seejey Posted May 11

Good afternoon. Guys, help me set up a strongSwan IKEv2 VPN client. The client needs to connect to Surfshark; I downloaded the .crt certificate. I installed it via Entware opkg: opkg install strongswan-full. My gateway is 192.168.1.1, a Keenetic Ultra revision 1. I couldn't find any information anywhere on how to set it up on a Keenetic.
seejey Posted May 12 (Author)

In short, after two days of struggling I got it set up, but not completely. After installation you need ipsec.conf (config below) and ipsec.secrets (the account name and password go there).

```
# Add connections here.
conn %default
    type=tunnel
    keyexchange=ikev2
    authby=pubkey
    ike=aes256-sha2_256-modp2048!
    esp=aes256-sha2_256!

# Note: the name after "conn" is what "ipsec up <name>" brings up.
conn ikev2-vpn
    right=fr-bod.prod.surfshark.com
    rightid=fr-bod.prod.surfshark.com
    rightsubnet=0.0.0.0/0,::/0
    rightauth=pubkey
    eap_identity="USERNAME"
    # %config is a leftsourceip value, not a valid "left" value; %any lets charon pick the local address
    left=%any
    leftauth=eap-mschapv2
    leftcert=mycert.crt
    leftsourceip=%config
    auto=add
```

After bringing it up, the internet drops and I can't get to 192.168.1.1.

```
~ # ipsec up surfshark
initiating IKE_SA surfshark[1] to 45.134.79.133
unable to determine source address, faking NAT situation
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 0.0.0.0[500] to 45.134.79.133[500] (464 bytes)
received packet: from 45.134.79.133[500] to 100.118.133.99[500] (472 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
sending cert request for "C=VG, O=Surfshark, CN=Surfshark Root CA"
sending cert request for "C=VG, O=Surfshark, CN=Surfshark Root CA"
establishing CHILD_SA surfshark{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 100.118.133.99[4500] to 45.134.79.133[4500] (448 bytes)
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (1236 bytes)
parsed IKE_AUTH response 1 [ EF(1/3) ]
received fragment #1 of 3, waiting for complete IKE message
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (1236 bytes)
parsed IKE_AUTH response 1 [ EF(2/3) ]
received fragment #2 of 3, waiting for complete IKE message
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (628 bytes)
parsed IKE_AUTH response 1 [ EF(3/3) ]
received fragment #3 of 3, reassembled fragmented IKE message (2960 bytes)
parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
received end entity cert "CN=fr-bod.prod.surfshark.com"
received issuer cert "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
using certificate "CN=fr-bod.prod.surfshark.com"
using untrusted intermediate certificate "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
using trusted ca certificate "C=VG, O=Surfshark, CN=Surfshark Root CA"
reached self-signed root ca with a path length of 1
checking certificate status of "CN=fr-bod.prod.surfshark.com"
certificate status is not available
checking certificate status of "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
certificate status is not available
authentication of 'fr-bod.prod.surfshark.com' with RSA_EMSA_PKCS1_SHA2_256 successful
server requested EAP_IDENTITY (id 0x00), sending 'USERNAME'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 100.118.133.99[4500] to 45.134.79.133[4500] (112 bytes)
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (80 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
server requested EAP_PEAP authentication (id 0x01)
requesting EAP_MSCHAPV2 authentication, sending EAP_NAK
generating IKE_AUTH request 3 [ EAP/RES/NAK ]
sending packet: from 100.118.133.99[4500] to 45.134.79.133[4500] (80 bytes)
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (112 bytes)
parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
server requested EAP_MSCHAPV2 authentication (id 0x02)
generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
sending packet: from 100.118.133.99[4500] to 45.134.79.133[4500] (160 bytes)
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (128 bytes)
parsed IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
EAP-MS-CHAPv2 succeeded: '(null)'
generating IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
sending packet: from 100.118.133.99[4500] to 45.134.79.133[4500] (80 bytes)
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (80 bytes)
parsed IKE_AUTH response 5 [ EAP/SUCC ]
EAP method EAP_MSCHAPV2 succeeded, MSK established
authentication of 'C=VG, O=Surfshark, CN=Surfshark Root CA' (myself) with EAP
generating IKE_AUTH request 6 [ AUTH ]
sending packet: from 100.118.133.99[4500] to 45.134.79.133[4500] (112 bytes)
received packet: from 45.134.79.133[4500] to 100.118.133.99[4500] (384 bytes)
parsed IKE_AUTH response 6 [ AUTH CPRP(ADDR DNS DNS MASK) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of 'fr-bod.prod.surfshark.com' with EAP successful
installing DNS server 162.252.172.57 to /opt/etc/resolv.conf
installing DNS server 149.154.159.92 to /opt/etc/resolv.conf
handling INTERNAL_IP4_NETMASK attribute failed
installing new virtual IP 10.6.1.171
peer supports MOBIKE
IKE_SA surfshark[1] established between 100.118.133.99[C=VG, O=Surfshark, CN=Surfshark Root CA]...45.134.79.133[fr-bod.prod.surfshark.com]
scheduling reauthentication in 9947s
maximum IKE_SA lifetime 10487s
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
```

I reduced the MTU; it didn't help.

```
# iptables -t mangle -I FORWARD -p tcp -m policy --pol ipsec --dir in --syn -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
# iptables -t mangle -I FORWARD -p tcp -m policy --pol ipsec --dir out --syn -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
# ip6tables -t mangle -I FORWARD -p tcp -m policy --pol ipsec --dir in --syn -m tcpmss --mss 1341:1536 -j TCPMSS --set-mss 1340
# ip6tables -t mangle -I FORWARD -p tcp -m policy --pol ipsec --dir out --syn -m tcpmss --mss 1341:1536 -j TCPMSS --set-mss 1340
```

I suspect NAT might also need to be configured, or something like that.
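A check worth running on the router right after `ipsec up` is `ip xfrm policy`, to see which kernel policy a given flow falls under. The Python below is an added example, not the poster's code or anything shipped with strongSwan: it parses a constructed sample of that output, modelled on what a rightsubnet=0.0.0.0/0 connection with virtual IP 10.6.1.171 installs plus a passthrough (shunt) policy for 192.168.1.0/24, and classifies flows. It shows that only flows sourced from the virtual IP match the tunnel policy, so traffic forwarded for LAN clients matches no policy at all unless it is NATed to the virtual IP first, which is the NAT step the poster suspects is missing.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output (priorities are illustrative).
# Entries 1-2: passthrough policies for the LAN (no "tmpl" line = traffic stays in the clear).
# Entries 3-4: the tunnel policies strongSwan installs for TS 10.6.1.171/32 <-> 0.0.0.0/0.
SAMPLE_XFRM_POLICY = """\
src 192.168.1.0/24 dst 192.168.1.0/24
\tdir out priority 1 ptype main
src 192.168.1.0/24 dst 192.168.1.0/24
\tdir in priority 1 ptype main
src 10.6.1.171/32 dst 0.0.0.0/0
\tdir out priority 375423 ptype main
\ttmpl src 100.118.133.99 dst 45.134.79.133
\t\tproto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.6.1.171/32
\tdir in priority 375423 ptype main
\ttmpl src 45.134.79.133 dst 100.118.133.99
\t\tproto esp reqid 1 mode tunnel
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)\s*$")
DIR_RE = re.compile(r"^\s+dir (\w+) priority (\d+)")


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into dicts; a policy without a tmpl line is a passthrough."""
    policies, cur = [], None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            cur = {"src": ipaddress.ip_network(m.group(1)), "dst": ipaddress.ip_network(m.group(2)),
                   "dir": None, "priority": None, "tunnel": False}
            policies.append(cur)
            continue
        m = DIR_RE.match(line)
        if m and cur is not None:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
        elif cur is not None and line.lstrip().startswith("tmpl "):
            cur["tunnel"] = True  # has an ESP template: matching packets are encapsulated
    return policies


def match_policy(policies, src, dst, direction="out"):
    """Winning policy for a packet: among matches, the lowest priority number wins (as in the kernel)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def classify(policies, src, dst, direction="out"):
    """'tunnel' (ESP), 'passthrough' (shunt, clear text), or 'none' (no policy: leaves in the clear)."""
    p = match_policy(policies, src, dst, direction)
    if p is None:
        return "none"
    return "tunnel" if p["tunnel"] else "passthrough"
```

Run it against the real `ip xfrm policy` output on the router to see where a LAN client's flow actually ends up; a result of `none` for a client source address means the flow needs SNAT to the virtual IP before the policy lookup.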
seejey Posted May 12 (Author, edited)

The topic can be closed.

Edited May 12 by seejey: solved