Multiple-subnet problem between Strongswan and racoon VPN


I currently need to migrate from the racoon daemon to Strongswan on some routers. To actually do this, I need to be able to install Strongswan a little at a time, which means Strongswan has to work with the racoon daemon to run the VPN. With racoon I can run every VPN configuration on all the routers, especially the ones with multiple ikev1 subnets.

To explain as clearly as possible, I attach a diagram.

________________ro1___             ______________cli1_
|10.80.81.254/24 ens7-|------------|10.80.81.1/24 ens7|
|                     |            |10.50.81.1/24 ens3|
|                     |            |GW 10.80.81.254   |
|                     |            |__________________|
|                     |            
|10.70.71.1/24 ens9 | | 
|___________________|_|
                    |
                    |
________________ro2_|_ 
|10.70.71.2/24 ens9 | |
|                     |
|                     |            ______________cli2_
|GW 10.70.71.1        |            |GW 10.80.82.254   |
|10.80.82.254/24 ens7-|------------|10.80.82.1/24 ens7| 
|_____________________|            |__________________|

ip route ls cli1
default via 10.80.81.254 dev ens7 onlink
10.50.81.0/24 dev ens3 proto kernel scope link src 10.50.81.1
10.80.81.0/24 dev ens7 proto kernel scope link src 10.80.81.1
ip route ls cli2
default via 10.80.82.254 dev ens7 onlink
10.80.82.0/24 dev ens7 proto kernel scope link src 10.80.82.1
ip route ls ro1
10.50.81.0/24 dev ens7 scope link
10.70.71.0/24 dev ens9 proto kernel scope link src 10.70.71.1
10.70.72.0/24 dev ens10 proto kernel scope link src 10.70.72.1
10.80.81.0/24 dev ens7 proto kernel scope link src 10.80.81.254
10.80.82.0/24 via 10.70.71.2 dev ens9
ip route ls ro2
default via 10.70.71.1 dev ens9 onlink
10.70.71.0/24 dev ens9 proto kernel scope link src 10.70.71.2
10.70.72.0/24 dev ens10 proto kernel scope link src 10.70.72.2
10.80.82.0/24 dev ens7 proto kernel scope link src 10.80.82.254

Without the VPN active, from cli1 I can ping cli2 and from cli2 I can ping cli1.

ping cli1 -> cli2
root@cli1:~# ping cli2
PING cli2 (10.80.82.1) 56(84) bytes of data.
64 bytes from cli2 (10.80.82.1): icmp_seq=1 ttl=62 time=0.850 ms
64 bytes from cli2 (10.80.82.1): icmp_seq=2 ttl=62 time=1.16 ms

ping cli2 -> cli1
root@cli2:~# ping cli1
PING cli1 (10.80.81.1) 56(84) bytes of data.
64 bytes from cli1 (10.80.81.1): icmp_seq=1 ttl=62 time=0.927 ms
64 bytes from cli1 (10.80.81.1): icmp_seq=2 ttl=62 time=0.976 ms

root@cli2:~# ping 10.50.81.1
PING 10.50.81.1 (10.50.81.1) 56(84) bytes of data.
64 bytes from 10.50.81.1: icmp_seq=1 ttl=62 time=0.963 ms
64 bytes from 10.50.81.1: icmp_seq=2 ttl=62 time=1.14 ms

I attach the VPN configurations:

vpn ro1 racoon.conf

remote 10.70.71.2 {
        exchange_mode main;
        nat_traversal off;
        initial_contact on;
        generate_policy require;
        lifetime time 12 hours;

        #script "/etc/racoon/router2.up.sh" phase1_up;
        #script "/etc/racoon/router2.down.sh" phase1_down;

        proposal {
                encryption_algorithm 'aes 128';
                authentication_method pre_shared_key;
                hash_algorithm sha1;
                dh_group modp2048;
        }
}

sainfo address 10.80.81.0/24 any address 10.80.82.0/24 any {
        encryption_algorithm 'aes 128';
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 4 hours;
        pfs_group modp1024;
}

sainfo address 10.50.81.0/24 any address 10.80.82.0/24 any {
        encryption_algorithm 'aes 128';
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 4 hours;
        pfs_group modp1024;
}

vpn ro2 ipsec.conf (strongswan)
conn router1_lin1_loc
   type=tunnel
   authby=secret
   auto=start
   compress=no
   leftfirewall=yes
   rightfirewall=yes
   rekey=yes
   reauth=no
   mobike=no
   left=10.70.71.2
   leftsubnet=10.80.82.0/24
   right=10.70.71.1
   rightsubnet=10.80.81.0/24
   dpdaction = none
   keyexchange=ikev1
   ike=aes128-sha1-modp2048
   ikelifetime=12h
   esp=aes128-sha1-modp1024
   lifetime=4h

conn router1_lin1_dmz
   also=router1_lin1_loc
   leftsubnet=10.80.82.0/24
   rightsubnet=10.50.81.0/24
   auto=route

When I start the VPN service, everything is fine:

root@ro2:/etc/ipsec.d# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64):
  uptime: 101 seconds, since Nov 19 10:40:36 2019
  malloc: sbrk 2564096, mmap 0, used 710448, free 1853648
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
  10.70.72.2
  10.80.82.254
  10.70.71.2
Connections:
router1_lin1_loc:  10.70.71.2...10.70.71.1  IKEv1
router1_lin1_loc:   local:  [10.70.71.2] uses pre-shared key authentication
router1_lin1_loc:   remote: [10.70.71.1] uses pre-shared key authentication
router1_lin1_loc:   child:  10.80.82.0/24 === 10.80.81.0/24 TUNNEL
router1_lin1_dmz:   child:  10.80.82.0/24 === 10.50.81.0/24 TUNNEL
Routed Connections:
router1_lin1_dmz{1}:  ROUTED, TUNNEL, reqid 1
router1_lin1_dmz{1}:   10.80.82.0/24 === 10.50.81.0/24
Security Associations (1 up, 0 connecting):
router1_lin1_loc[1]: ESTABLISHED 101 seconds ago, 10.70.71.2[10.70.71.2]...10.70.71.1[10.70.71.1]
router1_lin1_loc[1]: IKEv1 SPIs: 7d0ae014b65151bb_i* e9d01ba24b15ce56_r, rekeying in 11 hours
router1_lin1_loc[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
router1_lin1_loc{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cd333ba9_i 0d825538_o
router1_lin1_loc{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 2016 bytes_i (24 pkts, 0s ago), 2016 bytes_o (24 pkts, 0s ago), rekeying in 3 hours
router1_lin1_loc{2}:   10.80.82.0/24 === 10.80.81.0/24

In fact, the first connection comes up automatically, both clients ping each other successfully and I can see the packets received on the VPN, but once the VPN "router1_lin_dmz" is activated both clients stop pinging and only the ping from cli2 to 10.50.81.1 works.

root@ro2:/etc/ipsec.d# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64):
  uptime: 20 minutes, since Nov 19 10:40:36 2019
  malloc: sbrk 2564096, mmap 0, used 775440, free 1788656
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
  10.70.72.2
  10.80.82.254
  10.70.71.2
Connections:
router1_lin1_loc:  10.70.71.2...10.70.71.1  IKEv1
router1_lin1_loc:   local:  [10.70.71.2] uses pre-shared key authentication
router1_lin1_loc:   remote: [10.70.71.1] uses pre-shared key authentication
router1_lin1_loc:   child:  10.80.82.0/24 === 10.80.81.0/24 TUNNEL
router1_lin1_dmz:   child:  10.80.82.0/24 === 10.50.81.0/24 TUNNEL
Routed Connections:
router1_lin1_dmz{1}:  ROUTED, TUNNEL, reqid 1
router1_lin1_dmz{1}:   10.80.82.0/24 === 10.50.81.0/24
Security Associations (1 up, 0 connecting):
router1_lin1_loc[1]: ESTABLISHED 20 minutes ago, 10.70.71.2[10.70.71.2]...10.70.71.1[10.70.71.1]
router1_lin1_loc[1]: IKEv1 SPIs: 7d0ae014b65151bb_i* e9d01ba24b15ce56_r, rekeying in 11 hours
router1_lin1_loc[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
router1_lin1_loc{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cd333ba9_i 0d825538_o
router1_lin1_loc{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 183708 bytes_i (2187 pkts, 7s ago), 183708 bytes_o (2187 pkts, 15s ago), rekeying in 3 hours
router1_lin1_loc{2}:   10.80.82.0/24 === 10.80.81.0/24
router1_lin1_dmz{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c667b3db_i 05449ccb_o
router1_lin1_dmz{3}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 2184 bytes_i (26 pkts, 0s ago), 1092 bytes_o (13 pkts, 0s ago), rekeying in 3 hours
router1_lin1_dmz{3}:   10.80.82.0/24 === 10.50.81.0/24

Strangely, after activating the VPN "router1_lin_dmz", the counters show that all traffic from the 10.80.xx networks ends up in the last VPN. Why is that?

Another interesting point is that the same configuration between two strongSwans works fine.

root@cli2:~# ping -w 2 -c 3 cli1
PING cli1 (10.80.81.1) 56(84) bytes of data.

--- cli1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 21ms

root@cli2:~# ping -w 2 -c 3 10.50.81.1
PING 10.50.81.1 (10.50.81.1) 56(84) bytes of data.
64 bytes from 10.50.81.1: icmp_seq=1 ttl=62 time=1.08 ms
64 bytes from 10.50.81.1: icmp_seq=2 ttl=62 time=1.04 ms

--- 10.50.81.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 1.037/1.056/1.075/0.019 ms
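The counter observation in the question can be checked mechanically. The following Python is an added example, not code from the question or from strongSwan: it parses the child-SA lines of two ipsec statusall snapshots (the two snapshots embedded here are the question's own lines, with the IKE-SA, plugin and routed-connection lines left out) and reports, per child SA, how the byte and packet counters moved between them. The field names, the report layout and the "inbound excess" heuristic (an SA that receives more packets than it sends) are my own choices for this example.

```python
import re
from typing import Dict, List

# Child-SA lines copied from the two `ipsec statusall` snapshots in the
# question (about 20 minutes apart). Only the lines this parser reads are kept.
SNAPSHOT_T0 = """\
router1_lin1_loc{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cd333ba9_i 0d825538_o
router1_lin1_loc{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 2016 bytes_i (24 pkts, 0s ago), 2016 bytes_o (24 pkts, 0s ago), rekeying in 3 hours
router1_lin1_loc{2}:   10.80.82.0/24 === 10.80.81.0/24
"""
SNAPSHOT_T1 = """\
router1_lin1_loc{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cd333ba9_i 0d825538_o
router1_lin1_loc{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 183708 bytes_i (2187 pkts, 7s ago), 183708 bytes_o (2187 pkts, 15s ago), rekeying in 3 hours
router1_lin1_loc{2}:   10.80.82.0/24 === 10.80.81.0/24
router1_lin1_dmz{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c667b3db_i 05449ccb_o
router1_lin1_dmz{3}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 2184 bytes_i (26 pkts, 0s ago), 1092 bytes_o (13 pkts, 0s ago), rekeying in 3 hours
router1_lin1_dmz{3}:   10.80.82.0/24 === 10.50.81.0/24
"""

# Every child-SA line starts with "<conn>{<id>}:"; the three line kinds we
# care about are the INSTALLED line, the counter line and the selector line.
_KEY = r"^(?P<name>[^{\s]+)\{(?P<id>\d+)\}:\s+"
_INSTALLED = re.compile(_KEY + r"INSTALLED, TUNNEL, reqid (?P<reqid>\d+), "
                        r"ESP SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
# The "(N pkts, Ns ago)" part is absent when an SA has carried no packets yet.
_COUNTERS = re.compile(_KEY + r"\S+, (?P<bytes_i>\d+) bytes_i"
                       r"(?: \((?P<pkts_i>\d+) pkts, (?P<age_i>\d+)s ago\))?, "
                       r"(?P<bytes_o>\d+) bytes_o"
                       r"(?: \((?P<pkts_o>\d+) pkts, (?P<age_o>\d+)s ago\))?")
_SELECTORS = re.compile(_KEY + r"(?P<local_ts>\S+) === (?P<remote_ts>\S+)$")
_INT_FIELDS = {"reqid", "bytes_i", "pkts_i", "age_i", "bytes_o", "pkts_o", "age_o"}


def parse_child_sas(status_output: str) -> Dict[str, dict]:
    """Collect reqid, SPIs, counters and selectors per child SA, keyed like
    'router1_lin1_loc{2}'."""
    sas: Dict[str, dict] = {}
    for line in status_output.splitlines():
        for rx in (_INSTALLED, _COUNTERS, _SELECTORS):
            m = rx.match(line)
            if not m:
                continue
            fields = m.groupdict()
            key = "%s{%s}" % (fields.pop("name"), fields.pop("id"))
            entry = sas.setdefault(key, {})
            for k, v in fields.items():
                entry[k] = (int(v) if v is not None else 0) if k in _INT_FIELDS else v
            break
    return sas


def compare(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, dict]:
    """Per child SA: counter deltas between two snapshots, plus how many more
    packets the peer sent into the SA than our side sent out of it."""
    report: Dict[str, dict] = {}
    for key, sa in after.items():
        old = before.get(key, {})
        report[key] = {
            "reqid": sa.get("reqid"),
            "selectors": "%s === %s" % (sa.get("local_ts"), sa.get("remote_ts")),
            "new": key not in before,
            "delta_bytes_i": sa.get("bytes_i", 0) - old.get("bytes_i", 0),
            "delta_bytes_o": sa.get("bytes_o", 0) - old.get("bytes_o", 0),
            "delta_pkts_i": sa.get("pkts_i", 0) - old.get("pkts_i", 0),
            "delta_pkts_o": sa.get("pkts_o", 0) - old.get("pkts_o", 0),
            "inbound_excess_pkts": sa.get("pkts_i", 0) - sa.get("pkts_o", 0),
            "last_in_s_ago": sa.get("age_i"),
            "last_out_s_ago": sa.get("age_o"),
        }
    return report


def suspect_sas(report: Dict[str, dict]) -> List[str]:
    """Child SAs that received more packets than they sent. In the question's
    snapshots this singles out the dmz SA (26 in, 13 out), which is what you
    would expect if the peer pushes other policies' traffic into it."""
    return [k for k, r in report.items() if r["inbound_excess_pkts"] > 0]


if __name__ == "__main__":
    rep = compare(parse_child_sas(SNAPSHOT_T0), parse_child_sas(SNAPSHOT_T1))
    for key, r in rep.items():
        print(key, r)
    print("suspect:", suspect_sas(rep))
```

Run it against two real snapshots taken a few seconds apart (ipsec statusall > before; ping; ipsec statusall > after) and the SA whose inbound counter moves while its selectors do not cover the flow you tested is the one the peer is misusing.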

Answer 1

With generate_policy require, racoon uses the same reqid for all IPsec policies, which means it sends all data through the most recently established IPsec SA. That does not work with strongSwan, which uses separate reqids/SAs for each policy, i.e. inbound data is dropped if it cannot be matched to the reqid of the matching policy.

To fix this, configure generate_policy unique, so that racoon also uses single/unique reqids.
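To make the reqid mechanism in this answer concrete, here is an added Python model of it; it is not racoon or strongSwan code. Two assumptions are built in: the receiving kernel's post-decryption check compares the reqid of the SA that decrypted a packet with the template reqid of the inbound policy covering the inner packet (this is how Linux XFRM behaves, with a template reqid of 0 matching any SA), and the peer's choice of outbound SA is reduced to the two modes the answer names: "require", where one shared reqid makes every policy use the most recently established SA, and "unique", where each policy uses the SA whose selectors cover the packet. The SA names, SPIs, reqids and selectors are taken from the question's second ipsec statusall output, and the two test flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class InboundSA:
    """An ESP SA as installed on the receiving (strongSwan) router."""
    name: str
    spi: str
    reqid: int
    remote_ts: str  # traffic selector of the sending side
    local_ts: str   # traffic selector of our side


@dataclass(frozen=True)
class InboundPolicy:
    """Inbound IPsec policy; its template carries the reqid of the SA it expects."""
    src: str
    dst: str
    reqid: int


def covers(src_net: str, dst_net: str, src_ip: str, dst_ip: str) -> bool:
    return (ip_address(src_ip) in ip_network(src_net)
            and ip_address(dst_ip) in ip_network(dst_net))


def kernel_inbound_check(policies: List[InboundPolicy], sa: InboundSA,
                         src_ip: str, dst_ip: str) -> Tuple[bool, str]:
    """Simplified model (assumption of this example) of the check the kernel
    runs after decryption: find the inbound policy for the inner packet and
    require the decrypting SA's reqid to match the policy template."""
    for pol in policies:
        if covers(pol.src, pol.dst, src_ip, dst_ip):
            if pol.reqid and pol.reqid != sa.reqid:
                return False, "policy reqid %d != reqid %d of %s" % (pol.reqid, sa.reqid, sa.name)
            return True, "accepted via %s" % sa.name
    return False, "no inbound policy"


def peer_select_sa(sas: List[InboundSA], mode: str, src_ip: str, dst_ip: str) -> InboundSA:
    """How the racoon peer picks the SA that encrypts a packet, in the two
    modes the answer describes. 'require': one reqid for every policy, so the
    most recently established SA wins. 'unique': the SA whose selectors cover
    the packet."""
    if mode == "require":
        return sas[-1]
    for sa in sas:
        if covers(sa.remote_ts, sa.local_ts, src_ip, dst_ip):
            return sa
    raise LookupError("no SA covers %s -> %s" % (src_ip, dst_ip))


# From the question's second `ipsec statusall`: the loc SA came up first
# (auto=start), the dmz SA was installed later (auto=route) and is the newest.
SAS = [
    InboundSA("router1_lin1_loc{2}", "cd333ba9", 2, "10.80.81.0/24", "10.80.82.0/24"),
    InboundSA("router1_lin1_dmz{3}", "c667b3db", 1, "10.50.81.0/24", "10.80.82.0/24"),
]
POLICIES = [
    InboundPolicy("10.80.81.0/24", "10.80.82.0/24", 2),
    InboundPolicy("10.50.81.0/24", "10.80.82.0/24", 1),
]
# Constructed flows: cli1 -> cli2 and the DMZ host -> cli2, as seen arriving at ro2.
FLOWS = [("10.80.81.1", "10.80.82.1"), ("10.50.81.1", "10.80.82.1")]


def simulate(mode: str) -> Dict[str, bool]:
    """For each flow: does ro2 accept the packet the peer sent in this mode?"""
    result: Dict[str, bool] = {}
    for src, dst in FLOWS:
        sa = peer_select_sa(SAS, mode, src, dst)
        ok, _ = kernel_inbound_check(POLICIES, sa, src, dst)
        result["%s->%s" % (src, dst)] = ok
    return result


if __name__ == "__main__":
    for mode in ("require", "unique"):
        print(mode, simulate(mode))
```

In "require" mode the cli1 -> cli2 packet is decrypted by the dmz SA (reqid 1) but its inbound policy expects reqid 2, so it is dropped, while the 10.50.81.1 -> cli2 packet matches and passes; this reproduces the question's symptom of only the ping to 10.50.81.1 surviving. In "unique" mode each flow rides its own SA and both pass.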
