IPsec VPN (roadwarrior case) error: received AUTHENTICATION_FAILED notify error

Time: 2019-11-23 16:06:53

Tags: openssl vpn ipsec strongswan

My system is Debian 10, and the lab is a netkit lab. Below is my topology diagram. Following the strongSwan wiki (https://github.com/strongswan/strongswan/blob/master/README_LEGACY.md), I ran ipsec on outClient and the VPN router as shown in the figure. When I run "ipsec up home" in externalClient, "received AUTHENTICATION_FAILED notify error" occurs.

Topological graph

# server: ipsec.conf
```
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=30m
    keyingtries=1
    keyexchange=ikev2

conn rw
    left=10.0.0.2
    leftcert=serverCert.pem
    leftid=server@warwick.com
    leftsubnet=213.1.133.0/27
    #leftfirewall=yes
    right=%any
    auto=add
```
# server: ipsec statusall
```
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 47 minutes, since Nov 23 15:50:07 2019
  malloc: sbrk 1048576, mmap 0, used 144288, free 904288
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock 
Listening IP addresses:
  10.0.0.2
  213.1.133.2
Connections:
          rw:  10.0.0.2...%any
          rw:   local:  [C=UK, ST=England, L=Coventry, O=warwick, OU=warwick office, CN=server@warwick.com, E=server@warwick.com] uses public key authentication
          rw:    cert:  "C=UK, ST=England, L=Coventry, O=warwick, OU=warwick office, CN=server@warwick.com, E=server@warwick.com"
          rw:   remote: [%any] uses any authentication
          rw:   child:  213.1.133.0/27 === dynamic 
Security Associations:
  none
```
# server: /var/log/daemon.log
```
Nov 23 15:50:07 router charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Nov 23 15:50:07 router charon: 00[LIB] Padlock not found, CPU is GenuineIntel
Nov 23 15:50:07 router charon: 00[LIB] plugin 'padlock': failed to load - padlock_plugin_create returned NULL
Nov 23 15:50:07 router charon: 00[KNL] listening on interfaces:
Nov 23 15:50:07 router charon: 00[KNL]   eth1
Nov 23 15:50:07 router charon: 00[KNL]     10.0.0.2
Nov 23 15:50:07 router charon: 00[KNL]     fe80::28c:8cff:fe8c:8c8c
Nov 23 15:50:07 router charon: 00[KNL]   eth3
Nov 23 15:50:07 router charon: 00[KNL]     213.1.133.2
Nov 23 15:50:07 router charon: 00[KNL]     fe80::282:82ff:fe82:8282
Nov 23 15:50:07 router charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 23 15:50:07 router charon: 00[CFG]   loaded ca certificate "C=UK, ST=England, L=Coventry, O=Warwick, OU=Warwick office, CN=warwick ca, E=warwick.ca@warwick.ac.uk" from '/etc/ipsec.d/cacerts/caCert.pem'
Nov 23 15:50:07 router charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 23 15:50:07 router charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 23 15:50:07 router charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 23 15:50:07 router charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 23 15:50:07 router charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 23 15:50:07 router charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/serverKey.pem'
Nov 23 15:50:07 router charon: 00[CFG] sql plugin: database URI not set
Nov 23 15:50:07 router charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Nov 23 15:50:07 router charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 23 15:50:07 router charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Nov 23 15:50:07 router charon: 00[CFG] mediation client database URI not defined, skipped
Nov 23 15:50:07 router charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Nov 23 15:50:07 router charon: 00[LIB] plugin 'nm' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory
Nov 23 15:50:07 router charon: 00[CFG] HA config misses local/remote address
Nov 23 15:50:07 router charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Nov 23 15:50:07 router charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock 
Nov 23 15:50:07 router charon: 00[JOB] spawning 16 worker threads
Nov 23 15:50:07 router charon: 10[CFG] received stroke: add connection 'rw'
Nov 23 15:50:07 router charon: 10[CFG]   loaded certificate "C=UK, ST=England, L=Coventry, O=warwick, OU=warwick office, CN=server@warwick.com, E=server@warwick.com" from 'serverCert.pem'
Nov 23 15:50:07 router charon: 10[CFG]   id 'server@warwick.com' not confirmed by certificate, defaulting to 'C=UK, ST=England, L=Coventry, O=warwick, OU=warwick office, CN=server@warwick.com, E=server@warwick.com'
Nov 23 15:50:07 router charon: 10[CFG] added configuration 'rw'
Nov 23 15:50:28 router charon: 04[NET] received packet: from 1.0.0.1[500] to 10.0.0.2[500]
Nov 23 15:50:28 router charon: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 23 15:50:28 router charon: 04[IKE] 1.0.0.1 is initiating an IKE_SA
Nov 23 15:50:28 router charon: 04[IKE] sending cert request for "C=UK, ST=England, L=Coventry, O=Warwick, OU=Warwick office, CN=warwick ca, E=warwick.ca@warwick.ac.uk"
Nov 23 15:50:28 router charon: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 23 15:50:28 router charon: 04[NET] sending packet: from 10.0.0.2[500] to 1.0.0.1[500]
Nov 23 15:50:28 router charon: 03[NET] received packet: from 1.0.0.1[4500] to 10.0.0.2[4500]
Nov 23 15:50:28 router charon: 03[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 23 15:50:28 router charon: 03[IKE] received cert request for "C=UK, ST=England, L=Coventry, O=Warwick, OU=Warwick office, CN=warwick ca, E=warwick.ca@warwick.ac.uk"
Nov 23 15:50:28 router charon: 03[IKE] received end entity cert "C=UK, ST=England, L=London, O=coral, OU=coral, CN=carol@warwick.com, E=carol@warwick.com"
Nov 23 15:50:28 router charon: 03[CFG] looking for peer configs matching 10.0.0.2[server@warwick.com]...1.0.0.1[C=UK, ST=England, L=London, O=coral, OU=coral, CN=carol@warwick.com, E=carol@warwick.com]
Nov 23 15:50:28 router charon: 03[CFG] no matching peer config found
Nov 23 15:50:28 router charon: 03[IKE] peer supports MOBIKE
Nov 23 15:50:28 router charon: 03[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 23 15:50:28 router charon: 03[NET] sending packet: from 10.0.0.2[4500] to 1.0.0.1[4500]
Nov 23 15:59:49 router charon: 01[NET] received packet: from 1.0.0.1[500] to 10.0.0.2[500]
Nov 23 15:59:49 router charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 23 15:59:49 router charon: 01[IKE] 1.0.0.1 is initiating an IKE_SA
Nov 23 15:59:49 router charon: 01[IKE] sending cert request for "C=UK, ST=England, L=Coventry, O=Warwick, OU=Warwick office, CN=warwick ca, E=warwick.ca@warwick.ac.uk"
Nov 23 15:59:49 router charon: 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 23 15:59:49 router charon: 01[NET] sending packet: from 10.0.0.2[500] to 1.0.0.1[500]
Nov 23 15:59:49 router charon: 07[NET] received packet: from 1.0.0.1[4500] to 10.0.0.2[4500]
Nov 23 15:59:49 router charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 23 15:59:49 router charon: 07[IKE] received cert request for "C=UK, ST=England, L=Coventry, O=Warwick, OU=Warwick office, CN=warwick ca, E=warwick.ca@warwick.ac.uk"
Nov 23 15:59:49 router charon: 07[IKE] received end entity cert "C=UK, ST=England, L=London, O=coral, OU=coral, CN=carol@warwick.com, E=carol@warwick.com"
Nov 23 15:59:49 router charon: 07[CFG] looking for peer configs matching 10.0.0.2[server@warwick.com]...1.0.0.1[C=UK, ST=England, L=London, O=coral, OU=coral, CN=carol@warwick.com, E=carol@warwick.com]
Nov 23 15:59:49 router charon: 07[CFG] no matching peer config found
Nov 23 15:59:49 router charon: 07[IKE] peer supports MOBIKE
Nov 23 15:59:49 router charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 23 15:59:49 router charon: 07[NET] sending packet: from 10.0.0.2[4500] to 1.0.0.1[4500]
```


# carol ipsec.conf
```
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn home
    left=%any
    leftcert=carolCert.pem
    #leftid=carol@warwick.com
    #leftfirewall=yes
    right=10.0.0.2
    rightid=server@warwick.com
    rightsubnet=213.1.133.0/27
    auto=add
```
# carol: ipsec statusall
```
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 44 minutes, since Nov 23 15:49:38 2019
  malloc: sbrk 1048576, mmap 0, used 145448, free 903128
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock 
Listening IP addresses:
  1.0.0.1
Connections:
        home:  %any...10.0.0.2
        home:   local:  [C=UK, ST=England, L=London, O=coral, OU=coral, CN=carol@warwick.com, E=carol@warwick.com] uses public key authentication
        home:    cert:  "C=UK, ST=England, L=London, O=coral, OU=coral, CN=carol@warwick.com, E=carol@warwick.com"
        home:   remote: [server@warwick.com] uses any authentication
        home:   child:  dynamic === 213.1.133.0/27 
Security Associations:
  none
```
# carol: /var/log/daemon.log

```
Nov 23 15:49:38 rootstrap charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Nov 23 15:49:38 rootstrap charon: 00[LIB] Padlock not found, CPU is GenuineIntel
Nov 23 15:49:38 rootstrap charon: 00[LIB] plugin 'padlock': failed to load - padlock_plugin_create returned NULL
Nov 23 15:49:38 rootstrap charon: 00[KNL] listening on interfaces:
Nov 23 15:49:38 rootstrap charon: 00[KNL]   eth0
Nov 23 15:49:38 rootstrap charon: 00[KNL]     1.0.0.1
Nov 23 15:49:38 rootstrap charon: 00[KNL]     fe80::271:71ff:fe71:7171
Nov 23 15:49:38 rootstrap charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 23 15:49:38 rootstrap charon: 00[CFG]   loaded ca certificate "C=UK, ST=England, L=Coventry, O=Warwick, OU=Warwick office, CN=warwick ca, E=warwick.ca@warwick.ac.uk" from '/etc/ipsec.d/cacerts/caCert.pem'
Nov 23 15:49:38 rootstrap charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 23 15:49:38 rootstrap charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 23 15:49:38 rootstrap charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 23 15:49:38 rootstrap charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 23 15:49:38 rootstrap charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 23 15:49:38 rootstrap charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/carolKey.pem'
Nov 23 15:49:38 rootstrap charon: 00[CFG] sql plugin: database URI not set
Nov 23 15:49:38 rootstrap charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Nov 23 15:49:38 rootstrap charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 23 15:49:38 rootstrap charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Nov 23 15:49:38 rootstrap charon: 00[CFG] mediation client database URI not defined, skipped
Nov 23 15:49:38 rootstrap charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Nov 23 15:49:38 rootstrap charon: 00[LIB] plugin 'nm' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory
Nov 23 15:49:38 rootstrap charon: 00[CFG] HA config misses local/remote address
Nov 23 15:49:38 rootstrap charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Nov 23 15:49:38 rootstrap charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock 
Nov 23 15:49:38 rootstrap charon: 00[JOB] spawning 16 worker threads
Nov 23 15:49:38 rootstrap charon: 07[CFG] received stroke: add connection 'home'
Nov 23 15:49:38 rootstrap charon: 07[CFG] left nor right host is our side, assuming left=local
Nov 23 15:49:38 rootstrap charon: 07[CFG]   loaded certificate "C=UK, ST=England, L=London, O=coral, OU=coral, CN=carol@warwick.com, E=carol@warwick.com" from 'carolCert.pem'
Nov 23 15:49:38 rootstrap charon: 07[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=UK, ST=England, L=London, O=coral, OU=coral, CN=carol@warwick.com, E=carol@warwick.com'
Nov 23 15:49:38 rootstrap charon: 07[CFG] added configuration 'home'
Nov 23 15:50:28 rootstrap charon: 07[CFG] received stroke: initiate 'home'
Nov 23 15:50:28 rootstrap charon: 03[IKE] initiating IKE_SA home[1] to 10.0.0.2
Nov 23 15:50:28 rootstrap charon: 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 23 15:50:28 rootstrap charon: 03[NET] sending packet: from 1.0.0.1[500] to 10.0.0.2[500]
Nov 23 15:50:28 rootstrap charon: 02[NET] received packet: from 10.0.0.2[500] to 1.0.0.1[500]
Nov 23 15:50:28 rootstrap charon: 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 23 15:50:28 rootstrap charon: 02[IKE] received cert request for "C=UK, ST=England, L=Coventry, O=Warwick, OU=Warwick office, CN=warwick ca, E=warwick.ca@warwick.ac.uk"
Nov 23 15:50:28 rootstrap charon: 02[IKE] sending cert request for "C=UK, ST=England, L=Coventry, O=Warwick, OU=Warwick office, CN=warwick ca, E=warwick.ca@warwick.ac.uk"
Nov 23 15:50:28 rootstrap charon: 02[IKE] authentication of 'C=UK, ST=England, L=London, O=coral, OU=coral, CN=carol@warwick.com, E=carol@warwick.com' (myself) with RSA signature successful
Nov 23 15:50:28 rootstrap charon: 02[IKE] sending end entity cert "C=UK, ST=England, L=London, O=coral, OU=coral, CN=carol@warwick.com, E=carol@warwick.com"
Nov 23 15:50:28 rootstrap charon: 02[IKE] establishing CHILD_SA home
Nov 23 15:50:28 rootstrap charon: 02[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 23 15:50:28 rootstrap charon: 02[NET] sending packet: from 1.0.0.1[4500] to 10.0.0.2[4500]
Nov 23 15:50:28 rootstrap charon: 01[NET] received packet: from 10.0.0.2[4500] to 1.0.0.1[4500]
Nov 23 15:50:28 rootstrap charon: 01[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 23 15:50:28 rootstrap charon: 01[IKE] received AUTHENTICATION_FAILED notify error
Nov 23 15:59:49 rootstrap charon: 05[CFG] received stroke: initiate 'home'
Nov 23 15:59:49 rootstrap charon: 03[IKE] initiating IKE_SA home[2] to 10.0.0.2
Nov 23 15:59:49 rootstrap charon: 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 23 15:59:49 rootstrap charon: 03[NET] sending packet: from 1.0.0.1[500] to 10.0.0.2[500]
Nov 23 15:59:49 rootstrap charon: 02[NET] received packet: from 10.0.0.2[500] to 1.0.0.1[500]
Nov 23 15:59:49 rootstrap charon: 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 23 15:59:49 rootstrap charon: 02[IKE] received cert request for "C=UK, ST=England, L=Coventry, O=Warwick, OU=Warwick office, CN=warwick ca, E=warwick.ca@warwick.ac.uk"
Nov 23 15:59:49 rootstrap charon: 02[IKE] sending cert request for "C=UK, ST=England, L=Coventry, O=Warwick, OU=Warwick office, CN=warwick ca, E=warwick.ca@warwick.ac.uk"
Nov 23 15:59:49 rootstrap charon: 02[IKE] authentication of 'C=UK, ST=England, L=London, O=coral, OU=coral, CN=carol@warwick.com, E=carol@warwick.com' (myself) with RSA signature successful
Nov 23 15:59:49 rootstrap charon: 02[IKE] sending end entity cert "C=UK, ST=England, L=London, O=coral, OU=coral, CN=carol@warwick.com, E=carol@warwick.com"
Nov 23 15:59:49 rootstrap charon: 02[IKE] establishing CHILD_SA home
Nov 23 15:59:49 rootstrap charon: 02[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 23 15:59:49 rootstrap charon: 02[NET] sending packet: from 1.0.0.1[4500] to 10.0.0.2[4500]
Nov 23 15:59:49 rootstrap charon: 01[NET] received packet: from 10.0.0.2[4500] to 1.0.0.1[4500]
Nov 23 15:59:49 rootstrap charon: 01[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 23 15:59:49 rootstrap charon: 01[IKE] received AUTHENTICATION_FAILED notify error
```

I also captured on the ISP's eth2 and got the traffic shown below. ISP.eth2.pcap wireshark traffic graph

I think the key is

```
Nov 23 15:59:49 rootstrap charon: 01[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 23 15:59:49 rootstrap charon: 01[IKE] received AUTHENTICATION_FAILED notify error
```

but I don't know why. I hope to get a reply. Thanks!
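The server log in the question shows two related lines: charon reports that the configured id `server@warwick.com` is "not confirmed by certificate" and falls back to the certificate's subject DN, and later the peer-config lookup for `10.0.0.2[server@warwick.com]` (the IDr the client sent, taken from its `rightid`) ends in "no matching peer config found" and `N(AUTH_FAILED)`. The following Python script is an added example, not the poster's code: it parses those log lines (copied from the question) and reports the identity mismatch; the diagnosis and the suggested remediations are the editor's reading of strongSwan's behaviour, not something the question states.

```python
import re

# Subset of the server's /var/log/daemon.log as posted in the question (constructed excerpt).
SERVER_LOG = """\
Nov 23 15:50:07 router charon: 10[CFG]   loaded certificate "C=UK, ST=England, L=Coventry, O=warwick, OU=warwick office, CN=server@warwick.com, E=server@warwick.com" from 'serverCert.pem'
Nov 23 15:50:07 router charon: 10[CFG]   id 'server@warwick.com' not confirmed by certificate, defaulting to 'C=UK, ST=England, L=Coventry, O=warwick, OU=warwick office, CN=server@warwick.com, E=server@warwick.com'
Nov 23 15:50:28 router charon: 03[IKE] received end entity cert "C=UK, ST=England, L=London, O=coral, OU=coral, CN=carol@warwick.com, E=carol@warwick.com"
Nov 23 15:50:28 router charon: 03[CFG] looking for peer configs matching 10.0.0.2[server@warwick.com]...1.0.0.1[C=UK, ST=England, L=London, O=coral, OU=coral, CN=carol@warwick.com, E=carol@warwick.com]
Nov 23 15:50:28 router charon: 03[CFG] no matching peer config found
Nov 23 15:50:28 router charon: 03[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# charon replaced a configured id with the certificate subject because the cert has no matching SAN.
ID_FALLBACK = re.compile(r"id '([^']*)' not confirmed by certificate, defaulting to '([^']*)'")
# local_addr[IDr sent by the peer]...remote_addr[IDi sent by the peer]
PEER_LOOKUP = re.compile(r"looking for peer configs matching [\d.]+\[(.*?)\]\.\.\.[\d.]+\[(.*)\]")
NO_MATCH = "no matching peer config found"


def diagnose(log_text):
    """Return a finding dict when an id fallback explains a failed peer-config lookup, else None."""
    fallbacks = {}   # configured id -> identity charon actually uses for the conn
    pending = None   # (requested IDr, peer id) from the most recent lookup line
    for line in log_text.splitlines():
        m = ID_FALLBACK.search(line)
        if m:
            fallbacks[m.group(1)] = m.group(2)
            continue
        m = PEER_LOOKUP.search(line)
        if m:
            pending = m.groups()
            continue
        if NO_MATCH in line and pending:
            requested_idr, peer_id = pending
            if requested_idr in fallbacks:
                return {
                    "requested_idr": requested_idr,
                    "effective_local_id": fallbacks[requested_idr],
                    "peer_id": peer_id,
                    "cause": ("the peer's IDr equals the configured leftid, but charon replaced that id "
                              "with the certificate subject DN, so no conn has a local identity equal "
                              "to the requested IDr"),
                    "fixes": [
                        "reissue the server certificate with subjectAltName email:" + requested_idr,
                        "or use the DN as leftid on the server and rightid on the client: "
                        + fallbacks[requested_idr],
                    ],
                }
            pending = None
    return None


if __name__ == "__main__":
    for key, value in (diagnose(SERVER_LOG) or {}).items():
        print(f"{key}: {value}")
```

The client-side log agrees with this reading: carol's own RSA authentication succeeds locally, and the failure only arrives as the responder's `N(AUTH_FAILED)` reply.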

0 answers:

No answers