
Topic: VPN tunnel between OpenSwan and Astaro

  1. #1
    Registered user
    Member since
    Mar 2016
    Posts
    1

    VPN tunnel between OpenSwan and Astaro

    Hello

    For months I have been struggling to set up a VPN tunnel between a SUSE Linux system running OpenSwan 2.6.46 and an Astaro firewall (V9).
    Unfortunately I have no access to the Astaro (company merger, different provider), so I can only describe things from the Linux side.
    Basically: I can set up a VPN tunnel between two OpenSwan systems, so my firewall settings should be correct.

    I have two questions:
    1) ipsec verify
    The test reports some errors, but I can't find any good description of what they are telling me or how to fix them.

    Code:
    grisu:~ # ipsec verify
    Checking if IPsec got installed and started correctly:
    
    Version check and ipsec on-path                   	[OK]
    Openswan U2.6.46/K3.7.10-1.45-default (netkey)
    See `ipsec --copyright' for copyright information.
    Checking for IPsec support in kernel              	[OK]
     NETKEY: Testing XFRM related proc values
             ICMP default/send_redirects              	[OK]
             ICMP default/accept_redirects            	[OK]
             XFRM larval drop                         	[OK]
    Hardware random device check                      	[N/A]
    Two or more interfaces found, checking IP forwarding	[OK]
    Checking rp_filter                                	[ENABLED]
     /proc/sys/net/ipv4/conf/all/rp_filter            	[ENABLED]
    Checking that pluto is running                    	[OK]
     Pluto listening for IKE on udp 500               	[OK]
     Pluto listening for IKE on tcp 500               	[NOT IMPLEMENTED]
     Pluto listening for IKE/NAT-T on udp 4500        	[DISABLED]
     Pluto listening for IKE/NAT-T on tcp 4500        	[NOT IMPLEMENTED]
     Pluto listening for IKE on tcp 10000 (cisco)     	[NOT IMPLEMENTED]
    Checking NAT and MASQUERADEing                    	[TEST INCOMPLETE]
    Checking 'ip' command                             	[OK]
    Checking 'iptables' command                       	[OK]
    
    ipsec verify: encountered errors
    a) What does "Test incomplete" for NAT mean, and how can I fix it?
    b) "not implemented" ... am I perhaps missing packages?

    2) Connection to the Astaro
    As I said, the VPN tunnel simply won't come up.
    Can anyone help me find the cause?

    My OpenSwan config:
    Code:
    # /etc/ipsec.conf - Openswan IPsec configuration file
    
    # basic configuration
    config setup
    	# interfaces="ipsec0=eth1"
    	interfaces=%defaultroute
    	# Do not set debug options to debug configuration issues!
    	# plutodebug / klipsdebug = "all", "none" or a combation from below:
    	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    	# eg:
    	# plutodebug="control parsing"
    	# plutodebug=all
    	# Again: only enable plutodebug or klipsdebug when asked by a developer
    	#
    	# enable to get logs per-peer
    	# plutoopts="--perpeerlog"
    	#
    	# Enable core dumps (might require system changes, like ulimit -C)
    	# This is required for abrtd to work properly
    	# Note: incorrect SElinux policies might prevent pluto writing the core
    	dumpdir=/var/run/pluto/
    	#
    	# NAT-TRAVERSAL support, see README.NAT-Traversal
    	# nat_traversal=yes
    	# exclude networks used on server side by adding %v4:!a.b.c.0/24
    	# It seems that T-Mobile in the US and Rogers/Fido in Canada are
    	# using 25/8 as "private" address space on their 3G network.
    	# This range has not been announced via BGP (at least upto 2010-12-21)
    	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    	# OE is now off by default. Uncomment and change to on, to enable.
    	oe=off
    	# which IPsec stack to use. auto will try netkey, then klips then mast
    	# protostack=auto
    	protostack=netkey
    	# Use this to log to a file, or disable logging on embedded systems (like openwrt)
    	plutostderrlog=/var/log/pluto
    
    # Add connections here
    
    include /etc/ipsec.d/*.conf
    Code:
    # /etc/ipsec.d/krokus.config
    
    conn HBH-Krokus
    	type=tunnel
    	left=%eth1
    	leftid=@grisu.hbh.at
    	leftsubnet=192.168.5.0/24
    	leftnexthop=%defaultroute
    	leftprotoport=udp/1701
    	# rsakey AQPrgP4cv
    	leftrsasigkey=0sAQPrg....RZ
    	right=213.47.173.15
    	rightid=@mail.krokus.at
    	rightsubnets={ 192.168.0.0/24 192.168.1.0/24 }
    	rightprotoport=udp/1701
    	rightrsasigkey=0sAQPo....cw==
    	authby=rsasig
    	# authby=secret
    	auto=start
    	# pfs=yes
    	## phase 1 ##
            # keyexchange=ike
    	# ike=aes128-sha1;modp1024
    	# ikelifetime = 130m
    	# lifetime = 1h
            ## phase 2 ##
            # phase2=esp
    	# esp = aes128;sha1
            # phase2alg=aes128-sha1
    	# rekey=yes
    I have already experimented with the various parameters. Without success!

    Pluto log:
    Code:
    Plutorun started on Thu May 5 14:03:53 CEST 2016
    adjusting ipsec.d to /etc/ipsec.d
    Labelled IPsec not enabled; value 32001 ignored.
    Starting Pluto (Openswan Version 2.6.46; Vendor ID OSWqwPd@^IAE) pid:22500
    LEAK_DETECTIVE support [disabled]
    OCF support for IKE [disabled]
    SAref support [disabled]: Protocol not available
    SAbind support [disabled]: Protocol not available
    NSS support [disabled]
    HAVE_STATSD notification support not compiled in
    Setting NAT-Traversal port-4500 floating to off
       port floating activation criteria nat_t=0/port_float=1
       NAT-Traversal support  [disabled]
    using /dev/urandom as source of random entropy
    ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
    ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
    starting up 1 cryptographic helpers
    started helper pid=22504 (fd:4)
    Using Linux XFRM/NETKEY IPsec interface code on 3.7.10-1.45-default
    using /dev/urandom as source of random entropy
    ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
    ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
    ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
    ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
    ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
    ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
    ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
    ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
    ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
    ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
    ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
    adding connection: "HBH-Krokus/0x1"
    adding connection: "HBH-Krokus/0x2"
    listening for IKE messages
    adding interface vlan9/vlan9 192.168.9.5:500
    adding interface vlan7/vlan7 192.168.7.5:500
    adding interface vlan5:ast/vlan5:ast 192.168.5.4:500
    adding interface vlan5/vlan5 192.168.5.5:500
    adding interface eth1/eth1 213.47.7.15:500
    adding interface lo/lo 127.0.0.1:500
    loading secrets from "/etc/ipsec.secrets"
    loaded private key for keyid: PPK_RSA:AQO6/QIDl
    initiating all conns with alias='HBH-Krokus' 
    "HBH-Krokus/0x2" #1: initiating Main Mode
    packet from 213.47.173.15:500: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
    packet from 213.47.173.15:500: received Vendor ID payload [Cisco-Unity]
    packet from 213.47.173.15:500: received Vendor ID payload [XAUTH]
    packet from 213.47.173.15:500: received Vendor ID payload [Dead Peer Detection]
    "HBH-Krokus/0x1" #2: responding to Main Mode
    "HBH-Krokus/0x1" #2: policy does not allow OAKLEY_PRESHARED_KEY authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
    "HBH-Krokus/0x1" #2: no acceptable Oakley Transform
    "HBH-Krokus/0x1" #2: sending notification NO_PROPOSAL_CHOSEN to 213.47.173.15:500
    "HBH-Krokus/0x1" #2: deleting state #2 (STATE_MAIN_R0)
    packet from 213.47.173.15:500: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
    packet from 213.47.173.15:500: received Vendor ID payload [Cisco-Unity]
    packet from 213.47.173.15:500: received Vendor ID payload [XAUTH]
    packet from 213.47.173.15:500: received Vendor ID payload [Dead Peer Detection]
    "HBH-Krokus/0x1" #3: responding to Main Mode
    "HBH-Krokus/0x1" #3: policy does not allow OAKLEY_PRESHARED_KEY authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
    "HBH-Krokus/0x1" #3: no acceptable Oakley Transform
    "HBH-Krokus/0x1" #3: sending notification NO_PROPOSAL_CHOSEN to 213.47.173.15:500
    "HBH-Krokus/0x1" #3: deleting state #3 (STATE_MAIN_R0)
    The last 9 lines repeat over and over.

    In my opinion the active config doesn't look too bad.
    The path is detected correctly.

    Code:
    grisu:~ # ipsec auto --status
    000 using kernel interface: netkey
    000 interface lo/lo 127.0.0.1
    000 interface eth1/eth1 213.47.7.15
    000 interface vlan5/vlan5 192.168.5.5
    000 interface vlan5:ast/vlan5:ast 192.168.5.4
    000 interface vlan7/vlan7 192.168.7.5
    000 interface vlan9/vlan9 192.168.9.5
    000 %myid = (none)
    000 debug none
    000  
    000 virtual_private (%priv):
    000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
    000 - disallowed 0 subnets: 
    000 WARNING: Disallowed subnets in virtual_private= is empty. If you have 
    000          private address space in internal use, it should be excluded!
    000  
    000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
    000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
    000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
    000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
    000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
    000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
    000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
    000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
    000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
    000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
    000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
    000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
    000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
    000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
    000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
    000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
    000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
    000  
    000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
    000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
    000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
    000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
    000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
    000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
    000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
    000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
    000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
    000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
    000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
    000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
    000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
    000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
    000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
    000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
    000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
    000  
    000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
    000  
    000 "HBH-Krokus/0x1": 192.168.5.0/24===213.47.7.15<%eth1>[@grisu.hbh.at]:17/1701---213.47.7.1...213.47.173.15<213.47.173.15>[@mail.krokus.at]:17/1701===192.168.0.0/24; unrouted; eroute owner: #0
    000 "HBH-Krokus/0x1":     myip=unset; hisip=unset;
    000 "HBH-Krokus/0x1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 
    000 "HBH-Krokus/0x1":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: eth1; kind=CK_PERMANENT
    000 "HBH-Krokus/0x1":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0;
    000 "HBH-Krokus/0x1":   aliases: HBH-Krokus 
    000 "HBH-Krokus/0x2": 192.168.5.0/24===213.47.7.15<%eth1>[@grisu.hbh.at]:17/1701---213.47.7.1...213.47.173.15<213.47.173.15>[@mail.krokus.at]:17/1701===192.168.1.0/24; unrouted; eroute owner: #0
    000 "HBH-Krokus/0x2":     myip=unset; hisip=unset;
    000 "HBH-Krokus/0x2":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 
    000 "HBH-Krokus/0x2":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: eth1; kind=CK_PERMANENT
    000 "HBH-Krokus/0x2":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0;
    000 "HBH-Krokus/0x2":   aliases: HBH-Krokus 
    000  
    000 #1: "HBH-Krokus/0x2":500 IKEv1.0 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 28s; nodpd; idle; import:admin initiate
    000 #1: pending Phase 2 for "HBH-Krokus/0x1" replacing #0
    000 #1: pending Phase 2 for "HBH-Krokus/0x2" replacing #0
    Does anyone have an idea?
    I'd be grateful for any help.

    Regards, robi
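The repeating block in the pluto log above (the peer initiates Main Mode proposing pre-shared-key authentication, the local conn allows only RSA signatures, pluto answers NO_PROPOSAL_CHOSEN) as an added example, not part of the original post and not Openswan's own code: a small Python triage script that parses the posted ipsec.conf fragments and log lines and reports that mismatch, plus two settings from the posted config worth checking (NAT-T left disabled, udp/1701 protoport on a net-to-net tunnel). CONF_SAMPLE and LOG_SAMPLE are trimmed from the post; CONF_FIXED (authby=secret, nat_traversal=yes, no protoport) and LOG_CLEAN are constructed assumptions, including the choice of PSK, which follows only from the fact that the Astaro side cannot be changed from here.

```python
"""Triage an Openswan IKEv1 Main Mode failure from ipsec.conf plus the pluto log.

Added example for this thread, not code from the original post or from Openswan.
It only correlates what the log says the peer proposed with what the local conn
allows, and flags two settings visible in the posted config.
"""
import re

# Trimmed from the posted /etc/ipsec.conf and /etc/ipsec.d/krokus.config.
CONF_SAMPLE = """\
config setup
    interfaces=%defaultroute
    # nat_traversal=yes
    protostack=netkey

conn HBH-Krokus
    leftsubnet=192.168.5.0/24
    leftprotoport=udp/1701
    right=213.47.173.15
    rightsubnets={ 192.168.0.0/24 192.168.1.0/24 }
    rightprotoport=udp/1701
    authby=rsasig
"""

# Lines taken from the posted pluto log (one of the repeating blocks).
LOG_SAMPLE = """\
   NAT-Traversal support  [disabled]
"HBH-Krokus/0x1" #2: responding to Main Mode
"HBH-Krokus/0x1" #2: policy does not allow OAKLEY_PRESHARED_KEY authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
"HBH-Krokus/0x1" #2: no acceptable Oakley Transform
"HBH-Krokus/0x1" #2: sending notification NO_PROPOSAL_CHOSEN to 213.47.173.15:500
"""

# Hypothetical corrected config (constructed): PSK to match the peer (the secret
# itself goes into /etc/ipsec.secrets), NAT-T enabled, no protoport restriction.
_fixed = CONF_SAMPLE.replace("# nat_traversal=yes", "nat_traversal=yes")
_fixed = _fixed.replace("authby=rsasig", "authby=secret")
CONF_FIXED = "\n".join(l for l in _fixed.splitlines() if "protoport" not in l)
LOG_CLEAN = '   NAT-Traversal support  [enabled]\n"HBH-Krokus/0x1" #2: responding to Main Mode\n'

# "HBH-Krokus/0x1" is an instance of conn HBH-Krokus; the /0x.. suffix is stripped.
AUTH_REJECT = re.compile(
    r'"(?P<conn>[^"/]+)(?:/0x[0-9a-f]+)?" #\d+: policy does not allow '
    r"(?P<method>OAKLEY_\w+) authentication"
)
NATT_DISABLED = re.compile(r"NAT-Traversal support\s+\[disabled\]")
# Peer's IKEv1 Phase 1 authentication method -> the authby= value that accepts it.
AUTHBY_FOR = {"OAKLEY_PRESHARED_KEY": "secret", "OAKLEY_RSA_SIG": "rsasig"}


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored as 'setup'.

    Handles only the flat key=value layout of the post (no include=, also=).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        head = re.match(r"^(config|conn)\s+(\S+)", line)
        if head:
            name = "setup" if head.group(1) == "config" else head.group(2)
            current = sections.setdefault(name, {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def diagnose(conf_text, log_text):
    """Return a list of (code, message); an empty list means nothing was flagged."""
    conf = parse_ipsec_conf(conf_text)
    findings, seen = [], set()

    for m in AUTH_REJECT.finditer(log_text):
        name, method = m.group("conn"), m.group("method")
        if (name, method) in seen:  # the block repeats; report once per conn
            continue
        seen.add((name, method))
        local = conf.get(name, {}).get("authby", "rsasig")  # Openswan default
        wanted = AUTHBY_FOR.get(method, "?")
        if local != wanted:
            findings.append(("AUTH_MISMATCH",
                f"conn {name}: peer proposes {method} but authby={local}; both ends "
                f"must agree, so set authby={wanted} (PSK in ipsec.secrets) or have "
                "the peer switch to RSA signatures"))

    if NATT_DISABLED.search(log_text) and conf.get("setup", {}).get("nat_traversal") != "yes":
        findings.append(("NATT_DISABLED",
            "nat_traversal= is unset/commented: fine with public IPs on both ends, "
            "required (udp/4500) if either end sits behind NAT"))

    for name, conn in conf.items():
        ports = {conn.get("leftprotoport"), conn.get("rightprotoport")} - {None}
        if name != "setup" and ports:
            findings.append(("PROTOPORT_RESTRICTS",
                f"conn {name}: protoport={', '.join(sorted(ports))} limits the SA to "
                "that protocol/port (L2TP style); a net-to-net tunnel normally has none"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(CONF_SAMPLE, LOG_SAMPLE):
        print(f"[{code}] {msg}")
```

Run as-is it prints the three findings for the posted config; diagnose(CONF_FIXED, LOG_CLEAN) returns an empty list. The script is no substitute for watching the negotiation with ipsec auto --status or a capture on udp/500; it only makes the log's own statement explicit: the remote end proposes pre-shared-key authentication, the conn's authby=rsasig policy rejects it, and no Phase 1 SA is ever formed, while the locally initiated Main Mode (state #1, waiting for MR1) gets no answer at all.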

  2. #2
    root !*****istrator Avatar of mbo
    Member since
    Oct 2000
    Location
    Karlsruhe
    Posts
    1,717
    policy does not allow
    42
