
Strongswan site-to-site on OpenWRT 17.01.4: traffic dropped

I am trying to set up a site-to-site tunnel following the same tutorial as this guy: LEDE 17.01.1, StrongSwan 5.6.0 swanctl NAT.

The scenario is as follows:

Two routers, both running LEDE/OpenWRT 17.01.4 with the packages listed below. I have a roadwarrior connection on each of the two sites (which seem to have the same problem) and a site-to-site (namely net-net) tunnel between them. The connection is established successfully.

Package list:

strongswan - 5.5.3-1
strongswan-charon - 5.5.3-1
strongswan-libtls - 5.5.3-1
strongswan-mod-aes - 5.5.3-1
strongswan-mod-attr - 5.5.3-1
strongswan-mod-constraints - 5.5.3-1
strongswan-mod-coupling - 5.5.3-1
strongswan-mod-curve25519 - 5.5.3-1
strongswan-mod-des - 5.5.3-1
strongswan-mod-dhcp - 5.5.3-1
strongswan-mod-gmp - 5.5.3-1
strongswan-mod-ha - 5.5.3-1
strongswan-mod-hmac - 5.5.3-1
strongswan-mod-kernel-netlink - 5.5.3-1
strongswan-mod-led - 5.5.3-1
strongswan-mod-load-tester - 5.5.3-1
strongswan-mod-md5 - 5.5.3-1
strongswan-mod-nonce - 5.5.3-1
strongswan-mod-pem - 5.5.3-1
strongswan-mod-pkcs1 - 5.5.3-1
strongswan-mod-pubkey - 5.5.3-1
strongswan-mod-random - 5.5.3-1
strongswan-mod-revocation - 5.5.3-1
strongswan-mod-sha1 - 5.5.3-1
strongswan-mod-sha2 - 5.5.3-1
strongswan-mod-socket-default - 5.5.3-1
strongswan-mod-stroke - 5.5.3-1
strongswan-mod-uci - 5.5.3-1
strongswan-mod-updown - 5.5.3-1
strongswan-mod-x509 - 5.5.3-1
strongswan-utils - 5.5.3-1

strongswan.conf (identical on both sides):

charon {
    load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
    multiple_authentication = no
    signature_authentication = no
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

Site A:

ipsec.conf:

config setup
  #charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
conn %default
  keyexchange=ikev2
  rekey=no
  keyingtries=1
  dpdaction=clear
  dpddelay=300s
  rightsendcert=never
  rightauth=pubkey
conn roadwarrior
  left=xxx.yyy.3.50
  leftsubnet=yyy.zzz.1.0/24
  leftcert=siteA.pem
  leftid=a.site.com
  rightsourceip=%dhcp
  rightid=%any
  auto=add
  type=tunnel
  mobike=yes
conn winxp
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
conn net-net
  left=xxx.yyy.3.50
  leftsubnet=yyy.zzz.1.0/24
  leftcert=siteA.pem
  leftid=a.site.com
  leftfirewall=yes
  right=xxx.yyy.0.191
  rightid=b.site.com
  rightcert=siteB.pem
  rightsubnet=yyy.zzz.2.0/24
  auto=add
  type=tunnel
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  mobike=no

strongswan.log:

no files found matching '/etc/strongswan.d/*.conf'
Starting strongSwan 5.5.3 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Loading config setup
Loading conn 'roadwarrior'
Loading conn 'winxp'
Loading conn 'net-net'
found netkey IPsec stack
Attempting to start charon...
00[LIB] no files found matching '/etc/strongswan.d/*.conf'
00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 4.4.92, armv7l)
00[CFG] disabling load-tester plugin, not configured
00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
00[CFG] coupling file path unspecified
00[CFG] HA config misses local/remote address
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "E=contact@a.site.com, C=CN, O=a.site.com, OU=Site Root CA, CN=Site Root CA" from '/etc/ipsec.d/cacerts/cacert_siteA.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/siteA_priv.pem'
00[LIB] loaded plugins: charon attr constraints des dhcp led md5 pubkey random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 revocation hmac stroke kernel-netlink socket-default updown
00[JOB] spawning 16 worker threads
charon (28558) started after 40 ms
05[CFG] received stroke: add connection 'roadwarrior'
05[CFG]   loaded certificate "E=contact@a.site.com, C=CN, O=a.site.com, CN=a.site.com" from 'siteA.pem'
05[CFG] added configuration 'roadwarrior'
07[CFG] received stroke: add connection 'net-net'
07[CFG]   loaded certificate "E=contact@a.site.com, C=CN, O=a.site.com, CN=a.site.com" from 'siteA.pem'
07[CFG]   loaded certificate "E=contact@a.site.com, C=CN, O=a.site.com, CN=b.site.com" from 'siteB.pem'
07[CFG] added configuration 'net-net'
09[NET] received packet: from xxx.yyy.0.191[500] to xxx.yyy.3.50[500] (404 bytes)
09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(REDIR_SUP) ]
09[IKE] xxx.yyy.0.191 is initiating an IKE_SA
09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
09[NET] sending packet: from xxx.yyy.3.50[500] to xxx.yyy.0.191[500] (216 bytes)
11[NET] received packet: from xxx.yyy.0.191[500] to xxx.yyy.3.50[500] (880 bytes)
11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
11[CFG] looking for peer configs matching xxx.yyy.3.50[a.site.com]...xxx.yyy.0.191[b.site.com]
11[CFG] selected peer config 'net-net'
11[CFG]   using trusted ca certificate "E=contact@a.site.com, C=CN, O=a.site.com, OU=Site Root CA, CN=Site Root CA"
11[CFG] checking certificate status of "E=contact@a.site.com, C=CN, O=a.site.com, CN=b.site.com"
11[CFG] certificate status is not available
11[CFG]   reached self-signed root ca with a path length of 0
11[CFG]   using trusted certificate "E=contact@a.site.com, C=CN, O=a.site.com, CN=b.site.com"
11[IKE] authentication of 'b.site.com' with RSA signature successful
11[IKE] authentication of 'a.site.com' (myself) with RSA signature successful
11[IKE] IKE_SA net-net[1] established between xxx.yyy.3.50[a.site.com]...xxx.yyy.0.191[b.site.com]
11[IKE] CHILD_SA net-net{1} established with SPIs cd8b11c0_i cd034598_o and TS yyy.zzz.1.0/24 === yyy.zzz.2.0/24
11[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
11[NET] sending packet: from xxx.yyy.3.50[500] to xxx.yyy.0.191[500] (704 bytes)

Site B:

ipsec.conf:

config setup
  #charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
conn %default
  keyexchange=ikev2
  rekey=no
  keyingtries=1
  dpdaction=clear
  dpddelay=300s
  rightsendcert=never
  rightauth=pubkey
conn roadwarrior
  left=xxx.yyy.0.191
  leftsubnet=yyy.zzz.2.0/24
  leftcert=siteB.pem
  leftid=b.site.com
  rightsourceip=%dhcp
  rightid=%any
  auto=add
  type=tunnel
  mobike=yes
conn winxp
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
conn net-net
  left=xxx.yyy.0.191
  leftsubnet=yyy.zzz.2.0/24
  leftcert=siteB.pem
  leftid=b.site.com
  leftfirewall=yes
  right=xxx.yyy.3.50
  rightid=a.site.com
  rightcert=siteA.pem
  rightsubnet=yyy.zzz.1.0/24
  auto=start
  type=tunnel
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  mobike=no

strongswan.log:

no files found matching '/etc/strongswan.d/*.conf'
Starting strongSwan 5.5.3 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Loading config setup
Loading conn 'roadwarrior'
Loading conn 'winxp'
Loading conn 'net-net'
found netkey IPsec stack
Attempting to start charon...
00[LIB] no files found matching '/etc/strongswan.d/*.conf'
00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 4.4.92, mips)
00[CFG] disabling load-tester plugin, not configured
00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
00[CFG] coupling file path unspecified
00[CFG] HA config misses local/remote address
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "E=contact@a.site.com, C=CN, O=a.site.com, OU=Site Root CA, CN=Site Root CA" from '/etc/ipsec.d/cacerts/cacert_siteA.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/siteB_priv.pem'
00[LIB] loaded plugins: charon attr constraints des led md5 pubkey random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 revocation hmac stroke kernel-netlink socket-default updown
00[JOB] spawning 16 worker threads
charon (6822) started after 400 ms
05[CFG] received stroke: add connection 'roadwarrior'
05[CFG]   loaded certificate "E=contact@a.site.com, C=CN, O=a.site.com, CN=b.site.com" from 'siteB.pem'
05[CFG] added configuration 'roadwarrior'
07[CFG] received stroke: add connection 'net-net'
07[CFG]   loaded certificate "E=contact@a.site.com, C=CN, O=a.site.com, CN=b.site.com" from 'siteB.pem'
07[CFG]   loaded certificate "E=contact@a.site.com, C=CN, O=a.site.com, CN=a.site.com" from 'siteA.pem'
07[CFG] added configuration 'net-net'
09[CFG] received stroke: initiate 'net-net'
09[IKE] initiating IKE_SA net-net[1] to xxx.yyy.3.50
09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(REDIR_SUP) ]
09[NET] sending packet: from xxx.yyy.0.191[500] to xxx.yyy.3.50[500] (404 bytes)
11[NET] received packet: from xxx.yyy.3.50[500] to xxx.yyy.0.191[500] (216 bytes)
11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
11[IKE] authentication of 'b.site.com' (myself) with RSA signature successful
11[IKE] establishing CHILD_SA net-net
11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
11[NET] sending packet: from xxx.yyy.0.191[500] to xxx.yyy.3.50[500] (880 bytes)
12[NET] received packet: from xxx.yyy.3.50[500] to xxx.yyy.0.191[500] (704 bytes)
12[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
12[CFG]   using trusted ca certificate "E=contact@a.site.com, C=CN, O=a.site.com, OU=Site Root CA, CN=Site Root CA"
12[CFG] checking certificate status of "E=contact@a.site.com, C=CN, O=a.site.com, CN=a.site.com"
12[CFG] certificate status is not available
12[CFG]   reached self-signed root ca with a path length of 0
12[CFG]   using trusted certificate "E=contact@a.site.com, C=CN, O=a.site.com, CN=a.site.com"
12[IKE] authentication of 'a.site.com' with RSA signature successful
12[IKE] IKE_SA net-net[1] established between xxx.yyy.0.191[b.site.com]...xxx.yyy.3.50[a.site.com]
12[IKE] CHILD_SA net-net{1} established with SPIs cd034598_i cd8b11c0_o and TS yyy.zzz.2.0/24 === yyy.zzz.1.0/24
16[NET] received packet: from xxx.yyy.3.50[500] to xxx.yyy.0.191[500] (80 bytes)
16[ENC] parsed INFORMATIONAL request 0 [ D ]

Note: xxx.yyy masks the same digits throughout, and likewise yyy.zzz, respectively.

Excerpt of iptables -v -L from site A with fw3 stopped:

Chain INPUT (policy ACCEPT 44 packets, 4876 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 2384 packets, 2500K bytes)
 pkts bytes target     prot opt in     out     source               destination
18662   16M RRDIPT     all  --  any    any     anywhere             anywhere
    7   420 ACCEPT     all  --  pppoe-wan any     yyy.zzz.2.0/24       yyy.zzz.1.0/24       policy match dir in pol ipsec reqid 1 proto esp
   31  2564 ACCEPT     all  --  any    pppoe-wan  yyy.zzz.1.0/24       yyy.zzz.2.0/24       policy match dir out pol ipsec reqid 1 proto esp

Chain OUTPUT (policy ACCEPT 33 packets, 5038 bytes)
 pkts bytes target     prot opt in     out     source               destination

The problem is with fw3. As soon as I run fw3 stop (on both sides), I can ping a host on the other site.

Excerpt of iptables -v -L from site A with fw3 started:

Chain INPUT (policy ACCEPT 39 packets, 4361 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 999 packets, 679K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3445 2490K RRDIPT     all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  pppoe-wan any     yyy.zzz.2.0/24       yyy.zzz.1.0/24       policy match dir in pol ipsec reqid 1 proto esp
   77  7260 ACCEPT     all  --  any    pppoe-wan  yyy.zzz.1.0/24       yyy.zzz.2.0/24       policy match dir out pol ipsec reqid 1 proto esp

Chain OUTPUT (policy ACCEPT 43 packets, 6857 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RRDIPT (1 references)
 pkts bytes target     prot opt in     out     source               destination

I tested the roadwarrior part against a separate CentOS 7 server and it can communicate without problems. The problem is clearly somewhere in the OpenWRT firewall, but I have exhausted my skills as far as debugging this any further.
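The two FORWARD excerpts above already contain the most useful diagnostic signal: the rules that the strongSwan updown plugin inserts for leftfirewall=yes carry a "policy match dir in/out pol ipsec reqid N" match, and their counters show whether traffic enters the tunnel in each direction. With fw3 stopped both counters increase; with fw3 started the dir-out rule counts packets while the dir-in rule stays at zero. The following script is an added example, not code from the question or from strongSwan or OpenWRT: it parses the two listings (embedded here as constructed samples copied from the question) and classifies each reqid by that asymmetry. A one-way result is the pattern a firewall on the receiving side usually produces, and the two things worth verifying on an fw3 router are that IP protocol 50 (ESP) and UDP 500/4500 are accepted in the wan zone's input, and that the wan zone's masquerade rule does not rewrite traffic that is covered by an IPsec policy (strongSwan's documentation recommends an explicit accept for "-m policy --pol ipsec --dir out" ahead of MASQUERADE).

```python
import re
from collections import defaultdict

# Constructed samples: the FORWARD chain from the question, first with fw3
# started and then with fw3 stopped. Masked addresses are kept as posted.
FW3_STARTED = """\
Chain FORWARD (policy ACCEPT 999 packets, 679K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3445 2490K RRDIPT     all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  pppoe-wan any     yyy.zzz.2.0/24       yyy.zzz.1.0/24       policy match dir in pol ipsec reqid 1 proto esp
   77  7260 ACCEPT     all  --  any    pppoe-wan  yyy.zzz.1.0/24       yyy.zzz.2.0/24       policy match dir out pol ipsec reqid 1 proto esp
"""

FW3_STOPPED = """\
Chain FORWARD (policy ACCEPT 2384 packets, 2500K bytes)
 pkts bytes target     prot opt in     out     source               destination
18662   16M RRDIPT     all  --  any    any     anywhere             anywhere
    7   420 ACCEPT     all  --  pppoe-wan any     yyy.zzz.2.0/24       yyy.zzz.1.0/24       policy match dir in pol ipsec reqid 1 proto esp
   31  2564 ACCEPT     all  --  any    pppoe-wan  yyy.zzz.1.0/24       yyy.zzz.2.0/24       policy match dir out pol ipsec reqid 1 proto esp
"""

# The match string the strongSwan updown plugin emits for leftfirewall=yes.
POLICY_RE = re.compile(r"policy match dir (in|out) pol ipsec reqid (\d+)")

# iptables -v (without -x) abbreviates large counters with decimal suffixes.
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_count(token):
    """Expand an iptables -v counter such as '2490K' or '16M' to an int."""
    if token[-1] in SUFFIX:
        return int(float(token[:-1]) * SUFFIX[token[-1]])
    return int(token)


def ipsec_counters(listing):
    """Return {reqid: {"in": pkts, "out": pkts}} for the IPsec policy-match rules."""
    counters = defaultdict(lambda: {"in": 0, "out": 0})
    for line in listing.splitlines():
        match = POLICY_RE.search(line)
        if not match:
            continue  # header, chain line, or a rule without a policy match
        fields = line.split()  # fields[0] is pkts, fields[1] is bytes
        direction, reqid = match.group(1), int(match.group(2))
        counters[reqid][direction] += parse_count(fields[0])
    return dict(counters)


def diagnose(listing):
    """Classify each reqid: bidirectional, one-way (out only), or idle."""
    findings = {}
    for reqid, c in ipsec_counters(listing).items():
        if c["out"] > 0 and c["in"] == 0:
            findings[reqid] = "one-way"
        elif c["out"] == 0 and c["in"] == 0:
            findings[reqid] = "idle"
        else:
            findings[reqid] = "bidirectional"
    return findings


if __name__ == "__main__":
    for label, listing in (("fw3 started", FW3_STARTED), ("fw3 stopped", FW3_STOPPED)):
        print(label, ipsec_counters(listing), diagnose(listing))
```

Run it against a live router by replacing the constructed strings with the output of iptables -v -L FORWARD; a reqid that reports "one-way" while the other side's counters are also one-way in the opposite sense points at the return path, so the next step is the INPUT chain of the wan zone on the responder rather than the FORWARD chain shown here.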