Tocotac
25.09.15, 12:56
Hello forum,
after a long absence from the forum I have a problem again.
I would like to connect two Raspberry Pis via IPsec. The layout is as follows:
--------------------    ----------------------    ------------    ----------------------    --------------------
| Raspberry A      | => | Fritzbox 7330      | => | Internet | => | SonicWall tz170    | => | Raspberry B      |
| LAN: 192.168.0.9 |    | LAN: 192.168.0.1   |    ------------    | LAN: 192.168.2.254 |    | LAN 192.168.2.70 |
--------------------    | WAN: 151.19.172.16 |                    | WAN: 86.17.23.53   |    --------------------
                        ----------------------                    ----------------------
UDP ports 500 and 4500 and the ESP protocol are set up for forwarding on the routers.
Next comes the racoon / IPsec configuration:
Raspberry A
/etc/ipsec-tools.conf
spdadd 192.168.0.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/192.168.0.9-86.17.23.53/require;
spdadd 192.168.2.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/86.17.23.53-192.168.0.9/require;
/etc/racoon/racoon.conf
log info;
path pre_shared_key "/etc/racoon/psk.txt";
listen {
isakmp 192.168.0.9 [500];
isakmp_natt 192.168.0.9 [4500];
}
padding {
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
remote anonymous {
exchange_mode main,aggressive;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
generate_policy off;
my_identifier address 151.19.172.16;
}
sainfo anonymous {
pfs_group modp768;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
/etc/racoon/psk.txt
86.17.23.53 <irgendetwas_super_geheimes>
Raspberry B
/etc/ipsec-tools.conf
spdadd 192.168.2.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/192.168.2.70-151.19.172.16/require;
spdadd 192.168.0.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/151.19.172.16-192.168.2.70/require;
/etc/racoon/racoon.conf
log info;
path pre_shared_key "/etc/racoon/psk.txt";
listen {
isakmp 192.168.2.70 [500];
isakmp_natt 192.168.2.70 [4500];
}
padding {
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
remote anonymous {
exchange_mode main,aggressive;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
generate_policy off;
my_identifier address 86.17.23.53;
verify_identifier off;
}
sainfo anonymous {
pfs_group modp768;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
/etc/racoon/psk.txt
151.19.172.16 <irgendetwas_super_geheimes>
In my opinion the tunnel is established:
Raspberry A
/var/log/syslog
INFO: ISAKMP-SA established 192.168.0.9[500]-86.17.23.53[500] spi:0d1cbdbae1ddf3cc:dee264f519436cc3
[86.17.23.53] INFO: received INITIAL-CONTACT
INFO: initiate new phase 2 negotiation: 192.168.0.9[500]<=>86.17.23.53[500]
INFO: IPsec-SA established: ESP/Tunnel 192.168.0.9[500]->86.17.23.53[500] spi=110913255(0x69c66e7)
INFO: IPsec-SA established: ESP/Tunnel 192.168.0.9[500]->86.17.23.53[500] spi=99622605(0x5f01ecd)
racoonctl show-sa esp
192.168.0.9 86.17.23.53
esp mode=tunnel spi=99622605(0x05f01ecd) reqid=0(0x00000000)
E: 3des-cbc 9edbd2a9 7bbba30e be024f8f b892727d ae997e3b 9dbc5cb3
A: hmac-sha1 aa0ca7e3 a17404ae a82efa7a cbe22d67 7f372e4b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Sep 25 12:44:57 2015 current: Sep 25 13:44:30 2015
diff: 3573(s) hard: 28800(s) soft: 23040(s)
last: Sep 25 12:44:58 2015 hard: 0(s) soft: 0(s)
current: 3864(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 46 hard: 0 soft: 0
sadb_seq=1 pid=27320 refcnt=0
86.17.23.53 192.168.0.9
esp mode=tunnel spi=110913255(0x069c66e7) reqid=0(0x00000000)
E: 3des-cbc 590ad32a beb28766 1ee7bb09 a40f4767 a94e714f 85be3ec3
A: hmac-sha1 388ec394 66f834f5 8fce49e3 5870247b 50466761
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Sep 25 12:44:57 2015 current: Sep 25 13:44:30 2015
diff: 3573(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=27320 refcnt=0
Raspberry B
/var/log/syslog
INFO: ISAKMP-SA established 192.168.2.70[500]-151.19.172.16[500] spi:0d1cbdbae1ddf3cc:dee264f519436cc3
[151.19.172.16] INFO: received INITIAL-CONTACT
INFO: respond new phase 2 negotiation: 192.168.2.70[500]<=>151.19.172.16[500]
INFO: IPsec-SA established: ESP/Tunnel 192.168.2.70[500]->151.19.172.16[500] spi=99622605(0x5f01ecd)
INFO: IPsec-SA established: ESP/Tunnel 192.168.2.70[500]->151.19.172.16[500] spi=110913255(0x69c66e7)
racoonctl show-sa esp
192.168.2.70 151.19.172.16
esp mode=tunnel spi=110913255(0x069c66e7) reqid=0(0x00000000)
E: 3des-cbc 590ad32a beb28766 1ee7bb09 a40f4767 a94e714f 85be3ec3
A: hmac-sha1 388ec394 66f834f5 8fce49e3 5870247b 50466761
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Sep 25 12:44:57 2015 current: Sep 25 13:48:52 2015
diff: 3835(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=11292 refcnt=0
151.19.172.16 192.168.2.70
esp mode=tunnel spi=99622605(0x05f01ecd) reqid=0(0x00000000)
E: 3des-cbc 9edbd2a9 7bbba30e be024f8f b892727d ae997e3b 9dbc5cb3
A: hmac-sha1 aa0ca7e3 a17404ae a82efa7a cbe22d67 7f372e4b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Sep 25 12:44:57 2015 current: Sep 25 13:48:52 2015
diff: 3835(s) hard: 28800(s) soft: 23040(s)
last: Sep 25 12:44:58 2015 hard: 0(s) soft: 0(s)
current: 3864(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 46 hard: 0 soft: 0
sadb_seq=0 pid=11292 refcnt=0
Unfortunately I cannot ping the other side. When I try to ping Raspberry B from Raspberry A, I get 100% packet loss.
With tcpdump on Raspberry B I do see the incoming packets, but not the reply:
tcpdump -v icmp -n
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:51:09.376843 IP (tos 0x0, ttl 64, id 59516, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.0.9 > 192.168.2.9: ICMP echo request, id 27951, seq 1, length 64
13:51:10.372682 IP (tos 0x0, ttl 64, id 59551, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.0.9 > 192.168.2.9: ICMP echo request, id 27951, seq 2, length 64
13:51:11.374399 IP (tos 0x0, ttl 64, id 59638, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.0.9 > 192.168.2.9: ICMP echo request, id 27951, seq 3, length 64
13:51:12.372166 IP (tos 0x0, ttl 64, id 59700, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.0.9 > 192.168.2.9: ICMP echo request, id 27951, seq 4, length 64
I am at my wits' end and hope you can help me.
Many thanks
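An added example, not part of the original post: a small Python parser for the `racoonctl show-sa esp` output quoted above that reports, per SA direction, how many packets and bytes have actually been carried and flags the negotiated 3DES/SHA-1 algorithms. The sample input is constructed from Raspberry B's dump in the post, with the key material elided and unparsed lines dropped.

```python
import re

# Sample constructed from the post: Raspberry B's `racoonctl show-sa esp` output,
# key material elided and unparsed lines dropped; the counters are the quoted ones.
SAMPLE_B = """\
192.168.2.70 151.19.172.16
esp mode=tunnel spi=110913255(0x069c66e7) reqid=0(0x00000000)
E: 3des-cbc <key elided>
A: hmac-sha1 <key elided>
created: Sep 25 12:44:57 2015 current: Sep 25 13:48:52 2015
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
151.19.172.16 192.168.2.70
esp mode=tunnel spi=99622605(0x05f01ecd) reqid=0(0x00000000)
E: 3des-cbc <key elided>
A: hmac-sha1 <key elided>
current: 3864(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 46 hard: 0 soft: 0
"""
HEADER = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)$")  # "src dst" line
FIELDS = {"spi": re.compile(r"spi=\d+\((0x[0-9a-f]+)\)"),
          "enc": re.compile(r"^E:\s+(\S+)"), "auth": re.compile(r"^A:\s+(\S+)"),
          "bytes": re.compile(r"^current:\s+(\d+)\(bytes\)"),  # skips "created: ... current: <date>"
          "packets": re.compile(r"^allocated:\s+(\d+)")}
WEAK = {"3des-cbc", "des-cbc", "hmac-md5"}  # still negotiable by racoon, not recommended today

def parse_sad(text):
    """Return one dict per SA with src, dst, spi, enc, auth, bytes and packets."""
    sas = []
    for line in map(str.strip, text.splitlines()):
        if HEADER.match(line):                      # a new SA starts with its endpoints
            sas.append(dict(zip(("src", "dst"), line.split())))
        elif sas:                                   # remaining lines belong to the last SA
            for key, rx in FIELDS.items():
                m = rx.search(line)
                if m:
                    sas[-1][key] = int(m.group(1)) if key in ("bytes", "packets") else m.group(1)
    return sas

def diagnose(sas):
    """One line per SA: traffic carried in that direction, plus a weak-crypto flag."""
    out = []
    for sa in sas:
        tag = f"{sa['src']} -> {sa['dst']} spi={sa['spi']}"
        used = "" if sa["packets"] else " (never used)"
        out.append(f"{tag}: {sa['packets']} packets, {sa['bytes']} bytes{used}")
        if sa["enc"] in WEAK or sa["auth"] in WEAK:
            out.append(f"{tag}: weak algorithms {sa['enc']}/{sa['auth']}")
    return out

if __name__ == "__main__":
    print("\n".join(diagnose(parse_sad(SAMPLE_B))))
```

On the quoted dump the inbound SA on Raspberry B (151.19.172.16 -> 192.168.2.70) carried 46 packets / 3864 bytes, exactly 46 of the 84-byte echo requests seen in the tcpdump, while the outbound SA carried nothing, which matches the missing replies. Note that the captured echo requests are addressed to 192.168.2.9, not to Raspberry B's 192.168.2.70.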