Conexão Strongswan (IKEv2) estabelecida, mas nenhum roteamento de tráfego

8

Já vi esse tipo de pergunta postado algumas vezes antes, mas até agora nenhuma delas resolveu meu problema.

Estou tentando configurar uma VPN IKEv2 no meu servidor Ubuntu para usar com o Windows Phone usando o Strongswan. A conexão parece estar configurada corretamente, mas nenhum pacote é roteado e não consigo executar ping no endereço IP do cliente VPN.

A rede interna do meu servidor é 192.168.1.0/24 e o IP do meu servidor é 192.168.1.110 e está atrás do NAT.

/ var / log / syslog

May  8 09:50:01 seanco-server charon: 16[NET] received packet: from 166.147.118.120[13919] to 192.168.1.110[500]
May  8 09:50:01 seanco-server charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May  8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
May  8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
May  8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
May  8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May  8 09:50:01 seanco-server charon: 16[IKE] 166.147.118.120 is initiating an IKE_SA
May  8 09:50:01 seanco-server charon: 16[IKE] local host is behind NAT, sending keep alives
May  8 09:50:01 seanco-server charon: 16[IKE] remote host is behind NAT
May  8 09:50:01 seanco-server charon: 16[IKE] sending cert request for "C=xx, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx"
May  8 09:50:01 seanco-server charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May  8 09:50:01 seanco-server charon: 16[NET] sending packet: from 192.168.1.110[500] to 166.147.118.120[13919]
May  8 09:50:01 seanco-server charon: 08[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:01 seanco-server charon: 08[ENC] unknown attribute type INTERNAL_IP4_SERVER
May  8 09:50:01 seanco-server charon: 08[ENC] unknown attribute type INTERNAL_IP6_SERVER
May  8 09:50:01 seanco-server charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May  8 09:50:01 seanco-server charon: 08[IKE] received cert request for "C=xx, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx"
May  8 09:50:01 seanco-server charon: 08[IKE] received 31 cert requests for an unknown ca
May  8 09:50:01 seanco-server charon: 08[CFG] looking for peer configs matching 192.168.1.110[%any]...166.147.118.120[10.212.235.245]
May  8 09:50:01 seanco-server charon: 08[CFG] selected peer config 'windows-phone-vpn'
May  8 09:50:01 seanco-server charon: 08[IKE] initiating EAP-Identity request
May  8 09:50:01 seanco-server charon: 08[IKE] peer supports MOBIKE
May  8 09:50:01 seanco-server charon: 08[IKE] authentication of 'steakscorp.org' (myself) with RSA signature successful
May  8 09:50:01 seanco-server charon: 08[IKE] sending end entity cert "D=xxx, C=xx, CN=xxx, E=xxx"
May  8 09:50:01 seanco-server charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May  8 09:50:01 seanco-server charon: 08[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:02 seanco-server charon: 10[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:02 seanco-server charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May  8 09:50:02 seanco-server charon: 10[IKE] received EAP identity 'Windows Phone\jinhai'
May  8 09:50:02 seanco-server charon: 10[IKE] initiating EAP_MSCHAPV2 method (id 0xA5)
May  8 09:50:02 seanco-server charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
May  8 09:50:02 seanco-server charon: 10[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:02 seanco-server charon: 09[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:02 seanco-server charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
May  8 09:50:02 seanco-server charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
May  8 09:50:02 seanco-server charon: 09[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:02 seanco-server charon: 11[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:02 seanco-server charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
May  8 09:50:02 seanco-server charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
May  8 09:50:02 seanco-server charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
May  8 09:50:02 seanco-server charon: 11[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:02 seanco-server charon: 12[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May  8 09:50:02 seanco-server charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
May  8 09:50:02 seanco-server charon: 12[IKE] authentication of '10.212.235.245' with EAP successful
May  8 09:50:02 seanco-server charon: 12[IKE] authentication of 'steakscorp.org' (myself) with EAP
May  8 09:50:02 seanco-server charon: 12[IKE] IKE_SA windows-phone-vpn[2] established between 192.168.1.110[steakscorp.org]...166.147.118.120[10.212.235.245]
May  8 09:50:02 seanco-server charon: 12[IKE] scheduling reauthentication in 10200s
May  8 09:50:02 seanco-server charon: 12[IKE] maximum IKE_SA lifetime 10740s
May  8 09:50:02 seanco-server charon: 12[IKE] peer requested virtual IP %any6
May  8 09:50:02 seanco-server charon: 12[CFG] reassigning offline lease to 'Windows Phone\jinhai'
May  8 09:50:02 seanco-server charon: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'Windows Phone\jinhai'
May  8 09:50:02 seanco-server charon: 12[IKE] CHILD_SA windows-phone-vpn{2} established with SPIs c214680b_i a1cbebd2_o and TS 0.0.0.0/0[udp/l2f] === 10.8.0.1/32[udp]
May  8 09:50:02 seanco-server vpn: + 10.212.235.245 10.8.0.1/32 == 166.147.118.120 -- 192.168.1.110 == 0.0.0.0/0
May  8 09:50:02 seanco-server charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH CP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
May  8 09:50:02 seanco-server charon: 12[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:22 seanco-server charon: 16[IKE] sending keep alive
May  8 09:50:22 seanco-server charon: 16[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May  8 09:50:32 seanco-server charon: 10[IKE] sending DPD request
May  8 09:50:32 seanco-server charon: 10[ENC] generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]

/etc/ipsec.conf

config setup
        strictcrlpolicy = no
        charonstart = yes
        plutostart = no

conn windows-phone-vpn
        auto = route
        compress = no
        dpdaction = clear
        pfs = no
        keyexchange = ikev2
        type = tunnel
        left = %any
        leftfirewall = yes
        leftauth = pubkey
        leftid = steakscorp.org
        leftcert = /etc/apache2/ssl/start-ssl.crt
        leftca = /etc/apache2/ssl/start-ssl-ca.pem
        leftsendcert = always
        leftsubnet = 0.0.0.0/0
        right = %any
        rightauth = eap-mschapv2
        eap_identity = %any
        rightca = /etc/ipsec.d/cacerts/vpnca.pem
        rightsendcert = ifasked
        rightsourceip = 10.8.0.0/24
        #leftprotoport = 17/1701
        #rightprotoport = 17/%any

ifconfig

eth1      Link encap:Ethernet  HWaddr aa:00:04:00:0a:04
          inet addr:192.168.1.110  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:4fff:feaa:1577/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:157187 errors:0 dropped:0 overruns:0 frame:0
          TX packets:162827 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:121434663 (121.4 MB)  TX bytes:129069773 (129.0 MB)
          Interrupt:21 Memory:fe9e0000-fea00000

ham0      Link encap:Ethernet  HWaddr 7a:79:19:da:fb:84
          inet addr:25.218.251.132  Bcast:25.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::7879:19ff:feda:fb84/64 Scope:Link
          inet6 addr: 2620:9b::19da:fb84/96 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1404  Metric:1
          RX packets:1622 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3115 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:384780 (384.7 KB)  TX bytes:1249410 (1.2 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6554 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6554 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2036987 (2.0 MB)  TX bytes:2036987 (2.0 MB)

iptables

# Generated by iptables-save v1.4.12 on Fri May  9 10:33:46 2014
*mangle
:PREROUTING ACCEPT [604388:58921019]
:INPUT ACCEPT [4937028:2589137657]
:FORWARD ACCEPT [22:1366]
:OUTPUT ACCEPT [3919078:5188868578]
:POSTROUTING ACCEPT [4008714:5195778648]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Fri May  9 10:33:46 2014
# Generated by iptables-save v1.4.12 on Fri May  9 10:33:46 2014
*filter
:INPUT ACCEPT [1737:217459]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16831:20344894]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_U_ADMIN_IN - [0:0]
:AS0_U_USERLOCA_IN - [0:0]
:AS0_WEBACCEPT - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-apache-404 - [0:0]
:fail2ban-apache-noscript - [0:0]
:fail2ban-apache-overflows - [0:0]
:fail2ban-apache-postflood - [0:0]
:fail2ban-ip-blocklist - [0:0]
:fail2ban-repeatoffender - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-404
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A INPUT -p tcp -j fail2ban-ip-blocklist
-A INPUT -p tcp -j fail2ban-repeatoffender
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-postflood
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 10.0.8.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_OUT -j DROP
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_U_ADMIN_IN -d 192.168.1.0/24 -j ACCEPT
-A AS0_U_ADMIN_IN -j AS0_IN_POST
-A AS0_U_USERLOCA_IN -d 192.168.1.0/24 -j ACCEPT
-A AS0_U_USERLOCA_IN -j AS0_IN_POST
-A AS0_WEBACCEPT -j ACCEPT
-A fail2ban-apache -j RETURN
-A fail2ban-apache-404 -j RETURN
-A fail2ban-apache-noscript -j RETURN
-A fail2ban-apache-overflows -j RETURN
-A fail2ban-apache-postflood -j RETURN
-A fail2ban-ip-blocklist -j RETURN
-A fail2ban-repeatoffender -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN
COMMIT
# Completed on Fri May  9 10:33:46 2014
# Generated by iptables-save v1.4.12 on Fri May  9 10:33:46 2014
*nat
:PREROUTING ACCEPT [906:84714]
:INPUT ACCEPT [860:81590]
:OUTPUT ACCEPT [233:50740]
:POSTROUTING ACCEPT [233:50740]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A POSTROUTING -d 192.168.2.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
-A AS0_NAT -o eth1 -j SNAT --to-source 192.168.1.110
-A AS0_NAT -o ham0 -j SNAT --to-source 25.218.251.132
-A AS0_NAT -o tun0 -j SNAT --to-source 10.8.0.1
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -d 10.0.8.0/24 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Fri May  9 10:33:46 2014

política xfrm ip

src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701
        dir fwd priority 1920
        tmpl src 166.147.118.120 dst 192.168.1.110
                proto esp reqid 3 mode tunnel
src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701
        dir in priority 1920
        tmpl src 166.147.118.120 dst 192.168.1.110
                proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 10.8.0.1/32 proto udp sport 1701
        dir out priority 1920
        tmpl src 192.168.1.110 dst 166.147.118.120
                proto esp reqid 3 mode tunnel

Algumas coisas parecem um pouco estranhas para mim (não deve ser apresentado um ipsec0 ou algo assim quando a conexão é estabelecida?), Mas estou perplexo nesse momento e realmente aprecio alguma ajuda.

Edit : Comentou linhas protoport e derrubou a interface tun0.

Jinhai
fonte
1
Você definitivamente deve se livrar das left|rightprotoportopções. Com esses valores, eles são usados ​​ao usar IKEv1 / L2TP / IPsec, e você não está usando o IKEv2 com IPsec simples. Por que existe um dispositivo TUN que possui o endereço IP do cliente atribuído? A leitura do Forwarding e do Split-Tunneling no wiki strongSwan também pode ajudar.
Ecdsa
Corrigidas as configurações (tun0 não está mais ativo e as opções do protoport foram comentadas). Vou dar uma olhada no artigo da wiki novamente - e tentei configurar o NAT na minha interface voltada para a esquerda com: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACEITAR iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE ... mas até agora nada mudou.
Jinhai
Notei um "-A POSTROUTING -d 192.168.2.0/24 -o ppp0 -j MASQUERADE" em minhas tabelas de ip da minha VPN L2TP / PPP, no entanto, e isso funciona. Talvez eu precise adicionar um equivalente para minha rede IKEv2 e 10.8.0.0/24, mas qual interface eu usaria? (Desculpe, tipo de idiota quando se trata de iptables)
Jinhai

Respostas:

3

Você precisa:

>$ iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source "your VPN host IP"
>$ service iptables save
>$ service iptables restart
>$ service ipsec restart
Alex G.
fonte
5
Por que isso corrige seu problema?
21816 Ryan Shillington #
1

Você ativou o encaminhamento de ipv4?

$sudo sysctl -w net.ipv4.ip_forward=1

Você adicionou uma regra de MASQUERADE POSTROUTING?

$sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
MemCtrl
fonte
Sim e sim (embora meu adaptador seja eth1).
Jinhai
Você pode postar a tabela de roteamento do cliente?
MemCtrl 30/06
Não posso, mas tenho certeza de que esse é o problema - meu servidor não mostra nenhum tráfego na rede privada 10.8.0.0/24 do telefone quando está conectado e tentando acessar a Internet. Existe algo que eu possa adicionar no lado do servidor para adicionar uma rota para o exterior no cliente?
Jinhai