Problem with IPsec

rpev at seznam.cz
Fri Apr 7 12:23:13 CEST 2006


Hello,
I am trying to solve the following problem:
I have a host-to-net IPsec tunnel up and running: left...right====rightsubnet
The machine left acts as the IPsec gateway and firewall, and it does NAT.
Everything works if I ping a computer in rightsubnet from the machine left (the machines in rightsubnet have public IPs).
But if I try to ping from a machine behind left (i.e. from the private network, with left doing the masquerading), the packets do not go through the IPsec tunnel.
So I need to know how to "force" the packets to use the tunnel..
Thanks in advance for any ideas...


Supporting data:
----
kernel 2.6.8, the native IPsec implementation is used + openswan 2.2.0
----
ipsec.conf

  conn pokus
        authby=secret
        left=xxx.xxx.xxx.xxx
        right=yyy.yyy.yyy.yyy
        rightsubnet=zzz.zzz.zzz.zzz/24
        ikelifetime=120m
        keylife=3600s
        pfs=no
        keyingtries=0
        disablearrivalcheck=yes
        auth=esp
        esp=3des-sha1
        rekey=yes
        compress=no
        auto=start
----
firewall rule on the machine left:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to xxx.xxx.xxx.xxx
----
tcpdump

ping to a machine in the rightsubnet network - zzz.zzz.zzz.zzz

1) ping directly from left - all OK
#ping zzz.zzz.zzz.zzz
64 bytes from zzz.zzz.zzz.zzz: icmp_seq=1 ttl=254 time=15.1 ms

# tcpdump -i eth1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:55:17.621575 IP xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy: ESP(spi=0x618b2837,seq=0x1f)
13:55:17.628497 IP yyy.yyy.yyy.yyy > xxx.xxx.xxx.xxx: ESP(spi=0xd688505a,seq=0x1f)
13:55:17.628497 IP zzz.zzz.zzz.zzz > xxx.xxx.xxx.xxx: icmp 64: echo reply seq 1
13:55:18.621786 IP xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy: ESP(spi=0x618b2837,seq=0x20)
13:55:18.627393 IP yyy.yyy.yyy.yyy > xxx.xxx.xxx.xxx: ESP(spi=0xd688505a,seq=0x20)
13:55:18.627393 IP zzz.zzz.zzz.zzz > xxx.xxx.xxx.xxx: icmp 64: echo reply seq 2


2) ping from a computer behind left - the packets do not go through the tunnel
#ping zzz.zzz.zzz.zzz
From aaa.aaa.aaa.aaa icmp_seq=1 Packet filtered
From aaa.aaa.aaa.aaa icmp_seq=2 Packet filtered

aaa.aaa.aaa.aaa - some IP unrelated to the tunnel

# tcpdump -i eth1 -n

13:56:45.989568 IP xxx.xxx.xxx.xxx > zzz.zzz.zzz.zzz: icmp 64: echo request seq 1
13:56:46.026350 IP aaa.aaa.aaa.aaa > xxx.xxx.xxx.xxx: icmp 36: host zzz.zzz.zzz.zzz unreachable - admin prohibited filter
13:56:46.994649 IP xxx.xxx.xxx.xxx > zzz.zzz.zzz.zzz: icmp 64: echo request seq 2
13:56:47.000502 IP aaa.aaa.aaa.aaa > xxx.xxx.xxx.xxx: icmp 36: host zzz.zzz.zzz.zzz unreachable - admin prohibited filter
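The second capture above shows the echo request leaving eth1 as plain ICMP addressed to zzz.zzz.zzz.zzz, whereas tunnelled traffic only ever appears on that interface as ESP addressed to the peer yyy.yyy.yyy.yyy. The shell script below is an added example, not part of the original post: it scans `tcpdump -n` text output from the gateway's external interface and reports outbound packets into the remote subnet that are not ESP, i.e. traffic that bypassed the tunnel. The sample capture lines, the zzz.zzz.zzz. prefix and the script name are constructed from the post's placeholders.

```shell
#!/bin/sh
# Added example: audit tcpdump -n output from the IPsec gateway's external
# interface for packets into the remote subnet that left without ESP.
# Placeholder addresses follow the post: xxx.xxx.xxx.xxx is left,
# yyy.yyy.yyy.yyy is right, zzz.zzz.zzz.* is rightsubnet.

# Constructed sample, one packet per line, modelled on the two captures in
# the post (real tcpdump output wraps long lines; rejoin them first).
SAMPLE_CAPTURE='13:55:17.621575 IP xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy: ESP(spi=0x618b2837,seq=0x1f)
13:55:17.628497 IP yyy.yyy.yyy.yyy > xxx.xxx.xxx.xxx: ESP(spi=0xd688505a,seq=0x1f)
13:55:17.628497 IP zzz.zzz.zzz.zzz > xxx.xxx.xxx.xxx: icmp 64: echo reply seq 1
13:56:45.989568 IP xxx.xxx.xxx.xxx > zzz.zzz.zzz.zzz: icmp 64: echo request seq 1
13:56:46.026350 IP aaa.aaa.aaa.aaa > xxx.xxx.xxx.xxx: icmp 36: host zzz.zzz.zzz.zzz unreachable - admin prohibited filter
13:56:46.994649 IP xxx.xxx.xxx.xxx > zzz.zzz.zzz.zzz: icmp 64: echo request seq 2'

# find_cleartext_leaks PREFIX   (capture text on stdin)
# Prints each packet whose destination starts with PREFIX and whose payload
# is not ESP. Correctly tunnelled traffic shows up on the external interface
# only as ESP to the peer gateway, so any plain packet addressed into the
# remote subnet bypassed the IPsec policy. Inbound cleartext from the subnet
# (the decrypted echo reply) is expected and is not flagged.
find_cleartext_leaks() {
    awk -v pfx="$1" '
        $2 == "IP" {
            dst = $5
            sub(/:$/, "", dst)              # "zzz.zzz.zzz.zzz:" -> address
            if (index(dst, pfx) == 1 && $6 !~ /^ESP/)
                print
        }'
}

# count_cleartext_leaks PREFIX   (capture text on stdin) -> number of leaks
count_cleartext_leaks() {
    find_cleartext_leaks "$1" | wc -l | tr -d ' '
}

# --demo checks the constructed sample; a prefix argument reads a live or
# saved capture, e.g.  tcpdump -i eth1 -n -l | sh leakcheck.sh zzz.zzz.zzz.
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_CAPTURE" | find_cleartext_leaks "zzz.zzz.zzz." ;;
    "")     ;;                              # no arguments: define functions only
    *)      find_cleartext_leaks "$1" ;;
esac
```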

More information about the Linux mailing list