LINUX.ORG.RU
Forum: Admin

StrongSwan -> mikrotik does not authorize by certificate, AUTH_FAILED

Hello, dear all! I have the following zoo:

  1. Server with the application in the cloud (OpenStack)
  2. Clients on MikroTik MIPS 74Kc V4.12
  3. Clients on Windows 10
  4. One client on a MikroTik ARMv7

The server runs StrongSwan, IKEv2, LE certificates, PSK authorization.

The problem is that after the certificate auto-renewal the ARMv7 router reports a server authorization error, although all the other routers and clients connect fine after the auto-renewal.

Part of the log on the ARMv7 client:

ipsec,error unable to get local issuer certificate(20) at depth:2 cert:CN=ISRG Root X1,C=US,ST=,L=,O=Internet Security Research Group,OU=,SN= 
13:09:04 ipsec,error can't verify peer's certificate from store 
13:09:04 ipsec,info,account peer failed to authorize: xx.xx.xx.xx[4500]-xx.xx.xx.xx[4500] spi:c8080fa0e52e0f5f:a040b27c85e6f90c 
13:09:04 ipsec send notify: AUTHENTICATION_FAILED 
13:09:04 ipsec adding notify: AUTHENTICATION_FAILED 
13:09:04 ipsec,debug => (size 0x8) 
13:09:04 ipsec,debug 00000008 00000018 
13:09:04 ipsec <- ike2 request, exchange: INFORMATIONAL:2 xx.xx.xx.xx[4500] c8080fa0e52e0f5f:a040b27c85e6f90c 
13:09:04 ipsec,debug,packet => outgoing plain packet (size 0x24) 
13:09:04 ipsec,debug,packet c8080fa0 e52e0f5f a040b27c 85e6f90c 29202508 00000002 00000024 00000008 
13:09:04 ipsec,debug,packet 00000018 
13:09:04 ipsec adding payload: ENC 

Log on the server:

calhost charon: 07[CFG]   esp=aes256gcm16-aes256gcm12-aes256gcm8-aes192gcm16-aes192gcm12-aes128gcm16-aes128gcm12-sha512-sha256-ecp256,chacha20poly1305
Sep 18 11:48:40 localhost charon: 07[CFG]   dpddelay=30
Sep 18 11:48:40 localhost charon: 07[CFG]   dpdtimeout=40
Sep 18 11:48:40 localhost charon: 07[CFG]   dpdaction=3
Sep 18 11:48:40 localhost charon: 07[CFG]   sha256_96=no
Sep 18 11:48:40 localhost charon: 07[CFG]   mediation=no
Sep 18 11:48:40 localhost charon: 07[CFG]   keyexchange=ikev2
Sep 18 11:48:40 localhost charon: 07[CFG] reusing virtual IP address pool 192.168.1.0/24
Sep 18 11:48:40 localhost charon: 07[CFG]   loaded certificate "CN=AUTH_problem.example.com" from 'fullchain.pem'
Sep 18 11:48:40 localhost charon: 07[CFG] added configuration 'IPSec-IKEv2-EAP'
Sep 18 11:48:56 localhost charon: 09[NET] received packet: from xx.xx.xx.xx[4500] to 192.168.1.1[4500] (340 bytes)
Sep 18 11:48:56 localhost charon: 09[ENC] parsed IKE_SA_INIT request 0 [ N(FRAG_SUP) N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Sep 18 11:48:56 localhost charon: 09[CFG] looking for an IKEv2 config for 192.168.1.1...xx.xx.xx.xx
Sep 18 11:48:56 localhost charon: 09[CFG] ike config match: 28 (%any...%any IKEv2)
Sep 18 11:48:56 localhost charon: 09[CFG]   candidate: %any...%any, prio 28
Sep 18 11:48:56 localhost charon: 09[CFG] ike config match: 28 (%any...%any IKEv2)
Sep 18 11:48:56 localhost charon: 09[CFG]   candidate: %any...%any, prio 28
Sep 18 11:48:56 localhost charon: 09[CFG] found matching ike config: %any...%any with prio 28
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   leftid=@AUTH_problem.example.com
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   leftcert=fullchain.pem
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   leftupdown=ipsec _updown iptables
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   right=%any
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   rightsourceip=192.168.1.0/24
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   rightauth=eap-mschapv2
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   eap_identity=%identity
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   ike=aes256-aes192-sha512-ecp256,aes256-aes192-sha256-ecp256,aes256-aes192-sha384-ecp256
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   esp=aes256gcm16-aes256gcm12-aes256gcm8-aes192gcm16-aes192gcm12-aes128gcm16-aes128gcm12-sha512-sha256-ecp256,chacha20poly1305
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   dpddelay=30
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   dpdtimeout=40
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   dpdaction=3
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   sha256_96=no
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   mediation=no
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   keyexchange=ikev2
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG] reusing virtual IP address pool 192.168.1.0/24
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG]   loaded certificate "CN=AUTH_problem.example.com" from 'fullchain.pem'
Sep 18 11:48:56 localhost ipsec[8618]: 07[CFG] added configuration 'IPSec-IKEv2-EAP'
Sep 18 11:48:56 localhost ipsec[8618]: 09[NET] received packet: from xx.xx.xx.xx[4500] to 192.168.1.1[4500] (340 bytes)
Sep 18 11:48:56 localhost ipsec[8618]: 09[ENC] parsed IKE_SA_INIT request 0 [ N(FRAG_SUP) N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Sep 18 11:48:56 localhost ipsec[8618]: 09[CFG] looking for an IKEv2 config for 192.168.1.1...xx.xx.xx.xx
Sep 18 11:48:56 localhost ipsec[8618]: 09[CFG] ike config match: 28 (%any...%any IKEv2)
Sep 18 11:48:56 localhost ipsec[8618]: 09[CFG]   candidate: %any...%any, prio 28
Sep 18 11:48:56 localhost ipsec[8618]: 09[CFG] ike config match: 28 (%any...%any IKEv2)
Sep 18 11:48:56 localhost ipsec[8618]: 09[CFG]   candidate: %any...%any, prio 28
Sep 18 11:48:56 localhost ipsec[8618]: 09[CFG] found matching ike config: %any...%any with prio 28
Sep 18 11:48:56 localhost ipsec[8618]: 09[IKE] xx.xx.xx.xx is initiating an IKE_SA
Sep 18 11:48:56 localhost ipsec[8618]: 09[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Sep 18 11:48:56 localhost ipsec[8618]: 09[CFG] selecting proposal:
Sep 18 11:48:56 localhost ipsec[8618]: 09[CFG]   no acceptable INTEGRITY_ALGORITHM found
Sep 18 11:48:56 localhost ipsec[8618]: 09[CFG] selecting proposal:
Sep 18 11:48:56 localhost ipsec[8618]: 09[CFG]   proposal matches
Sep 18 11:48:56 localhost ipsec[8618]: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521/ECP_384/ECP_256/(4)/(3)
....
Sep 18 11:48:57 localhost charon: 11[IKE] authentication of 'AUTH_problem.example.com' (myself) with RSA signature successful
Sep 18 11:48:57 localhost charon: 11[IKE] sending end entity cert "CN=AUTH_problem.example.com"
Sep 18 11:48:57 localhost charon: 11[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
Sep 18 11:48:57 localhost charon: 11[IKE] sending issuer cert "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Sep 18 11:48:57 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/ID ]
Sep 18 11:48:57 localhost charon: 11[ENC] splitting IKE message (4400 bytes) into 4 fragments
Sep 18 11:48:57 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ EF(1/4) ]
Sep 18 11:48:57 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ EF(2/4) ]
Sep 18 11:48:57 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ EF(3/4) ]
Sep 18 11:48:57 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ EF(4/4) ]
Sep 18 11:48:57 localhost charon: 11[NET] sending packet: from 192.168.1.1[4500] to xx.xx.xx.xx[4500] (1236 bytes)
Sep 18 11:48:57 localhost charon: 11[NET] sending packet: from 192.168.1.1[4500] to xx.xx.xx.xx[4500] (1236 bytes)
Sep 18 11:48:57 localhost charon: 11[NET] sending packet: from 192.168.1.1[4500] to xx.xx.xx.xx[4500] (1236 bytes)
Sep 18 11:48:57 localhost charon: 11[NET] sending packet: from 192.168.1.1[4500] to xx.xx.xx.xx[4500] (900 bytes)
Sep 18 11:48:57 localhost charon: 12[NET] received packet: from xx.xx.xx.xx[4500] to 192.168.1.1[4500] (272 bytes)
Sep 18 11:48:57 localhost charon: 12[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Sep 18 11:48:57 localhost ipsec[8618]: 11[CFG] peer config "IPSec-IKEv2-EAP", ike match: 28 (%any...%any IKEv2)
Sep 18 11:48:57 localhost ipsec[8618]: 11[CFG]   local id match: 1 (ID_ANY: )
Sep 18 11:48:57 localhost ipsec[8618]: 11[CFG]   remote id match: 1 (ID_KEY_ID: 66:61:63:74:6f:72:79)
Sep 18 11:48:57 localhost ipsec[8618]: 11[CFG]   candidate "IPSec-IKEv2-EAP", match: 1/1/28 (me/other/ike)
Sep 18 11:48:57 localhost ipsec[8618]: 11[CFG] selected peer config 'IPSec-IKEv2'
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE] peer requested EAP, config unacceptable
Sep 18 11:48:57 localhost ipsec[8618]: 11[CFG] switching to peer config 'IPSec-IKEv2-EAP'
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE] initiating EAP_IDENTITY method (id 0x00)
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE] processing INTERNAL_IP4_ADDRESS attribute
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE] processing INTERNAL_IP4_NETMASK attribute
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE] processing INTERNAL_IP4_SUBNET attribute
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE] processing INTERNAL_IP4_DNS attribute
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE] processing (25) attribute
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE] IDx' => 17 bytes @ 0x7f28501a9940
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]    0: 02 00 00 00 64 6F 63 6B 79 61 72 64 2E 68 6F 73  ....AUTH_problem.example.com
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]   16: 74                                               t
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE] SK_p => 32 bytes @ 0x7f28280030c0
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]    0: F1 C7 64 B1 A5 42 BC 66 AA 95 F9 C4 E1 F5 59 D3  ..d..B.f......Y.
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]   16: 04 9C 55 EB 46 28 07 5B CE 86 C4 B9 78 46 12 6E  ..U.F(.[....xF.n
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE] octets = message + nonce + prf(Sk_px, IDx') => 377 bytes @ 0x7f282c0073f0
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]    0: CF 82 A5 19 E3 C1 94 6A CA A6 7C CC B4 0D B7 05  .......j..|.....
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]   16: 21 20 22 20 00 00 00 00 00 00 01 41 22 00 00 30  ! " .......A"..0
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]   32: 00 00 00 2C 01 01 00 04 03 00 00 0C 01 00 00 0C  ...,............
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]   48: 80 0E 01 00 03 00 00 08 03 00 00 0C 03 00 00 08  ................
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]   64: 02 00 00 05 00 00 00 08 04 00 00 13 28 00 00 48  ............(..H
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]   80: 00 13 00 00 D2 40 BA 6B 84 E4 D0 A2 A7 69 A1 C4  .....@.k.....i..
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]   96: 40 51 DB 1B 40 61 C3 95 45 CF 55 B5 36 B5 DC D4  @Q..@a..E.U.6...
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  112: F5 29 5E 25 81 47 F7 3A C2 A5 10 63 91 4A 58 AF  .)^%.G.:...c.JX.
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  128: 08 AA 5A 82 D6 4A 6A EA 75 DF A7 C7 D0 55 59 E8  ..Z..Jj.u....UY.
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  144: 56 E9 0B C2 29 00 00 24 94 91 CC 0C D3 FE 50 7F  V...)..$......P.
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  160: 03 79 66 F1 D5 BB A2 A5 7D 7E 82 36 F9 58 42 4C  .yf.....}~.6.XBL
Sep 18 11:48:57 localhost charon: 12[ENC] generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  176: B3 AF AC B8 7D 12 45 82 29 00 00 1C 00 00 40 04  ....}.E.).....@.
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  192: 10 A7 5F BE E4 E1 99 F3 AB DC C6 DA D3 0D 03 5A  .._............Z
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  208: AB 9B 0A 2C 26 00 00 1C 00 00 40 05 A6 03 FA 99  ...,&.....@.....
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  224: 3D 68 52 62 1C 2E 49 21 70 D6 15 EB B6 41 85 BB  =hRb..I!p....A..
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  240: 29 00 00 41 04 8A 93 82 F4 C8 04 08 34 5E 5B C2  )..A........4^[.
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  256: F8 D7 55 D3 C2 E7 62 48 CF F8 16 51 3C FD 1B 44  ..U...bH...Q<..D
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  272: 9F 2E 6B 28 A1 97 22 1F B8 1F 51 4E 3C 8A 93 82  ..k(.."...QN<...
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  288: F4 C8 04 08 34 5E 5B C2 F8 D7 55 D3 C2 E7 62 48  ....4^[...U...bH
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  304: CF 29 00 00 08 00 00 40 2E 00 00 00 08 00 00 40  .).....@.......@
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  320: 14 46 1D 6F 1C 2E 54 24 96 D9 BF FD 46 82 FD 64  .F.o..T$....F..d
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  336: E1 97 01 1D 74 A7 5B A6 C9 2E D4 12 7F AB 7C 80  ....t.[.......|.
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  352: 2B 5A C5 F8 B4 44 36 9F 63 3B D1 10 3B D9 23 6C  +Z...D6.c;..;.#l
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE]  368: AA 1F 70 62 3A FA 1F 09 7E                       ..pb:...~
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE] authentication of 'AUTH_problem.example.com' (myself) with RSA signature successful
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE] sending end entity cert "CN=AUTH_problem.example.com"
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
Sep 18 11:48:57 localhost ipsec[8618]: 11[IKE] sending issuer cert "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Sep 18 11:48:57 localhost ipsec[8618]: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/ID ]
Sep 18 11:48:57 localhost ipsec[8618]: 11[ENC] splitting IKE message (4400 bytes) into 4 fragments
Sep 18 11:48:57 localhost ipsec[8618]: 11[ENC] generating IKE_AUTH response 1 [ EF(1/4) ]
Sep 18 11:48:57 localhost ipsec[8618]: 11[ENC] generating IKE_AUTH response 1 [ EF(2/4) ]
Sep 18 11:48:57 localhost ipsec[8618]: 11[ENC] generating IKE_AUTH response 1 [ EF(3/4) ]
Sep 18 11:48:57 localhost ipsec[8618]: 11[ENC] generating IKE_AUTH response 1 [ EF(4/4) ]
Sep 18 11:48:57 localhost ipsec[8618]: 11[NET] sending packet: from 192.168.1.1[4500] to xx.xx.xx.xx[4500] (1236 bytes)
Sep 18 11:48:57 localhost ipsec[8618]: 11[NET] sending packet: from 192.168.1.1[4500] to xx.xx.xx.xx[4500] (1236 bytes)
Sep 18 11:48:57 localhost ipsec[8618]: 11[NET] sending packet: from 192.168.1.1[4500] to xx.xx.xx.xx[4500] (1236 bytes)
Sep 18 11:48:57 localhost ipsec[8618]: 11[NET] sending packet: from 192.168.1.1[4500] to xx.xx.xx.xx[4500] (900 bytes)
Sep 18 11:48:57 localhost charon: 12[NET] sending packet: from 192.168.1.1[4500] to xx.xx.xx.xx[4500] (80 bytes)
Sep 18 11:48:57 localhost ipsec[8618]: 12[NET] received packet: from xx.xx.xx.xx[4500] to 192.168.1.1[4500] (272 bytes)
Sep 18 11:48:57 localhost charon: 12[IKE] IKE_SA IPSec-IKEv2-EAP[2] state change: CONNECTING => DESTROYING
Sep 18 11:48:58 localhost charon: 13[NET] received packet: from xx.xx.xx.xx[4500] to 192.168.1.1[4500] (340 bytes)
Sep 18 11:48:58 localhost charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(FRAG_SUP) N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Sep 18 11:48:58 localhost ipsec[8618]: 12[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Sep 18 11:48:58 localhost ipsec[8618]: 12[ENC] generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
Sep 18 11:48:58 localhost ipsec[8618]: 12[NET] sending packet: from 192.168.1.1[4500] to xx.xx.xx.xx[4500] (80 bytes)
Sep 18 11:48:58 localhost ipsec[8618]: 12[IKE] IKE_SA IPSec-IKEv2-EAP[2] state change: CONNECTING => DESTROYING

The settings on all the MikroTiks are identical, but only 1 does not connect; all the other clients connect and work.

Please help me figure out the problem.



Last edited: jun33 (total edits: 2)

Probably the root in the certificate chain changed, and your old MikroTik doesn't have it in its CA certs store. Most likely this is related to DST Root CA X3 expiring on September 30.

BOOBLIK ★★★
Reply to: comment by BOOBLIK

No, I downloaded all the certificates from the site and installed them afresh on all the devices (except the Windows ones). This behaviour happens on every renewal.

jun33 (topic author)

Add the intermediate certificates to trusted, or disable certificate verification.

zgen ★★★★★
Reply to: comment by jun33

> No, I downloaded all the certificates from the site and installed them afresh on all the devices

You're lying. The log says you didn't do that.

zgen ★★★★★
Reply to: comment by zgen

I'm telling you for sure! I downloaded them myself and put them on the MikroTiks, don't kid me. Thanks for the tip about adding the chain to trusted (I thought LE had long been trusted everywhere).

jun33 (topic author)
Reply to: comment by jun33

Don't tell me, yell at the MikroTik; it's the one writing in the logs that you didn't do that.

There are no certificates at all in trusted on the MikroTik.

zgen ★★★★★
Last edited: zgen (total edits: 1)

If you look carefully at the logs, you'll see that kind strongswan loads only the first certificate from the fullchain.pem chain, so that life isn't too easy for you. Split it into parts.

Bloody ★★
Last edited: Bloody (total edits: 1)
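As an added example (not part of the thread, and not strongSwan's or MikroTik's own code), here is a POSIX shell script that does what zgen's and Bloody's replies ask for on the server side: it splits a Let's Encrypt fullchain.pem into one PEM file per certificate (leaf first, then issuers), so the leaf alone can be given to strongSwan as leftcert and the issuer parts can be placed in the trust store, and it prints subject/issuer of each part when openssl is available, which is how you tell the intermediate from the self-signed root that the ARMv7 MikroTik was missing ("unable to get local issuer certificate(20) at depth:2"). The sample chain it builds for itself is a constructed placeholder with label text instead of DER, only there to exercise the splitter offline; the file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: split fullchain.pem into one PEM file per
# certificate and show what each part is. Assumes POSIX sh + awk; openssl is
# optional and only used for the subject/issuer summary.

set -eu

# split_chain CHAIN_FILE OUTDIR
# Writes OUTDIR/cert-1.pem, cert-2.pem, ... in the order they appear in the
# chain (Let's Encrypt puts the leaf first) and prints the number of
# certificates found. Lines outside BEGIN/END markers are dropped.
split_chain() {
    chain=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$chain"
}

# describe_parts OUTDIR
# For each split part print subject and issuer (needs openssl). A part whose
# subject equals its issuer is the self-signed root; that is the certificate
# the client's trust store must hold for a depth-2 chain to verify.
describe_parts() {
    outdir=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping summary"; return 0; }
    for f in "$outdir"/cert-*.pem; do
        printf '%s\n' "$f"
        openssl x509 -in "$f" -noout -subject -issuer | sed 's/^/    /'
    done
}

# make_sample_chain FILE
# Constructed placeholder chain: three PEM-shaped blocks whose bodies are
# labels rather than real DER, enough to exercise the splitter offline.
make_sample_chain() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER
-----END CERTIFICATE-----
EOF
}

# Usage (paths are assumptions):
#   sh split_chain.sh /etc/letsencrypt/live/<domain>/fullchain.pem /tmp/parts
if [ "${1:-}" != "" ]; then
    parts=${2:-./parts}
    n=$(split_chain "$1" "$parts")
    echo "split into $n certificates under $parts"
    describe_parts "$parts"
fi
```

With the parts in hand, cert-1.pem is the leaf for leftcert on the strongSwan side, and the remaining parts are the intermediate and root that the client has to trust; on the MikroTik they are imported under /certificate, and the ARMv7 router's error at depth 2 goes away only once the root part is present there too.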