Strona 1 z 1

Ipsec, openSwan, komunikacja tylko w jedną stronę

: 28 marca 2012, 18:59
autor: Diabl0
Witam.

Stoję przed zadaniem stworzenia tunelu IPSec pomiędzy naszym serwerem a współpracującą z nami firmą. Niestety, nigdy tego nie robiłem (normalnie używam OpenVPN).

Po odrobinie bojów w VMWare wybór padł na openSWAN gdzie wszystko działało prawidłowo. Niestety na produkcyjnym działa tylko w jedną stronę, tzn. ja mam dostęp do ich serwerów, oni do naszych już nie.

Takie zalecenia dostałem od nich:

Kod: Zaznacz cały

Phase 1 [IKE]: 
Encryption = AES-256
Data integrity = SHA1
DH Group = Group 2
Use Aggressive Mode = No
Renegotiate IKE = every 1440 minutes


Phase 2 [IPsec]: 
Encryption = AES-256
Data integrity = SHA1
Use Perfect Forward Secrecy = No
Renegotiate IPsec = every 3600 secs
Support IP Compression = No


Our VPN gateway = Checkpoint firewall 
Host IP addresses = 10.170.3.233, 10.170.3.246 and 10.170.3.247 
A tak wygląda mój konfig /etc/ipsec.conf:

Kod: Zaznacz cały

conn medlab
     authby=secret
      ike=aes256

     phase2=esp
     phase2alg=aes256-sha1

     left=83.244.233.102
     leftsubnet=10.170.3.0/24
     leftsourceip=10.170.3.233
     leftnexthop=82.103.136.165

     right=82.103.136.165
     rightsubnet=10.4.4.0/24
     rightsourceip=10.4.4.44
     rightnexthop=83.244.233.102
     auto=start

Przy startowaniu ipsec do sysloga trafiają następujące komunikaty:

Kod: Zaznacz cały

Mar 28 17:49:32 g4 kernel: [112133.444078] NET: Registered protocol family 15
Mar 28 17:49:32 g4 ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-2-amd64...
Mar 28 17:49:32 g4 ipsec_setup: Using NETKEY(XFRM) stack
Mar 28 17:49:32 g4 kernel: [112133.515678] Initializing XFRM netlink socket
Mar 28 17:49:32 g4 kernel: [112133.521457] padlock_sha: VIA PadLock Hash Engine not detected.
Mar 28 17:49:32 g4 kernel: [112133.524421] Intel AES-NI instructions are not detected.
Mar 28 17:49:32 g4 kernel: [112133.530491] Intel AES-NI instructions are not detected.
Mar 28 17:49:32 g4 ipsec_setup: multiple ip addresses, using  #@nasze_publiczne_ip@# on eth0
Mar 28 17:49:32 g4 ipsec_setup: ...Openswan IPsec started
Mar 28 17:49:32 g4 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Mar 28 17:49:32 g4 pluto: adjusting ipsec.d to /etc/ipsec.d
Mar 28 17:49:32 g4 ipsec__plutorun: 002 added connection description "medlab"
Mar 28 17:49:32 g4 ipsec__plutorun: 104 "medlab" #1: STATE_MAIN_I1: initiate

A to wynik:

Kod: Zaznacz cały

ipsec auto --status

Kod: Zaznacz cały

000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 #@nasze_publiczne_ip@#
000 interface eth0/eth0 #@nasze_publiczne_ip@#
000 interface eth0:3/eth0:3 10.4.4.44
000 interface eth0:3/eth0:3 10.4.4.44
000 interface eth0:1/eth0:1 82.103.129.10
000 interface eth0:1/eth0:1 82.103.129.10
000 interface tun0/tun0 10.10.0.10
000 interface tun0/tun0 10.10.0.10
000 interface tun1/tun1 10.8.0.6
000 interface tun1/tun1 10.8.0.6
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,3072} attrs={0,2,2048}
000
000 "medlab": 10.4.4.0/24===#@nasze_publiczne_ip@#<#@nasze_publiczne_ip@#>[+S=C]...#@ich_publiczne_ip@#<#@ich_publiczne_ip@#>[+S=C]===10.170.3.0/24; erouted; eroute owner: #2
000 "medlab":     myip=10.4.4.44; hisip=10.170.3.233;
000 "medlab":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "medlab":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
000 "medlab":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "medlab":   IKE algorithms wanted: AES_CBC(7)_256-MD5(1)_000-MODP1536(5), AES_CBC(7)_256-SHA1(2)_000-MODP1536(5), AES_CBC(7)_256-MD5(1)_000-MODP1024(2), AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "medlab":   IKE algorithms found:  AES_CBC(7)_256-MD5(1)_128-MODP1536(5), AES_CBC(7)_256-SHA1(2)_160-MODP1536(5), AES_CBC(7)_256-MD5(1)_128-MODP1024(2), AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "medlab":   IKE algorithm newest: AES_CBC_256-SHA1-MODP1536
000 "medlab":   ESP algorithms wanted: AES(12)_256-SHA1(2)_000; flags=-strict
000 "medlab":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "medlab":   ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<Phase1>
000
000 #2: "medlab":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28039s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "medlab" esp.304be42d@#@ich_publiczne_ip@# esp.504e1f86@#@nasze_publiczne_ip@# tun.0@#@ich_publiczne_ip@# tun.0@#@nasze_publiczne_ip@# ref=0 refhim=4294901761
000 #1: "medlab":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2766s; newest ISAKMP; nodpd; idle; import:admin initiate
000

Polecenie:

Kod: Zaznacz cały

tcpdump -n host #@ich_publiczne_ip@#
daje natomiast taki efekt:

Kod: Zaznacz cały

17:53:28.137611 IP #@nasze_publiczne_ip@#.500 > #@ich_publiczne_ip@#.500: isakmp: phase 1 I ident
17:53:28.181927 IP #@ich_publiczne_ip@#.500 > #@nasze_publiczne_ip@#.500: isakmp: phase 1 R ident
17:53:28.183184 IP #@nasze_publiczne_ip@#.500 > #@ich_publiczne_ip@#.500: isakmp: phase 1 I ident
17:53:28.233390 IP #@ich_publiczne_ip@#.500 > #@nasze_publiczne_ip@#.500: isakmp: phase 1 R ident
17:53:28.234442 IP #@nasze_publiczne_ip@#.500 > #@ich_publiczne_ip@#.500: isakmp: phase 1 I ident[E]
17:53:28.288312 IP #@ich_publiczne_ip@#.500 > #@nasze_publiczne_ip@#.500: isakmp: phase 1 R ident[E]
17:53:28.289643 IP #@nasze_publiczne_ip@#.500 > #@ich_publiczne_ip@#.500: isakmp: phase 2/others I oakley-quick[E]
17:53:28.340838 IP #@ich_publiczne_ip@#.500 > #@nasze_publiczne_ip@#.500: isakmp: phase 2/others R oakley-quick[E]
17:53:28.346457 IP #@nasze_publiczne_ip@#.500 > #@ich_publiczne_ip@#.500: isakmp: phase 2/others I oakley-quick[E]

Plus ping z mojej strony:

Kod: Zaznacz cały

17:54:56.565791 IP #@nasze_publiczne_ip@# > #@ich_publiczne_ip@#: ESP(spi=0x8292ce41,seq=0x1), length 132
17:54:56.592203 IP #@ich_publiczne_ip@# > #@nasze_publiczne_ip@#: ESP(spi=0xba185a38,seq=0x1), length 132
17:54:57.567485 IP #@nasze_publiczne_ip@# > #@ich_publiczne_ip@#: ESP(spi=0x8292ce41,seq=0x2), length 132
17:54:57.592156 IP #@ich_publiczne_ip@# > #@nasze_publiczne_ip@#: ESP(spi=0xba185a38,seq=0x2), length 132

Czy ktoś jest mi w stanie jakoś pomóc?