Portál AbcLinuxu, 1. listopadu 2024 00:43
root@ipsec:~# ipsec statusall Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-89-generic, x86_64): uptime: 14 minutes, since Dec 05 16:19:01 2023 malloc: sbrk 2162688, mmap 0, used 1412912, free 749776 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4 loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters Listening IP addresses: 192.168.15.22 Connections: cisco_asa: 192.168.15.22...xx.xx.xx.xx IKEv2, dpddelay=30s cisco_asa: local: [192.168.15.22] uses pre-shared key authentication cisco_asa: remote: [xx.xx.xx.xx] uses pre-shared key authentication cisco_asa: child: 10.110.6.128/25 === 10.100.7.0/24 TUNNEL, dpdaction=restart Security Associations (1 up, 0 connecting): cisco_asa_spp[1]: ESTABLISHED 14 minutes ago, 192.168.15.22[192.168.15.22]...xx.xx.xx.xx[xx.xx.xx.xx] cisco_asa_spp[1]: IKEv2 SPIs: 2fe2f55bdc316605_i* d4acb220cb97c7f5_r, pre-shared key reauthentication in 23 hours cisco_asa_spp[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384 cisco_asa_spp{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cd7c311e_i c9e1ebd7_o cisco_asa_spp{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes cisco_asa_spp{1}: 10.110.6.128/25 === 10.100.7.0/24výpis sítě:
root@ipsec:~# ip a 1: lo: LOOPBACK,UP,LOWER_UP mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens18: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether fe:ba:67:72:7b:12 brd ff:ff:ff:ff:ff:ff altname enp0s18 inet 192.168.15.22/24 brd 192.168.15.255 scope global ens18 valid_lft forever preferred_lft forever inet6 fe80::acbf:67ff:fe72:7b12/64 scope link valid_lft forever preferred_lft foreverNašel jsem, že by stím mohlo mít něco společného v iptables policy
policy This module matches the policy used by IPsec for handling a packet. --dir {in|out} Used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation. in is valid in the PREROUTING, INPUT and FORWARD chains, out is valid in the POSTROUTING, OUTPUT and FORWARD chains. --pol {none|ipsec} Matches if the packet is subject to IPsec processing. --pol none cannot be combined with --strict. --strict Selects whether to match the exact policy or match if any rule of the policy matches the given policy. For each policy element that is to be described, one can use one or more of the following options. When --strict is in effect, at least one must be used per element. [!] --reqid id Matches the reqid of the policy rule. The reqid can be specified with setkey(8) using unique:id as level. [!] --spi spi Matches the SPI of the SA. [!] --proto {ah|esp|ipcomp} Matches the encapsulation protocol. [!] --mode {tunnel|transport} Matches the encapsulation mode. [!] --tunnel-src addr[/mask] Matches the source end-point address of a tunnel mode SA. Only valid with --mode tunnel. [!] --tunnel-dst addr[/mask] Matches the destination end-point address of a tunnel mode SA. Only valid with --mode tunnel. --next Start the next element in the policy specification. Can only be used with --strict.Může mě prosím někdo posunout?
ip xfrm policy list ip xfrm state list ip route list table 220
nano /etc/rc.local ip link add ipsec0-pobocka1 type xfrm dev ens224 if_id 10 ip link set dev ipsec0-pobocka1 up ip route add 192.168.1.0/24 dev ipsec0-pobocka1 ip route add 192.168.2.0/24 dev ipsec0-pobocka1 ip route add 192.168.3.0/24 dev ipsec0-pobocka1
Ten "if_id 10" je identifikátor iface, který rozpozná i Strongswan. Tzn., že pak ve Strongswanu říkáš, přes který iface se má routovat ipsec provoz konkrétního tunelu:
nano /etc/swanctl/conf.d/pobocky-ikev2.conf ... if_id_in = 10 if_id_out = 10 ...Snad je to takto dostatečné.
ip link add ip_vti0 type xfrm dev ens18 if_id 42 RTNETLINK answers: File exists
ip tunnel add ip_vti0 local 192.168.15.22 remote 10.100.7.100 mode vti key 42
3: ip_vti0@NONE: NOARP mtu 1480 qdisc noop state DOWN group default qlen 1000 link/ipip 0.0.0.0 brd 0.0.0.0
root@ipsec:~# cat /etc/ipsec.conf # ipsec.conf - strongSwan IPsec configuration file config setup charondebug=all uniqueids=yes # strictcrlpolicy=yes # uniqueids = no conn %default ikelifetime=1440m keylife=60m rekeymargin=3m authby=secret conn cisco_asa_spp left=192.168.15.22 leftsubnet=10.110.6.128/25 leftid=192.168.15.22 leftauth=psk leftfirewall=yes right=xx.xx.xx.x rightsubnet=10.100.7.0/24 rightid=xx.xx.xx.x rightauth=psk auto=start esp=aes256-sha256-ecp384! ike=aes256-sha256-ecp384! keyexchange=ikev2 dpddelay=30s dpdtimeout=120s dpdaction=restart keyingtries=%forever close|dpdaction=restart type=tunnel mark=42
root@ipsec:~# ip a 1: lo: LOOPBACK,UP,LOWER_UP mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens18: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether ae:bf:67:72:7b:12 brd ff:ff:ff:ff:ff:ff altname enp0s18 inet 192.168.15.22/24 brd 192.168.15.255 scope global ens18 valid_lft forever preferred_lft forever inet6 fe80::acbf:67ff:fe72:7b12/64 scope link valid_lft forever preferred_lft forever 3: ip_vti0@NONE: NOARP mtu 1480 qdisc noop state DOWN group default qlen 1000 link/ipip 0.0.0.0 brd 0.0.0.0
root@ipsec:~# ip link set ip_vti0 up root@ipsec:~# ip a 1: lo: LOOPBACK,UP,LOWER_UP mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens18: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether ae:bf:67:72:7b:12 brd ff:ff:ff:ff:ff:ff altname enp0s18 inet 192.168.15.22/24 brd 192.168.15.255 scope global ens18 valid_lft forever preferred_lft forever inet6 fe80::acbf:67ff:fe72:7b12/64 scope link valid_lft forever preferred_lft forever 3: ip_vti0@NONE: NOARP,UP,LOWER_UP mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000 link/ipip 0.0.0.0 brd 0.0.0.0
root@ipsec:~# ipsec statusall Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-91-generic, x86_64): uptime: 3 seconds, since Dec 21 12:42:07 2023 malloc: sbrk 2138112, mmap 0, used 1254176, free 883936 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6 loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters Listening IP addresses: 192.168.15.22 Connections: cisco_asa_spp: 192.168.15.22...xxx.xx.xx.x IKEv2, dpddelay=30s cisco_asa_spp: local: [192.168.15.22] uses pre-shared key authentication cisco_asa_spp: remote: [xxx.xx.xx.x] uses pre-shared key authentication cisco_asa_spp: child: 192.168.15.0/24 === 10.100.7.0/24 TUNNEL, dpdaction=restart Security Associations (1 up, 0 connecting): cisco_asa_spp[1]: ESTABLISHED 2 seconds ago, 192.168.15.22[192.168.15.22]...xxx.xx.xx.x[xxx.xx.xx.x] cisco_asa_spp[1]: IKEv2 SPIs: 9d1360962da496ee_i* b785f60b7c2c1101_r, pre-shared key reauthentication in 23 hours cisco_asa_spp[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
ip link add ip_xfrm type xfrm dev ens18 if_id 42 ip link set ip_xfrm up ip route add 10.100.7.0/24 dev ip_xfrm
root@ipsec:~# ip a 1: lo: LOOPBACK,UP,LOWER_UP mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens18: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether ae:bf:67:72:7b:12 brd ff:ff:ff:ff:ff:ff altname enp0s18 inet 192.168.15.22/24 brd 192.168.15.255 scope global ens18 valid_lft forever preferred_lft forever inet6 fe80::acbf:67ff:fe72:7b12/64 scope link valid_lft forever preferred_lft forever 3: ip_xfrm@ens18: NOARP,UP,LOWER_UP mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 link/none inet6 fe80::8f49:cec4:e408:5047/64 scope link stable-privacy valid_lft forever preferred_lft forever
root@ipsec:~# ip route list default via 192.168.15.1 dev ens18 proto static 10.100.7.0/24 dev ip_xfrm scope link 10.110.6.128/25 dev ip_xfrm scope link 192.168.15.0/24 dev ens18 proto kernel scope link src 192.168.15.22
root@ipsec:~# traceroute 10.100.7.131 traceroute to 10.100.7.131 (10.100.7.131), 30 hops max, 60 byte packets 1 ipsec (192.168.15.22) 0.018 ms !H 0.005 ms !H 0.004 ms !H root@ipsec:~# ping 10.100.7.131 PING 10.100.7.131 (10.100.7.131): 56 data bytes 92 bytes from ipsec (192.168.15.22): Destination Host Unreachable 92 bytes from ipsec (192.168.15.22): Destination Host Unreachable ^C--- 10.100.7.131 ping statistics --- 2 packets transmitted, 0 packets received, 100% packet loss root@ipsec:~#
root@ipsec:~# sysctl -w net.ipv4.ip_forward=1 net.ipv4.ip_forward = 1
root@ipsec:~# ip route list default via 192.168.15.1 dev ens18 proto static 10.100.7.0/24 dev ens18 proto kernel scope link src 10.110.6.129 10.110.6.128/25 dev ens18 proto kernel scope link src 10.110.6.129 192.168.15.0/24 dev ens18 proto kernel scope link src 192.168.15.22Po ping na 10.100.7.1 je v statusu stále 0 bytes_i, 0 bytes_o. Když zkoušíme ping z druhé strany na 10.110.6.129 je tam 40 bytes_i, 0 bytes_o. Evidentně je chyba pouze u mě.
Tiskni Sdílej:
ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.