[4500]
2013-09-06 15:55:14: [10.129.228.200] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
2013-09-06 15:55:14: INFO: received Vendor ID: CISCO-UNITY
2013-09-06 15:55:14: INFO: NAT-D payload #0 doesn't match
2013-09-06 15:55:14: INFO: NAT-D payload #1 doesn't match
2013-09-06 15:55:14: INFO: NAT detected: ME PEER
2013-09-06 15:55:14: INFO: Sending Xauth request
2013-09-06 15:55:14: INFO: ISAKMP-SA established 10.129.228.201[4500]-10.129.228.200[4500] spi:5f0e764b2ee4a7bd:a65bc2a2089f47f3
2013-09-06 15:55:14: INFO: Using port 0
2013-09-06 15:55:14: INFO: Released port 0
2013-09-06 15:55:14: INFO: login failed for user "root"
2013-09-06 15:55:14: ERROR: Attempt to release an unallocated address (port 0)
2013-09-06 15:55:14: ERROR: mode config 6 from 10.129.228.200[4500], but we have no ISAKMP-SA.

Estoy seguro de que configuré la contraseña de root como "123456", pero fallé, ¿algún consejo?

Respuesta1

Es el problema de la contraseña oculta, cuando es el momento de la configuración, las herramientas ipsec detectarán o no la contraseña oculta del sistema, si las herramientas ipsec se compilan con _HAVE_SHADOW_H_, entonces no analizará la contraseña correcta con la contraseña que no es oculta, por lo que falló. o viceversa. Lo comparé con el sistema ubuntu, buildroot, todos funcionan bien.

Respuesta1

información relacionada