OpenSWAN 根本不会启动阶段 2


我想把我的 Ubuntu 12.04 开发机连接到企业网络。他们在路由器上运行 OpenBSD 5.1 和 isakmpd。授权只使用 RSA 密钥来完成。

在我这边，我安装了 openswan（apt-get install openswan）并做了如下设置：

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
#
# Review notes: this is the shipped sample with only the "config setup"
# section in use; connections live in the included files below. The
# virtual_private list is the sample's default and was not adapted to
# this host -- see the comment on that line.


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Where pluto leaves core dumps. A core of the key daemon can contain
        # key material, so keep this directory readable by root only.
        dumpdir=/var/run/pluto/
        # Needed here: the workstation is behind NAT, and "ipsec auto status"
        # below shows the IKE SA running on port 4500 (UDP encapsulation).
        nat_traversal=yes
        # Subnets a NAT'ed peer may claim as its inner (virtual) address.
        # Two things a reviewer would flag:
        #  - 25.0.0.0/8 is publicly routable address space, not private; it is
        #    inherited from the sample file and should be dropped unless some
        #    peer really uses it.
        #  - The "disallowed" list is empty ("ipsec auto status" warns about
        #    exactly this). This host itself sits inside 172.16.0.0/12 (eth0 is
        #    172.16.30.254), so its own LAN should be excluded, e.g. by appending
        #    %v4:!<LOCAL_LAN_CIDR> (placeholder) to the list.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        # (the startup log confirms "Using NETKEY(XFRM) stack").
        protostack=netkey
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        # NOTE(review): the status output shows
        #   debug raw+crypt+parsing+...+private
        # The "private" debug flag makes pluto write secret material (keys) to
        # the log. It is not set in this file, so presumably it comes from the
        # command line or an included file -- turn it off once the interop
        # problem is solved and treat the existing logs as sensitive.
        #plutostderrlog=/dev/null

# Add connections here
include /etc/ipsec.d/ipsec.*.conf

连接的配置如下：

# Tunnel from this NAT'ed workstation ("left") to the OpenBSD/isakmpd
# gateway ("right"), both sides authenticated with RSA signatures. The
# proposals mirror the isakmpd rule shown further down the page
# (main: aes-256/hmac-sha1/modp2048, quick: aes-256/hmac-sha1/modp2048),
# and "ipsec auto status" confirms phase 1 settled on exactly that.
conn office
        # Bring the tunnel up at startup; the isakmpd side is "passive", so
        # this end has to be the initiator.
        auto=start
        type=tunnel
        # IPComp. The isakmpd rule on the gateway does not ask for compression,
        # and the answer on this page suspects this setting; compress=no is the
        # first thing to try when chasing the INVALID_FLAGS drops.
        compress=yes
        # Main mode, not aggressive mode (aggressive mode would expose the
        # identity in the clear).
        aggrmode=no
        # Force RFC 3948 UDP encapsulation even if NAT is not detected. The
        # server-side parse errors only appear after the exchange moved to
        # port 4500 (status line "office":4500 STATE_MAIN_I3), so if
        # compress=no does not help, this is the next setting to test.
        forceencaps=yes
        left=%defaultroute
        # NOTE(review): the next line was mangled by the page's e-mail
        # obfuscation; it is the leftid=@<fqdn> setting. The status output
        # shows it as @andrey-ubuntu.idle-games.com while the isakmpd log shows
        # andrey-ubuntu.example.com -- presumably inconsistent redaction, since
        # phase 1 did complete on the server.
        [email protected]
        # To get the proper rsasigkey values, use ipsec showhostkey. On left (vpgw1) run: ipsec showhostkey --left
        # Public key of this side (base64, "0s" prefix). The private key must
        # stay out of ipsec.conf.
        leftrsasigkey=0sAwEAAavfJOtpFvA......big_key
        leftca=ca.crt
        # Always send our certificate; the startup log shows it being loaded
        # from /etc/ipsec.d/certs/andrey-ubuntu.der (893 bytes).
        leftsendcert=always
        # Convert PEM cert to der
        # openssl x509 -in andrey-ubuntu.pem -outform DER -out andrey-ubuntu.der
        leftcert=andrey-ubuntu.der
        #
        # Gateway address. The status output prints it as 4.5.3.126<204.15.3.126>
        # and the isakmpd log uses yet another address -- presumably redaction.
        right=4.5.3.126
        # NOTE(review): also mangled by the e-mail obfuscation; this is
        # rightid=@secure1.example.com (matches "responder id
        # secure1.example.com" in the isakmpd log and the srcid in its rule).
        [email protected]
        # Pinning the peer's public key here means the peer is trusted by this
        # key, not by the CA chain in leftca; make sure it is the gateway's
        # current key when it is rotated.
        rightrsasigkey=0sAwEAAc92q7qKyW......big_key
        #leftupdown="ipsec _updown --route yes" # See ipsec_pluto(8) for details. Relevant only locally, other end need not agree on it.
        # Phase 1 proposal. SHA-1 is the only option besides MD5 for the IKE
        # hash in this Openswan build (see the "algorithm IKE hash" lines in
        # the status output), so sha2 cannot be used here yet.
        ike=aes256-sha1;modp2048
        # Phase 2 proposal; with pfs=yes the modp2048 part is the PFS group
        # (status: "pfsgroup=MODP2048(14)").
        phase2alg=aes256-sha1;modp2048
        ikelifetime=28800s
        authby=rsasig
        pfs=yes
        salifetime=28800s
        keyexchange=ike

我的工作站位于 NAT 之后。当我启动 openswan 服务时，在本机的日志里看到：

Sep 17 06:15:25 zentavr-ig ipsec_setup: Starting Openswan IPsec U2.6.37/K3.5.0-23-generic...
Sep 17 06:15:25 zentavr-ig ipsec_setup: Using NETKEY(XFRM) stack
Sep 17 06:15:25 zentavr-ig kernel: [19389.748253] Initializing XFRM netlink socket
Sep 17 06:15:25 zentavr-ig ipsec_setup: ...Openswan IPsec started
Sep 17 06:15:25 zentavr-ig pluto: adjusting ipsec.d to /etc/ipsec.d
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Sep 17 06:15:25 zentavr-ig rsyslogd-2177: imuxsock begins to drop messages from pid 25281 due to rate-limiting
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: 002 loading certificate from andrey-ubuntu.der
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: 002   loaded host cert file '/etc/ipsec.d/certs/andrey-ubuntu.der' (893 bytes)
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: 002 added connection description "office"
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: 104 "office" #1: STATE_MAIN_I1: initiate

以及：

root@zentavr-ig:/etc/ipsec.d# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 172.16.30.254
000 interface eth0/eth0 172.16.30.254
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+klips+pfkey+nattraversal+x509+dpd+private
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048}
000
000 "office": 172.16.30.254[@andrey-ubuntu.idle-games.com,+S=C]...4.5.3.126<204.15.3.126>[@secure1.example.com,+S=C]; prospective erouted; eroute owner: #0
000 "office":     myip=unset; hisip=unset; mycert=andrey-ubuntu.der;
000 "office":   CAs: '\011'...'%any'
000 "office":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "office":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "office":   dpd: action:clear; delay:0; timeout:0;
000 "office":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "office":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP2048(14); flags=-strict
000 "office":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)
000 "office":   ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP2048(14); flags=-strict
000 "office":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000
000 #1: "office":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); none in -1s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: pending Phase 2 for "office" replacing #0
000

……然后就停在这里了。在服务器端可以看到：

@400000005237c9581197de3c 201526.295150 Default isakmpd: phase 1 done (as responder): initiator id andrey-ubuntu.example.com, responder id secure1.example.com, src: 4.5.3.126 dst: 1.18.7.156
@400000005237c9581d9d9c94 201526.496860 Default message_parse_payloads: reserved field non-zero: c3
@400000005237c9581d9db01c 201526.496867 Default dropped message from 1.8.7.156 port 1024 due to notification type PAYLOAD_MALFORMED
@400000005237c958298b3b24 201526.696975 Default message_recv: cleartext phase 2 message
@400000005237c958298b567c 201526.696984 Default dropped message from 1.18.7.156 port 1024 due to notification type INVALID_FLAGS
@400000005237c9621f5c4c24 201536.526130 Default message_recv: cleartext phase 2 message
@400000005237c9621f5c6394 201536.526140 Default dropped message from 1.18.7.156 port 1024 due to notification type INVALID_FLAGS
@400000005237c9672034702c 201541.540296 Default message_recv: cleartext phase 2 message
@400000005237c96720348b84 201541.540305 Default dropped message from 1.18.7.156 port 1024 due to notification type INVALID_FLAGS
@400000005237c96c22a335dc 201546.581110 Default message_recv: cleartext phase 2 message
@400000005237c96c22a34d4c 201546.581118 Default dropped message from 1.18.7.156 port 1024 due to notification type INVALID_FLAGS
@400000005237c9712389d8d4 201551.596225 Default message_recv: cleartext phase 2 message
@400000005237c9712389ec5c 201551.596233 Default dropped message from 1.18.7.156 port 1024 due to notification type INVALID_FLAGS
@400000005237c97625f0e9dc 201556.636531 Default message_recv: cleartext phase 2 message
@400000005237c97625f0fd64 201556.636542 Default dropped message from 1.18.7.156 port 1024 due to notification type INVALID_FLAGS

OpenBSD 的 isakmpd 配置如下：

# OpenBSD ipsec.conf(5) rule on the gateway. "passive" means the gateway only
# answers, never initiates, so the Ubuntu side must start the exchange. The
# main/quick proposals are the same as the Openswan ike=/phase2alg= lines, and
# no compression is requested here -- which supports the compress=no advice.
# Points to confirm on the gateway side (not visible on this page):
#  - "from any to any" accepts flows with any selectors; with a single
#    road-warrior peer this is usually narrowed to that peer's inner address.
#  - "tag ipsec-$id" labels the decrypted traffic for pf; $id is presumably
#    a macro defined earlier in the same file.
ike passive esp tunnel                                  \
        from any to any                                 \
        main auth hmac-sha1 enc aes-256 group modp2048  \
        quick auth hmac-sha1 enc aes-256 group modp2048 \
        srcid secure1.example.com                \
        tag ipsec-$id

我想知道：为什么 Openswan 根本无法开始第 2 阶段，而且我在服务器端看到了这么奇怪的错误？调试了几个晚上之后，我已经没有思路了 :(


INVALID_FLAGS（无效标志）让我怀疑，可能是压缩或其他某个设置只在一方启用了，而与另一方不兼容。我自己在 OpenSWAN 上几乎总是使用 compress=no 来避免兼容性问题。
