I set up a strongSwan IKEv2 VPN server on Ubuntu 18.04 and am using a valid Let's Encrypt CA for it. I want to use it from an iOS app. So, here is the ipsec.conf:
config setup
    charondebug="all"
    # keep_alive=24h
    uniqueids=never
conn %default
    auto=route
    type=tunnel
    keyexchange=ikev2
    fragmentation=no
    forceencaps=no
    mobike=yes
    ike=aes256-sha256-modp1024,aes256-sha256-modp2048, aes256-aes128-sha1-modp1024-3des!
    esp=aes256-sha256-sha1-3des!
    dpdaction=clear
    dpddelay=20s
    dpdtimeout=1800s
    rekey=no
    reauth=no
    left=%any
    #leftallowany=yes
    leftcert=cert.crt
    leftca=%same
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any4
    #rightallowany=yes
    rightid=%any
    rightsourceip=172.26.0.0/16
    rightdns=8.8.8.8,8.8.4.4
    eap_identity=%identity
    rightauth=pubkey
    keyingtries=%forever
conn ikev2-mschapv2
    rightauth=eap-mschapv2
conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid=@sec.mydomain.com
and here is the content of ipsec.secrets:
sec.mydomain.com : RSA key.pem
vpnusername %any% : EAP "pass"
The problem is that when I try to connect to the server, it stays in the connecting state, and after 20 seconds it switches to disconnecting and a timeout appears in the server log. Here is the server log from tail -f /var/log/syslog:
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Reached target Timers.
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG network certificate management daemon.
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Listening on GnuPG cryptographic agent and passphrase cache.
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Reached target Sockets.
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Reached target Basic System.
Sep 3 07:25:25 vps-10d57688 systemd[1]: Started User Manager for UID 1000.
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Reached target Default.
Sep 3 07:25:25 vps-10d57688 systemd[7908]: Startup finished in 33ms.
Sep 3 07:25:38 vps-10d57688 charon: 13[NET] received packet: from 151.243.253.166[500] to x.x.x.x[500] (604 bytes)
Sep 3 07:25:38 vps-10d57688 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 3 07:25:38 vps-10d57688 charon: 13[IKE] 151.243.253.166 is initiating an IKE_SA
Sep 3 07:25:38 vps-10d57688 charon: 13[IKE] remote host is behind NAT
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-99-generic, x86_64)
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] PKCS11 module '<name>' lacks library path
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] disabling load-tester plugin, not configured
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] dnscert plugin is disabled
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] ipseckey plugin is disabled
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] attr-sql plugin: database URI not set
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loaded ca certificate "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root" from '/etc/ipsec.d/cacerts/chain.pem'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/key.pem'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loaded EAP secret for vpnusername %any%
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] sql plugin: database URI not set
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] eap-simaka-sql database URI missing
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] loaded 0 RADIUS server configurations
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] HA config misses local/remote address
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] no threshold configured for systime-fix, disabled
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[CFG] coupling file path unspecified
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 00[JOB] spawning 16 worker threads
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] received stroke: add connection 'ikev2-mschapv2'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] adding virtual IP address pool 172.26.0.0/16
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] loaded certificate "OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com" from 'cert.crt'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] id '%any' not confirmed by certificate, defaulting to 'OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 05[CFG] added configuration 'ikev2-mschapv2'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 07[CFG] received stroke: route 'ikev2-mschapv2'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 07[CFG] installing trap failed, remote address unknown
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] received stroke: add connection 'ikev2-mschapv2-apple'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] reusing virtual IP address pool 172.26.0.0/16
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] loaded certificate "OU=Domain Control Validated, OU=EssentialSSL, CN=sec.mydomain.com" from 'cert.crt'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 09[CFG] added configuration 'ikev2-mschapv2-apple'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 11[CFG] received stroke: route 'ikev2-mschapv2-apple'
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 11[CFG] installing trap failed, remote address unknown
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 16[NET] received packet: from 151.243.253.166[500] to x.x.x.x[500] (604 bytes)
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] 151.243.253.166 is initiating an IKE_SA
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] remote host is behind NAT
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 16[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 16[NET] sending packet: from x.x.x.x[500] to 151.243.253.166[500] (473 bytes)
Sep 3 07:25:38 vps-10d57688 ipsec[7723]: 07[JOB] deleting half open IKE_SA with 151.243.253.166 after timeout
More logs: I used tcpdump and nc to test port 4500, and it worked, but when I try to connect to the VPN, it neither receives nor sends any packets:
Here is the output for the nc call:
ubuntu@vps-10d57688:~$ sudo tcpdump -i ens3 udp port 4500 -vv -X
tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:49:46.754565 IP (tos 0x0, ttl 52, id 31208, offset 0, flags [none], proto UDP (17), length 31)
192.64.83.84.51285 > vps-10d57688.vps.ovh.ca.ipsec-nat-t: [udp sum ok] [|isakmp]
0x0000: 4500 001f 79e8 0000 3411 f82a c040 5354 E...y...4..*.@ST
0x0010: 4246 bee0 c855 1194 000b 9ec9 6869 0a BF...U......hi.
15:50:00.565036 IP (tos 0x0, ttl 52, id 4681, offset 0, flags [none], proto UDP (17), length 33)
192.64.83.84.51285 > vps-10d57688.vps.ovh.ca.ipsec-nat-t: [udp sum ok] UDP-encap: [|ESP]
0x0000: 4500 0021 1249 0000 3411 5fc8 c040 5354 E..!.I..4._..@ST
0x0010: 4246 bee0 c855 1194 000d 1f55 7465 7374 BF...U.....Utest
0x0020: 0a .
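The charon excerpt above ends with `deleting half open IKE_SA ... after timeout` right after the IKE_SA_INIT response was sent, which means the peer's IKE_AUTH never reached the daemon. The following script is an added example (not part of the question or of strongSwan) that walks syslog text and reports, per peer, how far the handshake got before charon gave up; the sample log is constructed from the lines quoted above plus a made-up second peer (203.0.113.7) that completes IKE_AUTH.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon lines quoted in the question; the
# second peer (203.0.113.7, a documentation address) is made up as a good case.
SAMPLE_LOG = """\
Sep 3 07:25:38 vps charon: 16[NET] received packet: from 151.243.253.166[500] to x.x.x.x[500] (604 bytes)
Sep 3 07:25:38 vps charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Sep 3 07:25:38 vps charon: 16[IKE] remote host is behind NAT
Sep 3 07:25:38 vps charon: 16[NET] sending packet: from x.x.x.x[500] to 151.243.253.166[500] (473 bytes)
Sep 3 07:25:58 vps charon: 07[JOB] deleting half open IKE_SA with 151.243.253.166 after timeout
Sep 3 07:26:10 vps charon: 08[NET] received packet: from 203.0.113.7[500] to x.x.x.x[500] (600 bytes)
Sep 3 07:26:10 vps charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 3 07:26:10 vps charon: 08[NET] sending packet: from x.x.x.x[500] to 203.0.113.7[500] (473 bytes)
Sep 3 07:26:11 vps charon: 09[NET] received packet: from 203.0.113.7[4500] to x.x.x.x[4500] (1200 bytes)
Sep 3 07:26:11 vps charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CERTREQ SA TSi TSr ]
"""

# Both "charon:" and "ipsec[pid]:" prefixes appear in the syslog excerpt above.
LINE_RE = re.compile(r"(?:charon|ipsec\[\d+\]): (?P<thr>\d+)\[[A-Z]+\] (?P<msg>.*)$")
RECV_RE = re.compile(r"^received packet: from (?P<ip>[\d.]+)\[\d+\] to")
SEND_RE = re.compile(r"^sending packet: from \S+ to (?P<ip>[\d.]+)\[")
HALF_OPEN_RE = re.compile(r"deleting half open IKE_SA with (?P<ip>[\d.]+) after timeout")

def diagnose_half_open(log_text):
    """Return ({peer_ip: verdict}, {peer_ip: last_state}) from charon syslog text.
    charon prints the peer address only on [NET] lines, so a parsed IKE message
    is attributed to the last peer seen on the same worker thread."""
    last_peer = {}                             # worker thread -> peer ip
    state = defaultdict(lambda: "unknown")     # peer ip -> handshake progress
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        thr, msg = m.group("thr"), m.group("msg")
        if r := RECV_RE.match(msg):
            last_peer[thr] = r.group("ip")
        elif "parsed IKE_SA_INIT request" in msg and thr in last_peer:
            state[last_peer[thr]] = "init_received"
        elif (s := SEND_RE.match(msg)) and state[s.group("ip")] == "init_received":
            state[s.group("ip")] = "init_answered"
        elif "parsed IKE_AUTH request" in msg and thr in last_peer:
            state[last_peer[thr]] = "auth_received"
        elif h := HALF_OPEN_RE.search(msg):
            ip = h.group("ip")
            verdicts[ip] = {
                "init_answered": "IKE_SA_INIT answered but no IKE_AUTH followed: the "
                                 "client's next packet (UDP/4500 for a NATed peer) never arrived",
                "init_received": "IKE_SA_INIT received but charon never sent a response",
            }.get(state[ip], "timeout with no prior IKE_SA_INIT seen from this peer")
    return verdicts, dict(state)
```

Run it over `journalctl -u strongswan` or `/var/log/syslog` output to separate peers that stall after IKE_SA_INIT (a path or NAT-T problem on the way to UDP/4500) from peers whose IKE_AUTH arrives but fails authentication.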