Hello
For months I have been struggling to bring up a VPN tunnel between a Suse Linux system running Openswan 2.6.46 and an Astaro firewall (V9).
Unfortunately I have no access to the Astaro (company merger, different provider), so I can only describe things from the Linux side.
Basically: I can bring up a VPN tunnel between two Openswan systems, so my firewall settings should be correct.
I have two concerns:
1) ipsec verify
The test reports a number of errors, but I can't find any good descriptions of what they are telling me or how to fix them.
a) What does "Test incomplete" for NAT mean, and how can I fix it?
Code:
grisu:~ # ipsec verify
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path                         [OK]
Openswan U2.6.46/K3.7.10-1.45-default (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Hardware random device check                            [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500              [DISABLED]
 Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)           [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]

ipsec verify: encountered errors
b) "not implemented" ... am I perhaps missing some packages?
2) Connection to the Astaro
As already said, the VPN tunnel simply won't come up.
Can anyone help me find the cause?
My Openswan config:
Code:
# /etc/ipsec.conf - Openswan IPsec configuration file

# basic configuration
config setup
	# interfaces="ipsec0=eth1"
	interfaces=%defaultroute
	# Do not set debug options to debug configuration issues!
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
	# eg:
	# plutodebug="control parsing"
	# plutodebug=all
	# Again: only enable plutodebug or klipsdebug when asked by a developer
	#
	# enable to get logs per-peer
	# plutoopts="--perpeerlog"
	#
	# Enable core dumps (might require system changes, like ulimit -C)
	# This is required for abrtd to work properly
	# Note: incorrect SElinux policies might prevent pluto writing the core
	dumpdir=/var/run/pluto/
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	# nat_traversal=yes
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	# It seems that T-Mobile in the US and Rogers/Fido in Canada are
	# using 25/8 as "private" address space on their 3G network.
	# This range has not been announced via BGP (at least upto 2010-12-21)
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
	# OE is now off by default. Uncomment and change to on, to enable.
	oe=off
	# which IPsec stack to use. auto will try netkey, then klips then mast
	# protostack=auto
	protostack=netkey
	# Use this to log to a file, or disable logging on embedded systems (like openwrt)
	plutostderrlog=/var/log/pluto

# Add connections here
include /etc/ipsec.d/*.conf
I have already experimented with the various parameters.
Without success!
Code:
# /etc/ipsec.d/krokus.config
conn HBH-Krokus
	type=tunnel
	left=%eth1
	leftid=@grisu.hbh.at
	leftsubnet=192.168.5.0/24
	leftnexthop=%defaultroute
	leftprotoport=udp/1701
	# rsakey AQPrgP4cv
	leftrsasigkey=0sAQPrg....RZ
	right=213.47.173.15
	rightid=@mail.krokus.at
	rightsubnets={ 192.168.0.0/24 192.168.1.0/24 }
	rightprotoport=udp/1701
	rightrsasigkey=0sAQPo....cw==
	authby=rsasig
	# authby=secret
	auto=start
	# pfs=yes
	## phase 1 ##
	# keyexchange=ike
	# ike=aes128-sha1;modp1024
	# ikelifetime = 130m
	# lifetime = 1h
	## phase 2 ##
	# phase2=esp
	# esp = aes128;sha1
	# phase2alg=aes128-sha1
	# rekey=yes
Pluto log:
The last 9 lines keep repeating.
Code:
Plutorun started on Thu May  5 14:03:53 CEST 2016
adjusting ipsec.d to /etc/ipsec.d
Labelled IPsec not enabled; value 32001 ignored.
Starting Pluto (Openswan Version 2.6.46; Vendor ID OSWqwPd@^IAE) pid:22500
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [disabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to off
   port floating activation criteria nat_t=0/port_float=1
   NAT-Traversal support  [disabled]
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=22504 (fd:4)
Using Linux XFRM/NETKEY IPsec interface code on 3.7.10-1.45-default
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
adding connection: "HBH-Krokus/0x1"
adding connection: "HBH-Krokus/0x2"
listening for IKE messages
adding interface vlan9/vlan9 192.168.9.5:500
adding interface vlan7/vlan7 192.168.7.5:500
adding interface vlan5:ast/vlan5:ast 192.168.5.4:500
adding interface vlan5/vlan5 192.168.5.5:500
adding interface eth1/eth1 213.47.7.15:500
adding interface lo/lo 127.0.0.1:500
loading secrets from "/etc/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQO6/QIDl
initiating all conns with alias='HBH-Krokus'
"HBH-Krokus/0x2" #1: initiating Main Mode
packet from 213.47.173.15:500: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
packet from 213.47.173.15:500: received Vendor ID payload [Cisco-Unity]
packet from 213.47.173.15:500: received Vendor ID payload [XAUTH]
packet from 213.47.173.15:500: received Vendor ID payload [Dead Peer Detection]
"HBH-Krokus/0x1" #2: responding to Main Mode
"HBH-Krokus/0x1" #2: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
"HBH-Krokus/0x1" #2: no acceptable Oakley Transform
"HBH-Krokus/0x1" #2: sending notification NO_PROPOSAL_CHOSEN to 213.47.173.15:500
"HBH-Krokus/0x1" #2: deleting state #2 (STATE_MAIN_R0)
packet from 213.47.173.15:500: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
packet from 213.47.173.15:500: received Vendor ID payload [Cisco-Unity]
packet from 213.47.173.15:500: received Vendor ID payload [XAUTH]
packet from 213.47.173.15:500: received Vendor ID payload [Dead Peer Detection]
"HBH-Krokus/0x1" #3: responding to Main Mode
"HBH-Krokus/0x1" #3: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
"HBH-Krokus/0x1" #3: no acceptable Oakley Transform
"HBH-Krokus/0x1" #3: sending notification NO_PROPOSAL_CHOSEN to 213.47.173.15:500
"HBH-Krokus/0x1" #3: deleting state #3 (STATE_MAIN_R0)
In my opinion the active config doesn't look too bad.
The path is recognized correctly.
Does anyone have an idea?
Code:
grisu:~ # ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 213.47.7.15
000 interface vlan5/vlan5 192.168.5.5
000 interface vlan5:ast/vlan5:ast 192.168.5.4
000 interface vlan7/vlan7 192.168.7.5
000 interface vlan9/vlan9 192.168.9.5
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "HBH-Krokus/0x1": 192.168.5.0/24===213.47.7.15<%eth1>[@grisu.hbh.at]:17/1701---213.47.7.1...213.47.173.15<213.47.173.15>[@mail.krokus.at]:17/1701===192.168.0.0/24; unrouted; eroute owner: #0
000 "HBH-Krokus/0x1":     myip=unset; hisip=unset;
000 "HBH-Krokus/0x1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "HBH-Krokus/0x1":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: eth1; kind=CK_PERMANENT
000 "HBH-Krokus/0x1":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0;
000 "HBH-Krokus/0x1":   aliases: HBH-Krokus
000 "HBH-Krokus/0x2": 192.168.5.0/24===213.47.7.15<%eth1>[@grisu.hbh.at]:17/1701---213.47.7.1...213.47.173.15<213.47.173.15>[@mail.krokus.at]:17/1701===192.168.1.0/24; unrouted; eroute owner: #0
000 "HBH-Krokus/0x2":     myip=unset; hisip=unset;
000 "HBH-Krokus/0x2":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "HBH-Krokus/0x2":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: eth1; kind=CK_PERMANENT
000 "HBH-Krokus/0x2":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0;
000 "HBH-Krokus/0x2":   aliases: HBH-Krokus
000
000 #1: "HBH-Krokus/0x2":500 IKEv1.0 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 28s; nodpd; idle; import:admin initiate
000 #1: pending Phase 2 for "HBH-Krokus/0x1" replacing #0
000 #1: pending Phase 2 for "HBH-Krokus/0x2" replacing #0
I would be grateful for any help.
Regards, robi
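The pluto log and the conn block quoted in the post, cross-checked by an added example script. This is not code from the post or from Openswan; the function names are the example's own, and the embedded config and log excerpts are constructed from the output above. It parses a conn in ipsec.conf syntax and the pluto log and reports three things that are visible in the post: pluto rejecting the Astaro's Phase 1 proposal because it uses pre-shared-key authentication while the conn is authby=rsasig (the "policy does not allow OAKLEY_PRESHARED_KEY authentication" line followed by NO_PROPOSAL_CHOSEN), leftprotoport/rightprotoport=udp/1701 restricting the SA selectors to L2TP traffic (the :17/1701 in the status output), and pluto having started with NAT-Traversal disabled because nat_traversal=yes is commented out in config setup (the same fact ipsec verify shows as udp 4500 [DISABLED]).

```python
"""Cross-check an Openswan conn against a pluto log for the Phase 1 failure
pattern in the post.  Added example, not Openswan code; all names are the
example's own.  The embedded config and log lines are constructed from the
output quoted above."""
import re

# Constructed: the parts of the poster's ipsec.conf / conn that matter here.
SAMPLE_IPSEC_CONF = """\
config setup
    interfaces=%defaultroute
    # nat_traversal=yes
    protostack=netkey

conn HBH-Krokus
    type=tunnel
    left=%eth1
    leftsubnet=192.168.5.0/24
    leftprotoport=udp/1701
    right=213.47.173.15
    rightprotoport=udp/1701
    authby=rsasig
    # authby=secret
    auto=start
"""

# Constructed: the pluto lines that carry the diagnosis.
SAMPLE_PLUTO_LOG = """\
Setting NAT-Traversal port-4500 floating to off
   NAT-Traversal support  [disabled]
"HBH-Krokus/0x2" #1: initiating Main Mode
"HBH-Krokus/0x1" #2: responding to Main Mode
"HBH-Krokus/0x1" #2: policy does not allow OAKLEY_PRESHARED_KEY authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
"HBH-Krokus/0x1" #2: no acceptable Oakley Transform
"HBH-Krokus/0x1" #2: sending notification NO_PROPOSAL_CHOSEN to 213.47.173.15:500
"HBH-Krokus/0x1" #2: deleting state #2 (STATE_MAIN_R0)
"""

POLICY_RE = re.compile(
    r'^"(?P<conn>[^"]+)" #(?P<state>\d+): policy does not allow '
    r'(?P<method>OAKLEY_\w+) authentication')
NOTIFY_RE = re.compile(
    r'^"(?P<conn>[^"]+)" #(?P<state>\d+): sending notification '
    r'(?P<notify>\S+) to (?P<peer>[\d.]+):\d+')

# IKEv1 authentication method (as pluto names it) -> the authby= that allows it.
AUTH_TO_AUTHBY = {"OAKLEY_PRESHARED_KEY": "secret", "OAKLEY_RSA_SIG": "rsasig"}


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}}.  Commented keys are
    dropped, which is how pluto sees '# nat_traversal=yes'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():              # section header: 'config setup' / 'conn X'
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
            continue
        key, _, value = line.partition("=")
        if current is not None:
            current[key.strip()] = value.strip()
    return sections


def parse_pluto_log(text):
    """Collect, per ISAKMP state number, the rejected auth method and the
    notification pluto sent; also whether NAT-T was disabled at startup."""
    states, natt_disabled = {}, False
    for line in text.splitlines():
        if "NAT-Traversal support" in line and "[disabled]" in line:
            natt_disabled = True
        for rx in (POLICY_RE, NOTIFY_RE):
            m = rx.match(line)
            if m:
                states.setdefault(m["state"], {}).update(m.groupdict())
    return states, natt_disabled


def diagnose(conf_text, log_text):
    """Return human-readable findings; an empty list means nothing detected."""
    conf = parse_ipsec_conf(conf_text)
    states, natt_disabled = parse_pluto_log(log_text)
    findings = []
    for state, info in sorted(states.items(), key=lambda kv: int(kv[0])):
        base = info["conn"].split("/")[0]            # 'HBH-Krokus/0x1' -> 'HBH-Krokus'
        local = conf.get(f"conn {base}", {}).get("authby", "rsasig")   # Openswan default
        wanted = AUTH_TO_AUTHBY.get(info.get("method"))
        if wanted and wanted != local and info.get("notify") == "NO_PROPOSAL_CHOSEN":
            findings.append(f"conn {base} state #{state}: peer {info['peer']} proposes "
                            f"authby={wanted}, local authby={local} -> NO_PROPOSAL_CHOSEN")
    for name, conn in conf.items():
        ports = {conn.get("leftprotoport"), conn.get("rightprotoport")}
        if name.startswith("conn ") and ports & {"udp/1701", "17/1701"}:
            findings.append(f"{name}: leftprotoport/rightprotoport=udp/1701 restricts the SA "
                            f"to L2TP traffic; a subnet-to-subnet tunnel normally has neither")
    if natt_disabled:
        setup = conf.get("config setup", {})
        findings.append("config setup: pluto started with NAT-Traversal disabled "
                        f"(nat_traversal={setup.get('nat_traversal', 'unset')}); udp/4500 is not used")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_IPSEC_CONF, SAMPLE_PLUTO_LOG):
        print(finding)
```

Run it as-is to see the three findings for the posted configuration; point it at the real /etc/ipsec.conf (with the conn file included) and /var/log/pluto to re-check after a change. The authby mapping is the key point: pluto names the peer's authentication method in IKEv1 terms (OAKLEY_PRESHARED_KEY), and only a conn whose authby allows that method can answer with anything but NO_PROPOSAL_CHOSEN.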