IPSEC & l2tp linux

SasoS ::

I'm trying to set up an IPSEC & L2TP VPN on Linux. The setup has been working fine with Windows clients for quite a while now, but it doesn't work with any of the others (iOS, Android...). I'm now trying to debug it. One thing that doesn't add up for me is the following: if I run tcpdump on the ipsec0 interface (openswan 2.6.35), the Windows traffic shows up fine:
08:56:34.921997 IP 192.168.100.20.1701 > 84.xx.xx.xx.1701:  l2tp:[L](65399/64548) {LCP, Conf-Request (0x01), id 0, length 23}
The Android traffic, however, arrives with the external IP (!), inside (!) the tunnel:
08:56:29.299893 IP 84.xx.xx.xx.54855 > 84.xx.xx.xx.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous) *FRAMING_CAP(AS) *ASSND_TUN_ID(31212) *RECV_WIN_SIZE(1)
The replies therefore go out to the internet bypassing ipsec. How is it possible for traffic with the external IP to arrive on ipsec0, when the client on its source network shouldn't even know that address? In the ipsec log it's clearly visible that they agree on NAT:
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[3] 84.xx.xx.xx #3: responding to Main Mode from unknown peer 84.xx.xx.xx
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[3] 84.xx.xx.xx #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[3] 84.xx.xx.xx #3: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[3] 84.xx.xx.xx #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[3] 84.xx.xx.xx #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[3] 84.xx.xx.xx #3: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[3] 84.xx.xx.xx #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.100.39'
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[3] 84.xx.xx.xx #3: switched from "my-clients" to "my-clients"
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 84.xx.xx.xx #3: deleting connection "my-clients" instance with peer 84.xx.xx.xx {isakmp=#0/ipsec=#0}
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 84.xx.xx.xx #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 84.xx.xx.xx #3: new NAT mapping for #3, was 84.xx.xx.xx:61, now 84.xx.xx.xx:1084
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 84.xx.xx.xx #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 84.xx.xx.xx #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 84.xx.xx.xx #3: received and ignored informational message
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 84.xx.xx.xx #3: the peer proposed: 84.xx.xx.xx/32:17/1701 -> 192.168.100.39/32:17/0
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 84.xx.xx.xx #4: responding to Quick Mode proposal {msgid:b9374ad0}
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 84.xx.xx.xx #4:     us: 84.xx.xx.xx<84.xx.xx.xx>[+S=C]:17/1701
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 84.xx.xx.xx #4:   them: 84.xx.xx.xx[192.168.100.39,+S=C]:17/0===192.168.100.39/32
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 84.xx.xx.xx #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 84.xx.xx.xx #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 84.xx.xx.xx #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 84.xx.xx.xx #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0a5c6908 <0x76633b1d xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=84.xx.xx.xx:1084 DPD=none}
Shouldn't the traffic inside the tunnel have src ip 192.168.100.39, just as the route on ipsec0 is set up?
conn my-clients
        authby=secret
        pfs=no
        rekey=no
        type=transport
        left=84.xx.xx.xx
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%priv,%no
        rightprotoport=17/0
        auto=add
  • edited by: SasoS ()
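The mismatch described in the post (an inner L2TP source address equal to the NAT's public address rather than the peer ID negotiated in IKE) can be checked mechanically against a capture and the pluto log. The following Python script is an added example, not code from the poster or from Openswan. It parses tcpdump lines in the format quoted above together with the pluto "Main mode peer ID" and "IPsec SA established" lines, then flags inbound L2TP packets whose inner source is not an authenticated peer ID, reporting whether that source equals the NAT-T detected outer address (NATD) and whether a NAT-OA was received. The sample lines are constructed: the redacted 84.xx.xx.xx values are replaced with RFC 5737 documentation addresses (203.0.113.10 for the server, 198.51.100.7 for the NAT in front of the Android client, 192.0.2.55 for the Windows client's NAT), and a peer-ID line for the Windows client is assumed so that its traffic is recognised as normal.

```python
import re

# Constructed sample lines modelled on the tcpdump and pluto output quoted in
# the post (not the poster's capture). Redacted 84.xx.xx.xx addresses are
# replaced with RFC 5737 documentation addresses.
GATEWAY_PUBLIC = "203.0.113.10"  # the VPN server's own address (left=)

TCPDUMP_SAMPLE = r'''
08:56:34.921997 IP 192.168.100.20.1701 > 203.0.113.10.1701:  l2tp:[L](65399/64548) {LCP, Conf-Request (0x01), id 0, length 23}
08:56:29.299893 IP 198.51.100.7.54855 > 203.0.113.10.1701:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *HOST_NAME(anonymous)
'''.strip().splitlines()

PLUTO_SAMPLE = r'''
Oct 28 08:55:40 OpenWrt authpriv.warn pluto[2765]: "my-clients"[2] 192.0.2.55 #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.100.20'
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[3] 198.51.100.7 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[3] 198.51.100.7 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.100.39'
Oct 28 08:56:03 OpenWrt authpriv.warn pluto[2765]: "my-clients"[4] 198.51.100.7 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0a5c6908 <0x76633b1d xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=198.51.100.7:1084 DPD=none}
'''.strip().splitlines()

IPV4 = r"\d+(?:\.\d+){3}"
TCPDUMP_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4})\.(?P<sport>\d+) > "
    rf"(?P<dst>{IPV4})\.(?P<dport>\d+):\s+l2tp:(?P<rest>.*)$"
)
PLUTO_RE = re.compile(rf'"[^"]+"\[\d+\] (?P<outer>{IPV4}) #\d+: (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Main mode peer ID is ID_IPV4_ADDR: '(?P<inner>[^']+)'")
SA_RE = re.compile(r"IPsec SA established (?P<mode>\w+) mode \{.*NATOA=(?P<natoa>\S+) NATD=(?P<natd>\S+)")


def parse_tcpdump(line):
    """Return addresses, ports and the L2TP control message type of one tcpdump line."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    # Control messages carry *MSGTYPE(...); data messages carry PPP (e.g. LCP).
    ctl = re.search(r"\*MSGTYPE\((\w+)\)", pkt["rest"])
    pkt["msgtype"] = ctl.group(1) if ctl else "data"
    return pkt


def parse_pluto(lines):
    """Collect, per outer peer address, what pluto learned during IKE."""
    peers = {}
    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue
        info = peers.setdefault(m["outer"], {"nated": False, "peer_id": None,
                                             "natoa": None, "natd": None, "mode": None})
        msg = m["msg"]
        if "peer is NATed" in msg:
            info["nated"] = True
        pid = PEER_ID_RE.search(msg)
        if pid:
            info["peer_id"] = pid["inner"]
        sa = SA_RE.search(msg)
        if sa:
            info.update(mode=sa["mode"], natoa=sa["natoa"], natd=sa["natd"])
    return peers


def check_inner_sources(tcpdump_lines, peers, gateway=GATEWAY_PUBLIC):
    """Flag inbound L2TP packets whose inner source is not an authenticated peer ID.

    The symptom in the post is an inner source equal to the NAT-T outer address
    (NATD) instead of the private address the peer identified itself with; replies
    to such a source are routed outside the IPsec SA.
    """
    known_ids = {p["peer_id"] for p in peers.values() if p["peer_id"]}
    findings = []
    for line in tcpdump_lines:
        pkt = parse_tcpdump(line)
        if not pkt or pkt["dst"] != gateway or pkt["dport"] != 1701:
            continue  # only L2TP towards the server's own listener
        if pkt["src"] in known_ids:
            continue  # inner source matches a peer ID: replies stay in the tunnel
        peer = peers.get(pkt["src"])
        natd_addr = peer["natd"].split(":")[0] if peer and peer["natd"] else None
        findings.append({
            "ts": pkt["ts"],
            "src": pkt["src"],
            "sport": pkt["sport"],
            "msgtype": pkt["msgtype"],
            "matches_natd": natd_addr == pkt["src"],
            "expected_peer_id": peer["peer_id"] if peer else None,
            "natoa": peer["natoa"] if peer else None,
        })
    return findings


if __name__ == "__main__":
    peers = parse_pluto(PLUTO_SAMPLE)
    for f in check_inner_sources(TCPDUMP_SAMPLE, peers):
        print(f"{f['ts']} {f['msgtype']} from {f['src']}:{f['sport']}: "
              f"inner source equals NAT-T outer address={f['matches_natd']}, "
              f"expected peer ID {f['expected_peer_id']}, NATOA={f['natoa']}")
```

On a real system the two inputs would be the output of `tcpdump -n -i ipsec0 udp port 1701` and the pluto lines from syslog; a finding with `matches_natd` True and `natoa` "none" is the pattern the post shows for the Android client, while the Windows client's packets are matched to its peer ID and produce no finding.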