StrongSWAN works, but doesn't route



pekopeter
26.08.04, 12:32
Hello :-)

I'd like to set up the following:

To a rented server in a data center (SuSE 9, 2.4.27 vanilla kernel, StrongSwan 2.1.5) I'd like to build VPN connections from several (as many as possible) Devil-Linux firewalls (2.4.25, FreeSwan 1.99.8, X.509) on DSL lines (dynamic IP). Each VPN client has its own, different subnet!

192.168.0.0/24 -> 192.168.0.254 -> INTERNET -> fixed IP -> 192.168.1.0/24

The connection setup from one of the clients works fine at first.

>> root@quadro_intranet_gw:/ # ipsec auto --up quadro_root
>> 104 "quadro_root" #4: STATE_MAIN_I1: initiate
>> 106 "quadro_root" #4: STATE_MAIN_I2: sent MI2, expecting MR2
>> 108 "quadro_root" #4: STATE_MAIN_I3: sent MI3, expecting MR3
>> 004 "quadro_root" #4: STATE_MAIN_I4: ISAKMP SA established
>> 117 "quadro_root" #5: STATE_QUICK_I1: initiate
>> 004 "quadro_root" #5: STATE_QUICK_I2: sent QI2, IPsec SA established


A route is also created:
>> 217.5.98.138 * 255.255.255.255 UH 0 0 0 ppp0
>> 217.5.98.138 * 255.255.255.255 UH 0 0 0 ipsec0
>> 192.168.1.0 217.5.98.138 255.255.255.0 UG 0 0 0 ipsec0
>> 192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
>> default 217.5.98.138 0.0.0.0 UG 0 0 0 ppp0

However, no routing takes place at all. Pinging the other subnet is not possible.
On the host side, no routing entry appears in the routing table.

/var/log/messages says:

Aug 26 13:19:53 h3893 pluto[14448]: | install_ipsec_sa() for #2: outbound only
Aug 26 13:19:53 h3893 pluto[14448]: | route owner of "quadro_intranet_gw"[1] 80.143.72.75 unrouted: NULL; eroute owner: NULL
Aug 26 13:19:53 h3893 pluto[14448]: | finish_pfkey_msg: SADB_ADD message 23 for Add SA tun.1004@80.143.72.75
Aug 26 13:19:53 h3893 pluto[14448]: | pfkey_get: SADB_ADD message 23
Aug 26 13:19:53 h3893 pluto[14448]: | finish_pfkey_msg: SADB_ADD message 24 for Add SA esp.ec1aed6e@80.143.72.75
Aug 26 13:19:53 h3893 pluto[14448]: | pfkey_get: SADB_ADD message 24
Aug 26 13:19:53 h3893 pluto[14448]: | grouping unk0.ec1aed6e@80.143.72.75 and unk0.1004@80.143.72.75
Aug 26 13:19:53 h3893 pluto[14448]: | finish_pfkey_msg: SADB_X_GRPSA message 25 for group unk0.1004@80.143.72.75

Aug 26 13:19:53 h3893 pluto[14448]: | pfkey_get: SADB_X_ADDFLOW message 26
Aug 26 13:19:53 h3893 pluto[14448]: | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='quadro_intranet_gw' PLUTO_NEXT_HOP='81.169.170.1' PLUTO_INTERFACE='ipsec0' PLUTO_ME='81.169.170.204' PLUTO_MY_ID='C=DE, ST=NRW, L=Bochum, O=XX, OU=IT, CN=quadro_root' PLUTO_MY_CLIENT='192.168.1.0/24' PLUTO_MY_CLIENT_NET='192.168.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='80.143.72.75' PLUTO_PEER_ID='C=DE, ST=NRW, L=Bochum, O=XX, OU=IT, CN=quadro_intranet_gw' PLUTO_PEER_CLIENT='192.168.0.0/24' PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=DE, ST=NRW, L=Bochum, O=XX, OU=IT, CN=Quadrotech_CA, E=info@XX.de' /usr/local/lib/ipsec/_updown_x509
Aug 26 13:19:53 h3893 vpn: + C=DE, ST=NRW, L=Bochum, O=XX, OU=IT, CN=quadro_intranet_gw 192.168.0.0/24 == 80.143.72.75 -- 81.169.170.204 == 192.168.1.0/24
Aug 26 13:19:53 h3893 pluto[14448]: | route_and_eroute: firewall_notified: true
Aug 26 13:19:53 h3893 pluto[14448]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='quadro_intranet_gw' PLUTO_NEXT_HOP='81.169.170.1' PLUTO_INTERFACE='ipsec0' PLUTO_ME='81.169.170.204' PLUTO_MY_ID='C=DE, ST=NRW, L=Bochum, O=XX, OU=IT, CN=quadro_root' PLUTO_MY_CLIENT='192.168.1.0/24' PLUTO_MY_CLIENT_NET='192.168.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='80.143.72.75' PLUTO_PEER_ID='C=DE, ST=NRW, L=Bochum, O=XX, OU=IT, CN=quadro_intranet_gw' PLUTO_PEER_CLIENT='192.168.0.0/24' PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=DE, ST=NRW, L=Bochum, O=XX, OU=IT, CN=XX_CA, E=info@XX' /usr/local/lib/ipsec/_updown_x509
Aug 26 13:19:53 h3893 pluto[14448]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='quadro_intranet_gw' PLUTO_NEXT_HOP='81.169.170.1' PLUTO_INTERFACE='ipsec0' PLUTO_ME='81.169.170.204' PLUTO_MY_ID='C=DE, ST=NRW, L=Bochum, O=XX, OU=IT, CN=quadro_root' PLUTO_MY_CLIENT='192.168.1.0/24' PLUTO_MY_CLIENT_NET='192.168.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='80.143.72.75' PLUTO_PEER_ID='C=DE, ST=NRW, L=Bochum, O=XX, OU=IT, CN=quadro_intranet_gw' PLUTO_PEER_CLIENT='192.168.0.0/24' PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=DE, ST=NRW, L=Bochum, O=XX, OU=IT, CN=XX_CA, E=info@quadrotech.de' /usr/local/lib/ipsec/_updown_x509
Aug 26 13:19:53 h3893 pluto[14448]: "quadro_intranet_gw"[1] 80.143.72.75 #2: route-client output: RTNETLINK answers: Network is unreachable
Aug 26 13:19:53 h3893 pluto[14448]: "quadro_intranet_gw"[1] 80.143.72.75 #2: route-client output: /usr/local/lib/ipsec/_updown_x509: `ip route add 192.168.0.0/24 via 81.169.170.1 dev ipsec0' failed
Aug 26 13:19:53 h3893 pluto[14448]: "quadro_intranet_gw"[1] 80.143.72.75 #2: route-client command exited with status 2


Anyone have an idea??

Regards

pekopeter

pekopeter
26.08.04, 15:32
...found something else:

ipsec verify on the client
...
>> MASQUERADE from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 192.168.0.0/24:0 -> 192.168.1.0/24:0
...

Firewall.rules

>> ${IPTABLES} -A POSTROUTING -t nat -o ${OUT_DEV} -d 192.168.1.0/24 -j RETURN

>> ${IPTABLES} -A POSTROUTING -t nat -o ${OUT_DEV} -j MASQUERADE



How can masquerading still interfere, then?

Regards

Pekopeter
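The verify warning quoted above is derived from the catch-all MASQUERADE rule; whether the tunnel traffic 192.168.0.0/24 -> 192.168.1.0/24 is actually rewritten depends on the order of the POSTROUTING/nat rules and on the output device they are bound to. The following Python is an added example (not from the thread or from strongSwan): it replays a constructed copy of the two quoted rules in iptables order, first match wins, with `ppp0` assumed as `${OUT_DEV}`, and contrasts that with a static "is there a MASQUERADE rule covering the tunnel" check.

```python
import ipaddress

# Constructed copy of the two POSTROUTING/nat rules from the post, in the order
# given there. ${OUT_DEV} is assumed to be ppp0; neither rule has a -s match.
RULES_OK = [
    {"out": "ppp0", "dst": "192.168.1.0/24", "target": "RETURN"},
    {"out": "ppp0", "dst": "0.0.0.0/0", "target": "MASQUERADE"},
]
# Same rules, wrong order: the exemption sits after the catch-all.
RULES_BAD = list(reversed(RULES_OK))

LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")
REMOTE_NET = ipaddress.ip_network("192.168.1.0/24")


def postrouting_nat(rules, dst, out_dev):
    """Walk the chain top to bottom like iptables and return the first target
    that matches a packet to `dst` leaving via `out_dev`. RETURN in a built-in
    chain hands the packet to the chain policy, i.e. no address rewrite."""
    d = ipaddress.ip_address(dst)
    for r in rules:
        if r["out"] != out_dev:
            continue
        if d not in ipaddress.ip_network(r["dst"]):
            continue
        return r["target"]
    return "ACCEPT"  # fell off the end: chain policy, no NAT


def tunnel_masqueraded(rules, out_dev):
    """True if any host in the local subnet would be SNATed when talking
    to any host in the remote subnet (host addresses only, not network/bcast)."""
    for src in LOCAL_NET.hosts():
        for dst in REMOTE_NET.hosts():
            if postrouting_nat(rules, str(dst), out_dev) == "MASQUERADE":
                return True
    return False


def static_verify_warning(rules):
    """Coarse check in the spirit of the quoted verify output: flag any
    MASQUERADE rule whose -d range covers the remote subnet, regardless of
    position in the chain. It warns for both orderings."""
    for r in rules:
        if r["target"] == "MASQUERADE" and \
                REMOTE_NET.subnet_of(ipaddress.ip_network(r["dst"])):
            return "MASQUERADE kills tunnel %s -> %s" % (LOCAL_NET, REMOTE_NET)
    return None
```

The static check warns in both cases, while the ordered walk shows that only the reversed chain rewrites the tunnel traffic; traffic leaving via an interface the rules do not name (e.g. a KLIPS `ipsec0`) never reaches the MASQUERADE rule at all.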