IPsec NAT-to-NAT connection problem... help~

Gentoo administration and general package questions (e.g. iptables, apache, *sql, *ftpd...) are discussed here.

Moderator: Forums Team

IPsec NAT-to-NAT connection problem... help~

Post by rich0203 » Tue Aug 16, 2011 5:52 pm

Hi hi~~ I'm back with another question~~ I've recently been testing an IPsec NAT-to-NAT setup.
The environment is roughly as follows:
Left: Wan:192.168.1.63 Lan:10.0.0.1 Subnet:10.0.0.0/24
Right: Wan:192.168.1.16 Lan:192.168.0.1 Subnet:192.168.0.0/24

Left configuration:
/etc/ipsec/ipsec.conf
conn net-to-net
left=192.168.1.63
leftsubnet=10.0.0.0/24
leftid=@tux.abc.com
leftrsasigkey=0sAQOgyVNzzXTIZow5dn707jTd/odTGR1zYAAo+isrfAhMwBtL3r0ARhFdnIJlNWdv5uZuFUnSjmqxuo1t3rThxDa/jb450kuP8Eto/WEfEq5P (rest omitted)
leftnexthop=%defaultroute
right=192.168.1.16
rightsubnet=192.168.0.0/24
rightid=@iparts.abc.com
rightrsasigkey=0sAQNZ7vjJuruesXh2UEOJuxMBLLRowdjYzGiz6sbKycCfuoeiN7Fb9VJFz/mRceYpDax1piDHOHeOqDUOp5ajjUxIC8V4TUIqZWKFCd9e/5U (rest omitted)
rightnexthop=%defaultroute
auto=add

#ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.15/K2.6.38-gentoo-r6 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [DISABLED]
ipsec showhostkey: multiple default keys found!?!
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

#ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 10.0.0.1
000 interface eth1/eth1 10.0.0.1
000 interface eth0/eth0 192.168.1.63
000 interface eth0/eth0 192.168.1.63
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "net-to-net": 10.0.0.0/24===192.168.1.63[@tux.abc.com]---192.168.1.1...192.168.1.1---192.168.1.16[@iparts.abc.com]===192.168.0.0/24; unrouted; eroute owner: #0
000 "net-to-net": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "net-to-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0; encap: esp;
000 "net-to-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

Right configuration:
/etc/ipsec/ipsec.conf
conn net-to-net
left=192.168.1.63
leftsubnet=10.0.0.0/24
leftid=@tux.abc.com
leftrsasigkey=0sAQOgyVNzzXTIZow5dn707jTd/odTGR1zYAAo+isrfAhMwBtL3r0ARhFdnIJlNWdv5uZuFUnSjmqxuo1t3rThxDa/jb450kuP8Eto/WEfEq5Pfpizq2eq (rest omitted)
leftnexthop=%defaultroute
right=192.168.1.16
rightsubnet=192.168.0.0/24
rightid=@iparts.abc.com
rightrsasigkey=0sAQNZ7vjJuruesXh2UEOJuxMBLLRowdjYzGiz6sbKycCfuoeiN7Fb9VJFz/mRceYpDax1piDHOHeOqDUOp5ajjUxIC8V4TUIqZWKFCd9e/5UzPI5vJS0 (rest omitted)
rightnexthop=%defaultroute
auto=add

#ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.15/K2.6.39-gentoo-r3 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

#ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.16
000 interface eth0/eth0 192.168.1.16
000 interface eth1/eth1 192.168.0.1
000 interface eth1/eth1 192.168.0.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "net-to-net": 192.168.0.0/24===192.168.1.16[@iparts.abc.com]---192.168.1.1...192.168.1.1---192.168.1.63[@tux.abc.com]===10.0.0.0/24; unrouted; eroute owner: #0
000 "net-to-net": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "net-to-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; encap: esp;
000 "net-to-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #4: "net-to-net":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 15s; nodpd
000 #4: pending Phase 2 for "net-to-net" replacing #0
000

But this is the result when I test it:
#ipsec auto --up net-to-net
104 "net-to-net" #1: STATE_MAIN_I1: initiate
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
031 "net-to-net" #1: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
000 "net-to-net" #1: starting keying attempt 2 of an unlimited number, but releasing whack

Can anyone tell me where my configuration is wrong?
Last edited by rich0203 on Tue Aug 16, 2011 6:39 pm, edited 2 times in total.
rich0203

Posts: 8
Joined: Wed Aug 03, 2011 6:38 pm

Re: IPsec NAT-to-NAT connection problem... help~

Post by rich0203 » Tue Aug 16, 2011 5:58 pm

iptables settings on both machines

Left: iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT udp -- anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:domain reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP tcp -- anywhere anywhere tcp dpts:0:1023
DROP udp -- anywhere anywhere udp dpts:0:1023
ACCEPT gre -- anywhere 192.168.1.63
ACCEPT tcp -- anywhere 192.168.1.63 tcp dpt:1723
ACCEPT tcp -- anywhere 192.168.1.63 tcp dpt:l2tp
ACCEPT udp -- anywhere 192.168.1.63 udp dpt:isakmp
ACCEPT udp -- anywhere 192.168.1.63 udp dpt:l2tp
ACCEPT tcp -- anywhere 192.168.1.63 tcp dpt:l2tp
ACCEPT tcp -- anywhere 192.168.1.63 tcp dpt:isakmp
ACCEPT udp -- 192.168.1.63 10.0.0.1 udp dpt:isakmp
ACCEPT udp -- 192.168.1.63 10.0.0.1 udp dpt:ipsec-nat-t
ACCEPT esp -- 192.168.1.63 10.0.0.1
ACCEPT ah -- 192.168.1.63 10.0.0.1
ACCEPT esp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
ACCEPT udp -- 192.168.0.0/24 10.0.0.0/24 udp dpt:isakmp
ACCEPT udp -- 192.168.0.0/24 10.0.0.0/24 udp dpt:ipsec-nat-t
ACCEPT esp -- 192.168.0.0/24 10.0.0.0/24
ACCEPT ah -- 192.168.0.0/24 10.0.0.0/24

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere 10.0.0.0/24
DROP all -- anywhere 192.168.0.0/16
ACCEPT all -- 10.0.0.0/24 anywhere
ACCEPT all -- anywhere 10.0.0.0/24
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere


Right:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT udp -- anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:domain reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpts:0:1023
DROP udp -- anywhere anywhere udp dpts:0:1023
ACCEPT udp -- 10.0.0.0/24 192.168.0.0 udp dpt:isakmp
ACCEPT udp -- 10.0.0.0/24 192.168.0.0 udp dpt:ipsec-nat-t
ACCEPT esp -- 10.0.0.0/24 192.168.0.0
ACCEPT ah -- 10.0.0.0/24 192.168.0.0

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere 192.168.0.0/24
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- anywhere 192.168.0.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Could everyone please take a look at this for me! Many thanks!!
rich0203

Posts: 8
Joined: Wed Aug 03, 2011 6:38 pm
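As an added example (not from the thread, and not Openswan or iptables code): a first-match evaluator over the Right gateway's INPUT chain as listed above, used to check whether the Left gateway's first IKE message (UDP/500 from 192.168.1.63 to 192.168.1.16) would ever reach pluto. The interface and conntrack-state matches on the two bare `ACCEPT all` rules are assumptions, because `iptables -L` without `-v -n` does not print them.

```python
import ipaddress

# Constructed model of the Right gateway's INPUT chain as listed in the thread.
# "iptables -L" without -v/-n hides interface and conntrack-state matches, so the
# last field is an ASSUMPTION about what the two bare "ACCEPT all" rules really
# match (typically "-i lo" and "-m state --state ESTABLISHED,RELATED"). A
# destination printed without a mask ("192.168.0.0") is a single-host /32 match.
RIGHT_INPUT = [
    ("ACCEPT", "all", "0.0.0.0/0",   "0.0.0.0/0",      None,         "lo"),
    ("ACCEPT", "all", "0.0.0.0/0",   "0.0.0.0/0",      None,         "established"),
    ("REJECT", "udp", "0.0.0.0/0",   "0.0.0.0/0",      (67, 67),     None),  # bootps
    ("REJECT", "udp", "0.0.0.0/0",   "0.0.0.0/0",      (53, 53),     None),  # domain
    ("ACCEPT", "tcp", "0.0.0.0/0",   "0.0.0.0/0",      (22, 22),     None),  # ssh
    ("DROP",   "tcp", "0.0.0.0/0",   "0.0.0.0/0",      (0, 1023),    None),
    ("DROP",   "udp", "0.0.0.0/0",   "0.0.0.0/0",      (0, 1023),    None),
    ("ACCEPT", "udp", "10.0.0.0/24", "192.168.0.0/32", (500, 500),   None),  # isakmp
    ("ACCEPT", "udp", "10.0.0.0/24", "192.168.0.0/32", (4500, 4500), None),  # ipsec-nat-t
    ("ACCEPT", "esp", "10.0.0.0/24", "192.168.0.0/32", None,         None),
    ("ACCEPT", "ah",  "10.0.0.0/24", "192.168.0.0/32", None,         None),
]
RIGHT_INPUT_POLICY = "ACCEPT"

# Constructed packet: Left's first IKE Main Mode message (MI1), UDP/500 from its
# WAN address to Right's WAN address, arriving on eth0 as a NEW conntrack flow.
IKE_MI1 = {"proto": "udp", "src": "192.168.1.63", "dst": "192.168.1.16",
           "dport": 500, "iface": "eth0", "state": "NEW"}


def evaluate(chain, policy, pkt, honour_hidden=True):
    """First-match walk of an iptables chain -> (verdict, 1-based rule index, or
    None when the chain policy decided). honour_hidden=False reads the listing
    literally, i.e. as if the bare "ACCEPT all" rules matched every packet."""
    for idx, (target, proto, src, dst, dports, hidden) in enumerate(chain, 1):
        if proto != "all" and proto != pkt["proto"]:
            continue
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src):
            continue
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst):
            continue
        if dports and not dports[0] <= pkt.get("dport", -1) <= dports[1]:
            continue
        if honour_hidden and hidden == "lo" and pkt["iface"] != "lo":
            continue
        if honour_hidden and hidden == "established" and pkt["state"] != "ESTABLISHED":
            continue
        return target, idx
    return policy, None


if __name__ == "__main__":
    print(evaluate(RIGHT_INPUT, RIGHT_INPUT_POLICY, IKE_MI1))  # ('DROP', 7)
```

Under the assumed hidden matches the IKE packet is dropped by the catch-all `udp dpts:0:1023` rule before the isakmp rule is reached, and the isakmp rule would not match it anyway because its source is restricted to 10.0.0.0/24; read literally, the first `ACCEPT all` rule accepts it, so `iptables -L -v -n` (or `iptables-save`) on the gateway is needed to know which applies.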

Re: IPsec NAT-to-NAT connection problem... help~

Post by rich0203 » Fri Aug 19, 2011 2:01 pm

I've got the IPsec tunnel up now~~
The problem is that from Left I can ping the Right LAN IP,
but I can't ping the PCs on the LAN side (it keeps showing no reply).

Same thing in the reverse direction~ Is this an ipsec.conf problem or an iptables problem?
rich0203

Posts: 8
Joined: Wed Aug 03, 2011 6:38 pm

Re: IPsec NAT-to-NAT connection problem... help~

Post by rich0203 » Wed Aug 24, 2011 9:55 am

Ha~~ it's really quiet in here~~
I worked it out myself anyway, after days and nights of fiddling~~
rich0203

Posts: 8
Joined: Wed Aug 03, 2011 6:38 pm

