How to set up a Strongswan IKEv2 client via opkg

Good afternoon.

Guys, help me set up the strongswan ikev2 client.

The VPN client should connect to Surfshark; I downloaded the .crt certificate.
I installed it via Entware opkg:
opkg install strongswan-full
My gateway is 192.168.1.1, a Keenetic Ultra revision 1.

I couldn't find any info anywhere on how to set it up on a Keenetic.


Well, after 2 days of suffering I got it set up, but not completely.

After installation you need:

ipsec.conf - the config is below

ipsec.secrets - the account and password go there

# Add connections here.
conn %default
    type=tunnel
    keyexchange=ikev2
    authby=pubkey
    ike=aes256-sha2_256-modp2048!
    esp=aes256-sha2_256!

# The connection name is what "ipsec up <name>" takes; the ipsec up output
# further down in this post was produced with a connection named "surfshark".
conn ikev2-vpn
    right=fr-bod.prod.surfshark.com
    rightid=fr-bod.prod.surfshark.com
    # 0.0.0.0/0 sends all traffic (IPv4 and IPv6) through the tunnel
    rightsubnet=0.0.0.0/0,::/0
    # the server authenticates with its certificate, which must chain to the
    # Surfshark Root CA; put the downloaded .crt in /opt/etc/ipsec.d/cacerts/
    rightauth=pubkey
    eap_identity="USERNAME"
    # left=%any: we are a road warrior with a dynamic address
    # (the original had left=%config, which is a leftsourceip value, not a host)
    left=%any
    # the client authenticates with username/password from ipsec.secrets;
    # leftcert is not used with eap-mschapv2, so the CA .crt must not go there
    leftauth=eap-mschapv2
    # request a virtual IP from the server
    leftsourceip=%config
    auto=add

After starting it the internet drops, I can't get to 192.168.1.1.

~ # ipsec up surfshark
initiating IKE_SA surfshark[1] to 45.134.79.133
unable to determine source address, faking NAT situation
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 0.0.0.0[500] to 45.134.79.133[500] (464 bytes)
received packet: from 45.134.79.133[500] to 100.118.133.99[500] (472 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
sending cert request for "C=VG, O=Surfshark, CN=Surfshark Root CA"
sending cert request for "C=VG, O=Surfshark, CN=Surfshark Root CA"
establishing CHILD_SA surfshark{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 100.118.133.99[4500] to 45.134.79.133[4500] (448 bytes)
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (1236 bytes)
parsed IKE_AUTH response 1 [ EF(1/3) ]
received fragment #1 of 3, waiting for complete IKE message
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (1236 bytes)
parsed IKE_AUTH response 1 [ EF(2/3) ]
received fragment #2 of 3, waiting for complete IKE message
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (628 bytes)
parsed IKE_AUTH response 1 [ EF(3/3) ]
received fragment #3 of 3, reassembled fragmented IKE message (2960 bytes)
parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
received end entity cert "CN=fr-bod.prod.surfshark.com"
received issuer cert "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
  using certificate "CN=fr-bod.prod.surfshark.com"
  using untrusted intermediate certificate "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
  using trusted ca certificate "C=VG, O=Surfshark, CN=Surfshark Root CA"
  reached self-signed root ca with a path length of 1
checking certificate status of "CN=fr-bod.prod.surfshark.com"
certificate status is not available
checking certificate status of "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
certificate status is not available
authentication of 'fr-bod.prod.surfshark.com' with RSA_EMSA_PKCS1_SHA2_256 successful
server requested EAP_IDENTITY (id 0x00), sending 'USERNAME'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 100.118.133.99[4500] to 45.134.79.133[4500] (112 bytes)
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (80 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
server requested EAP_PEAP authentication (id 0x01)
requesting EAP_MSCHAPV2 authentication, sending EAP_NAK
generating IKE_AUTH request 3 [ EAP/RES/NAK ]
sending packet: from 100.118.133.99[4500] to 45.134.79.133[4500] (80 bytes)
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (112 bytes)
parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
server requested EAP_MSCHAPV2 authentication (id 0x02)
generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
sending packet: from 100.118.133.99[4500] to 45.134.79.133[4500] (160 bytes)
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (128 bytes)
parsed IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
EAP-MS-CHAPv2 succeeded: '(null)'
generating IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
sending packet: from 100.118.133.99[4500] to 45.134.79.133[4500] (80 bytes)
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (80 bytes)
parsed IKE_AUTH response 5 [ EAP/SUCC ]
EAP method EAP_MSCHAPV2 succeeded, MSK established
authentication of 'C=VG, O=Surfshark, CN=Surfshark Root CA' (myself) with EAP
generating IKE_AUTH request 6 [ AUTH ]
sending packet: from 100.118.133.99[4500] to 45.134.79.133[4500] (112 bytes)
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (384 bytes)
parsed IKE_AUTH response 6 [ AUTH CPRP(ADDR DNS DNS MASK) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of 'fr-bod.prod.surfshark.com' with EAP successful
installing DNS server 162.252.172.57 to /opt/etc/resolv.conf
installing DNS server 149.154.159.92 to /opt/etc/resolv.conf
handling INTERNAL_IP4_NETMASK attribute failed
installing new virtual IP 10.6.1.171
peer supports MOBIKE
IKE_SA surfshark[1] established between 100.118.133.99[C=VG, O=Surfshark, CN=Surfshark Root CA]...45.134.79.133[fr-bod.prod.surfshark.com]
scheduling reauthentication in 9947s
maximum IKE_SA lifetime 10487s
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ

I lowered the MTU, it didn't help

# iptables -t mangle -I FORWARD -p tcp -m policy --pol ipsec --dir in --syn -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
# iptables -t mangle -I FORWARD -p tcp -m policy --pol ipsec --dir out --syn -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
# ip6tables -t mangle -I FORWARD -p tcp -m policy --pol ipsec --dir in --syn -m tcpmss --mss 1341:1536 -j TCPMSS --set-mss 1340
# ip6tables -t mangle -I FORWARD -p tcp -m policy --pol ipsec --dir out --syn -m tcpmss --mss 1341:1536 -j TCPMSS --set-mss 1340

I suspect I may also need to set up NAT or something like that.
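The symptom in this post (tunnel up, 192.168.1.1 unreachable) is what a rightsubnet=0.0.0.0/0 connection does on the router itself: the catch-all IPsec policy and the route strongSwan installs for it also capture traffic to the router's own LAN. The script below is an added example, not code from the thread or from strongSwan. It assumes the LAN 192.168.1.0/24 from the thread, the Entware path /opt/etc/ipsec.conf, and that `ipsec reload` is available. It renders the passthrough (bypass) connection that strongSwan documents for excluding a local subnet, and checks `ip xfrm policy` output for the symptom: first on a constructed sample embedded in the script, and on the live router only when run with the `apply` argument.

```shell
#!/bin/sh
# Added example (not from the original thread): exclude the local LAN from the
# catch-all IPsec policy that rightsubnet=0.0.0.0/0 installs.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumption: Keenetic LAN from the thread
CONF="${CONF:-/opt/etc/ipsec.conf}"    # assumption: Entware strongSwan config path

# Render a strongSwan passthrough (shunt) connection for subnet $1.
# type=passthrough installs a bypass policy that takes precedence over the
# tunnel policy for this subnet, authby=never means no peer is involved, and
# auto=route installs the policy at startup without negotiating anything.
render_passthrough_conf() {
    printf 'conn lan-passthrough\n'
    printf '    leftsubnet=%s\n' "$1"
    printf '    rightsubnet=%s\n' "$1"
    printf '    authby=never\n'
    printf '    type=passthrough\n'
    printf '    auto=route\n'
}

# Return 0 when the "ip xfrm policy" text in $1 contains an outbound policy
# whose destination is 0.0.0.0/0 but no outbound policy for LAN $2 to itself
# (which is what the passthrough connection adds); otherwise return 1.
lan_swallowed_by_tunnel() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        /^src / { src = $2; dst = $4; next }
        /^[ \t]*dir out/ {
            if (dst == "0.0.0.0/0") tunnel = 1
            if (src == lan && dst == lan) bypass = 1
        }
        END { if (tunnel && !bypass) exit 0; exit 1 }'
}

# Constructed sample of "ip xfrm policy" output shaped like the state after
# the ipsec up run in this thread: virtual IP 10.6.1.171, peer 45.134.79.133,
# and no bypass policy for the LAN.
SAMPLE_POLICY='src 10.6.1.171/32 dst 0.0.0.0/0
    dir out priority 383615 ptype main
    tmpl src 100.118.133.99 dst 45.134.79.133
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.6.1.171/32
    dir in priority 383615 ptype main
    tmpl src 45.134.79.133 dst 100.118.133.99
        proto esp reqid 1 mode tunnel'

if [ "${1:-}" = "apply" ]; then
    # Live check on the router; append the bypass once and let charon reload it.
    if lan_swallowed_by_tunnel "$(ip xfrm policy)" "$LAN_NET"; then
        grep -q '^conn lan-passthrough' "$CONF" || render_passthrough_conf "$LAN_NET" >> "$CONF"
        ipsec reload
    else
        echo "no catch-all tunnel policy without a $LAN_NET bypass found; nothing to do"
    fi
elif lan_swallowed_by_tunnel "$SAMPLE_POLICY" "$LAN_NET"; then
    echo "sample policy: $LAN_NET is swallowed by the tunnel; bypass stanza to add:"
    render_passthrough_conf "$LAN_NET"
fi
```

Run it without arguments to see the stanza it would add; run it with `apply` on the router after `ipsec up` to check the real policies, append the stanza and reload. The check only looks at policies, so after the reload `ip xfrm policy` should show the new `src 192.168.1.0/24 dst 192.168.1.0/24` entry without a `tmpl` line. This does not cover LAN clients that are meant to use the tunnel as well: their packets would need a source address inside the negotiated traffic selector (the virtual IP), which is the NAT question the post raises and is a separate step.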
