problem with ipsec
rpev at seznam.cz
Fri Apr 7 12:23:13 CEST 2006
Hello,
I am dealing with the following problem:
I have an IPsec host-to-net tunnel set up: left...right====rightsubnet
The machine left serves as the IPsec gateway and firewall; NAT is performed there.
Everything works if I ping a computer in rightsubnet from the machine left (the
machines in rightsubnet have public IPs..).
But if I try to ping from a machine behind left (i.e. from the private network,
with masquerading being done on the machine left), the packets do not go through
the IPsec tunnel.
So I need to know how to "force" the packets to use the tunnel..
Thanks in advance for any ideas...
supporting details:
----
kernel 2.6.8, using the native IPsec implementation + openswan 2.2.0
----
ipsec.conf
conn pokus
        authby=secret
        left=xxx.xxx.xxx.xxx
        right=yyy.yyy.yyy.yyy
        rightsubnet=zzz.zzz.zzz.zzz/24
        ikelifetime=120m
        keylife=3600s
        pfs=no
        keyingtries=0
        disablearrivalcheck=yes
        auth=esp
        esp=3des-sha1
        rekey=yes
        compress=no
        auto=start
----
firewall rule on the machine left:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to xxx.xxx.xxx.xxx
----
tcpdump
ping to a machine in the rightsubnet network - zzz.zzz.zzz.zzz
1) ping directly from left - everything OK
#ping zzz.zzz.zzz.zzz
64 bytes from zzz.zzz.zzz.zzz: icmp_seq=1 ttl=254 time=15.1 ms
# tcpdump -i eth1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:55:17.621575 IP xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy: ESP(spi=0x618b2837,seq=0x1f)
13:55:17.628497 IP yyy.yyy.yyy.yyy > xxx.xxx.xxx.xxx: ESP(spi=0xd688505a,seq=0x1f)
13:55:17.628497 IP zzz.zzz.zzz.zzz > xxx.xxx.xxx.xxx: icmp 64: echo reply seq 1
13:55:18.621786 IP xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy: ESP(spi=0x618b2837,seq=0x20)
13:55:18.627393 IP yyy.yyy.yyy.yyy > xxx.xxx.xxx.xxx: ESP(spi=0xd688505a,seq=0x20)
13:55:18.627393 IP zzz.zzz.zzz.zzz > xxx.xxx.xxx.xxx: icmp 64: echo reply seq 2
2) ping from a computer behind left - the packets do not go through the tunnel
#ping zzz.zzz.zzz.zzz
From aaa.aaa.aaa.aaa icmp_seq=1 Packet filtered
From aaa.aaa.aaa.aaa icmp_seq=2 Packet filtered
aaa.aaa.aaa.aaa - some IP unrelated to the tunnel
# tcpdump -i eth1 -n
13:56:45.989568 IP xxx.xxx.xxx.xxx > zzz.zzz.zzz.zzz: icmp 64: echo request seq 1
13:56:46.026350 IP aaa.aaa.aaa.aaa > xxx.xxx.xxx.xxx: icmp 36: host zzz.zzz.zzz.zzz unreachable - admin prohibited filter
13:56:46.994649 IP xxx.xxx.xxx.xxx > zzz.zzz.zzz.zzz: icmp 64: echo request seq 2
13:56:47.000502 IP aaa.aaa.aaa.aaa > xxx.xxx.xxx.xxx: icmp 36: host zzz.zzz.zzz.zzz unreachable - admin prohibited filter
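As an added example (not part of the original post), here is a small Python check that applies the same reasoning to tcpdump -n output from the outer interface: packets the gateway sends for rightsubnet should appear as ESP to the peer, and any cleartext packet addressed into rightsubnet means traffic bypassed the tunnel, which is exactly the symptom of case 2. The addresses and capture lines are constructed RFC 5737 stand-ins for the xxx/yyy/zzz/aaa placeholders above.

```python
import ipaddress
import re

# Constructed stand-ins for the placeholders in the post (RFC 5737 doc ranges).
GATEWAY = "203.0.113.10"      # left (outer address of the IPsec gateway)
PEER = "198.51.100.20"        # right
RIGHTSUBNET = "192.0.2.0/24"  # rightsubnet

# Constructed lines modeled on case 1 (ping from left itself): ESP to the peer.
CAPTURE_OK = """\
13:55:17.621575 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x618b2837,seq=0x1f)
13:55:17.628497 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0xd688505a,seq=0x1f)
13:55:17.628497 IP 192.0.2.5 > 203.0.113.10: icmp 64: echo reply seq 1
"""
# Constructed lines modeled on case 2: cleartext ICMP, rejected by an unrelated router.
CAPTURE_LEAK = """\
13:56:45.989568 IP 203.0.113.10 > 192.0.2.5: icmp 64: echo request seq 1
13:56:46.026350 IP 198.51.100.1 > 203.0.113.10: icmp 36: host 192.0.2.5 unreachable - admin prohibited filter
13:56:46.994649 IP 203.0.113.10 > 192.0.2.5: icmp 64: echo request seq 2
"""

# One-line "tcpdump -n" summaries look like "<time> IP <src> > <dst>: <rest>".
_LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

def parse_capture(text):
    """Yield (timestamp, src, dst, rest) for each matching line; skip noise."""
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("src"), m.group("dst"), m.group("rest")

def audit_tunnel(text, gateway, peer, rightsubnet):
    """Return {"esp_out": ESP packets the gateway sent to the peer,
    "leaked": [(ts, dst, rest)] for cleartext packets it sent into rightsubnet}."""
    net = ipaddress.ip_network(rightsubnet)
    esp_out, leaked = 0, []
    for ts, src, dst, rest in parse_capture(text):
        if src != gateway:
            continue  # inbound; the decrypted reply showing up here is expected
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            continue  # "host.port" form (UDP/TCP lines such as IKE on port 500)
        if dst == peer and rest.startswith("ESP("):
            esp_out += 1
        elif addr in net:
            # Addressed to the protected subnet but not ESP-encapsulated: it left in the clear.
            leaked.append((ts, dst, rest))
    return {"esp_out": esp_out, "leaked": leaked}
```

Running audit_tunnel over a real capture of the outer interface gives a quick yes/no on whether a given flow is actually being protected, independent of what the policy is supposed to say.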
More information about the Linux mailing list