Post updated: 26.06 11:22
I am trying to use a Raspberry Pi running Arch Linux as a strongSwan IKEv2 server for my Windows Phone 8.1 smartphone. I want to use a client certificate for authentication. My current result is an established connection. I can see data packets leaving the tunnel, but no reply packets entering the tunnel. Can anyone help? For testing purposes the smartphone is connected to the local Wi-Fi (later I would like to use the GSM connection).
Local network: 192.168.178.0/24; IPs for the tunnel: 192.168.250.0/24
ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    strictcrlpolicy=no
    # uniqueids = no

# Add connections here.

# Connection from Windows Phone 8.1 with client certificate
conn eap-tls
    keyexchange=ikev2
    left=%any
    leftsubnet=0.0.0.0/0
    leftid=@fischefr.ddns.net
    leftcert=vpnHostCert.pem
    leftauth=pubkey
    leftfirewall=yes
    right=%any
    rightauth=eap-tls
    # rightsourceip=%dhcp
    rightsourceip=192.168.250.0/24
    eap_identity=%any
    forceencaps = yes
    auto=start
    # rightsendcert=never
    # compress=yes
    # rightcert=FranzCert.pem
    # esp=aes256-sha1_160-ecp512bp!

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start
iptables-save:
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:10:48 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.250.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jun 26 09:10:48 2015
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:10:48 2015
*filter
:INPUT ACCEPT [33:2276]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:2872]
COMMIT
# Completed on Fri Jun 26 09:10:48 2015
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:10:48 2015
*raw
:PREROUTING ACCEPT [34:2328]
:OUTPUT ACCEPT [28:3264]
-A PREROUTING -s 192.168.250.0/24 -j LOG
-A PREROUTING -d 192.168.250.0/24 -j LOG
COMMIT
# Completed on Fri Jun 26 09:10:48 2015
Still no ideas?
After starting strongswan, iptables-save shows the following rules:
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:14:12 2015
*nat
:PREROUTING ACCEPT [4:2319]
:INPUT ACCEPT [4:2319]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.250.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jun 26 09:14:12 2015
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:14:12 2015
*filter
:INPUT ACCEPT [17:1708]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14:1960]
-A FORWARD -s 192.168.250.1/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -d 192.168.250.1/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
# Completed on Fri Jun 26 09:14:12 2015
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:14:12 2015
*raw
:PREROUTING ACCEPT [271:22907]
:OUTPUT ACCEPT [191:25761]
-A PREROUTING -s 192.168.250.0/24 -j LOG
-A PREROUTING -d 192.168.250.0/24 -j LOG
COMMIT
# Completed on Fri Jun 26 09:14:12 2015
One test: I started strongswan, connected the phone and entered 192.168.178.1 (the Fritzbox router) in the URL field. journalctl shows the following lines:
Jun 26 09:17:27 alarmpi ipsec_starter[858]: Starting strongSwan 5.3.2 IPsec [starter]...
Jun 26 09:17:27 alarmpi ipsec_starter[867]: charon (868) started after 480 ms
Jun 26 09:17:34 alarmpi vpn[893]: + 192.168.178.23 192.168.250.1/32 == 87.154.185.133 -- 192.168.178.25 == 0.0.0.0/0
Jun 26 09:17:37 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:01:48:44:91:00:00:80:11:3a:6a SRC=192.168.250.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=17553 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 26 09:17:38 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:01:48:44:92:00:00:80:11:3a:69 SRC=192.168.250.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=17554 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 26 09:17:40 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:00:34:1e:d7:40:00:80:06:ae:98 SRC=192.168.250.1 DST=192.168.178.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7895 DF PROTO=TCP SPT=50925 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 26 09:17:41 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:00:34:1e:d8:40:00:80:06:ae:97 SRC=192.168.250.1 DST=192.168.178.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7896 DF PROTO=TCP SPT=50925 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 26 09:17:43 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:01:48:44:93:00:00:80:11:3a:68 SRC=192.168.250.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=17555 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 26 09:17:43 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:00:30:1e:d9:40:00:80:06:ae:9a SRC=192.168.250.1 DST=192.168.178.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=7897 DF PROTO=TCP SPT=50925 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Unfortunately, there are no packets from 192.168.178.1 to 192.168.250.0. Something is going wrong. I am not sure about the strongswan configuration, but the tunnel is established ...
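As an added example (not code from the post), a small Python diagnostic that parses netfilter "-j LOG" kernel lines like the journalctl output above and lists flows from the 192.168.250.0/24 pool that never get a packet back in the reverse direction. The sample input is three of the post's own log lines plus two constructed lines showing what an answered flow looks like.

```python
import ipaddress
import re
from collections import defaultdict

# Added example: offline parser for netfilter "-j LOG" kernel lines, used to
# spot one-way traffic from the VPN client pool (requests seen, no replies).
VPN_POOL = ipaddress.ip_network("192.168.250.0/24")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Sample input: the first three lines are taken from the post's journalctl
# output; the last two are constructed to show an answered flow for contrast.
SAMPLE_LOG = [
    "Jun 26 09:17:37 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:01:48:44:91:00:00:80:11:3a:6a SRC=192.168.250.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=17553 PROTO=UDP SPT=68 DPT=67 LEN=308",
    "Jun 26 09:17:40 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:00:34:1e:d7:40:00:80:06:ae:98 SRC=192.168.250.1 DST=192.168.178.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7895 DF PROTO=TCP SPT=50925 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 26 09:17:41 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:00:34:1e:d8:40:00:80:06:ae:97 SRC=192.168.250.1 DST=192.168.178.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7896 DF PROTO=TCP SPT=50925 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    # constructed: a second request from the pool that does get a SYN-ACK back
    "Jun 26 09:20:01 alarmpi kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.250.1 DST=192.168.178.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=8001 DF PROTO=TCP SPT=50930 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun 26 09:20:01 alarmpi kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.178.1 DST=192.168.250.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=50930 WINDOW=29200 RES=0x00 ACK SYN URGP=0",
]

def parse_log_line(line):
    """Return the KEY=VALUE fields of a netfilter LOG line as a dict, else None."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split("kernel:", 1)[1]))
    return fields if "PROTO" in fields else None

def flow_key(fields):
    """5-tuple (proto, src, sport, dst, dport); ports are 0 for ICMP and similar."""
    return (fields["PROTO"], fields["SRC"], int(fields.get("SPT", 0)),
            fields["DST"], int(fields.get("DPT", 0)))

def unanswered_flows(lines):
    """Flows from VPN_POOL with no packet logged in the reverse direction.
    Broadcast destinations are skipped: their answers never match the reverse tuple."""
    seen = defaultdict(int)
    for line in lines:
        fields = parse_log_line(line)
        if fields:
            seen[flow_key(fields)] += 1
    result = {}
    for (proto, src, sport, dst, dport), count in seen.items():
        if ipaddress.ip_address(src) not in VPN_POOL or dst == "255.255.255.255":
            continue
        if (proto, dst, dport, src, sport) not in seen:
            result[(proto, src, sport, dst, dport)] = count
    return result

if __name__ == "__main__":
    for key, count in unanswered_flows(SAMPLE_LOG).items():
        print(f"no reply: {key[0]} {key[1]}:{key[2]} -> {key[3]}:{key[4]} ({count} packets)")
```

One caveat when feeding it real logs: the raw table is hooked before connection tracking, so a reply to masqueraded traffic still carries the masqueraded address as DST there; a LOG rule in the filter FORWARD chain sees the de-translated pool address instead.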