Hello, I am currently trying to build my first VPN with IPsec. So far I have only dealt with OpenVPN; somehow I can't make sense of IPsec...
Actually it doesn't look too bad at all, but I can't get a ping to the other side to work. The admin of the other side says that the packets arrive unencrypted. It is a Checkpoint firewall over there.
Can someone please give me a good tip?
Best regards
Thomas
Here is some data:
What happens:
gw1:~# setkey -F;setkey -PF;/etc/init.d/ipsec restart;sleep 5;ipsec auto --up eberhard
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec does not appear to be running!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec 2.4.6...
ipsec_setup: insmod /lib/modules/2.6.17-2-686/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.17-2-686/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: insmod /lib/modules/2.6.17-2-686/kernel/net/xfrm/xfrm_user.ko
104 "eberhard" #1: STATE_MAIN_I1: initiate
106 "eberhard" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "eberhard" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "eberhard" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "eberhard" #2: STATE_QUICK_I1: initiate
004 "eberhard" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x1ff86b15 <0xf1ee5c81 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
A few routes:
gw1:~# route -n
Kernel IP Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
213.99.1.172 0.0.0.0 255.255.255.252 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
193.13.31.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 213.99.1.173 0.0.0.0 UG 0 0 0 eth1
gw1:~# ip route show
213.99.1.172/30 dev eth1 proto kernel scope link src 213.99.1.174
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.119
193.13.31.0/24 dev eth1 scope link
default via 213.99.1.173 dev eth1
gw1:~# ifconfig
eth0 Protokoll:Ethernet Hardware Adresse 00:E0:7D:7C:92:4C
inet Adresse:192.168.1.119 Bcast:192.168.1.255 Maske:255.255.255.0
inet6 Adresse: fe80::2e0:7dff:fe7c:924c/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2597633 errors:0 dropped:0 overruns:0 frame:0
TX packets:16675 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:346158200 (330.1 MiB) TX bytes:2757947 (2.6 MiB)
Interrupt:9 Basisadresse:0xdc00
eth1 Protokoll:Ethernet Hardware Adresse 00:E0:7D:78:7F:F5
inet Adresse:213.99.1.174 Bcast:213.99.1.175 Maske:255.255.255.252
inet6 Adresse: fe80::2e0:7dff:fe78:7ff5/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:39690 errors:0 dropped:0 overruns:0 frame:0
TX packets:32425 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:2 Sendewarteschlangenlänge:1000
RX bytes:9182701 (8.7 MiB) TX bytes:2035148 (1.9 MiB)
Interrupt:10 Basisadresse:0xde00
lo Protokoll:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
The output of setkey:
gw1:~# setkey -PD
193.13.31.0/24[any] 192.168.1.0/24[any] any
in ipsec
esp/tunnel/195.253.14.38-213.99.1.174/unique#16385
created: Dec 14 15:44:33 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1720 seq=12 pid=11692
refcnt=1
192.168.1.0/24[any] 193.13.31.0/24[any] any
out ipsec
esp/tunnel/213.99.1.174-195.253.14.38/unique#16385
created: Dec 14 15:44:33 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1737 seq=11 pid=11692
refcnt=1
193.13.31.0/24[any] 192.168.1.0/24[any] any
fwd ipsec
esp/tunnel/195.253.14.38-213.99.1.174/unique#16385
created: Dec 14 15:44:33 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1730 seq=10 pid=11692
refcnt=1
(per-socket policy)
in none
created: Dec 14 15:44:29 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1707 seq=9 pid=11692
refcnt=1
(per-socket policy)
in none
created: Dec 14 15:44:29 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1691 seq=8 pid=11692
refcnt=1
(per-socket policy)
in none
created: Dec 14 15:44:29 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1675 seq=7 pid=11692
refcnt=1
(per-socket policy)
in none
created: Dec 14 15:44:29 2006 lastused: Dec 14 15:44:33 2006
lifetime: 0(s) validtime: 0(s)
spid=1659 seq=6 pid=11692
refcnt=1
(per-socket policy)
in none
created: Dec 14 15:44:29 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1643 seq=5 pid=11692
refcnt=1
(per-socket policy)
out none
created: Dec 14 15:44:29 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1716 seq=4 pid=11692
refcnt=1
(per-socket policy)
out none
created: Dec 14 15:44:29 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1700 seq=3 pid=11692
refcnt=1
(per-socket policy)
out none
created: Dec 14 15:44:29 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1684 seq=2 pid=11692
refcnt=1
(per-socket policy)
out none
created: Dec 14 15:44:29 2006 lastused: Dec 14 15:44:34 2006
lifetime: 0(s) validtime: 0(s)
spid=1668 seq=1 pid=11692
refcnt=1
(per-socket policy)
out none
created: Dec 14 15:44:29 2006 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1652 seq=0 pid=11692
refcnt=1
gw1:~# setkey -D
195.253.14.38 213.99.1.174
esp mode=tunnel spi=4058930305(0xf1ee5c81) reqid=16385(0x00004001)
E: 3des-cbc fc88d545 26471c19 9a4d8d0b 48f1faaa 54bc58f4 971399f7
A: hmac-md5 bd0bf8c3 aedac418 3c814634 3030bccb
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Dec 14 15:44:33 2006 current: Dec 14 16:09:05 2006
diff: 1472(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=11694 refcnt=0
213.99.1.174 195.253.14.38
esp mode=tunnel spi=536374037(0x1ff86b15) reqid=16385(0x00004001)
E: 3des-cbc 07f55e75 81711e41 78a04115 43c4b37e b0d25301 70f461f1
A: hmac-md5 101cc488 dd4a9a51 3bf46e59 e40206bd
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Dec 14 15:44:33 2006 current: Dec 14 16:09:05 2006
diff: 1472(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=11694 refcnt=0
And now the ipsec.conf:
gw1:~# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=all
uniqueids=no
# plutodebug=all #"control parsing"
interfaces="ipsec0=eth1 %defaultroute"
# Add connections here
conn eberhard
type=tunnel
keyingtries=0
pfs=yes
authby=secret
# If the connection should start automatically, set "start" instead of "add"
auto=add
# Left security gateway, subnet behind it, next hop toward right.
# leftid=213.99.1.174
# left=213.99.1.174
left=%defaultroute
leftsubnet=192.168.1.0/24
# leftnexthop=%defaultroute
# Right security gateway, subnet behind it, next hop toward left.
# rightid=195.253.14.38
right=195.253.14.38
rightsubnet=193.13.31.0/24
esp=3des-md5
ike=3des-md5
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
gw1:~#
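As an added diagnostic (my own code, not from the thread or from Openswan), the following Python script parses `setkey -PD` and `setkey -D` output and reports, for the configured leftsubnet/rightsubnet, every direction that has no ESP tunnel policy or no mature SA behind it. The sample strings are constructed from the setkey output quoted above (key material dropped); the function names are my own.

```python
import re

# Constructed sample, abbreviated from the setkey -PD / setkey -D output quoted in the thread.
SPD = """\
193.13.31.0/24[any] 192.168.1.0/24[any] any
    in ipsec
    esp/tunnel/195.253.14.38-213.99.1.174/unique#16385
192.168.1.0/24[any] 193.13.31.0/24[any] any
    out ipsec
    esp/tunnel/213.99.1.174-195.253.14.38/unique#16385
193.13.31.0/24[any] 192.168.1.0/24[any] any
    fwd ipsec
    esp/tunnel/195.253.14.38-213.99.1.174/unique#16385
"""
SAD = """\
195.253.14.38 213.99.1.174
    esp mode=tunnel spi=4058930305(0xf1ee5c81) reqid=16385(0x00004001)
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
213.99.1.174 195.253.14.38
    esp mode=tunnel spi=536374037(0x1ff86b15) reqid=16385(0x00004001)
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
"""

def parse_spd(text):
    """Return (src_selector, dst_selector, direction, (outer_src, outer_dst) or None) per policy."""
    pat = re.compile(r'(?m)^(\S+)\[any\] (\S+)\[any\] any\n\s*(in|out|fwd) \w+\n'
                     r'(?:\s*esp/tunnel/([^-]+)-([^/]+)/)?')  # tunnel part is absent for "none" policies
    return [(s, d, dir_, (os_, od) if os_ else None) for s, d, dir_, os_, od in pat.findall(text)]

def parse_sad(text):
    """Return the set of (src, dst) endpoint pairs that own a mature tunnel-mode SA."""
    blocks = re.split(r'(?m)^(\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$', text)
    # re.split with two capture groups yields [prefix, src, dst, attribute_lines, src, dst, ...]
    return {(blocks[i], blocks[i + 1]) for i in range(1, len(blocks), 3)
            if "mode=tunnel" in blocks[i + 2] and "state=mature" in blocks[i + 2]}

def check_tunnel(spd, mature, leftsubnet, rightsubnet):
    """List the reasons why traffic between the two subnets would NOT be ESP-protected here."""
    wanted = {"out": (leftsubnet, rightsubnet),
              "in": (rightsubnet, leftsubnet), "fwd": (rightsubnet, leftsubnet)}
    problems = []
    for direction, (src, dst) in wanted.items():
        hits = [p for p in spd if p[2] == direction and (p[0], p[1]) == (src, dst)]
        if not hits:
            problems.append(f"{direction}: no policy for {src} -> {dst}; kernel passes it without ESP")
        elif hits[0][3] is None:
            problems.append(f"{direction}: {src} -> {dst} is a bypass policy, not esp/tunnel")
        elif hits[0][3] not in mature:
            problems.append(f"{direction}: tunnel {'-'.join(hits[0][3])} has no mature SA")
    return problems
```

The policies only match packets whose addresses fall inside the two subnets: a ping sent from the gateway's own public address 213.99.1.174 does not match 192.168.1.0/24 and would leave unencrypted via the plain eth1 route, so test from a LAN host or with a source address from leftsubnet (e.g. `ping -I 192.168.1.119 ...`).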
VPN / OpenSWAN problems
Was the connection not established at all? "ipsec auto --status"
Is the firewall active? Since the configuration file says ipsec0=eth1, but the service loads the IPsec stack of the 2.6 kernel on startup, I'm asking whether that is intended. Only with the openswan IPsec stack do the ipsecX interfaces exist, which makes e.g. the firewall configuration somewhat easier.
Many thanks for the reply!
The ipsec0 interface I took from example configurations; I have already noticed that it is missing too. I just don't know any better...
It doesn't work without the firewall either.
Maybe the following information helps:
uname -r
2.6.17-2-686
iptables -nvxL
Chain INPUT (policy ACCEPT 40 packets, 3874 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 13 packets, 1144 bytes)
pkts bytes target prot opt in out source destination
ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.119
000 interface eth1/eth1 213.99.1.174
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,336} attrs={0,2,224}
000
000 "eberhard": 192.168.1.0/24===213.160.20.174...195.253.13.37===193.13.31.0/24; erouted; eroute owner: #2
000 "eberhard": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "eberhard": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "eberhard": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "eberhard": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "eberhard": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, flags=strict
000 "eberhard": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2,
000 "eberhard": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "eberhard": ESP algorithms wanted: 3_000-1, flags=strict
000 "eberhard": ESP algorithms loaded: 3_000-1, flags=strict
000 "eberhard": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #2: "eberhard":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27754s; newest IPSEC; eroute owner
000 #2: "eberhard" esp.2d8766c2@195.253.14.38 esp.f36fc1d@213.99.1.174 tun.0@195.253.14.38 tun.0@213.99.1.174
000 #1: "eberhard":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2708s; newest ISAKMP; nodpd