VPN tunnel between OpenSwan and Astaro

Friday, 6 May 2016

Hello

For months I have been struggling to set up a VPN tunnel between a SUSE Linux system running OpenSwan 2.6.46 and an Astaro firewall (V9).
Unfortunately I have no access to the Astaro (company merger, different provider), so I can only describe things from the Linux side.
Basically: between two OpenSwan systems I can establish a VPN tunnel. So my firewall settings should be correct.

I have two concerns:
1) ipsec verify
The test reports some errors, but I can't find any good descriptions of what they are telling me or how to fix them.

Code:

grisu:~ # ipsec verify
Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                          [OK]
Openswan U2.6.46/K3.7.10-1.45-default (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                      [OK]
 NETKEY: Testing XFRM related proc values
        ICMP default/send_redirects                      [OK]
        ICMP default/accept_redirects                    [OK]
        XFRM larval drop                                [OK]
Hardware random device check                              [N/A]
Two or more interfaces found, checking IP forwarding        [OK]
Checking rp_filter                                        [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                    [ENABLED]
Checking that pluto is running                            [OK]
 Pluto listening for IKE on udp 500                      [OK]
 Pluto listening for IKE on tcp 500                      [NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500                [DISABLED]
 Pluto listening for IKE/NAT-T on tcp 4500                [NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)            [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                            [TEST INCOMPLETE]
Checking 'ip' command                                    [OK]
Checking 'iptables' command                              [OK]

ipsec verify: encountered errors

a) What does "Test incomplete" for NAT mean and how can I fix it?
b) "not implemented" ... am I perhaps missing packages?

2) Connection to Astaro
As already said, the VPN tunnel simply won't come up.
Can anyone help me find the cause?

My OpenSwan config:
Code:

# /etc/ipsec.conf - Openswan IPsec configuration file

# basic configuration
config setup
        # interfaces="ipsec0=eth1"
        interfaces=%defaultroute
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # plutodebug=all
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        # nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least up to 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        # protostack=auto
        protostack=netkey
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        plutostderrlog=/var/log/pluto

# Add connections here

include /etc/ipsec.d/*.conf

Code:

# /etc/ipsec.d/krokus.config

conn HBH-Krokus
        type=tunnel
        left=%eth1
        leftid=@grisu.hbh.at
        leftsubnet=192.168.5.0/24
        leftnexthop=%defaultroute
        leftprotoport=udp/1701
        # rsakey AQPrgP4cv
        leftrsasigkey=0sAQPrg....RZ
        right=213.47.173.15
        rightid=@mail.krokus.at
        rightsubnets={ 192.168.0.0/24 192.168.1.0/24 }
        rightprotoport=udp/1701
        rightrsasigkey=0sAQPo....cw==
        authby=rsasig
        # authby=secret
        auto=start
        # pfs=yes
        ## phase 1 ##
        # keyexchange=ike
        # ike=aes128-sha1;modp1024
        # ikelifetime = 130m
        # lifetime = 1h
        ## phase 2 ##
        # phase2=esp
        # esp = aes128;sha1
        # phase2alg=aes128-sha1
        # rekey=yes

I have already experimented with the various parameters. Without success!

Pluto log:
Code:

Plutorun started on Thu May 5 14:03:53 CEST 2016
adjusting ipsec.d to /etc/ipsec.d
Labelled IPsec not enabled; value 32001 ignored.
Starting Pluto (Openswan Version 2.6.46; Vendor ID OSWqwPd@^IAE) pid:22500
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [disabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to off
  port floating activation criteria nat_t=0/port_float=1
  NAT-Traversal support  [disabled]
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=22504 (fd:4)
Using Linux XFRM/NETKEY IPsec interface code on 3.7.10-1.45-default
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
adding connection: "HBH-Krokus/0x1"
adding connection: "HBH-Krokus/0x2"
listening for IKE messages
adding interface vlan9/vlan9 192.168.9.5:500
adding interface vlan7/vlan7 192.168.7.5:500
adding interface vlan5:ast/vlan5:ast 192.168.5.4:500
adding interface vlan5/vlan5 192.168.5.5:500
adding interface eth1/eth1 213.47.7.15:500
adding interface lo/lo 127.0.0.1:500
loading secrets from "/etc/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQO6/QIDl
initiating all conns with alias='HBH-Krokus'
"HBH-Krokus/0x2" #1: initiating Main Mode
packet from 213.47.173.15:500: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
packet from 213.47.173.15:500: received Vendor ID payload [Cisco-Unity]
packet from 213.47.173.15:500: received Vendor ID payload [XAUTH]
packet from 213.47.173.15:500: received Vendor ID payload [Dead Peer Detection]
"HBH-Krokus/0x1" #2: responding to Main Mode
"HBH-Krokus/0x1" #2: policy does not allow OAKLEY_PRESHARED_KEY authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
"HBH-Krokus/0x1" #2: no acceptable Oakley Transform
"HBH-Krokus/0x1" #2: sending notification NO_PROPOSAL_CHOSEN to 213.47.173.15:500
"HBH-Krokus/0x1" #2: deleting state #2 (STATE_MAIN_R0)
packet from 213.47.173.15:500: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
packet from 213.47.173.15:500: received Vendor ID payload [Cisco-Unity]
packet from 213.47.173.15:500: received Vendor ID payload [XAUTH]
packet from 213.47.173.15:500: received Vendor ID payload [Dead Peer Detection]
"HBH-Krokus/0x1" #3: responding to Main Mode
"HBH-Krokus/0x1" #3: policy does not allow OAKLEY_PRESHARED_KEY authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
"HBH-Krokus/0x1" #3: no acceptable Oakley Transform
"HBH-Krokus/0x1" #3: sending notification NO_PROPOSAL_CHOSEN to 213.47.173.15:500
"HBH-Krokus/0x1" #3: deleting state #3 (STATE_MAIN_R0)

The last 9 lines keep repeating.

The active config doesn't look too bad in my opinion.
The link is detected correctly.

Code:

grisu:~ # ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 213.47.7.15
000 interface vlan5/vlan5 192.168.5.5
000 interface vlan5:ast/vlan5:ast 192.168.5.4
000 interface vlan7/vlan7 192.168.7.5
000 interface vlan9/vlan9 192.168.9.5
000 %myid = (none)
000 debug none
000 
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000 
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000 
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000 
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000 
000 "HBH-Krokus/0x1": 192.168.5.0/24===213.47.7.15<%eth1>[@grisu.hbh.at]:17/1701---213.47.7.1...213.47.173.15<213.47.173.15>[@mail.krokus.at]:17/1701===192.168.0.0/24; unrouted; eroute owner: #0
000 "HBH-Krokus/0x1":    myip=unset; hisip=unset;
000 "HBH-Krokus/0x1":  ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "HBH-Krokus/0x1":  policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: eth1; kind=CK_PERMANENT
000 "HBH-Krokus/0x1":  newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0;
000 "HBH-Krokus/0x1":  aliases: HBH-Krokus
000 "HBH-Krokus/0x2": 192.168.5.0/24===213.47.7.15<%eth1>[@grisu.hbh.at]:17/1701---213.47.7.1...213.47.173.15<213.47.173.15>[@mail.krokus.at]:17/1701===192.168.1.0/24; unrouted; eroute owner: #0
000 "HBH-Krokus/0x2":    myip=unset; hisip=unset;
000 "HBH-Krokus/0x2":  ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "HBH-Krokus/0x2":  policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: eth1; kind=CK_PERMANENT
000 "HBH-Krokus/0x2":  newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0;
000 "HBH-Krokus/0x2":  aliases: HBH-Krokus
000 
000 #1: "HBH-Krokus/0x2":500 IKEv1.0 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 28s; nodpd; idle; import:admin initiate
000 #1: pending Phase 2 for "HBH-Krokus/0x1" replacing #0
000 #1: pending Phase 2 for "HBH-Krokus/0x2" replacing #0

Does anyone have an idea?
I would be grateful for any help.

Regards, robi
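As an added example (not part of robi's post or of Openswan), a small Python triage script that scans pluto log lines like the ones above for the Phase 1 failure pattern: the authentication method the peer proposes and local policy rejects, the repeated NO_PROPOSAL_CHOSEN notifications, and the disabled NAT-T. The sample log is a constructed excerpt of the lines quoted in the post; the hint texts are this example's own reading of those messages.

```python
import re

# Constructed sample: an excerpt of the repeating Phase 1 exchange from the post's pluto log.
SAMPLE_LOG = """\
Setting NAT-Traversal port-4500 floating to off
  NAT-Traversal support  [disabled]
"HBH-Krokus/0x2" #1: initiating Main Mode
packet from 213.47.173.15:500: received Vendor ID payload [XAUTH]
"HBH-Krokus/0x1" #2: responding to Main Mode
"HBH-Krokus/0x1" #2: policy does not allow OAKLEY_PRESHARED_KEY authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
"HBH-Krokus/0x1" #2: no acceptable Oakley Transform
"HBH-Krokus/0x1" #2: sending notification NO_PROPOSAL_CHOSEN to 213.47.173.15:500
"HBH-Krokus/0x1" #3: responding to Main Mode
"HBH-Krokus/0x1" #3: policy does not allow OAKLEY_PRESHARED_KEY authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
"HBH-Krokus/0x1" #3: sending notification NO_PROPOSAL_CHOSEN to 213.47.173.15:500
"""

# Pluto prints the auth method the *peer* offered that local policy (here RSASIG) refuses.
POLICY_RE = re.compile(r"policy does not allow (\w+) authentication")
NOTIFY_RE = re.compile(r"sending notification NO_PROPOSAL_CHOSEN to ([\d.]+):(\d+)")
NATT_RE = re.compile(r"NAT-Traversal support\s+\[disabled\]")


def triage_pluto_log(text):
    """Return findings (rejected peer auth methods, failure count, peers, NAT-T state, hints)."""
    findings = {"peer_auth_methods": set(), "no_proposal_chosen": 0,
                "peers": set(), "natt_disabled": False, "hints": []}
    for line in text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            findings["peer_auth_methods"].add(m.group(1))
        m = NOTIFY_RE.search(line)
        if m:
            findings["no_proposal_chosen"] += 1
            findings["peers"].add(m.group(1))
        if NATT_RE.search(line):
            findings["natt_disabled"] = True
    # Turn the raw counts into the checks an operator would act on.
    if "OAKLEY_PRESHARED_KEY" in findings["peer_auth_methods"]:
        findings["hints"].append("peer proposes PSK but local policy is RSASIG: "
                                 "authby= must match on both ends")
    if findings["no_proposal_chosen"] >= 2:
        findings["hints"].append("Phase 1 fails repeatedly; no SA can form until proposals agree")
    if findings["natt_disabled"]:
        findings["hints"].append("NAT-T disabled (nat_traversal=yes is commented out); "
                                 "needed if either side sits behind NAT")
    return findings


if __name__ == "__main__":
    for hint in triage_pluto_log(SAMPLE_LOG)["hints"]:
        print("-", hint)
```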
