Вопросы Теги

с помощью strongswan с pkcs11 и yubikey

. Я пытаюсь развернуть новую конфигурацию VPN на своем предприятии.

Я успешно установил соединение между своим компьютером и сервером vpn ipsec в режиме сертификата.

Я загрузил файл p12 в свой yubikey, который содержит мой закрытый ключ, открытый ключ сервера и ЦС.

$ pkcs11-tool --test --login

Using slot 0 with a present token (0x0)
Logging in to "uid=r.beal,dc=ldap-...".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (PIV AUTH key) 
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
Verify (currently only for RSA)
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Decryption (currently only for RSA)
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
No errors

Я добавил этот раздел в файл swanctl.conf:

secrets {
    tokenyubikey {
        pin = 123456
        slot = 0
        handle = 1 # From what i understood, it's here that my crt is
        module = yubi-module
    }
}

И этот раздел в файл /etc/strongswan.d/charon/pkcs11.conf:

yubi-module {
    #path = /usr/lib/libykcs11.so
    path = /usr/lib/pkcs11/opensc-pkcs11.so
}

Когда я использую модуль yubikey pkcs11:

00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] loaded PKCS#11 v2.40 library 'yubi-module' (/usr/lib/libykcs11.so)
00[CFG]   Yubico (www.yubico.com): PKCS#11 PIV Library (SP-800-73) v2.21
00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
00[CFG]     YubiKey PIV #16616360 (Yubico (www.yubico.com): YubiKey YK5)
00[CFG]     loaded untrusted cert 'X.509 Certificate for PIV Authentication'
00[CFG]     loaded untrusted cert 'X.509 Certificate for PIV Attestation'

И когда использование модуля opensc:

00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] loaded PKCS#11 v2.20 library 'yubi-module' (/usr/lib/pkcs11/opensc-pkcs11.so)
00[CFG]   OpenSC Project: OpenSC smartcard framework v0.22
00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
00[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
00[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'

Какой модуль следует использовать?

При запуске демона ipsec

# ipsec restart --nofork
Starting strongSwan 5.9.3 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.9.3, Linux 5.14.15-arch1-1, x86_64)
00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] loaded PKCS#11 v2.20 library 'yubi-module' (/usr/lib/pkcs11/opensc-pkcs11.so)
00[CFG]   OpenSC Project: OpenSC smartcard framework v0.22
00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
00[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
00[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'
00[CFG] attr-sql plugin: database URI not set
00[NET] using forecast interface wlan0
00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, E=admin@company.fr" from '/etc/ipsec.d/cacerts/ca.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] sql plugin: database URI not set
00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
00[CFG] loaded 0 RADIUS server configurations
00[CFG] HA config misses local/remote address
00[CFG] no script for ext-auth script defined, disabled
00[LIB] loaded plugins: charon ldap pkcs11 aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ntru drbg newhope bliss curl mysql sqlite attr kernel-netlink resolve socket-default bypass-lan connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity counters
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
06[IKE] installed bypass policy for 172.17.0.0/16
06[IKE] installed bypass policy for 192.168.1.0/24
06[IKE] installed bypass policy for ::1/128
06[IKE] installed bypass policy for fe80::/64
02[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
02[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
02[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'
charon (10359) started after 120 ms
11[CFG] received stroke: add connection 'test'
11[CFG]   loaded certificate "C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, E=r.beal@mail.fr" from '/etc/swanctl/x509/r.beal.pem'
11[CFG]   id 'UID=r.beal, DC=ldap, DC=company, DC=fr' not confirmed by certificate, defaulting to 'C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, E=r.beal@mail.fr'
11[CFG] added configuration 'test'

Смарт-карта присутствует!

Сейчас пытаюсь подключиться к VPN (/etc/ipsec.conf):

conn test
     right=1.2.3.4 <= the public ip of my vpn server
     rightid=remote_id_of_the_server
     leftcert=/etc/swanctl/x509/r.beal.pem
     leftid=my_mail
     left=%defaultroute
     #leftcert=%smartcard
     auto=add

Я поместил ЦС в /etc/ipsec.d/cacerts/

Журнал ipsec:

01[CFG] received stroke: initiate 'test'
09[IKE] initiating IKE_SA test[1] to 1.2.3.4
09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
09[NET] sending packet: from 192.168.1.199[500] to 1.2.3.4[500] (1000 bytes)
10[NET] received packet: from 1.2.3.4[500] to 192.168.1.199[500] (38 bytes)
10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
10[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
10[IKE] initiating IKE_SA test[1] to 1.2.3.4
10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
10[NET] sending packet: from 192.168.1.199[500] to 1.2.3.4[500] (1192 bytes)
06[NET] received packet: from 1.2.3.4[500] to 192.168.1.199[500] (481 bytes)
06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(CHDLESS_SUP) ]
06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
06[IKE] local host is behind NAT, sending keep alives
06[IKE] remote host is behind NAT
06[IKE] received cert request for "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, E=admin@company.fr"
06[IKE] sending cert request for "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, E=admin@company.fr"
06[IKE] no private key found for 'C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, E=r.beal@mail.fr'

Начало связи! Что нужно сделать, чтобы ipsec использовал закрытый ключ моей смарт-карты?

Я видел это сообщение:"NO_PROPOSAL_CHOSEN" при попытке аутентификации с помощью сертификата от смарт-карты с помощью swanctl У меня такая же проблема? Я попытался скопировать все сертификаты в каталог x509, но у меня та же ошибка «закрытый ключ не найден».

РЕДАКТИРОВАТЬ ===

Теперь, когда я вызываю "swanctl --load-creds", ipsec находит закрытый ключ и использует его!

Но теперь у меня проблема с сетью.

16[IKE] authentication of 'compagny.com' with RSA_EMSA_PKCS1_SHA2_256 successful
16[IKE] IKE_SA test[1] established between 192.168.1.199[r.beal@mail.fr]...1.2.3.4[compagny.com]
16[IKE] scheduling reauthentication in 10059s
16[IKE] maximum IKE_SA lifetime 10599s
16[CFG] handling UNITY_SPLITDNS_NAME attribute failed
16[CFG] handling INTERNAL_IP4_NETMASK attribute failed
16[IKE] installing DNS server 172.22.0.17 to /etc/resolv.conf
16[IKE] installing new virtual IP 10.66.0.5
16[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
16[IKE] failed to establish CHILD_SA, keeping IKE_SA
16[IKE] received AUTH_LIFETIME of 20278s, reauthentication already scheduled in 10059s

Я добавил в свой файл конфигурации.:

leftsourceip=%config

Мой VPN-сервер настроен так, чтобы не направлять интернет-трафик клиента. Поэтому я думаю, что сейчас проблема с конфигурацией сети.

0
задан 11 November 2021 в 14:25
1 ответ