
IPsec with certificate authentication

Attempts

Windows 7 client

  • Configured the Windows 7 client following the documentation; it returned error 809 and the server logged “with unencrypted notification NO_PROPOSAL_CHOSEN”. Could not resolve it, gave up.

  • Some say a certificate-based connection cannot work when client and server sit in the same LAN segment; the non-same-segment case was not verified.

OpenWrt 19.07 client

Tried using libreswan from OpenWrt 19.07 as the client.

Configuration used

conn vpn.example.com
        left=%defaultroute
        leftcert=win7client.example.com
        leftid=%fromcert
        leftrsasigkey=%cert
        leftsubnet=0.0.0.0/0
        leftmodecfgclient=yes
        right=vpn.example.com
        rightsubnet=0.0.0.0/0
        rightid=@vpn.example.com
        rightrsasigkey=%cert
        narrowing=yes
        ikev2=insist
        rekey=yes
        fragmentation=yes
        mobike=yes
        auto=add
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear

Error reported

root@OpenWrt:~# ipsec auto --add vpn.example.com
036 MOBIKE kernel support missing for netkey interface: CONFIG_XFRM_MIGRATE && CONFIG_NET_KEY_MIGRATE

After turning mobike=yes off, a different error appears

002 "vpn.example.com"[3] 192.168.23.32 #7: received INTERNAL_IP4_ADDRESS 192.168.66.1
002 "vpn.example.com"[3] 192.168.23.32 #7: received INTERNAL_IP4_DNS 114.114.114.114
003 "vpn.example.com"[3] 192.168.23.32 #7: ERROR: netlink response for Add SA esp.6608fc4b@192.168.23.32 included errno 2: No such file or directory
002 "vpn.example.com"[3] 192.168.23.32 #7: setup_half_ipsec_sa() hit fail:
036 "vpn.example.com"[3] 192.168.23.32 #7: encountered fatal error in state STATE_PARENT_I2

Following this reference, decided to give up on this path and try something else.

Trying an unofficial approach

  • Documentation link

  • Windows 10: attempt failed

  • Windows 7: retry succeeded; the configuration that connects normally is as follows

    Registry modification

    root@OLYM-SW:~# cat /etc/ipsec.d/ikev2-cp.conf 
    conn ikev2-cp
      left=192.168.23.32
      leftcert=192.168.23.32
      leftid=@192.168.23.32
      leftsendcert=always
      leftsubnet=0.0.0.0/0
      leftrsasigkey=%cert
      right=%any
      rightaddresspool=192.168.43.10-192.168.43.250
      rightca=%same
      rightrsasigkey=%cert
      modecfgdns1=8.8.8.8
      #modecfgdns2=8.8.4.4
      narrowing=yes
      dpddelay=30
      dpdtimeout=120
      dpdaction=clear
      auto=add
      ikev2=insist
      rekey=no
      pfs=no
      fragmentation=yes
      #forceencaps=yes
      ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
      phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2  
      ms-dh-downgrade=yes
      #mobike=yes
    
    root@OLYM-SW:~# certutil -L -d sql:/etc/ipsec.d
    
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI
    
    Example CA                                                   CTu,u,u
    192.168.23.32                                                u,u,u
    winclient                                                    u,u,u
    

    Screenshots of the Windows 7 connection settings (image links from the original note):

    https://note.youdao.com/yws/public/resource/41112cc5871c7abf8ae2c90c3f174804/xmlnote/a7c8d4f6340c4fb0_124b4e56f64a48449d70768bbfa81f3d/23448

    https://note.youdao.com/yws/public/resource/41112cc5871c7abf8ae2c90c3f174804/xmlnote/b3140fe84c8b8610_6167f958aef649718465b9c8fe50402e/23449

    https://note.youdao.com/yws/public/resource/41112cc5871c7abf8ae2c90c3f174804/xmlnote/image-20200324210815873_a92455ff24a14e2388ea3bb25ec3a2d6/23432

    https://note.youdao.com/yws/public/resource/41112cc5871c7abf8ae2c90c3f174804/xmlnote/image-20200324211014001_2d56db03186b4d84ac0b8674f472cc01/23433

    https://note.youdao.com/yws/public/resource/41112cc5871c7abf8ae2c90c3f174804/xmlnote/image-20200324211049291_dd07d4e9ff2041f195c6a356b3d63023/23434

200326: Trying again

Following the steps in “LibreSwan IPsec IKEv2 VPN on RHEL 8 Beta Server and Windows 10 Client”, both Windows 7 and Windows 10 connected on the first try.

Differences from the previous attempts:

  1. One extra option is selected when generating the certificate

     1 - Client Auth
    
  2. The libreswan configuration file is different

    conn roadwarrior
      left=192.168.23.32
      leftcert=192.168.23.32
      leftid=@192.168.23.32
      leftsourceip=192.168.23.32
      leftsendcert=always
      leftsubnet=0.0.0.0/0
      leftrsasigkey=%cert
      right=%any
      rightaddresspool=10.9.0.2-10.9.0.254
      rightca=%same
      rightrsasigkey=%cert
      modecfgdns="1.1.1.1,1.0.0.1"
      narrowing=yes
      dpddelay=30
      dpdtimeout=120
      dpdaction=clear
      auto=add
      ikev2=insist
      rekey=no
      fragmentation=yes
      ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
    
  3. The connection settings on Windows are different

    • Data encryption: choose “Optional encryption”; in testing, every other choice produced “13868: policy match error”
    • “Mobility” under Advanced settings enabled; in testing, this switch made no difference
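Both server configs in this note keep SHA-1 and modp1024 proposals around purely so that Windows 7 can negotiate (the roadwarrior config even lists modp2048 first and modp1024 last), and the 13868 policy-match error above is exactly what a client shows when none of its proposals overlap the server's. The following script is an added example for this note, not libreswan's own code: it parses the ENCR-INTEG;DH proposal syntax used in the ike= and phase2alg= lines above (comma-separated proposals, optional DH group after the semicolon) and also the IKEv2 `+` form for alternatives inside one component, which this note does not use, then reports which proposals only exist for legacy-client compatibility so they can be dropped once the Windows 7 clients are gone.

```python
"""Audit the ike= / phase2alg= proposal strings from a libreswan conn.

Added example for this note; it is not libreswan's own code. It parses the
ENCR-INTEG;DH syntax used in the configs above (proposals separated by ',',
an optional DH group after ';') and the IKEv2 '+' form for alternatives
inside one component. Flagged proposals are the ones that only exist for
Windows 7 compatibility (SHA-1, modp1024).
"""
import re
from dataclasses import dataclass, field

# Algorithms worth flagging; the lists are deliberately conservative.
LEGACY_CIPHERS = {"3des", "des", "null", "cast", "blowfish"}
LEGACY_INTEG = {"md5", "sha1"}
LEGACY_DH = {"modp768", "modp1024", "modp1536"}
AEAD_MARKERS = ("gcm", "ccm", "chacha20")

# Proposal strings copied from the two server configs in this note.
WIN7_IKE = "aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
WIN7_PHASE2 = "aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2"
ROADWARRIOR_IKE = "aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024"


@dataclass
class Proposal:
    text: str
    ciphers: list
    integ: list
    dh: list
    findings: list = field(default_factory=list)


def _alternatives(part):
    """Split 'aes256+aes128' into its alternatives; '' gives []."""
    return [a.strip() for a in part.split("+") if a.strip()]


def _cipher_family(name):
    """'aes256' -> 'aes', 'aes_gcm' -> 'aes_gcm', '3des' -> '3des'."""
    m = re.fullmatch(r"(\d?[a-z_]+?)(\d*)", name)
    return m.group(1) if m else name


def parse_proposal(text):
    text = text.strip()
    algs, _, dh = text.partition(";")            # ';' introduces the DH group
    cipher_part, _, integ_part = algs.partition("-")
    p = Proposal(text, _alternatives(cipher_part), _alternatives(integ_part),
                 _alternatives(dh))
    # AEAD ciphers (aes_gcm-null on this page) carry their own authentication,
    # so a 'null' integrity algorithm is only a problem for non-AEAD ciphers.
    aead = any(m in c for c in p.ciphers for m in AEAD_MARKERS)
    for c in p.ciphers:
        if _cipher_family(c) in LEGACY_CIPHERS:
            p.findings.append(f"legacy cipher {c}")
    for i in p.integ:
        if i.split("_")[0] in LEGACY_INTEG:      # sha1, sha1_96, md5
            p.findings.append(f"legacy integrity {i}")
        elif i == "null" and not aead:
            p.findings.append("null integrity with a non-AEAD cipher")
    for g in p.dh:
        if g in LEGACY_DH:
            p.findings.append(f"legacy DH group {g}")
    return p


def parse_proposals(spec):
    return [parse_proposal(t) for t in spec.split(",") if t.strip()]


def legacy_proposals(spec):
    """Return the proposal strings that carry at least one finding."""
    return [p.text for p in parse_proposals(spec) if p.findings]


def report(label, spec):
    print(f"{label}:")
    for p in parse_proposals(spec):
        print(f"  {p.text:<34} {'; '.join(p.findings) or 'ok'}")


if __name__ == "__main__":
    report("ikev2-cp ike=", WIN7_IKE)
    report("ikev2-cp phase2alg=", WIN7_PHASE2)
    report("roadwarrior ike=", ROADWARRIOR_IKE)
```

Run it as-is to see, for each conn, which proposals are there only for the old clients; to audit a different conn, paste its ike= or phase2alg= value into legacy_proposals(). Note that ms-dh-downgrade=yes in the ikev2-cp config is the knob that lets Windows 7 fall back to the modp1024 entries, so removing those entries without removing that option is harmless, but keeping them means every client that offers modp1024 can still negotiate it.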

Technical notes

Enabling logging

root@OLYM-SW:~# cat /etc/ipsec.conf
config setup
	protostack=netkey
	# add the following setting
	plutodebug=all

Viewing logs

logread -f
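With plutodebug=all the output of logread -f gets long, so it helps to have something that picks out the lines that matter. The script below is an added example, not part of the original note and not libreswan code: it parses the line shape visible in the error output earlier in this note (an optional three-digit whack return code as printed by ipsec auto, then "conn"[instance] peer #state: and the message), assumes that lines coming from logread carry the usual syslog pluto[pid]: tag in front, and maps the failures recorded in this note (MOBIKE kernel support missing, the netlink Add SA errno 2, NO_PROPOSAL_CHOSEN, the fatal-state line) to a short diagnosis. The sample input embeds the lines from this note plus two constructed logread-style lines whose syslog prefix and 203.0.113.5 peer are made up.

```python
"""Parse libreswan (pluto) log lines and point out the failures seen in this note.

Added example, not part of the original note and not libreswan code. It
understands the prefix format shown above: an optional three-digit whack
return code (the 'ipsec auto' output), then '"conn"[instance] peer #state:'
and the message. Lines from 'logread' are assumed to carry the usual syslog
'pluto[pid]: ' tag in front, which is stripped first.
"""
import re

SYSLOG_TAG = re.compile(r"^.*?\bpluto\[\d+\]:\s*")
LINE = re.compile(
    r"^(?:(?P<code>\d{3})\s+)?"                          # whack rc code
    r'(?:"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])?\s+)?'   # conn name, instance
    r"(?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+)?"         # peer address
    r"(?:#(?P<state>\d+):\s+)?"                          # state number
    r"(?P<msg>.*)$"
)

# Message patterns and what they mean. The patterns are the errors recorded
# in this note; the ENOENT explanation is general knowledge, not from the note.
DIAGNOSES = [
    (re.compile(r"MOBIKE kernel support missing"),
     "kernel lacks CONFIG_XFRM_MIGRATE/CONFIG_NET_KEY_MIGRATE; set mobike=no"),
    (re.compile(r"netlink response for Add SA .* errno 2"),
     "kernel refused to install the ESP SA (ENOENT); usually a kernel "
     "crypto/xfrm module for the negotiated algorithm is not available"),
    (re.compile(r"NO_PROPOSAL_CHOSEN"),
     "peer accepted none of our proposals; compare ike=/phase2alg= with the client"),
    (re.compile(r"encountered fatal error in state (\S+)"),
     "negotiation aborted in state {0}"),
]


def parse_line(line):
    """Return a dict of the line's fields, or None for unparsable input."""
    line = SYSLOG_TAG.sub("", line.strip())
    m = LINE.match(line)
    if not m or not m.group("msg"):
        return None
    rec = m.groupdict()
    for k in ("inst", "state"):
        rec[k] = int(rec[k]) if rec[k] else None
    return rec


def diagnose(msg):
    """Diagnosis text for a known failure message, else None."""
    for pat, text in DIAGNOSES:
        m = pat.search(msg)
        if m:
            return text.format(*m.groups())
    return None


def triage(lines):
    """Parsed records for lines that match a known failure, with a diagnosis."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and (d := diagnose(rec["msg"])):
            rec["diagnosis"] = d
            out.append(rec)
    return out


# Sample input: the lines recorded in this note plus two constructed
# logread-style lines (syslog prefix and the 203.0.113.5 peer are made up).
SAMPLE = """\
036 MOBIKE kernel support missing for netkey interface: CONFIG_XFRM_MIGRATE && CONFIG_NET_KEY_MIGRATE
002 "vpn.example.com"[3] 192.168.23.32 #7: received INTERNAL_IP4_ADDRESS 192.168.66.1
003 "vpn.example.com"[3] 192.168.23.32 #7: ERROR: netlink response for Add SA esp.6608fc4b@192.168.23.32 included errno 2: No such file or directory
036 "vpn.example.com"[3] 192.168.23.32 #7: encountered fatal error in state STATE_PARENT_I2
Thu Mar 26 21:00:01 2020 daemon.info pluto[1234]: "ikev2-cp"[1] 203.0.113.5 #2: received INTERNAL_IP4_ADDRESS 10.9.0.2
Thu Mar 26 21:00:02 2020 daemon.warn pluto[1234]: "ikev2-cp"[2] 203.0.113.5 #3: responding with unencrypted notification NO_PROPOSAL_CHOSEN
""".splitlines()

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        where = f'{rec["conn"]}[{rec["inst"]}] #{rec["state"]}' if rec["conn"] else "(global)"
        print(f"{where}: {rec['diagnosis']}")
```

To use it on a live router, pipe logread -f into the script and call triage() on sys.stdin; the conn name, instance and state number in each record identify which client negotiation the failure belongs to, which matters once several road warriors share one conn.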

Problems encountered

ipsec initnss reports certutil: not found

root@OpenWrt:~# ipsec initnss
Initializing NSS database

/usr/sbin/ipsec: line 377: certutil: not found
Failed to initialize nss database sql:/etc/ipsec.d

libnss needs to be installed; see the reference for more.

root@OpenWrt:~# opkg install libnss

References

FAQ: What are the differences between IKEv1 and IKEv2

VPN server for remote clients using IKEv2

ipsec.conf - IPsec configuration and connections

Setup IKEv2/Windows 10

How to configure IKEv2 VPN: Windows 7 and later

Windows IKEv2 Error 809

Windows error 809

Importing and correctly using IKEv2 VPN certificates on Windows 7/8

Pitfalls of using IKEv2 on Windows, plus batch and PowerShell scripts

Reference projects

setup-ipsec-vpn

setup-ipsec-vpn github