LINUX.ORG.RU

Strongswan 5.0.4 + certificate


Gentlemen, I'm asking for help; I'm tired of poking at this and can't see the cause. Maybe someone has run into it. Description of the system and the problem:

centos x86-64, fully updated
strongswan-5.0.4-4.el6.x86_64
openssl-1.0.0-27.el6_4.2.x86_64
ipsec + ikev2 = mutual authentication with certificates, and as far as I can see it is all in order. The problem is not in iptables either, since I tried locally, where the firewall is fully open. I have already tried client authentication via EAP passwords (it succeeds); it stops at the same place.

Here are the configs and the log: cat ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

conn %default
        left=me_external_static_ip
        leftsubnet=0.0.0.0/0
        leftcert=/etc/strongswan/ipsec.d/certs/server.XXX.by_key.pem
        leftid="C=by, ST=Belarus, O=XXX.by, CN=XXX.by"
        auto=add

conn IPSEC_NAT-T_eap
        right=%any
        rightsubnet=192.168.2.0/24
        rightauth=eap-mschapv2
        eap_identity=%any
        auto=start

conn IPSEC_NAT-T_certs
        right=%any
        rightsourceip=10.0.7.40/27
        auto=start
cat ipsec.secrets
: RSA /etc/strongswan/ipsec.d/private/server.XXX.by_cert.pem "me_pass"
me_user : EAP "me_pass"
(I have blanked out the domain and the static IP) and now the most interesting part: the logs from the moment of restart:
Sep 16 19:55:26 00[DMN] signal of type SIGINT received. Shutting down
Sep 16 19:55:28 00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 2.6.32-358.18.1.el6.x86_64, x86_64)
Sep 16 19:55:28 00[LIB] plugin 'sqlite' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-sqlite.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] openssl FIPS mode(0) - disabled 
Sep 16 19:55:28 00[LIB] plugin 'eap-radius' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-eap-radius.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] plugin 'eap-tnc' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-eap-tnc.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] plugin 'tnc-imc' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnc-imc.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] plugin 'tnc-imv' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnc-imv.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] plugin 'tnc-tnccs' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnc-tnccs.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] plugin 'tnccs-20' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnccs-20.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] plugin 'tnccs-11' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnccs-11.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[LIB] plugin 'tnccs-dynamic' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnccs-dynamic.so: cannot open shared object file: No such file or directory
Sep 16 19:55:28 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Sep 16 19:55:28 00[CFG]   loaded ca certificate "C=by, ST=Belarus, L=Minsk, O=XXX.by, OU=XXX.by, CN=Root CA of XXX.by, E=admin@XXX.by" from '/etc/strongswan/ipsec.d/cacerts/XXX.by_CA_cert.pem'
Sep 16 19:55:28 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Sep 16 19:55:28 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Sep 16 19:55:28 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Sep 16 19:55:28 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Sep 16 19:55:28 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Sep 16 19:55:28 00[CFG]   loaded RSA private key from '/etc/strongswan/ipsec.d/private/server.XXX.by_key.pem'
Sep 16 19:55:28 00[CFG]   loaded EAP secret for user
Sep 16 19:55:28 00[DMN] loaded plugins: charon curl aes des sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap dhcp
Sep 16 19:55:28 00[JOB] spawning 16 worker threads
Sep 16 19:55:28 09[CFG] received stroke: add connection 'IPSEC_NAT-T_eap'
Sep 16 19:55:28 09[CFG]   loaded certificate "C=by, ST=Belarus, O=XXX.by, CN=XXX.by" from '/etc/strongswan/ipsec.d/certs/server.XXX.by_cert.pem'
Sep 16 19:55:28 09[CFG] added configuration 'IPSEC_NAT-T_eap'
Sep 16 19:55:28 12[CFG] received stroke: initiate 'IPSEC_NAT-T_eap'
Sep 16 19:55:28 12[IKE] unable to initiate to %any
Sep 16 19:55:28 12[MGR] tried to check-in and delete nonexisting IKE_SA
Sep 16 19:55:28 11[CFG] received stroke: add connection 'IPSEC_NAT-T_certs'
Sep 16 19:55:28 11[CFG] adding virtual IP address pool 10.0.7.40/27
Sep 16 19:55:28 11[CFG]   loaded certificate "C=by, ST=Belarus, O=XXX.by, CN=XXX.by" from '/etc/strongswan/ipsec.d/certs/server.XXX.by_cert.pem'
Sep 16 19:55:28 11[CFG] added configuration 'IPSEC_NAT-T_certs'
Sep 16 19:55:28 15[CFG] received stroke: initiate 'IPSEC_NAT-T_certs'
Sep 16 19:55:28 15[IKE] unable to initiate to %any
Sep 16 19:55:28 15[MGR] tried to check-in and delete nonexisting IKE_SA
and the connection attempt itself, separated out for convenience:
Sep 16 19:58:31 09[NET] received packet: from 93.125.67.53[500] to me_external_static_ip[500] (616 bytes)
Sep 16 19:58:31 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Sep 16 19:58:31 09[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
Sep 16 19:58:31 09[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Sep 16 19:58:31 09[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Sep 16 19:58:31 09[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Sep 16 19:58:31 09[IKE] 93.125.67.53 is initiating an IKE_SA
Sep 16 19:58:31 09[IKE] remote host is behind NAT
Sep 16 19:58:31 09[IKE] sending cert request for "C=by, ST=Belarus, L=Minsk, O=XXX.by, OU=XXX.by, CN=Root CA of XXX.by, E=admin@XXX.by"
Sep 16 19:58:31 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Sep 16 19:58:31 09[NET] sending packet: from me_external_static_ip[500] to 93.125.67.53[500] (333 bytes)
Sep 16 19:58:32 14[NET] received packet: from 93.125.67.53[4500] to me_external_static_ip[4500] (2268 bytes)
Sep 16 19:58:32 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV) SA TSi TSr ]
Sep 16 19:58:32 14[IKE] received cert request for "C=by, ST=Belarus, L=Minsk, O=XXX.by, OU=XXX.by, CN=Root CA of XXX.by, E=admin@XXX.by"
Sep 16 19:58:32 14[IKE] received 33 cert requests for an unknown ca
Sep 16 19:58:32 14[IKE] received end entity cert "C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by"
Sep 16 19:58:32 14[CFG] looking for peer configs matching me_external_static_ip[%any]...93.125.67.53[C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by]
Sep 16 19:58:32 14[CFG] selected peer config 'IPSEC_NAT-T_eap'
Sep 16 19:58:32 14[CFG]   using certificate "C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by"
Sep 16 19:58:32 14[CFG]   using trusted ca certificate "C=by, ST=Belarus, L=Minsk, O=XXX.by, OU=XXX.by, CN=Root CA of XXX.by, E=admin@XXX.by"
Sep 16 19:58:32 14[CFG] checking certificate status of "C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by"
Sep 16 19:58:32 14[CFG] certificate status is not available
Sep 16 19:58:32 14[CFG]   reached self-signed root ca with a path length of 0
Sep 16 19:58:32 14[IKE] authentication of 'C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by' with RSA signature successful
Sep 16 19:58:32 14[CFG] constraint check failed: EAP identity '%any' required 
Sep 16 19:58:32 14[CFG] selected peer config 'IPSEC_NAT-T_eap' inacceptable: non-matching authentication done
Sep 16 19:58:32 14[CFG] switching to peer config 'IPSEC_NAT-T_certs'
Sep 16 19:58:32 14[IKE] peer supports MOBIKE
Sep 16 19:58:32 14[IKE] authentication of 'C=by, ST=Belarus, O=XXX.by, CN=XXX.by' (myself) with RSA signature successful
Sep 16 19:58:32 14[IKE] IKE_SA IPSEC_NAT-T_certs[3] established between me_external_static_ip[C=by, ST=Belarus, O=XXX.by, CN=XXX.by]...93.125.67.53[C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by]
Sep 16 19:58:32 14[IKE] scheduling reauthentication in 10205s
Sep 16 19:58:32 14[IKE] maximum IKE_SA lifetime 10745s
Sep 16 19:58:32 14[IKE] sending end entity cert "C=by, ST=Belarus, O=XXX.by, CN=XXX.by"
Sep 16 19:58:32 14[IKE] peer requested virtual IP %any
Sep 16 19:58:32 14[CFG] assigning new lease to 'C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by'
Sep 16 19:58:32 14[IKE] assigning virtual IP 10.0.7.41 to peer 'C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by'
Sep 16 19:58:32 14[IKE] CHILD_SA IPSEC_NAT-T_certs{1} established with SPIs cbfb8f34_i 16ca58d8_o and TS 0.0.0.0/0 === 10.0.7.41/32 
Sep 16 19:58:32 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS NBNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Sep 16 19:58:32 14[NET] sending packet: from me_external_static_ip[4500] to 93.125.67.53[4500] (1540 bytes)
That's all; it simply goes no further than this. Asking the community for help ) help me solve it ))
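An added triage script (not from the thread and not part of strongSwan) that reduces charon log lines like the ones above to the IKE stage the peer reached and the facts negotiated on the way: which conn was tried and rejected, which one was finally selected, the virtual IP handed out and the traffic selectors of the CHILD_SA. The sample lines are constructed from the log above, with the poster's me_external_static_ip placeholder kept as written.

```python
import re
# Constructed sample of charon log lines, copied from the thread above; the
# poster's me_external_static_ip placeholder is kept as written.
SAMPLE_LOG = """\
Sep 16 19:58:31 09[IKE] 93.125.67.53 is initiating an IKE_SA
Sep 16 19:58:31 09[IKE] remote host is behind NAT
Sep 16 19:58:32 14[IKE] authentication of 'C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by' with RSA signature successful
Sep 16 19:58:32 14[CFG] selected peer config 'IPSEC_NAT-T_eap' inacceptable: non-matching authentication done
Sep 16 19:58:32 14[CFG] switching to peer config 'IPSEC_NAT-T_certs'
Sep 16 19:58:32 14[IKE] IKE_SA IPSEC_NAT-T_certs[3] established between me_external_static_ip[C=by, ST=Belarus, O=XXX.by, CN=XXX.by]...93.125.67.53[C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by]
Sep 16 19:58:32 14[IKE] assigning virtual IP 10.0.7.41 to peer 'C=by, ST=Belarus, O=XXX.by, OU=XXX.by, CN=bender.XXX.by'
Sep 16 19:58:32 14[IKE] CHILD_SA IPSEC_NAT-T_certs{1} established with SPIs cbfb8f34_i 16ca58d8_o and TS 0.0.0.0/0 === 10.0.7.41/32
"""
# Ordered IKE milestones; the summary keeps the furthest one seen.
STAGES = ["none", "init", "peer_auth", "ike_sa", "child_sa"]

# One regex per event of interest; named groups become summary keys. The server's
# own "(myself)" auth line is skipped on purpose: the quote must be followed by " with".
PATTERNS = {
    "init": re.compile(r"\[IKE\] (?P<peer>\S+) is initiating an IKE_SA$"),
    "nat": re.compile(r"\[IKE\] remote host is behind NAT$"),
    "peer_auth": re.compile(r"\[IKE\] authentication of '(?P<peer_id>[^']+)' with (?P<method>.+?) successful$"),
    "rejected": re.compile(r"\[CFG\] selected peer config '(?P<conn>[^']+)' inacceptable: (?P<reason>.+)$"),
    "ike_sa": re.compile(r"\[IKE\] IKE_SA (?P<conn>\S+)\[\d+\] established between "
                         r"(?P<local>\S+)\[(?P<local_id>[^\]]+)\]\.\.\.(?P<remote>\S+)\[(?P<remote_id>[^\]]+)\]$"),
    "vip": re.compile(r"\[IKE\] assigning virtual IP (?P<vip>\S+) to peer"),
    "child_sa": re.compile(r"\[IKE\] CHILD_SA (?P<child>\S+) established with SPIs (?P<spi_in>\w+)_i "
                           r"(?P<spi_out>\w+)_o and TS (?P<ts_local>\S+) === (?P<ts_remote>\S+)"),
}

def summarize(log_text):
    """Reduce a charon log to the IKE stage reached plus the key negotiated facts."""
    s = {"stage": "none", "behind_nat": False, "rejected": []}
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m is None:
                continue
            if name == "nat":
                s["behind_nat"] = True
            elif name == "rejected":  # configs tried and dropped before the final one
                s["rejected"].append((m["conn"], m["reason"]))
            else:
                s.update(m.groupdict())
            if name in STAGES and STAGES.index(name) > STAGES.index(s["stage"]):
                s["stage"] = name
    return s

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On these lines it reports stage child_sa: the IKE exchange completed and the SA was installed, so whatever stops afterwards is not in the IKE negotiation itself.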




Damn, has really nobody run into this? At least suggest where to turn :)

vaga (topic starter)