Alexandre Bougakov, posted July 22

Hi. I have an IKEv2 server running on a Keenetic Giga. If I create a plain VPN connection manually on an iPhone, just entering the domain name xxxx.keenetic.link, the login and the password, everything works out of the box:

Jul 22 11:42:01 ipsec 10[IKE] y.y.y.y is initiating an IKE_SA
Jul 22 11:42:01 ipsec 10[CFG] received proposals: IKE:AES_GCM_16=256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16=256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 22 11:42:01 ipsec 10[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
Jul 22 11:42:01 ipsec 10[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 22 11:42:01 ipsec 10[IKE] remote host is behind NAT
Jul 22 11:42:01 ipsec 10[IKE] DH group ECP_256 unacceptable, requesting MODP_2048
Jul 22 11:42:01 ipsec 05[IKE] y.y.y.y is initiating an IKE_SA
Jul 22 11:42:01 ipsec 05[CFG] received proposals: IKE:AES_GCM_16=256/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_GCM_16=256/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 22 11:42:01 ipsec 05[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
Jul 22 11:42:01 ipsec 05[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 22 11:42:02 ipsec 05[IKE] remote host is behind NAT
Jul 22 11:42:02 ipsec 15[CFG] looking for peer configs matching x.x.x.x[censored.keenetic.link]...y.y.y.y[z.z.z.z]
Jul 22 11:42:02 ipsec 15[CFG] selected peer config 'VirtualIPServerIKE2'
Jul 22 11:42:02 ipsec 15[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 22 11:42:02 ipsec 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 22 11:42:02 ipsec 15[IKE] peer supports MOBIKE, but disabled in config
Jul 22 11:42:02 ipsec 15[IKE] authentication of 'censored.keenetic.link' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Jul 22 11:42:02 ipsec 15[IKE] sending end entity cert "CN=censored.keenetic.link"
Jul 22 11:42:02 ipsec 15[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R11"
Jul 22 11:42:03 ipsec 16[IKE] received EAP identity 'username'
Jul 22 11:42:03 ipsec 16[IKE] initiating EAP_MSCHAPV2 method (id 0x21)
Jul 22 11:42:03 ipsec 05[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jul 22 11:42:03 ipsec 08[IKE] authentication of 'z.z.z.z' with EAP successful
Jul 22 11:42:03 ipsec 08[IKE] authentication of 'censored.keenetic.link' (myself) with EAP
Jul 22 11:42:03 ipsec 08[IKE] IKE_SA VirtualIPServerIKE2[41] established between x.x.x.x[censored.keenetic.link]...y.y.y.y[z.z.z.z]
Jul 22 11:42:03 ipsec 08[IKE] peer requested virtual IP %any
Jul 22 11:42:03 ndm Core::Server: started Session /var/run/ndm.core.socket.
Jul 22 11:42:03 ndm IpSec::CryptoMapInfo: "VirtualIPServerIKE2": allocated address "172.20.8.1" for user "username" @ "z.z.z.z" from "y.y.y.y".

Now I am trying to build a mobileconfig profile so that it can be pushed to devices, and I cannot find a working combination of ciphers. Here is what the configurator offers for Encryption algorithm, Integrity algorithm and Diffie-Hellman group. The question is: exactly which combination should the IKEv2 client offer the Keenetic to make it happy? Thanks.
Le ecureuil, posted July 23

IKE: AES-256 + SHA2-256 + 14
Alexandre Bougakov (author), posted July 23

3 hours ago, Le ecureuil said:
IKE: AES-256 + SHA2-256 + 14

Unfortunately, it does not work: "no acceptable proposal found":

[I] Jul 23 20:45:24 ipsec: 06[IKE] a.a.a.a is initiating an IKE_SA
[I] Jul 23 20:45:24 ipsec: 06[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[I] Jul 23 20:45:24 ipsec: 06[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
[I] Jul 23 20:45:24 ipsec: 06[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[I] Jul 23 20:45:24 ipsec: 06[IKE] remote host is behind NAT
[I] Jul 23 20:45:24 ipsec: 05[CFG] looking for peer configs matching b.b.b.b[censored.keenetic.link]...a.a.a.a[censored.keenetic.link]
[I] Jul 23 20:45:24 ipsec: 05[CFG] selected peer config 'VirtualIPServerIKE2'
[I] Jul 23 20:45:24 ipsec: 05[IKE] initiating EAP_IDENTITY method (id 0x00)
[I] Jul 23 20:45:24 ipsec: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
[I] Jul 23 20:45:24 ipsec: 05[IKE] peer supports MOBIKE, but disabled in config
[I] Jul 23 20:45:24 ipsec: 05[IKE] authentication of 'censored.keenetic.link' (myself) with RSA signature successful
[I] Jul 23 20:45:24 ipsec: 05[IKE] sending end entity cert "CN=censored.keenetic.link"
[I] Jul 23 20:45:24 ipsec: 05[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R11"
[I] Jul 23 20:45:24 ipsec: 04[IKE] received EAP identity 'username'
[I] Jul 23 20:45:24 ipsec: 04[IKE] initiating EAP_MSCHAPV2 method (id 0x53)
[I] Jul 23 20:45:25 ipsec: 15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
[I] Jul 23 20:45:25 ipsec: 16[IKE] authentication of 'censored.keenetic.link' with EAP successful
[I] Jul 23 20:45:25 ipsec: 16[IKE] authentication of 'censored.keenetic.link' (myself) with EAP
[I] Jul 23 20:45:25 ipsec: 16[IKE] IKE_SA VirtualIPServerIKE2[108] established between b.b.b.b[censored.keenetic.link]...a.a.a.a[censored.keenetic.link]
[I] Jul 23 20:45:25 ipsec: 16[IKE] peer requested virtual IP %any
[I] Jul 23 20:45:25 ndm: Core::Server: started Session /var/run/ndm.core.socket.
[I] Jul 23 20:45:25 ndm: IpSec::CryptoMapInfo: "VirtualIPServerIKE2": allocated address "172.20.8.3" for user "username" @ "censored.keenetic.link" from "a.a.a.a".
[I] Jul 23 20:45:25 ndm: Core::Session: client disconnected.
[I] Jul 23 20:45:25 ipsec: 16[IKE] assigning virtual IP 172.20.8.3 to peer 'username'
[I] Jul 23 20:45:25 ipsec: 16[IKE] peer requested virtual IP %any6
[I] Jul 23 20:45:25 ipsec: 16[IKE] no virtual IP found for %any6 requested by 'username'
[I] Jul 23 20:45:25 ipsec: 16[CFG] received proposals: ESP:AES_GCM_16=256/NO_EXT_SEQ
[I] Jul 23 20:45:25 ipsec: 16[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA2_256_128/NO_EXT_SEQ
[I] Jul 23 20:45:25 ipsec: 16[IKE] no acceptable proposal found
[I] Jul 23 20:45:25 ipsec: 16[IKE] closing IKE_SA due CHILD_SA setup failure
[E] Jul 23 20:45:25 ndm: IpSec::Configurator: "VirtualIPServerIKE2": error while establishing CHILD_SA.
[I] Jul 23 20:45:25 ipsec: 16[CFG] scheduling RADIUS Interim-Updates every 5s
[I] Jul 23 20:45:25 ipsec: 06[IKE] deleting IKE_SA VirtualIPServerIKE2[108] between b.b.b.b[censored.keenetic.link]...a.a.a.a[censored.keenetic.link]
[I] Jul 23 20:45:25 ipsec: 06[IKE] sending DELETE for IKE_SA VirtualIPServerIKE2[108]
Alexandre Bougakov (author), posted July 24

Upd: I also had to duplicate the settings in the inconspicuous Child SA params tab:
Le ecureuil, posted July 24

For the CHILD_SA choose AES-128 / SHA1 / none; for the IKE SA, everything as stated in the post above.
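As an added example (not part of this thread, not Keenetic's or strongSwan's own code): a small Python script that reads the `[CFG] received/configured proposals` lines in the format the router logs above use and works out, per protocol, what the responder can accept. Run on lines taken from the failed attempt it shows why the IKE_SA was established but the CHILD_SA was not: the client offered only ESP AES_GCM_16, which is absent from the router's configured ESP list. The sample log is constructed from shortened lines of this thread, and the matching rule (first configured entry the initiator also offered) is a simplification of strongSwan's real selection logic; it also flags the MODP_1024 and SHA1 entries the router still advertises, which a defender would want to disable.

```python
import re

# Constructed sample: four CFG lines taken from the log in the thread above,
# with the long configured-proposal lists shortened to two entries each.
SAMPLE_LOG = """\
Jul 23 20:45:24 ipsec: 06[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 23 20:45:24 ipsec: 06[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 23 20:45:25 ipsec: 16[CFG] received proposals: ESP:AES_GCM_16=256/NO_EXT_SEQ
Jul 23 20:45:25 ipsec: 16[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""

# Matches both "ipsec 10[CFG]" and "ipsec: 06[CFG]" prefixes seen in the thread
CFG_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")
# Algorithm tokens a defender would rather not see the responder advertise
WEAK_TOKENS = ("MODP_1024", "HMAC_SHA1", "PRF_HMAC_SHA1")


def parse_proposals(log_text):
    """Group proposal strings by protocol (IKE/ESP) and by which side listed them."""
    table = {}
    for line in log_text.splitlines():
        m = CFG_RE.search(line)
        if not m:
            continue
        side, body = m.groups()
        for item in body.split(", "):
            proto, _, props = item.partition(":")
            table.setdefault(proto, {"received": [], "configured": []})[side].append(props)
    return table


def negotiate(table):
    """Per protocol, return the first configured proposal the initiator also offered,
    or None when the lists share nothing (strongSwan's 'no acceptable proposal found').
    Simplified: real strongSwan matches transform by transform, not whole strings."""
    result = {}
    for proto, sides in table.items():
        offered = set(sides["received"])
        result[proto] = next((p for p in sides["configured"] if p in offered), None)
    return result


def weak_configured(table):
    """Configured proposals that still contain a weak DH group or SHA1, per protocol."""
    return {proto: [p for p in sides["configured"] if any(t in p for t in WEAK_TOKENS)]
            for proto, sides in table.items()}


if __name__ == "__main__":
    parsed = parse_proposals(SAMPLE_LOG)
    for proto, chosen in negotiate(parsed).items():
        print(proto, "->", chosen or "no acceptable proposal found")
    print("weak entries still enabled:", weak_configured(parsed))
```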