Strongswan (IKEv2) -Verbindung hergestellt, aber kein Verkehrsrouting

8

Ich habe diese Art von Frage schon einige Male gesehen, aber bisher hat keine von ihnen mein Problem gelöst.

Ich versuche, auf meinem Ubuntu-Server ein IKEv2-VPN für die Verwendung mit meinem Windows Phone mithilfe von Strongswan einzurichten. Die Verbindung scheint korrekt eingerichtet zu sein, aber es werden keine Pakete weitergeleitet und ich kann die IP-Adresse des VPN-Clients nicht anpingen.

Das interne Netzwerk meines Servers ist 192.168.1.0/24 und die IP meines Servers ist 192.168.1.110 und hinter NAT.

/ var / log / syslog

May  8 09:50:01 seanco-server charon: 16[NET] received packet: from 166.147.118.120[13919] to 192.168.1.110[500]
May  8 09:50:01 seanco-server charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May  8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
May  8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
May  8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
May  8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May  8 09:50:01 seanco-server charon: 16[IKE] 166.147.118.120 is initiating an IKE_SA
May  8 09:50:01 seanco-server charon: 16[IKE] local host is behind NAT, sending keep alives
May  8 09:50:01 seanco-server charon: 16[IKE] remote host is behind NAT
May  8 09:50:01 seanco-server charon: 16[IKE] sending cert request for "C=xx, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx"
May  8 09:50:01 seanco-server charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May  8 09:50:01 seanco-server charon: 16[NET] sending packet: from 192.168.1.110[500] to 166.147.118.120[13919]
May  8 09:50:01 seanco-server charon: 08[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:01 seanco-server charon: 08[ENC] unknown attribute type INTERNAL_IP4_SERVER
May  8 09:50:01 seanco-server charon: 08[ENC] unknown attribute type INTERNAL_IP6_SERVER
May  8 09:50:01 seanco-server charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May  8 09:50:01 seanco-server charon: 08[IKE] received cert request for "C=xx, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx"
May  8 09:50:01 seanco-server charon: 08[IKE] received 31 cert requests for an unknown ca
May  8 09:50:01 seanco-server charon: 08[CFG] looking for peer configs matching 192.168.1.110[%any]...166.147.118.120[10.212.235.245]
May  8 09:50:01 seanco-server charon: 08[CFG] selected peer config 'windows-phone-vpn'
May  8 09:50:01 seanco-server charon: 08[IKE] initiating EAP-Identity request
May  8 09:50:01 seanco-server charon: 08[IKE] peer supports MOBIKE
May  8 09:50:01 seanco-server charon: 08[IKE] authentication of 'steakscorp.org' (myself) with RSA signature successful
May  8 09:50:01 seanco-server charon: 08[IKE] sending end entity cert "D=xxx, C=xx, CN=xxx, E=xxx"
May  8 09:50:01 seanco-server charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May  8 09:50:01 seanco-server charon: 08[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:02 seanco-server charon: 10[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:02 seanco-server charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May  8 09:50:02 seanco-server charon: 10[IKE] received EAP identity 'Windows Phone\jinhai'
May  8 09:50:02 seanco-server charon: 10[IKE] initiating EAP_MSCHAPV2 method (id 0xA5)
May  8 09:50:02 seanco-server charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
May  8 09:50:02 seanco-server charon: 10[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:02 seanco-server charon: 09[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:02 seanco-server charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
May  8 09:50:02 seanco-server charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
May  8 09:50:02 seanco-server charon: 09[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:02 seanco-server charon: 11[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:02 seanco-server charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
May  8 09:50:02 seanco-server charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
May  8 09:50:02 seanco-server charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
May  8 09:50:02 seanco-server charon: 11[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:02 seanco-server charon: 12[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:02 seanco-server charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
May  8 09:50:02 seanco-server charon: 12[IKE] authentication of '10.212.235.245' with EAP successful
May  8 09:50:02 seanco-server charon: 12[IKE] authentication of 'steakscorp.org' (myself) with EAP
May  8 09:50:02 seanco-server charon: 12[IKE] IKE_SA windows-phone-vpn[2] established between 192.168.1.110[steakscorp.org]...166.147.118.120[10.212.235.245]
May  8 09:50:02 seanco-server charon: 12[IKE] scheduling reauthentication in 10200s
May  8 09:50:02 seanco-server charon: 12[IKE] maximum IKE_SA lifetime 10740s
May  8 09:50:02 seanco-server charon: 12[IKE] peer requested virtual IP %any6
May  8 09:50:02 seanco-server charon: 12[CFG] reassigning offline lease to 'Windows Phone\jinhai'
May  8 09:50:02 seanco-server charon: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'Windows Phone\jinhai'
May  8 09:50:02 seanco-server charon: 12[IKE] CHILD_SA windows-phone-vpn{2} established with SPIs c214680b_i a1cbebd2_o and TS 0.0.0.0/0[udp/l2f] === 10.8.0.1/32[udp]
May  8 09:50:02 seanco-server vpn: + 10.212.235.245 10.8.0.1/32 == 166.147.118.120 -- 192.168.1.110 == 0.0.0.0/0
May  8 09:50:02 seanco-server charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH CP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
May  8 09:50:02 seanco-server charon: 12[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:22 seanco-server charon: 16[IKE] sending keep alive
May  8 09:50:22 seanco-server charon: 16[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:32 seanco-server charon: 10[IKE] sending DPD request
May  8 09:50:32 seanco-server charon: 10[ENC] generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]

/etc/ipsec.conf

config setup
        strictcrlpolicy = no
        charonstart = yes
        plutostart = no

conn windows-phone-vpn
        auto = route
        compress = no
        dpdaction = clear
        pfs = no
        keyexchange = ikev2
        type = tunnel
        left = %any
        leftfirewall = yes
        leftauth = pubkey
        leftid = steakscorp.org
        leftcert = /etc/apache2/ssl/start-ssl.crt
        leftca = /etc/apache2/ssl/start-ssl-ca.pem
        leftsendcert = always
        leftsubnet = 0.0.0.0/0
        right = %any
        rightauth = eap-mschapv2
        eap_identity = %any
        rightca = /etc/ipsec.d/cacerts/vpnca.pem
        rightsendcert = ifasked
        rightsourceip = 10.8.0.0/24
        #leftprotoport = 17/1701
        #rightprotoport = 17/%any

ifconfig

eth1      Link encap:Ethernet  HWaddr aa:00:04:00:0a:04
          inet addr:192.168.1.110  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:4fff:feaa:1577/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:157187 errors:0 dropped:0 overruns:0 frame:0
          TX packets:162827 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:121434663 (121.4 MB)  TX bytes:129069773 (129.0 MB)
          Interrupt:21 Memory:fe9e0000-fea00000

ham0      Link encap:Ethernet  HWaddr 7a:79:19:da:fb:84
          inet addr:25.218.251.132  Bcast:25.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::7879:19ff:feda:fb84/64 Scope:Link
          inet6 addr: 2620:9b::19da:fb84/96 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1404  Metric:1
          RX packets:1622 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3115 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:384780 (384.7 KB)  TX bytes:1249410 (1.2 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6554 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6554 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2036987 (2.0 MB)  TX bytes:2036987 (2.0 MB)

iptables

# Generated by iptables-save v1.4.12 on Fri May  9 10:33:46 2014
*mangle
:PREROUTING ACCEPT [604388:58921019]
:INPUT ACCEPT [4937028:2589137657]
:FORWARD ACCEPT [22:1366]
:OUTPUT ACCEPT [3919078:5188868578]
:POSTROUTING ACCEPT [4008714:5195778648]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Fri May  9 10:33:46 2014
# Generated by iptables-save v1.4.12 on Fri May  9 10:33:46 2014
*filter
:INPUT ACCEPT [1737:217459]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16831:20344894]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_U_ADMIN_IN - [0:0]
:AS0_U_USERLOCA_IN - [0:0]
:AS0_WEBACCEPT - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-apache-404 - [0:0]
:fail2ban-apache-noscript - [0:0]
:fail2ban-apache-overflows - [0:0]
:fail2ban-apache-postflood - [0:0]
:fail2ban-ip-blocklist - [0:0]
:fail2ban-repeatoffender - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-404
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A INPUT -p tcp -j fail2ban-ip-blocklist
-A INPUT -p tcp -j fail2ban-repeatoffender
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-postflood
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 10.0.8.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_OUT -j DROP
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_U_ADMIN_IN -d 192.168.1.0/24 -j ACCEPT
-A AS0_U_ADMIN_IN -j AS0_IN_POST
-A AS0_U_USERLOCA_IN -d 192.168.1.0/24 -j ACCEPT
-A AS0_U_USERLOCA_IN -j AS0_IN_POST
-A AS0_WEBACCEPT -j ACCEPT
-A fail2ban-apache -j RETURN
-A fail2ban-apache-404 -j RETURN
-A fail2ban-apache-noscript -j RETURN
-A fail2ban-apache-overflows -j RETURN
-A fail2ban-apache-postflood -j RETURN
-A fail2ban-ip-blocklist -j RETURN
-A fail2ban-repeatoffender -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN
COMMIT
# Completed on Fri May  9 10:33:46 2014
# Generated by iptables-save v1.4.12 on Fri May  9 10:33:46 2014
*nat
:PREROUTING ACCEPT [906:84714]
:INPUT ACCEPT [860:81590]
:OUTPUT ACCEPT [233:50740]
:POSTROUTING ACCEPT [233:50740]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A POSTROUTING -d 192.168.2.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
-A AS0_NAT -o eth1 -j SNAT --to-source 192.168.1.110
-A AS0_NAT -o ham0 -j SNAT --to-source 25.218.251.132
-A AS0_NAT -o tun0 -j SNAT --to-source 10.8.0.1
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -d 10.0.8.0/24 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Fri May  9 10:33:46 2014

IP-Xfrm-Richtlinie

src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701
        dir fwd priority 1920
        tmpl src 166.147.118.120 dst 192.168.1.110
                proto esp reqid 3 mode tunnel
src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701
        dir in priority 1920
        tmpl src 166.147.118.120 dst 192.168.1.110
                proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 10.8.0.1/32 proto udp sport 1701
        dir out priority 1920
        tmpl src 192.168.1.110 dst 166.147.118.120
                proto esp reqid 3 mode tunnel

Ein paar Dinge sehen für mich etwas seltsam aus (sollte nicht ein ipsec0 aufgerufen werden oder so, wenn die Verbindung hergestellt wird?), Aber ich bin an dieser Stelle ratlos und würde mich über Hilfe sehr freuen.

Bearbeiten : Protoport-Linien auskommentiert und tun0-Schnittstelle heruntergefahren.

Jinhai
quelle
1
Sie sollten auf jeden Fall die left|rightprotoportOptionen loswerden . Mit diesen Werten werden sie verwendet, wenn Sie IKEv1 / L2TP / IPsec verwenden, was Sie nicht sind. Sie verwenden IKEv2 mit einfachem IPsec. Warum gibt es ein TUN-Gerät, dem die IP-Adresse des Clients zugewiesen ist? Das Lesen von Forwarding und Split-Tunneling im strongSwan-Wiki könnte ebenfalls hilfreich sein.
Ecdsa
Die Konfigurationen wurden behoben (tun0 ist nicht mehr aktiv und die Protoport-Optionen wurden auskommentiert). Ich werde mir den Wiki-Artikel noch einmal ansehen - und ich habe versucht, NAT für meine nach links gerichtete Oberfläche einzurichten mit: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -m Richtlinie --dir out --pol ipsec -j ACEPPT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE ... aber bisher hat sich nichts geändert.
Jinhai
Ich habe jedoch in meinen iptables von meinem L2TP / PPP-VPN ein "-A POSTROUTING -d 192.168.2.0/24 -o ppp0 -j MASQUERADE" bemerkt, und das funktioniert. Möglicherweise muss ich ein Äquivalent für mein IKEv2- und 10.8.0.0/24-Netzwerk hinzufügen, aber welche Schnittstelle würde ich verwenden? (Sorry, irgendwie dumm, wenn es um Iptables geht)
Jinhai

Antworten:

3

Du brauchst:

>$ iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source "your VPN host IP"
>$ service iptables save
>$ service iptables restart
>$ service ipsec restart
Alex G.
quelle
5
Warum behebt dies Ihr Problem?
Ryan Shillington
1

Haben Sie die IPv4-Weiterleitung aktiviert?

$sudo sysctl -w net.ipv4.ip_forward=1

Haben Sie eine MASQUERADE POSTROUTING-Regel hinzugefügt?

$sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
MemCtrl
quelle
Ja und ja (obwohl mein Adapter stattdessen eth1 ist).
Jinhai
Können Sie die Routing-Tabelle vom Client aus veröffentlichen?
MemCtrl
Ich kann nicht, aber ich bin mir ziemlich sicher, dass dies das Problem ist - mein Server zeigt keinen Datenverkehr im privaten 10.8.0.0/24-Netzwerk vom Telefon an, wenn es verbunden ist und versucht, ins Internet zu gelangen. Gibt es etwas, das ich serverseitig hinzufügen kann, um auf dem Client eine Route nach außen hinzuzufügen?
Jinhai