Unable to start an IKEv2 VPN connection to Surfshark via NetworkManager

I am trying to connect manually to the VPN provider Surfshark over IKEv2. Here are the logs:

 charon-nm[5070]: 05[CFG] received initiate for NetworkManager connection Surfshark IKE2
 charon-nm[5070]: 05[CFG] using gateway identity 'ru-mos.prod.surfshark.com'
 charon-nm[5070]: 05[IKE] initiating IKE_SA Surfshark IKE2[1] to 92.38.138.139
 charon-nm[5070]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
 charon-nm[5070]: 05[NET] sending packet: from 192.168.2.35[35071] to 92.38.138.139[500] (1096 bytes)
 NetworkManager[4583]: <info>  [1636055533.4566] vpn-connection[0x56150178a510,6c89b390-d6ee-47d8-a547-346f75797487,"Surfshark IKE2",0]: VPN plugin: state changed: starting (3)
 charon-nm[5070]: 15[NET] received packet: from 92.38.138.139[500] to 192.168.2.35[35071] (38 bytes)
 charon-nm[5070]: 15[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
 charon-nm[5070]: 15[IKE] peer didn't accept DH group ECP_256, it requested ECP_521
 charon-nm[5070]: 15[IKE] initiating IKE_SA Surfshark IKE2[1] to 92.38.138.139
 charon-nm[5070]: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
 charon-nm[5070]: 15[NET] sending packet: from 192.168.2.35[35071] to 92.38.138.139[500] (1164 bytes)
 charon-nm[5070]: 01[NET] received packet: from 92.38.138.139[500] to 192.168.2.35[35071] (332 bytes)
 charon-nm[5070]: 01[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
 charon-nm[5070]: 01[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_521
 charon-nm[5070]: 01[IKE] local host is behind NAT, sending keep alives
 charon-nm[5070]: 01[IKE] sending cert request for "C=VG, O=Surfshark, CN=Surfshark Root CA"
 charon-nm[5070]: 01[IKE] establishing CHILD_SA Surfshark IKE2{1}
 charon-nm[5070]: 01[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
 charon-nm[5070]: 01[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (438 bytes)
 charon-nm[5070]: 07[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1248 bytes)
 charon-nm[5070]: 07[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]
 charon-nm[5070]: 07[ENC] received fragment #1 of 3, waiting for complete IKE message
 charon-nm[5070]: 08[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1248 bytes)
 charon-nm[5070]: 08[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ]
 charon-nm[5070]: 08[ENC] received fragment #2 of 3, waiting for complete IKE message
 charon-nm[5070]: 09[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (579 bytes)
 charon-nm[5070]: 09[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ]
 charon-nm[5070]: 09[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2949 bytes)
 charon-nm[5070]: 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
 charon-nm[5070]: 09[IKE] received end entity cert "CN=ru-mos.prod.surfshark.com"
 charon-nm[5070]: 09[IKE] received issuer cert "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
 charon-nm[5070]: 09[CFG]   using certificate "CN=ru-mos.prod.surfshark.com"
 charon-nm[5070]: 09[CFG]   using untrusted intermediate certificate "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
 charon-nm[5070]: 09[CFG] checking certificate status of "CN=ru-mos.prod.surfshark.com"
 charon-nm[5070]: 09[CFG] certificate status is not available
 charon-nm[5070]: 09[CFG]   using trusted ca certificate "C=VG, O=Surfshark, CN=Surfshark Root CA"
 charon-nm[5070]: 09[CFG] checking certificate status of "C=VG, O=Surfshark, CN=Surfshark Intermediate CA"
 charon-nm[5070]: 09[CFG] certificate status is not available
 charon-nm[5070]: 09[CFG]   reached self-signed root ca with a path length of 1
 charon-nm[5070]: 09[IKE] authentication of 'ru-mos.prod.surfshark.com' with RSA_EMSA_PKCS1_SHA2_256 successful
 charon-nm[5070]: 09[IKE] server requested EAP_IDENTITY (id 0x00), sending 'mYidENtitY'
 charon-nm[5070]: 09[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
 charon-nm[5070]: 09[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (90 bytes)
 charon-nm[5070]: 10[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (67 bytes)
 charon-nm[5070]: 10[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]
 charon-nm[5070]: 10[IKE] server requested EAP_PEAP authentication (id 0x01)
 charon-nm[5070]: 10[TLS] EAP_PEAP version is v0
 charon-nm[5070]: 10[ENC] generating IKE_AUTH request 3 [ EAP/RES/PEAP ]
 charon-nm[5070]: 10[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (275 bytes)
 charon-nm[5070]: 11[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1065 bytes)
 charon-nm[5070]: 11[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/PEAP ]
 charon-nm[5070]: 11[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 charon-nm[5070]: 11[ENC] generating IKE_AUTH request 4 [ EAP/RES/PEAP ]
 charon-nm[5070]: 11[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (67 bytes)
 charon-nm[5070]: 12[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (1061 bytes)
 charon-nm[5070]: 12[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]
 charon-nm[5070]: 12[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ]
 charon-nm[5070]: 12[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (67 bytes)
 charon-nm[5070]: 13[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (747 bytes)
 charon-nm[5070]: 13[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/PEAP ]
 charon-nm[5070]: 13[TLS] received TLS server certificate 'C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate, E=admin@example.org'
 charon-nm[5070]: 13[TLS] received TLS intermediate certificate 'C=FR, ST=Radius, L=Somewhere, O=Example Inc., E=admin@example.org, CN=Example Certificate Authority'
 charon-nm[5070]: 13[CFG]   using certificate "C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate, E=admin@example.org"
 charon-nm[5070]: 13[CFG]   using untrusted intermediate certificate "C=FR, ST=Radius, L=Somewhere, O=Example Inc., E=admin@example.org, CN=Example Certificate Authority"
 charon-nm[5070]: 13[CFG] subject certificate invalid (valid from Apr 12 17:41:01 2021 to Jun 11 17:41:01 2021)
 charon-nm[5070]: 13[TLS] no TLS public key found for server '%any'
 charon-nm[5070]: 13[TLS] sending fatal TLS alert 'certificate unknown'
 charon-nm[5070]: 13[ENC] generating IKE_AUTH request 6 [ EAP/RES/PEAP ]
 charon-nm[5070]: 13[NET] sending packet: from 192.168.2.35[58480] to 92.38.138.139[4500] (74 bytes)
 charon-nm[5070]: 14[NET] received packet: from 92.38.138.139[4500] to 192.168.2.35[58480] (65 bytes)
 charon-nm[5070]: 14[ENC] parsed IKE_AUTH response 6 [ EAP/FAIL ]
 charon-nm[5070]: 14[IKE] received EAP_FAILURE, EAP authentication failed

Everything looks fine until, in response 5, I receive some strange certificate. I don't know exactly how the PEAP protocol works or what is supposed to happen at this stage, but the connection works on Windows, so I assume the problem is on my side.

0
asked 4 November 2021 at 19:14
1 answer
charon-nm[5070]: 13[CFG] subject certificate invalid (valid from Apr 12 17:41:01 2021 to Jun 11 17:41:01 2021)

It looks like the certificate of the RADIUS server that requested EAP-PEAP has expired, but the subject with all these "examples" looks strange anyway (unless you changed it). Why Windows would accept this, if it really uses EAP-PEAP, I don't know.

You could try disabling the eap-peap plugin and hope that the server supports other EAP methods (e.g. EAP-MD5 or EAP-MSCHAPv2). To do so, add the following to strongswan.conf:

charon-nm {
  plugins {
    eap-peap {
      load = no
    }
  }
}
1
answered 11 November 2021 at 16:56
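
The check the answer performs by eye, as an added example (not part of the original posts): it reads the charon-nm lines from the question, takes the attempt time from the NetworkManager epoch stamp, and reports how far outside its validity window the inner PEAP/TLS certificate was. The function name `diagnose` is hypothetical, and the validity timestamps are assumed to be UTC; any time zone offset is irrelevant at this scale.

```python
import re
from datetime import datetime, timezone

# Lines copied from the log in the question, reduced to the relevant ones.
SAMPLE_LOG = """\
NetworkManager[4583]: <info>  [1636055533.4566] vpn-connection[0x56150178a510,6c89b390-d6ee-47d8-a547-346f75797487,"Surfshark IKE2",0]: VPN plugin: state changed: starting (3)
charon-nm[5070]: 13[TLS] received TLS server certificate 'C=FR, ST=Radius, O=Example Inc., CN=Example Server Certificate, E=admin@example.org'
charon-nm[5070]: 13[CFG] subject certificate invalid (valid from Apr 12 17:41:01 2021 to Jun 11 17:41:01 2021)
charon-nm[5070]: 13[TLS] sending fatal TLS alert 'certificate unknown'
charon-nm[5070]: 14[IKE] received EAP_FAILURE, EAP authentication failed
"""

NM_EPOCH = re.compile(r"NetworkManager\[\d+\]: <\w+>\s+\[(\d+)\.\d+\]")
TLS_CERT = re.compile(r"\[TLS\] received TLS server certificate '([^']+)'")
INVALID = re.compile(r"subject certificate invalid \(valid from (.+?) to (.+?)\)")

def _ts(text):
    # Assumption: the validity timestamps in the log are treated as UTC.
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def diagnose(log):
    """Return why the inner PEAP/TLS certificate was rejected, or None."""
    attempt = subject = None
    for line in log.splitlines():
        if m := NM_EPOCH.search(line):
            attempt = datetime.fromtimestamp(int(m.group(1)), timezone.utc)
        elif m := TLS_CERT.search(line):
            subject = m.group(1)
        elif m := INVALID.search(line):
            not_before, not_after = _ts(m.group(1)), _ts(m.group(2))
            if attempt is None:
                reason, days = "unknown (no attempt timestamp in log)", None
            elif attempt > not_after:
                reason, days = "expired", (attempt - not_after).days
            elif attempt < not_before:
                reason, days = "not yet valid", (not_before - attempt).days
            else:
                reason, days = "inside validity window (check local clock)", 0
            return {
                "subject": subject,
                "reason": reason,
                "days": days,
                "validity_days": (not_after - not_before).days,
                # The answer points out the "Example" subject as suspicious.
                "placeholder_subject": bool(subject and "Example" in subject),
            }
    return None

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```
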
