Problem with an IPsec tunnel

psychoshorty ::

Hello,

I have a fairly "interesting" problem that I simply can't solve any more. It concerns an IPsec tunnel between two sites. At site A there is an OPNsense VM, at site B a MikroTik router. A need arose for an additional phase 2 because of a new subnet at site A.

Settings at site A:

[Image: IPsec settings]

For the new phase 2 entry I always get the following message in the logs:

traffic selectors 10.99.3.0/24 === 10.101.11.0/24 unacceptable

On the other side is the MikroTik, where the IPsec tunnel is established, as are the phase 2s. Only for this entry the MikroTik keeps reporting that there is no phase 2.

Settings:

[Image: MikroTik settings]

On both sides the settings, as far as IPsec is concerned, are completely identical (shared key, encryption etc.). The problem is that I don't understand why OPNsense throws that message. Thanks for your help!

Shorty

llc ::

Raise the logging level a bit on both sides. From your description it's also not clear to me who actually refuses to establish the tunnel, site A or site B.

psychoshorty ::

Done. At site A on OPNsense I get this:

2021-09-14T20:37:05 charon 62079 09 KNL con1 10 updating policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:37:05 charon 62079 09 KNL con1 10 deleting policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:37:05 charon 62079 09 KNL con1 10 no local address found in traffic selector 10.99.3.0/24
2021-09-14T20:37:05 charon 62079 09 KNL con1 10 getting a local address in traffic selector 10.99.3.0/24
2021-09-14T20:37:05 charon 62079 09 KNL con1 10 policy 10.101.11.0/24 === 10.99.3.0/24 in already exists, increasing refcount
2021-09-14T20:31:24 charon 62079 11 KNL con1 8 updating policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:31:24 charon 62079 11 KNL con1 8 deleting policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:31:24 charon 62079 11 KNL con1 8 no local address found in traffic selector 10.99.3.0/24
2021-09-14T20:31:24 charon 62079 11 KNL con1 8 getting a local address in traffic selector 10.99.3.0/24
2021-09-14T20:31:18 charon 62079 14 KNL con1 6 updating policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:31:18 charon 62079 14 KNL con1 6 deleting policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:31:18 charon 62079 14 KNL con1 6 no local address found in traffic selector 10.99.3.0/24
2021-09-14T20:31:18 charon 62079 14 KNL con1 6 getting a local address in traffic selector 10.99.3.0/24
2021-09-14T20:30:12 charon 62079 12 KNL con1 5 updating policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:30:12 charon 62079 12 KNL con1 5 deleting policy 10.101.11.0/24 === 10.99.3.0/24 in
2021-09-14T20:30:12 charon 62079 12 KNL con1 5 no local address found in traffic selector 10.99.3.0/24
2021-09-14T20:30:12 charon 62079 12 KNL con1 5 getting a local address in traffic selector 10.99.3.0/24
2021-09-14T20:30:12 charon 62079 07 KNL con1 5 policy 10.101.11.0/24 === 10.99.3.0/24 in already exists, increasing refcount

At site B on the MikroTik, if I try to re-enable IPsec, I get: microtik ipsec error unable to apply address config. The IPsec policy says "no phase 2", which probably refers to site A on OPNsense.

It's not clear to me at which site the fault is, so that phase 2 doesn't come up. All the others, as you can see in the first post, always come up on OPNsense.

NoName ::

Did you add on the MikroTik firewall
/ip firewall nat add chain=srcnat place-before=0 action=accept src=10.101.11.0/24 dst=10.99.3.0/24
... so as to prevent it from being grabbed by SNAT/MASQUERADE?
I can see dumb people...They're all around us... Look, they're even on this forum!

psychoshorty ::

NoName wrote:

Did you add on the MikroTik firewall
/ip firewall nat add chain=srcnat place-before=0 action=accept src=10.101.11.0/24 dst=10.99.3.0/24
... so as to prevent it from being grabbed by SNAT/MASQUERADE?


If I try to add your command in the MikroTik terminal I get this:

value of range cannot contain '.' character, start and end values should be separated by '-'

(I'm not familiar with the terminal and commands on the MikroTik at all.)

llc ::

This log excerpt contains no error.
Does OPNsense also have CLI access? If so, what do "ipsec statusall" and "ipsec up [connection_name]" say?

psychoshorty ::

ipsec statusall says:

Listening IP addresses:
10.99.1.10
10.99.0.253
10.99.0.252
10.99.2.253
10.98.0.1
10.98.16.1
Connections:
con1: 10.99.1.10...xx.xxx.xx.xx IKEv2 -> xxx is our public IP
con1: local: [vpn.nasadomena.com] uses pre-shared key authentication
con1: remote: [xx.xxx.xx.xx] uses pre-shared key authentication
con1: child: 10.99.3.0/24 === 10.101.12.0/24 TUNNEL
con1-001: child: 10.99.0.0/24 === 10.101.12.0/24 TUNNEL
con1-002: child: 10.99.0.0/24 === 10.101.10.0/24 TUNNEL
con1-003: child: 10.99.0.0/24 === 10.101.11.0/24 TUNNEL
con1-004: child: 10.99.0.0/24 === 10.113.12.0/24 TUNNEL
con1-005: child: 10.98.0.0/24 === 10.101.11.0/24 TUNNEL
Routed Connections:
con1-005{29}: ROUTED, TUNNEL, reqid 5
con1-005{29}: 10.98.0.0/24 === 10.101.11.0/24
con1-004{28}: ROUTED, TUNNEL, reqid 4
con1-004{28}: 10.99.0.0/24 === 10.113.12.0/24
con1-003{27}: ROUTED, TUNNEL, reqid 3
con1-003{27}: 10.99.0.0/24 === 10.101.11.0/24
con1-002{26}: ROUTED, TUNNEL, reqid 2
con1-002{26}: 10.99.0.0/24 === 10.101.10.0/24
con1-001{25}: ROUTED, TUNNEL, reqid 1
con1-001{25}: 10.99.0.0/24 === 10.101.12.0/24
con1{24}: ROUTED, TUNNEL, reqid 7
con1{24}: 10.99.3.0/24 === 10.101.12.0/24
Security Associations (1 up, 0 connecting):
con1[46]: ESTABLISHED 6 minutes ago, 10.99.1.10[vpn.nasadomena.com]...xx.xx.xx.xx[xx.xx.xx.xx]
con1[46]: IKEv2 SPIs: 3b2c3caf12c2ab2b_i* 924ee645628a06d8_r, pre-shared key reauthentication in 7 hours
con1[46]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
con1-005{141}: INSTALLED, TUNNEL, reqid 5, ESP in UDP SPIs: c1e77d0d_i 0e5d311f_o
con1-005{141}: AES_CBC_256/HMAC_SHA2_256_128, 1471 bytes_i (2 pkts, 1s ago), 346480 bytes_o (2720 pkts, 1s ago), rekeying in 36 minutes
con1-005{141}: 10.98.0.0/24 === 10.101.11.0/24
con1-003{142}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: ca1f9729_i 07391316_o
con1-003{142}: AES_CBC_256/HMAC_SHA2_256_128, 1608 bytes_i (2 pkts, 132s ago), 1416 bytes_o (6 pkts, 121s ago), rekeying in 38 minutes
con1-003{142}: 10.99.0.0/24 === 10.101.11.0/24
con1-004{143}: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: ce70238c_i 0f721d42_o
con1-004{143}: AES_CBC_256/HMAC_SHA2_256_128, 3068964 bytes_i (4684 pkts, 0s ago), 2472976 bytes_o (4944 pkts, 0s ago), rekeying in 43 minutes
con1-004{143}: 10.99.0.0/24 === 10.113.12.0/24
con1-001{144}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c6722e19_i 0fadf2ff_o
con1-001{144}: AES_CBC_256/HMAC_SHA2_256_128, 462192 bytes_i (605 pkts, 184s ago), 0 bytes_o (0 pkts, 171s ago), rekeying in 44 minutes
con1-001{144}: 10.99.0.0/24 === 10.101.12.0/24
con1-002{145}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c90d0896_i 0f443b19_o
con1-002{145}: AES_CBC_256/HMAC_SHA2_256_128, 2747596 bytes_i (3486 pkts, 152s ago), 1524 bytes_o (11 pkts, 14s ago), rekeying in 45 minutes
con1-002{145}: 10.99.0.0/24 === 10.101.10.0/24

psychoshorty ::

ipsec up con1 gives:

no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
establishing CHILD_SA con1{146}
generating CREATE_CHILD_SA request 6 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
sending packet: from 10.99.1.10[4500] to xx.xx.xx.xx[4500] (208 bytes)
received packet: from xx.xx.xx.xx[4500] to 10.99.1.10[4500] (240 bytes)
parsed CREATE_CHILD_SA response 6 [ No TSi TSr SA ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA con1{146} established with SPIs c7c7dc6b_i 0a58c052_o and TS 10.99.3.0/24 === 10.101.12.0/24

Interestingly, when I run this command, the route is also re-created and is actually established between both sites, but at the next rekey everything drops again:

con1{146}: 10.99.3.0/24 === 10.101.12.0/24
con1{147}: INSTALLED, TUNNEL, reqid 7, ESP in UDP SPIs: c9a9a898_i 0b85d650_o
con1{147}: AES_CBC_256/HMAC_SHA2_256_128, 3162493 bytes_i (5661 pkts, 737s ago), 0 bytes_o (0 pkts, 737s ago), rekeying in 40 minutes
con1{147}: 10.99.3.0/24 === 10.101.12.0/24

llc ::

Well, then also "ipsec stroke rekey con1{147}", because so far there's been no error visible anywhere...

psychoshorty ::

OK, I'll run that too and paste the output here.

Heh, it tells me: no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf' and then nothing further.

llc ::

Instead of {147} enter the number that "ipsec statusall" gives you

or the whole name "ipsec stroke rekey con1-nnn{xxx}"

psychoshorty ::

So, if statusall now gives me this:
Routed Connections:
con1-005{29}: ROUTED, TUNNEL, reqid 5
con1-005{29}: 10.98.0.0/24 === 10.101.11.0/24
con1-004{28}: ROUTED, TUNNEL, reqid 4
con1-004{28}: 10.99.0.0/24 === 10.113.12.0/24
con1-003{27}: ROUTED, TUNNEL, reqid 3
con1-003{27}: 10.99.0.0/24 === 10.101.11.0/24
con1-002{26}: ROUTED, TUNNEL, reqid 2
con1-002{26}: 10.99.0.0/24 === 10.101.10.0/24
con1-001{25}: ROUTED, TUNNEL, reqid 1
con1-001{25}: 10.99.0.0/24 === 10.101.12.0/24
con1{24}: ROUTED, TUNNEL, reqid 7
con1{24}: 10.99.3.0/24 === 10.101.12.0/24
Then ipsec stroke rekey con1{24}, right?

Thanks for your help, I'll learn something from this. :)

llc ::

First the tunnel has to be established. ROUTED means (at least as I remember it) that the tunnel will be established automatically when some traffic arrives for it.
The tunnel has to be INSTALLED. If it isn't, you first bring it up with "ipsec up ...". Once it's established, you can then do a rekey with "ipsec stroke rekey ..."

llc ::

In short, the list of active tunnels is in the "Security Associations" section. If it isn't there, you first create it with "ipsec up con1". Then you should also see it among the active tunnels. After that you can force a rekey with the command "ipsec stroke rekey con1{nnn}".

Steering things with the "ipsec ..." command is deprecated, by the way. Do you also have "swanctl" available (you can try "swanctl -list-conns" and/or "swanctl -list-sas")?
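An added example, not part of the thread and not strongSwan's own code, that applies the rule llc gives above to an `ipsec statusall` dump: a child that only appears under Routed Connections is ROUTED and must first be brought up, while a child listed under Security Associations is INSTALLED and its `{nnn}` there is the one `ipsec stroke rekey` wants. The status text is a constructed excerpt; the hostname and public IP in it are placeholders.

```python
import re

# Constructed excerpt in the shape of strongSwan's "ipsec statusall" output (sample input,
# not the thread's full dump); the hostname and public IP are placeholders.
SAMPLE_STATUS = """\
Connections:
con1: child: 10.99.3.0/24 === 10.101.12.0/24 TUNNEL
con1-001: child: 10.99.0.0/24 === 10.101.12.0/24 TUNNEL
Routed Connections:
con1-001{25}: ROUTED, TUNNEL, reqid 1
con1-001{25}: 10.99.0.0/24 === 10.101.12.0/24
con1{24}: ROUTED, TUNNEL, reqid 7
con1{24}: 10.99.3.0/24 === 10.101.12.0/24
Security Associations (1 up, 0 connecting):
con1[46]: ESTABLISHED 6 minutes ago, 10.99.1.10[vpn.example.com]...203.0.113.1[203.0.113.1]
con1-001{144}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c6722e19_i 0fadf2ff_o
con1-001{144}: 10.99.0.0/24 === 10.101.12.0/24
"""

# "name: child: <local> === <remote> TUNNEL" under Connections
CHILD_RE = re.compile(r"^(?P<name>[\w-]+): child: (?P<ts>\S+ === \S+) TUNNEL")
# "name{uid}: STATE, TUNNEL, ..." under Routed Connections and Security Associations
SA_RE = re.compile(r"^(?P<name>[\w-]+)\{(?P<uid>\d+)\}: (?P<state>[A-Z]+), TUNNEL")

def audit_children(status_text):
    """Map each configured child to (traffic selectors, state, uid).
    state is INSTALLED if the child is listed under Security Associations, else the
    Routed Connections state (ROUTED), else MISSING. uid is the {nnn} that
    "ipsec stroke rekey name{nnn}" expects, so it is taken from the SA entry when present.
    """
    result, section = {}, None
    for line in status_text.splitlines():
        if line.startswith("Connections:"):
            section = "conns"
        elif line.startswith("Routed Connections:"):
            section = "routed"
        elif line.startswith("Security Associations"):
            section = "sas"
        elif section == "conns" and (m := CHILD_RE.match(line)):
            result[m["name"]] = (m["ts"], "MISSING", None)
        elif section in ("routed", "sas") and (m := SA_RE.match(line)):
            name = m["name"]
            if name in result and (section == "sas" or result[name][1] == "MISSING"):
                result[name] = (result[name][0], m["state"], int(m["uid"]))  # SA entry wins
    return result

def rekey_targets(status_text):
    """'name{uid}' strings that 'ipsec stroke rekey' accepts: only INSTALLED children."""
    return [f"{n}{{{uid}}}" for n, (_, st, uid) in audit_children(status_text).items() if st == "INSTALLED"]
```

For the sample, `con1` comes back as ROUTED with uid 24 (needs `ipsec up con1` first) and `con1-001` as INSTALLED with uid 144, so `rekey_targets` yields only `con1-001{144}`.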

psychoshorty ::

Yes, it actually works with swanctl too. That's probably some kind of "extension" of strongSwan.

Both commands work and give output.

llc ::

Both are extensions of strongSwan. What do the logs say now?

psychoshorty ::

So, I tried to do a rekey, but it simply can't find something. After I did ipsec up con1:

con1: child: 10.99.3.0/24 === 10.101.12.0/24 TUNNEL
con1-001: child: 10.99.0.0/24 === 10.101.12.0/24 TUNNEL
con1-002: child: 10.99.0.0/24 === 10.101.10.0/24 TUNNEL
con1-003: child: 10.99.0.0/24 === 10.101.11.0/24 TUNNEL
con1-004: child: 10.99.0.0/24 === 10.113.12.0/24 TUNNEL
con1-005: child: 10.98.0.0/24 === 10.101.11.0/24 TUNNEL
Routed Connections:
con1-005{29}: ROUTED, TUNNEL, reqid 5
con1-005{29}: 10.98.0.0/24 === 10.101.11.0/24
con1-004{28}: ROUTED, TUNNEL, reqid 4
con1-004{28}: 10.99.0.0/24 === 10.113.12.0/24
con1-003{27}: ROUTED, TUNNEL, reqid 3
con1-003{27}: 10.99.0.0/24 === 10.101.11.0/24
con1-002{26}: ROUTED, TUNNEL, reqid 2
con1-002{26}: 10.99.0.0/24 === 10.101.10.0/24
con1-001{25}: ROUTED, TUNNEL, reqid 1
con1-001{25}: 10.99.0.0/24 === 10.101.12.0/24
con1{24}: ROUTED, TUNNEL, reqid 7
con1{24}: 10.99.3.0/24 === 10.101.12.0/24
Security Associations (1 up, 0 connecting):
con1[62]: ESTABLISHED 30 minutes ago, 10.99.1.10[vpn.nasadomena.com]...xx.xx.xx.xx[xx.xx.xx.xx]
con1[62]: IKEv2 SPIs: 955180722e65e2aa_i* 3d672b595c10e44c_r, pre-shared key reauthentication in 7 hours
con1[62]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
con1-004{190}: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: ce007316_i 058636f7_o
con1-004{190}: AES_CBC_256/HMAC_SHA2_256_128, 1121 bytes_i (2 pkts, 20s ago), 215360 bytes_o (896 pkts, 20s ago), rekeying in 13 minutes
con1-004{190}: 10.99.0.0/24 === 10.113.12.0/24
con1-003{191}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cf0ec38c_i 0e35bb36_o
con1-003{191}: AES_CBC_256/HMAC_SHA2_256_128, 6272 bytes_i (61 pkts, 7s ago), 9900 bytes_o (53 pkts, 7s ago), rekeying in 13 minutes
con1-003{191}: 10.99.0.0/24 === 10.101.11.0/24
con1-001{192}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cbe3a80b_i 0d55c9ab_o
con1-001{192}: AES_CBC_256/HMAC_SHA2_256_128, 1513 bytes_i (21 pkts, 1713s ago), 0 bytes_o (0 pkts, 21s ago), rekeying in 13 minutes
con1-001{192}: 10.99.0.0/24 === 10.101.12.0/24
con1-002{193}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cbc775de_i 0f112c24_o
con1-002{193}: AES_CBC_256/HMAC_SHA2_256_128, 70263 bytes_i (884 pkts, 361s ago), 4644 bytes_o (35 pkts, 6s ago), rekeying in 15 minutes
con1-002{193}: 10.99.0.0/24 === 10.101.10.0/24
con1{194}: INSTALLED, TUNNEL, reqid 7, ESP in UDP SPIs: c509efb3_i 0351b8d9_o
con1{194}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o (0 pkts, 8s ago), rekeying in 43 minutes
con1{194}: 10.99.3.0/24 === 10.101.12.0/24

I tried with con1{194}, it says: no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'; I try with con1{24}, same thing again, that supposedly there's no conf.

