Iptables

IPsec IKEv2 成功,但 Linux VTI 不適用於 SNAT

  • October 13, 2019

如果您認為troubleshooting IPsec is tedious,請忘記我的日誌,只是let me know the implementation process,我仍然感到困惑,任何資訊都是有幫助的。

我刪除了 SPI,這是我的 IP 映射:

Our private IP address:
10.1.1.2
Our S-NAT IP address:
172.16.0.1
Our Pubic/EIP address:
1.1.1.1
CheckPoint GW:
2.2.2.2
Instance behind CheckPoint:
192.168.1.1

在左側,我在 AWS EC2 實例的 1:1 NAT 和彈性 IP 後面有 StrongSWAN,配置如下:

/etc/ipsec.conf:

config setup
   # strictcrlpolicy=yes
   # uniqueids = no
   charondebug="ike 2, knl 2, cfg 2"

conn %default
   keyexchange=ikev2
   ike=aes256-sha256-modp2048
   ikelifetime=86400s
   esp=aes256-sha256-modp2048
   lifetime=10800s
   keyingtries=%forever
   dpddelay=30s
   dpdtimeout=120s
   dpdaction=restart

conn Tunnel1
   auto=start
   left=10.1.1.2 # Our private IP address
   leftsubnet=172.16.0.1/32 # Our S-NAT IP address
   leftauth=psk
   leftid=1.1.1.1 # Our Pubic/EIP address
   right=2.2.2.2 # CheckPoint GW
   rightsubnet=192.168.1.1/32 # Instance behind CheckPoint 
   rightauth=psk
   rightid=2.2.2.2 # CheckPoint GW
   type=tunnel
   compress=no
   mark=42

/etc/ipsec.secrets:

1.1.1.1 2.2.2.2 : PSK "OURSECRET"

/etc/strongswan.d/charon.conf:

install_routes = no
install_virtual_ip = no

右側有一個位於防火牆後面的 CheckPoint 設備,僅當數據包的源為 172.16.0.1/32 且其目標為 192.168.1.1/32 時才接受策略。

但是我的介面上沒有那個 IP,它是一個偽 IP,可以從右側(檢查點)隱藏我們的私有範圍。

此實例應充當路由器並通過 IPsec 隧道傳遞來自其他實例的流量,但每個數據包都應 SNAT 到 172.16.0.1/32。

我啟動了SongSWAN:

systemctl start strongswan && systemctl status -l strongswan
Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; vendor preset: enabled)
  Active: active (running) since Tue 2019-07-23 10:20:22 EEST; 12s ago
 Process: 2163 ExecStart=/usr/sbin/ipsec start (code=exited, status=0/SUCCESS)
 Process: 2160 ExecStartPre=/bin/mkdir -p /var/lock/subsys (code=exited, status=0/SUCCESS)
Main PID: 2190 (starter)
   Tasks: 18
  Memory: 12.2M
     CPU: 54ms
  CGroup: /system.slice/strongswan.service
          ├─2190 /usr/lib/ipsec/starter --daemon charon
          └─2191 /usr/lib/ipsec/charon --use-syslog --debug-ike 2 --debug-knl 2 --debug-cfg 2

配置iptables:

iptables --append INPUT -s 2.2.2.2 -j ACCEPT
iptables --append INPUT -d 2.2.2.2 -j ACCEPT
iptables --table mangle --append FORWARD -o Tunnel1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

檢查 IKEv2 是否成功:ipsec statusall

Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1087-aws, x86_64):
 uptime: 79 seconds, since Jul 23 10:20:22 2019
 malloc: sbrk 1646592, mmap 0, used 568016, free 1078576
 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
 loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
 10.1.1.2
Connections:
    Tunnel1:  10.1.1.2...2.2.2.2  IKEv2, dpddelay=30s
    Tunnel1:   local:  [1.1.1.1] uses pre-shared key authentication
    Tunnel1:   remote: [2.2.2.2] uses pre-shared key authentication
    Tunnel1:   child:  172.16.0.1/32 === 192.168.1.1/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
    Tunnel1[1]: ESTABLISHED 79 seconds ago, 10.1.1.2[1.1.1.1]...2.2.2.2[2.2.2.2]
    Tunnel1[1]: IKEv2 SPIs: ##**REMOVED**##* ##**REMOVED**##, pre-shared key reauthentication in 23 hours
    Tunnel1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c05ce72f_i 35f8fdaa_o
    Tunnel1{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 2 hours
    Tunnel1{1}:   172.16.0.1/32 === 192.168.1.1/32

檢查是否已添加 XFRM 策略:ip -s -s xfrm 策略:

src 192.168.1.1/32 dst 172.16.0.1/32 uid 0
   dir fwd action allow index 82 priority 2819 share any flag  (0x00000000)
   lifetime config:
     limit: soft (INF)(bytes), hard (INF)(bytes)
     limit: soft (INF)(packets), hard (INF)(packets)
     expire add: soft 0(sec), hard 0(sec)
     expire use: soft 0(sec), hard 0(sec)
   lifetime current:
     0(bytes), 0(packets)
     add 2019-07-23 10:20:22 use -
   mark 0x2a/0xffffffff
   tmpl src 2.2.2.2 dst 10.1.1.2
       proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
       level required share any
       enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.1.1/32 dst 172.16.0.1/32 uid 0
   dir in action allow index 72 priority 2819 share any flag  (0x00000000)
   lifetime config:
     limit: soft (INF)(bytes), hard (INF)(bytes)
     limit: soft (INF)(packets), hard (INF)(packets)
     expire add: soft 0(sec), hard 0(sec)
     expire use: soft 0(sec), hard 0(sec)
   lifetime current:
     0(bytes), 0(packets)
     add 2019-07-23 10:20:22 use -
   mark 0x2a/0xffffffff
   tmpl src 2.2.2.2 dst 10.1.1.2
       proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
       level required share any
       enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 172.16.0.1/32 dst 192.168.1.1/32 uid 0
   dir out action allow index 65 priority 2819 share any flag  (0x00000000)
   lifetime config:
     limit: soft (INF)(bytes), hard (INF)(bytes)
     limit: soft (INF)(packets), hard (INF)(packets)
     expire add: soft 0(sec), hard 0(sec)
     expire use: soft 0(sec), hard 0(sec)
   lifetime current:
     0(bytes), 0(packets)
     add 2019-07-23 10:20:22 use -
   mark 0x2a/0xffffffff
   tmpl src 10.1.1.2 dst 2.2.2.2
       proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
       level required share any
       enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

ip -s -s xfrm 狀態:

src 10.1.1.2 dst 2.2.2.2
   proto esp spi ##**REMOVED**##(##**REMOVED**##) reqid 1(0x00000001) mode tunnel
   replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
   mark 0x2a/0xffffffff
   auth-trunc hmac(sha256) ##**REMOVED**## (256 bits) 128
   enc cbc(aes) ##**REMOVED**## (256 bits)
   encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
   anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
   lifetime config:
     limit: soft (INF)(bytes), hard (INF)(bytes)
     limit: soft (INF)(packets), hard (INF)(packets)
     expire add: soft 9745(sec), hard 10800(sec)
     expire use: soft 0(sec), hard 0(sec)
   lifetime current:
     0(bytes), 0(packets)
     add 2019-07-23 10:20:22 use -
   stats:
     replay-window 0 replay 0 failed 0
src 2.2.2.2 dst 10.1.1.2
   proto esp spi ##**REMOVED**##(##**REMOVED**##) reqid 1(0x00000001) mode tunnel
   replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
   mark 0x2a/0xffffffff
   auth-trunc hmac(sha256) ##**REMOVED**## (256 bits) 128
   enc cbc(aes) ##**REMOVED**## (256 bits)
   encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
   anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
   lifetime config:
     limit: soft (INF)(bytes), hard (INF)(bytes)
     limit: soft (INF)(packets), hard (INF)(packets)
     expire add: soft 10057(sec), hard 10800(sec)
     expire use: soft 0(sec), hard 0(sec)
   lifetime current:
     0(bytes), 0(packets)
     add 2019-07-23 10:20:22 use -
   stats:
     replay-window 0 replay 0 failed 0

創建 VTI 設備:

ip tunnel add Tunnel1 local 10.1.1.2 remote 2.2.2.2 mode vti key 42
ip addr add 172.16.0.1/32 remote 192.168.1.1/32 dev Tunnel1
ip link set Tunnel1 up mtu 1419

禁用隧道策略並添加 iptables TCPMSS:

sysctl -w net.ipv4.conf.Tunnel1.disable_policy=1
iptables --table mangle --append FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables --table mangle --append FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

但是當我用源 172.16.0.1 ping 192.168.1.1 時,我得到Destination Host Unreachable.

ping 192.168.1.1 OR ping -I 172.16.0.1 192.168.1.1 OR ping -I Tunnel1 192.168.1.1
ping -c 3 -I 172.16.0.1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) from 172.16.0.1 Tunnel1: 56(84) bytes of data.
From 172.16.0.1 icmp_seq=1 Destination Host Unreachable
From 172.16.0.1 icmp_seq=2 Destination Host Unreachable
From 172.16.0.1 icmp_seq=3 Destination Host Unreachable

--- 192.168.1.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1998ms

這是其他一些日誌: ip 地址顯示:

3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1
   link/ipip 0.0.0.0 brd 0.0.0.0
4: Tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN group default qlen 1
   link/ipip 10.1.1.2 peer 2.2.2.2
   inet 172.16.0.1 peer 192.168.1.1/32 scope global Tunnel1
      valid_lft forever preferred_lft forever

ip -s -s 連結顯示:

3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1
   link/ipip 0.0.0.0 brd 0.0.0.0
   RX: bytes  packets  errors  dropped overrun mcast
   0          0        0       0       0       0
   RX errors: length   crc     frame   fifo    missed
              0        0       0       0       0
   TX: bytes  packets  errors  dropped carrier collsns
   0          0        0       0       0       0
   TX errors: aborted  fifo   window heartbeat transns
              0        0       0       0       0
4: Tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
   link/ipip 10.1.1.2 peer 2.2.2.2
   RX: bytes  packets  errors  dropped overrun mcast
   0          0        0       0       0       0
   RX errors: length   crc     frame   fifo    missed
              0        0       0       0       0
   TX: bytes  packets  errors  dropped carrier collsns
   0          0        14      0       14      0
   TX errors: aborted  fifo   window heartbeat transns
              0        0       0       0       0

ip -s 隧道顯示隧道 1:

Tunnel1: ip/ip  remote 2.2.2.2  local 10.1.1.2  ttl inherit  key 42
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
   0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
   0          0            14     0        14       0

ifconfig -a:

Tunnel1   Link encap:IPIP Tunnel  HWaddr
         inet addr:172.16.0.1  P-t-P:192.168.1.1  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP  MTU:1419  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:14 dropped:0 overruns:0 carrier:14
         collisions:0 txqueuelen:1
         RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ip_vti0   Link encap:IPIP Tunnel  HWaddr
         NOARP  MTU:1480  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1
         RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

我在 AWS EC2 上禁用了源和目標檢查,並將 AWS 安全組中所有流量的右側(檢查點)IP 地址列入白名單,我確定支持 NAT-Traversal,我可以通過 tcpdump 看到它的流量:tcpdump -i any - nnnNq 主機 2.2.2.2

10:32:02.983136 IP 10.1.1.2.500 > 2.2.2.2.500: UDP, length 1084
10:32:03.035572 IP 2.2.2.2.500 > 10.1.1.2.500: UDP, length 708
10:32:03.044827 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 372
10:32:03.108335 IP 2.2.2.2.4500 > 10.1.1.2.4500: UDP, length 276
10:32:27.042735 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 1
10:32:33.110661 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 84
10:32:33.159623 IP 2.2.2.2.4500 > 10.1.1.2.4500: UDP, length 84
10:32:57.043342 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 1
10:33:03.110977 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 84

CheckPoint 顯示隧道已建立,但我在發送 ping 數據包時沒有收到任何 tcpdump。journalctl -fu strongswan 可從此處獲得:

https://pastebin.com/AuephC04

我也以這種方式嘗試了 VTI 端點,但它沒有進行任何更改:

ip tunnel add Tunnel1 local 10.1.1.2 remote 2.2.2.2 mode vti key 42
ip addr add 172.16.0.1/32 remote 0.0.0.0/0 dev Tunnel1
ip link set Tunnel1 up mtu 1419

我是否正確實施了這個結構?我應該在 VTI 設備上設置偽 IP 嗎?我應該添加另一個 iptables 規則來應用 MARK 這樣的東西嗎?

iptables -t mangle -A INPUT -p esp -s 2.2.2.2 -d 1.1.1.1 -j MARK --set-xmark 42

Versions:

ipsec –版本:

Linux strongSwan U5.3.5/K4.4.0-1087-aws

lsb_release -a:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.6 LTS
Release:    16.04
Codename:   xenial

dpkg -l | grep -i strongswan:

ii  libcharon-extra-plugins          5.3.5-1ubuntu3.8                           amd64        strongSwan charon library (extra plugins)
ii  libstrongswan                    5.3.5-1ubuntu3.8                           amd64        strongSwan utility and crypto library
ii  libstrongswan-standard-plugins   5.3.5-1ubuntu3.8                           amd64        strongSwan utility and crypto library (standard plugins)
ii  strongswan                       5.3.5-1ubuntu3.8                           all          IPsec VPN solution metapackage
ii  strongswan-charon                5.3.5-1ubuntu3.8                           amd64        strongSwan Internet Key Exchange daemon
ii  strongswan-libcharon             5.3.5-1ubuntu3.8                           amd64        strongSwan charon library
ii  strongswan-starter               5.3.5-1ubuntu3.8                           amd64        strongSwan daemon starter and configuration file parser
ii  strongswan-tnc-base              5.3.5-1ubuntu3.8                           amd64        strongSwan Trusted Network Connect's (TNC) - base files

在此先感謝您的幫助。

大約一個月後,我們停止了 StrongSWAN 的工作並使用 CHR(Mikrotik 雲託管路由器),設置簡單快捷,在過去兩個月內沒有遇到任何問題。

因此,對於正在閱讀此問題的任何人,您都可以使用免費許可證切換到 CHR使用 VTI 測試基於 LibreSWAN Route-based VPN

引用自:https://unix.stackexchange.com/questions/531645