Connexion Strongswan (IKEv2) établie, mais aucun routage du trafic


8

J'ai déjà vu ce genre de question plusieurs fois auparavant, mais jusqu'à présent, aucune d'entre elles n'a résolu mon problème.

J'essaie de configurer un VPN IKEv2 sur mon serveur Ubuntu à utiliser avec mon Windows Phone à l'aide de Strongswan. La connexion semble être correctement configurée, mais aucun paquet n'est acheminé et je ne peux pas cingler l'adresse IP du client VPN.

Le réseau interne de mon serveur est 192.168.1.0/24, et l'IP de mon serveur est 192.168.1.110 et derrière NAT.

/ var / log / syslog

May  8 09:50:01 seanco-server charon: 16[NET] received packet: from 166.147.118.120[13919] to 192.168.1.110[500]
May  8 09:50:01 seanco-server charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May  8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
May  8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
May  8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
May  8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May  8 09:50:01 seanco-server charon: 16[IKE] 166.147.118.120 is initiating an IKE_SA
May  8 09:50:01 seanco-server charon: 16[IKE] local host is behind NAT, sending keep alives
May  8 09:50:01 seanco-server charon: 16[IKE] remote host is behind NAT
May  8 09:50:01 seanco-server charon: 16[IKE] sending cert request for "C=xx, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx"
May  8 09:50:01 seanco-server charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May  8 09:50:01 seanco-server charon: 16[NET] sending packet: from 192.168.1.110[500] to 166.147.118.120[13919]
May  8 09:50:01 seanco-server charon: 08[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:01 seanco-server charon: 08[ENC] unknown attribute type INTERNAL_IP4_SERVER
May  8 09:50:01 seanco-server charon: 08[ENC] unknown attribute type INTERNAL_IP6_SERVER
May  8 09:50:01 seanco-server charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May  8 09:50:01 seanco-server charon: 08[IKE] received cert request for "C=xx, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx"
May  8 09:50:01 seanco-server charon: 08[IKE] received 31 cert requests for an unknown ca
May  8 09:50:01 seanco-server charon: 08[CFG] looking for peer configs matching 192.168.1.110[%any]...166.147.118.120[10.212.235.245]
May  8 09:50:01 seanco-server charon: 08[CFG] selected peer config 'windows-phone-vpn'
May  8 09:50:01 seanco-server charon: 08[IKE] initiating EAP-Identity request
May  8 09:50:01 seanco-server charon: 08[IKE] peer supports MOBIKE
May  8 09:50:01 seanco-server charon: 08[IKE] authentication of 'steakscorp.org' (myself) with RSA signature successful
May  8 09:50:01 seanco-server charon: 08[IKE] sending end entity cert "D=xxx, C=xx, CN=xxx, E=xxx"
May  8 09:50:01 seanco-server charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May  8 09:50:01 seanco-server charon: 08[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:02 seanco-server charon: 10[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:02 seanco-server charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May  8 09:50:02 seanco-server charon: 10[IKE] received EAP identity 'Windows Phone\jinhai'
May  8 09:50:02 seanco-server charon: 10[IKE] initiating EAP_MSCHAPV2 method (id 0xA5)
May  8 09:50:02 seanco-server charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
May  8 09:50:02 seanco-server charon: 10[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:02 seanco-server charon: 09[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:02 seanco-server charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
May  8 09:50:02 seanco-server charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
May  8 09:50:02 seanco-server charon: 09[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:02 seanco-server charon: 11[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:02 seanco-server charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
May  8 09:50:02 seanco-server charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
May  8 09:50:02 seanco-server charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
May  8 09:50:02 seanco-server charon: 11[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:02 seanco-server charon: 12[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:02 seanco-server charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
May  8 09:50:02 seanco-server charon: 12[IKE] authentication of '10.212.235.245' with EAP successful
May  8 09:50:02 seanco-server charon: 12[IKE] authentication of 'steakscorp.org' (myself) with EAP
May  8 09:50:02 seanco-server charon: 12[IKE] IKE_SA windows-phone-vpn[2] established between 192.168.1.110[steakscorp.org]...166.147.118.120[10.212.235.245]
May  8 09:50:02 seanco-server charon: 12[IKE] scheduling reauthentication in 10200s
May  8 09:50:02 seanco-server charon: 12[IKE] maximum IKE_SA lifetime 10740s
May  8 09:50:02 seanco-server charon: 12[IKE] peer requested virtual IP %any6
May  8 09:50:02 seanco-server charon: 12[CFG] reassigning offline lease to 'Windows Phone\jinhai'
May  8 09:50:02 seanco-server charon: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'Windows Phone\jinhai'
May  8 09:50:02 seanco-server charon: 12[IKE] CHILD_SA windows-phone-vpn{2} established with SPIs c214680b_i a1cbebd2_o and TS 0.0.0.0/0[udp/l2f] === 10.8.0.1/32[udp]
May  8 09:50:02 seanco-server vpn: + 10.212.235.245 10.8.0.1/32 == 166.147.118.120 -- 192.168.1.110 == 0.0.0.0/0
May  8 09:50:02 seanco-server charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH CP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
May  8 09:50:02 seanco-server charon: 12[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:22 seanco-server charon: 16[IKE] sending keep alive
May  8 09:50:22 seanco-server charon: 16[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:32 seanco-server charon: 10[IKE] sending DPD request
May  8 09:50:32 seanco-server charon: 10[ENC] generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]

/etc/ipsec.conf

config setup
        strictcrlpolicy = no
        charonstart = yes
        plutostart = no

conn windows-phone-vpn
        auto = route
        compress = no
        dpdaction = clear
        pfs = no
        keyexchange = ikev2
        type = tunnel
        left = %any
        leftfirewall = yes
        leftauth = pubkey
        leftid = steakscorp.org
        leftcert = /etc/apache2/ssl/start-ssl.crt
        leftca = /etc/apache2/ssl/start-ssl-ca.pem
        leftsendcert = always
        leftsubnet = 0.0.0.0/0
        right = %any
        rightauth = eap-mschapv2
        eap_identity = %any
        rightca = /etc/ipsec.d/cacerts/vpnca.pem
        rightsendcert = ifasked
        rightsourceip = 10.8.0.0/24
        #leftprotoport = 17/1701
        #rightprotoport = 17/%any

ifconfig

eth1      Link encap:Ethernet  HWaddr aa:00:04:00:0a:04
          inet addr:192.168.1.110  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:4fff:feaa:1577/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:157187 errors:0 dropped:0 overruns:0 frame:0
          TX packets:162827 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:121434663 (121.4 MB)  TX bytes:129069773 (129.0 MB)
          Interrupt:21 Memory:fe9e0000-fea00000

ham0      Link encap:Ethernet  HWaddr 7a:79:19:da:fb:84
          inet addr:25.218.251.132  Bcast:25.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::7879:19ff:feda:fb84/64 Scope:Link
          inet6 addr: 2620:9b::19da:fb84/96 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1404  Metric:1
          RX packets:1622 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3115 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:384780 (384.7 KB)  TX bytes:1249410 (1.2 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6554 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6554 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2036987 (2.0 MB)  TX bytes:2036987 (2.0 MB)

iptables

# Generated by iptables-save v1.4.12 on Fri May  9 10:33:46 2014
*mangle
:PREROUTING ACCEPT [604388:58921019]
:INPUT ACCEPT [4937028:2589137657]
:FORWARD ACCEPT [22:1366]
:OUTPUT ACCEPT [3919078:5188868578]
:POSTROUTING ACCEPT [4008714:5195778648]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Fri May  9 10:33:46 2014
# Generated by iptables-save v1.4.12 on Fri May  9 10:33:46 2014
*filter
:INPUT ACCEPT [1737:217459]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16831:20344894]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_U_ADMIN_IN - [0:0]
:AS0_U_USERLOCA_IN - [0:0]
:AS0_WEBACCEPT - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-apache-404 - [0:0]
:fail2ban-apache-noscript - [0:0]
:fail2ban-apache-overflows - [0:0]
:fail2ban-apache-postflood - [0:0]
:fail2ban-ip-blocklist - [0:0]
:fail2ban-repeatoffender - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-404
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A INPUT -p tcp -j fail2ban-ip-blocklist
-A INPUT -p tcp -j fail2ban-repeatoffender
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-postflood
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 10.0.8.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_OUT -j DROP
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_U_ADMIN_IN -d 192.168.1.0/24 -j ACCEPT
-A AS0_U_ADMIN_IN -j AS0_IN_POST
-A AS0_U_USERLOCA_IN -d 192.168.1.0/24 -j ACCEPT
-A AS0_U_USERLOCA_IN -j AS0_IN_POST
-A AS0_WEBACCEPT -j ACCEPT
-A fail2ban-apache -j RETURN
-A fail2ban-apache-404 -j RETURN
-A fail2ban-apache-noscript -j RETURN
-A fail2ban-apache-overflows -j RETURN
-A fail2ban-apache-postflood -j RETURN
-A fail2ban-ip-blocklist -j RETURN
-A fail2ban-repeatoffender -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN
COMMIT
# Completed on Fri May  9 10:33:46 2014
# Generated by iptables-save v1.4.12 on Fri May  9 10:33:46 2014
*nat
:PREROUTING ACCEPT [906:84714]
:INPUT ACCEPT [860:81590]
:OUTPUT ACCEPT [233:50740]
:POSTROUTING ACCEPT [233:50740]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A POSTROUTING -d 192.168.2.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
-A AS0_NAT -o eth1 -j SNAT --to-source 192.168.1.110
-A AS0_NAT -o ham0 -j SNAT --to-source 25.218.251.132
-A AS0_NAT -o tun0 -j SNAT --to-source 10.8.0.1
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -d 10.0.8.0/24 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Fri May  9 10:33:46 2014

politique d'ip xfrm

src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701
        dir fwd priority 1920
        tmpl src 166.147.118.120 dst 192.168.1.110
                proto esp reqid 3 mode tunnel
src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701
        dir in priority 1920
        tmpl src 166.147.118.120 dst 192.168.1.110
                proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 10.8.0.1/32 proto udp sport 1701
        dir out priority 1920
        tmpl src 192.168.1.110 dst 166.147.118.120
                proto esp reqid 3 mode tunnel

Certaines choses me semblent un peu étranges (ne devrait-on pas faire apparaître un ipsec0 ou quelque chose lorsque la connexion s'établit?), Mais je suis perplexe à ce stade et j'apprécierais vraiment une aide.

Edit : commenté les lignes protoport et supprimé l'interface tun0.


1
Vous devez certainement vous débarrasser des left|rightprotoportoptions. Avec ces valeurs, elles sont utilisées lorsque vous utilisez IKEv1 / L2TP / IPsec, ce que vous n'êtes pas, vous utilisez IKEv2 avec IPsec standard. Pourquoi y a-t-il un périphérique TUN auquel l'adresse IP du client est attribuée? La lecture de Forwarding et de Split-Tunneling sur le wiki strongSwan pourrait également aider.
ecdsa

Correction des configurations (tun0 n'est plus activé et les options du protoport ont été commentées). Je vais de nouveau consulter l'article wiki - et j'ai essayé de configurer NAT sur mon interface gauche avec: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPTER iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE ... mais jusqu'à présent, rien n'a changé.
Jinhai

J'ai remarqué un "-A POSTROUTING -d 192.168.2.0/24 -o ppp0 -j MASQUERADE" dans mes iptables de mon VPN L2TP / PPP, et cela fonctionne. Peut-être que je dois ajouter un équivalent pour mon réseau IKEv2 et 10.8.0.0/24, mais quelle interface utiliserais-je? (Désolé, un peu stupide en ce qui concerne iptables)
Jinhai

Réponses:


3

Vous avez besoin:

>$ iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source "your VPN host IP"
>$ service iptables save
>$ service iptables restart
>$ service ipsec restart

5
Pourquoi cela résout-il votre problème?
Ryan Shillington

1

Avez-vous activé le transfert ipv4?

$sudo sysctl -w net.ipv4.ip_forward=1

Avez-vous ajouté une règle MASQUERADE POSTROUTING?

$sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Oui et oui (bien que mon adaptateur soit eth1 à la place).
Jinhai

Pouvez-vous publier la table de routage du client?
MemCtrl

Je ne peux pas, mais je suis sûr que c'est le problème - mon serveur n'affiche aucun trafic sur le réseau privé 10.8.0.0/24 à partir du téléphone lorsqu'il est connecté et essaie d'accéder à Internet. Y a-t-il quelque chose que je peux ajouter côté serveur pour ajouter une route vers l'extérieur sur le client?
Jinhai
En utilisant notre site, vous reconnaissez avoir lu et compris notre politique liée aux cookies et notre politique de confidentialité.
Licensed under cc by-sa 3.0 with attribution required.