I'm having trouble configuring strongSwan 4.5.2 to work with iOS 7 and OS X Mavericks. I followed these two guides, but I'm still running into problems: http://teebeenator.blogspot.com/2013/06/strongswan-for-raspberry-pi.html http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
I suspect the problem is related to the old strongSwan version; unfortunately, my server is a Raspberry Pi, and I don't think there is an easy way to get strongSwan 5.x onto the Pi.
This may be a red herring, but I suspect that the following error message in my /var/log/auth.log has something to do with my problem:
message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
I can't find anything useful online about this error message (at least nothing in English; I've seen a few mentions of it in German).
Here are the contents of /etc/strongswan.conf:
# strongswan.conf - strongSwan configuration file

charon {
    # number of worker threads in charon
    threads = 16
    # send strongswan vendor ID?
    # send_vendor_id = yes

    plugins {
        sql {
            # loglevel to log into sql database
            loglevel = -1
            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
        dhcp {
            identity_lease = yes
        }
    }
    # ...
}

pluto {
    dns1 = 192.168.0.1
}

libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}
Next, the contents of /etc/ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    nat_traversal=yes
    #charonstart=yes
    plutostart=yes

# Add connections here.
conn %default
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.0.0.2
    rightcert=clientCert.pem
    pfs=no
    auto=add

conn rw-eap
    dpdaction=clear
    dpddelay=300s
    leftauth=pubkey
    leftcert=serverCert.pem
    rightauth=eap-mschapv2
    rightsendcert=never

include /var/lib/strongswan/ipsec.conf.inc
And I copied the following files, as the guides specify:
cp caCert.pem /etc/ipsec.d/cacerts/
cp serverCert.pem /etc/ipsec.d/certs/
cp serverKey.pem /etc/ipsec.d/private/
cp clientCert.pem /etc/ipsec.d/certs/
cp clientKey.pem /etc/ipsec.d/private/
I also edited my /usr/lib/ssl/openssl.cnf to contain the appropriate subjectAltName before generating these certificates.
Any help would be greatly appreciated, even if it's just a suggestion on how I could get a newer version of strongSwan onto my Pi! Thanks!
Below is more complete output from auth.log with the dates removed.
Starting the server
sudo: pi : TTY=pts/1 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/sbin/ipsec start
sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
ipsec_starter[22013]: Starting strongSwan 4.5.2 IPsec [starter]...
sudo: pam_unix(sudo:session): session closed for user root
pluto[22027]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
ipsec_starter[22026]: pluto (22027) started after 20 ms
pluto[22027]: listening on interfaces:
pluto[22027]: eth0
pluto[22027]: 192.168.1.9
pluto[22027]: received netlink error: Address family not supported by protocol (97)
pluto[22027]: unable to create IPv6 routing table rule
pluto[22027]: loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink
pluto[22027]: including NAT-Traversal patch (Version 0.6c)
pluto[22027]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
ipsec_starter[22026]: charon (22028) started after 740 ms
pluto[22027]: loading ca certificates from '/etc/ipsec.d/cacerts'
pluto[22027]: loaded ca certificate from '/etc/ipsec.d/cacerts/caCert.pem'
pluto[22027]: loading aa certificates from '/etc/ipsec.d/aacerts'
pluto[22027]: loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
pluto[22027]: Changing to directory '/etc/ipsec.d/crls'
pluto[22027]: loading attribute certificates from '/etc/ipsec.d/acerts'
pluto[22027]: spawning 4 worker threads
pluto[22027]: listening for IKE messages
pluto[22027]: adding interface eth0/eth0 192.168.1.9:500
pluto[22027]: adding interface eth0/eth0 192.168.1.9:4500
pluto[22027]: adding interface lo/lo 127.0.0.1:500
pluto[22027]: adding interface lo/lo 127.0.0.1:4500
pluto[22027]: loading secrets from "/etc/ipsec.secrets"
pluto[22027]: no secrets filename matched "/var/lib/strongswan/ipsec.secrets.inc"
pluto[22027]: loaded private key from 'serverKey.pem'
pluto[22027]: loaded XAUTH secret for peter.story
pluto[22027]: loaded host certificate from '/etc/ipsec.d/certs/serverCert.pem'
pluto[22027]: id '%any' not confirmed by certificate, defaulting to 'C=CH, O=storyZone, CN=storyzone.us.to'
pluto[22027]: loaded host certificate from '/etc/ipsec.d/certs/clientCert.pem'
pluto[22027]: id '%any' not confirmed by certificate, defaulting to 'C=CH, O=storyZone, CN=piclient'
pluto[22027]: added connection description "rw-eap"
Connection attempt from iOS
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [RFC 3947]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [XAUTH]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [Cisco-Unity]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [Dead Peer Detection]
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [RFC 3947]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [XAUTH]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [Cisco-Unity]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [Dead Peer Detection]
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [RFC 3947]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [XAUTH]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [Cisco-Unity]
pluto[22027]: packet from 96.237.188.238:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
pluto[22027]: packet from 96.237.188.238:500: received Vendor ID payload [Dead Peer Detection]
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: responding to Main Mode from unknown peer 96.237.188.238
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #2: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: "rw-eap"[1] 96.237.188.238 #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_SA)
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: sending notification INVALID_PAYLOAD_TYPE to 96.237.188.238:500
pluto[22027]: "rw-eap"[1] 96.237.188.238 #3: ignoring informational payload, type INVALID_PAYLOAD_TYPE
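The pluto message "unexpected payload type (ISAKMP_NEXT_SA)" means the responder found an SA payload in a message that its current Main Mode state does not allow, and it answers with INVALID_PAYLOAD_TYPE. The following Python is an added example, not code from the question or from strongSwan: it walks an ISAKMP message's next-payload chain and checks the payloads against what each Main Mode step expects; the message bytes and the expected-payload table are constructed for the demonstration.

```python
import struct

# ISAKMP payload type numbers from RFC 2408 (pluto names them ISAKMP_NEXT_<name>)
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
MAIN_MODE = 2  # ISAKMP exchange type "Identity Protection"
# What a Main Mode responder expects per incoming message: MM1 the SA proposal,
# MM3 the KE and NONCE, MM5 the (encrypted) ID plus HASH or SIG/CERT.
EXPECTED = {"MM1": {"SA"}, "MM3": {"KE", "NONCE"}, "MM5": {"ID", "HASH", "SIG", "CERT"}}
OPTIONAL = {"VID", "N", "CR"}  # legal in any message; pluto logs and ignores VIDs

def parse_isakmp(data):
    """Walk the next-payload chain; return (exchange_type, [payload names])."""
    if len(data) < 28:
        raise ValueError("short ISAKMP header")
    next_payload, _ver, exch, _flags, _msg_id, length = struct.unpack("!BBBBII", data[16:28])
    if length != len(data):
        raise ValueError("ISAKMP length field does not match packet size")
    payloads, offset = [], 28
    while next_payload != 0:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % offset)
        nxt, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, offset))
        payloads.append(PAYLOAD_NAMES.get(next_payload, "UNKNOWN(%d)" % next_payload))
        offset, next_payload = offset + plen, nxt
    return exch, payloads

def unexpected_payloads(state, payloads):
    """Payloads the responder state (MM1/MM3/MM5) does not allow in this message."""
    allowed = EXPECTED[state] | OPTIONAL
    return [p for p in payloads if p not in allowed]

def build_message(exch, payloads):
    """Constructed test data: minimal ISAKMP message from (payload_type, body_len) tuples."""
    body = b""
    for i, (_ptype, blen) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + blen) + b"\x00" * blen
    first = payloads[0][0] if payloads else 0
    cookies = b"\x11" * 8 + b"\x00" * 8  # initiator cookie set, responder cookie zero (MM1)
    return cookies + struct.pack("!BBBBII", first, 0x10, exch, 0, 0, 28 + len(body)) + body

if __name__ == "__main__":
    # A first Main Mode message as iOS sends it: SA proposal followed by vendor IDs.
    exch, chain = parse_isakmp(build_message(MAIN_MODE, [(1, 20), (13, 16), (13, 8)]))
    print(exch, chain, unexpected_payloads("MM1", chain))  # 2 ['SA', 'VID', 'VID'] []
    print(unexpected_payloads("MM3", chain))  # ['SA']: the SA is unexpected once MM1 was answered
```

The second check reproduces the logged situation: a message carrying an SA payload arriving at a state that has already answered MM1 is exactly what pluto rejects with INVALID_PAYLOAD_TYPE.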