IPSec / NAT 1:1
Jan Rezab
honza at rezab.eu
Sunday December 9 21:58:29 CET 2007
Hello.
I have a problem with IPSec.
The situation is as follows:
192.168.5.0/24 <-> firewall A (IPSec GW) <-> ADSL router <-> internet <-> firewall B <-> 192.168.2.0/24
The log below shows that IPSec comes up fine. From network 192.168.5.0 to network 192.168.2.0 it works well (both ping and telnet). But in the opposite direction
I cannot get through with either ping or telnet. I have no idea why. The problem is not in iptables, because even when I turn iptables off it behaves the same.
Could you point me in the right direction? I should say up front that I spent the whole weekend talking to Google.
Thanks in advance.
Firewall A acts as firewall, NAT and IPSec GW. Eth0 = 192.168.1.10.
The ADSL router provides the internet connection. It has 1:1 NAT configured and the firewall turned off. WAN = XXX.XXX.XXX.XXX, NATed one-to-one to
192.168.1.10.
Firewall B acts as firewall, NAT and IPSec GW. Eth0 = YYY.YYY.YYY.YYY
Configuration of firewall A:
------------------------------------------------------------------------
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.2.0/24 192.168.5.0/24 any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-192.168.1.10/require;
spdadd 192.168.2.0/24 192.168.1.10/32 any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-192.168.1.10/require;
spdadd YYY.YYY.YYY.YYY/32 192.168.1.10/32 any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-192.168.1.10/require;
spdadd YYY.YYY.YYY.YYY/32 192.168.5.0/24 any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-192.168.1.10/require;
spdadd 192.168.5.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/192.168.1.10-YYY.YYY.YYY.YYY/require;
spdadd 192.168.5.0/24 YYY.YYY.YYY.YYY/32 any -P out ipsec esp/tunnel/192.168.1.10-YYY.YYY.YYY.YYY/require;
spdadd 192.168.1.10/32 YYY.YYY.YYY.YYY/32 any -P out ipsec esp/tunnel/192.168.1.10-YYY.YYY.YYY.YYY/require;
spdadd 192.168.1.10/32 192.168.2.0/24 any -P out ipsec esp/tunnel/192.168.1.10-YYY.YYY.YYY.YYY/require;
------------------------------------------------------------------------
#/etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
log notify;
listen {
isakmp 192.168.1.10;
strict_address;
}
remote YYY.YYY.YYY.YYY {
exchange_mode main;
send_cr off;
send_cert off;
proposal {
encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address 192.168.5.0/24 any address 192.168.2.0/24 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
sainfo address 192.168.1.10/32 any address 192.168.2.0/24 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
sainfo address 192.168.1.10/32 any address YYY.YYY.YYY.YYY any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
sainfo address 192.168.5.0/24 any address YYY.YYY.YYY.YYY/32 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
------------------------------------------------------------------------
Configuration of firewall B:
------------------------------------------------------------------------
flush;
spdflush;
spdadd 192.168.2.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;
spdadd 192.168.2.0/24 XXX.XXX.XXX.XXX/32 any -P out ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;
spdadd YYY.YYY.YYY.YYY/32 XXX.XXX.XXX.XXX/32 any -P out ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;
spdadd YYY.YYY.YYY.YYY/32 192.168.5.0/24 any -P out ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;
spdadd 192.168.5.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
spdadd 192.168.5.0/24 YYY.YYY.YYY.YYY/32 any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
spdadd XXX.XXX.XXX.XXX/32 YYY.YYY.YYY.YYY/32 any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
spdadd XXX.XXX.XXX.XXX/32 192.168.2.0/24 any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
------------------------------------------------------------------------
#/etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
log notify;
listen {
isakmp YYY.YYY.YYY.YYY;
strict_address;
}
remote XXX.XXX.XXX.XXX {
exchange_mode main;
send_cr off;
send_cert off;
proposal {
encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address 192.168.2.0/24 any address 192.168.5.0/24 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
sainfo address YYY.YYY.YYY.YYY/24 any address 192.168.5.0/24 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
sainfo address YYY.YYY.YYY.YYY/24 any address XXX.XXX.XXX.XXX/32 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
sainfo address 192.168.2.0/24 any address XXX.XXX.XXX.XXX/32 any
{
pfs_group 2;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}
------------------------------------------------------------------------
Log excerpt (firewall A):
Dec 9 20:02:26 Firewall A racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Dec 9 20:02:38 Firewall A racoon: INFO: respond new phase 1 negotiation: 192.168.1.10[500]<=>YYY.YYY.YYY.YYY[500]
Dec 9 20:02:38 Firewall A racoon: INFO: begin Identity Protection mode.
Dec 9 20:02:38 Firewall A racoon: INFO: received Vendor ID: DPD
Dec 9 20:02:38 Firewall A racoon: INFO: ISAKMP-SA established 192.168.1.10[500]-YYY.YYY.YYY.YYY[500] spi:2ac7c217b0990d29:9135535761c9c63d
Dec 9 20:02:39 Firewall A racoon: INFO: initiate new phase 2 negotiation: 192.168.1.10[500]<=>YYY.YYY.YYY.YYY[500]
Dec 9 20:02:39 Firewall A racoon: INFO: respond new phase 2 negotiation: 192.168.1.10[500]<=>YYY.YYY.YYY.YYY[500]
Dec 9 20:02:40 Firewall A racoon: INFO: IPsec-SA established: ESP/Tunnel YYY.YYY.YYY.YYY[0]->192.168.1.10[0] spi=251162039(0xef86db7)
Dec 9 20:02:40 Firewall A racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.10[0]->YYY.YYY.YYY.YYY[0] spi=217528202(0xcf7378a)
Dec 9 20:02:40 Firewall A racoon: INFO: IPsec-SA established: ESP/Tunnel YYY.YYY.YYY.YYY[0]->192.168.1.10[0] spi=236517284(0xe18f7a4)
Dec 9 20:02:40 Firewall A racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.10[0]->YYY.YYY.YYY.YYY[0] spi=216996803(0xcef1bc3)
Dec 9 20:02:43 Firewall A racoon: INFO: received Vendor ID: DPD
Dec 9 20:02:43 Firewall A racoon: INFO: ISAKMP-SA established 192.168.1.10[500]-YYY.YYY.YYY.YYY[500] spi:c913c7ca21e16755:b386ad01c9aa5926
Log excerpt (firewall B):
Dec 9 20:02:34 Firewall B racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Dec 9 20:02:34 Firewall B racoon: INFO: @(#)This product linked OpenSSL 0.9.8c 05 Sep 2006 (http://www.openssl.org/)
Dec 9 20:02:35 Firewall B racoon: INFO: YYY.YYY.YYY.YYY[500] used as isakmp port (fd=7)
Dec 9 20:02:35 Firewall B racoon: INFO: YYY.YYY.YYY.YYY[500] used for NAT-T
Dec 9 20:02:35 Firewall B racoon: INFO: IPsec-SA request for XXX.XXX.XXX.XXX queued due to no phase1 found.
Dec 9 20:02:35 Firewall B racoon: INFO: initiate new phase 1 negotiation: YYY.YYY.YYY.YYY[500]<=>XXX.XXX.XXX.XXX[500]
Dec 9 20:02:35 Firewall B racoon: INFO: begin Identity Protection mode.
Dec 9 20:02:36 Firewall B racoon: INFO: received Vendor ID: DPD
Dec 9 20:02:36 Firewall B racoon: INFO: ISAKMP-SA established YYY.YYY.YYY.YYY[500]-XXX.XXX.XXX.XXX[500] spi:2ac7c217b0990d29:9135535761c9c6
Dec 9 20:02:37 Firewall B racoon: INFO: initiate new phase 2 negotiation: YYY.YYY.YYY.YYY[500]<=>XXX.XXX.XXX.XXX[500]
Dec 9 20:02:37 Firewall B racoon: INFO: respond new phase 2 negotiation: YYY.YYY.YYY.YYY[500]<=>XXX.XXX.XXX.XXX[500]
Dec 9 20:02:37 Firewall B racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->YYY.YYY.YYY.YYY[0] spi=216996803(0xcef1bc3)
Dec 9 20:02:37 Firewall B racoon: INFO: IPsec-SA established: ESP/Tunnel YYY.YYY.YYY.YYY[0]->XXX.XXX.XXX.XXX[0] spi=236517284(0xe18f7a4)
Dec 9 20:02:37 Firewall B racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[0]->YYY.YYY.YYY.YYY[0] spi=217528202(0xcf7378a)
Dec 9 20:02:37 Firewall B racoon: INFO: IPsec-SA established: ESP/Tunnel YYY.YYY.YYY.YYY[0]->XXX.XXX.XXX.XXX[0] spi=251162039(0xef86db7)
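An added consistency check for a setup like the one above (example code, not from the original post or from ipsec-tools): it parses the setkey spdadd lines of both gateways and verifies that every out policy has a mirror in policy on the peer once the router's 1:1 NAT is applied to the tunnel endpoints. The inner selectors travel encrypted inside ESP and are not rewritten by the NAT, so they must match verbatim. The sample policies are copied from the post; the NAT mapping and the names parse_spd, check_symmetry and report are assumptions of this example.

```python
import re

# Matches the setkey policy lines used in the post:
#   spdadd SRC DST any -P in|out ipsec esp/tunnel/TSRC-TDST/require;
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-\s]+)-([^/\s]+)/require")

def parse_spd(text):
    """Return the policies as (src, dst, direction, tunnel_src, tunnel_dst)."""
    return [m.groups() for m in SPD_RE.finditer(text)]

def check_symmetry(spd_a, spd_b, nat_a_to_b):
    """Every 'out' policy on one gateway needs a mirror 'in' policy on the peer.
    The 1:1 NAT rewrites only the outer (tunnel endpoint) addresses; the inner
    selectors are carried encrypted inside ESP, so they must match unchanged.
    Returns the 'out' policies that have no mirror on the other side."""
    nat_b_to_a = {v: k for k, v in nat_a_to_b.items()}

    def mirror(pol, nat):
        src, dst, _, tsrc, tdst = pol
        return (src, dst, "in", nat.get(tsrc, tsrc), nat.get(tdst, tdst))

    unmatched = []
    for own, peer, nat in ((spd_a, spd_b, nat_a_to_b), (spd_b, spd_a, nat_b_to_a)):
        unmatched += [p for p in own if p[2] == "out" and mirror(p, nat) not in peer]
    return unmatched

# Constructed sample taken from the post: A sits behind the router's 1:1 NAT
# (192.168.1.10 <-> XXX.XXX.XXX.XXX), B is directly on YYY.YYY.YYY.YYY.
SPD_A = """
spdadd 192.168.2.0/24 192.168.5.0/24 any -P in ipsec esp/tunnel/YYY.YYY.YYY.YYY-192.168.1.10/require;
spdadd 192.168.5.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/192.168.1.10-YYY.YYY.YYY.YYY/require;
spdadd 192.168.1.10/32 192.168.2.0/24 any -P out ipsec esp/tunnel/192.168.1.10-YYY.YYY.YYY.YYY/require;
"""
SPD_B = """
spdadd 192.168.2.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;
spdadd 192.168.5.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
spdadd XXX.XXX.XXX.XXX/32 192.168.2.0/24 any -P in ipsec esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
"""
NAT_A_TO_B = {"192.168.1.10": "XXX.XXX.XXX.XXX"}  # assumed: A's address as B sees it

def report():
    """Run the check on the sample and return the unmatched policies."""
    return check_symmetry(parse_spd(SPD_A), parse_spd(SPD_B), NAT_A_TO_B)

if __name__ == "__main__":
    for pol in report():
        print("no mirror policy on peer:", pol)
```

On the post's subnet-to-subnet pair the check passes, while the host-to-subnet pair is reported because A's inner selector is 192.168.1.10/32 and B's is XXX.XXX.XXX.XXX/32.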