OpenWrt IPsec IKEv2 fails to establish a tunnel



I followed these instructions to configure an IPsec IKEv2 VPN server on OpenWrt (15.05 Chaos Calmer).

Router: Linksys AC1900-WRT

# uname -a
Linux OpenWrt 3.18.23 #1 SMP Sun Jan 31 12:53:24 CET 2016 armv7l GNU/Linux

Client: the Android strongSwan app. I am also testing with a MacBook connected to the same Android device's hotspot.

Configuration

I have the certificates and keys:

root@OpenWrt:/etc# ls -l /etc/ipsec.d/cacerts/
-r--r--r--    1 root     root          4342 Apr 28 18:18 ca-chain.cert.pem
-r--r--r--    1 root     root          2187 Apr 28 18:18 ca.cert.pem
-r--r--r--    1 root     root          2155 Apr 28 18:17 intermediate.cert.pem
root@OpenWrt:/etc# ls -l /etc/ipsec.d/certs/
-rw-r--r--    1 root     root          2346 Apr 28 18:17 ikev2.drew.cert.pem
-rw-r--r--    1 root     root          2561 Apr 28 18:17 ikev2.server.cert.pem
root@OpenWrt:/etc# ls -l /etc/ipsec.d/private/
-r--------    1 root     root          3326 Apr 28 18:20 ca.key.pem
-r--------    1 root     root          3326 Apr 28 18:17 ikev2.drew.key.pem
-r--r-----    1 root     root          3243 Apr 28 18:17 ikev2.server.key.pem
-r--------    1 root     root          3326 Apr 28 18:20 intermediate.key.pem

/etc/ipsec.conf :

config setup

conn %default
        keyexchange=ikev2

conn roadwarrior
        left=%any
        leftauth=pubkey
        leftcert=ikev2.server.cert.pem
        leftid=MY-ROUTER.DDNS
        leftsubnet=0.0.0.0/0,::/0
        right=%any
        rightsourceip=10.0.1.0/24
        rightauth=pubkey
        rightcert=ikev2.drew.cert.pem
        rightauth2=eap-mschapv2
        auto=add

/etc/ipsec.secrets

: RSA ikev2.server.key.pem
drew : EAP "Secret_password"

/etc/strongswan.conf

charon {
    load_modular = yes
    dns1 = 192.168.1.1
    dns2 = 192.168.1.254
    plugins {
            include strongswan.d/charon/*.conf
    }
}

Firewall

/etc/firewall.user :

iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT

/etc/config/firewall :

# IPSEC
config rule
        option src 'wan'
        option name 'IPSec ESP'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'IPSec IKE'
        option proto 'udp'
        option dest_port '500'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'IPSec NAT-T'
        option proto 'udp'
        option dest_port '4500'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option name 'Auth Header'
        option proto 'ah'
        option target 'ACCEPT'

Logs

OpenWrt side log:

# logread && logread -f

Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[NET] received packet: from XXX.XXX.XXX.XXX[33530] to 192.168.0.2[500] (704 bytes)
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 authpriv.info syslog: 08[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] local host is behind NAT, sending keep alives
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] remote host is behind NAT
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] DH group ECP_256 inacceptable, requesting MODP_2048
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[NET] sending packet: from 192.168.0.2[500] to XXX.XXX.XXX.XXX[33530] (38 bytes)
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[NET] received packet: from XXX.XXX.XXX.XXX[33530] to 192.168.0.2[500] (896 bytes)
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 authpriv.info syslog: 09[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] local host is behind NAT, sending keep alives
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] remote host is behind NAT
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] sending cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Sat Apr 28 18:28:51 2018 daemon.info syslog: 09[NET] sending packet: from 192.168.0.2[500] to XXX.XXX.XXX.XXX[33530] (501 bytes)
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[NET] received packet: from XXX.XXX.XXX.XXX[33490] to 192.168.0.2[4500] (2828 bytes)
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received end entity cert "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[CFG] looking for peer configs matching 192.168.0.2[MY-ROUTER.DDNS]...XXX.XXX.XXX.XXX[C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[CFG] no matching peer config found
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[IKE] peer supports MOBIKE
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[NET] sending packet: from 192.168.0.2[4500] to XXX.XXX.XXX.XXX[33490] (76 bytes)

192.168.0.2 - the router's WAN IP (it sits behind the ISP's firewall/router)

XXX.XXX.XXX.XXX - the server's public IP

YYY.YYY.YYY.YYY - the Android client's public IP

Android strongSwan app log:

Apr 28 19:01:16 00[DMN] Starting IKE charon daemon (strongSwan 5.6.1dr3, Android 7.0 - NRD90M.G935FXXU2DRC4/2018-03-01, SM-G935F - samsung/hero2ltexx/samsung, Linux 3.18.14-12365438, aarch64)
Apr 28 19:01:16 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Apr 28 19:01:16 00[JOB] spawning 16 worker threads
Apr 28 19:01:16 08[CFG] loaded user certificate 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM' and private key
Apr 28 19:01:16 08[CFG] loaded CA certificate 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM'
Apr 28 19:01:16 08[IKE] initiating IKE_SA android[12] to XXX.XXX.XXX.XXX
Apr 28 19:01:16 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 28 19:01:16 08[NET] sending packet: from YYY.YYY.YYY.YYY[51707] to XXX.XXX.XXX.XXX[500] (704 bytes)
Apr 28 19:01:16 11[NET] received packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[51707] (38 bytes)
Apr 28 19:01:16 11[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 28 19:01:16 11[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Apr 28 19:01:16 11[IKE] initiating IKE_SA android[12] to XXX.XXX.XXX.XXX
Apr 28 19:01:16 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 28 19:01:16 11[NET] sending packet: from YYY.YYY.YYY.YYY[51707] to XXX.XXX.XXX.XXX[500] (896 bytes)
Apr 28 19:01:16 12[NET] received packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[51707] (501 bytes)
Apr 28 19:01:16 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Apr 28 19:01:16 12[IKE] local host is behind NAT, sending keep alives
Apr 28 19:01:16 12[IKE] remote host is behind NAT
Apr 28 19:01:17 12[IKE] received cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:17 12[IKE] received cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:17 12[IKE] sending cert request for "C=CA, ST=BC, L=Vancouver, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:17 12[IKE] sending cert request for "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:19 12[IKE] authentication of 'C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Apr 28 19:01:19 12[IKE] sending end entity cert "C=CA, ST=BC, O=MY_NAME, OU=MY_ORGANIZATIONAL_UNIT, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM"
Apr 28 19:01:19 12[IKE] establishing CHILD_SA android{6}
Apr 28 19:01:19 12[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ]
Apr 28 19:01:19 12[NET] sending packet: from YYY.YYY.YYY.YYY[55262] to XXX.XXX.XXX.XXX[4500] (2828 bytes)
Apr 28 19:01:19 15[NET] received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[55262] (76 bytes)
Apr 28 19:01:19 15[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 28 19:01:19 15[IKE] received AUTHENTICATION_FAILED notify error

Any idea what I did wrong? Any help is appreciated.
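As an added triage aid (not part of the question, and not strongSwan's own tooling), the following Python script parses charon syslog lines of the shape shown above and summarises, per worker thread, the DH-group rejection, the peer-config lookup and the error notifies that ended each exchange; it also flags the case where the remote identity's CN is the same as the server's own leftid, which is visible in the log above and is worth checking on the client side. The sample lines are constructed from the log in the question; the regexes and result field names are my own.

```python
import re

# Constructed sample lines, modelled on the charon syslog output quoted in the question
SAMPLE_LOG = """\
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[IKE] DH group ECP_256 inacceptable, requesting MODP_2048
Sat Apr 28 18:28:51 2018 daemon.info syslog: 08[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[CFG] looking for peer configs matching 192.168.0.2[MY-ROUTER.DDNS]...XXX.XXX.XXX.XXX[C=CA, ST=BC, O=MY_NAME, CN=MY-ROUTER.DDNS, E=MY@EMAIL.COM]
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[CFG] no matching peer config found
Sat Apr 28 18:28:52 2018 daemon.info syslog: 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \S+ syslog: "
                     r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
DH_RE = re.compile(r"DH group (\S+) inacceptable, requesting (\S+)")
PEER_RE = re.compile(r"looking for peer configs matching ([^\s\[]+)\[([^\]]+)\]"
                     r"\.\.\.([^\s\[]+)\[([^\]]+)\]")
NOTIFY_RE = re.compile(r"generating (IKE_\w+) response \d+ \[ N\((\w+)\) \]")

def parse_line(line):
    """Split one charon syslog line into timestamp, thread id, subsystem and message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def cn_of(identity):
    """CN attribute of a DN-style identity; a plain FQDN identity is returned unchanged."""
    m = re.search(r"(?:^|, )CN=([^,]+)", identity)
    return m.group(1) if m else identity

def triage(log_text):
    """Summarise, per charon worker thread, why an IKEv2 negotiation did not complete."""
    findings = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        f, msg = findings.setdefault(rec["thread"], {}), rec["msg"]
        if m := DH_RE.search(msg):
            f["dh_rejected"] = (m.group(1), m.group(2))  # (client proposed, server wants)
        elif m := PEER_RE.search(msg):
            f["local_id"], f["remote_id"] = m.group(2), m.group(4)
            # A peer whose CN equals our own leftid deserves a second look: the client
            # may be authenticating with the server's certificate instead of its own.
            f["remote_cn_equals_local_id"] = cn_of(m.group(4)) == cn_of(m.group(2))
        elif "no matching peer config found" in msg:
            f["peer_config_found"] = False
        elif m := NOTIFY_RE.search(msg):
            f.setdefault("error_notifies", []).append((m.group(1), m.group(2)))
    return findings
```

Run `triage(open("/tmp/charon.log").read())` on a `logread` capture to get the same per-thread summary for a real session.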


Does the server certificate include MY-ROUTER.DDNS as a subjectAltName extension? If not, add it.
ecdsa

Thanks for the reply. Yes, the server certificate has MY-ROUTER.DDNS as a subjectAltName extension.
Drew

Could you add the output of ipsec statusall?
ecdsa
Licensed under cc by-sa 3.0 with attribution required.