Hi,
I'm testing some IPsec VPN problems in our network and I'm building a test tunnel in which I will then move the client in question into variously restricted subnets... First, though, I need a working configuration, and that fell apart under my hands.
I'm using a server on Debian 12 and a laptop on Ubuntu 22.04.
The configuration is à la "Roadwarrior Case with Virtual IP" from
https://docs.strongswan.org/docs/5.9/config/quickstart.html
I generated the certificates following
https://docs.strongswan.org/docs/5.9/pki/pkiQuickstart.html and copied the files to the appropriate places as the guide describes.
Server (anonymised):
connections {
    rw6in4 {
        local_addrs = X.Y.Z.U
        pools = rw_pool4
        #, rw_pool6
        local {
            auth = pubkey
            certs = moonCert.pem
            id = moon.strongswan.org
        }
        remote {
            auth = pubkey
            # id = client.strongswan.org
        }
        children {
            netx {
                local_ts = 0.0.0.0/0
                #, ::/0
                esp_proposals = aes192gcm16,aes128gcm16,aes192-ecp256,aes192-sha256-modp3072,default
            }
        }
        version = 2
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
    }
}
pools {
    rw_pool4 {
        addrs = 172.16.16.0/24
        dns = X.Y.Z.U
    }
# closing brace of the pools section (missing from the pasted snippet)
}
Client (anonymised):
The only difference from the guide is that "local_ts" is changed to "remote_ts" (I think that's a bug in the documentation), and in my configuration it is the gateway instead of a specific subnet.
connections {
    home {
        remote_addrs = X.Y.Z.U
        vips = 0.0.0.0
        local {
            auth = pubkey
            certs = clientCert.pem
            id = client.strongswan.org
        }
        remote {
            auth = pubkey
            id = moon.strongswan.org
        }
        children {
            home {
                remote_ts = 0.0.0.0/0
                start_action = start
                esp_proposals = aes192gcm16,aes128gcm16,aes192-ecp256,aes192-sha256-modp3072,default
            }
        }
        proposals = aes256-sha1-modp1024,aes192-sha256-modp3072,default
        version = 2
    }
}
Server certificate:
subject: "C=CH, O=strongswan, CN=moon.strongswan.org"
issuer: "C=CH, O=strongSwan, CN=strongSwan Root CA"
validity: not before Sep 20 14:14:02 2023, ok
not after Sep 19 14:14:02 2028, ok (expires in 1825 days)
serial: 01
altNames: moon.strongswan.org
flags:
authkeyId: cd:8f:8b:46:30:4a:22:5a:6f:2f:c8:dd:0a:7c:21:9b:18:5d:1f:11
subjkeyId: ba:85:ec:e9:da:4c:ce:c5:bd:6b:73:db:ac:72:d6:c8:3c:43:64:90
pubkey: ED25519 256 bits
keyid: d1:e5:b3:f6:a1:ac:9f:12:88:eb:f9:27:c7:4c:3f:5b:be:de:3a:87
subjkey: ba:85:ec:e9:da:4c:ce:c5:bd:6b:73:db:ac:72:d6:c8:3c:43:64:90
Client certificate:
subject: "C=CH, O=strongswan, CN=client.strongswan.org"
issuer: "C=CH, O=strongSwan, CN=strongSwan Root CA"
validity: not before Sep 20 14:14:14 2023, ok
not after Sep 19 14:14:14 2028, ok (expires in 1825 days)
serial: 01
altNames: client.strongswan.org
flags:
authkeyId: cd:8f:8b:46:30:4a:22:5a:6f:2f:c8:dd:0a:7c:21:9b:18:5d:1f:11
subjkeyId: 83:78:fd:4d:29:da:b0:65:49:e1:10:bc:04:5e:03:41:8c:64:95:b3
pubkey: ED25519 256 bits
keyid: 01:5a:e9:6e:d3:e8:25:80:90:6f:15:36:b5:52:c5:e1:35:89:90:dc
subjkey: 83:78:fd:4d:29:da:b0:65:49:e1:10:bc:04:5e:03:41:8c:64:95:b3
It already worked for me and the whole VPN was running. Then I touched it, and now I can't get back to a working configuration.
With a working connection, the log showed the IDs from the configuration next to the IP addresses of the individual nodes:
Sep 19 13:15:19 localhost charon: 12[NET] received packet: from A.B.C.D[500] to X.Y.Z.U[500] (1088 bytes)
Sep 19 13:15:19 localhost charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 19 13:15:19 localhost charon: 12[IKE] A.B.C.D is initiating an IKE_SA
Sep 19 13:15:19 localhost charon: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 19 13:15:20 localhost charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Sep 19 13:15:20 localhost charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 19 13:15:20 localhost charon: 12[NET] sending packet: from X.Y.Z.U[500] to A.B.C.D[500] (361 bytes)
Sep 19 13:15:20 localhost charon: 11[NET] received packet: from A.B.C.D[4500] to X.Y.Z.U[4500] (1248 bytes)
Sep 19 13:15:20 localhost charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(1/2) ]
Sep 19 13:15:20 localhost charon: 11[ENC] received fragment #1 of 2, waiting for complete IKE message
Sep 19 13:15:20 localhost charon: 11[NET] received packet: from A.B.C.D[4500] to X.Y.Z.U[4500] (528 bytes)
Sep 19 13:15:20 localhost charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(2/2) ]
Sep 19 13:15:20 localhost charon: 11[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1708 bytes)
Sep 19 13:15:20 localhost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 19 13:15:20 localhost charon: 11[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Sep 19 13:15:20 localhost charon: 11[IKE] received end entity cert "C=CH, O=strongswan, CN=laptop.strongswan.org"
Sep 19 13:15:20 localhost charon: 11[CFG] looking for peer configs matching X.Y.Z.U[moon.strongswan.org]...A.B.C.D[client.strongswan.org]
Sep 19 13:15:20 localhost charon: 11[CFG] selected peer config 'rw6in4'
Sep 19 13:15:20 localhost charon: 11[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA"
Now I only get IP addresses, and phase 1 (IKE) doesn't connect; it doesn't even start verifying the certificates (anonymised):
2023-09-20T14:22:20.781411+02:00 test-pc-c4 charon: 11[NET] received packet: from A.B.C.D[500] to X.Y.Z.U[500] (1088 bytes)
2023-09-20T14:22:20.782145+02:00 test-pc-c4 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2023-09-20T14:22:20.783289+02:00 test-pc-c4 charon: 11[IKE] no IKE config found for X.Y.Z.U...A.B.C.D, sending NO_PROPOSAL_CHOSEN
2023-09-20T14:22:20.783803+02:00 test-pc-c4 charon: 11[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2023-09-20T14:22:20.784294+02:00 test-pc-c4 charon: 11[NET] sending packet: from X.Y.Z.U[500] to A.B.C.D[500] (36 bytes)
I've been poking at this for a very long time and I can't figure out what broke it.
Has anyone more experienced spotted a problem in the configuration?
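The two log excerpts above differ at one decisive point: in the working run charon reaches "looking for peer configs matching ... selected peer config 'rw6in4'", while in the broken run it stops at "no IKE config found for X.Y.Z.U...A.B.C.D" during IKE_SA_INIT. That message is emitted before any certificate or identity is examined: charon could not match the packet's local/remote addresses and IKE version against any loaded connection (for example because local_addrs no longer matches the address the packet arrived on, or because the connection was never loaded with swanctl --load-all and does not show up in swanctl --list-conns). The following script is an added example, not part of the original post, that parses charon syslog lines in both formats seen above, groups them by address pair, and reports for each negotiation whether a peer config was selected, which identities and end-entity certificate were seen, and flags two things a reviewer would want to notice: an IKE identity that does not appear in the presented certificate subject, and a negotiated IKE proposal using MODP_1024 or SHA-1. The sample log lines are constructed from the anonymised lines in the post.

```python
"""Summarise strongSwan charon IKEv2 negotiations from syslog lines.

Added example (not the forum poster's code): it groups charon log lines by
address pair and reports whether the responder found a peer config or
rejected the peer already at IKE_SA_INIT ("no IKE config found").
The sample logs below are constructed from the anonymised lines in the post.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Timestamps are ignored, so both syslog flavours in the post parse the same way.
CHARON_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
ENDPOINTS_RE = re.compile(r"\bfrom (?P<src>[^\s\[]+)\[\d+\] to (?P<dst>[^\s\[]+)\[\d+\]")
NO_CFG_RE = re.compile(r"no IKE config found for (?P<local>\S+?)\.\.\.(?P<remote>[^\s,]+)")
PEER_LOOKUP_RE = re.compile(
    r"looking for peer configs matching (?P<local>[^\s\[]+)\[(?P<lid>[^\]]*)\]"
    r"\.\.\.(?P<remote>[^\s\[]+)\[(?P<rid>[^\]]*)\]")
SELECTED_RE = re.compile(r"selected peer config '(?P<name>[^']+)'")
PROPOSAL_RE = re.compile(r"selected proposal: IKE:(?P<prop>\S+)")
EE_CERT_RE = re.compile(r'received end entity cert "(?P<dn>[^"]+)"')
# Algorithms that should not survive a configuration review in 2023.
WEAK_IKE = ("MODP_768", "MODP_1024", "HMAC_MD5", "HMAC_SHA1", "3DES")


@dataclass
class Negotiation:
    endpoints: Tuple[str, str]            # unordered (addr, addr) pair
    ike_proposal: Optional[str] = None
    local_id: Optional[str] = None
    remote_id: Optional[str] = None
    peer_config: Optional[str] = None
    peer_cert: Optional[str] = None       # subject DN of the end-entity cert
    failure: Optional[str] = None

    def verdict(self) -> str:
        if self.failure:
            return f"FAILED at IKE_SA_INIT: {self.failure}"
        if self.peer_config:
            return f"peer config '{self.peer_config}' selected for {self.remote_id}"
        return "incomplete (no peer config decision seen)"

    def warnings(self) -> List[str]:
        w = []
        if self.remote_id and self.peer_cert and self.remote_id not in self.peer_cert:
            w.append(f"IKE identity {self.remote_id!r} does not appear in the peer's "
                     f"certificate subject {self.peer_cert!r}; the identity must match "
                     "the subject DN or a subjectAltName of that certificate")
        if self.ike_proposal and any(a in self.ike_proposal for a in WEAK_IKE):
            w.append(f"weak IKE proposal negotiated: {self.ike_proposal}")
        return w


def summarise(lines: List[str]) -> Dict[Tuple[str, str], Negotiation]:
    """Return one Negotiation per unordered address pair seen in the lines."""
    negs: Dict[Tuple[str, str], Negotiation] = {}
    current: Dict[str, Tuple[str, str]] = {}   # charon thread -> pair it is working on

    def get(a: str, b: str) -> Negotiation:
        key = (min(a, b), max(a, b))
        return negs.setdefault(key, Negotiation(endpoints=key))

    for line in lines:
        m = CHARON_RE.search(line)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        e = ENDPOINTS_RE.search(msg)
        if e:                                   # packet lines name both ends
            current[thread] = get(e["src"], e["dst"]).endpoints
            continue
        nc = NO_CFG_RE.search(msg)
        if nc:                                  # rejected before authentication
            get(nc["local"], nc["remote"]).failure = (
                "no IKE config found: no loaded connection matches these addresses "
                "and IKE version")
            continue
        pl = PEER_LOOKUP_RE.search(msg)
        if pl:                                  # identities become visible here
            n = get(pl["local"], pl["remote"])
            n.local_id, n.remote_id = pl["lid"], pl["rid"]
            current[thread] = n.endpoints
            continue
        key = current.get(thread)
        if key is None:
            continue                            # line not attributable to a negotiation
        n = negs[key]
        if (s := SELECTED_RE.search(msg)):
            n.peer_config = s["name"]
        elif (p := PROPOSAL_RE.search(msg)):
            n.ike_proposal = p["prop"]
        elif (c := EE_CERT_RE.search(msg)):
            n.peer_cert = c["dn"]
    return negs


# Constructed sample input, modelled on the anonymised lines in the post.
WORKING_LOG = [
    "Sep 19 13:15:19 localhost charon: 12[NET] received packet: from A.B.C.D[500] to X.Y.Z.U[500] (1088 bytes)",
    "Sep 19 13:15:19 localhost charon: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "Sep 19 13:15:20 localhost charon: 11[NET] received packet: from A.B.C.D[4500] to X.Y.Z.U[4500] (1248 bytes)",
    'Sep 19 13:15:20 localhost charon: 11[IKE] received end entity cert "C=CH, O=strongswan, CN=laptop.strongswan.org"',
    "Sep 19 13:15:20 localhost charon: 11[CFG] looking for peer configs matching X.Y.Z.U[moon.strongswan.org]...A.B.C.D[client.strongswan.org]",
    "Sep 19 13:15:20 localhost charon: 11[CFG] selected peer config 'rw6in4'",
]
BROKEN_LOG = [
    "2023-09-20T14:22:20.781411+02:00 test-pc-c4 charon: 11[NET] received packet: from A.B.C.D[500] to X.Y.Z.U[500] (1088 bytes)",
    "2023-09-20T14:22:20.783289+02:00 test-pc-c4 charon: 11[IKE] no IKE config found for X.Y.Z.U...A.B.C.D, sending NO_PROPOSAL_CHOSEN",
    "2023-09-20T14:22:20.784294+02:00 test-pc-c4 charon: 11[NET] sending packet: from X.Y.Z.U[500] to A.B.C.D[500] (36 bytes)",
]

if __name__ == "__main__":
    for label, log in (("working", WORKING_LOG), ("broken", BROKEN_LOG)):
        for n in summarise(log).values():
            print(f"[{label}] {n.endpoints[0]} <-> {n.endpoints[1]}: {n.verdict()}")
            for warning in n.warnings():
                print(f"    WARNING: {warning}")
```

Feeding the real journal through it (for example `journalctl -u strongswan -o short-iso | python3 charon_summary.py`, with the module adapted to read stdin) gives one line per peer pair, which makes it easy to see whether a failure is a config-selection problem (the "no IKE config found" branch) or an authentication one. In the working log it also surfaces that the end-entity certificate's CN (laptop.strongswan.org) differs from the IKE identity client.strongswan.org, and that the first IKE proposal in both configs (aes256-sha1-modp1024) is the one actually negotiated; moving the aes192-sha256-modp3072 entry first, or dropping the modp1024 entry, avoids a Diffie-Hellman group strongSwan itself no longer recommends.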