IPsec IKEv2 succeeds, but Linux VTI does not work with SNAT
If you think troubleshooting IPsec is tedious, forget my logs and just let me know the implementation process; I am still confused, and any information is helpful. I removed the SPIs. This is my IP mapping:
    Our private IP address:      10.1.1.2
    Our S-NAT IP address:        172.16.0.1
    Our Public/EIP address:      1.1.1.1
    CheckPoint GW:               2.2.2.2
    Instance behind CheckPoint:  192.168.1.1
On the left side I have StrongSWAN on an AWS EC2 instance behind 1:1 NAT and an Elastic IP, configured as follows:
/etc/ipsec.conf:
    config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug="ike 2, knl 2, cfg 2"

    conn %default
        keyexchange=ikev2
        ike=aes256-sha256-modp2048
        ikelifetime=86400s
        esp=aes256-sha256-modp2048
        lifetime=10800s
        keyingtries=%forever
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

    conn Tunnel1
        auto=start
        left=10.1.1.2                 # Our private IP address
        leftsubnet=172.16.0.1/32      # Our S-NAT IP address
        leftauth=psk
        leftid=1.1.1.1                # Our Public/EIP address
        right=2.2.2.2                 # CheckPoint GW
        rightsubnet=192.168.1.1/32    # Instance behind CheckPoint
        rightauth=psk
        rightid=2.2.2.2               # CheckPoint GW
        type=tunnel
        compress=no
        mark=42
/etc/ipsec.secrets:
    1.1.1.1 2.2.2.2 : PSK "OURSECRET"
/etc/strongswan.d/charon.conf:
    install_routes = no
    install_virtual_ip = no
On the right side there is a CheckPoint device behind a firewall, which only accepts the policy when the packet's source is 172.16.0.1/32 and its destination is 192.168.1.1/32.
But I do not have that IP on any interface; it is a fake IP that hides our private range from the right side (CheckPoint).
This instance should act as a router and pass traffic from other instances through the IPsec tunnel, but every packet should be SNATed to 172.16.0.1/32.
I started StrongSWAN:
    systemctl start strongswan && systemctl status -l strongswan
       Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; vendor preset: enabled)
       Active: active (running) since Tue 2019-07-23 10:20:22 EEST; 12s ago
      Process: 2163 ExecStart=/usr/sbin/ipsec start (code=exited, status=0/SUCCESS)
      Process: 2160 ExecStartPre=/bin/mkdir -p /var/lock/subsys (code=exited, status=0/SUCCESS)
     Main PID: 2190 (starter)
        Tasks: 18
       Memory: 12.2M
          CPU: 54ms
       CGroup: /system.slice/strongswan.service
               ├─2190 /usr/lib/ipsec/starter --daemon charon
               └─2191 /usr/lib/ipsec/charon --use-syslog --debug-ike 2 --debug-knl 2 --debug-cfg 2
Configured iptables:
    iptables --append INPUT -s 2.2.2.2 -j ACCEPT
    iptables --append INPUT -d 2.2.2.2 -j ACCEPT
    iptables --table mangle --append FORWARD -o Tunnel1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Checked that IKEv2 succeeded: ipsec statusall
    Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1087-aws, x86_64):
      uptime: 79 seconds, since Jul 23 10:20:22 2019
      malloc: sbrk 1646592, mmap 0, used 568016, free 1078576
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
      loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
    Listening IP addresses:
      10.1.1.2
    Connections:
         Tunnel1:  10.1.1.2...2.2.2.2  IKEv2, dpddelay=30s
         Tunnel1:   local:  [1.1.1.1] uses pre-shared key authentication
         Tunnel1:   remote: [2.2.2.2] uses pre-shared key authentication
         Tunnel1:   child:  172.16.0.1/32 === 192.168.1.1/32 TUNNEL, dpdaction=restart
    Security Associations (1 up, 0 connecting):
         Tunnel1[1]: ESTABLISHED 79 seconds ago, 10.1.1.2[1.1.1.1]...2.2.2.2[2.2.2.2]
         Tunnel1[1]: IKEv2 SPIs: ##**REMOVED**##* ##**REMOVED**##, pre-shared key reauthentication in 23 hours
         Tunnel1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
         Tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c05ce72f_i 35f8fdaa_o
         Tunnel1{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 2 hours
         Tunnel1{1}:   172.16.0.1/32 === 192.168.1.1/32
Checked that the XFRM policies were added: ip -s -s xfrm policy:
    src 192.168.1.1/32 dst 172.16.0.1/32 uid 0
        dir fwd action allow index 82 priority 2819 share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2019-07-23 10:20:22 use -
        mark 0x2a/0xffffffff
        tmpl src 2.2.2.2 dst 10.1.1.2
            proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
            level required share any
            enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
    src 192.168.1.1/32 dst 172.16.0.1/32 uid 0
        dir in action allow index 72 priority 2819 share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2019-07-23 10:20:22 use -
        mark 0x2a/0xffffffff
        tmpl src 2.2.2.2 dst 10.1.1.2
            proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
            level required share any
            enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
    src 172.16.0.1/32 dst 192.168.1.1/32 uid 0
        dir out action allow index 65 priority 2819 share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2019-07-23 10:20:22 use -
        mark 0x2a/0xffffffff
        tmpl src 10.1.1.2 dst 2.2.2.2
            proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
            level required share any
            enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
ip -s -s xfrm state:
    src 10.1.1.2 dst 2.2.2.2
        proto esp spi ##**REMOVED**##(##**REMOVED**##) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        mark 0x2a/0xffffffff
        auth-trunc hmac(sha256) ##**REMOVED**## (256 bits) 128
        enc cbc(aes) ##**REMOVED**## (256 bits)
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 9745(sec), hard 10800(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2019-07-23 10:20:22 use -
        stats:
          replay-window 0 replay 0 failed 0
    src 2.2.2.2 dst 10.1.1.2
        proto esp spi ##**REMOVED**##(##**REMOVED**##) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        mark 0x2a/0xffffffff
        auth-trunc hmac(sha256) ##**REMOVED**## (256 bits) 128
        enc cbc(aes) ##**REMOVED**## (256 bits)
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 10057(sec), hard 10800(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2019-07-23 10:20:22 use -
        stats:
          replay-window 0 replay 0 failed 0
Created the VTI device:
    ip tunnel add Tunnel1 local 10.1.1.2 remote 2.2.2.2 mode vti key 42
    ip addr add 172.16.0.1/32 remote 192.168.1.1/32 dev Tunnel1
    ip link set Tunnel1 up mtu 1419
Disabled the policy on the tunnel and added the iptables TCPMSS rules:
    sysctl -w net.ipv4.conf.Tunnel1.disable_policy=1
    iptables --table mangle --append FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
    iptables --table mangle --append FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
But when I ping 192.168.1.1 with source 172.16.0.1, I get Destination Host Unreachable, whether I use ping 192.168.1.1 OR ping -I 172.16.0.1 192.168.1.1 OR ping -I Tunnel1 192.168.1.1:
    ping -c 3 -I 172.16.0.1 192.168.1.1
    PING 192.168.1.1 (192.168.1.1) from 172.16.0.1 Tunnel1: 56(84) bytes of data.
    From 172.16.0.1 icmp_seq=1 Destination Host Unreachable
    From 172.16.0.1 icmp_seq=2 Destination Host Unreachable
    From 172.16.0.1 icmp_seq=3 Destination Host Unreachable

    --- 192.168.1.1 ping statistics ---
    3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1998ms
Here are some other logs. ip addr show:
    3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1
        link/ipip 0.0.0.0 brd 0.0.0.0
    4: Tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN group default qlen 1
        link/ipip 10.1.1.2 peer 2.2.2.2
        inet 172.16.0.1 peer 192.168.1.1/32 scope global Tunnel1
           valid_lft forever preferred_lft forever
ip -s -s link show:
    3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1
        link/ipip 0.0.0.0 brd 0.0.0.0
        RX: bytes  packets  errors  dropped overrun mcast
        0          0        0       0       0       0
        RX errors: length   crc     frame   fifo    missed
                   0        0       0       0       0
        TX: bytes  packets  errors  dropped carrier collsns
        0          0        0       0       0       0
        TX errors: aborted  fifo   window heartbeat transns
                   0        0       0       0       0
    4: Tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
        link/ipip 10.1.1.2 peer 2.2.2.2
        RX: bytes  packets  errors  dropped overrun mcast
        0          0        0       0       0       0
        RX errors: length   crc     frame   fifo    missed
                   0        0       0       0       0
        TX: bytes  packets  errors  dropped carrier collsns
        0          0        14      0       14      0
        TX errors: aborted  fifo   window heartbeat transns
                   0        0       0       0       0
ip -s tunnel show Tunnel1:
    Tunnel1: ip/ip remote 2.2.2.2 local 10.1.1.2 ttl inherit key 42
    RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
        0          0            0      0        0        0
    TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
        0          0            14     0        14       0
ifconfig -a:
    Tunnel1   Link encap:IPIP Tunnel  HWaddr
              inet addr:172.16.0.1  P-t-P:192.168.1.1  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP  MTU:1419  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:14 dropped:0 overruns:0 carrier:14 collisions:0
              txqueuelen:1
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    ip_vti0   Link encap:IPIP Tunnel  HWaddr
              NOARP  MTU:1480  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
              txqueuelen:1
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
I disabled the source/destination check on the AWS EC2 instance and whitelisted the right side's (CheckPoint) IP address for all traffic in the AWS security group. I am sure NAT-Traversal is supported, and I can see its traffic with tcpdump: tcpdump -i any -nnnNq host 2.2.2.2
    10:32:02.983136 IP 10.1.1.2.500 > 2.2.2.2.500: UDP, length 1084
    10:32:03.035572 IP 2.2.2.2.500 > 10.1.1.2.500: UDP, length 708
    10:32:03.044827 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 372
    10:32:03.108335 IP 2.2.2.2.4500 > 10.1.1.2.4500: UDP, length 276
    10:32:27.042735 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 1
    10:32:33.110661 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 84
    10:32:33.159623 IP 2.2.2.2.4500 > 10.1.1.2.4500: UDP, length 84
    10:32:57.043342 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 1
    10:33:03.110977 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 84
CheckPoint shows the tunnel as established, but I see nothing in tcpdump when I send ping packets. journalctl -fu strongswan is available here:
I also tried the VTI endpoint this way, but it did not change anything:
    ip tunnel add Tunnel1 local 10.1.1.2 remote 2.2.2.2 mode vti key 42
    ip addr add 172.16.0.1/32 remote 0.0.0.0/0 dev Tunnel1
    ip link set Tunnel1 up mtu 1419
Have I implemented this structure correctly? Should I set the fake IP on the VTI device? Should I add another iptables rule to apply a MARK, something like this?
    iptables -t mangle -A INPUT -p esp -s 2.2.2.2 -d 1.1.1.1 -j MARK --set-xmark 42
Versions:
ipsec --version:
    Linux strongSwan U5.3.5/K4.4.0-1087-aws
lsb_release -a:
    Distributor ID: Ubuntu
    Description:    Ubuntu 16.04.6 LTS
    Release:        16.04
    Codename:       xenial
dpkg -l | grep -i strongswan:
    ii  libcharon-extra-plugins         5.3.5-1ubuntu3.8   amd64   strongSwan charon library (extra plugins)
    ii  libstrongswan                   5.3.5-1ubuntu3.8   amd64   strongSwan utility and crypto library
    ii  libstrongswan-standard-plugins  5.3.5-1ubuntu3.8   amd64   strongSwan utility and crypto library (standard plugins)
    ii  strongswan                      5.3.5-1ubuntu3.8   all     IPsec VPN solution metapackage
    ii  strongswan-charon               5.3.5-1ubuntu3.8   amd64   strongSwan Internet Key Exchange daemon
    ii  strongswan-libcharon            5.3.5-1ubuntu3.8   amd64   strongSwan charon library
    ii  strongswan-starter              5.3.5-1ubuntu3.8   amd64   strongSwan daemon starter and configuration file parser
    ii  strongswan-tnc-base             5.3.5-1ubuntu3.8   amd64   strongSwan Trusted Network Connect's (TNC) - base files
Thanks in advance for your help.
About a month later we stopped working on StrongSWAN and used CHR (Mikrotik Cloud Hosted Router); the setup was quick and simple, and we have had no problems in the past two months.
So, for anyone reading this question: you can switch to CHR with a free license, or test a LibreSWAN route-based VPN with VTI.
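As an added diagnostic, not code from the question, from strongSwan or from the kernel, the following Python script models the consistency rules that the Linux VTI transmit and receive paths impose on the XFRM policies strongSwan installs, and runs them over the values from the question above. In ip_vti.c the transmit path overrides the flow mark with the VTI's output key before xfrm_lookup(), so the `out` policy must carry that mark; the SA the policy selects must then be tunnel mode with the VTI's local/remote as its outer addresses (vti_state_check), otherwise tx_carrier_errors is incremented (the NoRoute column of `ip -s tunnel show`, carrier in ifconfig) and the sender gets an ICMP host unreachable. On receive, xfrm_input() looks the SA up using the VTI's input key as the mark, so the `in`/`fwd` policies need the same mark unless disable_policy is set on the device. The `ip tunnel show` and `ip xfrm policy` texts embedded below are constructed from the question's output, trimmed to the fields the check reads; the function names are my own.

```python
import ipaddress
import re

# Constructed sample, shaped like `ip tunnel show Tunnel1` on the question's host.
TUNNEL_SHOW = "Tunnel1: ip/ip remote 2.2.2.2 local 10.1.1.2 ttl inherit key 42"

# Constructed sample, shaped like `ip xfrm policy`, reduced to the fields the
# check reads; the values are the ones strongSwan installed in the question.
XFRM_POLICY = """\
src 192.168.1.1/32 dst 172.16.0.1/32
    dir fwd priority 2819
    mark 0x2a/0xffffffff
    tmpl src 2.2.2.2 dst 10.1.1.2
        proto esp reqid 1 mode tunnel
src 192.168.1.1/32 dst 172.16.0.1/32
    dir in priority 2819
    mark 0x2a/0xffffffff
    tmpl src 2.2.2.2 dst 10.1.1.2
        proto esp reqid 1 mode tunnel
src 172.16.0.1/32 dst 192.168.1.1/32
    dir out priority 2819
    mark 0x2a/0xffffffff
    tmpl src 10.1.1.2 dst 2.2.2.2
        proto esp reqid 1 mode tunnel
"""


def parse_tunnel(text):
    """Extract local/remote and the input/output keys of a VTI from `ip tunnel show`."""
    ends = re.search(r"remote (\S+) local (\S+)", text)
    key = re.search(r"\bkey (\d+)", text)
    if key:
        ikey = okey = int(key.group(1))
    else:  # `ip tunnel show` prints ikey/okey separately when they differ
        ikey = int(re.search(r"\bikey (\d+)", text).group(1))
        okey = int(re.search(r"\bokey (\d+)", text).group(1))
    return {"remote": ends.group(1), "local": ends.group(2), "ikey": ikey, "okey": okey}


def parse_policies(text):
    """Split `ip xfrm policy` output into records (one per unindented `src` line)."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("src ") and current:
            records.append(" ".join(current))
            current = []
        current.append(line.strip())
    if current:
        records.append(" ".join(current))
    policies = []
    for rec in (r.strip() for r in records):
        if not rec:
            continue
        head = re.match(r"src (\S+) dst (\S+)", rec)
        dir_ = re.search(r"\bdir (\w+)", rec)
        mark = re.search(r"\bmark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)", rec)
        tmpl = re.search(r"tmpl src (\S+) dst (\S+)", rec)
        mode = re.search(r"\bmode (\w+)", rec)
        policies.append({
            "src": ipaddress.ip_network(head.group(1)),
            "dst": ipaddress.ip_network(head.group(2)),
            "dir": dir_.group(1),
            # a policy without a mark line matches any fwmark (mask 0)
            "mark": int(mark.group(1), 16) if mark else 0,
            "mask": int(mark.group(2), 16) if mark else 0,
            "tmpl_src": tmpl.group(1) if tmpl else None,
            "tmpl_dst": tmpl.group(2) if tmpl else None,
            "mode": mode.group(1) if mode else None,
        })
    return policies


def mark_matches(fwmark, policy):
    """Kernel policy mark semantics: compare only the bits under the mask."""
    return (fwmark & policy["mask"]) == (policy["mark"] & policy["mask"])


def check_vti(tunnel, policies, src, dst):
    """Findings for a packet src->dst sent into the VTI (empty list == consistent)."""
    findings = []
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Transmit: the VTI output key becomes the flow mark, then xfrm_lookup()
    # needs an `out` policy whose selector and mark both match.
    out = [p for p in policies if p["dir"] == "out" and s in p["src"] and d in p["dst"]]
    if not out:
        return [f"no out policy covers {src} -> {dst}"]
    marked = [p for p in out if mark_matches(tunnel["okey"], p)]
    if not marked:
        return [f"out policy for {src} -> {dst} has mark {out[0]['mark']:#x}, "
                f"which does not match VTI okey {tunnel['okey']}"]
    p = marked[0]
    # vti_state_check(): tunnel mode, and the SA's outer addresses must equal
    # the VTI local/remote; otherwise the packet is counted as a carrier error
    # (NoRoute in `ip -s tunnel show`) and ICMP host unreachable is returned.
    if p["mode"] != "tunnel":
        findings.append(f"out policy mode is {p['mode']}, VTI requires tunnel mode")
    if (p["tmpl_src"], p["tmpl_dst"]) != (tunnel["local"], tunnel["remote"]):
        findings.append(f"out template {p['tmpl_src']} -> {p['tmpl_dst']} does not "
                        f"match VTI local/remote {tunnel['local']} -> {tunnel['remote']}")
    # Receive: xfrm_input() uses the VTI input key as the mark for the SA lookup
    # and the in/fwd policy check, so the reverse policies must carry it too.
    for direction in ("in", "fwd"):
        if not any(q["dir"] == direction and d in q["src"] and s in q["dst"]
                   and mark_matches(tunnel["ikey"], q) for q in policies):
            findings.append(f"no {direction} policy for {dst} -> {src} with a mark "
                            f"matching VTI ikey {tunnel['ikey']}")
    return findings


if __name__ == "__main__":
    tunnel = parse_tunnel(TUNNEL_SHOW)
    policies = parse_policies(XFRM_POLICY)
    print("question's values:",
          check_vti(tunnel, policies, "172.16.0.1", "192.168.1.1") or "consistent")
    # Constructed mismatch: the same VTI created with `key 43` against these policies.
    print("key 43:", check_vti(dict(tunnel, ikey=43, okey=43), policies,
                               "172.16.0.1", "192.168.1.1"))
```

On the question's own values the three policies line up with the VTI (key 42 equals mark 0x2a, the out template 10.1.1.2 -> 2.2.2.2 equals the VTI local/remote), so this check reports nothing; the constructed `key 43` case shows what a key/mark mismatch reports. Because NoRoute is exactly the counter that fails at this lookup, a clean result here narrows the remaining suspects to the pieces the script cannot see offline: the route that delivered the packet into Tunnel1 and the SA that the out policy actually selects (`ip xfrm state`, including its mark and outer addresses).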