
Building and configuring pure IPsec on a Debian VPS to support the Cisco VPN Client on Windows XP

2012-12-17 LTNS     Views: 1,858

A few days ago I used strongSwan to set up and configure pure IPsec on a Debian VPS for iOS, Windows 7, Android and other VPN client platforms. Now I continue looking for a third-party VPN client that can be used on Windows XP.

A Google search turned up at least the following third-party VPN clients that can reach a strongSwan pure IPsec server:
1. The commercial HighAssurance Remote, which supports IKEv2, but I found no trial version
http://english.cyprotect.com/main0191.php

2. The free Shrew Soft client, which does not support IKEv2; people online mention it is compatible with strongSwan, but the official wiki page on this is blank and I could not find a usable tutorial either, so I set it aside for now
http://shrew.net/software


3. Cisco VPN Client; downloading from the official site is cumbersome, and the following download details were found online:

x86 version
File: vpnclient-win-msi-5.0.07.0410-k9.exe
Size: 8001536 bytes
MD5: A8407593072CFABB83410F2F06FA8B61
SHA1: 9DCB2E9DE75204A4361036CDD194D2775B0B4B26
CRC32: D30E8447

x64 version
File: vpnclient-winx64-msi-5.0.07.0440-k9.exe
Size: 5026816 bytes
MD5: 8D10A9D6DD25793D600A08389A56825C
SHA1: B186F2BBAB0F36B17FBA0C13E537447FC200D24C
CRC32: 8A95A02F

The Cisco VPN Client likewise does not support IKEv2. It works fine against a pure IPsec server built on racoon, but my earlier attempts to connect it to strongSwan failed, because, as the strongSwan author wrote in this mailing-list thread:

[strongSwan] StrongSwan 4.1.2 with Cisco VPN Client asRoadwarrior

Andreas Steffen andreas.steffen at strongswan.org
Fri May 11 19:17:30 CEST 2007

> May 11 14:07:43 lumberjack pluto[16813]:
    packet from 123.123.123.123:500:
    unsupported exchange type ISAKMP_XCHG_AGGR in message

strongSwan does not support IKE Aggressive Mode [and never will].
Please use IKE Main Mode with X.509 certificates.

There is a related thread on the strongSwan site whose outcome suggests that the Cisco VPN Client did connect successfully, so I used its configuration as a reference and modified my own /etc/ipsec.conf:

config setup
        charonstart=yes
        plutostart=yes
        nat_traversal=yes
        uniqueids=yes
        #charondebug="net 0"
        #plutodebug=none
        crlcheckinterval=10m
        strictcrlpolicy=yes

ca vpnca
        cacert=caCert.pem
        crluri=crl.pem
        auto=add

conn %default
        auto=add
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        right=%any

conn ios
        keyexchange=ikev1
        authby=xauthpsk
        xauth=server
        leftfirewall=yes
        rightsubnet=10.11.0.0/24
        rightsourceip=10.11.0.0/24
        pfs=no
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=clear

conn win7&android
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        leftauth=pubkey
        leftcert=serverCert.pem
        # placeholder: the CN is the public IP address of the VPS
        leftid="C=CH, O=strongSwan, CN=<VPS public IP>"
        rightsourceip=10.11.1.0/24
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=%any

conn cisco
        keyexchange=ikev1
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        leftauth=pubkey
        leftcert=serverCert.pem
        # placeholder: the CN is the public IP address of the VPS
        leftid="C=CH, O=strongSwan, CN=<VPS public IP>"
        rightsourceip=10.11.2.0/24
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        type=tunnel
        authby=xauthrsasig
        xauth=server
        pfs=no

The first thing to note is that the conn must contain a keyexchange=ikev1 line if, like me, you configure support for several client platforms (the original configuration lacks it because it runs pluto only, with charon disabled, so IKEv1 is the default). Otherwise /var/log/auth.log on the server reports the error
but no connection has been authorized with policy=PUBKEY+XAUTHRSASIG+XAUTHSERVER
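As an added example (my own code, not from the post), here is a small Python linter for two pitfalls in the configuration above: a conn that omits keyexchange while both charon and pluto are enabled, and XAUTH (an IKEv1-only extension) combined with keyexchange=ikev2. The sample configuration is a constructed abridgement of the post's ipsec.conf; the parser also applies conn %default inheritance the way strongSwan does.

```python
# Constructed sample: an abridged /etc/ipsec.conf shaped like the one in the post
SAMPLE_CONF = """\
config setup
        charonstart=yes
        plutostart=yes
conn %default
        auto=add
        left=%defaultroute
        right=%any
conn cisco
        authby=xauthrsasig
        xauth=server
        leftcert=serverCert.pem
        rightsourceip=10.11.2.0/24
"""

def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}}; unindented lines open a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                      # header: config/ca/conn
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def lint(text):
    sections = parse_ipsec_conf(text)
    setup = sections.get(("config", "setup"), {})
    both = setup.get("charonstart") == "yes" and setup.get("plutostart") == "yes"
    default = sections.get(("conn", "%default"), {})
    findings = []
    for kind, name in sections:
        if kind != "conn" or name == "%default":
            continue
        conn = {**default, **sections[(kind, name)]}   # conn %default is inherited
        kx = conn.get("keyexchange")
        if both and kx is None:
            findings.append(f"conn {name}: both daemons run, set keyexchange explicitly")
        if conn.get("authby", "").startswith("xauth") and kx == "ikev2":
            findings.append(f"conn {name}: XAUTH is IKEv1-only but keyexchange=ikev2")
    return findings
```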

The second difference is the extra crl.pem parameter. Googling told me that a CRL is a Certificate Revocation List. The file can be generated yourself, so I followed the strongSwan documentation:

3.3 Generating a CRL

An empty CRL that is signed by the CA can be generated with the command

    openssl ca -gencrl -crldays 15 -out crl.pem

If you omit the -crldays option then the default_crl_days value (30 days) specified in openssl.cnf is used.

If you prefer the CRL to be in binary DER format, then this conversion can be achieved with

    openssl crl -in crl.pem -outform DER -out cert.crl

The directory /etc/ipsec.d/crls/ contains all CRLs either in binary DER or in base64 PEM format. Irrespective of the file suffix, pluto "automagically" determines the correct format.

But running the same command on my system produced an error :(

openssl ca -gencrl -out crl.pem
# the error returned was:
  Using configuration from /usr/lib/ssl/openssl.cnf
  Error opening CA private key ./demoCA/private/cakey.pem
  3502:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('./demoCA/private/cakey.pem','r')
  3502:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
  unable to load CA private key

Remembering that the certificates had been created with ipsec pki ... rather than openssl ..., I kept searching the official documentation and found the strongSwan wiki page on the ipsec pki command.

Following its instructions I ran the command below, which seemed to work:

ipsec pki --signcrl --cacert caCert.pem --cakey caKey.pem --outform pem > crl.pem
cp crl.pem /etc/ipsec.d/crls/     # copy it to the CRL directory

Of course, the account must also be added to /etc/ipsec.secrets:

: RSA serverKey.pem
# placeholders: replace with the client's XAUTH user name and password
username3 : XAUTH "password3"

and two iptables rules added to /etc/rc.local to provide NAT:

iptables -t nat -A POSTROUTING -s 10.11.2.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.11.2.0/24 -j ACCEPT

Restart ipsec and the server-side configuration is complete:

ipsec restart

Next, install the Cisco VPN Client on the Windows XP side and import the client certificate, e.g. clientCert.p12, into the software.
[Screenshot: Cisco VPN Client, Certificates tab]

In the connection entry choose certificate authentication (I do not know what the Send CA Certificate Chain box below it means; the connection works whether it is ticked or not), select the just-imported client certificate and save. It must not be the default Group Authentication (presumably that is the IKE aggressive mode strongSwan does not support).
[Screenshot: Cisco VPN Client connection entry]

Then click Connect in the top left, enter username3 and password3, confirm, and finally a banner pops up showing that the connection succeeded. :D
[Screenshot: Cisco VPN Client connected]

Visiting http://www.checkip.org should now show the public IP of the VPS.

Supplement 1:
How to revoke a client certificate

ipsec pki --signcrl --cacert caCert.pem --cakey caKey.pem --reason superseded --cert clientCert.pem > crl.pem
cp crl.pem /etc/ipsec.d/crls/
ipsec restart

A VPN client using that certificate is then refused, and the server logs the following:
Dec 17 06:52:25 (none) pluto[2244]: "cisco"[1] x.x.x.x:xxx #1: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=client'
Dec 17 06:52:25 (none) pluto[2244]: "cisco"[1] x.x.x.x:xxx #1: certificate was revoked on Dec 17 06:47:17 UTC 2012, reason: superseded
Dec 17 06:52:25 (none) pluto[2244]: "cisco"[1] x.x.x.x:xxx #1: X.509 certificate rejected
Dec 17 06:52:25 (none) pluto[2244]: "cisco"[1] x.x.x.x:xxx #1: no public key known for 'C=CH, O=strongSwan, CN=client'
Dec 17 06:52:25 (none) pluto[2244]: "cisco"[1] x.x.x.x:xxx #1: sending encrypted notification INVALID_KEY_INFORMATION to x.x.x.x:xxx
Dec 17 06:52:31 (none) pluto[2244]: "cisco"[1] x.x.x.x:xxx #1: ignoring Delete SA payload: ISAKMP SA not established

Supplement 2:
After producing each batch of certificates I recommend refreshing the CRL and restarting ipsec, to guard against a possibly faulty crl.pem.

ipsec pki --signcrl --cacert caCert.pem --cakey caKey.pem --outform pem > crl.pem
cp crl.pem /etc/ipsec.d/crls/
ipsec restart

Supplement 3:
Changing the banner shown to clients after a successful VPN login

In the source file /src/pluto/modecfg.c find the line

#define DEFAULT_UNITY_BANNER	"Welcome to strongSwan - the Linux VPN Solution!\n"

Replace the string and recompile strongSwan.

This change only affects IKEv1 clients such as the Cisco VPN Client and the iPhone's built-in client (the Android 4.2.2 built-in client shows no banner anyway); it has no effect on IKEv2 clients.

Update 2014-01-18
When refreshing the CRL, I recommend adding the --lifetime parameter, for example giving the CRL a validity of one year (the default is only 15 days):

ipsec pki --signcrl --cacert caCert.pem --cakey caKey.pem --lifetime 365 --outform pem > crl.pem
cp crl.pem /etc/ipsec.d/crls/
ipsec restart

If the CRL is not refreshed in time, the server log reports an error once it has expired:
Jan 17 01:30:05 (none) pluto[7135]: fetching crl from 'file:///etc/ipsec.d/crls/crl.pem' ...
Jan 17 01:30:05 (none) pluto[7135]: unable to fetch from file:///etc/ipsec.d/crls/crl.pem, no capable fetcher found
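As an added example (my own code, not from the post), the following Python script classifies pluto log lines like those quoted in Supplement 1 and in this update: it tags revoked or rejected certificates, aggressive-mode attempts that strongSwan refuses, an unreadable (expired) CRL file, and established SAs, and counts authentication failures per peer. The sample lines are constructed to mirror the post's entries, using documentation IP addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines, shaped like the pluto entries quoted in the post
SAMPLE_LOG = """\
Dec 17 06:52:25 (none) pluto[2244]: "cisco"[1] 198.51.100.7:500 #1: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=client'
Dec 17 06:52:25 (none) pluto[2244]: "cisco"[1] 198.51.100.7:500 #1: certificate was revoked on Dec 17 06:47:17 UTC 2012, reason: superseded
Dec 17 06:52:25 (none) pluto[2244]: "cisco"[1] 198.51.100.7:500 #1: X.509 certificate rejected
May 11 14:07:43 (none) pluto[2244]: packet from 203.0.113.9:500: unsupported exchange type ISAKMP_XCHG_AGGR in message
Jan 17 01:30:05 (none) pluto[7135]: unable to fetch from file:///etc/ipsec.d/crls/crl.pem, no capable fetcher found
Aug  2 21:54:22 (none) pluto[1332]: "cisco"[6] 198.51.100.8:4500 #4: IPsec SA established {ESP=>0x8996ddda <0xc938116c NATOA=0.0.0.0}
"""

# peer address appears either after a "conn"[n] prefix or after "packet from"
PEER_RE = re.compile(r'(?:"(?P<conn>[^"]+)"\[\d+\] |packet from )(?P<peer>[\d.]+):\d+')

RULES = [
    ("revoked_cert",    re.compile(r"certificate was revoked on .*?, reason: (\w+)")),
    ("cert_rejected",   re.compile(r"X\.509 certificate rejected")),
    ("aggressive_mode", re.compile(r"unsupported exchange type ISAKMP_XCHG_AGGR")),
    ("crl_unavailable", re.compile(r"unable to fetch from (\S+crl\S*),")),
    ("sa_established",  re.compile(r"IPsec SA established")),
]

def triage(log_text):
    """Return ([(event, peer, detail), ...], {peer: failure_count}) for the
    lines that match a rule; unmatched lines are ignored."""
    events, failures = [], defaultdict(int)
    for line in log_text.splitlines():
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            pm = PEER_RE.search(line)
            peer = pm.group("peer") if pm else None       # None for daemon-level lines
            detail = m.group(1) if m.groups() else None   # reason or CRL URI
            events.append((name, peer, detail))
            if name in ("revoked_cert", "cert_rejected", "aggressive_mode"):
                failures[peer] += 1
            break
    return events, dict(failures)
```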

References
https://lists.strongswan.org/pipermail/users/2010-May/004894.html
http://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiSignCrl

  1. fish
    2013-05-14 17:16 | #1

    hi.
    Why do I get "unable to import connection entry newclient.p12" when I import the p12 file?

  2. LTNS
    2013-05-14 18:58 | #2

    @fish
    A document online mentions
    Error 22: Unable to import connection entry %1.
    The VPN Client was unable to import the connection entry. The connection entry attempting to import may not exist. A connection entry with the same name as the entry being imported may already exist. There may be a problem with the file system.

    I suggest checking that the Cisco VPN Client installation path and the location of the .p12 file contain only English letters and digits, with no Chinese or other characters.

  3. wang
    2013-07-10 18:33 | #3

    Because the racoon-based VPN kept failing to connect with inexplicable problems, I switched to strongSwan with a non-Cisco VPN client, using
    caKey.pem caCert.pem serverKey.pem serverCert.pem clientKey.pem clientCert.pem clientCert.p12; with those certificates the connection works. If I switch to your configuration with crl.pem, do I revoke the original certificates first? Which of the original certificates become useless, or is it enough to just add crl.pem?

  4. LTNS
    2013-07-11 09:24 | #4

    @wang
    The *.pem and *.p12 certificate files should only concern strongSwan and have nothing to do with which VPN client you use, so I think adding crl.pem is all that is needed.

  5. wang
    2013-07-11 14:14 | #5

    The Cisco VPN client keeps reporting error 412: the remote peer is no longer responding.
    leftauth=pubkey: where is pubkey set?

  6. wang
    2013-07-11 14:21 | #6

    Could it be because the AWS EC2 VPS is on a private network?

  7. LTNS
    2013-08-02 22:03 | #7

    @wang
    Please untick Send CA Certificate Chain and try again.

    Also, for reference, here is the server-side log for a successful Cisco VPN Client login:
    Aug 2 21:54:14 (none) pluto[1332]: packet from x.x.x.x:xxxx: size (1160) differs from size specified in ISAKMP HDR (1144)
    Aug 2 21:54:14 (none) pluto[1332]: packet from x.x.x.x:xxxx: Cisco VPN client appends 16 surplus NULL bytes
    Aug 2 21:54:14 (none) pluto[1332]: packet from x.x.x.x:xxxx: received Vendor ID payload [XAUTH]
    Aug 2 21:54:14 (none) pluto[1332]: packet from x.x.x.x:xxxx: received Vendor ID payload [Dead Peer Detection]
    Aug 2 21:54:14 (none) pluto[1332]: packet from x.x.x.x:xxxx: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    Aug 2 21:54:14 (none) pluto[1332]: packet from x.x.x.x:xxxx: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    Aug 2 21:54:14 (none) pluto[1332]: packet from x.x.x.x:xxxx: ignoring Vendor ID payload [Cisco-Unity]
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: responding to Main Mode from unknown peer x.x.x.x:xxxx
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: peer requested 2147483 seconds which exceeds our limit 86400 seconds
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_1536] refused due to strict flag
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: peer requested 2147483 seconds which exceeds our limit 86400 seconds
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: Oakley Transform [AES_CBC (256), HMAC_MD5, MODP_1536] refused due to strict flag
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: policy does not allow public key authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: policy does not allow public key authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: peer requested 2147483 seconds which exceeds our limit 86400 seconds
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)
    Aug 2 21:54:14 (none) pluto[1332]: packet from x.x.x.x:xxxx: size (288) differs from size specified in ISAKMP HDR (272)
    Aug 2 21:54:14 (none) pluto[1332]: packet from x.x.x.x:xxxx: Cisco VPN client appends 16 surplus NULL bytes
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: ignoring Vendor ID payload [9b392206dea9e49be3370e619791000d]
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: ignoring Vendor ID payload [Cisco-Unity]
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    Aug 2 21:54:14 (none) pluto[1332]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[5] x.x.x.x:xxxx #3: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=client'
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: deleting connection "cisco" instance with peer 180.157.70.247 {isakmp=#0/ipsec=#0}
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: we have a cert and are sending it upon request
    Aug 2 21:54:14 (none) pluto[1332]: | NAT-T: new mapping x.x.x.x:xxxx/1076)
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: sent MR3, ISAKMP SA established
    Aug 2 21:54:14 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: sending XAUTH request
    Aug 2 21:54:21 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: parsing XAUTH reply
    Aug 2 21:54:21 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: extended authentication was successful
    Aug 2 21:54:21 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: sending XAUTH status
    Aug 2 21:54:21 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: parsing XAUTH ack
    Aug 2 21:54:21 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: received XAUTH ack, established
    Aug 2 21:54:21 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: parsing ModeCfg request
    Aug 2 21:54:21 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: unknown attribute type (28683)
    Aug 2 21:54:21 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: unknown attribute type (28684)
    Aug 2 21:54:21 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: peer requested virtual IP %any
    Aug 2 21:54:21 (none) pluto[1332]: assigning new lease to 'username'
    Aug 2 21:54:21 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: assigning virtual IP 10.11.2.1 to peer
    Aug 2 21:54:21 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: sending ModeCfg reply
    Aug 2 21:54:21 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #3: sent ModeCfg reply, established
    Aug 2 21:54:22 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #4: IPSec Transform [AES_CBC (256), HMAC_MD5] refused due to strict flag
    Aug 2 21:54:22 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #4: IPSec Transform [AES_CBC (128), HMAC_MD5] refused due to strict flag
    Aug 2 21:54:22 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #4: IPSec Transform [AES_CBC (128), HMAC_SHA1] refused due to strict flag
    Aug 2 21:54:22 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #4: IPSec Transform [AES_CBC (256), HMAC_MD5] refused due to strict flag
    Aug 2 21:54:22 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #4: responding to Quick Mode
    Aug 2 21:54:22 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #4: Dead Peer Detection (RFC 3706) enabled
    Aug 2 21:54:22 (none) pluto[1332]: "cisco"[6] x.x.x.x:xxxx #4: IPsec SA established {ESP=>0x8996ddda <0xc938116c NATOA=0.0.0.0}
    Aug 2 21:54:30 (none) pluto[1332]: "cisco"[4] x.x.x.x:xxxx #2: max number of retransmissions (2) reached STATE_XAUTH_R2
    Aug 2 21:54:30 (none) pluto[1332]: "cisco"[4] x.x.x.x:xxxx: deleting connection "cisco" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}

  8. wang
    2013-08-03 12:52 | #8

    Thanks for your help; my skills are not good enough to analyse logs, so I will leave the Cisco VPN Client for later.
    ShrewSoft VPN Client should be compatible with strongSwan; both connection types succeeded.
    1 Username/password + certificate:
    Set local identity to ASN.1 and remote identity to any, then select the CA and p12 certificates
    p1: main, the rest auto; p2: 3 x auto; compress: disable.
    2 Username/password + PSK
    In the client tab set NAT traversal to enable; IKE fragmentation must be force, otherwise you connect but still cannot browse.
    Then set local identity to fully and fill in the PSK.
    p1: aggressive, DH group 2, then the next 2 auto; p2: 2 auto, 2 disable.
    Note that for PSK mode the most important thing is adding aggressive=yes to ipsec.conf and setting IKE fragmentation to force.
    Otherwise ShrewSoft cannot connect.

  9. LTNS
    2013-08-03 17:25 | #9

    @wang
    Thanks, I will try the Shrew VPN client when I have time.

  10. fish
    2013-08-18 14:57 | #10

    @LTNS
    hi. Have you actually used the Shrew VPN client to connect to your VPN server? Can it connect and get past the firewall? I can connect to my racoon VPN server with it, but cannot open any website, strangely; have you run into this? (I ran the relevant iptables commands, but it seemed to make no difference.)

  11. fish
    2013-08-18 17:27 | #11

    @LTNS

    hi,
    I downloaded and installed the 32-bit version, but when importing the certificate it only accepts the pcf format (there is no option for other formats); mine is p12, so the import fails. How do I convert the pcf format to p12?
    The Cisco VPN Client installation path and the .p12 file path contain only English letters and digits, no Chinese or other characters.
    I am really curious how you managed to import a p12 certificate.

  12. LTNS
    2013-08-18 23:49 | #12

    @fish
    You must have clicked the Import icon on the "Connection Entries" tab (which is why it asks for a .pcf file); that tab looks different from the first screenshot in my post (the "Certificates" tab, where Import asks for a .p12 file).

    Or download the per-platform VPN client guide I mentioned in the previous post, which has detailed steps.

  13. fish
    2013-08-19 15:46 | #13

    @LTNS
    hi.
    This time I imported via Certificates - Import, and it succeeded.
    But your post says "click Connect in the top left and enter username3 and password3"; I clicked Connect in the top left, but no dialog asking for a username and password appeared. What is going on?

  14. LTNS
    2013-08-19 18:13 | #14

    @fish
    Please untick Send CA Certificate Chain and try again; if that still does not work, compare the server-side log against comment #7.

  15. LTNS
    2014-06-22 23:33 | #15

    wang :

    The Cisco VPN client keeps reporting error 412: the remote peer is no longer responding.
    leftauth=pubkey: where is pubkey set?

    Today, after upgrading strongSwan to 5.1.3, I also hit error 412; deleting the leftauth=pubkey line from the conn cisco configuration fixed it.

    Also, if the client log shows the error reason = DEL_REASON_NON_UNITY_PEER, add a line "cisco_unity = yes" to the charon section of strongswan.conf.

  16. 2014-09-25 09:46 | #16

    I tried configuring strongSwan once without success; there were a few settings I did not understand, and I will try again when I have time. Your blog is great, all technical articles; I will come here for reference the next time I tinker.
