Replace racoon with strongSwan

I have to switch from the racoon daemon (no longer maintained) to the new charon daemon of strongSwan. In practice there are about 12 vendors, and all the VPNs can be changed "at once". I recreated all the configurations by "copying" them from racoon to strongSwan. Only 3 out of 10 fail to connect. For simplicity only one of them is listed here. In practice phase 1 connects, but the phase 2 tunnel cannot be established. In some cases (not in this log), or usually on the first start, the tunnel is established and connected, but after a few minutes the tunnel closes and no longer works.

racoon.conf (working)

remote 2.2.2.2 {
        my_identifier address 1.1.1.1;
        exchange_mode main;
        nat_traversal off;
        initial_contact on;
        #generate_policy on;

        lifetime time 86400 sec;

        nonce_size 16;
        support_proxy on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 'aes 256';
                authentication_method pre_shared_key;
                hash_algorithm sha1;
                dh_group 5;
        }
}

sainfo address 1.1.1.1/32 any address 2.2.2.2/32 any {
        encryption_algorithm 'aes 256';
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 3600 sec;
        pfs_group 5;
}

sainfo address 2.2.2.2/32 any address 1.1.1.1/32 any {
        encryption_algorithm 'aes 256';
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 3600 sec;
        pfs_group 5;
}

sainfo address 172.16.0.0/29 any address 10.1.0.0/19 any {
        encryption_algorithm 'aes 256';
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 3600 sec;
        pfs_group 5;
}

sainfo address 10.1.0.0/19 any address 172.16.0.0/29 any {
        encryption_algorithm 'aes 256';
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 3600 sec;
        pfs_group 5;
}

ipsec-tools.conf
spdadd 1.1.1.1/32      2.2.2.2/32     any -P out ipsec
       esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 2.2.2.2/32       1.1.1.1/32    any -P in  ipsec
       esp/tunnel/2.2.2.2-1.1.1.1/require;

spdadd 172.16.0.0/29        10.1.0.0/19       any -P out ipsec
       esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 10.1.0.0/19         172.16.0.0/29      any -P in  ipsec
       esp/tunnel/2.2.2.2-1.1.1.1/require;

conn.conf (strongswan)

conn conn
   type=tunnel
   authby=secret
   auto=route
   compress=no
   leftfirewall=yes
   rightfirewall=yes
   rekey=yes
   reauth=no
   mobike=no
   left=1.1.1.1
   leftsourceip=1.1.1.1
   leftsubnet=172.16.0.0/29
   # Clients
   right=2.2.2.2
   rightsubnet=10.1.0.0/19
   # recommended dpd/liveness to cleanup vanished clients
   dpdaction=none
   #dpddelay=30
   #dpdtimeout=120
   aggressive=no
   keyexchange=ikev1
   ike=aes256-sha1-modp1536!
   ikelifetime=24h
   fragmentation=no
   esp=aes256-sha1-modp1536!
   lifetime=1h

ipsec statusall

Connections:
    conn:  1.1.1.1...2.2.2.2  IKEv1, dpddelay=30s
    conn:   local:  [1.1.1.1] uses pre-shared key authentication
    conn:   remote: [2.2.2.2] uses pre-shared key authentication
    conn:   child:  172.16.0.0/29 === 10.1.0.0/19 TUNNEL, dpdaction=clear
Routed Connections:
    conn{1}:  ROUTED, TUNNEL, reqid 1
    conn{1}:   172.16.0.0/29 === 10.1.0.0/19
Security Associations (1 up, 0 connecting):
    conn[3]: ESTABLISHED 11 seconds ago, 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
    conn[3]: IKEv1 SPIs: f8b3195f00f2368e_i* 311a423d5e714f05_r, rekeying in 23 hours
    conn[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    conn[3]: Tasks queued: QUICK_MODE
    conn[3]: Tasks active: MODE_CONFIG

charon log

Dec  3 22:21:31 moon charon: 14[KNL] creating acquire job for policy 1.1.1.10/32[tcp/46993] === 2.2.2.50/32[tcp/1414] with reqid {1}
Dec  3 22:21:31 moon charon: 14[IKE] queueing ISAKMP_VENDOR task
Dec  3 22:21:31 moon charon: 14[IKE] queueing ISAKMP_CERT_PRE task
Dec  3 22:21:31 moon charon: 14[IKE] queueing MAIN_MODE task
Dec  3 22:21:31 moon charon: 14[IKE] queueing ISAKMP_CERT_POST task
Dec  3 22:21:31 moon charon: 14[IKE] queueing ISAKMP_NATD task
Dec  3 22:21:31 moon charon: 14[IKE] queueing QUICK_MODE task
Dec  3 22:21:31 moon charon: 14[IKE] activating new tasks
Dec  3 22:21:31 moon charon: 14[IKE]   activating ISAKMP_VENDOR task
Dec  3 22:21:31 moon charon: 14[IKE]   activating ISAKMP_CERT_PRE task
Dec  3 22:21:31 moon charon: 14[IKE]   activating MAIN_MODE task
Dec  3 22:21:31 moon charon: 14[IKE]   activating ISAKMP_CERT_POST task
Dec  3 22:21:31 moon charon: 14[IKE]   activating ISAKMP_NATD task
Dec  3 22:21:31 moon charon: 14[IKE] sending XAuth vendor ID
Dec  3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec  3 22:21:31 moon charon: 14[IKE] sending DPD vendor ID
Dec  3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec  3 22:21:31 moon charon: 14[IKE] sending FRAGMENTATION vendor ID
Dec  3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec  3 22:21:31 moon charon: 14[IKE] sending NAT-T (RFC 3947) vendor ID
Dec  3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec  3 22:21:31 moon charon: 14[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec  3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec  3 22:21:31 moon charon: 14[IKE] initiating Main Mode IKE_SA conn[2] to 2.2.2.2
Dec  3 22:21:31 moon charon: 14[IKE] IKE_SA conn[2] state change: CREATED => CONNECTING
...
Dec  3 22:21:31 moon charon: 16[IKE] received DPD vendor ID
Dec  3 22:21:31 moon charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Dec  3 22:21:31 moon charon: 16[ENC] received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
Dec  3 22:21:31 moon charon: 16[IKE] reinitiating already active tasks
Dec  3 22:21:31 moon charon: 16[IKE]   ISAKMP_VENDOR task
Dec  3 22:21:31 moon charon: 16[IKE]   MAIN_MODE task
Dec  3 22:21:31 moon charon: 16[ENC] added payload of type KEY_EXCHANGE_V1 to message
Dec  3 22:21:31 moon charon: 16[ENC] added payload of type NONCE_V1 to message
...
Dec  3 22:21:31 moon charon: 16[ENC] added payload of type NAT_D_V1 to message
Dec  3 22:21:31 moon charon: 16[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec  3 22:21:31 moon charon: 16[ENC] not encrypting payloads
Dec  3 22:21:31 moon charon: 16[ENC] generating payload of type HEADER
Dec  3 22:21:31 moon charon: 16[ENC]   generating rule 0 IKE_SPI
...
Dec  3 22:21:31 moon charon: 06[ENC] parsed ID_PROT response 0 [ ID HASH ]
Dec  3 22:21:31 moon charon: 06[IKE] IKE_SA conn[2] established between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
Dec  3 22:21:31 moon charon: 06[IKE] IKE_SA conn[2] state change: CONNECTING => ESTABLISHED
Dec  3 22:21:31 moon charon: 06[IKE] scheduling rekeying in 85857s
Dec  3 22:21:31 moon charon: 06[IKE] maximum IKE_SA lifetime 86397s
Dec  3 22:21:31 moon charon: 06[IKE] queueing MODE_CONFIG task
Dec  3 22:21:31 moon charon: 06[IKE] activating new tasks
Dec  3 22:21:31 moon charon: 06[IKE]   activating MODE_CONFIG task
Dec  3 22:21:31 moon charon: 06[ENC] added payload of type CONFIGURATION_V1 to message
Dec  3 22:21:31 moon charon: 06[ENC] order payloads in message
Dec  3 22:21:31 moon charon: 06[ENC] added payload of type CONFIGURATION_V1 to message
Dec  3 22:21:31 moon charon: 06[ENC] generating TRANSACTION request 1557479715 [ HASH CPRQ(ADDR DNS) ]
Dec  3 22:21:31 moon charon: 06[ENC] insert payload HASH_V1 into encrypted payload
Dec  3 22:21:31 moon charon: 06[ENC] insert payload CONFIGURATION_V1 into encrypted payload
Dec  3 22:21:31 moon charon: 06[ENC] generating payload of type HEADER
Dec  3 22:21:31 moon charon: 06[ENC]   generating rule 0 IKE_SPI
...
Dec  3 22:21:31 moon charon: 08[ENC] parsed content of encrypted payload
Dec  3 22:21:31 moon charon: 08[ENC] insert decrypted payload of type HASH_V1 at end of list
Dec  3 22:21:31 moon charon: 08[ENC] verifying message structure
Dec  3 22:21:31 moon charon: 08[ENC] found payload of type HASH_V1
Dec  3 22:21:31 moon charon: 08[ENC] payload of type CONFIGURATION_V1 not occurred 1 times (0)
Dec  3 22:21:31 moon charon: 08[IKE] **message verification failed**
Dec  3 22:21:31 moon charon: 08[ENC] added payload of type NOTIFY_V1 to message
Dec  3 22:21:31 moon charon: 08[ENC] order payloads in message
Dec  3 22:21:31 moon charon: 08[ENC] added payload of type NOTIFY_V1 to message
Dec  3 22:21:31 moon charon: 08[ENC] generating INFORMATIONAL_V1 request 3329228680 [ HASH N(PLD_MAL) ]
Dec  3 22:21:31 moon charon: 08[ENC] insert payload HASH_V1 into encrypted payload
Dec  3 22:21:31 moon charon: 08[ENC] insert payload NOTIFY_V1 into encrypted payload
...
Dec  3 22:21:31 moon charon: 08[ENC]   generating rule 14 SPI
Dec  3 22:21:31 moon charon: 08[ENC]   generating rule 15 CHUNK_DATA
Dec  3 22:21:31 moon charon: 08[ENC] generating NOTIFY_V1 payload finished
Dec  3 22:21:31 moon charon: 08[ENC] generated content in encrypted payload
Dec  3 22:21:31 moon charon: 08[ENC] generating payload of type ENCRYPTED_V1
Dec  3 22:21:31 moon charon: 08[ENC]   generating rule 0 ENCRYPTED_DATA
Dec  3 22:21:31 moon charon: 08[ENC] generating ENCRYPTED_V1 payload finished
Dec  3 22:21:31 moon charon: 08[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (76 bytes)
Dec  3 22:21:31 moon charon: 08[IKE] TRANSACTION response with message ID 1557479715 processing failed
Dec  3 22:21:35 moon charon: 05[IKE] sending retransmit 1 of request message ID 1557479715, seq 4
Dec  3 22:21:35 moon charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (76 bytes)
Dec  3 22:21:37 moon charon: 03[ENC] parsing header of message
Dec  3 22:21:37 moon charon: 03[ENC] parsing HEADER payload, 248 bytes left
Dec  3 22:21:37 moon charon: 03[ENC]   parsing rule 0 IKE_SPI
Dec  3 22:21:37 moon charon: 03[ENC]   parsing rule 1 IKE_SPI
Dec  3 22:21:37 moon charon: 03[ENC]   parsing rule 2 U_INT_8
...
Dec  3 22:22:19 moon charon: 03[ENC]   parsing rule 12 FLAG
Dec  3 22:22:19 moon charon: 03[ENC]   parsing rule 13 FLAG
Dec  3 22:22:19 moon charon: 03[ENC]   parsing rule 14 U_INT_32
Dec  3 22:22:19 moon charon: 03[ENC]   parsing rule 15 HEADER_LENGTH
Dec  3 22:22:19 moon charon: 03[ENC] parsing HEADER payload finished
Dec  3 22:22:19 moon charon: 03[ENC] parsed a ID_PROT message header
Dec  3 22:22:27 moon charon: 00[DMN] signal of type SIGINT received. Shutting down
Dec  3 22:22:27 moon charon: 00[IKE] queueing ISAKMP_DELETE task
Dec  3 22:22:27 moon charon: 00[IKE] activating new tasks
Dec  3 22:22:27 moon charon: 00[IKE]   activating ISAKMP_DELETE task
Dec  3 22:22:27 moon charon: 00[IKE] deleting IKE_SA conn[2] between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
Dec  3 22:22:27 moon charon: 00[ENC] added payload of type DELETE_V1 to message
Dec  3 22:22:27 moon charon: 00[IKE] sending DELETE for IKE_SA conn[2]
Dec  3 22:22:27 moon charon: 00[IKE] IKE_SA conn[2] state change: ESTABLISHED => DELETING
Dec  3 22:22:27 moon charon: 00[ENC] order payloads in message
Dec  3 22:22:27 moon charon: 00[ENC] added payload of type DELETE_V1 to message
Dec  3 22:22:27 moon charon: 00[ENC] generating INFORMATIONAL_V1 request 4291887391 [ HASH D ]
Dec  3 22:22:27 moon charon: 00[ENC] insert payload HASH_V1 into encrypted payload
Dec  3 22:22:27 moon charon: 00[ENC] insert payload DELETE_V1 into encrypted payload
Dec  3 22:22:27 moon charon: 00[ENC] generating payload of type HEADER
Dec  3 22:22:27 moon charon: 00[ENC]   generating rule 0 IKE_SPI

**Note: ... message verification failed**

**... TRANSACTION response with message ID 1557479715 processing failed**

Unfortunately the console ran out of memory, so the SPIs do not match!

The other side is not managed by me. In this case I do not know which router they use (probably Cisco) and asking them for changes is very complicated, while in the other two cases I know they use Checkpoint and Zeroshell routers.

Answer 1

Because of the `leftsourceip` option, strongSwan requests a virtual IP address from the responder. This is mostly useful in remote-access/roadwarrior scenarios, and less so for the site-to-site connection that the traffic selectors (`left|rightsubnet`) imply here (i.e. both are subnets).

For IKEv1, requesting a virtual IP means requesting a Mode Config (TRANSACTION) exchange of configuration attributes (there are actually two modes, but the default is "pull" mode). If the peer does not want this additional exchange (as is the case here), the connection will not be established successfully. So to fix this issue, simply remove/comment out the `leftsourceip` option.

The actual source IP this host uses within the tunnel is determined by the negotiated local traffic selector (`leftsubnet`). If the host has an IP address in one of the negotiated local subnets, strongSwan automatically installs a route in routing table 220 that forces that IP address as the source for traffic to the remote subnets.
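The check described in this answer, as an added example (not strongSwan's code and not the poster's or answerer's): it parses ipsec.conf-style `conn` sections, flags any conn whose `leftsubnet` and `rightsubnet` are both real subnets (site-to-site) but which still sets `leftsourceip`/`rightsourceip`, shows the corrected conn with that option commented out, and recognises the charon log signature of a Mode Config request the peer answered with something charon could not verify. The config and log lines are constructed from the question above (same addresses and message ID); the function names are this example's own.

```python
"""Flag a site-to-site strongSwan conn that still requests a virtual IP.

Added example for this page; not strongSwan's code, not the poster's.
"""
import ipaddress
import re

# Constructed from the question's conn.conf, trimmed to the relevant keys.
SAMPLE_IPSEC_CONF = """\
conn conn
   left=1.1.1.1
   leftsourceip=1.1.1.1
   leftsubnet=172.16.0.0/29
   # Clients
   right=2.2.2.2
   rightsubnet=10.1.0.0/19
   keyexchange=ikev1
"""

# Constructed excerpt of the question's charon log: only the failure signature.
SAMPLE_LOG = """\
Dec  3 22:21:31 moon charon: 06[IKE] queueing MODE_CONFIG task
Dec  3 22:21:31 moon charon: 06[ENC] generating TRANSACTION request 1557479715 [ HASH CPRQ(ADDR DNS) ]
Dec  3 22:21:31 moon charon: 08[ENC] payload of type CONFIGURATION_V1 not occurred 1 times (0)
Dec  3 22:21:31 moon charon: 08[IKE] message verification failed
Dec  3 22:21:31 moon charon: 08[IKE] TRANSACTION response with message ID 1557479715 processing failed
"""

CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+([a-z_]+)\s*=\s*(.*?)\s*$")
MODECFG_TASK_RE = re.compile(r"queueing MODE_CONFIG task")
TRANSACTION_REQ_RE = re.compile(r"generating TRANSACTION request (\d+) \[ HASH CPRQ")
TRANSACTION_FAIL_RE = re.compile(r"TRANSACTION response with message ID (\d+) processing failed")


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text.

    Deliberately minimal: 'conn NAME' headers plus indented key=value lines;
    '#' comments and blank lines are skipped and %default is not merged in.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        header = CONN_RE.match(line)
        if header:
            current = header.group(1)
            conns[current] = {}
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            conns[current][kv.group(1)] = kv.group(2)
    return conns


def is_subnet(selector):
    """True for a real subnet selector; False for a host (/32, /128) or a non-address."""
    try:
        net = ipaddress.ip_network(selector.split(",")[0].strip(), strict=False)
    except ValueError:
        return False
    return net.prefixlen < net.max_prefixlen


def find_virtual_ip_requests(conns):
    """(conn, key) pairs where a site-to-site conn asks the peer for a virtual IP.

    With both selectors fixed subnets, left/rightsourceip only adds a Mode
    Config (IKEv1) exchange that the remote gateway may refuse.
    """
    findings = []
    for name, kv in conns.items():
        if not (is_subnet(kv.get("leftsubnet", "")) and is_subnet(kv.get("rightsubnet", ""))):
            continue
        findings.extend((name, key) for key in ("leftsourceip", "rightsourceip") if key in kv)
    return findings


def comment_out_sourceip(text, conn_name):
    """Return the config with left/rightsourceip commented out inside one conn."""
    out, inside = [], False
    for line in text.splitlines():
        header = CONN_RE.match(line)
        if header:
            inside = header.group(1) == conn_name
        if inside and re.match(r"^\s*(left|right)sourceip\s*=", line):
            indent = line[: len(line) - len(line.lstrip())]
            line = indent + "#" + line.lstrip()
        out.append(line)
    return "\n".join(out) + "\n"


def failed_modeconfig_ids(log_text):
    """Message IDs of Mode Config requests whose reply charon rejected.

    Needs the MODE_CONFIG task to be queued, then a TRANSACTION request and a
    'processing failed' line carrying the same message ID.
    """
    queued, requested, failed = False, set(), set()
    for line in log_text.splitlines():
        if MODECFG_TASK_RE.search(line):
            queued = True
        m = TRANSACTION_REQ_RE.search(line)
        if m:
            requested.add(m.group(1))
        m = TRANSACTION_FAIL_RE.search(line)
        if m:
            failed.add(m.group(1))
    return sorted(requested & failed) if queued else []


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_IPSEC_CONF)
    for name, key in find_virtual_ip_requests(conns):
        print(f"conn {name}: {key} is set on a site-to-site conn; remove it")
    print("rejected Mode Config message IDs:", failed_modeconfig_ids(SAMPLE_LOG))
    print(comment_out_sourceip(SAMPLE_IPSEC_CONF, "conn"))
```

Run it against your own `ipsec.conf` and `charon` log by replacing the two constructed samples; a hit from both checks on the same conn is the situation the answer describes, and the commented-out `leftsourceip` is the fix it proposes.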
