Я пытаюсь протестировать новый (в процессе) VPN-сервер StrongSwan IPSec, подключившись с OS X 10.10.
Это очень расстраивает, потому что журналы показывают серию сообщений об успехе, но затем соединение всё равно обрывается. Я также не понимаю, почему ассоциация безопасности (IKE_SA) называется "(unnamed)[3]".
Эта страница шаг за шагом описывает, как получить конфигурацию racoon, которую клиент использует на самом деле; у меня она выглядит примерно так:
# Client-side racoon profile for the "Cisco IPSec" VPN type on OS X, as
# captured from the running configuration.  The author elided part of the
# block ("...").
remote myvpc.mydomain.com {
    doi ipsec_doi;
    situation identity_only;
    # IKEv1 Main Mode (the server log confirms: "initiating a Main Mode IKE_SA").
    exchange_mode main;
    # The client does not check the identifier the server presents in phase 1;
    # only knowledge of the PSK ties the peer to "myvpc.mydomain.com".
    verify_identifier off;
    # PSK is read from the OS X keychain; the secret itself is not on this page.
    shared_secret keychain "SOME-HASH.SS";
    local_address 10.0.0.149;
    nonce_size 16;
    # Dead-peer detection settings (the server log shows the DPD vendor ID
    # arriving from this client).
    dpd_delay 20;
    dpd_retry 5;
    dpd_maxfail 5;
    dpd_algorithm dpd_blackhole_detect;
    initial_contact on;
    support_proxy on;
    # "obey": racoon accepts whatever proposal/lifetime the responder selects.
    proposal_check obey;
    # XAuth username.  This is the phase-1.5 credential, not necessarily the
    # IKE ID payload the client sends; the server config maps it to
    # rightid=staff -- TODO confirm that is what charon actually receives.
    xauth_login "staff";
    mode_cfg on;
    proposal {
        # Main Mode PSK plus XAuth, client role.
        authentication_method xauth_psk_client;
        # SHA-1 and DH group 2 (MODP_1024) are all this client offers -- every
        # entry in the server's "received proposals" line uses MODP_1024.
        # Both are weak by current standards; the server side has to accept
        # them purely for client compatibility.
        hash_algorithm sha1;
        encryption_algorithm aes 256;
        lifetime time 3600 sec;
        dh_group 2;
    }
    ...
}
Моя лучшая попытка перенести это в /etc/ipsec.conf на сервере:
# Defaults inherited by every conn below.  "osx" overrides keyexchange, authby
# and ike, so the IKEv2/PSK/modp1536 defaults here do not apply to it.
conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1536
    esp=aes256-sha1
    authby=psk
    ikelifetime=24h
    lifetime=1h
    # Local IKE identity presented to peers.
    leftid=myvpc.mydomain.com
    # NOTE(review): auto=start is inherited by "osx" as well, so charon will
    # try to initiate that conn itself at startup.  For a responder that only
    # waits for road-warrior clients, auto=add is the usual choice (the
    # working config further down on this page uses auto=add) -- confirm.
    auto=start
# Responder profile for the OS X "Cisco IPSec" client (IKEv1 Main Mode,
# PSK + XAuth).  This is the conn charon picks in the server log:
# "found matching ike config: 10.200.0.32/27...1.2.3.4".
# Not set here, although the client has mode_cfg on: rightsourceip (the
# working config on this page sets it) -- TODO check whether it is needed.
conn osx
    keyexchange=ikev1
    # PSK for phase 1, then XAuth (username/password) on top of it.
    authby=xauthpsk
    xauth=server
    # Must match the only DH group the client proposes (MODP_1024, group 2).
    # Weak by today's standards; kept only for compatibility with this client.
    ike=aes256-sha1-modp1024
    # Written as a /27 rather than the gateway's own address.  charon still
    # matched it (see the log) and replies from 10.200.0.50, the only
    # listening address shown by `ipsec statusall`.
    left=10.200.0.32/27
    leftsubnet=10.200.0.96/27
    # Hard-coded to one client address; the working config further down uses
    # right=%any, which is what a road-warrior setup normally needs.
    right=1.2.3.4
    # NOTE(review): "staff" is the xauth_login in the racoon config (the XAuth
    # username).  charon treats this value as the expected peer IKE identity
    # ("remote: [staff] uses pre-shared key authentication" in statusall),
    # which is only correct if the client really sends "staff" as its ID
    # payload -- confirm.
    rightid=staff
Когда я пытаюсь подключиться с Mac, используя тип VPN «Cisco IPSec», в журнале сервера появляется:
charon: 16[MGR] checkout IKE_SA by message
charon: 16[MGR] created IKE_SA (unnamed)[3]
charon: 16[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
charon: 16[CFG] looking for an ike config for 10.200.0.50...1.2.3.4
charon: 16[CFG] candidate: 10.200.0.32/27...1.2.3.4, prio 2292
charon: 16[CFG] found matching ike config: 10.200.0.32/27...1.2.3.4 with prio 2292
charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 16[IKE] received XAuth vendor ID
charon: 16[IKE] received Cisco Unity vendor ID
charon: 16[IKE] received FRAGMENTATION vendor ID
charon: 16[IKE] received DPD vendor ID
charon: 16[IKE] 1.2.3.4 is initiating a Main Mode IKE_SA
charon: 16[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
charon: 16[CFG] selecting proposal:
charon: 16[CFG] proposal matches
charon: 16[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
charon: 16[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_1024/MODP_1536/MODP_2048/MODP_3072/MODP_4096/MODP_8192/ECP_256/ECP_384/ECP_521/MODP_1024_160/MODP_2048_224/MODP_2048_256/ECP_192/ECP_224/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
charon: 16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 16[IKE] sending XAuth vendor ID
charon: 16[IKE] sending DPD vendor ID
charon: 16[IKE] sending NAT-T (RFC 3947) vendor ID
charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
charon: 16[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
charon: 16[MGR] checkin IKE_SA (unnamed)[3]
charon: 16[MGR] check-in of IKE_SA successful.
charon: 07[MGR] checkout IKE_SA by message
charon: 07[MGR] IKE_SA (unnamed)[3] successfully checked out
charon: 07[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
charon: 07[IKE] received retransmit of request with ID 0, retransmitting response
charon: 07[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
charon: 07[MGR] checkin IKE_SA (unnamed)[3]
charon: 07[MGR] check-in of IKE_SA successful.
charon: 09[MGR] checkout IKE_SA by message
charon: 09[MGR] IKE_SA (unnamed)[3] successfully checked out
charon: 09[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
charon: 09[IKE] received retransmit of request with ID 0, retransmitting response
charon: 09[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
charon: 09[MGR] checkin IKE_SA (unnamed)[3]
charon: 09[MGR] check-in of IKE_SA successful.
charon: 08[MGR] checkout IKE_SA by message
charon: 08[MGR] IKE_SA (unnamed)[3] successfully checked out
charon: 08[NET] received packet: from 1.2.3.4[29646] to 10.200.0.50[500] (596 bytes)
charon: 08[IKE] received retransmit of request with ID 0, retransmitting response
charon: 08[NET] sending packet: from 10.200.0.50[500] to 1.2.3.4[29646] (136 bytes)
charon: 08[MGR] checkin IKE_SA (unnamed)[3]
charon: 08[MGR] check-in of IKE_SA successful.
Локальные (клиентские) журналы мне мало что говорят, но привожу их на случай, если они пригодятся кому-то ещё. Обращает на себя внимание, что клиент трижды повторно отправляет первое сообщение Main Mode («Phase 1 Retransmit»), а сервер каждый раз заново отправляет свой ответ («retransmitting response», 136 байт) — то есть, судя по всему, ответ сервера просто не доходит до клиента.
nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: Received a start command from SystemUIServer[503]
nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: status changed to connecting
nesessionmanager[25701]: IPSec connecting to server myvpc.mydomain.com
nesessionmanager[25701]: IPSec Phase1 starting.
racoon[27001]: accepted connection on vpn control socket.
--- last message repeated 1 time ---
racoon[27001]: IPSec connecting to server myvpc.mydomain.com
--- last message repeated 1 time ---
racoon[27001]: Connecting.
racoon[27001]: IPSec Phase 1 started (Initiated by me).
--- last message repeated 1 time ---
racoon[27001]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
racoon[27001]: >>>>> phase change status = Phase 1 started by us
--- last message repeated 1 time ---
racoon[27001]: IKE Packet: transmit success. (Phase 1 Retransmit).
--- last message repeated 2 times ---
nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: status changed to disconnecting
nesessionmanager[25701]: IPSec disconnecting from server myvpc.mydomain.com
racoon[27001]: IPSec disconnecting from server myvpc.mydomain.com
--- last message repeated 1 time ---
racoon[27001]: failed to send vpn_control message: Broken pipe
--- last message repeated 1 time ---
racoon[27001]: glob found no matches for path "/var/run/racoon/*.conf"
--- last message repeated 1 time ---
racoon[27001]: IPSec disconnecting from server myvpc.mydomain.com
--- last message repeated 1 time ---
nesessionmanager[25701]: NESMLegacySession[VPN (Cisco IPSec)]: status changed to disconnected, last stop reason 0
UserNotificationCenter[27003]: *** WARNING: Method userSpaceScaleFactor in class NSWindow is deprecated on 10.7 and later. It should not be used in new applications. Use convertRectToBacking: instead.
Когда я запускаю `ipsec statusall` на VPN-шлюзе в момент, когда OS X пытается подключиться, вывод такой:
Listening IP addresses:
10.200.0.50
Connections:
osx: 10.200.0.32/27...<public ip> IKEv1
osx: local: [my-server.my-domain.com] uses pre-shared key authentication
osx: remote: [staff] uses pre-shared key authentication
osx: remote: uses XAuth authentication: any
osx: child: 10.200.0.96/27 === dynamic TUNNEL
Security Associations (0 up, 1 connecting):
(unnamed)[3]: CONNECTING, 10.200.0.50[%any]...1.2.3.4[%any]
(unnamed)[3]: IKEv1 SPIs: HEX_CHARS_i HEX_CHARS_r*
(unnamed)[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
(unnamed)[3]: Tasks passive: ISAKMP_VENDOR MAIN_MODE ISAKMP_NATD
Это мой рабочий конфиг (обратите внимание на отличия от вашего: аутентификация по сертификатам с обеих сторон плюс XAuth через RADIUS вместо PSK; `right=%any` вместо фиксированного адреса клиента; задан `rightsourceip` для раздачи адресов через mode-config; `auto=add` вместо `auto=start`):
ipsec.conf:
# Working road-warrior IKEv1 profile: certificate authentication on both
# sides, XAuth via RADIUS as a second factor, virtual IPs via mode-config.
conn rw-ikev1
    left=%any
    # Everything is tunnelled, IPv4 and IPv6; the status below shows the
    # resulting selector "0.0.0.0/0 === 192.168.100.2/32".
    leftsubnet=0.0.0.0/0,::0/0
    leftauth=pubkey
    leftcert="hubud2.pem"
    leftid=@xxx.atw.hu
    # Any client address may connect.
    right=%any
    # Client certificate first, then XAuth against RADIUS.
    rightauth=pubkey
    rightauth2=xauth-radius
    # Restricts clients to this group/role; where the group membership comes
    # from (certificate attributes or RADIUS) is not visible on this page.
    rightgroups="cn=vpn_users_trusted/ou=roles/dc=y7/dc=hu"
    # Address pools handed out via mode-config (the client has mode_cfg on).
    rightsourceip=192.168.100.0/28,2a01:270:1035:ff::/120
    # Debug up/down hook -- presumably not wanted in production; verify.
    leftupdown=/etc/ipsec.d/up.d/debug
    keyexchange=ikev1
    # Load the conn and wait for clients; never initiate.
    auto=add
    # Left commented out by the author, so charon offers its default proposal
    # set; the status below shows MODP_1536 for IKE and AES_CBC_128 for ESP
    # being negotiated.
    #ike=aes256-sha1-modp1024!
    #esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    # No rekeying ("rekeying disabled" in the status); the SAs presumably live
    # until DPD or the client tears them down -- a trade-off worth
    # reconsidering for long-lived sessions.
    rekey=no
racoon.conf на стороне OS X:
# OS X side of the working setup: certificate-based phase 1 plus XAuth.
remote 1.2.3.4 {
    doi ipsec_doi;
    situation identity_only;
    exchange_mode main;
    # Client identifies itself by its certificate subject DN (shown as
    # [CN=xxx] in the server status).
    my_identifier asn1dn;
    # Expected server identifier; note verify_identifier below is off, so
    # this value is used for certificate verification rather than for
    # checking the ID payload -- TODO confirm racoon's exact behaviour here.
    peers_identifier address "1.2.3.4";
    verify_identifier off;
    # Client certificate from the keychain (identifier truncated by the author).
    certificate_type x509 in_keychain "c3N1aQ[...]5QRU=";
    # The server certificate is verified through the system security
    # framework against the peer identifier above.
    verify_cert on;
    certificate_verification sec_framework use_peers_identifier;
    local_address 192.168.213.102;
    nonce_size 16;
    dpd_delay 20;
    dpd_retry 5;
    dpd_maxfail 5;
    dpd_algorithm dpd_blackhole_detect;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    # XAuth username ("Remote XAuth identity: vpn.mbp" in the server status).
    xauth_login "vpn.mbp";
    mode_cfg on;
    proposal {
        [... all the proposals...]
    }
}
`ipsec status` показывает:
Security Associations (1 up, 0 connecting):
rw-ikev1[807]: ESTABLISHED 8 minutes ago, 1.2.3.4[xxx.atw.hu]...178.129.52.79[CN=xxx]
rw-ikev1[807]: Remote XAuth identity: vpn.mbp
rw-ikev1[807]: IKEv1 SPIs: 1581b804f3aaa79d_i 00c78ea635a7fbe9_r*, rekeying disabled
rw-ikev1[807]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
rw-ikev1{279}: INSTALLED, TUNNEL, ESP in UDP SPIs: cda86008_i 0f272fa7_o
rw-ikev1{279}: AES_CBC_128/HMAC_SHA1_96, 205529 bytes_i (1346 pkts, 3s ago), 925037 bytes_o (1563 pkts, 3s ago), rekeying disabled
rw-ikev1{279}: 0.0.0.0/0 === 192.168.100.2/32