[GUIDE] strongSwan for IPsec on OpenWrt and Homeware


ttt666
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #195 on: 19 November 2021, 09:32 »
Maybe in point a) you meant uncommenting rightca=
No, I really did mean uncommenting (in the 'conn rwPUBKEY' section) the line 'rightauth2=eap-mschapv2' that FrancYescO's script inserts as a comment. Otherwise the server does not identify the client's authentication type; at least that is what happened in my case.

If you have suggestions or corrections to improve things they are welcome, thanks a lot.

In case it is useful, I am attaching the script for the multiple certificate generation only (1 server-side and 4 client-side), extracted in full from FrancYescO's excellent script.
Prerequisite: remove the previous certificates present on the server by emptying the 3 folders '/etc/ipsec.conf/cacerts   /etc/ipsec.conf/certs   /etc/ipsec.conf/private'

file '/etc/certGen.sh':
Code:
#!/bin/sh
# Builds a CA, one server certificate and one client certificate per name in CLIENTNAMES
# with strongSwan's pki tool, then moves everything into /etc/ipsec.d/
set -e   # abort on the first failing command rather than moving half-built files into place
COUNTRYNAME="US"
CANAME="CATechnicolor"
ORGNAME="Technicolor"
CACERTPASSWORD="" #if set will be asked when installing cert on clients or generating new clientCert
SERVERDOMAINNAME=$(uci get ddns.myddns_ipv4.domain) #"myvpnserver.dyndns.org"
CLIENTNAMES="myvpnclient1 myvpnclient2 myvpnclient3 myvpnclient4"
SHAREDSAN="myVpnClients" # iOS clients need to match a common SAN

cd /tmp

echo "Building certificates for [ $SERVERDOMAINNAME ] and clients [ $CLIENTNAMES (aka $SHAREDSAN) ] "

# reuse the CA bundle kept from a previous run, if any
[ -f "/etc/ipsec.d/private/ca.p12" ] && ln -sf /etc/ipsec.d/private/ca.p12 ca.p12

if [ -f "caKey.pem" ] ; then
  echo "caKey exists, using existing caKey for signing serverCert and clientCert...."
elif [ -f "ca.p12" ] ; then
  echo "CA keys bundle exists, accessing existing protected caKey for signing serverCert and clientCert...."
  # -nodes: pki cannot read a passphrase-protected PEM key; the bundle password is CACERTPASSWORD
  openssl pkcs12 -in ca.p12 -nocerts -nodes -out caKey.pem -passin "pass:$CACERTPASSWORD"
else
  echo "generating a new cakey for [ $CANAME ]"
  ipsec pki --gen --outform pem > caKey.pem
fi
echo "generating caCert for [ $CANAME ]..."
ipsec pki --self --lifetime 3652 --in caKey.pem --dn "C=$COUNTRYNAME, O=$ORGNAME, CN=$CANAME" --ca --outform pem > caCert.pem
openssl x509 -inform PEM -outform DER -in caCert.pem -out caCert.crt
echo "Now building CA keys bundle"
openssl pkcs12 -export -inkey caKey.pem -in caCert.pem -name "$CANAME" -certfile caCert.pem -caname "$CANAME" -out ca.p12 -password "pass:$CACERTPASSWORD"

echo "generating server certificates for [ $SERVERDOMAINNAME ]... "
ipsec pki --gen --outform pem > serverKey_$SERVERDOMAINNAME.pem
# serverAuth (needed by Windows clients) and ikeIntermediate (older macOS/iOS) EKU flags on the server cert
ipsec pki --pub --in serverKey_$SERVERDOMAINNAME.pem | ipsec pki --issue --lifetime 3652 --cacert caCert.pem --cakey caKey.pem --dn "C=$COUNTRYNAME, O=$ORGNAME, CN=$SERVERDOMAINNAME" --san="$SERVERDOMAINNAME" --flag serverAuth --flag ikeIntermediate --outform pem > serverCert_$SERVERDOMAINNAME.pem
#openssl x509 -inform PEM -outform DER -in serverCert_$SERVERDOMAINNAME.pem -out serverCert_$SERVERDOMAINNAME.crt

for CLIENTNAME in $CLIENTNAMES; do
  if [ -f "clientCert_$CLIENTNAME.pem" ] ; then
    echo "clientCert for [ $CLIENTNAME ] exists, not generating new clientCert."
    continue
  fi
  echo "generating clientCert for [ $CLIENTNAME (aka $SHAREDSAN) ]..."
  ipsec pki --gen --outform pem > clientKey_$CLIENTNAME.pem
  # two SANs: the client's own name plus the shared one that rightid=$SHAREDSAN matches on the server
  ipsec pki --pub --in clientKey_$CLIENTNAME.pem | ipsec pki --issue --lifetime 3652 --cacert caCert.pem --cakey caKey.pem --dn "C=$COUNTRYNAME, O=$ORGNAME, CN=$CLIENTNAME" --san="$CLIENTNAME" --san="$SHAREDSAN" --outform pem > clientCert_$CLIENTNAME.pem
  openssl x509 -inform PEM -outform DER -in clientCert_$CLIENTNAME.pem -out clientCert_$CLIENTNAME.crt
  echo "Now building Client keys bundle for [ $CLIENTNAME ]"
  openssl pkcs12 -export -inkey clientKey_$CLIENTNAME.pem -in clientCert_$CLIENTNAME.pem -name "$CLIENTNAME" -certfile caCert.pem -caname "$CANAME" -out client_$CLIENTNAME.p12 -password "pass:$CACERTPASSWORD"
  rm clientKey_$CLIENTNAME.pem   # the client's private key now lives only in its .p12 bundle
done

# where to put them...
mv caCert.pem /etc/ipsec.d/cacerts/
ln -sf ../cacerts/caCert.pem /etc/ipsec.d/certs/caCert.pem
mv serverCert*.pem /etc/ipsec.d/certs/
mv serverKey*.pem /etc/ipsec.d/private/
mv clientCert*.pem /etc/ipsec.d/certs/

#These files are not needed on the server; they are kept here only to be handed out to clients
[ ! -f "/etc/ipsec.d/private/ca.p12" ] && mv ca.p12 /etc/ipsec.d/private/ #needed to generate new clients
mv client_*.p12 /etc/ipsec.d/private/
mv clientCert_*.crt /etc/ipsec.d/private/
echo "**** THE END ****"

LuKePicci (Global Moderator)
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #196 on: 20 November 2021, 13:51 »
Ok, maybe I have guessed the kind of problem, but at that point you had better simply remove the rwPUBKEY sections since you are not using them. I gather you are using EAPTLS. I have both active anyway, both rwPUBKEY and rwEAPTLS; if you give me the log and your config file I will get an idea of why it cannot tell them apart.

ttt666
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #197 on: 21 November 2021, 10:00 »
Now the connection works even after putting the comment back on the 'rightauth2=eap-mschapv2' line ('conn rwPUBKEY' section), so I have no way to post the log file :facepalm: Honestly, I cannot explain it.

In the meantime I only changed the DNS setting, putting list dhcp_option '6,1.1.1.1,192.168.1.1' in the lan section of 'etc/config/dhcp'.

Anyway, I am attaching the current '/etc/ipsec.conf' file:
Code:
config setup

conn %default
        keyexchange=ikev2
        ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024
        esp=aes128-aes256-sha256-modp3072-modp2048,aes128-aes256-sha256
        left=%any
        leftauth=pubkey
        leftcert=serverCert_SERVER.IP.pem
        leftid=SERVER.IP
        leftsubnet=0.0.0.0/0;::/0
        right=%any
        rightsourceip=%dhcp
        eap_identity=%identity
        auto=add

conn rwEAPMSCHAPV2
        leftsendcert=always
        #rightauth=eap-mschapv2
        rightsendcert=never

conn rwPUBKEYIOS
        leftsendcert=always
        rightid=myVpnClients
        rightauth=pubkey
        rightca=caCert.pem
        #rightauth2=eap-mschapv2

conn rwEAPTLSIOS
        leftsendcert=always
        rightid=myVpnClients
        rightauth=eap-tls
        rightcert=caCert.pem
        #rightauth2=eap-mschapv2

conn rwPUBKEY
        rightauth=pubkey
        rightcert=caCert.pem
        #rightauth2=eap-mschapv2

conn rwEAPTLS
        rightauth=eap-tls
        rightcert=caCert.pem

log of the last connection, which came up correctly:
Code:
Sun Nov 21 09:51:28 2021 daemon.info charon: 09[NET] received packet: from CLIENT.IP[19802] to SERVER.IP[500] (716 bytes)
Sun Nov 21 09:51:28 2021 daemon.info charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sun Nov 21 09:51:28 2021 daemon.info charon: 09[IKE] CLIENT.IP is initiating an IKE_SA
Sun Nov 21 09:51:28 2021 authpriv.info charon: 09[IKE] CLIENT.IP is initiating an IKE_SA
Sun Nov 21 09:51:28 2021 daemon.info charon: 09[IKE] remote host is behind NAT
Sun Nov 21 09:51:28 2021 daemon.info charon: 09[IKE] DH group ECP_256 inacceptable, requesting MODP_3072
Sun Nov 21 09:51:28 2021 daemon.info charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sun Nov 21 09:51:28 2021 daemon.info charon: 09[NET] sending packet: from SERVER.IP[500] to CLIENT.IP[19802] (38 bytes)
Sun Nov 21 09:51:28 2021 daemon.info charon: 05[NET] received packet: from CLIENT.IP[19802] to SERVER.IP[500] (1036 bytes)
Sun Nov 21 09:51:28 2021 daemon.info charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sun Nov 21 09:51:28 2021 daemon.info charon: 05[IKE] CLIENT.IP is initiating an IKE_SA
Sun Nov 21 09:51:28 2021 authpriv.info charon: 05[IKE] CLIENT.IP is initiating an IKE_SA
Sun Nov 21 09:51:29 2021 daemon.info charon: 05[IKE] remote host is behind NAT
Sun Nov 21 09:51:29 2021 daemon.info charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sun Nov 21 09:51:29 2021 daemon.info charon: 05[NET] sending packet: from SERVER.IP[500] to CLIENT.IP[19802] (590 bytes)
Sun Nov 21 09:51:30 2021 daemon.info charon: 13[NET] received packet: from CLIENT.IP[19809] to SERVER.IP[4500] (1364 bytes)
Sun Nov 21 09:51:30 2021 daemon.info charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Sun Nov 21 09:51:30 2021 daemon.info charon: 13[ENC] received fragment #1 of 4, waiting for complete IKE message
Sun Nov 21 09:51:30 2021 daemon.info charon: 06[NET] received packet: from CLIENT.IP[19809] to SERVER.IP[4500] (1364 bytes)
Sun Nov 21 09:51:30 2021 daemon.info charon: 06[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Sun Nov 21 09:51:30 2021 daemon.info charon: 06[ENC] received fragment #2 of 4, waiting for complete IKE message
Sun Nov 21 09:51:30 2021 daemon.info charon: 10[NET] received packet: from CLIENT.IP[19809] to SERVER.IP[4500] (1364 bytes)
Sun Nov 21 09:51:30 2021 daemon.info charon: 10[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Sun Nov 21 09:51:30 2021 daemon.info charon: 10[ENC] received fragment #3 of 4, waiting for complete IKE message
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[NET] received packet: from CLIENT.IP[19809] to SERVER.IP[4500] (884 bytes)
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[ENC] received fragment #4 of 4, reassembling fragmented IKE message
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] received cert request for "C=US, O=Technicolor, CN=CATechnicolor"
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] received 156 cert requests for an unknown ca
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] received end entity cert "C=US, O=Technicolor, CN=myvpnclient2"
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[CFG] looking for peer configs matching SERVER.IP[%any]...CLIENT.IP[C=US, O=Technicolor, CN=myvpnclient2]
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[CFG] selected peer config 'rwEAPMSCHAPV2'
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[CFG]   using certificate "C=US, O=Technicolor, CN=myvpnclient2"
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[CFG]   using trusted ca certificate "C=US, O=Technicolor, CN=CATechnicolor"
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[CFG] checking certificate status of "C=US, O=Technicolor, CN=myvpnclient2"
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[CFG] certificate status is not available
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[CFG]   reached self-signed root ca with a path length of 0
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] authentication of 'C=US, O=Technicolor, CN=myvpnclient2' with RSA_EMSA_PKCS1_SHA2_256 successful
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] peer supports MOBIKE
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] authentication of 'SERVER.ADDRESS' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] IKE_SA rwEAPMSCHAPV2[4] established between SERVER.IP[SERVER.ADDRESS]...CLIENT.IP[C=US, O=Technicolor, CN=myvpnclient2]
Sun Nov 21 09:51:30 2021 authpriv.info charon: 11[IKE] IKE_SA rwEAPMSCHAPV2[4] established between SERVER.IP[SERVER.ADDRESS]...CLIENT.IP[C=US, O=Technicolor, CN=myvpnclient2]
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] scheduling reauthentication in 9752s
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] maximum IKE_SA lifetime 10292s
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] sending end entity cert "C=US, O=Technicolor, CN=SERVER.ADDRESS"
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] peer requested virtual IP %any
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[CFG] sending DHCP DISCOVER to 192.168.1.255
Sun Nov 21 09:51:31 2021 daemon.info charon: 11[CFG] sending DHCP DISCOVER to 192.168.1.255
Sun Nov 21 09:51:33 2021 daemon.info charon: 11[CFG] sending DHCP DISCOVER to 192.168.1.255
Sun Nov 21 09:51:33 2021 daemon.info charon: 16[CFG] received DHCP OFFER 192.168.1.56 from 192.168.1.1
Sun Nov 21 09:51:33 2021 daemon.info charon: 11[CFG] sending DHCP REQUEST for 192.168.1.56 to 192.168.1.1
Sun Nov 21 09:51:33 2021 daemon.info charon: 05[CFG] received DHCP ACK for 192.168.1.56
Sun Nov 21 09:51:33 2021 daemon.info charon: 11[IKE] assigning virtual IP 192.168.1.56 to peer 'C=US, O=Technicolor, CN=myvpnclient2'
Sun Nov 21 09:51:33 2021 daemon.info charon: 11[IKE] peer requested virtual IP %any6
Sun Nov 21 09:51:33 2021 daemon.info charon: 11[IKE] no virtual IP found for %any6 requested by 'C=US, O=Technicolor, CN=myvpnclient2'
Sun Nov 21 09:51:33 2021 daemon.info charon: 11[IKE] CHILD_SA rwEAPMSCHAPV2{2} established with SPIs cXXXXXXX_i YYYYYYYY_o and TS 0.0.0.0/0 === 192.168.1.56/32
Sun Nov 21 09:51:33 2021 authpriv.info charon: 11[IKE] CHILD_SA rwEAPMSCHAPV2{2} established with SPIs cXXXXXXX_i YYYYYYYY_o and TS 0.0.0.0/0 === 192.168.1.56/32
Sun Nov 21 09:51:33 2021 daemon.info charon: 11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Sun Nov 21 09:51:33 2021 daemon.info charon: 11[ENC] splitting IKE message with length of 1440 bytes into 2 fragments
Sun Nov 21 09:51:33 2021 daemon.info charon: 11[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Sun Nov 21 09:51:33 2021 daemon.info charon: 11[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Sun Nov 21 09:51:33 2021 daemon.info charon: 11[NET] sending packet: from SERVER.IP[4500] to CLIENT.IP[19809] (1236 bytes)
Sun Nov 21 09:51:33 2021 daemon.info charon: 11[NET] sending packet: from SERVER.IP[4500] to CLIENT.IP[19809] (276 bytes)
Sun Nov 21 09:51:33 2021 daemon.info charon: 08[NET] received packet: from CLIENT.IP[19809] to SERVER.IP[4500] (1364 bytes)
Sun Nov 21 09:51:33 2021 daemon.info charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Sun Nov 21 09:51:33 2021 daemon.info charon: 08[ENC] received fragment #1 of 4, waiting for complete IKE message
Sun Nov 21 09:51:33 2021 daemon.info charon: 12[NET] received packet: from CLIENT.IP[19809] to SERVER.IP[4500] (1364 bytes)
Sun Nov 21 09:51:33 2021 daemon.info charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Sun Nov 21 09:51:33 2021 daemon.info charon: 12[ENC] received fragment #2 of 4, waiting for complete IKE message
Sun Nov 21 09:51:33 2021 daemon.info charon: 07[NET] received packet: from CLIENT.IP[19809] to SERVER.IP[4500] (1364 bytes)
Sun Nov 21 09:51:33 2021 daemon.info charon: 07[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Sun Nov 21 09:51:33 2021 daemon.info charon: 07[ENC] received fragment #3 of 4, waiting for complete IKE message
Sun Nov 21 09:51:33 2021 daemon.info charon: 15[NET] received packet: from CLIENT.IP[19809] to SERVER.IP[4500] (884 bytes)
Sun Nov 21 09:51:33 2021 daemon.info charon: 15[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
Sun Nov 21 09:51:33 2021 daemon.info charon: 15[ENC] received fragment #4 of 4, reassembling fragmented IKE message
Sun Nov 21 09:51:33 2021 daemon.info charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sun Nov 21 09:51:33 2021 daemon.info charon: 15[IKE] received retransmit of request with ID 1, retransmitting response
Sun Nov 21 09:51:33 2021 daemon.info charon: 15[NET] sending packet: from SERVER.IP[4500] to CLIENT.IP[19809] (1236 bytes)
Sun Nov 21 09:51:33 2021 daemon.info charon: 15[NET] sending packet: from SERVER.IP[4500] to CLIENT.IP[19809] (276 bytes)
« Last edit: 21 November 2021, 10:01 by ttt666 »
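An added example, not code from this thread or from FrancYescO's script: a small Python parser for charon syslog lines in the format of the log above. For each IKE_SA the log shows as established it reports the conn that charon selected, how the peer proved its identity (an EAP method versus a certificate signature such as RSA_EMSA_PKCS1_SHA2_256), the virtual IP handed out and the CHILD_SA traffic selectors, and it skips the copy of each line that syslog duplicates under daemon.* and authpriv.*. The regexes are built from the message texts visible above; the embedded excerpt is constructed from that log with the post's own SERVER.IP / CLIENT.IP placeholders.

```python
import re

# Constructed excerpt in the charon syslog format of the post above (same placeholders).
SAMPLE_LOG = """\
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[CFG] selected peer config 'rwEAPMSCHAPV2'
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] authentication of 'C=US, O=Technicolor, CN=myvpnclient2' with RSA_EMSA_PKCS1_SHA2_256 successful
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] authentication of 'SERVER.ADDRESS' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Sun Nov 21 09:51:30 2021 daemon.info charon: 11[IKE] IKE_SA rwEAPMSCHAPV2[4] established between SERVER.IP[SERVER.ADDRESS]...CLIENT.IP[C=US, O=Technicolor, CN=myvpnclient2]
Sun Nov 21 09:51:30 2021 authpriv.info charon: 11[IKE] IKE_SA rwEAPMSCHAPV2[4] established between SERVER.IP[SERVER.ADDRESS]...CLIENT.IP[C=US, O=Technicolor, CN=myvpnclient2]
Sun Nov 21 09:51:33 2021 daemon.info charon: 11[IKE] assigning virtual IP 192.168.1.56 to peer 'C=US, O=Technicolor, CN=myvpnclient2'
Sun Nov 21 09:51:33 2021 daemon.info charon: 11[IKE] CHILD_SA rwEAPMSCHAPV2{2} established with SPIs cXXXXXXX_i YYYYYYYY_o and TS 0.0.0.0/0 === 192.168.1.56/32
Sun Nov 21 09:51:33 2021 authpriv.info charon: 11[IKE] CHILD_SA rwEAPMSCHAPV2{2} established with SPIs cXXXXXXX_i YYYYYYYY_o and TS 0.0.0.0/0 === 192.168.1.56/32
"""

LINE = re.compile(r"charon: (\d+)\[[A-Z]+\] (.*)$")
SELECTED = re.compile(r"selected peer config '([^']+)'")
AUTH = re.compile(r"authentication of '([^']+)'( \(myself\))? with (\S+) successful")
IKE_SA = re.compile(r"IKE_SA (\S+)\[(\d+)\] established")
VIP = re.compile(r"assigning virtual IP (\S+) to peer")
CHILD = re.compile(r"CHILD_SA (\S+)\{(\d+)\} established .* TS (\S+) === (\S+)")

def parse_ike_log(text):
    """Return {ike_sa_id: record} for each IKE_SA the log shows as established."""
    sas, pending, last, prev = {}, {}, None, None
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m or m.groups() == prev:   # skip non-charon lines and the authpriv.* duplicate
            continue
        prev = m.groups()
        msg = m.group(2)
        if s := SELECTED.search(msg):
            pending["conn"] = s.group(1)
        elif a := AUTH.search(msg):       # group(2) is set on the server's own "(myself)" line
            pending["server_auth" if a.group(2) else "peer_auth"] = a.group(3)
            if not a.group(2):
                pending["peer_id"] = a.group(1)
        elif i := IKE_SA.search(msg):
            last = dict(pending, conn=i.group(1), ike_id=int(i.group(2)), children=[])
            sas[last["ike_id"]], pending = last, {}
        elif last and (v := VIP.search(msg)):
            last["virtual_ip"] = v.group(1)
        elif last and (c := CHILD.search(msg)):
            last["children"].append((c.group(1), int(c.group(2)), c.group(3), c.group(4)))
    return sas

def peer_auth_is(sa, prefix):
    """'EAP' for any EAP method, 'RSA'/'ECDSA' when the peer signed with a certificate key."""
    return sa.get("peer_auth", "").startswith(prefix)
```

Run over the full log above, the record for IKE_SA 4 shows the peer authenticating with an RSA signature although rwEAPMSCHAPV2 was the conn selected, which is the detail to compare against the rightauth line of each conn in ipsec.conf.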

ttt666
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #198 on: 24 November 2021, 22:29 »
With the configuration from the previous post (generated by FrancYescO's script), from a VPN client (on the Vodafone mobile network) I cannot reach any host on the single internal LAN 192.168.1.0/24.

On the strongSwan server there is 'rightsourceip=%dhcp', which hands out addresses in the 192.168.1.0/24 range to the clients.

How could I solve this?

LuKePicci (Global Moderator)
Re: [GUIDE] strongSwan for IPsec on OpenWrt and Homeware
« Reply #199 on: Today at 00:13 »
That depends on how you configured the firewall: what did you put / what did the script put in as iptables rules?