Building a VPN Network

Author: 张亚飞 | Reading time: 10 minutes | Published: 2017-08-08
Filed under Categories: DevOps | Tags: Linux, Strongswan, Vpn, DevOps

Building a VPN network with Strongswan

Complete guide to building an IPSec/IKEv2 VPN server on Ubuntu and CentOS

losisli/linux上用strongswan搭建ikev2协议vpn.md

CentOS 6.x/7.x: compiling and installing Strongswan 5.5.0 + Freeradius authentication

Ubuntu 16.04: building a trial VPN server with a one-key install script

# --no-check-certificate disables TLS verification of the download; drop it unless the CA store on this host is known to be broken
wget --no-check-certificate https://raw.githubusercontent.com/quericy/one-key-ikev2-vpn/master/one-key-ikev2.sh
chmod +x one-key-ikev2.sh
sudo ./one-key-ikev2.sh

If you answer yes to using an SSL certificate (if the certificate is trusted, clients will not need to import a certificate in the later steps), then before continuing to the next step name the following files as prompted and place them in the same directory as the script:

Importing the certificates

sudo cp -r /etc/letsencrypt/archive/nocs.cn .
  • Mapping between the certificate files Strongswan expects and the Let's Encrypt files:
ca.cert.pem [chain.pem]: the CA certificate of the issuing authority, e.g. the Let's Encrypt certificate, or other chain certificates;
server.cert.pem [cert.pem]: the issued domain certificate;
server.pem [privkey.pem]: the private key used when the domain certificate was issued;
  • Copy the certificates into the target directory my_key

/opt/data/vpn

mkdir my_key
cp -f /etc/letsencrypt/archive/nocs.cn/chain.pem my_key/ca.cert.pem
cp -f /etc/letsencrypt/archive/nocs.cn/cert.pem my_key/server.cert.pem
cp -f /etc/letsencrypt/archive/nocs.cn/cert.pem my_key/client.cert.pem
cp -f /etc/letsencrypt/archive/nocs.cn/privkey.pem my_key/server.pem
cp -f /etc/letsencrypt/archive/nocs.cn/privkey.pem my_key/client.pem

Installing Strongswan on Linux to build a VPN server

Ubuntu

sudo apt -y update
sudo apt -y install libpam0g-dev libssl-dev make gcc curl

CentOS

sudo yum -y install pam-devel openssl-devel make gcc
  • The following configuration applies to a VPS on a KVM platform

/opt/data

wget https://download.strongswan.org/strongswan-5.6.3.tar.gz
tar -zxvf strongswan-5.6.3.tar.gz
cd strongswan-5.6.3/
sudo ./configure --enable-eap-identity --enable-eap-md5 \
     --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
     --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
     --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
     --enable-certexpire --enable-radattr --enable-swanctl --disable-gmp
sudo make -j2
sudo make install
  • Importing the certificates

The following is an example configuration:

/etc/letsencrypt/archive/nocs.cn

sudo cp -f chain.pem /usr/local/etc/ipsec.d/cacerts/ca.cert.pem

sudo cp -f cert.pem /usr/local/etc/ipsec.d/certs/server.cert.pem
sudo cp -f cert.pem /usr/local/etc/ipsec.d/certs/client.cert.pem

sudo cp -f privkey.pem /usr/local/etc/ipsec.d/private/server.pem
sudo cp -f privkey.pem /usr/local/etc/ipsec.d/private/client.pem
  • Configuration files

~/Server/Run/Docs/Server/Config/Vpn/A/

sudo cp -r * /usr/local/etc/
  • IP forwarding

Change the kernel setting to enable IP forwarding: edit /etc/sysctl.conf and remove the # in front of net.ipv4.ip_forward:

net.ipv4.ip_forward=1
sudo sysctl -p

sysctl -w net.ipv4.ip_forward=1
  • Configuring iptables

Note: the server must allow inbound access on 500/udp and 4500/udp. Once a client is connected it can use the server as its next-hop router, so the server needs forwarding configured (deprecated):

#sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#sudo iptables -A FORWARD -s 10.100.0.0/24  -j ACCEPT
#sudo iptables -A INPUT -i eth0 -p esp -j ACCEPT
#sudo iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
#sudo iptables -A INPUT -i eth0 -p tcp --dport 500 -j ACCEPT
#sudo iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
#sudo iptables -A INPUT -i eth0 -p udp --dport 1701 -j ACCEPT
#sudo iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT

#sudo iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j SNAT --to-source 45.32.80.56

Send the packets out through the public interface via NAT. The address must match the address pool above; the interface and the local IP address need not be specified. (The following command must be executed):

iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -j MASQUERADE
  • View all rule chains
iptables -L
iptables -L -t nat
  • Block forwarded requests to [47.244.154.194:22312]
#ssh coam@47.244.154.194 -p22312
sudo iptables -I FORWARD -o eth0 -p tcp -d 47.244.154.194 --dport 22312 -j DROP

Add the commands above to rc.local so the rules are not lost after a reboot…

Some environments set a default DROP policy, disallow FORWARD, and so on; they need more complex configuration, which is not covered here.

  • Other notes

Common commands

ipsec start   # start the service
ipsec start --nofork   # start the service in the foreground with server-side logging
ipsec stop    # stop the service
ipsec restart # restart the service
ipsec reload  # re-read the configuration
ipsec status  # show status
ipsec --help  # show help

The VPN is very slow

After consulting the relevant material, this turned out to be a TCP MSS size problem. See the links at the end of the article for details. Run the following command:

iptables -I FORWARD -p tcp --syn -i ppp+ -j TCPMSS --set-mss 1356

That is all that is needed.

  • Saving iptables rules and applying them automatically

The iptables rules set above revert to the defaults after a reboot, so the two iptables settings made above need to be saved and loaded at boot. Having run the two iptables commands above, execute iptables-save > /etc/iptables-rules; this exports the current iptables configuration to a file named iptables-rules under /etc/ (the name and path are arbitrary). Then add iptables-restore < /etc/iptables-rules to /etc/rc.local (before the exit 0 line, of course), so that the system runs this command to load the iptables configuration at boot. Note: iptables-save must be run with root privileges (as the root account or via sudo), otherwise it outputs nothing!
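As an added example (not from the original post), the forwarding, NAT and MSS rules above can be kept as a single iptables-restore file that is regenerated and loaded atomically, instead of being appended one by one from rc.local, where a later failing command can stop the rest of the script and the rules are duplicated on every run. The pool 10.100.0.0/24 is the post's; the interface name eth0, the file path /etc/iptables-rules and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the VPN server's
# forwarding/NAT/MSS rules as one iptables-restore file and load it atomically.
# Assumptions (not from the page): public interface eth0, rules file
# /etc/iptables-rules; the virtual IP pool 10.100.0.0/24 matches the post.
set -eu

VPN_POOL="${VPN_POOL:-10.100.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"
RULES_FILE="${RULES_FILE:-/etc/iptables-rules}"

# Print a complete ruleset for the filter and nat tables.
# - INPUT: accept IKE (500/udp), NAT-T (4500/udp) and raw ESP on the WAN side.
# - FORWARD: clamp TCP MSS on SYNs from the pool (this must precede the ACCEPT
#   rules, because ACCEPT ends rule evaluation), allow pool traffic out and
#   established replies back.
# - POSTROUTING: masquerade the pool behind the WAN interface.
build_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT
-A INPUT -i $WAN_IF -p esp -j ACCEPT
-A FORWARD -s $VPN_POOL -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $VPN_POOL -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_POOL -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Number of -A rules in the generated set (sanity check before loading).
rule_count() {
    build_rules | grep -c '^-A'
}

# Write the file and load it. iptables-restore replaces the named tables
# wholesale, so running this twice does not duplicate rules the way repeated
# "iptables -A" lines in rc.local do.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    build_rules > "$RULES_FILE"
    iptables-restore < "$RULES_FILE"
}

# "sh vpn-rules.sh" prints the ruleset; "sh vpn-rules.sh apply" loads it (root).
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_rules
fi
```

For boot-time loading, put `iptables-restore < /etc/iptables-rules` at the top of /etc/rc.local, before any other command, or give it its own systemd unit, so that a later failing command cannot prevent it from running. `--clamp-mss-to-pmtu` is used in place of the fixed `--set-mss 1356` from the post because it adapts to the actual path MTU; the fixed value still works where it is known to be right.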


Custom Strongswan log file

By default strongswan writes its log to the system log; following the official documentation, the log can be written to a separate file instead.

/usr/local/etc/strongswan.d/charon-logging.conf

charon {
    filelog {
        /var/log/strongswan.log {
            append = yes
            default = 1
            flush_line = yes
            ike_name = yes
            time_format = %b %e %T
        }
    }
}

Collected issues

  1. After upgrading Strongswan, Mac OS X could connect to the VPN but had no internet access: it could only reach the VPN server, yet when logged in to the VPN server the public internet could be pinged. Initial diagnosis: an iptables packet forwarding problem on the VPN server.

Running the following command manually restored internet access:

sudo iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -j MASQUERADE

It turned out the routing rule above has to be configured after every reboot. I had put it in rc.local, but a shadowsocks command in rc.local failed with an error and crashed the script, so this rule was never applied and routing failed!

  2. no matching peer config found

Possibly the domain in the certificate does not match the configuration; check the certificate configuration.

  3. Error 13801 / deleting half open IKE_SA after timeout

This is usually a certificate verification error.

See also:
  • Notes on configuring and debugging Strongswan IKEv2 without importing certificates
  • Installing strongswan on CentOS


  • Uninstalling

Enter the strongswan folder in the script's directory and run:

/opt/data/strongswan-5.5.1

make uninstall

Delete the related files in the script's directory (one-key-ikev2.sh, strongswan.tar.gz, the strongswan folder, the my_key folder).

After uninstalling, remember to check the iptables configuration.


Determining the VPS virtualization platform with virt-what

On CentOS/RedHat systems, run:

yum install -y virt-what

Ubuntu (Debian family):

sudo apt install virt-what

virt-what is a script that determines which virtualization technology the current environment runs on; it recognises essentially all common virtualization technologies.

After installing virt-what, run:

sudo virt-what

Connecting to the VPN server from Linux


Installing the VPN client on CentOS

When operating servers on the domestic (mainland China) network, some code is blocked or slow to download, so I tried to solve this by setting up a VPN client on the server.

Installing StrongSwan

yum install epel-release
yum install openssl-devel
yum install strongswan

Verify the installed version

root@t.cs.0:~# strongswan version
7.2/K3.10.0-957.21.3.el7.x86_64
University of Applied Sciences Rapperswil, Switzerland
See 'strongswan --copyright' for copyright information.

Related configuration

Connection configuration; EAP authentication is used here

/etc/strongswan/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    uniqueids=never

conn centos
  type=tunnel
  auto=add
  keyexchange=ikev2
  ike=aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha1-modp2048!
  esp=aes256-sha256,3des-sha1,aes256-sha1!
  eap_identity=zyfmix
  dpdaction=clear
  dpddelay=300s
  left=%any
  # leftid can be anything
  leftid=vpn.iirii.com
  leftsourceip=%any
  leftauth=eap
  rightauth=pubkey
  right=vpn.iirii.com
  rightid=vpn.iirii.com
  # which network behind the server to reach
  rightsubnet=0.0.0.0/0

User credentials for the connection

/etc/strongswan/ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file

#: RSA /etc/ssl/coam/ipsec/private.key
: RSA /etc/ssl/coam/domains/vpn.iirii.com/privkey.pem
zyfmix : EAP "******"  # EAP-MSCHAPv2 for iOS and Linux

Start the client and connect to the Strongswan server:

strongswan start
strongswan status
strongswan up centos

Check the connection status on the client:

root@t.cs.0:~# strongswan status
Security Associations (1 up, 0 connecting):
      centos[1]: ESTABLISHED 57 seconds ago, 172.17.0.3[vpn.iirii.com]...47.244.154.194[vpn.iirii.com]
      centos{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c53065e8_i cdb28fd1_o
      centos{1}:   10.100.0.2/32 === 0.0.0.0/0

Problem analysis

Wildcard certificates cannot be used

With a wildcard certificate, the server logs the following warning on startup

05[CFG] received stroke: add connection 'android_xauth_psk'
05[CFG] adding virtual IP address pool 10.100.0.0/24
05[CFG] added configuration 'android_xauth_psk'
06[CFG] received stroke: add connection 'ios_ikev2'
06[CFG] reusing virtual IP address pool 10.100.0.0/24
06[CFG]   loaded certificate "CN=iirii.com" from '/etc/ssl/coam/domains/vpn.iirii.com/fullchain.pem'
06[CFG]   id 'vpn.iirii.com' not confirmed by certificate, defaulting to 'CN=iirii.com'
06[CFG] added configuration 'ios_ikev2'
09[CFG] received stroke: add connection 'Win10'
09[CFG] reusing virtual IP address pool 10.100.0.0/24
09[CFG]   loaded certificate "CN=iirii.com" from '/etc/ssl/coam/domains/vpn.iirii.com/fullchain.pem'
09[CFG]   id 'vpn.iirii.com' not confirmed by certificate, defaulting to 'CN=iirii.com'
09[CFG] added configuration 'Win10'

With a wildcard certificate, the client connection fails with the following error

05[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
05[CFG] looking for peer configs matching 172.17.0.3[vpn.iirii.com]...171.113.255.67[192.168.1.101]
05[CFG] no matching peer config found
05[IKE] processing INTERNAL_IP4_ADDRESS attribute
05[IKE] processing INTERNAL_IP4_NETMASK attribute
05[IKE] processing INTERNAL_IP4_DHCP attribute
05[IKE] processing INTERNAL_IP4_DNS attribute
05[IKE] processing INTERNAL_IP6_ADDRESS attribute
05[IKE] processing INTERNAL_IP6_DHCP attribute
05[IKE] processing INTERNAL_IP6_DNS attribute
05[IKE] processing INTERNAL_DNS_DOMAIN attribute
05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
05[IKE] peer supports MOBIKE
05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
05[NET] sending packet: from 172.17.0.3[4500] to 171.113.255.67[35415] (80 bytes)
05[IKE] IKE_SA (unnamed)[4] state change: CONNECTING => DESTROYING

Issuing a certificate for the VPN domain

sudo apt install certbot
sudo certbot certonly --standalone --email admin@iirii.com -d vpn.iirii.com

The directory of the issued certificate looks like this

coam@a.us.1:/etc/ssl/coam/domains/vpn.iirii.com$ ll
total 24
drwxr-xr-x  2 root root 4096 Jan  6 17:05 ./
drwxr-xr-x 16 root root 4096 Jan  6 17:04 ../
-rwxr-xr-x  1 root root 1907 Jan  6 17:03 cert.pem*
-rwxr-xr-x  1 root root 1647 Jan  6 17:03 chain.pem*
-rwxr-xr-x  1 root root 3554 Jan  6 17:03 fullchain.pem*
-rwxr-xr-x  1 root root 1704 Jan  6 17:03 privkey.pem*

Server-side configuration:

/etc/strongswan/ipsec.conf

conn ios_ikev2
    leftid=vpn.iirii.com
    leftcert=/etc/ssl/coam/domains/vpn.iirii.com/fullchain.pem

/etc/strongswan/ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file

#: RSA /etc/ssl/coam/ipsec/private.key
: RSA /etc/ssl/coam/domains/vpn.iirii.com/privkey.pem
zyfmix : EAP "******"  # EAP-MSCHAPv2 for iOS and Linux

The CA certificates for the domain must be installed on the client.

The intermediate chain certificate must be placed at /etc/strongswan/ipsec.d/cacerts/ca.crt,

/etc/strongswan/ipsec.d/cacerts/ca.crt

-----BEGIN CERTIFICATE-----
(certificate body omitted here)
-----END CERTIFICATE-----

otherwise starting the client connection fails with the following error:

no trusted RSA public key found for 'vpn.iirii.com'

root@t.cs.0:~# strongswan up centos
initiating IKE_SA centos[1] to 47.244.154.194
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 172.17.0.3[500] to 47.244.154.194[500] (548 bytes)
received packet: from 47.244.154.194[500] to 172.17.0.3[500] (472 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
remote host is behind NAT
sending cert request for "O=Digital Signature Trust Co., CN=DST Root CA X3"
establishing CHILD_SA centos{1}
generating IKE_AUTH request 1 [ IDi CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 172.17.0.3[4500] to 47.244.154.194[4500] (368 bytes)
received packet: from 47.244.154.194[4500] to 172.17.0.3[4500] (596 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, waiting for complete IKE message
retransmit 1 of request with message ID 1
sending packet: from 172.17.0.3[4500] to 47.244.154.194[4500] (368 bytes)
received packet: from 47.244.154.194[4500] to 172.17.0.3[4500] (1236 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, reassembled fragmented IKE message (1760 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "CN=vpn.iirii.com"
  using certificate "CN=vpn.iirii.com"
no issuer certificate found for "CN=vpn.iirii.com"
  issuer is "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
no trusted RSA public key found for 'vpn.iirii.com'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 172.17.0.3[4500] to 47.244.154.194[4500] (80 bytes)
establishing connection 'centos' failed

The root certificate must be placed at /etc/strongswan/ipsec.d/cacerts/DST_Root_CA_X3.pem

/etc/strongswan/ipsec.d/cacerts/DST_Root_CA_X3.pem

-----BEGIN CERTIFICATE-----
(certificate body omitted here)
-----END CERTIFICATE-----

otherwise starting the client connection fails with the following error:

no issuer certificate found for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"

root@t.cs.0:~# strongswan up centos
initiating IKE_SA centos[2] to 47.244.154.194
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 172.17.0.3[500] to 47.244.154.194[500] (548 bytes)
retransmit 1 of request with message ID 0
sending packet: from 172.17.0.3[500] to 47.244.154.194[500] (548 bytes)
retransmit 2 of request with message ID 0
sending packet: from 172.17.0.3[500] to 47.244.154.194[500] (548 bytes)
received packet: from 47.244.154.194[500] to 172.17.0.3[500] (472 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
remote host is behind NAT
sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
establishing CHILD_SA centos{1}
generating IKE_AUTH request 1 [ IDi CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 172.17.0.3[4500] to 47.244.154.194[4500] (368 bytes)
received packet: from 47.244.154.194[4500] to 172.17.0.3[4500] (1236 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, waiting for complete IKE message
received packet: from 47.244.154.194[4500] to 172.17.0.3[4500] (596 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembled fragmented IKE message (1760 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "CN=vpn.iirii.com"
  using certificate "CN=vpn.iirii.com"
  using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
checking certificate status of "CN=vpn.iirii.com"
  requesting ocsp status from 'http://ocsp.int-x3.letsencrypt.org' ...
  ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
  ocsp response is valid: until Jan 13 16:00:00 2020
certificate status is good
no issuer certificate found for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
  issuer is "O=Digital Signature Trust Co., CN=DST Root CA X3"
no trusted RSA public key found for 'vpn.iirii.com'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from 172.17.0.3[4500] to 47.244.154.194[4500] (80 bytes)
establishing connection 'centos' failed
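The three certificate failures shown in the logs above ("id ... not confirmed by certificate", "no issuer certificate found" and "no trusted RSA public key found") and the Let's Encrypt file mapping earlier in the post can all be checked before deployment. This is an added example, not from the original post: it checks that the IKE identity appears literally in the certificate's subjectAltName (a wildcard entry does not confirm vpn.iirii.com), that the private key belongs to the certificate, and that the intermediate and root in ipsec.d/cacerts are enough to verify the chain. It needs openssl; the function names, file paths and arguments are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pre-deployment checks for the
# certificate failures shown above ("id ... not confirmed by certificate",
# "no issuer certificate found", "no trusted RSA public key found").
# Function names and paths are this example's assumptions; needs openssl.
set -eu

# 0 if $2 appears as an exact dNSName in the SAN list $1, 1 otherwise.
# strongSwan compares the IKE identity against SAN entries literally, so
# "DNS:*.iirii.com" does not confirm "vpn.iirii.com" and charon falls back
# to the CN, which then does not match the client's rightid.
san_matches_id() {
    san_list="$1"   # e.g. "DNS:vpn.iirii.com, DNS:iirii.com"
    id="$2"
    printf '%s\n' "$san_list" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$id"
}

# Print the subjectAltName value line of a PEM certificate.
cert_san_list() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | sed 's/^ *//'
}

# 0 if private key $2 belongs to certificate $1 (compares the public keys,
# so it works for RSA and EC keys alike).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if certificate $1 verifies against everything in cacerts directory $2.
# Both the intermediate (chain.pem) and the root must be present; with only
# one of them the client logs "no issuer certificate found" and aborts.
chain_verifies() {
    bundle=$(mktemp)
    cat "$2"/* > "$bundle"
    if openssl verify -CAfile "$bundle" "$1" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$bundle"
    return $rc
}

# Usage: sh certcheck.sh server.cert.pem server.pem /etc/strongswan/ipsec.d/cacerts vpn.iirii.com
if [ $# -eq 4 ]; then
    cert=$1; key=$2; cacerts=$3; ident=$4
    if san_matches_id "$(cert_san_list "$cert")" "$ident"; then
        echo "ok: identity $ident is confirmed by subjectAltName"
    else
        echo "WARN: $ident is not a SAN dNSName; charon will fall back to the CN"
    fi
    key_matches_cert "$cert" "$key" && echo "ok: key matches certificate" \
        || echo "FAIL: key does not match certificate"
    chain_verifies "$cert" "$cacerts" && echo "ok: chain verifies from $cacerts" \
        || echo "FAIL: chain incomplete in $cacerts"
fi
```

Run it on the server against the files copied into ipsec.d (or on the client against the peer's certificate and its cacerts directory) before restarting charon; the SAN check is the one that explains why a wildcard certificate for iirii.com is rejected even though it is valid TLS-wise.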

If starting the client gives the error:

EAP-MS-CHAPv2 failed, no MD4 hasher available
  • Checking the default StrongSwan plugins shows that md4 is not included by default

strongSwan plugins

$ ipsec listplugins
md4:
    HASHER:HASH_MD4
md5:
    HASHER:HASH_MD5
  • so add the --enable-md4 option when compiling:
./configure --prefix=/usr/local --sysconfdir=/etc/strongswan --enable-md4

DNS pollution on the server's system resolver causes circumvention to fail

After connecting successfully, the network was very slow and still could not be reached; testing with ping www.google.com showed a different IP address every time!

root@t.cs.0:~# ping www.google.com
PING www.google.com (172.217.160.68) 56(84) bytes of data.

root@t.cs.0:~# ping www.google.com
PING www.google.com (31.13.65.18) 56(84) bytes of data.

root@t.cs.0:~# ping www.google.com
PING www.google.com (31.13.75.18) 56(84) bytes of data.

Pinging the correct www.google.com address, as resolved from the Aliyun Hong Kong server, succeeded, which shows the tunnel is in effect.

root@t.cs.0:~# ping -c 10 172.217.26.132
PING 172.217.26.132 (172.217.26.132) 56(84) bytes of data.
64 bytes from 172.217.26.132: icmp_seq=4 ttl=52 time=151 ms
64 bytes from 172.217.26.132: icmp_seq=6 ttl=52 time=151 ms
64 bytes from 172.217.26.132: icmp_seq=7 ttl=52 time=151 ms
64 bytes from 172.217.26.132: icmp_seq=10 ttl=52 time=151 ms

--- 172.217.26.132 ping statistics ---
10 packets transmitted, 4 received, 60% packet loss, time 9003ms
rtt min/avg/max/mdev = 151.576/151.765/151.881/0.490 ms

Presumably DNS on the mainland is polluted; after changing the DNS resolver it worked normally.

/etc/resolv.conf

; generated by /usr/sbin/dhclient-script
;nameserver 183.60.83.19
;nameserver 183.60.82.98
nameserver 8.8.4.4
nameserver 8.8.8.8

Checking the network again: it works, though still not stably.

root@t.cs.0:~# ping -c 10 www.google.com
PING www.google.com (172.217.26.132) 56(84) bytes of data.
64 bytes from kul08s06-in-f4.1e100.net (172.217.26.132): icmp_seq=1 ttl=52 time=151 ms
64 bytes from kul08s06-in-f4.1e100.net (172.217.26.132): icmp_seq=2 ttl=52 time=151 ms
64 bytes from kul08s06-in-f4.1e100.net (172.217.26.132): icmp_seq=4 ttl=52 time=151 ms
64 bytes from kul08s06-in-f4.1e100.net (172.217.26.132): icmp_seq=7 ttl=52 time=151 ms

--- www.google.com ping statistics ---
10 packets transmitted, 4 received, 60% packet loss, time 13311ms
rtt min/avg/max/mdev = 151.051/151.121/151.221/0.062 ms

Testing showed that downloads from github.com were still very slow, the same as without the tunnel, at 10+ KB/s instead of the normal 1 Mbit bandwidth, even though wget www.google.com and the like worked; I did not know why. In the end, testing showed the tunnel connection itself was fine: the problem was the bandwidth between Tencent Cloud and the Hong Kong server, which I verified by downloading https://www.nocs.cn/attached/vb from the Hong Kong server on several Tencent Cloud servers.
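The by-hand check above (ping several times, compare the resolved addresses, and compare them with what a trustworthy vantage point resolves) can be scripted so the resolver is tested rather than the tunnel. This is an added example, not from the original post: the constructed sample reuses the three ping headers printed above, and the function names and the choice of 8.8.8.8 as the reference resolver (the address the server pushes as DNS in the connection log at the end of the post) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: detect a polluted system resolver
# by comparing its answers with a reference resolver queried through the
# tunnel. Function names and the reference resolver are assumptions.
set -eu

# Extract the resolved IPv4 address from ping's first output line.
ping_resolved_ip() {
    sed -n 's/^PING [^ ]* (\([0-9.]*\)).*/\1/p'
}

# Count distinct addresses in a batch of ping header lines: a name that
# resolves to a different address on every try is the symptom seen above.
distinct_count() {
    printf '%s\n' "$1" | ping_resolved_ip | sort -u | wc -l | tr -d ' '
}

# 0 if every system-resolver answer (newline-separated, $1) is also among the
# reference answers ($2); 1 if any answer is unknown to the reference resolver.
answers_consistent() {
    sys="$1"; ref="$2"
    for ip in $sys; do
        printf '%s\n' "$ref" | grep -qxF "$ip" || return 1
    done
    return 0
}

# Live probe: resolve $1 via the system resolver (getent) and via the
# reference resolver with dig (default 8.8.8.8). Only meaningful once the
# tunnel is up, so that the dig query travels through it and not the local ISP.
probe() {
    name=$1; ref_ns=${2:-8.8.8.8}
    sys=$(getent ahostsv4 "$name" | awk '{print $1}' | sort -u)
    ref=$(dig +short "$name" A @"$ref_ns" | grep -E '^[0-9.]+$' | sort -u)
    if answers_consistent "$sys" "$ref"; then
        echo "ok: system resolver agrees with $ref_ns for $name"
    else
        echo "MISMATCH: system resolver returned answers $ref_ns does not know for $name"
    fi
}

# Constructed sample: the three ping headers observed before the resolver change.
SAMPLE_PINGS='PING www.google.com (172.217.160.68) 56(84) bytes of data.
PING www.google.com (31.13.65.18) 56(84) bytes of data.
PING www.google.com (31.13.75.18) 56(84) bytes of data.'

# "sh dnscheck.sh www.google.com [reference-ns]" runs the live probe;
# with no arguments it evaluates the constructed sample.
if [ $# -ge 1 ]; then
    probe "$@"
else
    echo "sample: $(distinct_count "$SAMPLE_PINGS") distinct addresses for www.google.com in 3 lookups"
fi
```

A MISMATCH here, while the tunnel itself passes traffic, points at the resolver rather than the VPN, which is exactly the situation the /etc/resolv.conf change above fixed.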

Finally, the complete connection log:

root@t.cs.0:~# strongswan up centos
initiating IKE_SA centos[1] to 47.244.154.194
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 172.17.0.3[500] to 47.244.154.194[500] (548 bytes)
received packet: from 47.244.154.194[500] to 172.17.0.3[500] (472 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
remote host is behind NAT
sending cert request for "O=Digital Signature Trust Co., CN=DST Root CA X3"
sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
establishing CHILD_SA centos{1}
generating IKE_AUTH request 1 [ IDi CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 172.17.0.3[4500] to 47.244.154.194[4500] (384 bytes)
received packet: from 47.244.154.194[4500] to 172.17.0.3[4500] (1236 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, waiting for complete IKE message
retransmit 1 of request with message ID 1
sending packet: from 172.17.0.3[4500] to 47.244.154.194[4500] (384 bytes)
received packet: from 47.244.154.194[4500] to 172.17.0.3[4500] (1236 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received duplicate fragment #1
received packet: from 47.244.154.194[4500] to 172.17.0.3[4500] (596 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembled fragmented IKE message (1760 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "CN=vpn.iirii.com"
  using certificate "CN=vpn.iirii.com"
  using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
checking certificate status of "CN=vpn.iirii.com"
  requesting ocsp status from 'http://ocsp.int-x3.letsencrypt.org' ...
  ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
  ocsp response is valid: until Jan 13 16:00:00 2020
certificate status is good
  using trusted ca certificate "O=Digital Signature Trust Co., CN=DST Root CA X3"
checking certificate status of "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3' found
  requesting ocsp status from 'http://isrg.trustid.ocsp.identrust.com' ...
  ocsp response correctly signed by "C=US, O=Digital Signature Trust, OU=DST, CN=DST CA X3 OCSP Signer, E=pki-ops@IdenTrust.com"
  ocsp response is valid: until Jan 13 22:15:42 2020
certificate status is good
certificate policy 2.23.140.1.2.1 for 'CN=vpn.iirii.com' not allowed by trustchain, ignored
certificate policy 1.3.6.1.4.1.44947.1.1.1 for 'CN=vpn.iirii.com' not allowed by trustchain, ignored
  reached self-signed root ca with a path length of 1
authentication of 'vpn.iirii.com' with RSA_EMSA_PKCS1_SHA2_256 successful
server requested EAP_IDENTITY (id 0x00), sending 'zyfmix'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 172.17.0.3[4500] to 47.244.154.194[4500] (80 bytes)
received packet: from 47.244.154.194[4500] to 172.17.0.3[4500] (112 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
server requested EAP_MSCHAPV2 authentication (id 0x07)
generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
sending packet: from 172.17.0.3[4500] to 47.244.154.194[4500] (144 bytes)
retransmit 1 of request with message ID 3
sending packet: from 172.17.0.3[4500] to 47.244.154.194[4500] (144 bytes)
received packet: from 47.244.154.194[4500] to 172.17.0.3[4500] (144 bytes)
parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
sending packet: from 172.17.0.3[4500] to 47.244.154.194[4500] (80 bytes)
received packet: from 47.244.154.194[4500] to 172.17.0.3[4500] (80 bytes)
parsed IKE_AUTH response 4 [ EAP/SUCC ]
EAP method EAP_MSCHAPV2 succeeded, MSK established
authentication of 'vpn.iirii.com' (myself) with EAP
generating IKE_AUTH request 5 [ AUTH ]
sending packet: from 172.17.0.3[4500] to 47.244.154.194[4500] (112 bytes)
retransmit 1 of request with message ID 5
sending packet: from 172.17.0.3[4500] to 47.244.154.194[4500] (112 bytes)
retransmit 2 of request with message ID 5
sending packet: from 172.17.0.3[4500] to 47.244.154.194[4500] (112 bytes)
received packet: from 47.244.154.194[4500] to 172.17.0.3[4500] (256 bytes)
parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
authentication of 'vpn.iirii.com' with EAP successful
IKE_SA centos[1] established between 172.17.0.3[vpn.iirii.com]...47.244.154.194[vpn.iirii.com]
scheduling reauthentication in 9959s
maximum IKE_SA lifetime 10499s
installing DNS server 8.8.8.8 to /etc/strongswan/resolv.conf
installing DNS server 8.8.4.4 to /etc/strongswan/resolv.conf
installing new virtual IP 10.100.0.2
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA centos{1} established with SPIs c53065e8_i cdb28fd1_o and TS 10.100.0.2/32 === 0.0.0.0/0
peer supports MOBIKE
connection 'centos' established successfully

Reference

This configuration connects two Linux hosts via the IKE protocol

