
Azure VPN Gateway connection problem with strongSwan

I am trying to establish a site-to-site connection between an Azure VPN Gateway and my local network. Regardless of which options I choose, I get the following:

Aug 13 08:57:06 OWRT01 : 13[IKE] received NO_PROPOSAL_CHOSEN notify error

What could the problem be?

Is there a way to access the Azure VPN Gateway logs from Azure to identify the problem?

I have been searching for several days. No luck. My IPsec/strongSwan runs on a Raspberry Pi 2 behind my main router. The Raspberry Pi 2 runs OpenWRT (192.168.0.2). My router runs DD-WRT (100.100.100.100, 192.168.0.6).

Configuration details:

root@OWRT01:~# cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
192.168.0.12 123.123.123.123 : PSK "SECRETPASS"
root@OWRT01:~# vi /etc/ipsec.secrets
root@OWRT01:~# vi /etc/ipsec.conf
root@OWRT01:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn azure
        authby=secret
        auto=start
        type=tunnel
        keyexchange=ikev2
        keylife=3600s
        ikelifetime=28800s

        left=192.168.0.12
        leftsubnet=0.0.0.0/0
        right=123.123.123.123
        rightsubnet=0.0.0.0/0

        ike=aes256-sha1-modp1024!
        esp=aes256-sha1-modp2048!

        closeaction=restart
        dpdaction=restart
        reauth=no

        keyingtries=%forever
        forceencaps=yes

root@OWRT01:~# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.8.2 IPsec [starter]...
root@OWRT01:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, armv7l):
  uptime: 40 seconds, since Aug 13 08:54:04 2020
  worker threads: 6 of 16 idle, 6/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default socket-dynamic connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
  192.168.0.12
  fdc8:29db:a9ed::1
Connections:
       azure:  192.168.0.12...123.123.123.123  IKEv2, dpddelay=30s
       azure:   local:  [192.168.0.12] uses pre-shared key authentication
       azure:   remote: [123.123.123.123] uses pre-shared key authentication
       azure:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
  none
root@OWRT01:~# ping 123.123.123.123
PING 123.123.123.123 (123.123.123.123): 56 data bytes
^C
--- 123.123.123.123 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@OWRT01:~# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
# Verbosity levels
# -1: Absolutely silent
# 0: Very basic auditing logs, (e.g. SA up/SA down)
# 1: Generic control flow with errors, a good default to see whats going on
# 2: More detailed debugging control flow
# 3: Including RAW data dumps in Hex
# 4: Also include sensitive material in dumps, e.g. keys
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        filelog {
                charon {
                        path = /var/log/charon.log
                        time_format = %b %e %T
                        append = no
                        default = 0 # in case troubleshoot is required switch this to 2
                }
                stderr {
                        ike = 0 # in case troubleshoot is required switch this to 2
                        knl = 0 # in case troubleshoot is required switch this to 3
                        ike_name = yes
                }
        }
        syslog {
                # enable logging to LOG_DAEMON, use defaults
                daemon {
                }
                # minimalistic IKE auditing logging to LOG_AUTHPRIV
                auth {
                        default = 0 # in case troubleshoot is required switch this to 2
                        ike = 0 # in case troubleshoot is required switch this to 2
                }
        }
}
include strongswan.d/*.conf
root@OWRT01:~#

Linux remote logging server:

Aug 13 08:57:01 OWRT01 : 00[DMN] signal of type SIGINT received. Shutting down
Aug 13 08:57:04 OWRT01 : 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, armv7l)
Aug 13 08:57:04 OWRT01 : 00[CFG] PKCS11 module '<name>' lacks library path
Aug 13 08:57:06 OWRT01 : 00[LIB] curl SSL backend 'mbedTLS/2.16.6' not supported, https:// disabled
Aug 13 08:57:06 OWRT01 : 00[CFG] disabling load-tester plugin, not configured
Aug 13 08:57:06 OWRT01 : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Aug 13 08:57:06 OWRT01 : 00[LIB] created TUN device: ipsec0
Aug 13 08:57:06 OWRT01 : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
Aug 13 08:57:06 OWRT01 : 00[CFG] attr-sql plugin: database URI not set
Aug 13 08:57:06 OWRT01 : 00[NET] using forecast interface br-lan
Aug 13 08:57:06 OWRT01 : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Aug 13 08:57:06 OWRT01 : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 13 08:57:06 OWRT01 : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 13 08:57:06 OWRT01 : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug 13 08:57:06 OWRT01 : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug 13 08:57:06 OWRT01 : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 13 08:57:06 OWRT01 : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 13 08:57:06 OWRT01 : 00[CFG]   loaded IKE secret for 192.168.0.12 123.123.123.123
Aug 13 08:57:06 OWRT01 : 00[CFG] sql plugin: database URI not set
Aug 13 08:57:06 OWRT01 : 00[CFG] loaded 0 RADIUS server configurations
Aug 13 08:57:06 OWRT01 : 00[CFG] HA config misses local/remote address
Aug 13 08:57:06 OWRT01 : 00[CFG] coupling file path unspecified
Aug 13 08:57:06 OWRT01 : 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default socket-dynamic connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Aug 13 08:57:06 OWRT01 : 00[JOB] spawning 16 worker threads
Aug 13 08:57:06 OWRT01 : 11[CFG] received stroke: add connection 'azure'
Aug 13 08:57:06 OWRT01 : 11[CFG] added configuration 'azure'
Aug 13 08:57:06 OWRT01 : 14[CFG] received stroke: initiate 'azure'
Aug 13 08:57:06 OWRT01 : 14[IKE] initiating IKE_SA azure[1] to 123.123.123.123
Aug 13 08:57:06 OWRT01 : 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 13 08:57:06 OWRT01 : 14[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (336 bytes)
Aug 13 08:57:06 OWRT01 : 15[NET] received packet: from 192.168.0.6[500] to 192.168.0.12[500] (336 bytes)
Aug 13 08:57:06 OWRT01 : 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 13 08:57:06 OWRT01 : 15[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
Aug 13 08:57:06 OWRT01 : 15[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 13 08:57:06 OWRT01 : 15[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
Aug 13 08:57:06 OWRT01 : 13[NET] received packet: from 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
Aug 13 08:57:06 OWRT01 : 13[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 13 08:57:06 OWRT01 : 13[IKE] received NO_PROPOSAL_CHOSEN notify error

DD-WRT tcpdump output:

root@DD-WRT:~# tcpdump -n | grep -Ei "123.123.123.123"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:54:04.615716 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
08:54:04.618727 IP 123.123.123.123.500 > 192.168.0.12.500: isakmp: parent_sa ikev2_init[R]
08:54:51.093347 IP 192.168.0.12 > 123.123.123.123: ICMP echo request, id 26970, seq 0, length 64
08:54:51.093490 IP 100.100.100.100 > 123.123.123.123: ICMP echo request, id 26970, seq 0, length 64
08:54:52.093679 IP 192.168.0.12 > 123.123.123.123: ICMP echo request, id 26970, seq 1, length 64
08:54:52.093771 IP 100.100.100.100 > 123.123.123.123: ICMP echo request, id 26970, seq 1, length 64
08:54:53.093909 IP 192.168.0.12 > 123.123.123.123: ICMP echo request, id 26970, seq 2, length 64
08:54:53.093999 IP 100.100.100.100 > 123.123.123.123: ICMP echo request, id 26970, seq 2, length 64
08:54:54.094138 IP 192.168.0.12 > 123.123.123.123: ICMP echo request, id 26970, seq 3, length 64
08:54:54.094217 IP 100.100.100.100 > 123.123.123.123: ICMP echo request, id 26970, seq 3, length 64
08:57:06.440515 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
08:57:06.443841 IP 123.123.123.123.500 > 192.168.0.12.500: isakmp: parent_sa ikev2_init[R]

From the Azure side I see the following:

Check all connection parameters
Check all connection parameters to ensure the on premises VPN device public IP does not conflict with another connection, and also ensure address spaces of the connected networks do not overlap. Learn more.
Resetting the VPN gateway
Try resetting the VPN gateway. https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-resetgw-classic/
Contact support
If you are experiencing problems you believe are caused by Azure, contact support. http://azure.microsoft.com/support

Cross premises
Create a cross premises connection. Learn more.
VNet-to-VNet
Create a VNet-to-VNet connection. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
Contact support
If you are experiencing problems you believe are caused by Azure, contact support. http://azure.microsoft.com/support

However, what remains unclear to me:

Azure GW details:

Azure VPN Gateway SMDS-RG
Location: East US
Subscription: Azure MYNAME Pay-as-you-Go Subscription
Subscription ID: <ID>
SKU: Basic
Gateway type: VPN
VPN type: Route-based
Virtual network: MY-VPN-VNET
Public IP address: 123.123.123.123

I created the correct NAT forwarding rules; their effect is shown above in the traffic flow from the tcpdump command on DD-WRT:

# UDP
iptables -t nat -I PREROUTING -p udp --dport 500 -j DNAT --to 192.168.0.12:500
iptables -I FORWARD -p udp -d 192.168.0.12 --dport 500 -j ACCEPT

iptables -t nat -I PREROUTING -p udp --dport 4500 -j DNAT --to 192.168.0.12:4500
iptables -I FORWARD -p udp -d 192.168.0.12 --dport 4500 -j ACCEPT
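The posted charon log is worth reading twice. Thread 14 sends the 336-byte IKE_SA_INIT request to 123.123.123.123; in the same second thread 15 receives a 336-byte IKE_SA_INIT *request* from 192.168.0.6 (the DD-WRT LAN address), finds no connection for that peer and itself generates the N(NO_PROP) response; thread 13 then parses a 36-byte N(NO_PROP) response that arrives from 123.123.123.123. So the NO_PROPOSAL_CHOSEN in this log is produced by the Pi, not by the Azure gateway, which is consistent with a PREROUTING DNAT rule that matches every UDP/500 packet passing through the router, including the Pi's own outbound request, rather than only packets arriving on the WAN interface. The Python below is an added example, not code from the post, from strongSwan or from Azure: it runs that reasoning over the log lines (constructed here from the posted log, plus a constructed counter-sample of a genuine proposal mismatch) and flags PREROUTING DNAT rules that carry neither an `-i` nor a `-d` match. The WAN interface name `vlan2` is an assumption; DD-WRT's WAN interface name depends on the device.

```python
"""Added example: tell a NO_PROPOSAL_CHOSEN that charon generated itself (its own
IKE_SA_INIT request looped back by the router's DNAT) from one the remote peer sent,
and flag PREROUTING DNAT rules that are not scoped to the WAN interface.
Not code from the post, from strongSwan or from Azure."""
import re

# Constructed from the charon lines in the post (only the lines the diagnosis needs).
SAMPLE_LOG = """\
Aug 13 08:57:06 OWRT01 : 14[IKE] initiating IKE_SA azure[1] to 123.123.123.123
Aug 13 08:57:06 OWRT01 : 14[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (336 bytes)
Aug 13 08:57:06 OWRT01 : 15[NET] received packet: from 192.168.0.6[500] to 192.168.0.12[500] (336 bytes)
Aug 13 08:57:06 OWRT01 : 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 13 08:57:06 OWRT01 : 15[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
Aug 13 08:57:06 OWRT01 : 15[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
Aug 13 08:57:06 OWRT01 : 13[NET] received packet: from 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
Aug 13 08:57:06 OWRT01 : 13[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 13 08:57:06 OWRT01 : 13[IKE] received NO_PROPOSAL_CHOSEN notify error
"""

# Constructed counter-sample: a genuine proposal mismatch. There is no local
# "no IKE config found"; the N(NO_PROP) comes straight back from the peer.
MISMATCH_LOG = """\
Aug 13 09:00:00 OWRT01 : 14[IKE] initiating IKE_SA azure[1] to 123.123.123.123
Aug 13 09:00:00 OWRT01 : 14[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (336 bytes)
Aug 13 09:00:00 OWRT01 : 13[NET] received packet: from 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
Aug 13 09:00:00 OWRT01 : 13[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 13 09:00:00 OWRT01 : 13[IKE] received NO_PROPOSAL_CHOSEN notify error
"""

# Constructed copy of the DNAT rules as posted.
POSTED_RULES = """\
# UDP
iptables -t nat -I PREROUTING -p udp --dport 500 -j DNAT --to 192.168.0.12:500
iptables -I FORWARD -p udp -d 192.168.0.12 --dport 500 -j ACCEPT
iptables -t nat -I PREROUTING -p udp --dport 4500 -j DNAT --to 192.168.0.12:4500
iptables -I FORWARD -p udp -d 192.168.0.12 --dport 4500 -j ACCEPT
"""

INIT = re.compile(r"initiating IKE_SA \S+ to (\S+)")
SENT = re.compile(r"sending packet: from (\S+)\[\d+\] to (\S+)\[\d+\] \((\d+) bytes\)")
RECV = re.compile(r"received packet: from (\S+)\[\d+\] to (\S+)\[\d+\] \((\d+) bytes\)")
NOCFG = re.compile(r"no IKE config found for \S+\.\.\.(\S+), sending NO_PROPOSAL_CHOSEN")
NOPROP = "received NO_PROPOSAL_CHOSEN notify error"


def diagnose(log_text):
    """Return None if no NO_PROPOSAL_CHOSEN was received, otherwise a dict whose
    'kind' is 'hairpin' (our own request came back and we rejected it ourselves)
    or 'peer_rejected' (the remote side really declined the proposal)."""
    peer = local = request_size = looped_from = local_reject = None
    saw_noprop = False
    for line in log_text.splitlines():
        if m := INIT.search(line):
            peer = m.group(1)
        elif m := SENT.search(line):
            src, dst, size = m.groups()
            if dst == peer and request_size is None:      # our IKE_SA_INIT request
                local, request_size = src, size
        elif m := RECV.search(line):
            src, dst, size = m.groups()
            # A packet of exactly the size we just sent, addressed to us, from a host
            # other than the peer: our own request bounced back via <src>.
            if size == request_size and dst == local and src != peer:
                looped_from = src
        elif m := NOCFG.search(line):
            local_reject = m.group(1)                     # we answered this host with NO_PROP
        elif NOPROP in line:
            saw_noprop = True
    if not saw_noprop:
        return None
    if looped_from and looped_from == local_reject:
        return {"kind": "hairpin", "peer": peer, "looped_via": looped_from, "local": local}
    return {"kind": "peer_rejected", "peer": peer}


DNAT_RULE = re.compile(r"^iptables\s+-t\s+nat\s+-[IA]\s+PREROUTING\s+(.*?)\s+-j\s+DNAT\b")


def unscoped_dnat_rules(rules_text):
    """PREROUTING DNAT rules with neither -i (ingress interface) nor -d (destination).
    PREROUTING also sees LAN traffic that is merely forwarded, so such a rule rewrites
    the Pi's outbound UDP/500 exactly like an inbound packet from the Internet."""
    bad = []
    for raw in rules_text.splitlines():
        m = DNAT_RULE.match(raw.strip())
        if m and not {"-i", "-d"} & set(m.group(1).split()):
            bad.append(raw.strip())
    return bad


def scope_to_wan(rule, wan_if):
    """Restrict a PREROUTING DNAT rule to packets arriving on wan_if."""
    return re.sub(r"PREROUTING\s+", f"PREROUTING -i {wan_if} ", rule, count=1)


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    print(diagnose(MISMATCH_LOG))
    for rule in unscoped_dnat_rules(POSTED_RULES):
        print("unscoped:", rule)
        print("fixed:   ", scope_to_wan(rule, "vlan2"))  # 'vlan2' is an assumed WAN interface name
```

Once the loop is gone, the separate question of whether the Azure gateway accepts the proposed algorithms only then becomes visible in the log, and a rejection at that point would come back from 123.123.123.123 without any local "no IKE config found" line, which is the `peer_rejected` case above. Note that `ike=aes256-sha1-modp1024!` proposes DH group 2, which is considered weak today; the page does not say which groups this gateway accepts, so check Azure's documented IKE policy before changing it.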