我想将我的Ubuntu 12.04开发人员盒连接到公司网络。他们在路由器上安装了带有isakmpd的OpenBSD 5.1。 auth仅通过使用RSA密钥完成。
在我身边,我安装了openswan(apt-get install openswan)并进行了设置:
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=netkey
# Use this to log to a file, or disable logging on embedded systems (like openwrt)
#plutostderrlog=/dev/null
# Add connections here
include /etc/ipsec.d/ipsec.*.conf
这里建立了连接:
conn office
auto=start
type=tunnel
compress=yes
aggrmode=no
forceencaps=yes
left=%defaultroute
leftid=@andrey-ubuntu.example.com
# To get the proper rsasigkey values, use ipsec showhostkey. On left (vpgw1) run: ipsec showhostkey --left
leftrsasigkey=0sAwEAAavfJOtpFvA......big_key
leftca=ca.crt
leftsendcert=always
# Convert PEM cert to der
# openssl x509 -in andrey-ubuntu.pem -outform DER -out andrey-ubuntu.der
leftcert=andrey-ubuntu.der
#
right=4.5.3.126
rightid=@secure1.example.com
rightrsasigkey=0sAwEAAc92q7qKyW......big_key
#leftupdown="ipsec _updown --route yes" # See ipsec_pluto(8) for details. Relevant only locally, other end need not agree on it.
ike=aes256-sha1;modp2048
phase2alg=aes256-sha1;modp2048
ikelifetime=28800s
authby=rsasig
pfs=yes
salifetime=28800s
keyexchange=ike
我的工作站使用NAT。当我启动openswan服务时,我在我的机器的日志中看到了这一点:
Sep 17 06:15:25 zentavr-ig ipsec_setup: Starting Openswan IPsec U2.6.37/K3.5.0-23-generic...
Sep 17 06:15:25 zentavr-ig ipsec_setup: Using NETKEY(XFRM) stack
Sep 17 06:15:25 zentavr-ig kernel: [19389.748253] Initializing XFRM netlink socket
Sep 17 06:15:25 zentavr-ig ipsec_setup: ...Openswan IPsec started
Sep 17 06:15:25 zentavr-ig pluto: adjusting ipsec.d to /etc/ipsec.d
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Sep 17 06:15:25 zentavr-ig rsyslogd-2177: imuxsock begins to drop messages from pid 25281 due to rate-limiting
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: 002 loading certificate from andrey-ubuntu.der
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: 002 loaded host cert file '/etc/ipsec.d/certs/andrey-ubuntu.der' (893 bytes)
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: 002 added connection description "office"
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: 104 "office" #1: STATE_MAIN_I1: initiate
以及更多:
root@zentavr-ig:/etc/ipsec.d# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 172.16.30.254
000 interface eth0/eth0 172.16.30.254
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+klips+pfkey+nattraversal+x509+dpd+private
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048}
000
000 "office": 172.16.30.254[@andrey-ubuntu.idle-games.com,+S=C]...4.5.3.126<204.15.3.126>[@secure1.example.com,+S=C]; prospective erouted; eroute owner: #0
000 "office": myip=unset; hisip=unset; mycert=andrey-ubuntu.der;
000 "office": CAs: '\011'...'%any'
000 "office": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "office": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "office": dpd: action:clear; delay:0; timeout:0;
000 "office": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "office": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP2048(14); flags=-strict
000 "office": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)
000 "office": ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP2048(14); flags=-strict
000 "office": ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000
000 #1: "office":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); none in -1s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: pending Phase 2 for "office" replacing #0
000
......就是这样。在sevrers方面,我们看到:
@400000005237c9581197de3c 201526.295150 Default isakmpd: phase 1 done (as responder): initiator id andrey-ubuntu.example.com, responder id secure1.example.com, src: 4.5.3.126 dst: 1.18.7.156
@400000005237c9581d9d9c94 201526.496860 Default message_parse_payloads: reserved field non-zero: c3
@400000005237c9581d9db01c 201526.496867 Default dropped message from 1.8.7.156 port 1024 due to notification type PAYLOAD_MALFORMED
@400000005237c958298b3b24 201526.696975 Default message_recv: cleartext phase 2 message
@400000005237c958298b567c 201526.696984 Default dropped message from 1.18.7.156 port 1024 due to notification type INVALID_FLAGS
@400000005237c9621f5c4c24 201536.526130 Default message_recv: cleartext phase 2 message
@400000005237c9621f5c6394 201536.526140 Default dropped message from 1.18.7.156 port 1024 due to notification type INVALID_FLAGS
@400000005237c9672034702c 201541.540296 Default message_recv: cleartext phase 2 message
@400000005237c96720348b84 201541.540305 Default dropped message from 1.18.7.156 port 1024 due to notification type INVALID_FLAGS
@400000005237c96c22a335dc 201546.581110 Default message_recv: cleartext phase 2 message
@400000005237c96c22a34d4c 201546.581118 Default dropped message from 1.18.7.156 port 1024 due to notification type INVALID_FLAGS
@400000005237c9712389d8d4 201551.596225 Default message_recv: cleartext phase 2 message
@400000005237c9712389ec5c 201551.596233 Default dropped message from 1.18.7.156 port 1024 due to notification type INVALID_FLAGS
@400000005237c97625f0e9dc 201556.636531 Default message_recv: cleartext phase 2 message
@400000005237c97625f0fd64 201556.636542 Default dropped message from 1.18.7.156 port 1024 due to notification type INVALID_FLAGS
OpeBSDs isakmpd就是这样完成的:
ike passive esp tunnel \
from any to any \
main auth hmac-sha1 enc aes-256 group modp2048 \
quick auth hmac-sha1 enc aes-256 group modp2048 \
srcid secure1.example.com \
tag ipsec-$id
我想知道:为什么openSWAN根本无法启动phase2而且在服务器端我看到了这些奇怪的错误?经过几个晚上的调试后,我的想法已经耗尽:(
答案 0 :(得分:0)
无效的标志让我想知道您在一侧启用的压缩或其他设置是否与另一侧不兼容。我几乎总是在OpenSWAN上使用compression = no来避免兼容性问题。