IPsec behind a router | Tunnel is up but no traffic

Friday, 25 September 2015

Hello forum,

after a long absence from the forum I have a problem again.

I would like to connect two Raspberry Pis via IPsec. The setup is as follows:

Code:

--------------------      ----------------------      ------------      ----------------------      ---------------------
| Raspberry A      |  =>  | Fritzbox 7330      |  =>  | Internet |  =>  | SonicWall tz170    |  =>  | Raspberry B       |
| LAN: 192.168.0.9 |      | LAN: 192.168.0.1   |      ------------      | LAN: 192.168.2.254 |      | LAN: 192.168.2.70 |
--------------------      | WAN: 151.19.172.16 |                        | WAN: 86.17.23.53   |      ---------------------
                          ----------------------                        ----------------------

Ports 500 UDP and 4500 UDP and the ESP protocol are set up for forwarding on the routers.

Then the racoon / IPsec configuration:

Raspberry A

/etc/ipsec-tools.conf
Code:

spdadd 192.168.0.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/192.168.0.9-86.17.23.53/require;
spdadd 192.168.2.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/86.17.23.53-192.168.0.9/require;

/etc/racoon/racoon.conf
Code:

log info;
path pre_shared_key "/etc/racoon/psk.txt";

listen {
        isakmp 192.168.0.9 [500];
        isakmp_natt 192.168.0.9 [4500];
}

padding {
        maximum_length 20; # maximum padding length.
        randomize off; # enable randomize length.
        strict_check off; # enable strict check.
        exclusive_tail off; # extract last one octet.
}

remote anonymous {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        generate_policy off;
        my_identifier address 151.19.172.16;
}

sainfo anonymous {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

/etc/racoon/psk.txt
Code:

86.17.23.53 <irgendetwas_super_geheimes>

Raspberry B

/etc/ipsec-tools.conf
Code:

spdadd 192.168.2.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/192.168.2.70-151.19.172.16/require;
spdadd 192.168.0.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/151.19.172.16-192.168.2.70/require;

/etc/racoon/racoon.conf
Code:

log info;
path pre_shared_key "/etc/racoon/psk.txt";

listen {
        isakmp 192.168.2.70 [500];
        isakmp_natt 192.168.2.70 [4500];
}

padding {
        maximum_length 20; # maximum padding length.
        randomize off; # enable randomize length.
        strict_check off; # enable strict check.
        exclusive_tail off; # extract last one octet.
}

remote anonymous {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        generate_policy off;
        my_identifier address 86.17.23.53;
        verify_identifier off;
}

sainfo anonymous {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

/etc/racoon/psk.txt
Code:

151.19.172.16 <irgendetwas_super_geheimes>

As far as I can tell, the tunnel is established:

Raspberry A

/var/log/syslog
Code:

INFO: ISAKMP-SA established 192.168.0.9[500]-86.17.23.53[500] spi:0d1cbdbae1ddf3cc:dee264f519436cc3
[86.17.23.53] INFO: received INITIAL-CONTACT
INFO: initiate new phase 2  negotiation: 192.168.0.9[500]<=>86.17.23.53[500]
INFO: IPsec-SA established: ESP/Tunnel 192.168.0.9[500]->86.17.23.53[500] spi=110913255(0x69c66e7)
INFO: IPsec-SA established: ESP/Tunnel 192.168.0.9[500]->86.17.23.53[500] spi=99622605(0x5f01ecd)

racoonctl show-sa esp
Code:

192.168.0.9 86.17.23.53
        esp mode=tunnel spi=99622605(0x05f01ecd) reqid=0(0x00000000)
        E: 3des-cbc  9edbd2a9 7bbba30e be024f8f b892727d ae997e3b 9dbc5cb3
        A: hmac-sha1  aa0ca7e3 a17404ae a82efa7a cbe22d67 7f372e4b
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Sep 25 12:44:57 2015  current: Sep 25 13:44:30 2015
        diff: 3573(s)  hard: 28800(s)  soft: 23040(s)
        last: Sep 25 12:44:58 2015      hard: 0(s)      soft: 0(s)
        current: 3864(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 46  hard: 0 soft: 0
        sadb_seq=1 pid=27320 refcnt=0
86.17.23.53 192.168.0.9
        esp mode=tunnel spi=110913255(0x069c66e7) reqid=0(0x00000000)
        E: 3des-cbc  590ad32a beb28766 1ee7bb09 a40f4767 a94e714f 85be3ec3
        A: hmac-sha1  388ec394 66f834f5 8fce49e3 5870247b 50466761
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Sep 25 12:44:57 2015  current: Sep 25 13:44:30 2015
        diff: 3573(s)  hard: 28800(s)  soft: 23040(s)
        last:                          hard: 0(s)      soft: 0(s)
        current: 0(bytes)      hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=27320 refcnt=0

Raspberry B

/var/log/syslog
Code:

INFO: ISAKMP-SA established 192.168.2.70[500]-151.19.172.16[500] spi:0d1cbdbae1ddf3cc:dee264f519436cc3
[151.19.172.16] INFO: received INITIAL-CONTACT
INFO: respond new phase 2 negotiation: 192.168.2.70[500]<=>151.19.172.16[500]
INFO: IPsec-SA established: ESP/Tunnel 192.168.2.70[500]->151.19.172.16[500] spi=99622605(0x5f01ecd)
INFO: IPsec-SA established: ESP/Tunnel 192.168.2.70[500]->151.19.172.16[500] spi=110913255(0x69c66e7)

racoonctl show-sa esp
Code:

192.168.2.70 151.19.172.16
        esp mode=tunnel spi=110913255(0x069c66e7) reqid=0(0x00000000)
        E: 3des-cbc  590ad32a beb28766 1ee7bb09 a40f4767 a94e714f 85be3ec3
        A: hmac-sha1  388ec394 66f834f5 8fce49e3 5870247b 50466761
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Sep 25 12:44:57 2015  current: Sep 25 13:48:52 2015
        diff: 3835(s)  hard: 28800(s)  soft: 23040(s)
        last:                          hard: 0(s)      soft: 0(s)
        current: 0(bytes)      hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=11292 refcnt=0
151.19.172.16 192.168.2.70
        esp mode=tunnel spi=99622605(0x05f01ecd) reqid=0(0x00000000)
        E: 3des-cbc  9edbd2a9 7bbba30e be024f8f b892727d ae997e3b 9dbc5cb3
        A: hmac-sha1  aa0ca7e3 a17404ae a82efa7a cbe22d67 7f372e4b
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Sep 25 12:44:57 2015  current: Sep 25 13:48:52 2015
        diff: 3835(s)  hard: 28800(s)  soft: 23040(s)
        last: Sep 25 12:44:58 2015      hard: 0(s)      soft: 0(s)
        current: 3864(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 46  hard: 0 soft: 0
        sadb_seq=0 pid=11292 refcnt=0

Unfortunately I cannot ping the other side. When I try to ping Raspberry B from Raspberry A, I get 100% packet loss.
With tcpdump on Raspberry B I do see the incoming packets, but not the reply.

tcpdump -v icmp -n
Code:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:51:09.376843 IP (tos 0x0, ttl 64, id 59516, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.9 > 192.168.2.9: ICMP echo request, id 27951, seq 1, length 64
13:51:10.372682 IP (tos 0x0, ttl 64, id 59551, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.9 > 192.168.2.9: ICMP echo request, id 27951, seq 2, length 64
13:51:11.374399 IP (tos 0x0, ttl 64, id 59638, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.9 > 192.168.2.9: ICMP echo request, id 27951, seq 3, length 64
13:51:12.372166 IP (tos 0x0, ttl 64, id 59700, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.9 > 192.168.2.9: ICMP echo request, id 27951, seq 4, length 64

I am at my wits' end and hope you can help me.

Many thanks
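The following script is an added example and is not part of the post or of racoon/ipsec-tools. It parses the two `spdadd` policy sets and the tcpdump ICMP lines quoted above and runs the checks a reviewer would do first when `racoonctl show-sa esp` shows mature SAs but pings get no reply: whether every `out` policy on one gateway is mirrored by an `in` policy on the other with the NAT-translated tunnel endpoints, whether each captured echo request is covered by an `in` policy on the receiving gateway, and whether the pinged address is the gateway itself or another host behind it (in the capture above the requests go to 192.168.2.9, while Raspberry B's own address is 192.168.2.70, so the reply depends on how 192.168.2.9 routes back to 192.168.2.70). The `HOSTS` table, the function names `check_policies` and `analyse_capture`, and the selection of two capture lines are my own assumptions; the addresses and policies are copied from the post.

```python
"""Cross-checks for a pair of racoon/setkey tunnel policies and a tcpdump capture.

Added example, not part of the forum post. Addresses are copied from the post;
the HOSTS table is constructed from the post's diagram.
"""
import ipaddress
import re

# spdadd <src> <dst> <upper> -P <dir> ipsec esp/tunnel/<ep1>-<ep2>/<level>;
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([\d.]+)-([\d.]+)/(\w+)\s*;"
)
# "    192.168.0.9 > 192.168.2.9: ICMP echo request, id 27951, seq 1, length 64"
ICMP_RE = re.compile(r"([\d.]+) > ([\d.]+): ICMP echo (request|reply)")

# Constructed from the post's diagram: each gateway's LAN address and the
# public (WAN) address its router translates it to.
HOSTS = {
    "A": {"lan": ipaddress.ip_address("192.168.0.9"),
          "wan": ipaddress.ip_address("151.19.172.16")},
    "B": {"lan": ipaddress.ip_address("192.168.2.70"),
          "wan": ipaddress.ip_address("86.17.23.53")},
}

# /etc/ipsec-tools.conf of both hosts, as quoted in the post.
SPD_A = """
spdadd 192.168.0.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/192.168.0.9-86.17.23.53/require;
spdadd 192.168.2.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/86.17.23.53-192.168.0.9/require;
"""
SPD_B = """
spdadd 192.168.2.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/192.168.2.70-151.19.172.16/require;
spdadd 192.168.0.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/151.19.172.16-192.168.2.70/require;
"""

# tcpdump output on Raspberry B as quoted in the post (first two of the four lines).
CAPTURE_B = """
13:51:09.376843 IP (tos 0x0, ttl 64, id 59516, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.9 > 192.168.2.9: ICMP echo request, id 27951, seq 1, length 64
13:51:10.372682 IP (tos 0x0, ttl 64, id 59551, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.0.9 > 192.168.2.9: ICMP echo request, id 27951, seq 2, length 64
"""


def parse_spd(text):
    """One dict per spdadd line: selector subnets, direction, tunnel endpoints."""
    policies = []
    for src, dst, direction, ep1, ep2, level in SPD_RE.findall(text):
        policies.append({
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "dir": direction, "ep1": ipaddress.ip_address(ep1),
            "ep2": ipaddress.ip_address(ep2), "level": level,
        })
    return policies


def check_policies(spd_a, spd_b):
    """Every 'out' policy on one gateway needs a matching 'in' policy on the other.

    Behind NAT the tunnel endpoints differ per side: a gateway encrypts towards the
    peer's WAN address, while the peer sees the tunnel packet arrive from the first
    gateway's WAN address at its own LAN address. Returns a list of problems.
    """
    problems = []
    for me, mine, peer, theirs in (("A", spd_a, "B", spd_b), ("B", spd_b, "A", spd_a)):
        for p in mine:
            if p["dir"] != "out":
                continue
            if p["ep1"] != HOSTS[me]["lan"]:
                problems.append(f"{me}: out tunnel source {p['ep1']} is not {me}'s LAN address")
            if p["ep2"] != HOSTS[peer]["wan"]:
                problems.append(f"{me}: out tunnel destination {p['ep2']} is not {peer}'s WAN address")
            mirror = [q for q in theirs if q["dir"] == "in"
                      and q["src"] == p["src"] and q["dst"] == p["dst"]
                      and q["ep1"] == HOSTS[me]["wan"] and q["ep2"] == HOSTS[peer]["lan"]]
            if not mirror:
                problems.append(f"{peer}: no 'in' policy mirroring {me}'s {p['src']} -> {p['dst']}")
    return problems


def analyse_capture(text, host, spd):
    """Summarise ICMP seen on `host`: 'in' policy coverage of each request, and
    whether the pinged address is the gateway itself or a host behind it."""
    requests, replies, notes = 0, 0, []
    for src, dst, kind in ICMP_RE.findall(text):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if kind == "reply":
            replies += 1
            continue
        requests += 1
        covered = any(p["dir"] == "in" and src in p["src"] and dst in p["dst"] for p in spd)
        if not covered:
            notes.append(f"{src} -> {dst} matches no 'in' policy on {host}")
        elif dst != HOSTS[host]["lan"]:
            notes.append(f"{dst} is not {host} itself ({HOSTS[host]['lan']}); the reply "
                         f"must be routed from {dst} back through {HOSTS[host]['lan']}")
    return {"requests": requests, "replies": replies, "notes": sorted(set(notes))}


if __name__ == "__main__":
    for line in check_policies(parse_spd(SPD_A), parse_spd(SPD_B)) or ["policies are consistent"]:
        print(line)
    print(analyse_capture(CAPTURE_B, "B", parse_spd(SPD_B)))
```

Run as-is, the policy check reports the two `ipsec-tools.conf` files as consistent with each other, and the capture analysis reports two echo requests, no replies, and the note that 192.168.2.9 is not the gateway, which points the investigation at the target host and its return route rather than at the SAs.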

