Strongswan app 使用IKEv2 EAP 通过 Freeradius EAP认证 连接 Strongswan_strongswan安卓版下载

环境

@Linux

uname -a
Linux szqsm 4.15.0-73-generic #82-Ubuntu SMP Tue Dec 3 00:04:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
1
2
3
4

@Strongswan

ipsec --version
Linux strongSwan U5.6.2/K4.15.0-73-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
1
2
3
4
5
6
7

@Freeradius

freeradius -v
radiusd: FreeRADIUS Version 3.0.16, for host x86_64-pc-linux-gnu, built on Apr 17 2019 at 12:59:55
FreeRADIUS Version 3.0.16
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
1
2
3
4
5
6
7
8
9
10
11

Mobile Phone: 魅族16Plus/android8.1.0
Strongswan App：android4
1
2

安装

链接

@Strongswan官网
@Strongswan App 安卓客户端下载
@Freeradius官网

Ubuntu 安装 Strongswan

@阿里云源(下载安装更快)
vim /etc/apt/sources.list.d/aliyun.list
deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse

@apt更新
apt upgrade	更新已安装的软件包

apt list --upgradable查看可升级的软件信息
apt list --upgradable -a查看可升级的软件的全部版本信息

注意事项：不能随意使用sudo apt upgrade -y命令

@安装Strongswan
apt-get install strongswan strongswan-*
* strongswan 的许多模块如radius模块都是以单独的包，直接写strongswan-*把模块全部安装了，避免后面出现未安装模块而导致的错误（当然实际使用时最好根据需求去添加安装）
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

配置 Strongswang

@官方EAP-Framed-IP-Radius 文档 *供参考

生成私钥
pki --gen --outform pem > caKey.pem
pki --self --in caKey.pem --dn "C=CN, O=SZQSM, CN=SZQSM Root CA" --san root --ca --lifetime 3650 --outform pem > caCert.pem	#根证书
C--Country 国家		O--Organization 组织	CN--通用名保持默认
!!!Never store the private key caKey.der of the Certification Authority (CA) on a host with constant direct access to the Internet
私钥不要放到公网上

pki --gen --outform pem > serverKey.pem
pki --issue --in serverKey.pem --type priv --cacert caCert.pem --cakey caKey.pem	--dn "C=CN, O=SZQSM, CN=server" --san server --san 10.207.238.11 --flag Server --outform pem > serverCert.pem


pki --gen --outform pem > androidKey.pem
pki --issue --in androidKey.pem --type priv --cacert caCert.pem --cakey caKey.pem	--dn "C=CN, O=SZQSM, CN=android" --san android --san 10.207.238.11 --outform pem > androidCert.pem

mv caCert.pem /etc/ipsec.d/cacerts/

mv serverKey.pem /etc/ipsec.d/private/
mv clientKey.pem /etc/ipsec.d/private/

mv serverCert.pem /etc/ipsec.d/certs/
mv clientCert.pem /etc/ipsec.d/certs/ 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

/etc/ipsec.conf
config setup
        charondebug="ike 2, knl 3, cfg 0"
        
conn %default
        fragmentation=yes
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=2
        reauth=yes
        rekey=yes
        keyexchange=ikev2
       

conn mobile
        left=10.207.238.11
        leftid=10.207.238.11
        leftsubnet=192.168.1.0/24
        leftsendcert=always
        leftauth=pubkey
        leftcert=serverCert.pem
        leftfirewall=yes
        rightsendcert=never
        rightauth=eap-radius
        rightsourceip=%radius
        eap_identity=%any
        auto=add
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

/etc/ipsec.secrets
: RSA serverKey.pem
1
2

/etc/strongswan.conf
charon {
   
    load_modular = yes
    plugins {
   
        eap-radius {
   
            class_group = yes
            secret = android_pass_123456
            server = 10.207.238.11
        }
        include strongswan.d/charon/*.conf
    }
    dns1 = 114.114.114.114
    dns2 = 8.8.8.8
    nbns1 = 114.114.114.114
    nbns1 = 8.8.8.8
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

在这里插入代码片
1

配置 Freeradius

/etc/freeradius/3.0/clients.conf
client android{
   
        showrtname      = android
        ipaddr          = 10.207.238.11/32
        secret          = android_pass_123456
        require_message_authenticator = yes
        nas-type        = other
}
1
2
3
4
5
6
7
8
9

@radcheck表
android Cleartext-Password := 123456

@radreply表
android	Framed-IP-Address = 192.168.200.101
android Framed-IP-Netmask = 255.255.255.0
android Reply-Message = EAP Auth Success!
1
2
3
4
5
6
7

/etc/freeradius/3.0/sites-enabled/default
        eap {
   
                ok = return
        }

/etc/freeradius/3.0/mods-available/eap
	default_eap_type = md5
1
2
3
4
5
6
7
8

配置Strongswan APP

Debug

开启Strongswan debug
ipsec start --nofork
+++++++++++++++++++++++Start+++++++++++++++++++++++++++++++++++
00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (16424) started after 120 ms

++++++++++++++++++++++Process+++++++++++++++++++++++++++
charon (16424) started after 120 ms
09[NET] received packet: from 10.207.238.201[63202] to 10.207.238.11[500] (716 bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
09[IKE] 10.207.238.201 is initiating an IKE_SA
09[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
09[IKE] remote host is behind NAT
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15