# strongSwan without certificates
From my earlier post on setting up strongSwan IPsec (IKEv1, IKEv2) on CentOS 7 we know that, because of the limitations of the various client systems, we had to use certificate authentication in order to be compatible with more of them. With certificates we normally self-sign, and then on Windows and iOS 9 the CA certificate has to be imported (if there are several servers, they can at least share one CA certificate pair). But can we do without certificates altogether?
## 1. leftauth without pubkey
Refer to this fellow's configuration at http://blog.zorro.im/posts/strongswan-ikev2-for-ios-without-certificate.html; I have not tested it.
```conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    strictcrlpolicy=no
    uniqueids=no

# IKEv2 for iOS
conn iOS-IKEV2
    auto=add
    dpdaction=clear
    keyexchange=ikev2
    #left
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=psk
    leftid=im.zorro.ipsec.server
    #right
    right=%any
    rightsourceip=10.99.1.0/24
    rightauth=eap-mschapv2
    rightid=im.zorro.ipsec.client
```
## 2. Use a certificate issued by a CA the system already trusts
In the debug log we see:
```
Jul 3 12:51:36 localhost charon: 04[IKE] received 36 cert requests for an unknown ca
```
The client first sends the server certificate requests for the CA certificates it ships with; if the server's certificate does not chain to one of them, verification fails and the client reports error 13801. So if we use a certificate issued by a CA that the system trusts by default, authentication succeeds without importing any CA certificate.
Where do we get such a certificate? WoSign, StartSSL, or Let's Encrypt all offer free ones. You can also pay for one; the advantage of a paid certificate is wildcard support, whereas with the free ones each subdomain has to be applied for separately.
For example, the free certificate I obtained from WoSign consists of the following files:
```
-rw-r--r--. 1 root root 2300 Jul 5 16:37 1_cross_Intermediate.crt
-rw-r--r--. 1 root root 2029 Jul 5 16:37 2_issuer_Intermediate.crt
-rw-r--r--. 1 root root 1667 Jul 5 16:37 3_user_vpn.linsir.org.crt
-rw-r--r--. 1 root root 1674 Jul 5 16:37 4_user_vpn.linsir.org.key
-rw-r--r--. 1 root root 2804 Jul 5 16:20 root.crt
```
- The first two, `1_cross_Intermediate.crt` and `2_issuer_Intermediate.crt`, are the intermediate CA certificates; copy them to `/etc/ipsec.d/cacerts`.
- `3_user_vpn.linsir.org.crt` is the server certificate (the public half); copy it to `/etc/ipsec.d/certs`.
- `4_user_vpn.linsir.org.key` is the private key; copy it to `/etc/ipsec.d/private`.
- Finally, `root.crt` is the root certificate; copy it to `/etc/ipsec.d/cacerts` as well.
Finally, run `ipsec listall` to see the certificate details:
```
List of X.509 End Entity Certificates

  subject:  "CN=vpn.linsir.org"
  issuer:   "C=CN, O=WoSign CA Limited, CN=WoSign CA Free SSL Certificate G2"
  validity:  not before Jul 03 16:55:59 2016, ok
             not after  Jul 03 16:55:59 2018, ok (expires in 722 days)
  serial:    1f:e6:75:bd:9d:a5:c2:16:3d:12:43:93:5c:bc:95:75
  altNames:  vpn.linsir.org
  flags:     serverAuth clientAuth
  CRL URIs:  http://crls1.wosign.com/ca6-server1-free.crl
  OCSP URIs: http://ocsp1.wosign.com/ca6/server1/free
  certificatePolicies:
             2.23.140.1.2.1
             1.3.6.1.4.1.36305.1.1.2
             CPS: http://www.wosign.com/policy/
  authkeyId: d2:a7:16:20:7c:af:d9:95:9e:eb:43:0a:19:f2:e0:b9:74:0e:a8:c7
  subjkeyId: 60:9d:ff:1b:56:b8:8d:23:26:d6:31:3d:9f:84:82:ad:cc:f5:df:2e
  pubkey:    RSA 2048 bits, has private key
  keyid:     c2:56:89:e3:3c:79:9d:bb:ff:fe:21:de:70:81:38:24:a5:02:a4:77
  subjkey:   60:9d:ff:1b:56:b8:8d:23:26:d6:31:3d:9f:84:82:ad:cc:f5:df:2e

List of X.509 CA Certificates

  subject:  "C=CN, O=WoSign CA Limited, CN=WoSign CA Free SSL Certificate G2"
  issuer:   "C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign"
  validity:  not before Nov 08 08:58:58 2014, ok
             not after  Nov 08 08:58:58 2029, ok (expires in 4868 days)
  serial:    38:f6:45:c1:e2:5d:91:2c:ce:3b:2b:39:12:31:74:0d
  flags:     CA CRLSign serverAuth clientAuth
  CRL URIs:  http://crls1.wosign.com/ca1.crl
  OCSP URIs: http://ocsp1.wosign.com/ca1
  pathlen:   0
  certificatePolicies:
             1.3.6.1.4.1.36305.6.1.2.2.1
             CPS: http://www.wosign.com/policy/
  authkeyId: e1:66:cf:0e:d1:f1:b3:4b:b7:06:20:14:fe:87:12:d5:f6:fe:fb:3e
  subjkeyId: d2:a7:16:20:7c:af:d9:95:9e:eb:43:0a:19:f2:e0:b9:74:0e:a8:c7
  pubkey:    RSA 2048 bits
  keyid:     1c:d9:66:ff:e1:b9:1f:c9:e5:92:c1:a6:75:d1:7a:dd:0f:7a:e7:24
  subjkey:   d2:a7:16:20:7c:af:d9:95:9e:eb:43:0a:19:f2:e0:b9:74:0e:a8:c7

  subject:  "C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign"
  issuer:   "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
  validity:  not before Sep 18 06:46:36 2006, ok
             not after  Jan 01 07:59:59 2020, ok (expires in 1269 days)
  serial:    19:c2:85:30:e9:3b:36
  flags:     CA CRLSign
  CRL URIs:  http://crl.startssl.com/sfsca.crl
  OCSP URIs: http://ocsp.startssl.com/ca
  pathlen:   2
  authkeyId: 4e:0b:ef:1a:a4:40:5b:a5:17:69:87:30:ca:34:68:43:d0:41:ae:f2
  subjkeyId: e1:66:cf:0e:d1:f1:b3:4b:b7:06:20:14:fe:87:12:d5:f6:fe:fb:3e
  pubkey:    RSA 4096 bits
  keyid:     69:9f:1b:7a:e9:b8:da:18:49:6c:60:8b:ce:4f:4e:aa:f9:f0:b7:aa
  subjkey:   e1:66:cf:0e:d1:f1:b3:4b:b7:06:20:14:fe:87:12:d5:f6:fe:fb:3e

  subject:  "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
  issuer:   "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
  validity:  not before Sep 18 03:46:36 2006, ok
             not after  Sep 18 03:46:36 2036, ok (expires in 7374 days)
  serial:    01
  flags:     CA CRLSign self-signed
  CRL URIs:  http://cert.startcom.org/sfsca-crl.crl
             http://crl.startcom.org/sfsca-crl.crl
  certificatePolicies:
             1.3.6.1.4.1.23223.1.1.1
             CPS: http://cert.startcom.org/policy.pdf
  subjkeyId: 4e:0b:ef:1a:a4:40:5b:a5:17:69:87:30:ca:34:68:43:d0:41:ae:f2
  pubkey:    RSA 4096 bits
  keyid:     23:4b:71:25:56:13:e1:30:dd:e3:42:69:c9:cc:30:d4:6f:08:41:e0
  subjkey:   4e:0b:ef:1a:a4:40:5b:a5:17:69:87:30:ca:34:68:43:d0:41:ae:f2
```
Note the first certificate's line `pubkey: RSA 2048 bits, has private key`: it means the matching private key was found. When error 13801 appears, one possible cause is that the cert and key do not match. After that, just configure the cert and key file names in ipsec.conf and ipsec.secrets respectively.
Sometimes the certificate you receive is in PFX format; to convert it into the files above, see http://netkiller.github.io/cryptography/openssl/format.html
To export the root certificate on Windows, double-click the PFX file, open the Certification Path tab, select the parent root certificate, and export it.
## Debugging
### Viewing log messages
```bash
tailf /var/log/messages
```
or
```bash
journalctl -f
```
## Common problems
### 1. no matching peer config found
No matching configuration was found in ipsec.conf; check your configuration.
### 2. Error 13801 / deleting half open IKE_SA after timeout
This is usually a certificate verification failure. If you use a self-signed certificate, first import the CA certificate on the client. Second, run `ipsec listcerts` and check that the certificate entry contains the keywords `pubkey: RSA 2048 bits, has private key`; if it does not, check whether the cert and key names configured in ipsec.conf and ipsec.secrets are correct. Also check whether the cert and key are actually a matching pair.
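As an added example (not from the original post), a small Python checker that parses `ipsec listcerts` / `ipsec listall` output and flags the conditions this item and the certificate listing above tie to error 13801: an end-entity certificate with no private key loaded, a certificate about to expire, and a certificate that does not name the server identity clients connect to. The sample output is constructed from the listing above plus a second, deliberately broken entry; the wording strongSwan prints for an already-expired certificate is assumed and simply treated as "expired".

```python
import re

# Constructed sample: a trimmed copy of the listall output above plus a second
# end-entity certificate that has no private key loaded and expires soon.
SAMPLE = """List of X.509 End Entity Certificates
  subject:  "CN=vpn.linsir.org"
  validity:  not before Jul 03 16:55:59 2016, ok
             not after  Jul 03 16:55:59 2018, ok (expires in 722 days)
  altNames:  vpn.linsir.org
  pubkey:    RSA 2048 bits, has private key

  subject:  "CN=vpn.example.test"
  validity:  not before Jan 01 00:00:00 2016, ok
             not after  Jan 01 00:00:00 2017, ok (expires in 10 days)
  altNames:  vpn.example.test, www.example.test
  pubkey:    RSA 2048 bits
List of X.509 CA Certificates
  subject:  "C=CN, O=WoSign CA Limited, CN=WoSign CA Free SSL Certificate G2"
  pubkey:    RSA 2048 bits
"""

def parse_listcerts(text):  # one dict per End Entity certificate; CA entries are skipped
    certs, cur, in_ee = [], None, False
    for line in text.splitlines():
        if line.startswith("List of X.509"):
            in_ee = "End Entity" in line
        m = re.match(r"\s*(\w+):\s*(.*)", line) if in_ee else None
        if m and m.group(1) == "subject":
            cur = {"subject": m.group(2).strip('"'), "altnames": [], "has_key": False, "days": None}
            certs.append(cur)
        elif m and m.group(1) == "altNames":
            cur["altnames"] = [a.strip() for a in m.group(2).split(",")]
        elif m and m.group(1) == "pubkey":
            cur["has_key"] = "has private key" in m.group(2)
        elif in_ee and "not after" in line:  # continuation line of "validity:"
            d = re.search(r"expires in (\d+) day", line)
            cur["days"] = int(d.group(1)) if d else -1  # -1: already expired (wording assumed)
    return certs

def check_end_entity(certs, server_id, min_days=30):  # readable list of problems found
    problems = []
    for c in certs:
        names = c["altnames"] + [c["subject"].replace("CN=", "")]
        if not c["has_key"]:
            problems.append(f"{c['subject']}: no private key loaded (check ipsec.secrets, cert/key pair)")
        if c["days"] is not None and c["days"] < min_days:
            problems.append(f"{c['subject']}: expires in {c['days']} days")
        if server_id not in names:
            problems.append(f"{c['subject']}: does not name {server_id}")
    return problems
```

Feed it the real output with `ipsec listcerts | python3 check.py`-style piping by reading `sys.stdin` instead of `SAMPLE`; `server_id` should be the leftid clients are configured to connect to.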
### 3. Connected, but no internet access?
If there is no internet access, first confirm that SELinux is disabled, that sysctl.conf has been configured, and that iptables is forwarding the traffic.
Another possibility is a subnet conflict between IKEv2, xl2tp and PPTP: the three are different methods, and if their subnets overlap, one of them may lose internet access.
## PPTP and xl2tp errors
### 1. rc_get_ipaddr: couldn't resolve hostname:
The hostname cannot be resolved; just add a mapping from the hostname to the host IP in DNS or in /etc/hosts:
```bash
cat >> /etc/hosts <<-EOF
127.0.0.1 $HOSTNAME
EOF
```
### 2. VPN PPTP - CTRL: PTY read or GRE write failed
It turns out that there are packets, called GRE packets, that might be blocked in your configuration. Allow GRE and the PPTP control connection:
```bash
# GRE is IP protocol 47 (not a TCP port); it carries the PPTP tunnel itself
iptables -A INPUT -p gre -j ACCEPT
# the PPTP control connection uses TCP port 1723
iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
```