我正在嘗試在我的企業中部署新的 VPN 配置。
我已在文件模式下成功在我的電腦和 vpn ipsec 伺服器之間建立了連接。
我在 yubikey 中上傳了 p12 文件,其中包含我的私鑰、伺服器的 pub 金鑰和 CA。
$ pkcs11-tool --test --loginUsing slot 0 with a present token (0x0)Logging in to "uid=r.beal,dc=ldap-...".Please enter User PIN: C_SeedRandom() and C_GenerateRandom(): seeding (C_SeedRandom) not supported seems to be OKDigests: all 4 digest functions seem to work MD5: OK SHA-1: OK RIPEMD160: OKSignatures (currently only for RSA) testing key 0 (PIV AUTH key) all 4 signature functions seem to work testing signature mechanisms: RSA-X-509: OK RSA-PKCS: OK SHA1-RSA-PKCS: OK MD5-RSA-PKCS: OK RIPEMD160-RSA-PKCS: OK SHA256-RSA-PKCS: OKVerify (currently only for RSA) testing key 0 (PIV AUTH key) RSA-X-509: OK RSA-PKCS: OK SHA1-RSA-PKCS: OK MD5-RSA-PKCS: OK RIPEMD160-RSA-PKCS: OKDecryption (currently only for RSA) testing key 0 (PIV AUTH key) RSA-X-509: OK RSA-PKCS: OKNo errors
我在 swanctl.conf 檔案中新增了此部分:
secrets { tokenyubikey { pin = 123456 slot = 0 handle = 1 # From what i understood, it's here that my crt is module = yubi-module }}
/etc/strongswan.d/charon/pkcs11.conf 檔案中的此部分:
yubi-module { #path = /usr/lib/libykcs11.so path = /usr/lib/pkcs11/opensc-pkcs11.so}
當我使用 yubikey pkcs11 模組時:
00[CFG] PKCS11 module '<name>' lacks library path00[CFG] loaded PKCS#11 v2.40 library 'yubi-module' (/usr/lib/libykcs11.so)00[CFG] Yubico (www.yubico.com): PKCS#11 PIV Library (SP-800-73) v2.2100[CFG] found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)00[CFG] YubiKey PIV #16616360 (Yubico (www.yubico.com): YubiKey YK5)00[CFG] loaded untrusted cert 'X.509 Certificate for PIV Authentication'00[CFG] loaded untrusted cert 'X.509 Certificate for PIV Attestation'
當使用模組是 opensc 時:
00[CFG] PKCS11 module '<name>' lacks library path00[CFG] loaded PKCS#11 v2.20 library 'yubi-module' (/usr/lib/pkcs11/opensc-pkcs11.so)00[CFG] OpenSC Project: OpenSC smartcard framework v0.2200[CFG] found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)00[CFG] uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)00[CFG] loaded untrusted cert 'Certificate for PIV Authentication'
我應該使用哪個模組?
當我運行 ipsec 守護程式時
# ipsec restart --noforkStarting strongSwan 5.9.3 IPsec [starter]...00[DMN] Starting IKE charon daemon (strongSwan 5.9.3, Linux 5.14.15-arch1-1, x86_64)00[CFG] PKCS11 module '<name>' lacks library path00[CFG] loaded PKCS#11 v2.20 library 'yubi-module' (/usr/lib/pkcs11/opensc-pkcs11.so)00[CFG] OpenSC Project: OpenSC smartcard framework v0.2200[CFG] found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)00[CFG] uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)00[CFG] loaded untrusted cert 'Certificate for PIV Authentication'00[CFG] attr-sql plugin: database URI not set00[NET] using forecast interface wlan000[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.25000[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'00[CFG] loaded ca certificate "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, [emailprotected]" from '/etc/ipsec.d/cacerts/ca.pem'00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'00[CFG] loading crls from '/etc/ipsec.d/crls'00[CFG] loading secrets from '/etc/ipsec.secrets'00[CFG] sql plugin: database URI not set00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory00[CFG] loaded 0 RADIUS server configurations00[CFG] HA config misses local/remote address00[CFG] no script for ext-auth script defined, disabled00[LIB] loaded plugins: charon ldap pkcs11 aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ntru drbg newhope bliss curl mysql sqlite attr kernel-netlink resolve socket-default bypass-lan connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity counters00[LIB] dropped capabilities, running as uid 0, gid 000[JOB] spawning 16 worker threads06[IKE] installed bypass policy for 172.17.0.0/1606[IKE] installed bypass policy for 192.168.1.0/2406[IKE] installed bypass policy for ::1/12806[IKE] installed bypass policy for fe80::/6402[CFG] found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)02[CFG] uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)02[CFG] loaded untrusted cert 'Certificate for PIV Authentication'charon (10359) started after 120 ms11[CFG] received stroke: add connection 'test'11[CFG] loaded certificate "C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, [emailprotected]" from '/etc/swanctl/x509/r.beal.pem'11[CFG] id 'UID=r.beal, DC=ldap, DC=company, DC=fr' not confirmed by certificate, defaulting to 'C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, [emailprotected]'11[CFG] added configuration 'test'
智慧卡已存在!
現在我嘗試連線到 VPN (/etc/ipsec.conf):
conn test right=1.2.3.4 <= the public ip of my vpn server rightid=remote_id_of_the_server leftcert=/etc/swanctl/x509/r.beal.pem leftid=my_mail left=%defaultroute #leftcert=%smartcard auto=add
我將 CA 放在 /etc/ipsec.d/cacerts/ 中
ipsec 日誌:
01[CFG] received stroke: initiate 'test'09[IKE] initiating IKE_SA test[1] to 1.2.3.409[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]09[NET] sending packet: from 192.168.1.199[500] to 1.2.3.4[500] (1000 bytes)10[NET] received packet: from 1.2.3.4[500] to 192.168.1.199[500] (38 bytes)10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]10[IKE] peer didn't accept DH group ECP_256, it requested MODP_204810[IKE] initiating IKE_SA test[1] to 1.2.3.410[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]10[NET] sending packet: from 192.168.1.199[500] to 1.2.3.4[500] (1192 bytes)06[NET] received packet: from 1.2.3.4[500] to 192.168.1.199[500] (481 bytes)06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(CHDLESS_SUP) ]06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_204806[IKE] local host is behind NAT, sending keep alives06[IKE] remote host is behind NAT06[IKE] received cert request for "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, [emailprotected]"06[IKE] sending cert request for "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, [emailprotected]"06[IKE] no private key found for 'C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, [emailprotected]'
有一個連接的開始!我該怎麼做才能讓 ipsec 使用我的智慧卡內的私鑰?
我看到了這個帖子:嘗試使用 swanctl 透過智慧卡中的憑證進行驗證時出現“NO_PROPOSAL_CHOSEN”我也有同樣的問題嗎?我嘗試複製 x509 目錄中的所有證書,但出現相同的錯誤“未找到私鑰”。
編輯===
現在,當我呼叫“swanctl --load-creds”時,ipsec 會找到私鑰並使用它!
但我現在遇到網路問題了。
16[IKE] authentication of 'compagny.com' with RSA_EMSA_PKCS1_SHA2_256 successful16[IKE] IKE_SA test[1] established between 192.168.1.199[[emailprotected]]...1.2.3.4[compagny.com]16[IKE] scheduling reauthentication in 10059s16[IKE] maximum IKE_SA lifetime 10599s16[CFG] handling UNITY_SPLITDNS_NAME attribute failed16[CFG] handling INTERNAL_IP4_NETMASK attribute failed16[IKE] installing DNS server 172.22.0.17 to /etc/resolv.conf16[IKE] installing new virtual IP 10.66.0.516[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built16[IKE] failed to establish CHILD_SA, keeping IKE_SA16[IKE] received AUTH_LIFETIME of 20278s, reauthentication already scheduled in 10059s
我添加到我的conf文件中:
leftsourceip=%config
我的 VPN 伺服器配置為不路由客戶端的互聯網流量。所以我現在認為是網路配置問題。
答案1
解決方案是將rightsubnet設定為0.0.0.0/0
感謝 ecdsa !