Perfil .sswan de Android en ipsec.conf

tag-icon tag-icon vpn ipsec strongswan watchguard
Perfil .sswan de Android en ipsec.conf

Tengo un perfil .sswan con un certificado integrado y un nombre de usuario/contraseña de un administrador del servidor. Se conecta a una VPN Watchguard sin ningún problema. El administrador del servidor me dijo que puedo conectarme con mi servidor Ubuntu "de forma nativa". No he podido encontrar que eso sea cierto, pero en mi investigación descubrí que la aplicación Linux Strongswan se puede conectar. ¿Cuáles son los parámetros correctos para que la conexión sea exitosa?

Estoy usando Linux strongSwan U5.9.5/K5.19.0-1025-aws

La conexión está fallando. Errores que recibo: 'username_from_admin' not confirmed by certificate yno private key found for 'O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN xxx 2023-03-14 13:57:23 UTC) CA'

Adjunté mis registros y parámetros de conexión a continuación.

archivo .sswan

SYSLOG:

ipsec[421754]: 00[NET] using forecast interface ens5
ipsec[421754]: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
ipsec[421754]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
ipsec[421754]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
ipsec[421754]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
ipsec[421754]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
ipsec[421754]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
ipsec[421754]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
ipsec[421754]: 00[CFG]   loaded EAP secret for username_from_admin
ipsec[421754]: 00[CFG] loaded 0 RADIUS server configurations
ipsec[421754]: 00[CFG] HA config misses local/remote address
ipsec[421754]: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
ipsec[421754]: 00[LIB] dropped capabilities, running as uid 0, gid 0
ipsec[421754]: 00[JOB] spawning 16 worker threads
ipsec[421750]: charon (421754) started after 60 ms
ipsec[421754]: 05[CFG] received stroke: add connection 'XYZ-IKEv2-VPN'
ipsec[421754]: 05[KNL] 8.x.x.x is not a local address or the interface is down
ipsec[421754]: 05[CFG]   loaded certificate "O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN XYZ 2023-03-14 13:57:23 UTC) CA" from '/etc/ipsec.d/certs/rootca.pem'
ipsec[421754]: 05[CFG]   id 'username_from_admin' not confirmed by certificate, defaulting to 'O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN XYZ 2023-03-14 13:57:23 UTC) CA'
ipsec[421754]: 05[CFG] added configuration 'XYZ-IKEv2-VPN'

RESULTADO DE correr: sudo ipsec up XYZ-IKEv2-VPN COMMAND

ubuntu@ip-xxxx:/$ sudo systemctl restart strongswan-starter
ubuntu@ip-xxxx:/$ sudo ipsec up XYZ-IKEv2-VPN
initiating IKE_SA XYZ-IKEv2-VPN[1] to 8.x.x.x
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 172.31.x.x[500] to 8.x.x.x[500] (1164 bytes)
received packet: from 8.x.x.x[500] to 172.31.x.x[500] (496 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4f:53:34:79:49:45:4a:4f:50:54:59:33:4e:54:67:78:4e:77:3d:3d
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
sending cert request for "O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN xxx 2023-03-14 13:57:23 UTC) CA"
no private key found for 'O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN xxx 2023-03-14 13:57:23 UTC) CA'
establishing connection 'XYZ-IKEv2-VPN' failed

ipsec.conf:

conn XYZ-IKEv2-VPN
     leftsourceip=%config
     auto=add
     ike=aes256gmac-prfsha256-modp2048
     esp=aes256gmac-modp2048
     keyexchange=ikev2
     right=8.x.x.x
     rightsubnet=172.30.x.x
     rightid=8.x.x.x
     leftid=username_from_admin
     leftcert=/etc/ipsec.d/certs/rootca.pem

ipsec.secretos:

username_from_admin : EAP "password_from_admin"

ubicación del archivo de certificado: ipsec.d/certs/

Respuesta1

Hay varios problemas que puedo ver:

  • leftcertes tu propio certificado, no el del servidor, que estaría en rightcert, pero...
  • ...dado que parece ser un certificado de CA, no es necesario configurarlo en ipsec.conf, simplemente muévalo a/etc/ipsec.d/cacerts
  • Dado que el perfil está configurado para la autenticación del cliente a través de EAP y no un certificado, también desea configurarleftauth=eap

información relacionada