我有一個 .sswan 配置文件,其中包含來自伺服器管理員的嵌入式證書和用戶名/密碼。它可以毫無問題地連接到 Watchguard VPN。伺服器管理員告訴我我可以「本地」連接我的 ubuntu 伺服器。我還沒有發現這一點,但在我的研究中,我發現 linux Strongswan 應用程式可以連接。使連線成功的正確參數是什麼?
我使用 Linux StrongSwan U5.9.5/K5.19.0-1025-aws
連線失敗。我收到的錯誤:'username_from_admin' not confirmed by certificate
和no private key found for 'O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN xxx 2023-03-14 13:57:23 UTC) CA'
我在下面附上了我的日誌和連接參數。
系統日誌:
ipsec[421754]: 00[NET] using forecast interface ens5
ipsec[421754]: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
ipsec[421754]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
ipsec[421754]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
ipsec[421754]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
ipsec[421754]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
ipsec[421754]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
ipsec[421754]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
ipsec[421754]: 00[CFG] loaded EAP secret for username_from_admin
ipsec[421754]: 00[CFG] loaded 0 RADIUS server configurations
ipsec[421754]: 00[CFG] HA config misses local/remote address
ipsec[421754]: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
ipsec[421754]: 00[LIB] dropped capabilities, running as uid 0, gid 0
ipsec[421754]: 00[JOB] spawning 16 worker threads
ipsec[421750]: charon (421754) started after 60 ms
ipsec[421754]: 05[CFG] received stroke: add connection 'XYZ-IKEv2-VPN'
ipsec[421754]: 05[KNL] 8.x.x.x is not a local address or the interface is down
ipsec[421754]: 05[CFG] loaded certificate "O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN XYZ 2023-03-14 13:57:23 UTC) CA" from '/etc/ipsec.d/certs/rootca.pem'
ipsec[421754]: 05[CFG] id 'username_from_admin' not confirmed by certificate, defaulting to 'O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN XYZ 2023-03-14 13:57:23 UTC) CA'
ipsec[421754]: 05[CFG] added configuration 'XYZ-IKEv2-VPN'
運行結果: sudo ipsec up XYZ-IKEv2-VPN COMMAND
ubuntu@ip-xxxx:/$ sudo systemctl restart strongswan-starter
ubuntu@ip-xxxx:/$ sudo ipsec up XYZ-IKEv2-VPN
initiating IKE_SA XYZ-IKEv2-VPN[1] to 8.x.x.x
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 172.31.x.x[500] to 8.x.x.x[500] (1164 bytes)
received packet: from 8.x.x.x[500] to 172.31.x.x[500] (496 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4f:53:34:79:49:45:4a:4f:50:54:59:33:4e:54:67:78:4e:77:3d:3d
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
sending cert request for "O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN xxx 2023-03-14 13:57:23 UTC) CA"
no private key found for 'O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN xxx 2023-03-14 13:57:23 UTC) CA'
establishing connection 'XYZ-IKEv2-VPN' failed
ipsec.conf:
conn XYZ-IKEv2-VPN
leftsourceip=%config
auto=add
ike=aes256gmac-prfsha256-modp2048
esp=aes256gmac-modp2048
keyexchange=ikev2
right=8.x.x.x
rightsubnet=172.30.x.x
rightid=8.x.x.x
leftid=username_from_admin
leftcert=/etc/ipsec.d/certs/rootca.pem
ipsec.秘密:
username_from_admin : EAP "password_from_admin"
證書檔案位置: ipsec.d/憑證/
答案1
我可以看到幾個問題:
leftcert
是您自己的證書,而不是伺服器的證書,它位於 中rightcert
,但是...- ……由於這似乎是一個 CA 證書,因此您不必在 ipsec.conf 中配置它,只需將其移至
/etc/ipsec.d/cacerts
- 由於設定檔設定為透過 EAP 而不是憑證進行用戶端身份驗證,因此您還需要設定
leftauth=eap