[LuKePicci]

E' probabile che avendo lui eseguito lo script quando ancora non aveva openssl funzionate gli abbia lasciato in giro qualcosa di sporco.

[FrancYescO]

lo script dice

Codice: [Seleziona]

caKey exists, using existing caKey for signing serverCert and clientCert.... quindi che i file ci siano è certo, che siano validi, ho qualche dubbio: controlla che non siano vuoti, nel caso eliminali e rifai partire lo script.

[a1pollo]

Secondo me lo script e' andato a leggere il servizio ddns, ma non era configurato.

[satigno]

Scusate, eccomi qua. Purtroppo posso solo provare a fare cose durante il weekend non essendo a casa durante la settimana.
Avevo provato a fare qualcosa che non mi ricordo e sostanzialmente ho dovuto riflashare il firmware da zero, fare root, ecc.
Ora sono su 2.2.1 con GUI Ansuel.
Ho reinstallato tutto e ho rifatto partire lo script (nello script ho cambiato solo il SERVERDOMAINNAME, inserendo il mio DDNS (configurato precedentemente), e il CLIENTNAMES, inserendo un nome a mio piacimento.
Ora con un logread -f ottengo:

Codice: [Seleziona]

Sat Feb 12 11:09:20 2022 daemon.info charon: 14[NET] received packet: from MIOTELEFONO[16523] to MIOMODEM[500] (660 bytes)
Sat Feb 12 11:09:20 2022 daemon.info charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sat Feb 12 11:09:20 2022 daemon.info charon: 14[IKE] MIOTELEFONO is initiating an IKE_SA
Sat Feb 12 11:09:20 2022 authpriv.info charon: 14[IKE] MIOTELEFONO is initiating an IKE_SA
Sat Feb 12 11:09:20 2022 daemon.info charon: 14[IKE] remote host is behind NAT
Sat Feb 12 11:09:20 2022 daemon.info charon: 14[IKE] DH group MODP_2048_256 inacceptable, requesting MODP_2048
Sat Feb 12 11:09:20 2022 daemon.info charon: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sat Feb 12 11:09:20 2022 daemon.info charon: 14[NET] sending packet: from MIOMODEM[500] to MIOTELEFONO[16523] (38 bytes)
Sat Feb 12 11:09:20 2022 daemon.info charon: 05[NET] received packet: from MIOTELEFONO[16523] to MIOMODEM[500] (660 bytes)
Sat Feb 12 11:09:20 2022 daemon.info charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sat Feb 12 11:09:20 2022 daemon.info charon: 05[IKE] MIOTELEFONO is initiating an IKE_SA
Sat Feb 12 11:09:20 2022 authpriv.info charon: 05[IKE] MIOTELEFONO is initiating an IKE_SA
Sat Feb 12 11:09:21 2022 daemon.info charon: 05[IKE] remote host is behind NAT
Sat Feb 12 11:09:21 2022 daemon.info charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sat Feb 12 11:09:21 2022 daemon.info charon: 05[NET] sending packet: from MIOMODEM[500] to MIOTELEFONO[16523] (462 bytes)
Sat Feb 12 11:09:21 2022 daemon.info charon: 07[NET] received packet: from MIOTELEFONO[17072] to MIOMODEM[4500] (624 bytes)
Sat Feb 12 11:09:21 2022 daemon.info charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sat Feb 12 11:09:21 2022 daemon.info charon: 07[IKE] received cert request for "C=US, O=Technicolor, CN=CATechnicolor"
Sat Feb 12 11:09:21 2022 daemon.info charon: 07[CFG] looking for peer configs matching MIOMODEM[%any]...MIOTELEFONO[AndreaBerna]
Sat Feb 12 11:09:21 2022 daemon.info charon: 07[CFG] selected peer config 'rwEAPMSCHAPV2'
Sat Feb 12 11:09:21 2022 daemon.info charon: 07[IKE] no trusted RSA public key found for 'AndreaBerna'
Sat Feb 12 11:09:21 2022 daemon.info charon: 07[IKE] peer supports MOBIKE
Sat Feb 12 11:09:21 2022 daemon.info charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sat Feb 12 11:09:21 2022 daemon.info charon: 07[NET] sending packet: from MIOMODEM[4500] to MIOTELEFONO[17072] (80 bytes)

Sostanzialmente quello che ottenevo prima di incasinare tutto e partire da zero.

In /etc/init.d/ il file ipsec deve esserci per forza altrimenti il servizio non si sarebbe attivato

Ora c'è!

il server ti sta dicendo che MODP_2048_256 non e' la sintassi giusta per questa cifratura ma bensi' MODP_2048 quindi dovresti controllare in /etc/ipsec.conf  e correggerlo. ogni volta che modifichi qualcosa dovrai ridare il comando /etc/init.d/ipsec restart

Come faccio a modificarlo? Al momento in ipsec.conf ho questo:

Codice: [Seleziona]

conn %default
        keyexchange=ikev2
        ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024


Non riesce a trovare la chiave rsa , qui dovresti controllare il file /etc/ipsec.secret il nome del certificato dopo i due punti e la dicitura RSA , lo stesso nome deve essere quello della chiave del certificato del server, che si trova nella cartella /etc/ipsec.d/private

Hanno lo stesso identico nome.
E' possibile che debba fare qualcosa alla password e all'username in ipsecrets.conf? Ho provato ad eliminare la riga ma mi sembra che gli errori che ottengo siano gli stessi, nonostante abbia ricaricato la config e restartato ipsec.

Grazie mille, ce la farò prima o poi 


EDIT

Mi sembrava non caricasse i certificati quindi ho pensato che mancasse un pacchetto strongswan. Ho dato i seguenti comandi:

Codice: [Seleziona]

opkg list | grep strongswan | awk '{print $1}' | xargs opkg install
opkg install strongswan-default strongswan-pki strongswan-mod-dhcp
opkg list | grep strongswan-mod-eap- | awk '{print $1}' | xargs opkg install
E ora connettendomi ottengo:

Codice: [Seleziona]

root@modemtim:~# logread -f
Sat Feb 12 12:40:11 2022 daemon.info charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.1.38, armv7l)
Sat Feb 12 12:40:11 2022 daemon.info charon: 00[CFG] PKCS11 module '<name>' lacks library path
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG] disabling load-tester plugin, not configured
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[LIB] failed to open /dev/net/tun: No such file or directory
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[KNL] failed to create TUN device
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[LIB] plugin 'kernel-libipsec': failed to load - kernel_libipsec_plugin_create returned NULL
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[LIB] plugin 'uci' failed to load: /usr/lib/ipsec/plugins/libstrongswan-uci.so: undefined symbol: uci_lookup
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG] attr-sql plugin: database URI not set
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[NET] using forecast interface eth4
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG]   loaded ca certificate "C=US, O=Technicolor, CN=CATechnicolor" from '/etc/ipsec.d/cacerts/caCert.pem'
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/serverKey_MIODDNS.pem'
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG] sql plugin: database URI not set
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG] loaded 0 RADIUS server configurations
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG] HA config misses local/remote address
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[CFG] coupling file path unspecified
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default socket-dynamic connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Sat Feb 12 12:40:14 2022 daemon.info charon: 00[JOB] spawning 16 worker threads
Sat Feb 12 12:40:14 2022 daemon.info charon: 06[DMN] thread 6 received 11
Sat Feb 12 12:40:14 2022 daemon.info charon: 06[LIB]  dumping 0 stack frame addresses:
Sat Feb 12 12:40:14 2022 authpriv.info ipsec_starter[15317]: charon (15817) started after 2820 ms
Sat Feb 12 12:40:14 2022 daemon.info charon: 06[DMN] killing ourself, received critical signal
Sat Feb 12 12:40:14 2022 daemon.info charon: 05[DMN] thread 5 received 11
Sat Feb 12 12:40:14 2022 daemon.info charon: 05[LIB]  dumping 0 stack frame addresses:
Sat Feb 12 12:40:14 2022 daemon.info charon: 07[DMN] thread 7 received 11
Sat Feb 12 12:40:14 2022 daemon.info charon: 07[LIB]  dumping 0 stack frame addresses:
Sat Feb 12 12:40:14 2022 user.notice postmortem: core dump for pid 15817 file charon.15817.6.1644666014.core ignored due to system.[member=77439]coredump[/member][0].action=ignore setting
Sat Feb 12 12:40:14 2022 authpriv.info ipsec_starter[15317]: charon has died -- restart scheduled (5sec)

Almeno adesso sembra carichi i certificati ma comunque non va...

[a1pollo]

Ciao, per un telefono android i settaggi sono questi:

Codice: [Seleziona]

1)server: il tuo ddns
2)vpn type IKEv2 Certificate oppure IKEv2 EAP-TLS(devi aver installato i certificati generati insieme a quelli del server, ovvero se li avevi installati da una precedente installazione devi rimuoverli e installare i nuovi)
poi scorri in basso
3)show advance settings
4)IKEv2 Algoritms     sha1-aes128-modp2048
5)IPsec/ESP Algoritms     sha1-aes128
Per quanto riguarda 4 e 5 gli algoritmi che puoi usare sono quelli che hai sul file ipsec.conf, ovviamente se supportati es : sha256 aes256 modp3072

Per i-phone consulta la guida ufficiale:

Codice: [Seleziona]

https://openwrt.org/docs/guide-user/services/vpn/strongswan/roadwarrior


[satigno]

Non trovo quelle impostazioni... su Android sto utilizzando: Tipo: IKEV2/IPSEC RSA, server: mio ddns, certificato utente e certificato CA quello importato (file .p12), identificatore IPSEC: quello inserito in CLIENTNAMES.


EDIT

Ho dovuto utilizzare il client STRONGSWAN per inserire le impostazioni a cui ti riferivi e finalmente è andata! Grazie!
Ora ho un problema:

- il telefono non naviga su internet, è come se gli mancasse la connessione.

Altra cosa: cosa è possibile fare per rendere più sicuro il tutto? è possibile cancellare il certificato dal modem? Grazie!

Consigli? Grazie

[a1pollo]

Stai utilizzando l'app strongswan?
Stai utilizzando android 11-12?

Codice: [Seleziona]

Starting with Android 11 a native IKEv2 implementation is available. For some reasons, it didn't work until Android 12.

Android 12 IKEv2 works just fine but it doesn't allow using HMAC-SHA1 for the CHILD_SA. This wouldn't be an issue unless you explicitly excluded - for whatever reasons - greater integrity algorithms.
Io sto utilizzando android9 e i seguenti algoritmi su ipsec.conf, pero' ho un raspberry 4, la configurazione e' identica:

Codice: [Seleziona]

       ike = chacha20poly1305-prfsha256-x25519,chacha20poly1305-sha384-ecp384,chacha20poly1305-prfsha256-newhope128,chacha20poly1305-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes256-sha256-modp2048,aes256-sha256-modp1024,chacha20poly1305-sha1-ecp256,chacha20poly1305-prfsha512-curve25519,chacha20poly1305-sha1-modp1024,chacha20poly1305-sha512-curve25519,aes128-sha1-modp1024,aes256-aes128-sha256-sha512-sha1-modp3072-modp2048-modp1024-modp4096-modp8192-modp6144-curve25519-ecp256-ecp384-ecp521,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024,chacha20poly1305-sha256-curve25519,chacha20poly1305-prfsha256-newhope128,chacha20poly1305-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes256-sha256-modp2048,aes256-sha256-modp1024,chacha20poly1305-sha2_512-curve25519,chacha20poly1305-sha2_512-curve448,chacha20poly1305-sha2_512-modp4096,chacha20poly1305-sha2_512-modp3072,chacha20poly1305-sha2_512-modp2048,chacha20poly1305-sha2_256-curve25519,chacha20poly1305-sha2_256-curve448,chacha20poly1305-sha2_256-modp4096,chacha20poly1305-sha2_256-modp3072,chacha20poly1305-sha2_256-modp2048,aes256gcm128-sha2_512-curve25519,aes256gcm128-sha2_512-curve448,aes256gcm128-sha2_512-modp4096,aes256gcm128-sha2_512-modp3072,aes256gcm128-sha2_512-modp2048,aes256gcm128-sha2_256-curve25519,aes256gcm128-sha2_256-curve448,aes256gcm128-sha2_256-modp4096,aes256gcm128-sha2_256-modp3072,aes256gcm128-sha2_256-modp2048,aes256gcm96-sha2_512-curve25519,aes256gcm96-sha2_512-curve448,aes256gcm96-sha2_512-modp4096,aes256gcm96-sha2_512-modp3072,aes256gcm96-sha2_512-modp2048,aes256gcm96-sha2_256-curve25519,aes256gcm96-sha2_256-curve448,aes256gcm96-sha2_256-modp4096,aes256gcm96-sha2_256-modp3072,aes256gcm96-sha2_256-modp2048,aes256gcm64-sha2_512-curve25519,aes256gcm64-sha2_512-curve448,aes256gcm64-sha2_512-modp4096,aes256gcm64-sha2_512-modp3072,aes256gcm64-sha2_512-modp2048,aes256gcm64-sha2_256-curve25519,aes256gcm64-sha2_256-curve448,aes256gcm64-sha2_256-modp4096,aes256gcm64-sha2_256-modp3072,aes256gcm64-sha2_256-modp2048,aes256-sha2_512-curve25519,aes256-sha2_512-curve448,aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_256-curve25519,aes256-sha2_256-curve448,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes192gcm128-sha2_512-curve25519,aes192gcm128-sha2_512-curve448,aes192gcm128-sha2_512-modp4096,aes192gcm128-sha2_512-modp3072,aes192gcm128-sha2_512-modp2048,aes192gcm128-sha2_256-curve25519,aes192gcm128-sha2_256-curve448,aes192gcm128-sha2_256-modp4096,aes192gcm128-sha2_256-modp3072,aes192gcm128-sha2_256-modp2048,aes192gcm96-sha2_512-curve25519,aes192gcm96-sha2_512-curve448,aes192gcm96-sha2_512-modp4096,aes192gcm96-sha2_512-modp3072,aes192gcm96-sha2_512-modp2048,aes192gcm96-sha2_256-curve25519,aes192gcm96-sha2_256-curve448,aes192gcm96-sha2_256-modp4096,aes192gcm96-sha2_256-modp3072,aes192gcm96-sha2_256-modp2048,aes192gcm64-sha2_512-curve25519,aes192gcm64-sha2_512-curve448,aes192gcm64-sha2_512-modp4096,aes192gcm64-sha2_512-modp3072,aes192gcm64-sha2_512-modp2048,aes192gcm64-sha2_256-curve25519,aes192gcm64-sha2_256-curve448,aes192gcm64-sha2_256-modp4096,aes192gcm64-sha2_256-modp3072,aes192gcm64-sha2_256-modp2048,aes192-sha2_512-curve25519,aes192-sha2_512-curve448,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_256-curve25519,aes192-sha2_256-curve448,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes128gcm128-sha2_512-curve25519,aes128gcm128-sha2_512-curve448,aes128gcm128-sha2_512-modp4096,aes128gcm128-sha2_512-modp3072,aes128gcm128-sha2_512-modp2048,aes128gcm128-sha2_256-curve25519,aes128gcm128-sha2_256-curve448,aes128gcm128-sha2_256-modp4096,aes128gcm128-sha2_256-modp3072,aes128gcm128-sha2_256-modp2048,aes128gcm96-sha2_512-curve25519,aes128gcm96-sha2_512-curve448,aes128gcm96-sha2_512-modp4096,aes128gcm96-sha2_512-modp3072,aes128gcm96-sha2_512-modp2048,aes128gcm96-sha2_256-curve25519,aes128gcm96-sha2_256-curve448,aes128gcm96-sha2_256-modp4096,aes128gcm96-sha2_256-modp3072,aes128gcm96-sha2_256-modp2048,aes128gcm64-sha2_512-curve25519,aes128gcm64-sha2_512-curve448,aes128gcm64-sha2_512-modp4096,aes128gcm64-sha2_512-modp3072,aes128gcm64-sha2_512-modp2048,aes128gcm64-sha2_256-curve25519,aes128gcm64-sha2_256-curve448,aes128gcm64-sha2_256-modp4096,aes128gcm64-sha2_256-modp3072,aes128gcm64-sha2_256-modp2048,aes128-sha2_512-curve25519,aes128-sha2_512-curve448,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_256-curve25519,aes128-sha2_256-curve448,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048
       esp = chacha20poly1305-x25519,chacha20poly1305-curve25519,chacha20poly1305-prfsha256-newhope128,chacha20poly1305-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes256-sha256-modp2048,aes256-sha256-modp1024,chacha20poly1305,chacha20poly1305-ecp256,chacha20poly1305-sha1-ecp256,chacha20poly1305-sha1-modp1024,chacha20poly1305-curve25519,chacha20poly1305-sha512-curve25519,aes128-sha1-modp1024,aes256-aes128-sha256-sha512-sha1-modp3072-modp2048-modp1024-modp4096-modp8192-modp6144-curve25519-ecp256-ecp384-ecp521,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024,chacha20poly1305-sha256-curve25519,chacha20poly1305-prfsha256-newhope128,chacha20poly1305-prfsha256-ecp256,aes128gcm16-prfsha256-ecp256,aes256-sha256-modp2048,aes256-sha256-modp1024,chacha20poly1305,chacha20poly1305-sha2_512-curve25519,chacha20poly1305-sha2_512-curve448,chacha20poly1305-sha2_512-modp4096,chacha20poly1305-sha2_512-modp3072,chacha20poly1305-sha2_512-modp2048,chacha20poly1305-sha2_256-curve25519,chacha20poly1305-sha2_256-curve448,chacha20poly1305-sha2_256-modp4096,chacha20poly1305-sha2_256-modp3072,chacha20poly1305-sha2_256-modp2048,aes256gcm128-curve25519,aes256gcm128-curve448,aes256gcm128-modp4096,aes256gcm128-modp3072,aes256gcm128-modp2048,aes256gcm96-curve25519,aes256gcm96-curve448,aes256gcm96-modp4096,aes256gcm96-modp3072,aes256gcm96-modp2048,aes256gcm64-curve25519,aes256gcm64-curve448,aes256gcm64-modp4096,aes256gcm64-modp3072,aes256gcm64-modp2048,aes256-sha2_512-curve25519,aes256-sha2_512-curve448,aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_256-curve25519,aes256-sha2_256-curve448,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes192gcm128-curve25519,aes192gcm128-curve448,aes192gcm128-modp4096,aes192gcm128-modp3072,aes192gcm128-modp2048,aes192gcm96-curve25519,aes192gcm96-curve448,aes192gcm96-modp4096,aes192gcm96-modp3072,aes192gcm96-modp2048,aes192gcm64-curve25519,aes192gcm64-curve448,aes192gcm64-modp4096,aes192gcm64-modp3072,aes192gcm64-modp2048,aes192-sha2_512-curve25519,aes192-sha2_512-curve448,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_256-curve25519,aes192-sha2_256-curve448,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes128gcm128-curve25519,aes128gcm128-curve448,aes128gcm128-modp4096,aes128gcm128-modp3072,aes128gcm128-modp2048,aes128gcm96-curve25519,aes128gcm96-curve448,aes128gcm96-modp4096,aes128gcm96-modp3072,aes128gcm96-modp2048,aes128gcm64-curve25519,aes128gcm64-curve448,aes128gcm64-modp4096,aes128gcm64-modp3072,aes128gcm64-modp2048,aes128-sha2_512-curve25519,aes128-sha2_512-curve448,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_256-curve25519,aes128-sha2_256-curve448,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048
Puoi inserirli anche tu' , e provare a sostituire sullo smartphone sha1 con sha512 sempre se sia possibile

[a1pollo]

Devi controllare le regole sul firewall:

Codice: [Seleziona]

config rule 'ipsec_esp'
option src 'wan'
option name 'IPSec ESP'
option proto 'esp'
option target 'ACCEPT'

config rule 'ipsec_ike'
option src 'wan'
option name 'IPSec IKE'
option proto 'udp'
option dest_port '500'
option target 'ACCEPT'

config rule 'ipsec_nat_traversal'
option src 'wan'
option name 'IPSec NAT-T'
option proto 'udp'
option dest_port '4500'
option target 'ACCEPT'

config rule 'ipsec_auth_header'
option src 'wan'
option name 'Auth Header'
option proto 'ah'
option target 'ACCEPT'

e su firewall user:

Codice: [Seleziona]

#strongswan
iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

provare ad aggiungere i dns su ipsec.conf

Codice: [Seleziona]

   rightdns = 192.168.1.1 #ip del tuo gateway oppure i dns 1.1.1.1 o 8.8.8.8

ed infine controllare il file strongswan.conf

Codice: [Seleziona]

charon {
        load_modular=yes
        dns1 = 192.168.1.1  #ip del tuo gateway
        nbns1 = 192.168.1.1 #ip del tuo gateway
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf


[satigno]

Stai utilizzando l'app strongswan?
Stai utilizzando android 11-12?

Con l'app strongswan funziona, con il client nativo invece no. Sono su Android 12.
EDIT: con il client nativo ho dovuto inserire nome utente e password presenti in ipsecrets.conf e impostare il tipo "IKEV2/IPSEC MSCHAPv2". ma non funziona internet.
A livello di sicurezza cambia qualcosa rispetto all'utilizzo di strongswan "IKEv2 Certificate"?

Puoi inserirli anche tu' , e provare a sostituire sullo smartphone sha1 con sha512 sempre se sia possibile

Su client VPN di Android non posso modificare praticamente nulla, ergo dovrei provare a modificare ipsec.conf e connettermi sostanzialmente.

Ora internet funziona, dopo aver modificato ipsec.conf e strongswan.conf! Unica cosa: senza VPN ho un download di circa 40 Mbps, con VPN di 14 Mbps. Si può considerare un buon risultato o ci sono margini di miglioramento?

Ti ringrazio davvero tanto

[a1pollo]

Io arrivo a toccare in wifi 40Mb (strongswan sul router), in 4g dipende dalla rete 10/20/30 comunque 14 e' come se fosse una adsl, direi ottima con openvpn spesso si viaggia attorno 1 mb.
Invece col raspy ho anche wireguard(secondo me la migliore vpn) praticamente navigo a tutta banda vdsl 200/20.

[satigno]

Me la tengo tranquillamente cosi che va già benone!
Sto avendo problemi a settare la VPN su windows. Ho installato il file Client con estensione .p12 e settato una VPN con il mio DDNS e come autenticazione ho spuntato certificati. Purtroppo faccio connetti e non me li chiede i certificati da usare e mi dice "Credenziali di autenticazione ike inaccettabili".

[a1pollo]

Su windows anche io su un pc ho avuto problemi, e ho fatto tante di quelle modifiche sia sui registri che tramite powershell, che non saprei indicarti una soluzione precisa, so' solo che di default non usa quelle cypher.
Puoi prendere spunto da qui':

Codice: [Seleziona]

https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps
Per quanto riguarda i certificati windows, ne manda una serie al server,che seleziona quelli che corrispondono ai criteri dei suoi, e questo lo puoi verificare solo con il log sul server.

[satigno]

Per carità tanto il pc quando sto fuori lo uso sempre con il mio telefono su cui ho messo la VPN, quindi non morirò se non riesco a impostarla anche su W10.

Codice: [Seleziona]

root@modemtim:~# logread -f
Sun Feb 13 10:43:36 2022 daemon.info charon: 13[NET] received packet: from IPCOMPUTER[500] to IPMODEM[500] (624 bytes)
Sun Feb 13 10:43:36 2022 daemon.info charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Sun Feb 13 10:43:36 2022 daemon.info charon: 13[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Sun Feb 13 10:43:36 2022 daemon.info charon: 13[IKE] received MS-Negotiation Discovery Capable vendor ID
Sun Feb 13 10:43:36 2022 daemon.info charon: 13[IKE] received Vid-Initial-Contact vendor ID
Sun Feb 13 10:43:36 2022 daemon.info charon: 13[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Sun Feb 13 10:43:36 2022 daemon.info charon: 13[IKE] IPCOMPUTER is initiating an IKE_SA
Sun Feb 13 10:43:36 2022 authpriv.info charon: 13[IKE] IPCOMPUTER is initiating an IKE_SA
Sun Feb 13 10:43:36 2022 daemon.info charon: 13[IKE] remote host is behind NAT
Sun Feb 13 10:43:36 2022 daemon.info charon: 13[IKE] sending cert request for "C=US, O=Technicolor, CN=CATechnicolor"
Sun Feb 13 10:43:36 2022 daemon.info charon: 13[IKE] sending cert request for "C=US, O=Technicolor, CN=CATechnicolor"
Sun Feb 13 10:43:36 2022 daemon.info charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Sun Feb 13 10:43:36 2022 daemon.info charon: 13[NET] sending packet: from IPMODEM[500] to IPCOMPUTER[500] (365 bytes)
Sun Feb 13 10:43:36 2022 daemon.info charon: 14[NET] received packet: from IPCOMPUTER[4500] to IPMODEM[4500] (576 bytes)
Sun Feb 13 10:43:36 2022 daemon.info charon: 14[ENC] parsed IKE_AUTH request 1 [ EF(1/6) ]
Sun Feb 13 10:43:36 2022 daemon.info charon: 14[ENC] received fragment #1 of 6, waiting for complete IKE message
Sun Feb 13 10:43:36 2022 daemon.info charon: 05[NET] received packet: from IPCOMPUTER[4500] to IPMODEM[4500] (576 bytes)
Sun Feb 13 10:43:36 2022 daemon.info charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(3/6) ]
Sun Feb 13 10:43:36 2022 daemon.info charon: 05[ENC] received fragment #3 of 6, waiting for complete IKE message
Sun Feb 13 10:43:36 2022 daemon.info charon: 12[NET] received packet: from IPCOMPUTER[4500] to IPMODEM[4500] (576 bytes)
Sun Feb 13 10:43:36 2022 daemon.info charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/6) ]
Sun Feb 13 10:43:36 2022 daemon.info charon: 12[ENC] received fragment #2 of 6, waiting for complete IKE message
Sun Feb 13 10:43:36 2022 daemon.info charon: 09[NET] received packet: from IPCOMPUTER[4500] to IPMODEM[4500] (576 bytes)
Sun Feb 13 10:43:36 2022 daemon.info charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(4/6) ]
Sun Feb 13 10:43:36 2022 daemon.info charon: 09[ENC] received fragment #4 of 6, waiting for complete IKE message
Sun Feb 13 10:43:36 2022 daemon.info charon: 07[NET] received packet: from IPCOMPUTER[4500] to IPMODEM[4500] (576 bytes)
Sun Feb 13 10:43:36 2022 daemon.info charon: 07[ENC] parsed IKE_AUTH request 1 [ EF(5/6) ]
Sun Feb 13 10:43:36 2022 daemon.info charon: 07[ENC] received fragment #5 of 6, waiting for complete IKE message
Sun Feb 13 10:43:36 2022 daemon.info charon: 11[NET] received packet: from IPCOMPUTER[4500] to IPMODEM[4500] (144 bytes)
Sun Feb 13 10:43:36 2022 daemon.info charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(6/6) ]
Sun Feb 13 10:43:36 2022 daemon.info charon: 11[ENC] received fragment #6 of 6, reassembling fragmented IKE message
Sun Feb 13 10:43:36 2022 daemon.info charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Sun Feb 13 10:43:36 2022 daemon.info charon: 11[IKE] received cert request for "C=US, O=Technicolor, CN=CATechnicolor"
Sun Feb 13 10:43:36 2022 daemon.info charon: 11[IKE] received 55 cert requests for an unknown ca
Sun Feb 13 10:43:36 2022 daemon.info charon: 11[IKE] received end entity cert "C=US, O=Technicolor, CN=AndreaBerna"
Sun Feb 13 10:43:36 2022 daemon.info charon: 11[CFG] looking for peer configs matching IPMODEM[%any]...IPCOMPUTER[C=US, O=Technicolor, CN=AndreaBerna]
Sun Feb 13 10:43:36 2022 daemon.info charon: 11[CFG] no matching peer config found
Sun Feb 13 10:43:36 2022 daemon.info charon: 11[IKE] peer supports MOBIKE
Sun Feb 13 10:43:36 2022 daemon.info charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sun Feb 13 10:43:36 2022 daemon.info charon: 11[NET] sending packet: from IPMODEM[4500] to IPCOMPUTER[4500] (76 bytes)
EDIT

Dando il comando

Codice: [Seleziona]

PS C:\> Add-VpnConnection -Name "Contoso" -ServerAddress MIODDNS -TunnelType "Ikev2" e inserendo quando richiesto username e password sono entrato.

EDIT 2

Dato che non voglio che si possa entrare nella rete solo tramite username e password ho eliminato in ipsec.conf le seguenti righe:

Codice: [Seleziona]

conn rwEAPMSCHAPV2
        leftsendcert=always
        rightauth=eap-mschapv2
        rightsendcert=never
e in effetti ora il pc per fortuna non si connette più.
Basta eliminare questo per evitare che bastino user e pass per entrare nella rete?

[a1pollo]

Mi pare di capire che i certificati il server li accetta, ma non trova una configurazione valida sul server, non usare gli stessi che usi sullo smartphone, nella riga del setup dell'installazione puoi aggiungere piu' nomi(CLIENTNAMES="myvpnclient myvpnclient2 muvpnclient3"):

Codice: [Seleziona]

Sun Feb 13 10:43:36 2022 daemon.info charon: 11[IKE] received end entity cert "C=US, O=Technicolor, CN=AndreaBerna"
Sun Feb 13 10:43:36 2022 daemon.info charon: 11[CFG] looking for peer configs matching IPMODEM[%any]...IPCOMPUTER[C=US, O=Technicolor, CN=AndreaBerna]
Sun Feb 13 10:43:36 2022 daemon.info charon: 11[CFG] no matching peer config found
In teoria se puoi entrare con user e pass puoi entrare anche con i certificati

Edit2

prova ad aggiungere su ipsec.conf:

Codice: [Seleziona]


conn rwPUBKEYtest
        rightauth=pubkey
        rightca="C=xx, O=xx, CN=xx" #la ca che ha generato i certificati credo questi C=US, O=Technicolor, CN=CATechnicolor


[satigno]

Non vorrei far partire di nuovo l'installazione sinceramente (anche perchè dovrei risostituire i certificati e riapplicare le modifiche sui vari file).
Nada:

Codice: [Seleziona]

Sun Feb 13 13:49:24 2022 daemon.info charon: 15[NET] received packet: from IPCOMPUTER[500] to IPMODEM[500] (624 bytes)
Sun Feb 13 13:49:24 2022 daemon.info charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Sun Feb 13 13:49:24 2022 daemon.info charon: 15[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Sun Feb 13 13:49:24 2022 daemon.info charon: 15[IKE] received MS-Negotiation Discovery Capable vendor ID
Sun Feb 13 13:49:24 2022 daemon.info charon: 15[IKE] received Vid-Initial-Contact vendor ID
Sun Feb 13 13:49:24 2022 daemon.info charon: 15[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Sun Feb 13 13:49:24 2022 daemon.info charon: 15[IKE] IPCOMPUTER is initiating an IKE_SA
Sun Feb 13 13:49:24 2022 authpriv.info charon: 15[IKE] IPCOMPUTER is initiating an IKE_SA
Sun Feb 13 13:49:24 2022 daemon.info charon: 15[IKE] remote host is behind NAT
Sun Feb 13 13:49:24 2022 daemon.info charon: 15[IKE] sending cert request for "C=US, O=Technicolor, CN=CATechnicolor"
Sun Feb 13 13:49:24 2022 daemon.info charon: 15[IKE] sending cert request for "C=US, O=Technicolor, CN=CATechnicolor"
Sun Feb 13 13:49:24 2022 daemon.info charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Sun Feb 13 13:49:24 2022 daemon.info charon: 15[NET] sending packet: from IPMODEM[500] to IPCOMPUTER[500] (365 bytes)
Sun Feb 13 13:49:24 2022 daemon.info charon: 06[NET] received packet: from IPCOMPUTER[4500] to IPMODEM[4500] (576 bytes)
Sun Feb 13 13:49:24 2022 daemon.info charon: 06[ENC] parsed IKE_AUTH request 1 [ EF(1/6) ]
Sun Feb 13 13:49:24 2022 daemon.info charon: 06[ENC] received fragment #1 of 6, waiting for complete IKE message
Sun Feb 13 13:49:24 2022 daemon.info charon: 08[NET] received packet: from IPCOMPUTER[4500] to IPMODEM[4500] (576 bytes)
Sun Feb 13 13:49:24 2022 daemon.info charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(2/6) ]
Sun Feb 13 13:49:24 2022 daemon.info charon: 08[ENC] received fragment #2 of 6, waiting for complete IKE message
Sun Feb 13 13:49:24 2022 daemon.info charon: 13[NET] received packet: from IPCOMPUTER[4500] to IPMODEM[4500] (576 bytes)
Sun Feb 13 13:49:24 2022 daemon.info charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(4/6) ]
Sun Feb 13 13:49:24 2022 daemon.info charon: 13[ENC] received fragment #4 of 6, waiting for complete IKE message
Sun Feb 13 13:49:24 2022 daemon.info charon: 16[NET] received packet: from IPCOMPUTER[4500] to IPMODEM[4500] (144 bytes)
Sun Feb 13 13:49:24 2022 daemon.info charon: 16[ENC] parsed IKE_AUTH request 1 [ EF(6/6) ]
Sun Feb 13 13:49:24 2022 daemon.info charon: 16[ENC] received fragment #6 of 6, waiting for complete IKE message
Sun Feb 13 13:49:24 2022 daemon.info charon: 05[NET] received packet: from IPCOMPUTER[4500] to IPMODEM[4500] (576 bytes)
Sun Feb 13 13:49:24 2022 daemon.info charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(3/6) ]
Sun Feb 13 13:49:24 2022 daemon.info charon: 05[ENC] received fragment #3 of 6, waiting for complete IKE message
Sun Feb 13 13:49:24 2022 daemon.info charon: 11[NET] received packet: from IPCOMPUTER[4500] to IPMODEM[4500] (576 bytes)
Sun Feb 13 13:49:24 2022 daemon.info charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(5/6) ]
Sun Feb 13 13:49:24 2022 daemon.info charon: 11[ENC] received fragment #5 of 6, reassembling fragmented IKE message
Sun Feb 13 13:49:24 2022 daemon.info charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Sun Feb 13 13:49:24 2022 daemon.info charon: 11[IKE] received cert request for "C=US, O=Technicolor, CN=CATechnicolor"
Sun Feb 13 13:49:24 2022 daemon.info charon: 11[IKE] received 55 cert requests for an unknown ca
Sun Feb 13 13:49:24 2022 daemon.info charon: 11[IKE] received end entity cert "C=US, O=Technicolor, CN=AndreaBerna"
Sun Feb 13 13:49:24 2022 daemon.info charon: 11[CFG] looking for peer configs matching IPMODEM[%any]...IPCOMPUTER[C=US, O=Technicolor, CN=AndreaBerna]
Sun Feb 13 13:49:24 2022 daemon.info charon: 11[CFG] no matching peer config found
Sun Feb 13 13:49:24 2022 daemon.info charon: 11[IKE] peer supports MOBIKE
Sun Feb 13 13:49:24 2022 daemon.info charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sun Feb 13 13:49:24 2022 daemon.info charon: 11[NET] sending packet: from IPMODEM[4500] to IPCOMPUTER[4500] (76 bytes)