
OS X 10.10 для StrongSwan VPN

Я пытаюсь протестировать новый (ещё не доделанный) VPN-сервер StrongSwan IPSec, подключаясь к нему с OS X 10.10.

Это очень расстраивает, потому что журналы показывают серию сообщений об успехе, а затем подключение всё равно не удаётся. Я также не понимаю, почему Security Association называется «(unnamed)[3]».

На этой странице пошагово описано, как получить конфигурацию racoon, которая выглядит примерно так:

# racoon "remote" section exported from the OS X "Cisco IPSec" VPN profile.
remote myvpc.mydomain.com {
   doi ipsec_doi;
   situation identity_only;
   # IKEv1 Main Mode, matching "initiating a Main Mode IKE_SA" in the charon log below.
   exchange_mode main;
   # The peer's ID payload is not checked against an expected identifier.
   verify_identifier off;
   # The PSK lives in a keychain item; it is not stored in this file.
   shared_secret keychain "SOME-HASH.SS";
   local_address 10.0.0.149;
   nonce_size 16;
   # Dead peer detection settings.
   dpd_delay 20;
   dpd_retry 5;
   dpd_maxfail 5;
   dpd_algorithm dpd_blackhole_detect;
   initial_contact on;
   support_proxy on;
   # Accept the responder's proposal parameters (e.g. lifetime) even if they differ.
   proposal_check obey;
   # XAuth username; this is separate from the IKE peer identity.
   xauth_login "staff";
   # Mode-config is requested, so the gateway is expected to hand out a virtual IP
   # (the working server config below does this with rightsourceip).
   mode_cfg on;

   proposal {
      # PSK plus XAuth on the client side; corresponds to authby=xauthpsk on the server.
      authentication_method xauth_psk_client;
      hash_algorithm sha1;
      encryption_algorithm aes 256;
      lifetime time 3600 sec;
      # 1024-bit MODP (group 2), which is what charon selects as MODP_1024 below;
      # a larger group is preferable where the client allows it.
      dh_group 2;
   }
   ...
}

Моя лучшая попытка перенести это в /etc/ipsec.conf на сервере выглядит так:

# Defaults inherited by every conn below.
# NOTE(review): keyexchange=ikev2 here is overridden by keyexchange=ikev1 in conn osx,
# so nothing IKEv2-specific applies to the OS X client.
conn %default
    keyexchange=ikev2
    # ike= without a trailing "!" is not strict: the charon log below lists the
    # configured proposals as this entry followed by the full default list.
    ike=aes256-sha1-modp1536
    esp=aes256-sha1
    authby=psk
    ikelifetime=24h
    lifetime=1h
    leftid=myvpc.mydomain.com
    # auto=start makes strongSwan try to initiate the tunnel itself; the working
    # config below uses auto=add, which only loads the conn and waits for the client.
    auto=start

# IKEv1 + XAuth/PSK conn meant to match the racoon "Cisco IPSec" profile above.
# NOTE(review): in the logs below charon answers Main Mode message 1 (136-byte
# ID_PROT response) but the client keeps retransmitting message 1, so the current
# failure looks like a UDP 500/4500 return-path problem rather than a mismatch in
# this conn — confirm before changing parameters here.
conn osx
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    # Matches the proposal charon selects below: AES_CBC_256/HMAC_SHA1_96/MODP_1024.
    ike=aes256-sha1-modp1024
    # NOTE(review): left is given as a /27 subnet, while the gateway listens on
    # 10.200.0.50 (see "Listening IP addresses" in statusall); the working config uses left=%any.
    left=10.200.0.32/27
    leftsubnet=10.200.0.96/27
    # Pins a single client public address; right=%any (as in the working config)
    # accepts any roaming client instead.
    right=1.2.3.4
    # NOTE(review): rightid is the IKE peer identity, not the XAuth login — statusall
    # reports "remote: [staff] uses pre-shared key authentication", so the client's
    # ID payload would presumably have to be "staff"; racoon only sets xauth_login "staff".
    rightid=staff
    # NOTE(review): no rightsourceip although the racoon profile has mode_cfg on; the
    # working config below supplies a virtual IP pool — likely needed here as well.

Когда я пытаюсь подключиться с Mac, используя тип VPN «Cisco IPSec», в журналах сервера появляется:

charon: 16[MGR] checkout IKE_SA by message
charon: 16[MGR] created IKE_SA (unnamed)[3]
charon: 16[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
charon: 16[CFG] looking for an ike config for 10.200.0.50...1.2.3.4
charon: 16[CFG]   candidate: 10.200.0.32/27...1.2.3.4, prio 2292
charon: 16[CFG] found matching ike config: 10.200.0.32/27...1.2.3.4 with prio 2292
charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 16[IKE] received XAuth vendor ID
charon: 16[IKE] received Cisco Unity vendor ID
charon: 16[IKE] received FRAGMENTATION vendor ID
charon: 16[IKE] received DPD vendor ID
charon: 16[IKE] 1.2.3.4 is initiating a Main Mode IKE_SA
charon: 16[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
charon: 16[CFG] selecting proposal:
charon: 16[CFG]   proposal matches
charon: 16[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
charon: 16[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_8192/ECP_256/ECP_384/ECP_521/MODP_1024_160/MODP_2048_224/MODP_2048_256/ECP_192/ECP_224/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
charon: 16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 16[IKE] sending XAuth vendor ID
charon: 16[IKE] sending DPD vendor ID
charon: 16[IKE] sending NAT-T (RFC 3947) vendor ID
charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
charon: 16[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
charon: 16[MGR] checkin IKE_SA (unnamed)[3]
charon: 16[MGR] check-in of IKE_SA successful.
charon: 07[MGR] checkout IKE_SA by message
charon: 07[MGR] IKE_SA (unnamed)[3] successfully checked out
charon: 07[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
charon: 07[IKE] received retransmit of request with ID 0, retransmitting response
charon: 07[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
charon: 07[MGR] checkin IKE_SA (unnamed)[3]
charon: 07[MGR] check-in of IKE_SA successful.
charon: 09[MGR] checkout IKE_SA by message
charon: 09[MGR] IKE_SA (unnamed)[3] successfully checked out
charon: 09[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
charon: 09[IKE] received retransmit of request with ID 0, retransmitting response
charon: 09[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
charon: 09[MGR] checkin IKE_SA (unnamed)[3]
charon: 09[MGR] check-in of IKE_SA successful.
charon: 08[MGR] checkout IKE_SA by message
charon: 08[MGR] IKE_SA (unnamed)[3] successfully checked out
charon: 08[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
charon: 08[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
charon: 08[MGR] checkin IKE_SA (unnamed)[3]
charon: 08[MGR] check-in of IKE_SA successful.

Локальные журналы мне мало что говорят, но привожу их на случай, если они пригодятся кому-то ещё:

nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: Received a start command from SystemUIServer[503]
nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: status changed to connecting
nesessionmanager[25701]: IPSec connecting to server myvpc.mydomain.com
nesessionmanager[25701]: IPSec Phase1 starting.
racoon[27001]: accepted connection on vpn control socket.
--- last message repeated 1 time ---
racoon[27001]: IPSec connecting to server myvpc.mydomain.com
--- last message repeated 1 time ---
racoon[27001]: Connecting.
racoon[27001]: IPSec Phase 1 started (Initiated by me).
--- last message repeated 1 time ---
racoon[27001]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
racoon[27001]: >>>>> phase change status = Phase 1 started by us
--- last message repeated 1 time ---
racoon[27001]: IKE Packet: transmit success. (Phase 1 Retransmit).
--- last message repeated 2 times ---
nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: status changed to disconnecting
nesessionmanager[25701]: IPSec disconnecting from server myvpc.mydomain.com
racoon[27001]: IPSec disconnecting from server myvpc.mydomain.com
--- last message repeated 1 time ---
racoon[27001]: failed to send vpn_control message: Broken pipe
--- last message repeated 1 time ---
racoon[27001]: glob found no matches for path "/var/run/racoon/*.conf"
--- last message repeated 1 time ---
racoon[27001]: IPSec disconnecting from server myvpc.mydomain.com
--- last message repeated 1 time ---
nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: status changed to disconnected, last stop reason 0
UserNotificationCenter[27003]: *** WARNING: Method userSpaceScaleFactor in class NSWindow is deprecated on 10.7 and later. It should not be used in new applications. Use convertRectToBacking: instead.

Когда я запускаю `ipsec statusall` на VPN-шлюзе в тот момент, когда OS X пытается подключиться, вывод такой:

Listening IP addresses:
  10.200.0.50
Connections:
         osx:  10.200.0.32/27...<public ip>  IKEv1
         osx:   local:  [my-server.my-domain.com] uses pre-shared key authentication
         osx:   remote: [staff] uses pre-shared key authentication
         osx:   remote: uses XAuth authentication: any
         osx:   child:  10.200.0.96/27 === dynamic TUNNEL
Security Associations (0 up, 1 connecting):
   (unnamed)[3]: CONNECTING, 10.200.0.50[%any]...1.2.3.4[%any]
   (unnamed)[3]: IKEv1 SPIs: HEX_CHARS_i HEX_CHARS_r*
   (unnamed)[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   (unnamed)[3]: Tasks passive: ISAKMP_VENDOR MAIN_MODE ISAKMP_NATD 

Это мой рабочий конфиг:

ipsec.conf:

# Road-warrior IKEv1 conn: the gateway authenticates with an X.509 certificate,
# clients with a certificate (rightauth=pubkey) followed by an XAuth round against RADIUS.
conn rw-ikev1
    left=%any
    # Full tunnel: all IPv4 and IPv6 client traffic is routed through the gateway.
    leftsubnet=0.0.0.0/0,::0/0
    leftauth=pubkey
    leftcert="hubud2.pem"
    leftid=@xxx.atw.hu
    right=%any
    rightauth=pubkey
    rightauth2=xauth-radius
    # Additional authorization: the peer must belong to this group
    # (presumably delivered by the RADIUS backend — confirm).
    rightgroups="cn=vpn_users_trusted/ou=roles/dc=y7/dc=hu"
    # Virtual IP pools handed to clients; pairs with mode_cfg on in racoon.conf.
    rightsourceip=192.168.100.0/28,2a01:270:1035:ff::/120
    # Custom updown script; worth confirming it is writable by root only.
    leftupdown=/etc/ipsec.d/up.d/debug
    keyexchange=ikev1
    # auto=add: load the conn and wait for clients, never initiate.
    auto=add
    # Proposals are left at strongSwan defaults (the "!" would have made them strict);
    # the status output below shows AES_CBC_256/HMAC_SHA1_96/MODP_1536 for IKE
    # and AES_CBC_128/HMAC_SHA1_96 for ESP being negotiated.
    #ike=aes256-sha1-modp1024!
    #esp=aes256-sha1!
    # Dead peer detection: on timeout the SA is simply removed, no reconnect attempt.
    dpdaction=clear
    dpddelay=300s
    # rekey=no: the gateway never rekeys (status shows "rekeying disabled"), so
    # the client has to initiate rekeying; keys otherwise stay the same for the SA lifetime.
    rekey=no

racoon.conf на стороне OS X:

# Working OS X racoon "remote" section for the certificate + XAuth (rw-ikev1) setup above.
remote 1.2.3.4 {
    doi ipsec_doi;
    situation identity_only;
    exchange_mode main;
    # The client identifies itself by its certificate's subject DN.
    my_identifier asn1dn;
    peers_identifier address "1.2.3.4";
    # NOTE(review): the gateway's ID payload is not compared to peers_identifier here;
    # the gateway is still authenticated through its certificate (verify_cert on).
    verify_identifier off;
    # Client certificate is looked up in the keychain by a persistent reference.
    certificate_type x509 in_keychain "c3N1aQ[...]5QRU=";
    # Gateway certificate is validated by the macOS Security framework, using the
    # peer identifier above for the match.
    verify_cert on;
    certificate_verification sec_framework use_peers_identifier;
    local_address 192.168.213.102;
    nonce_size 16;
    # Dead peer detection settings.
    dpd_delay 20;
    dpd_retry 5;
    dpd_maxfail 5;
    dpd_algorithm dpd_blackhole_detect;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    # XAuth username; the gateway reports it below as "Remote XAuth identity: vpn.mbp".
    xauth_login "vpn.mbp";
    # Mode-config: the client receives its virtual IP from rightsourceip on the gateway.
    mode_cfg on;

    proposal {
       [... all the proposals...]
    }
 }

`ipsec status` показывает:

Security Associations (1 up, 0 connecting):
rw-ikev1[807]: ESTABLISHED 8 minutes ago, 1.2.3.4[xxx.atw.hu]...178.129.52.79[CN=xxx]
rw-ikev1[807]: Remote XAuth identity: vpn.mbp
rw-ikev1[807]: IKEv1 SPIs: 1581b804f3aaa79d_i 00c78ea635a7fbe9_r*, rekeying disabled
rw-ikev1[807]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
rw-ikev1{279}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cda86008_i 0f272fa7_o
rw-ikev1{279}:  AES_CBC_128/HMAC_SHA1_96, 205529 bytes_i (1346 pkts, 3s ago), 925037 bytes_o (1563 pkts, 3s ago), rekeying disabled
rw-ikev1{279}:   0.0.0.0/0 === 192.168.100.2/32