IPsec server on Linux for MikroTik clients

« when: 19. 10. 2018, 22:20:03 »
Hi,
I have been trying for two days now to get an IPsec server running on Linux. I had never worked with IPsec before.

I used strongSwan, which has packages in Debian and Ubuntu.
I have Ubuntu 18.04 and strongSwan 5.6.2.

It took quite a bit of work to get IKEv2 running with the user database and IP pool in FreeRADIUS, but in the end it worked (the "conn ikev2-vpn" section is functional).
For strongSwan I use a Let's Encrypt certificate.
Unfortunately, as I found out, the official strongSwan app on Android works, but MikroTik cannot connect to this type of IPsec (neither can the built-in Android VPN client).

So I am trying to get strongSwan to act as an IPsec server for MikroTik (hAP lite) clients.
Ideally I would like to avoid client certificates and use only username+password. It would be much easier to configure on the MikroTik.

My attempt is in the "conn xauth-ikev1-mikrotik" section. But the MikroTik cannot connect and keeps dumping these errors into the log:

Code:
# tail -F /var/log/syslog | grep "ipsec\|charon"
Oct 19 18:13:51 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:13:51 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:13:51 vpn charon: 08[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:13:51 vpn charon: 08[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:13:51 vpn charon: 08[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:13:51 vpn charon: 08[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:13:51 vpn charon: 08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:13:51 vpn charon: 08[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:13:51 vpn charon: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
Oct 19 18:13:51 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:02 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:02 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:02 vpn charon: 06[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:02 vpn charon: 06[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:02 vpn charon: 06[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:02 vpn charon: 06[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:02 vpn charon: 06[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:02 vpn charon: 06[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:02 vpn charon: 06[IKE] IKE_SA (unnamed)[2] state change: CREATED => DESTROYING
Oct 19 18:14:02 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:12 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:12 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:12 vpn charon: 13[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:12 vpn charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:12 vpn charon: 13[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:12 vpn charon: 13[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:12 vpn charon: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:12 vpn charon: 13[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:12 vpn charon: 13[IKE] IKE_SA (unnamed)[3] state change: CREATED => DESTROYING
Oct 19 18:14:12 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:23 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:23 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:23 vpn charon: 04[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:23 vpn charon: 04[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:23 vpn charon: 04[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:23 vpn charon: 04[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:23 vpn charon: 04[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:23 vpn charon: 04[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:23 vpn charon: 04[IKE] IKE_SA (unnamed)[4] state change: CREATED => DESTROYING
Oct 19 18:14:23 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:34 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:34 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG]   sha256_96=no
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG]   mediation=no
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG]   keyexchange=ikev2
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] algorithm 'saha256' not recognized
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] skipped invalid proposal string: aes128-saha256-ecp256
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 08[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 08[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 08[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 08[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 08[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 08[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 06[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 06[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 06[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 06[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 06[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 06[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 06[IKE] IKE_SA (unnamed)[2] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 13[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 13[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 13[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn charon: 14[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 13[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 13[IKE] IKE_SA (unnamed)[3] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 04[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 04[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 04[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 04[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 04[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 04[IKE] IKE_SA (unnamed)[4] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 04[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 04[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn ipsec[30143]: 04[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 04[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn ipsec[30143]: 04[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 04[IKE] IKE_SA (unnamed)[5] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn ipsec[30143]: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:44 vpn ipsec[30143]: 02[NET] waiting for data on sockets
Oct 19 18:14:44 vpn ipsec[30143]: 14[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:44 vpn ipsec[30143]: 14[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 14[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn charon: 14[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:44 vpn ipsec[30143]: 14[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn charon: 14[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:44 vpn charon: 14[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn charon: 14[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:44 vpn charon: 14[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:44 vpn charon: 14[IKE] IKE_SA (unnamed)[6] state change: CREATED => DESTROYING
Oct 19 18:14:44 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:14:55 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:14:55 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:14:55 vpn charon: 05[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:14:55 vpn charon: 05[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:14:55 vpn charon: 05[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:14:55 vpn charon: 05[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:55 vpn charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:14:55 vpn charon: 05[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:14:55 vpn charon: 05[IKE] IKE_SA (unnamed)[7] state change: CREATED => DESTROYING
Oct 19 18:14:55 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]
Oct 19 18:15:05 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:15:05 vpn charon: 02[NET] waiting for data on sockets
Oct 19 18:15:05 vpn charon: 12[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:15:05 vpn charon: 12[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:15:05 vpn charon: 12[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:15:05 vpn charon: 12[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:15:05 vpn charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 19 18:15:05 vpn charon: 12[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (36 bytes)
Oct 19 18:15:05 vpn charon: 12[IKE] IKE_SA (unnamed)[8] state change: CREATED => DESTROYING
Oct 19 18:15:05 vpn charon: 03[NET] sending packet: from 6.7.8.9[4500] to 1.2.3.4[4500]

I have strongSwan installed including all the RADIUS plugins:
Code:
# on Debian/Ubuntu the eap-radius and xauth-eap charon plugins ship in libcharon-extra-plugins,
# not in the libstrongswan-* packages
apt-get install strongswan libstrongswan-standard-plugins libstrongswan-extra-plugins

Here are my configs:

Code:
# cat /etc/ipsec.conf

config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"

    uniqueids=no
    # allow multiple connections from a given user

conn xauth-ikev1-mikrotik
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev1

    rekey=no
    left=%any
    leftid=muj.vpn.server.cz
    leftauth=psk

    leftcert=/etc/strongswan_certs/cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
 
    rightauth=psk
    rightauth2=xauth-radius
    xauth=server
    authby=xauthpsk

    rightsourceip=%radius
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never

    eap_identity=%identity


    ike=aes128-saha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!


conn ikev2-vpn
    auto=add
    # On strongSwan startup, load this connection and then wait for clients to connect to it (auto=add)

    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes

    dpdaction=clear
    dpddelay=300s
    dpdtimeout=1800s
    # Enable Dead Peer Detection (DPD), which periodically checks that the
    # client is still responding and if it's not then the IKEv2 session and the IPsec tunnel are cleared.

    ike=aes256-aes192-aes128-sha384-sha256-sha1-modp3072-modp2048-modp1536-modp1024!
    # List our acceptable encryption and message-integrity algorithms, for the authentication and key exchange process.

    rekey=no
    left=%any
    leftid=muj.vpn.server.cz
    leftauth=pubkey

    leftcert=/etc/strongswan_certs/cert.pem
    # Must only contain our public key, not the complete certificate chain!

    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    rightsourceip=%radius
   
    #rightsourceip=10.10.10.1-10.10.10.150   
    # rightsourceip=192.0.2.0/25,2001:db8::/96
    # Assign each client dynamic addresses from an IPv4 and an IPv6 pool.
    # The first and last addresses in each subnet will not be used
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never

    eap_identity=%identity
    # Allow any defined user to connect (provided they're present in ipsec.secrets).


# static IPs are not excluded from the pool you configured in ikev2-vpn !!!!!!!!
#
#  And if this static config selection works will also depend on the client.
#  If the IKE identity is not the same as the EAP-Identity a match on rightid won't
#  be possible (our Android app sets both to the same value, but e.g. the Windows
#  IKEv2 client does not)
conn static_ip___staticuserX
    also=ikev2-vpn
    #the parameters of that section are inherited by the current section
    rightid=staticuserX
    rightsourceip=10.10.10.200/32
    auto=add


Code:
# cat /etc/ipsec.secrets
: RSA "/etc/strongswan_certs/key.pem"
: PSK : "secret123"


Code:
# cat /etc/strongswan.d/charon.conf
charon {
  plugins {
    eap-radius {
      servers {
        primary {
          address = 127.0.0.1
          secret = testing123
          nas_identifier = ipsec-gateway   # was misspelled "nas_identifer"; an unknown key is silently ignored
          sockets = 20
          preference = 99
        }
      }
    }
    xauth-eap {
      backend = radius
    }
  }
}

Code:
# cat /etc/freeradius/3.0/users
# check items on the first line, reply items indented on the following lines
DEFAULT	Pool-Name := main_pool
	Fall-Through = Yes

"testuser"	Cleartext-Password := "123456789"

"teststatic"	Cleartext-Password := "123456789"
	Framed-IP-Address := 10.10.10.199,
	Framed-IP-Netmask := 255.255.255.0

In the MikroTik I tried to set up the VPN with:
Code:
/ip ipsec peer> add address=6.7.8.9/32 auth-method=pre-shared-key-xauth secret=secret123 xauth-login=testuser xauth-password=123456789

Could anyone advise me how to set up strongSwan so that it works as an IPsec VPN server for MikroTik clients?
I would like to avoid certificates, but a single shared PSK for everyone does not appeal to me either.

Isn't there some compromise, like PSK + a username and password on top? In MikroTik perhaps secret + xauth-login + xauth-password?
I saw something similar in the Android VPN client, "IPsec Xauth PSK" - by the way, that does not connect either.

An L3 VPN is enough for me, which is why using L2TP/IPsec seems unnecessary.
The VPN will serve primarily for VoIP (SIP), so every layer I can leave out is a plus. VoIP will have additional security of its own, so I would not be too afraid even of Xauth IKEv1, which I have been so strongly warned against.
And because of VoIP the VPN has to be UDP - otherwise I would use OpenVPN, with which I have excellent experience - but MikroTik only supports it in TCP mode :-(



"He who sacrifices part of his freedom for security will in the end lose both his freedom and his security."


samalama

Re: IPsec server on Linux for MikroTik clients
« Reply #1 when: 19. 10. 2018, 22:32:38 »
no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN

skipped invalid proposal string: aes128-saha256-ecp256

user

Re: IPsec server on Linux for MikroTik clients
« Reply #2 when: 20. 10. 2018, 00:25:02 »
I can't help you with strongSwan, but here are my observations:

1. You can happily run UDP inside OpenVPN over TCP. Of course, it may feel slower/worse, because it pushes all packets through the VPN, but that is how I mostly have it on ADSL lines (MikroTik at the client's site) and I have not noticed a difference compared with a direct UDP link.

2. Even though you write that you want to avoid it, I recommend using L2TP/IPsec - it is simpler, it is L3, VoIP will go through it and it will work without problems on Android/iOS/ROS.
« Last edited: 20. 10. 2018, 00:28:04 by user »

Re: IPsec server on Linux for MikroTik clients
« Reply #3 when: 20. 10. 2018, 01:07:14 »
no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
skipped invalid proposal string: aes128-saha256-ecp256

I noticed that, I just don't know yet how to fix it.


1. You can happily run UDP inside OpenVPN over TCP. Of course, it may feel slower/worse, because it pushes all packets through the VPN, but that is how I mostly have it on ADSL lines (MikroTik at the client's site) and I have not noticed a difference compared with a direct UDP link.

2. Even though you write that you want to avoid it, I recommend using L2TP/IPsec - it is simpler, it is L3, VoIP will go through it and it will work without problems on Android/iOS/ROS.

1)
Why TCP Over TCP Is A Bad Idea - http://sites.inka.de/bigred/devel/tcp-tcp.html
but SIP is just "modified HTML", so that would not matter so much.
The problem is RTP. I cannot use a TCP VPN. I discussed it on the odorik.cz forum as well, and it really is not a good idea to tunnel the RTP stream of a VoIP call through a TCP tunnel. They strongly advised me not to do it.

2)
L2TP/IPsec - maybe it will end up that way in the end.
Do you have a proven config/guide for setting up what I need?

naseptavac

Re: IPsec server on Linux for MikroTik clients
« Reply #4 when: 20. 10. 2018, 01:34:10 »
Mainly you need to put MikroTik in your coffee as well, otherwise it won't work. I am dumbfounded by this enthusiasm for stupid, limited little boxes. You save a few pennies on the purchase and then keep puzzling over what works and what doesn't, and after months of research the thousand crowns you saved finally "pay off" (if minimum wage is enough for you or your boss is an idiot).


cacin

Re: IPsec server on Linux for MikroTik clients
« Reply #5 when: 20. 10. 2018, 03:45:15 »
Hi,

in the /etc/ipsec.conf config I see a typo in the IKE proposal

    ike=aes128-saha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!


should be

    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!


Tomas
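The typo above is only reported by the starter at load time, which is easy to miss in a syslog full of negotiation noise. The following is an added Python checker, written for this thread; it is not strongSwan's own parser. It splits an ike= or esp= value the way ipsec.conf does (comma-separated proposals, dash-separated algorithms, optional trailing '!' strict flag), reports unknown names the way charon does, and in addition flags what a 2018-era "accept anything" list still carries: sha1, md5, modp1024/1536, an ESP proposal without a DH group (no PFS), and a missing strict flag. The algorithm name tables are an assumption covering the names in this thread's configs plus a few common ones, not everything the daemon knows; IKE_SPEC and ESP_SPEC are trimmed versions of the thread's lists, constructed for the demo.

```python
"""Checker for strongSwan ike=/esp= proposal strings (added example, not strongSwan code)."""

ENCRYPTION = {"aes128", "aes192", "aes256", "3des", "null", "chacha20poly1305",
              "aes128gcm8", "aes128gcm12", "aes128gcm16",
              "aes256gcm8", "aes256gcm12", "aes256gcm16"}
AEAD = {e for e in ENCRYPTION if "gcm" in e or e == "chacha20poly1305"}
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc"}
PRF = {"prfmd5", "prfsha1", "prfsha256", "prfsha384", "prfsha512", "prfaesxcbc"}
DH_GROUP = {"modp768", "modp1024", "modp1536", "modp2048", "modp3072", "modp4096",
            "modp6144", "modp8192", "ecp256", "ecp384", "ecp521", "curve25519"}
# assumption: the name tables above are limited to this thread's algorithms plus a few common ones
WEAK = {"null": "no encryption", "3des": "64-bit block cipher", "md5": "broken hash",
        "sha1": "deprecated hash", "prfmd5": "broken hash", "prfsha1": "deprecated hash",
        "modp768": "far below 2048-bit DH", "modp1024": "1024-bit DH (Logjam class)",
        "modp1536": "1536-bit DH, below the 2048-bit floor"}


def parse_proposal(text, kind):
    """Classify the algorithms of one proposal. kind is 'ike' or 'esp'."""
    prop = {"text": text, "enc": None, "integ": None, "prf": None, "dh": None,
            "errors": [], "warnings": []}
    for tok in text.split("-"):
        if tok in ENCRYPTION:
            prop["enc"] = tok
        elif tok in INTEGRITY:
            prop["integ"] = tok
        elif tok in PRF:
            prop["prf"] = tok
        elif tok in DH_GROUP:
            prop["dh"] = tok
        else:
            # same wording charon uses for the thread's "saha256" typo
            prop["errors"].append(f"algorithm '{tok}' not recognized")
        if tok in WEAK:
            prop["warnings"].append(f"{tok}: {WEAK[tok]}")
    enc = prop["enc"]
    if enc is None:
        prop["errors"].append("no encryption algorithm")
    elif enc in AEAD:
        if kind == "esp" and prop["integ"]:
            prop["warnings"].append(f"{prop['integ']} is redundant next to AEAD cipher {enc}")
        if kind == "ike" and not (prop["integ"] or prop["prf"]):
            prop["errors"].append("AEAD IKE proposal needs a PRF (e.g. prfsha256)")
    elif prop["integ"] is None:
        prop["errors"].append("non-AEAD cipher without an integrity algorithm")
    if prop["dh"] is None:
        prop["warnings"].append("no DH group: no PFS for this CHILD_SA" if kind == "esp"
                                else "no DH group named")
    return prop


def validate(spec, kind):
    """Parse a whole ike= or esp= value. Returns (proposals, strict_flag)."""
    spec = spec.strip()
    strict = spec.endswith("!")
    if strict:
        spec = spec[:-1]
    return [parse_proposal(p, kind) for p in spec.split(",") if p], strict


def findings(spec, kind):
    """Human-readable errors and warnings for one proposal list."""
    props, strict = validate(spec, kind)
    out = []
    for p in props:
        out += [f"ERROR {p['text']}: {e}" for e in p["errors"]]
        out += [f"WARN  {p['text']}: {w}" for w in p["warnings"]]
    if not strict:
        out.append("WARN  no trailing '!': the responder also accepts the daemon's default proposals")
    return out


def prune(spec, kind):
    """Return the list with broken and weak proposals removed and the strict flag set."""
    props, _ = validate(spec, kind)
    kept = [p["text"] for p in props
            if not p["errors"] and not any(t in WEAK for t in p["text"].split("-"))]
    return ",".join(kept) + "!"


# Trimmed versions of the thread's ike= and esp= lists, constructed for the demo.
IKE_SPEC = "aes128-saha256-ecp256,aes256-sha384-ecp384,aes128-sha1-modp1024!"
ESP_SPEC = "aes128gcm16-ecp256,aes128-sha256-modp2048,aes256-sha1"

if __name__ == "__main__":
    for kind, spec in (("ike", IKE_SPEC), ("esp", ESP_SPEC)):
        print(f"{kind}={spec}")
        print("\n".join(findings(spec, kind)))
        print(f"pruned: {kind}={prune(spec, kind)}\n")
```

Check the pruned list against what the client actually proposes before deploying it: dropping every weak entry is pointless if the MikroTik is then left with nothing in common with the server, and that failure shows up in the log as a proposal mismatch, not as the "no IKE config found" seen in this thread.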

NaSRat

Re: IPsec server on Linux for MikroTik clients
« Reply #6 when: 20. 10. 2018, 08:15:15 »
Mainly you need to put MikroTik in your coffee as well, otherwise it won't work. I am dumbfounded by this enthusiasm for stupid, limited little boxes. You save a few pennies on the purchase and then keep puzzling over what works and what doesn't, and after months of research the thousand crowns you saved finally "pay off" (if minimum wage is enough for you or your boss is an idiot).

So you don't know how to use MikroTik, ok.

Re: IPsec server on Linux for MikroTik clients
« Reply #7 when: 23. 10. 2018, 13:05:11 »
in the /etc/ipsec.conf config I see a typo in the IKE proposal

    ike=aes128-saha256-ecp256,aes256-sha384

Thanks for the tip. Fixed, but it still didn't help :-(

V.

Re: IPsec server on Linux for MikroTik clients
« Reply #8 when: 23. 10. 2018, 13:27:29 »
In general:
No proposal chosen means that peer A has no non-empty set of ciphers in common with peer B.
They cannot agree on establishing the tunnel.

Specifically, if I get to it I will try it too; I only have experience with combinations of other vendors.

samalama

Re: IPsec server on Linux for MikroTik clients
« Reply #9 when: 23. 10. 2018, 15:22:28 »
the MikroTik configuration might be useful...

Re: IPsec server on Linux for MikroTik clients
« Reply #10 when: 05. 11. 2018, 00:09:29 »
So instead of plain IPsec I have started trying L2TP/IPsec, still without success.

My configs:

Code:
root@vpn:/# cat /etc/ipsec.conf
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    uniqueids=no

conn wtf
    type=transport
    pfs=no
    rekey=no
    keyingtries=1
    left=%any
    leftprotoport=udp/l2tp
    leftid=@88.86.113.219
    right=%any
    rightprotoport=udp/%any
    auto=add
    aggressive=yes
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    leftauth2=xauthpsk
    rightauth2=xauthpsk

Code:
root@vpn:/# cat /etc/xl2tpd/xl2tpd.conf

[global]
listen-addr = 88.86.113.219

[lns default]
ip range = 10.10.100.10-10.10.100.250
local ip = 10.10.100.1
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = TEST_VPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Code:
root@vpn:/# cat /etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

But I still see only this error:
Code:
Oct 31 15:27:41 vpn charon: 03[NET] waiting for data on sockets
Oct 31 15:27:41 vpn charon: 14[NET] received packet: from 77.78.90.200[500] to 88.86.113.219[500] (364 bytes)
Oct 31 15:27:41 vpn charon: 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 31 15:27:41 vpn charon: 14[IKE] remote host is behind NAT
Oct 31 15:27:41 vpn charon: 14[CFG]   candidate "wtf", match: 1/1/28 (me/other/ike)
Oct 31 15:27:41 vpn charon: 14[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Oct 31 15:27:41 vpn charon: 14[NET] sending packet: from 88.86.113.219[500] to 77.78.90.200[500] (372 bytes)
Oct 31 15:27:41 vpn charon: 04[NET] sending packet: from 88.86.113.219[500] to 77.78.90.200[500]
Oct 31 15:27:42 vpn charon: 03[NET] received packet: from 77.78.90.200[4500] to 88.86.113.219[4500]
Oct 31 15:27:42 vpn charon: 03[NET] waiting for data on sockets
Oct 31 15:27:42 vpn charon: 16[NET] received packet: from 77.78.90.200[4500] to 88.86.113.219[4500] (76 bytes)
Oct 31 15:27:42 vpn charon: 16[ENC] invalid ID_V1 payload length, decryption failed?
Oct 31 15:27:42 vpn charon: 16[ENC] could not decrypt payloads
Oct 31 15:27:42 vpn charon: 16[IKE] message parsing failed
Oct 31 15:27:42 vpn charon: 16[ENC] generating INFORMATIONAL_V1 request 3597591477 [ HASH N(PLD_MAL) ]

I checked the passwords about 10 times.

The client is a MikroTik hAP lite.

I am completely at a loss now :-(

I would welcome any tip on how to get a working combination of an L2TP/IPsec server on Linux and a MikroTik client.

I would rather have certificate authentication, but I can live with IPsec PSK (the VPN wizard in WinBox offers nothing else) and usernames+passwords on L2TP.

Re: IPsec server on Linux for MikroTik clients
« Reply #11 when: 05. 11. 2018, 07:57:13 »
Hi, a while ago I set up IPsec between libreswan and libreswan - it worked. Yesterday I was doing IPsec between MikroTik and MikroTik - it worked. I can try it quickly between libreswan and MikroTik when I have time, to see whether I can get it going.

In any case, at a glance I can see that in the MikroTik you have an ip ipsec peer configured but no ip ipsec policy, so for now my modest guess is that the problem is somewhere there. Or some other parameters in the peer.

Alternatively, turn on the debug log for ipsec
/system logging add topics=ipsec,!debug
and then

/log print

and show what it says.
« Last edited: 05. 11. 2018, 08:06:20 by snuff1987 »

TKL

Re: IPsec server on Linux for MikroTik clients
« Reply #12 when: 05. 11. 2018, 08:51:24 »
Could anyone advise me how to set up strongSwan so that it works as an IPsec VPN server for MikroTik clients?


Hello,

I can't advise you on strongSwan, but I have been running IPsec tunnels between MikroTik routers and a Linux server to my full satisfaction for years using Racoon.
The setup guide is here: https://wiki.debian.org/IPsec

Re: IPsec server on Linux for MikroTik clients
« Reply #13 when: 05. 11. 2018, 10:26:26 »
I am currently trying this ipsec server config https://forum.root.cz/index.php?topic=19874.msg294389#msg294389

and in the MikroTik I use ppp->interface->l2tp client and fill in that table. I did not set anything else in the MikroTik and it is still the same error:

Code:
Nov  5 10:23:29 vpn charon: 03[NET] waiting for data on sockets
Nov  5 10:23:29 vpn charon: 06[NET] received packet: from 77.78.90.200[4500] to 88.86.113.219[4500] (76 bytes)
Nov  5 10:23:29 vpn charon: 06[ENC] invalid ID_V1 payload length, decryption failed?
Nov  5 10:23:29 vpn charon: 06[ENC] could not decrypt payloads
Nov  5 10:23:29 vpn charon: 06[IKE] message parsing failed

M.

Re: IPsec server on Linux for MikroTik clients
« Reply #14 when: 05. 11. 2018, 10:57:22 »
The linked config talks about using XAuth on that strongSwan server. If you set up L2TP/IPsec on ROS through the L2TP options with the automatic IPsec config, it will not use XAuth (it uses pre-shared-key, not pre-shared-key-xauth).
If you still have XAuth enabled on the IPsec server and ROS with L2TP automatic IPsec, then the message "invalid ID_V1 payload length, decryption failed?" matches that state.

The other possibility is a wrong shared secret, but if you have set it 10 times (well, looking at the strongSwan version, try a PSK without odd non-alphanumeric characters just in case; that has occasionally produced surprises).
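Both logs in this thread show the responder giving up before authentication, for different reasons. The following added Python script (mine, not from the thread and not strongSwan code) reads charon syslog lines and reports, per peer, which IKE version it is speaking, which conn section was a candidate, and which of the failure messages seen here ended the exchange. It assumes only the line shape charon writes, as shown in the posts ("timestamp host charon: thread[GROUP] message", or "ipsec[pid]:" for lines relayed by the starter), and the literal message texts that appear in them; SAMPLE_LOG is a constructed excerpt of lines from the two posted logs. Run over the first post's log it also makes explicit something the thread never states: IKE_SA_INIT is an IKEv2 exchange, so a keyexchange=ikev1 section can never be the one matched for that peer.

```python
"""Triage of strongSwan (charon) IKE negotiation failures (added example, not strongSwan code)."""
import re
from collections import defaultdict

# assumption: the default syslog line format charon writes, as shown in the thread
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?:charon|ipsec\[\d+\]): "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
PKT_RE = re.compile(r"received packet: from (?P<ip>[\d.]+)\[(?P<port>\d+)\]")
EXCH_RE = re.compile(r"parsed (?P<exch>[A-Z_0-9]+) (?:request|response)")
CAND_RE = re.compile(r'candidate "(?P<conn>[^"]+)"')

# exchange names charon logs; the version decides which conn sections can match at all
IKEV2_EXCHANGES = {"IKE_SA_INIT", "IKE_AUTH", "CREATE_CHILD_SA", "INFORMATIONAL"}
IKEV1_EXCHANGES = {"ID_PROT", "AGGRESSIVE", "QUICK_MODE", "TRANSACTION", "INFORMATIONAL_V1"}

# (message fragment seen in the thread, verdict code, what it means on a responder)
VERDICTS = [
    ("no IKE config found", "NO_IKE_CONFIG",
     "no conn section matches this peer's addresses and IKE version; "
     "compare keyexchange= with the version the peer is actually speaking"),
    ("no matching proposal found", "PROPOSAL_MISMATCH",
     "a conn matched but shares no IKE proposal with the peer; compare ike="),
    ("could not decrypt payloads", "DECRYPT_FAILED",
     "the first encrypted main-mode message did not decrypt; its keys derive from the PSK, "
     "so a wrong PSK or a plain-PSK vs XAuth mode mismatch surfaces here"),
]


def ike_version(exchange):
    """Map an exchange name to the IKE major version, or None if unknown."""
    if exchange in IKEV2_EXCHANGES:
        return 2
    if exchange in IKEV1_EXCHANGES:
        return 1
    return None


def triage(lines):
    """Return ({peer_ip: state}, [config warnings]) for an iterable of syslog lines."""
    peers = defaultdict(lambda: {"versions": set(), "ports": set(), "exchanges": [],
                                 "conns": set(), "verdicts": {}})
    config_warnings = []
    peer_of_thread = {}  # charon logs per worker thread; its last received packet names the peer
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        if "skipped invalid proposal string" in msg or "not recognized" in msg:
            config_warnings.append(msg.strip())  # load-time problem, not tied to a peer
            continue
        pm = PKT_RE.search(msg)
        if pm:
            peer_of_thread[thread] = pm.group("ip")
            peers[pm.group("ip")]["ports"].add(pm.group("port"))
            continue
        peer = peer_of_thread.get(thread)
        if peer is None:
            continue
        state = peers[peer]
        em = EXCH_RE.search(msg)
        if em:
            state["exchanges"].append(em.group("exch"))
            version = ike_version(em.group("exch"))
            if version:
                state["versions"].add(version)
            continue
        cm = CAND_RE.search(msg)
        if cm:
            state["conns"].add(cm.group("conn"))
            continue
        for needle, code, meaning in VERDICTS:
            if needle in msg:
                state["verdicts"][code] = meaning
    return dict(peers), config_warnings


def report(lines):
    """One line per fact, suitable for printing."""
    peers, warnings = triage(lines)
    out = []
    for peer, st in sorted(peers.items()):
        versions = ",".join(f"IKEv{v}" for v in sorted(st["versions"])) or "unknown"
        conns = ",".join(sorted(st["conns"])) or "none"
        out.append(f"{peer} (ports {','.join(sorted(st['ports']))}): speaks {versions}; "
                   f"exchanges {st['exchanges']}; matched conn(s): {conns}")
        out += [f"  {code}: {meaning}" for code, meaning in st["verdicts"].items()]
    out += [f"config warning: {w}" for w in warnings]
    return out


# Constructed excerpt: lines copied from the thread's first log (IKE_SA_INIT loop plus the
# starter's load-time warning) and from the later L2TP/IPsec attempt.
SAMPLE_LOG = """\
Oct 19 18:13:51 vpn charon: 02[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500]
Oct 19 18:13:51 vpn charon: 08[NET] received packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (440 bytes)
Oct 19 18:13:51 vpn charon: 08[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 19 18:13:51 vpn charon: 08[CFG] looking for an ike config for 6.7.8.9...1.2.3.4
Oct 19 18:13:51 vpn charon: 08[IKE] no IKE config found for 6.7.8.9...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] algorithm 'saha256' not recognized
Oct 19 18:14:44 vpn ipsec[30143]: 04[CFG] skipped invalid proposal string: aes128-saha256-ecp256
Oct 31 15:27:41 vpn charon: 14[NET] received packet: from 77.78.90.200[500] to 88.86.113.219[500] (364 bytes)
Oct 31 15:27:41 vpn charon: 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 31 15:27:41 vpn charon: 14[CFG]   candidate "wtf", match: 1/1/28 (me/other/ike)
Oct 31 15:27:42 vpn charon: 16[NET] received packet: from 77.78.90.200[4500] to 88.86.113.219[4500] (76 bytes)
Oct 31 15:27:42 vpn charon: 16[ENC] invalid ID_V1 payload length, decryption failed?
Oct 31 15:27:42 vpn charon: 16[ENC] could not decrypt payloads
Oct 31 15:27:42 vpn charon: 16[IKE] message parsing failed
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Feed it the syslog excerpt as a list of lines and call report(). The verdict table only knows the three failure messages that appear in this thread; extend VERDICTS when charon reports something else, and keep the charondebug levels at the "cfg 2, ike 2" used here, because the "candidate" lines that show which conn matched are only logged at cfg 2.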