带有RADIUS的Amazon上的StrongSwan

Question

我试图在Amazon实例上运行strongSwan，并对RADIUS进行身份验证，但是在尝试启动strongSwan时收到了一个错误

charon[9518]: 00[CFG] RADIUS initialization failed, HMAC/MD5/RNG required

要安装strongSwan，我运行了

yum install strongswan

# swanctl --version strongSwan swanctl 5.7.1

# swanctl --stats loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters

cat < /etc/strongswan/strongswan.d/charon/eap-radius.conf
eap-radius {
    load = yes
    nas_identifier = ${DNSNAME}
    retransmit_timeout = 30
    retransmit_tries = 1
    servers {
        primary {
            preference = 99
            address = ${RADIUSFQDN}
            auth_port = 1812
            secret = ${RADIUSPSWD}
            sockets = 5
        }
    }
}
EOF

完整启动日志

Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 06[MGR] tried to checkin and delete nonexisting IKE_SA
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 06[IKE] unable to resolve %any, initiate aborted
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 06[CFG] received stroke: initiate 'pod'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG] added configuration 'pod'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG]   loaded certificate "CN=vpn.test.dev.poddev.naimuri.uk" from 'vpnserver.crt'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG] adding virtual IP address pool 192.168.250.0/24
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 05[CFG] received stroke: add connection 'pod'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal strongswan[10484]: charon (10493) started after 60 ms
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal ipsec_starter[10484]: charon (10493) started after 60 ms
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[JOB] spawning 16 worker threads
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[LIB] loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation const
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] no script for ext-auth script defined, disabled
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] HA config misses local/remote address
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loaded 0 RADIUS server configurations
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading RADIUS server 'primary' failed, skipped
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] RADIUS initialization failed, HMAC/MD5/RNG required
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] opening triplet file /etc/strongswan/ipsec.d/triplets.dat failed: No such file or directory
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] sql plugin: database URI not set
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG]   loaded RSA private key from '/etc/strongswan/ipsec.d/private/vpnserver.key'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG]   loaded ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" from '/etc/strongswan/ipsec.d/
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[LIB] openssl FIPS mode(2) - enabled
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[CFG] PKCS11 module '' lacks library path
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal charon[10493]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.1, Linux 4.14.72-73.55.amzn2.x86_64, x86_64)
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal ipsec_starter[10484]: Starting strongSwan 5.7.1 IPsec [starter]...
Nov 13 14:14:34 ip-10-0-0-218.eu-west-2.compute.internal strongswan[10484]: Starting strongSwan 5.7.1 IPsec [starter]...

Answer 1

问题是您在FIPS模式下使用OpenSSL，这会禁用MD5，因为这不是FIPS批准的。

虽然加载了md5和hmac插件，但后者是在openssl插件之后进行的，后者仍然注册了自己的HMAC_MD5_128实现。这个实现甚至可以实例化，因为插件的HMAC构造函数实际上只检查给定哈希算法是否存在静态EVP_MD实例，不幸的是，即使在MD5模式下也是如此。但是，以后在HMAC_INIT_ex()中使用该实例会失败(触发错误的是试图在HMAC实例上设置键)。

为了避免这种情况，您可以禁用FIPS模式(通过charon.plugins.openssl.fips_mode)，或者确保使用HMAC插件提供的hmac实现，而不是使用openssl插件。

后者可以通过修改/etc/strongswan/strongswan.d/charon中它们各自配置代码段中这些插件的加载设置来实现，以便降级openssl插件(将其设置为负值)，或者提升hmac插件(设置为值> 1)。重新启动后，应该相应地更改swanctl --stats中看到的插件顺序，swanctl --list-algs的输出应该显示hmac插件正在提供HMAC_MD5_128。