Ubuntu 16.04 上 iOS NEVPNManager 和 StrongSwan 之间的 VPN 连接

【问题标题】:Vpn connect between iOS NEVPNManager and StrongSwan on Ubuntu 16.04Ubuntu 16.04 上 iOS NEVPNManager 和 StrongSwan 之间的 VPN 连接
【发布时间】:2021-07-27 14:36:30
【问题描述】:

我正在尝试在我的应用中创建 vpn 连接。在服务器端,在 Ubuntu 16.04 上使用带有 StrongSwan 的 IKEv2 VPN 服务器。通过这个 guid (https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04) 构建。

当我尝试连接时。 服务器发送此日志:

 - May  5 08:58:21 ip-2 charon: 05[NET] received packet: from 3[500] to 2[500] (432 bytes)
 - May  5 08:58:21 ip-2 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
 - May  5 08:58:21 ip-2 charon: 05[IKE] 3 is initiating an IKE_SA
 - May  5 08:58:21 ip-2 charon: 05[IKE] local host is behind NAT, sending keep alives
 - May  5 08:58:21 ip-2 charon: 05[IKE] remote host is behind NAT
 - May  5 08:58:21 ip-2 charon: 05[IKE] received proposals inacceptable
 - May  5 08:58:21 ip-2 charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
 - May  5 08:58:21 ip-2 charon: 05[NET] sending packet: from 2[500] to 3[500] (36 bytes)
 - May  5 08:58:22 ip-2 charon: 16[NET] received packet: from 3[500] to 2[500] (432 bytes)
 - May  5 08:58:22 ip-2 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
 - May  5 08:58:22 ip-2 charon: 16[IKE] 3 is initiating an IKE_SA
 - May  5 08:58:22 ip-2 charon: 16[IKE] local host is behind NAT, sending keep alives
 - May  5 08:58:22 ip-2 charon: 16[IKE] remote host is behind NAT
 - May  5 08:58:22 ip-2 charon: 16[IKE] received proposals inacceptable
 - May  5 08:58:22 ip-2 charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
 - May  5 08:58:22 ip-2 charon: 16[NET] sending packet: from 2[500] to 3[500] (36 bytes)

我在服务器上使用这个配置:

config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    lifetime=8h
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=<IP>
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!

在 iOS 上使用此代码:

class VpnManager {
    
    let vpnManager = NEVPNManager.shared()
    let info = VPNINFO()
    
    func connectToVPN() {
        vpnManager.loadFromPreferences { error in
            guard error == nil else {
                print(error)
                return
            }

            let IKEv2Protocol = NEVPNProtocolIKEv2()
            IKEv2Protocol.serverAddress = self.info.serverAddress
            IKEv2Protocol.authenticationMethod = .certificate
            
            let certificate = SecCertificateCreateWithData(nil, Data(base64Encoded: self.info.cert)! as CFData)!
            let certificateData = SecCertificateCopyData(certificate) as Data
            IKEv2Protocol.identityData = certificateData
            
            self.vpnManager.protocolConfiguration = IKEv2Protocol
            self.vpnManager.isEnabled = true
            
            self.vpnManager.saveToPreferences { error in
                guard error == nil else {
                    print(error)
                    return
                }
                do {
                    try self.vpnManager.connection.startVPNTunnel(
                        options: ([
                            NEVPNConnectionStartOptionUsername: "username",
                            NEVPNConnectionStartOptionPassword: KeychainWrapper.passwordRefForVPNID("MY_PASSWORD")
                        ] as! [String: NSObject]))
                } catch let error {
                    print(error)
                }
            }
        }
    }
    
    
}

预期结果: 已连接

实际结果: 连接 -> 断开连接

最后的控制台日志:

Jun  4 15:44:51 charon: 06[NET] received packet: from <my ip>[500] to <server ip>[500] (304 bytes)
Jun  4 15:44:51 charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun  4 15:44:51 charon: 06[IKE] <my ip> is initiating an IKE_SA
Jun  4 15:44:51 charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun  4 15:44:51 charon: 06[IKE] local host is behind NAT, sending keep alives
Jun  4 15:44:51 charon: 06[IKE] remote host is behind NAT
Jun  4 15:44:51 charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun  4 15:44:51 charon: 06[NET] sending packet: from <server ip>[500] to <my ip>[500] (328 bytes)
Jun  4 15:44:51 charon: 05[NET] received packet: from <my ip>[500] to <server ip>[500] (304 bytes)
Jun  4 15:44:51 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun  4 15:44:51 charon: 05[IKE] <my ip> is initiating an IKE_SA
Jun  4 15:44:51 charon: 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jun  4 15:44:51 charon: 05[IKE] local host is behind NAT, sending keep alives
Jun  4 15:44:51 charon: 05[IKE] remote host is behind NAT
Jun  4 15:44:51 charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun  4 15:44:51 charon: 05[NET] sending packet: from <server ip>[500] to <my ip>[500] (328 bytes)
Jun  4 15:45:11 charon: 08[IKE] sending keep alive to <my ip>[500]
Jun  4 15:45:11 charon: 09[IKE] sending keep alive to <my ip>[500]
Jun  4 15:45:21 charon: 10[JOB] deleting half open IKE_SA with <my ip> after timeout
Jun  4 15:45:21 charon: 11[JOB] deleting half open IKE_SA with <my ip> after timeout

【问题讨论】:

  • 您为什么要遵循那个旧教程(并使用非常旧的操作系统)?无论如何,在配置中设置的建议使用 iOS 可能不建议的旧的/不安全的 DH 组。所以我会尝试删除ike(和esp)行。您还可以将 cfg 的日志级别增加到 2,以便看到客户端发送的建议(较新的 strongSwan 版本在错误情况下默认执行此操作)。
  • 我尝试使用 ubunta 20 但结果是一样的。
  • 显然,如果您使用了不合适的配置。

标签: swift ubuntu vpn nevpnmanager strongswan


【解决方案1】:

您的 strongswan 服务器配置了以下加密算法。

ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!

解决方案

您需要在 NEVPNProtocolIKEv2 实例中指定 VPN Server 支持的 Cipher。

    IKEv2Protocol.ikeSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256
    IKEv2Protocol.ikeSecurityAssociationParameters.integrityAlgorithm = .SHA96
    IKEv2Protocol.ikeSecurityAssociationParameters.diffieHellmanGroup = .group2 
    IKEv2Protocol.ikeSecurityAssociationParameters.lifetimeMinutes = 480
    
    IKEv2Protocol.childSecurityAssociationParameters.encryptionAlgorithm = .algorithmAES256
    IKEv2Protocol.childSecurityAssociationParameters.integrityAlgorithm = .SHA96
    IKEv2Protocol.childSecurityAssociationParameters.diffieHellmanGroup = .group2
    IKEv2Protocol.childSecurityAssociationParameters.lifetimeMinutes = 60

【讨论】:

  • 我尝试添加此代码,但它不影响连接。但它改变了一些日志。
  • @DmitryK 请分享控制台日志,以便我为您提供帮助。
  • 我在问题末尾添加了控制台日志,谢谢帮助
猜你喜欢
  • 2022-07-28
  • 2016-02-28
  • 2017-01-03
  • 1970-01-01
  • 1970-01-01
  • 2016-09-17
  • 1970-01-01
  • 2018-07-20
  • 1970-01-01
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode