Назад | Перейти на главную страницу

CentOS + strongswan + iOS VPN API, Hal

Я пытаюсь настроить StrongSwan на CentOS для iOS с помощью VPN API. Этот API использует протокол IKEv2. Вот мои логи + файлы конфигурации. Когда я нажимаю кнопку подключения на устройстве iOS, через несколько секунд он выключается. Похоже, iOS не нравится какая-то информация о сервере, но я не понимаю, какой именно.

P.S. я проверил официальный strongswan моя конфигурация выглядит так же

2015-09-16T14:20:13.881974+00:00  charon: 02[NET] received packet: from 178.159.28.49[4500] to 94.242.232.178[4500]
2015-09-16T14:20:13.881977+00:00  charon: 02[NET] waiting for data on sockets
2015-09-16T14:20:13.881980+00:00  charon: 06[NET] received packet: from 178.159.28.49[4500] to 94.242.232.178[4500] (316 bytes)
2015-09-16T14:20:13.882095+00:00  charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
2015-09-16T14:20:13.882106+00:00  charon: 06[CFG] looking for peer configs matching 94.242.232.178[lu135.example.net]...178.159.28.49[VPN]
2015-09-16T14:20:13.882111+00:00  charon: 06[CFG] peer config match local: 20 (ID_FQDN -> 6c:75:31:33:35:2e:68:6d:6e:2e:6d:65)
2015-09-16T14:20:13.882115+00:00  charon: 06[CFG] peer config match remote: 1 (ID_FQDN -> 56:50:4e)
2015-09-16T14:20:13.882121+00:00  charon: 06[CFG] ike config match: 1052 (94.242.232.178 178.159.28.49 IKEv2)
2015-09-16T14:20:13.882127+00:00  charon: 06[CFG]   candidate "ikev2", match: 20/1/1052 (me/other/ike)
2015-09-16T14:20:13.882134+00:00  charon: 06[CFG] selected peer config 'ikev2'
2015-09-16T14:20:13.882153+00:00  charon: 06[IKE] initiating EAP_IDENTITY method (id 0x00)
2015-09-16T14:20:13.882166+00:00  charon: 06[IKE] processing INTERNAL_IP4_ADDRESS attribute
2015-09-16T14:20:13.882171+00:00  charon: 06[IKE] processing INTERNAL_IP4_DHCP attribute
2015-09-16T14:20:13.882180+00:00  charon: 06[IKE] processing INTERNAL_IP4_DNS attribute
2015-09-16T14:20:13.882183+00:00  charon: 06[IKE] processing INTERNAL_IP4_NETMASK attribute
2015-09-16T14:20:13.882187+00:00  charon: 06[IKE] processing INTERNAL_IP6_ADDRESS attribute
2015-09-16T14:20:13.882196+00:00  charon: 06[IKE] processing INTERNAL_IP6_DHCP attribute
2015-09-16T14:20:13.882202+00:00  charon: 06[IKE] processing INTERNAL_IP6_DNS attribute
2015-09-16T14:20:13.882214+00:00  charon: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2015-09-16T14:20:13.882266+00:00  charon: 06[IKE] IDx' => 16 bytes @ 0x7fa281236940
2015-09-16T14:20:13.882273+00:00  charon: 06[IKE]    0: 02 00 00 00 6C 75 31 33 35 2E 68 6D 6E 2E 6D 65  ....lu135.example.net
2015-09-16T14:20:13.882277+00:00  charon: 06[IKE] SK_p => 20 bytes @ 0x7fa24c003430
2015-09-16T14:20:13.882282+00:00  charon: 06[IKE]    0: 45 A5 6E C1 FA 17 82 BF 81 13 71 3A 94 EC 46 A1  E.n.......q:..F.
2015-09-16T14:20:13.882288+00:00  charon: 06[IKE]   16: 73 A6 F7 47                                      s..G
2015-09-16T14:20:13.882318+00:00  charon: 06[IKE] octets = message + nonce + prf(Sk_px, IDx') => 344 bytes 
…. SOME BYTES HERE ….
2015-09-16T14:20:13.884696+00:00  charon: 06[IKE] authentication of 'lu135.example.net' (myself) with RSA signature successful
2015-09-16T14:20:13.884706+00:00  charon: 06[IKE] sending end entity cert "C=GB, O=COMPANY, CN=lu135.example.net"
2015-09-16T14:20:13.884718+00:00  charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2015-09-16T14:20:13.884897+00:00  charon: 06[NET] sending packet: from 94.242.232.178[4500] to 178.159.28.49[4500] (1220 bytes)
2015-09-16T14:20:13.884924+00:00  charon: 03[NET] sending packet: from 94.242.232.178[4500] to 178.159.28.49[4500]
2015-09-16T14:20:43.786966+00:00  charon: 09[JOB] deleting half open IKE_SA after timeout
2015-09-16T14:20:43.786983+00:00 charon: 09[IKE] IKE_SA ikev2[2] state change: CONNECTING => DESTROYING

Сертификат сервера

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 6619988021187675067 (0x5bdeec07f43b83bb)
   Signature Algorithm: sha256WithRSAEncryption
       Issuer: C=GB, O=COMPANY, CN=CERTROOT
       Validity
           Not Before: Sep 16 13:57:53 2015 GMT
           Not After : Sep 15 13:57:53 2018 GMT
       Subject: C=GB, O=COMPANY, CN=lu135.example.net
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
                     … BYTES …

   Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Authority Key Identifier:
               keyid:8B:88:DA:1A:76:18:F4:F8:64:51:9C:BB:54:48:C6:3C:2E:5B:E9:8C

           X509v3 Subject Alternative Name:
               DNS:lu135.example.net, IP Address:94.242.232.178, DNS:94.242.232.178
           X509v3 Extended Key Usage:
               TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
   Signature Algorithm: sha256WithRSAEncryption
                    … BYTES ….

Ipsec.conf

config setup
          charondebug="cfg 7, dmn 7, ike 7, net 7"
          uniqueids=no

  conn %default
          left=%defaultroute
          leftsubnet=0.0.0.0/0
          right=%any
          auto=add
         dpdaction=clear
         dpddelay=300s

  conn ikev2
          keyexchange=ikev2
          fragmentation = yes
          forceencaps = yes
          ike=aes256-sha1-modp1024,aes256-sha1-modp2048
         esp=aes256-sha1,aes128-sha1
         left={{ ansible_default_ipv4.address }}
         leftid={{ dnsname }}
         leftcert=server_cert.pem
         leftsendcert=always
         leftauth=pubkey
         mobike=yes
         right=%any
         rightid=%any
         rightsendcert=never
         rightauth=eap-radius
         rightsourceip=172.16.198.0/24
         rightfirewall=yes
         eap_identity=%identity
         rightdns=8.8.8.8,8.8.4.4
         dpaction=clear
         auto=add

** доступные переменные + playbook **

cakey:   /etc/strongswan/ipsec.d/private/ios.pem
cacert:  /etc/strongswan/ipsec.d/cacerts/ios.pem
srvkey:  /etc/strongswan/ipsec.d/private/server.pem
srvcert: /etc/strongswan/ipsec.d/certs/server_cert.pem
clnkey:  /etc/strongswan/ipsec.d/private/client.pem
clncert: /etc/strongswan/ipsec.d/certs/client.pem
p12:     /etc/strongswan/ipsec.d/private/client.p12
issuer: CERTROOT
org: COMPANY

учебник

---
- name: Installing strongswan config
 template: src=ipsec.conf dest=/etc/strongswan/ipsec.conf

- name: Ipsec secrets
 template: src=ipsec.secrets dest=/etc/strongswan/ipsec.secrets

- name: Generating CA KEY
 shell: strongswan pki --gen --outform pem > {{ cakey }} creates={{ cakey }}

- name: Generate CA Cert
 shell: strongswan pki --self --in {{ cakey }} --dn "C=GB, O={{ org }}, CN={{ issuer }}" --ca --outform pem > {{ cacert }} creates={{ cacert }}

- name: Generate server key
 shell: strongswan pki --gen --outform pem > {{ srvkey }} creates={{ srvkey }}

- name: Create server cert
 shell: strongswan pki --pub --in {{ srvkey }} | strongswan pki --issue --cacert {{ cacert }} --cakey {{ cakey }} --dn "C=GB, O={{ org }}, CN={{ dnsname }}" --san="{{ dnsname }}" --san {{ ansible_default_ipv4.address }} --san @{{ ansible_default_ipv4.address }} --flag serverAuth --flag ikeIntermediate --outform pem > {{ srvcert }} creates={{ srvcert }}

- name: Generating client key
 shell: strongswan pki --gen --outform pem > {{ clnkey }} creates={{ clnkey }}

- name: Create client cert
 shell: strongswan pki --pub --in {{ clnkey }} | strongswan pki --issue --cacert {{ cacert }} --cakey {{ cakey }} --dn "C=GB, O={{ org }}, CN=demo" --outform pem > {{ clncert }} creates={{ clncert }}

- name: Generate p12 file for client
 shell: openssl pkcs12 -export -inkey {{ clnkey }} -in {{ clncert }} -name "demo" -certfile {{ cacert }}  -caname "{{ issuer }}" -out {{ p12 }} -password pass:hello creates={{ p12 }}

- name: Restarart strongswan
 service: name=strongswan state=restarted