Strongswan Site 2 Site mit beidseitiger NAT

[SirNibo]

Hallo,

ich kriege es in meiner Testumgebung nicht hin eine IPSec Verbindung zwischen zwei Seiten zu erstellen, wenn beide Seiten hinter einer NAT sind.
Ohne NAT geht es ohne Probleme.
Anscheinend reicht es nicht wenn man auf der Firewall eine NAT Regel für die UDP Ports 500 und 4500 erstellt.
Das hängt wohl mit dieser NAT-T Geschichte zusammen, die ich aber nicht blicke und ich finde nur Anleitungen wenn die VPN Server direkt erreichbar sind.

Bei OpenVPN reicht es ja wirklich nur eine NAT Regel zu erstellen.

Beim Status bekomme ich folgendes zu sehen.

Seite A

Code: Alles auswählen

root@ipsec-a:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-14-686-pae, i686):
  uptime: 47 minutes, since Feb 02 16:33:08 2021
  malloc: sbrk 688128, mmap 0, used 356952, free 331176
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
  192.168.0.1
Connections:
      a-to-b:  %any...192.168.188.180  IKEv2, dpddelay=30s
      a-to-b:   local:  [C=DE, O=strongSwan, CN=ipsec-a.test.lab] uses public key authentication
      a-to-b:    cert:  "C=DE, O=strongSwan, CN=ipsec-a.test.lab"
      a-to-b:   remote: [C=DE, O=strongSwan, CN=ipsec-b.test.lab] uses public key authentication
      a-to-b:   child:  192.168.0.0/24 === 192.168.10.0/24 TUNNEL, dpdaction=restart
Security Associations (0 up, 1 connecting):
      a-to-b[1]: CONNECTING, 192.168.0.1[%any]...192.168.188.180[%any]
      a-to-b[1]: IKEv2 SPIs: 8ab4bef8c0cac0cf_i* 0000000000000000_r
      a-to-b[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

Seite B

Code: Alles auswählen

root@ipsec-b:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-14-686-pae, i686):
  uptime: 50 minutes, since Feb 02 16:33:04 2021
  malloc: sbrk 688128, mmap 0, used 358344, free 329784
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
  192.168.10.1
Connections:
      b-to-a:  %any...192.168.188.181  IKEv2, dpddelay=30s
      b-to-a:   local:  [C=DE, O=strongSwan, CN=ipsec-b.test.lab] uses public key authentication
      b-to-a:    cert:  "C=DE, O=strongSwan, CN=ipsec-b.test.lab"
      b-to-a:   remote: [C=DE, O=strongSwan, CN=ipsec-a.test.lab] uses public key authentication
      b-to-a:   child:  192.168.10.0/24 === 192.168.0.0/24 TUNNEL, dpdaction=restart
Security Associations (0 up, 1 connecting):
      b-to-a[1]: CONNECTING, 192.168.10.1[%any]...192.168.188.181[%any]
      b-to-a[1]: IKEv2 SPIs: f9e1c289dbf93051_i* 0000000000000000_r
      b-to-a[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

Hier erstmal der Aufbau

IPSec-A-VPN-GW 192.168.0.1---------------192.168.0.254 IPSec-A-GW 192.168.188.181---------------192.168.188.180 IPSec-B-GW 192.168.10.254---------------192.168.10.1 IPSec-B-VPN-GW

Seite A
Router (IPSec-A-GW)
WAN eth0: 192.168.188.181
LAN1 eth1: 192.168.0.254

VPN Server (IPSec-A-VPN-GW)
LAN1 eth0: 192.168.0.1

Seite B
Router (IPSec-B-GW)
WAN eth0: 192.168.188.180
LAN1 eth1: 192.168.10.254

VPN Server (IPSec-B-VPN-GW)
LAN1 eth0: 192.168.10.1

Seite A
ipsec.conf

Code: Alles auswählen

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default
conn a-to-b #
        left=%any
        leftsubnet=192.168.0.0/24
        right=192.168.188.180
        rightsubnet=192.168.10.0/24
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        #authby=secret
        auto=start
        keyexchange=ikev2
        type=tunnel
        leftcert=ipsec-a_cert.pem
        leftid="C=DE, O=strongSwan, CN=ipsec-a.test.lab"
        rightid="C=DE, O=strongSwan, CN=ipsec-b.test.lab"

ipsec.server

Code: Alles auswählen

: RSA ipsec-a_key.pem

IPSec-A-GW
iptables

Code: Alles auswählen

root@ipsec-a:/etc# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

root@ipsec-a:/etc# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:2222 to:192.168.0.1:22
DNAT       udp  --  anywhere             anywhere             udp dpt:isakmp to:192.168.0.1:500
DNAT       udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t to:192.168.0.1:4500

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

IPSec-A-VPN-GW
iptables

Code: Alles auswählen

root@ipsec-a:/etc# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

root@ipsec-a:/etc# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Seite B
ipsec.conf

Code: Alles auswählen

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default
conn b-to-a #
        left=%any
        leftsubnet=192.168.10.0/24
        right=192.168.188.181
        rightsubnet=192.168.0.0/24
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        #authby=secret
        auto=start
        keyexchange=ikev2
        type=tunnel
        leftcert=ipsec-b_cert.pem
        leftid="C=DE, O=strongSwan, CN=ipsec-b.test.lab"
        rightid="C=DE, O=strongSwan, CN=ipsec-a.test.lab"

ipsec.server

Code: Alles auswählen

: RSA ipsec-b_key.pem

IPsec-B-GW
iptables

Code: Alles auswählen

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

root@ipsec-b-fw:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:2222 to:192.168.10.1:22
DNAT       udp  --  anywhere             anywhere             udp dpt:isakmp to:192.168.10.1:500
DNAT       udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t to:192.168.10.1:4500

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

IPsec-B-VPN-GW

Code: Alles auswählen

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

root@ipsec-b:/etc# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Über jedliche Unterstützung wäre ich sehr dankbar.

[schorsch_76]

Ich hab einen Client den ich speziel behandeln muss. Andere Clients brauchen keinen Eintrag am Server. Du kannst den ganzen special Kram löschen Die CA hab ich mit strongswan-pki gemacht.

Das ist mein swanctl.conf Client

Code: Alles auswählen

connections {
    ikev2-pubkey {
        version = 2
        local_addrs  = %any4
        remote_addrs = myserver
        vips = 0.0.0.0,::

        local-1 {
            auth = pubkey
            certs = mypeer-cert.pem
        }
        remote-1 {
            auth = pubkey
            id = myserver
        }
        children {
            ikev2-pubkey {
                remote_ts = 0.0.0.0/0,::/0
                
                # autostart
                close_action=start
                start_action=start
            }
        }
    }
}

Das der Server

Code: Alles auswählen

connections {
    ikev2-pubkey {
        version = 2
        proposals = aes256-sha512-modp4096
        rekey_time = 0s
        pools = primary-pool-ipv4, primary-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            certs = myserver.der
            auth = pubkey
            id = myserver
        }
        remote-1 {
            # defaults are fine.
            auth = pubkey
        }
        children {
            ikev2-pubkey {
                local_ts = 0.0.0.0/0,::/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha512-modp4096
            }
        }
    }

# special handling
    special {
        version = 2
        proposals = aes256-sha512-modp4096
        rekey_time = 0s
        pools = special-pool-ipv4, special-pool-ipv6
        fragmentation = yes
        dpd_delay = 30s
        # dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
        local-1 {
            certs = myserver.der
            auth = pubkey
            id = myserver
        }
        remote-1 {
            # defaults are fine.
            auth = pubkey
            certs = special-cert.pem
        }
        children {
            vps {
                local_ts = 192.168.0.0/16,fdxxx::/64,fdxx/64
                remote_ts = 192.168.200.10/32,fdxx::10/128
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha512-modp4096
            }
        }
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 192.168.200.20-192.168.200.100
        dns = 192.168.xx.xx,fdxx:10::1
    }
    primary-pool-ipv6 {
        addrs = fdxx:80::11-fdxx:80::7f
    }
    vps-pool-ipv4 {
        addrs = 192.168.200.10
        dns = 192.168.xx.xx,fdxx:10::1
    }
    vps-pool-ipv6 {
        addrs = fdxx:80::10
    }
}