IPsec IKEv2 succeeds, but Linux VTI does not work with SNAT

If you think "troubleshooting IPsec is tedious", forget my notes and just "let me know the implementation process". I am still confused and any information would help.

I have removed the SPIs, and this is my IP mapping:

Our private IP address:
10.1.1.2
Our S-NAT IP address:
172.16.0.1
Our Public/EIP address:
1.1.1.1
CheckPoint GW:
2.2.2.2
Instance behind CheckPoint:
192.168.1.1

On the left side I have StrongSWAN on an AWS EC2 instance behind 1:1 NAT with an Elastic IP, configured as follows.

/etc/ipsec.conf:

config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug="ike 2, knl 2, cfg 2"

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    ikelifetime=86400s
    esp=aes256-sha256-modp2048
    lifetime=10800s
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

conn Tunnel1
    auto=start
    left=10.1.1.2 # Our private IP address
    leftsubnet=172.16.0.1/32 # Our S-NAT IP address
    leftauth=psk
    leftid=1.1.1.1 # Our Public/EIP address
    right=2.2.2.2 # CheckPoint GW
    rightsubnet=192.168.1.1/32 # Instance behind CheckPoint 
    rightauth=psk
    rightid=2.2.2.2 # CheckPoint GW
    type=tunnel
    compress=no
    mark=42

/etc/ipsec.secrets:

1.1.1.1 2.2.2.2 : PSK "OURSECRET"

/etc/strongswan.d/charon.conf:

install_routes = no
install_virtual_ip = no

On the right side there is a CheckPoint device behind a firewall that accepts the policy only if the packet source is 172.16.0.1/32 and the destination is 192.168.1.1/32.

But I do not have that IP on any of my interfaces. It is a fake IP used to hide our private range from the right side (CheckPoint).

This instance has to act as a router and forward traffic from other instances through the IPsec tunnel, but every packet must be SNATed to 172.16.0.1/32.

Start StrongSWAN:

systemctl start strongswan && systemctl status -l strongswan
Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-07-23 10:20:22 EEST; 12s ago
  Process: 2163 ExecStart=/usr/sbin/ipsec start (code=exited, status=0/SUCCESS)
  Process: 2160 ExecStartPre=/bin/mkdir -p /var/lock/subsys (code=exited, status=0/SUCCESS)
 Main PID: 2190 (starter)
    Tasks: 18
   Memory: 12.2M
      CPU: 54ms
   CGroup: /system.slice/strongswan.service
           ├─2190 /usr/lib/ipsec/starter --daemon charon
           └─2191 /usr/lib/ipsec/charon --use-syslog --debug-ike 2 --debug-knl 2 --debug-cfg 2

Configure iptables:

iptables --append INPUT -s 2.2.2.2 -j ACCEPT
iptables --append INPUT -d 2.2.2.2 -j ACCEPT
iptables --table mangle --append FORWARD -o Tunnel1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Check that IKEv2 succeeded: ipsec statusall

Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1087-aws, x86_64):
  uptime: 79 seconds, since Jul 23 10:20:22 2019
  malloc: sbrk 1646592, mmap 0, used 568016, free 1078576
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
  10.1.1.2
Connections:
     Tunnel1:  10.1.1.2...2.2.2.2  IKEv2, dpddelay=30s
     Tunnel1:   local:  [1.1.1.1] uses pre-shared key authentication
     Tunnel1:   remote: [2.2.2.2] uses pre-shared key authentication
     Tunnel1:   child:  172.16.0.1/32 === 192.168.1.1/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
     Tunnel1[1]: ESTABLISHED 79 seconds ago, 10.1.1.2[1.1.1.1]...2.2.2.2[2.2.2.2]
     Tunnel1[1]: IKEv2 SPIs: ##**REMOVED**##* ##**REMOVED**##, pre-shared key reauthentication in 23 hours
     Tunnel1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
     Tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c05ce72f_i 35f8fdaa_o
     Tunnel1{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 2 hours
     Tunnel1{1}:   172.16.0.1/32 === 192.168.1.1/32

Check that the XFRM policies were added: ip -s -s xfrm policy

src 192.168.1.1/32 dst 172.16.0.1/32 uid 0
    dir fwd action allow index 82 priority 2819 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    mark 0x2a/0xffffffff
    tmpl src 2.2.2.2 dst 10.1.1.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.1.1/32 dst 172.16.0.1/32 uid 0
    dir in action allow index 72 priority 2819 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    mark 0x2a/0xffffffff
    tmpl src 2.2.2.2 dst 10.1.1.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 172.16.0.1/32 dst 192.168.1.1/32 uid 0
    dir out action allow index 65 priority 2819 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    mark 0x2a/0xffffffff
    tmpl src 10.1.1.2 dst 2.2.2.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

ip -s -s xfrm state:

src 10.1.1.2 dst 2.2.2.2
    proto esp spi ##**REMOVED**##(##**REMOVED**##) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    mark 0x2a/0xffffffff
    auth-trunc hmac(sha256) ##**REMOVED**## (256 bits) 128
    enc cbc(aes) ##**REMOVED**## (256 bits)
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 9745(sec), hard 10800(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    stats:
      replay-window 0 replay 0 failed 0
src 2.2.2.2 dst 10.1.1.2
    proto esp spi ##**REMOVED**##(##**REMOVED**##) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    mark 0x2a/0xffffffff
    auth-trunc hmac(sha256) ##**REMOVED**## (256 bits) 128
    enc cbc(aes) ##**REMOVED**## (256 bits)
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 10057(sec), hard 10800(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    stats:
      replay-window 0 replay 0 failed 0

Create the VTI device:

ip tunnel add Tunnel1 local 10.1.1.2 remote 2.2.2.2 mode vti key 42
ip addr add 172.16.0.1/32 remote 192.168.1.1/32 dev Tunnel1
ip link set Tunnel1 up mtu 1419

Disable policy on the tunnel and add the iptables TCPMSS rules:

sysctl -w net.ipv4.conf.Tunnel1.disable_policy=1
iptables --table mangle --append FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables --table mangle --append FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

But when I ping 192.168.1.1 with source 172.16.0.1 I get Destination Host Unreachable.

ping 192.168.1.1 OR ping -I 172.16.0.1 192.168.1.1 OR ping -I Tunnel1 192.168.1.1
ping -c 3 -I 172.16.0.1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) from 172.16.0.1 Tunnel1: 56(84) bytes of data.
From 172.16.0.1 icmp_seq=1 Destination Host Unreachable
From 172.16.0.1 icmp_seq=2 Destination Host Unreachable
From 172.16.0.1 icmp_seq=3 Destination Host Unreachable

--- 192.168.1.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1998ms

Other logs are as follows. ip addr shows:

3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
4: Tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN group default qlen 1
    link/ipip 10.1.1.2 peer 2.2.2.2
    inet 172.16.0.1 peer 192.168.1.1/32 scope global Tunnel1
       valid_lft forever preferred_lft forever

ip -s -s link shows:

3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       0
4: Tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/ipip 10.1.1.2 peer 2.2.2.2
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        14      0       14      0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       0

ip -s tunnel shows Tunnel1:

Tunnel1: ip/ip  remote 2.2.2.2  local 10.1.1.2  ttl inherit  key 42
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            14     0        14       0

ifconfig -a:

Tunnel1   Link encap:IPIP Tunnel  HWaddr
          inet addr:172.16.0.1  P-t-P:192.168.1.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1419  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:14 dropped:0 overruns:0 carrier:14
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ip_vti0   Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

I have disabled the source/destination check on the AWS EC2 instance and whitelisted the right (CheckPoint) IP address for all traffic in the AWS security group. I am sure NAT traversal is supported, and I can see that traffic with tcpdump: tcpdump -i any -nnnNq host 2.2.2.2

10:32:02.983136 IP 10.1.1.2.500 > 2.2.2.2.500: UDP, length 1084
10:32:03.035572 IP 2.2.2.2.500 > 10.1.1.2.500: UDP, length 708
10:32:03.044827 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 372
10:32:03.108335 IP 2.2.2.2.4500 > 10.1.1.2.4500: UDP, length 276
10:32:27.042735 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 1
10:32:33.110661 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 84
10:32:33.159623 IP 2.2.2.2.4500 > 10.1.1.2.4500: UDP, length 84
10:32:57.043342 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 1
10:33:03.110977 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 84

CheckPoint shows the tunnel as established but does not receive anything in tcpdump when I send the ping packets. journalctl -fu strongswan is available here:

https://pastebin.com/AuephC04

I also tried this on the VTI endpoint, but nothing changed:

ip tunnel add Tunnel1 local 10.1.1.2 remote 2.2.2.2 mode vti key 42
ip addr add 172.16.0.1/32 remote 0.0.0.0/0 dev Tunnel1
ip link set Tunnel1 up mtu 1419

Have I implemented this structure correctly? Do I have to set the fake IP on the VTI device? Do I need to add other iptables rules, such as a MARK rule like this one?

iptables -t mangle -A INPUT -p esp -s 2.2.2.2 -d 1.1.1.1 -j MARK --set-xmark 42

Versions:

ipsec --version:

Linux strongSwan U5.3.5/K4.4.0-1087-aws

lsb_release -a:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.6 LTS
Release:    16.04
Codename:   xenial

dpkg -l | grep -i strongswan:

ii  libcharon-extra-plugins          5.3.5-1ubuntu3.8                           amd64        strongSwan charon library (extra plugins)
ii  libstrongswan                    5.3.5-1ubuntu3.8                           amd64        strongSwan utility and crypto library
ii  libstrongswan-standard-plugins   5.3.5-1ubuntu3.8                           amd64        strongSwan utility and crypto library (standard plugins)
ii  strongswan                       5.3.5-1ubuntu3.8                           all          IPsec VPN solution metapackage
ii  strongswan-charon                5.3.5-1ubuntu3.8                           amd64        strongSwan Internet Key Exchange daemon
ii  strongswan-libcharon             5.3.5-1ubuntu3.8                           amd64        strongSwan charon library
ii  strongswan-starter               5.3.5-1ubuntu3.8                           amd64        strongSwan daemon starter and configuration file parser
ii  strongswan-tnc-base              5.3.5-1ubuntu3.8                           amd64        strongSwan Trusted Network Connect's (TNC) - base files

Thanks in advance for your help.
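As an added diagnostic (not part of the question or the answer above): a Python script that cross-checks the VTI key against the mark on the installed xfrm policies and interprets the tunnel's TX error counters. In the Linux vti driver the NoRoute column of ip -s tunnel (tx_carrier_errors, the carrier count in ifconfig) is incremented when the xfrm lookup for a packet entering the VTI fails, so a mark/key mismatch and a NoRoute-only error profile are the two things worth checking first. The sample output is constructed from the question's own listings; feed it real command output on the router.

```python
"""Cross-check VTI key, xfrm policy marks and VTI TX error counters."""
import re

# Constructed samples in the layout of 'ip -s tunnel' and 'ip -s -s xfrm policy',
# trimmed to the fields this check reads.
TUNNEL_OUT = """Tunnel1: ip/ip  remote 2.2.2.2  local 10.1.1.2  ttl inherit  key 42
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            14     0        14       0
"""
POLICY_OUT = """src 172.16.0.1/32 dst 192.168.1.1/32 uid 0
    dir out action allow index 65 priority 2819 share any flag  (0x00000000)
    mark 0x2a/0xffffffff
    tmpl src 10.1.1.2 dst 2.2.2.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 192.168.1.1/32 dst 172.16.0.1/32 uid 0
    dir in action allow index 72 priority 2819 share any flag  (0x00000000)
    mark 0x2a/0xffffffff
    tmpl src 2.2.2.2 dst 10.1.1.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
"""

def parse_tunnel(text):
    """Return the VTI key and the TX Errors / NoRoute counters."""
    key = int(re.search(r"\bkey (\d+)", text).group(1))
    tx = re.search(r"TX: Packets.*\n\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", text)
    return {"key": key, "tx_errors": int(tx.group(3)), "tx_noroute": int(tx.group(5))}

def parse_policies(text):
    """Return (src, dst, dir, mark) for each policy block; mark 0 if unmarked."""
    pols = []
    for block in re.split(r"\n(?=src )", text.strip()):
        head = re.match(r"src (\S+) dst (\S+)", block)
        direction = re.search(r"dir (\w+)", block).group(1)
        m = re.search(r"mark (0x[0-9a-f]+)/", block)
        pols.append((head.group(1), head.group(2), direction, int(m.group(1), 16) if m else 0))
    return pols

def check(tunnel_text, policy_text):
    """List the findings a practitioner would act on; empty list means nothing found."""
    t = parse_tunnel(tunnel_text)
    findings = []
    for src, dst, d, mark in parse_policies(policy_text):
        # The VTI looks up xfrm policies with its key as fwmark; an 'out' policy
        # carrying a different mark is never selected for packets sent into the VTI.
        if d == "out" and mark != t["key"]:
            findings.append(f"out policy {src}->{dst} mark {mark} != VTI key {t['key']}")
    if t["tx_errors"] and t["tx_noroute"] == t["tx_errors"]:
        findings.append("all TX errors are NoRoute: xfrm lookup failed for every packet sent into the VTI")
    return findings
```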

Answer 1

We stopped working on StrongSWAN after about a month and moved to CHR (Mikrotik Cloud Hosted Router). It was quick and easy to set up, and we have had no problems at all over the past 2 months.

So anyone reading this question can switch to CHR (CHR has a free license) or test a route-based VPN using LibreSWAN with VTI.
