Windows 7 和 8.1 無法連線到 Ubuntu 22 上的 StrongSwan 5.9 VPN 伺服器

tag-icon tag-icon strongswan
Windows 7 和 8.1 無法連線到 Ubuntu 22 上的 StrongSwan 5.9 VPN 伺服器

我使用 Ubuntu 22.04 和 StrongSwan 5.9.5 在 Oracle 的 OCI 上設定 VPN 伺服器。當我嘗試從不同的 roadwarrior 連線時,Android 運作良好,Win10 運作良好,甚至古老的 Blackberry10 運作良好,但不適用於 Win7 和 Win8.1 筆記型電腦:它們停留在第一階段:

mytestcloud charon[968]: 05[NET] received packet: from <MYIP>[500] to 10.0.0.64[500] (616 bytes)
mytestcloud charon[968]: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
mytestcloud charon[968]: 05[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
mytestcloud charon[968]: 05[IKE] received MS-Negotiation Discovery Capable vendor ID
mytestcloud charon[968]: 05[IKE] received Vid-Initial-Contact vendor ID
mytestcloud charon[968]: 05[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
mytestcloud charon[968]: 05[IKE] <MYIP> is initiating an IKE_SA
mytestcloud charon[968]: 05[IKE] <MYIP> is initiating an IKE_SA
mytestcloud charon[968]: 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
mytestcloud charon[968]: 05[IKE] local host is behind NAT, sending keep alives
mytestcloud charon[968]: 05[IKE] remote host is behind NAT
mytestcloud charon[968]: 05[IKE] sending cert request for "C=<MYCOUNTRY>, O=<MYFIRM>, CN=<MYNAME>"
mytestcloud charon[968]: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(CHDLESS_SUP) N(MULT_AUTH) ]
mytestcloud charon[968]: 05[NET] sending packet: from 10.0.0.64[500] to <MYIP>[500] (345 bytes)
mytestcloud charon[968]: 08[IKE] sending keep alive to <MYIP>[500]
mytestcloud charon[968]: 09[JOB] deleting half open IKE_SA with <MYIP> after timeout

我的 ipsec.conf 是:

config setup
    charondebug="ike 1, knl 1, cfg 1"
    strictcrlpolicy=no
    # uniqueids = no

conn %default
   ikelifetime=24h
   keylife=24h
   keyexchange=ikev2
   dpdaction=clear
   dpdtimeout=3600s
   dpddelay=3600s
   compress=yes
   leftfirewall=yes
   left=%any
   leftsubnet=0.0.0.0/0
   right=%any
   rightsourceip=192.168.2.100/28
#   rightdns=8.8.8.8, 8.8.4.4
#   leftsendcert=always
#   fragmentation=yes
#   rightsendcert=never
#   forceencaps=yes
   rekey=no
   auto=add
   ike=aes256-sha1-modp1024,3des-sha1-modp1024!
   esp=aes256-sha1,3des-sha1!

conn roadwarrior
   leftauth=pubkey
   leftcert=VPNCert.pem
   leftid=<SERVERIP>
   rightauth=pubkey

狀態為(Win10筆記型電腦已連線):

ubuntu@mytestcloud:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-1025-oracle, aarch64):
  uptime: 36 minutes, since Dec 12 09:05:21 2022
  malloc: sbrk 2605056, mmap 0, used 1670848, free 934208
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon pkcs11 aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac ccm gcm drbg curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap eap-tnc xauth-generic tnc-tnccs dhcp counters
Virtual IP pools (size/online/offline):
  192.168.2.100/28: 11/1/0
Listening IP addresses:
  10.0.0.64
Connections:
 roadwarrior:  %any...%any  IKEv2, dpddelay=3600s
 roadwarrior:   local:  [<SERVERIP>] uses public key authentication
 roadwarrior:    cert:  "C=<MYCOUNTRY>, O=<MYFIRM>, CN=<SERVERIP>"
 roadwarrior:   remote: uses public key authentication
 roadwarrior:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
 roadwarrior[3]: ESTABLISHED 7 minutes ago, 10.0.0.64[150.136.154.215]...<MYIP>[C=<MYCOUNTRY>, O=<MYFIRM>, CN=Win10]
 roadwarrior[3]: IKEv2 SPIs: 250f9e9db620a7e7_i 29b6ebbdb66a922a_r*, rekeying disabled
 roadwarrior[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 roadwarrior{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c084f973_i 5daafdba_o
 roadwarrior{1}:  AES_CBC_256/HMAC_SHA1_96, 30958 bytes_i (122 pkts, 80s ago), 14517 bytes_o (50 pkts, 80s ago), rekeying disabled
 roadwarrior{1}:   0.0.0.0/0 === 192.168.2.100/32

我懷疑這是某種碎片問題,因為添加後

fragmentation=no

在 ipsec.conf 中,Win10 設備以同樣的方式下降。我補充說,我相信一切都是必要的;我是說

net/ipv4/ip_no_pmtu_disc=1

在 sysctl.conf 中和

FORWARD -t mangle --match policy --pol ipsec --dir in -o enp0s3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

在 iptables 規則中。請記住,我可以在 AWS 上的 Ubuntu 16.04/strongSwan 5.2.2 中使用幾乎相同的配置,沒有任何問題。小差異是預設密碼套件和不同的伺服器憑證。那麼,我可以強制以某種方式連接這些 Windows 野獸嗎?

答案1

嗯,問題似乎出在資料包碎片上。一方面,我相信 Oracle 已將碎片硬編碼到其公共介面;另一方面,舊版 Windows 作業系統(Windows 7、Windows 8/8.1、Windows 10 pre 1803、Ubuntu 16)不支援碎片。因此,沒有任何方法可以使用此類作業系統上的客戶端來連接在 Oracle OCI 上執行的 StrongSwan。有 3 種解決方法可以克服這個限制:

  1. 遠離遺留客戶端(對於使用它們的人來說不是很令人印象深刻)。
  2. 更換雲端供應商 - 我在 Amazon AWS 和 DigitalOcean 上測試了 StrongSwan:一切都完美運作。
  3. 更改 VPN 類型 - 我個人以該解決方案結束:WireGuard 在 Oracle OCI 上沒有任何問題。我解決了 DNS 洩漏問題,這是一個很好的補充。

相關內容