IPSec / NAT 1:1

Jan Rezab honza at rezab.eu
Sunday December 9 21:58:29 CET 2007


Hello.

I have a problem with IPSec.

The situation is as follows:

192.168.5.0/24 <-> firewall A (IPSec GW) <-> ADSL router <-> internet <-> firewall B <-> 192.168.2.0/24


The log below shows that IPSec comes up fine. From network 192.168.5.0 to network 192.168.2.0 it works well (ping and telnet). But in the opposite direction
I can't get through with either ping or telnet. I have no idea why. iptables is not the problem, because even when I turn iptables off it behaves the same.
Could you point me in the right direction? I should mention up front that I spent the whole weekend talking to Google.

Thanks in advance.



Firewall A serves as firewall, NAT and IPSec GW. Eth0 = 192.168.1.10.

The ADSL router provides the internet connection. It is configured with 1:1 NAT and its firewall is turned off. WAN = XXX.XXX.XXX.XXX is NATed one-to-one to
192.168.1.10.

Firewall B serves as firewall, NAT and IPSec GW. Eth0 = YYY.YYY.YYY.YYY

Firewall A configuration:
------------------------------------------------------------------------
#!/usr/sbin/setkey -f
flush;
spdflush;


spdadd 192.168.2.0/24           192.168.5.0/24          any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-192.168.1.10/require;
spdadd 192.168.2.0/24           192.168.1.10/32         any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-192.168.1.10/require;
spdadd YYY.YYY.YYY.YYY/32       192.168.1.10/32         any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-192.168.1.10/require;
spdadd YYY.YYY.YYY.YYY/32       192.168.5.0/24          any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-192.168.1.10/require;

spdadd 192.168.5.0/24           192.168.2.0/24          any -P out ipsec esp/tunnel/192.168.1.10-YYY.YYY.YYY.YYY/require;
spdadd 192.168.5.0/24           YYY.YYY.YYY.YYY/32      any -P out ipsec esp/tunnel/192.168.1.10-YYY.YYY.YYY.YYY/require;
spdadd 192.168.1.10/32          YYY.YYY.YYY.YYY/32      any -P out ipsec esp/tunnel/192.168.1.10-YYY.YYY.YYY.YYY/require;
spdadd 192.168.1.10/32          192.168.2.0/24          any -P out ipsec esp/tunnel/192.168.1.10-YYY.YYY.YYY.YYY/require;
------------------------------------------------------------------------
#/etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
log notify;

listen {
        isakmp 192.168.1.10;
        strict_address;
}

remote YYY.YYY.YYY.YYY {
        exchange_mode main;
        send_cr off;
        send_cert off;
        proposal {
                encryption_algorithm blowfish;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 192.168.5.0/24 any address 192.168.2.0/24 any
{
        pfs_group 2;
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

sainfo address 192.168.1.10/32 any address 192.168.2.0/24 any
{
        pfs_group 2;
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

sainfo address 192.168.1.10/32 any address YYY.YYY.YYY.YYY any
{
        pfs_group 2;
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

sainfo address 192.168.5.0/24 any address YYY.YYY.YYY.YYY/32 any
{
        pfs_group 2;
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
------------------------------------------------------------------------


Firewall B configuration:
------------------------------------------------------------------------
flush;
spdflush;

spdadd 192.168.2.0/24           192.168.5.0/24          any -P out ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;
spdadd 192.168.2.0/24           XXX.XXX.XXX.XXX/32      any -P out ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;
spdadd YYY.YYY.YYY.YYY/32       XXX.XXX.XXX.XXX/32      any -P out ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;
spdadd YYY.YYY.YYY.YYY/32       192.168.5.0/24          any -P out ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;

spdadd 192.168.5.0/24           192.168.2.0/24          any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
spdadd 192.168.5.0/24           YYY.YYY.YYY.YYY/32      any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
spdadd XXX.XXX.XXX.XXX/32       YYY.YYY.YYY.YYY/32      any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
spdadd XXX.XXX.XXX.XXX/32       192.168.2.0/24          any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
------------------------------------------------------------------------
#/etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
log notify;

listen {
        isakmp YYY.YYY.YYY.YYY;
        strict_address;
}


remote XXX.XXX.XXX.XXX {
        exchange_mode main;
        send_cr off;
        send_cert off;
        proposal {
                encryption_algorithm blowfish;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 192.168.2.0/24 any address 192.168.5.0/24 any
{
        pfs_group 2;
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

sainfo address YYY.YYY.YYY.YYY/24 any address 192.168.5.0/24 any
{
        pfs_group 2;
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

sainfo address YYY.YYY.YYY.YYY/24 any address XXX.XXX.XXX.XXX/32 any
{
        pfs_group 2;
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

sainfo address 192.168.2.0/24 any address XXX.XXX.XXX.XXX/32 any
{
        pfs_group 2;
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
------------------------------------------------------------------------


Log excerpt (firewall A):
Dec  9 20:02:26 Firewall A racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Dec  9 20:02:38 Firewall A racoon: INFO: respond new phase 1 negotiation: 192.168.1.10[500]<=>YYY.YYY.YYY.YYY[500]
Dec  9 20:02:38 Firewall A racoon: INFO: begin Identity Protection mode.
Dec  9 20:02:38 Firewall A racoon: INFO: received Vendor ID: DPD
Dec  9 20:02:38 Firewall A racoon: INFO: ISAKMP-SA established 192.168.1.10[500]-YYY.YYY.YYY.YYY[500] spi:2ac7c217b0990d29:9135535761c9c63d
Dec  9 20:02:39 Firewall A racoon: INFO: initiate new phase 2 negotiation: 192.168.1.10[500]<=>YYY.YYY.YYY.YYY[500]
Dec  9 20:02:39 Firewall A racoon: INFO: respond new phase 2 negotiation: 192.168.1.10[500]<=>YYY.YYY.YYY.YYY[500]
Dec  9 20:02:40 Firewall A racoon: INFO: IPsec-SA established: ESP/Tunnel YYY.YYY.YYY.YYY[0]->192.168.1.10[0] spi=251162039(0xef86db7)
Dec  9 20:02:40 Firewall A racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.10[0]->YYY.YYY.YYY.YYY[0] spi=217528202(0xcf7378a)
Dec  9 20:02:40 Firewall A racoon: INFO: IPsec-SA established: ESP/Tunnel YYY.YYY.YYY.YYY[0]->192.168.1.10[0] spi=236517284(0xe18f7a4)
Dec  9 20:02:40 Firewall A racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.10[0]->YYY.YYY.YYY.YYY[0] spi=216996803(0xcef1bc3)
Dec  9 20:02:43 Firewall A racoon: INFO: received Vendor ID: DPD
Dec  9 20:02:43 Firewall A racoon: INFO: ISAKMP-SA established 192.168.1.10[500]-YYY.YYY.YYY.YYY[500] spi:c913c7ca21e16755:b386ad01c9aa5926


Log excerpt (firewall B):
Dec  9 20:02:34 Firewall B racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Dec  9 20:02:34 Firewall B racoon: INFO: @(#)This product linked OpenSSL 0.9.8c 05 Sep 2006 (http://www.openssl.org/)
Dec  9 20:02:35 Firewall B racoon: INFO: YYY.YYY.YYY.YYY[500] used as isakmp port (fd=7)
Dec  9 20:02:35 Firewall B racoon: INFO: YYY.YYY.YYY.YYY[500] used for NAT-T
Dec  9 20:02:35 Firewall B racoon: INFO: IPsec-SA request for XXX.XXX.XXX.XXX queued due to no phase1 found.
Dec  9 20:02:35 Firewall B racoon: INFO: initiate new phase 1 negotiation: YYY.YYY.YYY.YYY[500]<=>XXX.XXX.XXX.XXX[500]
Dec  9 20:02:35 Firewall B racoon: INFO: begin Identity Protection mode.
Dec  9 20:02:36 Firewall B racoon: INFO: received Vendor ID: DPD
Dec  9 20:02:36 Firewall B racoon: INFO: ISAKMP-SA established YYY.YYY.YYY.YYY[500]-XXX.XXX.XXX.XXX[500] spi:2ac7c217b0990d29:9135535761c9c6
Dec  9 20:02:37 Firewall B racoon: INFO: initiate new phase 2 negotiation: YYY.YYY.YYY.YYY[500]<=>XXX.XXX.XXX.XXX[500]
Dec  9 20:02:37 Firewall B racoon: INFO: respond new phase 2 negotiation: YYY.YYY.YYY.YYY[500]<=>XXX.XXX.XXX.XXX[500]
Dec  9 20:02:37 Firewall B racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->YYY.YYY.YYY.YYY[0] spi=216996803(0xcef1bc3)
Dec  9 20:02:37 Firewall B racoon: INFO: IPsec-SA established: ESP/Tunnel YYY.YYY.YYY.YYY[0]->XXX.XXX.XXX.XXX[0] spi=236517284(0xe18f7a4)
Dec  9 20:02:37 Firewall B racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->YYY.YYY.YYY.YYY[0] spi=217528202(0xcf7378a)
Dec  9 20:02:37 Firewall B racoon: INFO: IPsec-SA established: ESP/Tunnel YYY.YYY.YYY.YYY[0]->XXX.XXX.XXX.XXX[0] spi=251162039(0xef86db7)
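As an added example (not part of the original post), a small Python check of whether the two posted SPDs mirror each other once the ADSL router's 1:1 NAT is taken into account: firewall A's policies name its private address 192.168.1.10 while firewall B's name the public XXX.XXX.XXX.XXX, so A's rules are rewritten through the NAT map before each "out" rule is paired with the other side's "in" rule. The SPD lines are copied from the post with the XXX/YYY placeholders kept; the function names and the NAT_1TO1 map are assumptions.

```python
import re
# Constructed input: the two SPDs from the post, XXX/YYY placeholders kept as-is.
SPD_A = """
spdadd 192.168.2.0/24 192.168.5.0/24 any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-192.168.1.10/require;
spdadd 192.168.2.0/24 192.168.1.10/32 any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-192.168.1.10/require;
spdadd YYY.YYY.YYY.YYY/32 192.168.1.10/32 any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-192.168.1.10/require;
spdadd YYY.YYY.YYY.YYY/32 192.168.5.0/24 any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-192.168.1.10/require;
spdadd 192.168.5.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/192.168.1.10-YYY.YYY.YYY.YYY/require;
spdadd 192.168.5.0/24 YYY.YYY.YYY.YYY/32 any -P out ipsec esp/tunnel/192.168.1.10-YYY.YYY.YYY.YYY/require;
spdadd 192.168.1.10/32 YYY.YYY.YYY.YYY/32 any -P out ipsec esp/tunnel/192.168.1.10-YYY.YYY.YYY.YYY/require;
spdadd 192.168.1.10/32 192.168.2.0/24 any -P out ipsec esp/tunnel/192.168.1.10-YYY.YYY.YYY.YYY/require;
"""
SPD_B = """
spdadd 192.168.2.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;
spdadd 192.168.2.0/24 XXX.XXX.XXX.XXX/32 any -P out ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;
spdadd YYY.YYY.YYY.YYY/32 XXX.XXX.XXX.XXX/32 any -P out ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;
spdadd YYY.YYY.YYY.YYY/32 192.168.5.0/24 any -P out ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;
spdadd 192.168.5.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
spdadd 192.168.5.0/24 YYY.YYY.YYY.YYY/32 any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
spdadd XXX.XXX.XXX.XXX/32 YYY.YYY.YYY.YYY/32 any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
spdadd XXX.XXX.XXX.XXX/32 192.168.2.0/24 any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
"""
# Assumed name: the ADSL router's 1:1 NAT, private address -> public address.
NAT_1TO1 = {"192.168.1.10": "XXX.XXX.XXX.XXX"}
RULE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec"
                  r"\s+esp/tunnel/([^-\s]+)-(\S+)/require;")

def parse_spd(text):
    """Return the set of (src, dst, direction, tunnel_src, tunnel_dst) tuples in a setkey script."""
    return {m.groups() for m in RULE.finditer(text)}

def to_public(rules, nat):
    """Rewrite every NATed address so a rule reads the way the remote peer sees it."""
    def fix(addr):
        host, _, prefix = addr.partition("/")
        return nat.get(host, host) + ("/" + prefix if prefix else "")
    return {(fix(s), fix(d), direction, fix(ts), fix(td)) for s, d, direction, ts, td in rules}

def mirror_mismatches(spd_a, spd_b, nat):
    """Rules with no counterpart: each 'out' rule on one side needs the same rule as 'in' on the other."""
    def flip(r):
        return (r[0], r[1], "in" if r[2] == "out" else "out", r[3], r[4])
    a, b = to_public(parse_spd(spd_a), nat), parse_spd(spd_b)
    return sorted((a - {flip(r) for r in b}) | (b - {flip(r) for r in a}))

if __name__ == "__main__":
    for rule in mirror_mismatches(SPD_A, SPD_B, NAT_1TO1) or ["SPDs mirror each other"]:
        print(rule)
```

For the posted configuration the check finds no mismatch, so the SPDs themselves are symmetric under the NAT mapping; without the NAT map every rule is reported, which is what a missing or wrong 1:1 translation looks like.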


