strongSwan without certificates

In the previous mimvp blog post, Deploying L2TP/IPSec VPN on Alibaba Cloud CentOS 7, IKEv2 used certificate authentication. That certificate is usually self-signed, so on Windows and iOS 9 we have to import the CA certificate; with several servers we can at least share a single CA certificate pair. But is there a simpler way? Can we do without certificates altogether?

 

1. leftauth without pubkey

Reference configuration; I have not tested this one.

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    strictcrlpolicy=no
    uniqueids = no

# IKEv2 for iOS
conn iOS-IKEV2
    auto=add
    dpdaction=clear
    keyexchange=ikev2
    #left
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=psk
    leftid=im.zorro.ipsec.server
    #right
    right=%any
    rightsourceip=10.99.1.0/24
    rightauth=eap-mschapv2
    rightid=im.zorro.ipsec.client

 

2. Using a certificate issued by a CA the system trusts by default

In the debug log we see:

Jul  3 12:51:36 localhost charon: 04[IKE] received 36 cert requests for an unknown ca

The client first sends the server requests for the CA certificates it ships with, for verification; if that check fails, error 13801 is guaranteed. So if we use a certificate issued by a CA the system already trusts by default, authentication succeeds directly, without importing any CA certificate.

Where to get such a certificate? WoSign, StartSSL and Let's Encrypt all offer free ones; paid certificates are also an option, and their advantage is wildcard support, whereas with the free ones every subdomain has to be requested separately.

For example, the free certificate I requested from WoSign consists of the following files:

-rw-r--r--. 1 root root 2300 Jul  5 16:37 1_cross_Intermediate.crt
-rw-r--r--. 1 root root 2029 Jul  5 16:37 2_issuer_Intermediate.crt
-rw-r--r--. 1 root root 1667 Jul  5 16:37 3_user_vpn.linsir.org.crt
-rw-r--r--. 1 root root 1674 Jul  5 16:37 4_user_vpn.linsir.org.key
-rw-r--r--. 1 root root 2804 Jul  5 16:20 root.crt

The first two, 1_cross_Intermediate.crt and 2_issuer_Intermediate.crt, are intermediate (sub-root) CA certificates; copy them to /etc/ipsec.d/cacerts.

3_user_vpn.linsir.org.crt is the public certificate; copy it to /etc/ipsec.d/certs.

4_user_vpn.linsir.org.key is the private key; copy it to /etc/ipsec.d/private.

Finally, root.crt is the root certificate; copy it to /etc/ipsec.d/cacerts as well.

Finally, run

ipsec listall

to see the certificate details:

List of X.509 End Entity Certificates

  subject:  "CN=vpn.linsir.org"
  issuer:   "C=CN, O=WoSign CA Limited, CN=WoSign CA Free SSL Certificate G2"
  validity:  not before Jul 03 16:55:59 2016, ok
             not after  Jul 03 16:55:59 2018, ok (expires in 722 days)
  serial:    1f:e6:75:bd:9d:a5:c2:16:3d:12:43:93:5c:bc:95:75
  altNames:  vpn.linsir.org
  flags:     serverAuth clientAuth 
  CRL URIs:  http://crls1.wosign.com/ca6-server1-free.crl
  OCSP URIs: http://ocsp1.wosign.com/ca6/server1/free
  certificatePolicies:
             2.23.140.1.2.1
             1.3.6.1.4.1.36305.1.1.2
             CPS: http://www.wosign.com/policy/
  authkeyId: d2:a7:16:20:7c:af:d9:95:9e:eb:43:0a:19:f2:e0:b9:74:0e:a8:c7
  subjkeyId: 60:9d:ff:1b:56:b8:8d:23:26:d6:31:3d:9f:84:82:ad:cc:f5:df:2e
  pubkey:    RSA 2048 bits, has private key
  keyid:     c2:56:89:e3:3c:79:9d:bb:ff:fe:21:de:70:81:38:24:a5:02:a4:77
  subjkey:   60:9d:ff:1b:56:b8:8d:23:26:d6:31:3d:9f:84:82:ad:cc:f5:df:2e

List of X.509 CA Certificates

  subject:  "C=CN, O=WoSign CA Limited, CN=WoSign CA Free SSL Certificate G2"
  issuer:   "C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign"
  validity:  not before Nov 08 08:58:58 2014, ok
             not after  Nov 08 08:58:58 2029, ok (expires in 4868 days)
  serial:    38:f6:45:c1:e2:5d:91:2c:ce:3b:2b:39:12:31:74:0d
  flags:     CA CRLSign serverAuth clientAuth 
  CRL URIs:  http://crls1.wosign.com/ca1.crl
  OCSP URIs: http://ocsp1.wosign.com/ca1
  pathlen:   0
  certificatePolicies:
             1.3.6.1.4.1.36305.6.1.2.2.1
             CPS: http://www.wosign.com/policy/
  authkeyId: e1:66:cf:0e:d1:f1:b3:4b:b7:06:20:14:fe:87:12:d5:f6:fe:fb:3e
  subjkeyId: d2:a7:16:20:7c:af:d9:95:9e:eb:43:0a:19:f2:e0:b9:74:0e:a8:c7
  pubkey:    RSA 2048 bits
  keyid:     1c:d9:66:ff:e1:b9:1f:c9:e5:92:c1:a6:75:d1:7a:dd:0f:7a:e7:24
  subjkey:   d2:a7:16:20:7c:af:d9:95:9e:eb:43:0a:19:f2:e0:b9:74:0e:a8:c7

  subject:  "C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign"
  issuer:   "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
  validity:  not before Sep 18 06:46:36 2006, ok
             not after  Jan 01 07:59:59 2020, ok (expires in 1269 days)
  serial:    19:c2:85:30:e9:3b:36
  flags:     CA CRLSign 
  CRL URIs:  http://crl.startssl.com/sfsca.crl
  OCSP URIs: http://ocsp.startssl.com/ca
  pathlen:   2
  authkeyId: 4e:0b:ef:1a:a4:40:5b:a5:17:69:87:30:ca:34:68:43:d0:41:ae:f2
  subjkeyId: e1:66:cf:0e:d1:f1:b3:4b:b7:06:20:14:fe:87:12:d5:f6:fe:fb:3e
  pubkey:    RSA 4096 bits
  keyid:     69:9f:1b:7a:e9:b8:da:18:49:6c:60:8b:ce:4f:4e:aa:f9:f0:b7:aa
  subjkey:   e1:66:cf:0e:d1:f1:b3:4b:b7:06:20:14:fe:87:12:d5:f6:fe:fb:3e

  subject:  "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
  issuer:   "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
  validity:  not before Sep 18 03:46:36 2006, ok
             not after  Sep 18 03:46:36 2036, ok (expires in 7374 days)
  serial:    01
  flags:     CA CRLSign self-signed 
  CRL URIs:  http://cert.startcom.org/sfsca-crl.crl
             http://crl.startcom.org/sfsca-crl.crl
  certificatePolicies:
             1.3.6.1.4.1.23223.1.1.1
             CPS: http://cert.startcom.org/policy.pdf
  subjkeyId: 4e:0b:ef:1a:a4:40:5b:a5:17:69:87:30:ca:34:68:43:d0:41:ae:f2
  pubkey:    RSA 4096 bits
  keyid:     23:4b:71:25:56:13:e1:30:dd:e3:42:69:c9:cc:30:d4:6f:08:41:e0
  subjkey:   4e:0b:ef:1a:a4:40:5b:a5:17:69:87:30:ca:34:68:43:d0:41:ae:f2

Note the line pubkey: RSA 2048 bits, has private key on the first certificate: it means the matching private key is present. When error 13801 appears, one possible cause is that the cert and the key do not match. Then configure the cert and key file names in ipsec.conf and ipsec.secrets respectively, and you are done.

Sometimes, though, the certificate you receive is in pfx format. For how to convert it into the files above, see http://netkiller.github.io/cryptography/openssl/format.html

To export the root certificate on Windows, double-click the pfx certificate, open the Certification Path tab, select the parent root certificate, and export it.

 

Debugging

View the log output:

tailf /var/log/messages
or
journalctl -f

 

Common problems

1. no matching peer config found

This means no matching connection configuration was found in ipsec.conf; check the configuration.

 

2. Error 13801 / deleting half open IKE_SA after timeout

This is usually a certificate verification failure. With a self-signed certificate, first import the CA certificate. Next, run ipsec listcerts and check whether the certificate shows the words pubkey: RSA 2048 bits, has private key; if not, check that the cert and key file names configured in ipsec.conf and ipsec.secrets are correct. Also check whether the cert and key actually are a pair.
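The checks behind section 2 and this item, as an added example that is not code from the original post or from strongSwan: does the cert match the key (the "has private key" condition), does it chain to the CA files, and how to split a pfx into the three files the post describes. The names vpn.example.test, demo.pfx and wrong.key are constructed, and only openssl is required.

```shell
#!/bin/sh
# Added example, not code from the original post or from strongSwan: the two checks behind
# "has private key" in `ipsec listall` and error 13801, plus the pfx split the post links to.
# Output layout mirrors /etc/ipsec.d (cacerts/, certs/, private/). Needs only openssl.
set -u

# 0 iff the public key inside CERT equals the one derived from KEY (cert and key are a pair).
cert_key_match() {   # cert_key_match CERT KEY
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# 0 iff CERT chains to the *.crt files in CADIR (root plus intermediates): what strongSwan
# needs in /etc/ipsec.d/cacerts to send a chain the client can verify.
cert_chain_ok() {   # cert_chain_ok CERT CADIR
    b=$(mktemp) || return 1
    cat "$2"/*.crt > "$b" 2>/dev/null
    openssl verify -CAfile "$b" "$1" >/dev/null 2>&1; rc=$?
    rm -f "$b"; return $rc
}

# Split a .pfx into the three files strongSwan wants: end-entity cert -> OUT/certs,
# unencrypted private key (what ipsec.secrets expects) -> OUT/private, CA chain -> OUT/cacerts.
pfx_split() {   # pfx_split FILE.pfx PASSWORD OUTDIR
    mkdir -p "$3/certs" "$3/private" "$3/cacerts" || return 1
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3/certs/vpn.crt" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3/private/vpn.key" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys -out "$3/cacerts/chain.crt" 2>/dev/null
}

# Constructed throwaway PKI (hypothetical names): a root CA signing vpn.example.test, packed
# into demo.pfx (password "demo"), plus an unrelated wrong.key to demonstrate a mismatch.
make_demo_pki() {   # make_demo_pki DIR
    d=$1; mkdir -p "$d/src" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/src/root.key" -out "$d/src/root.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$d/src/vpn.key" -out "$d/src/vpn.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -sha256 -days 1 -in "$d/src/vpn.csr" -CA "$d/src/root.crt" \
        -CAkey "$d/src/root.key" -CAcreateserial -out "$d/src/vpn.crt" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -in "$d/src/vpn.crt" -inkey "$d/src/vpn.key" \
        -certfile "$d/src/root.crt" -passout pass:demo -out "$d/demo.pfx" 2>/dev/null || return 1
    openssl genrsa -out "$d/src/wrong.key" 2048 >/dev/null 2>&1
}
```

On a real server, call cert_key_match and cert_chain_ok with the files from /etc/ipsec.d/certs, /etc/ipsec.d/private and /etc/ipsec.d/cacerts; a non-zero result from either is the condition that shows up as error 13801.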

 

3. Connected, but no internet access?

If there is no internet access, first confirm that SELinux is disabled, that sysctl.conf is configured, and that iptables forwards the traffic.

Another possibility is an address-pool conflict between IKEv2, xl2tp and PPTP: they are three separate methods, and if their client subnets are the same, one of them may be unable to reach the internet.

 

PPTP and xl2tp errors

1. rc_get_ipaddr: couldn't resolve hostname:

If the hostname cannot be resolved, simply add a mapping from the hostname to the host IP in DNS or in /etc/hosts:

cat >> /etc/hosts<<-EOF
127.0.0.1    $HOSTNAME
EOF

 

2. VPN PPTP - CTRL: PTY read or GRE write failed

It turns out that there are packets, called GRE packets, that might be blocked in your configuration.

# GRE is IP protocol 47 (not a TCP port); PPTP's control channel is TCP port 1723
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT


Recommended reading

Setting up a VPN on Alibaba Cloud CentOS 7

Deploying L2TP/IPSec VPN on Alibaba Cloud CentOS 7

VPN protocols PPTP/L2TP/OpenVPN/IKEv2 and SSH: differences explained in detail