LINUX.ORG.RU
Forum: Admin

ipsec cisco + strongswan

Greetings, gentlemen! I can't get a Cisco router and strongSwan to cooperate.

[root@auk strongswan]# hostnamectl
   Static hostname: auk
         Icon name: computer
        Machine ID: 2a81fad8a00047d5aef38735137e3bef
           Boot ID: e0e5ce8db3ce4844b29cf91dc3315566
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-327.13.1.el7.x86_64
      Architecture: x86-64


[root@auk strongswan]# strongswan version
Linux strongSwan U5.4.0/K3.10.0-327.13.1.el7.x86_64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'strongswan --copyright' for copyright information.

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        #strictcrlpolicy=yes
        charondebug="ike 4, knl 4, cfg 2"    #useful debugs
        # uniqueids = no

conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=psk
        auto=add

conn ciscoios
        left=***.153.223.38
        leftsubnet=10.4.62.14/32
        leftid=***.153.223.38
        leftfirewall=yes
        right=***.113.52.42
        rightsubnet=***.113.52.42/32
        rightid=***.113.52.42
       
        ike=aes128-md5-modp1536, aes256-sha1-modp1024, aes128-sha1-modp1024, aes128-sha1-modp1536
        esp=aes256-sha1-modp1024, aes128-sha1-modp1024, aes128-sha1, 3des-md5
        rightallowany=yes
        auto=add

interface Tunnel621
 description Tunnel to Web-site Club 2
 bandwidth 2048
 ip address 10.4.62.13 255.255.255.252
 ip mtu 1400
 ip access-group Tunnel_Web in
 ip access-group Tunnel_Web out
 load-interval 30
 tunnel source GigabitEthernet0/0/0.6
 tunnel destination ***.113.52.42
 tunnel protection ipsec profile VPN_WebSite

I've tried everything I could think of.

Reply to: comment by trancefer
Nov 28 11:33:45 auk charon[11018]: 14[CFG] received stroke: initiate 'ciscoios'
Nov 28 11:33:45 auk charon[11018]: 12[IKE] queueing CHILD_CREATE task
Nov 28 11:33:45 auk charon[11018]: 12[IKE] delaying task initiation, IKE_SA_INIT exchange in progress
Nov 28 11:33:45 auk charon[11018]: 13[IKE] retransmit 4 of request with message ID 0
Nov 28 11:33:45 auk charon[11018]: 13[NET] sending packet: from 212.113.52.42[500] to 94.153.223.38[500] (1472 bytes)
Nov 28 11:34:27 auk charon[11018]: 15[IKE] retransmit 5 of request with message ID 0
Nov 28 11:34:27 auk charon[11018]: 15[NET] sending packet: from 212.113.52.42[500] to 94.153.223.38[500] (1472 bytes)
Nov 28 11:35:42 auk charon[11018]: 11[IKE] giving up after 5 retransmits
Nov 28 11:35:42 auk charon[11018]: 11[IKE] establishing IKE_SA failed, peer not responding
Nov 28 11:35:42 auk charon[11018]: 11[IKE] IKE_SA ciscoios[1] state change: CONNECTING => DESTROYING
demjanok ()
Reply to: comment by trancefer

The rules are there:


-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT

demjanok ()

(Why star out the addresses in the config if you then leave the original IPs in the logs?)

Is isakmp enabled on the Cisco?

frob ★★★★★ ()
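One way to answer frob's question from the strongSwan host itself, as an added example that is not part of the thread: send a single IKEv1 Main Mode message 1 (an ISAKMP SA proposal) to UDP/500 and classify what comes back. A silent peer, which is what the "giving up after 5 retransmits / peer not responding" log above shows, is indistinguishable at this layer from a filtered port; a NO-PROPOSAL-CHOSEN informational means ISAKMP is listening but no policy matches; an SA reply means the proposal was accepted. This is the idea behind ike-scan, written out by hand. Payload framing follows RFC 2408/2409; the transforms in `main` mirror Cisco policies 20 and 50 as posted later in the thread; the address `192.0.2.1` is a placeholder, and the NO-PROPOSAL-CHOSEN reply in `fake_no_proposal_reply()` is constructed, not captured.

```python
"""Minimal IKEv1 Main Mode probe (RFC 2408/2409 framing). Added example, not from the thread."""
import os
import socket
import struct

# ISAKMP header: initiator cookie, responder cookie, next payload, version, exchange, flags, msg id, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_SA, PAYLOAD_NOTIFY = 1, 11
EXCH_MAIN_MODE, EXCH_INFORMATIONAL = 2, 5
NO_PROPOSAL_CHOSEN = 14

# ISAKMP SA attribute types (RFC 2409 Appendix A); basic (TV) attributes carry bit 15 set
ATTR_ENCR, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR, ATTR_KEY_LEN = 1, 2, 3, 4, 11, 12, 14
ENCR = {"des": 1, "3des": 5, "aes": 7}
HASH = {"md5": 1, "sha1": 2}
AUTH = {"psk": 1, "rsasig": 3}


def tv(attr, value):
    """Two-byte type with the 'basic' bit set, followed by a two-byte value."""
    return struct.pack("!HH", 0x8000 | attr, value)


def build_transform(encr="aes", hash_="sha1", auth="psk", group=2, lifetime=28800, keylen=128, last=True):
    """One KEY_IKE transform payload, i.e. what a single 'crypto isakmp policy' proposes."""
    attrs = (tv(ATTR_ENCR, ENCR[encr]) + tv(ATTR_HASH, HASH[hash_]) + tv(ATTR_AUTH, AUTH[auth])
             + tv(ATTR_GROUP, group) + tv(ATTR_LIFE_TYPE, 1) + tv(ATTR_LIFE_DUR, lifetime))
    if encr == "aes":
        attrs += tv(ATTR_KEY_LEN, keylen)
    body = struct.pack("!BBH", 1, 1, 0) + attrs      # transform #1, transform-id KEY_IKE, reserved
    return struct.pack("!BBH", 0 if last else 3, 0, 4 + len(body)) + body   # next payload 3 = another transform


def build_main_mode_sa(transforms):
    """ISAKMP header + SA payload + one proposal (protocol ISAKMP, no SPI) carrying all transforms."""
    tbytes = b"".join(transforms)
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(tbytes), 1, 1, 0, len(transforms)) + tbytes
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal   # DOI IPSEC, SIT_IDENTITY_ONLY
    hdr = ISAKMP_HDR.pack(os.urandom(8), bytes(8), PAYLOAD_SA, 0x10, EXCH_MAIN_MODE, 0, 0,
                          ISAKMP_HDR.size + len(sa))
    return hdr + sa


def classify_reply(data):
    """'sa-accepted', 'no-proposal-chosen', 'notify:<type>' or 'unexpected' for a raw UDP/500 reply."""
    if len(data) < ISAKMP_HDR.size:
        return "unexpected"
    _, r_cookie, nxt, _, exch, _, _, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        return "unexpected"
    if nxt == PAYLOAD_SA and exch == EXCH_MAIN_MODE and any(r_cookie):   # message 2: HDR, SA, responder cookie set
        return "sa-accepted"
    if nxt == PAYLOAD_NOTIFY and exch == EXCH_INFORMATIONAL and len(data) >= ISAKMP_HDR.size + 12:
        # Notification payload: next, reserved, length, DOI, protocol-id, SPI size, notify message type
        ntype = struct.unpack_from("!BBHIBBH", data, ISAKMP_HDR.size)[6]
        return "no-proposal-chosen" if ntype == NO_PROPOSAL_CHOSEN else f"notify:{ntype}"
    return "unexpected"


def probe(peer, transforms, timeout=3.0, port=500, sport=0):
    """Send the proposal once; 'silent' covers both 'ISAKMP not enabled' and 'UDP/500 filtered on the path'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if sport:                       # some responders only answer when the source port is 500
            s.bind(("", sport))
        s.settimeout(timeout)
        s.sendto(build_main_mode_sa(transforms), (peer, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "silent"
    return classify_reply(data)


def fake_no_proposal_reply():
    """Constructed (not captured) NO-PROPOSAL-CHOSEN informational, to exercise classify_reply() offline."""
    notify = struct.pack("!BBHIBBH", 0, 0, 12, 1, 1, 0, NO_PROPOSAL_CHOSEN)
    return ISAKMP_HDR.pack(bytes(8), bytes(8), PAYLOAD_NOTIFY, 0x10, EXCH_INFORMATIONAL, 0, 0,
                           ISAKMP_HDR.size + len(notify)) + notify


if __name__ == "__main__":
    import sys
    # Same Phase 1 parameters as 'crypto isakmp policy 20' and '50' from the thread, in that order.
    t = [build_transform("aes", "sha1", last=False), build_transform("3des", "sha1")]
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1", t))
```

Run it as `python3 probe.py <cisco-ip>` from the strongSwan box; `silent` means the next step is a packet capture on the Cisco side (or `debug crypto isakmp`), not more changes to ipsec.conf. Binding the source port to 500 (`sport=500`) requires stopping charon first, since it already owns that port.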
Reply to: comment by frob

Got a bit carried away with the stars))) and here are the policies

crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication rsa-encr
!
crypto isakmp policy 200
 encr 3des
 hash md5
 authentication rsa-encr
 group 2
!
crypto isakmp policy 300
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 400
 encr 3des
 hash md5
 authentication pre-share
 group 2

demjanok ()
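Whether the two sides have any overlapping Phase 1 proposal at all can be checked mechanically. The following is an added example, not from the thread: it parses the `crypto isakmp policy` blocks posted above, filling in the IOS defaults for omitted lines (des, sha, rsa-sig, group 1, 86400 s; `encr aes` with no key size is AES-128), parses the `ike=` line from the first post (the authentication method comes from `authby=psk`), and lists matches in the order IOS evaluates its policies. Lifetime is deliberately left out of the comparison, since IOS negotiates it rather than rejecting on it. The IOS text and the `ike=` string are copied from the posts; nothing else is assumed.

```python
"""Phase 1 proposal overlap: IOS 'crypto isakmp policy' vs strongSwan 'ike='. Added example, not from the thread."""
import re

# Defaults IOS applies to a policy that omits a line: des, sha, rsa-sig, group 1, 86400 s.
IOS_DEFAULTS = {"encr": "des", "hash": "sha1", "auth": "rsa-sig", "group": 1, "lifetime": 86400}
IOS_HASH = {"sha": "sha1", "md5": "md5", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}
IOS_AUTH = {"pre-share": "psk", "rsa-sig": "rsa-sig", "rsa-encr": "rsa-encr"}
MODP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072", 16: "modp4096"}

# The policies posted above, copied verbatim (policy 20 has no 'hash' line, so it uses SHA-1).
IOS_CONFIG = """\
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication rsa-encr
!
crypto isakmp policy 200
 encr 3des
 hash md5
 authentication rsa-encr
 group 2
!
crypto isakmp policy 300
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 400
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""
# The ike= line from the first post; authby=psk supplies the authentication method.
SS_IKE = "aes128-md5-modp1536, aes256-sha1-modp1024, aes128-sha1-modp1024, aes128-sha1-modp1536"


def parse_ios_policies(text):
    """[(priority, policy dict)] in priority order, IOS defaults filled in for omitted lines."""
    policies = []
    for m in re.finditer(r"crypto isakmp policy (\d+)\n((?:[ \t]+.*\n?)*)", text):
        pol = dict(IOS_DEFAULTS)
        for line in m.group(2).split("\n"):
            key, *args = line.split() or ["!"]
            if key in ("encr", "encryption"):   # 'encr aes' with no key size means AES-128
                pol["encr"] = args[0] if args[0] != "aes" else "aes" + (args[1] if len(args) > 1 else "128")
            elif key == "hash":
                pol["hash"] = IOS_HASH[args[0]]
            elif key == "authentication":
                pol["auth"] = IOS_AUTH[args[0]]
            elif key in ("group", "lifetime"):
                pol[key] = int(args[0])
        policies.append((int(m.group(1)), pol))
    return sorted(policies)


def parse_strongswan_ike(ike, authby="psk"):
    """'ike=enc-hash-group, ...' into dicts shaped like the IOS ones; a trailing '!' (strict) is ignored."""
    props = []
    for prop in ike.rstrip("!").split(","):
        enc, hsh, grp = prop.strip().split("-")
        props.append({"encr": enc, "hash": hsh, "auth": authby, "group": grp})
    return props


def matching_policies(ios_policies, ss_proposals):
    """(priority, strongSwan proposal index) pairs agreeing on encr/hash/auth/group, in IOS evaluation order."""
    def key(p):
        return (p["encr"], p["hash"], p["auth"], p["group"])
    hits = []
    for prio, pol in ios_policies:
        want = key({**pol, "group": MODP.get(pol["group"], f"group{pol['group']}")})
        hits += [(prio, i) for i, prop in enumerate(ss_proposals) if key(prop) == want]
    return hits


if __name__ == "__main__":
    ios, ss = parse_ios_policies(IOS_CONFIG), parse_strongswan_ike(SS_IKE)
    for prio, i in matching_policies(ios, ss) or [(None, None)]:
        print("match: policy", prio, "<->", SS_IKE.split(",")[i].strip() if i is not None else "none")
```

For the posted configs this reports exactly one overlap, policy 20 against `aes128-sha1-modp1024`, so Phase 1 parameters are not what keeps the Cisco silent. Two caveats: policies 100 and 200 use `rsa-encr` and can never match a `pre-share` initiator, and a Phase 1 overlap is necessary but not sufficient: the Cisco side in the first post is a tunnel interface with `tunnel protection`, so its Phase 2 selectors will be GRE between the tunnel endpoints, which is a separate check.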
Reply to: comment by trancefer

CISCO RV180+StrongSwan

Please help; I've been struggling for several days with setting up a CISCO RV180 as the client and strongSwan on Debian as the server. I just can't work out what settings are needed on the Debian side for the Cisco to connect. What I have: the CISCO acts as the router that the clients connect to (LAN: 192.168.1.0/24). Its WAN port (192.168.0.199) is plugged into a LAN port (192.168.0.0/24) of the ISP's TP-Link router, whose WAN port has a real dynamic IP (DynamicIP). A VPS on the Internet with a public static IP (X.X.138.131) running Debian. What I want: the CISCO router establishes a secure connection to the VPS, and all clients of the local network reach the Internet through the VPS. Strictly IPsec.

Current CISCO RV180 settings:

http://www.imageup.ru/img81/2702990/cisco-rv180-ike-policy-cofiguration.jpg.html

http://www.imageup.ru/img81/2702991/cisco-rv180-vpn-policy-cofiguration.jpg.html

http://www.imageup.ru/img81/2702992/cisco-rv180-connection-status.jpg.html

VPS server:

root@bondingserver:~# hostnamectl
   Static hostname: bondingserver.com
         Icon name: computer-vm
           Chassis: vm
        Machine ID: %%%%%55ea4fb44a6bb5ae5b2623%%%%%
           Boot ID: %%%%%687e9224f26a542ae99201%%%%%
    Virtualization: kvm
  Operating System: Debian GNU/Linux 8 (jessie)
            Kernel: Linux 3.16.0-4-amd64
      Architecture: x86-64
root@bondingserver:~# ipsec version
Linux strongSwan U5.2.1/K3.16.0-4-amd64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
root@bondingserver:~# cat /etc/ipsec.conf
config setup
conn %default
     ikelifetime=120m
     keylife=60m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev1
     authby=secret
conn ciscorouter
       left=X.X.138.131
       right=%any
       auto=add
       keyexchange=ike
       ike=aes256-sha384-modp1024!
       type=tunnel
conn VPS
        keyexchange=ike
        authby=xauthpsk
        xauth=server
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftfirewall=yes
        right=%any
        rightsourceip=%dhcp
        rightsubnet=X.X.138.131/32
        forceencaps=yes
        auto=add
include /var/lib/strongswan/ipsec.conf.inc

When attempting to connect (pressing Connect on the CISCO connection status page) the connection status does not change, but on the server side ipsec statusall shows:

root@bondingserver:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
  uptime: 58 seconds, since Mar 08 14:15:52 2017
  malloc: sbrk 1486848, mmap 0, used 397744, free 1089104
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
  X.X.138.131
Connections:
 ciscorouter:  X.X.138.131...%any  IKEv1/2
 ciscorouter:   local:  [X.X.138.131] uses pre-shared key authentication
 ciscorouter:   remote: uses pre-shared key authentication
 ciscorouter:   child:  dynamic === dynamic TUNNEL
         VPS:  %any...%any  IKEv1/2
         VPS:   local:  uses pre-shared key authentication
         VPS:   remote: uses pre-shared key authentication
         VPS:   remote: uses XAuth authentication: any
         VPS:   child:  192.168.1.0/24 === X.X.138.131/32 TUNNEL
Security Associations (1 up, 0 connecting):
 ciscorouter[1]: ESTABLISHED 15 seconds ago, X.X.138.131[X.X.138.131]...DynamicIP[192.168.0.199]
 ciscorouter[1]: IKEv1 SPIs: 747d227a0432ce3b_i 98adb13127ce8f2f_r*, pre-shared key reauthentication in 115 minutes
 ciscorouter[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024

Meanwhile the LAN clients cannot ping X.X.138.131, while other hosts on the Internet ping fine.

If I add to the connection settings in /etc/ipsec.conf

esp=aes128-sha1

then the connection doesn't come up on the server side either.

orarun ()
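The statusall output above shows a trap worth detecting automatically: the IKE_SA is ESTABLISHED, but there is no `INSTALLED` CHILD_SA line (a `ciscorouter{1}:` entry with SPIs and `a === b` selectors) underneath it, so no ESP SAs exist and the LAN traffic is simply routed through the TP-Link in the clear, which is consistent with the Internet "working" while the VPS does not answer. The following is an added example, not from the thread: a parser for `ipsec statusall` text that reports, per IKE_SA, whether a protected CHILD_SA actually exists. `SAMPLE_NO_CHILD` is copied from the post; `SAMPLE_HEALTHY` is constructed (RFC 5737 addresses) in the strongSwan 5.x output format to show the passing case.

```python
"""Flag 'IKE_SA ESTABLISHED but no CHILD_SA' in `ipsec statusall` output. Added example, not from the thread."""
import re
import subprocess
import sys

IKE_RE = re.compile(r"^\s*(?P<name>[\w.-]+)\[(?P<id>\d+)\]: (?P<rest>.*)$")
CHILD_RE = re.compile(r"^\s*(?P<name>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
IKE_STATES = ("CREATED", "CONNECTING", "ESTABLISHED", "PASSIVE", "REKEYING", "REKEYED", "DELETING")
CHILD_STATES = ("ROUTED", "INSTALLING", "INSTALLED", "REKEYING", "REKEYED", "DELETING")

# Copied from the statusall output in the post above (placeholders X.X.138.131 / DynamicIP kept as posted).
SAMPLE_NO_CHILD = """\
Security Associations (1 up, 0 connecting):
 ciscorouter[1]: ESTABLISHED 15 seconds ago, X.X.138.131[X.X.138.131]...DynamicIP[192.168.0.199]
 ciscorouter[1]: IKEv1 SPIs: 747d227a0432ce3b_i 98adb13127ce8f2f_r*, pre-shared key reauthentication in 115 minutes
 ciscorouter[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
"""
# Constructed (not from the post) output of a working tunnel, RFC 5737 addresses.
SAMPLE_HEALTHY = """\
Security Associations (1 up, 0 connecting):
 ciscorouter[2]: ESTABLISHED 9 minutes ago, 203.0.113.1[203.0.113.1]...198.51.100.7[192.168.0.199]
 ciscorouter[2]: IKEv1 SPIs: 1a2b3c4d5e6f7081_i 9a8b7c6d5e4f3021_r*, pre-shared key reauthentication in 101 minutes
 ciscorouter[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
 ciscorouter{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0a80001_i c0a80002_o
 ciscorouter{1}:  AES_CBC_128/HMAC_SHA1_96, 1234 bytes_i, 5678 bytes_o, rekeying in 41 minutes
 ciscorouter{1}:   0.0.0.0/0 === 192.168.1.0/24
"""


def parse_statusall(text):
    """List of IKE_SA dicts (name, id, state, proposal, children); a child belongs to the IKE_SA printed above it."""
    ikes, current = [], None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            rest = m.group("rest")
            first = rest.split(" ", 1)[0]
            if first in IKE_STATES:            # "<name>[n]: ESTABLISHED 15 seconds ago, ..."
                current = {"name": m.group("name"), "id": int(m.group("id")), "state": first,
                           "proposal": None, "children": []}
                ikes.append(current)
            elif current and rest.startswith("IKE proposal: "):
                current["proposal"] = rest[len("IKE proposal: "):]
            continue
        m = CHILD_RE.match(line)
        if m and current:
            rest = m.group("rest")
            first = rest.split(",", 1)[0].strip()
            if first in CHILD_STATES:          # "<name>{n}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ..."
                current["children"].append({"id": int(m.group("id")), "state": first,
                                            "udp_encap": "ESP in UDP" in rest, "ts": None})
            elif " === " in rest and current["children"]:
                local, remote = rest.strip().split(" === ")
                current["children"][-1]["ts"] = (local, remote)
    return ikes


def tunnel_issues(text):
    """Per IKE_SA: (label, issue or None, selectors of INSTALLED children)."""
    findings = []
    for ike in parse_statusall(text):
        installed = [c for c in ike["children"] if c["state"] == "INSTALLED"]
        if ike["state"] != "ESTABLISHED":
            issue = f"IKE_SA {ike['state']}: Phase 1 not complete"
        elif not installed:
            issue = ("IKE_SA ESTABLISHED but no INSTALLED CHILD_SA: Phase 2 (quick mode) never completed, "
                     "traffic is not protected")
        else:
            issue = None
        findings.append((f"{ike['name']}[{ike['id']}]", issue, [c["ts"] for c in installed]))
    return findings


if __name__ == "__main__":
    text = (sys.stdin.read() if not sys.stdin.isatty()
            else subprocess.run(["ipsec", "statusall"], capture_output=True, text=True).stdout)
    for label, issue, selectors in tunnel_issues(text):
        print(label, issue or f"OK, protected selectors: {selectors}")
```

Use it as `ipsec statusall | python3 tunnel_check.py` (or run it with no stdin and it calls `ipsec statusall` itself). The design point is that "up" in strongSwan's summary line counts IKE_SAs, not CHILD_SAs, so a monitor that only greps for ESTABLISHED will call this tunnel healthy; the selectors list is what tells you which traffic is really protected.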
Reply to: CISCO RV180+StrongSwan by orarun

CISCO RV180+StrongSwan

A piece of the ipsec log:

Mar  8 14:23:50 09[ENC] parsing header of message
Mar  8 14:23:50 09[ENC] parsing HEADER payload, 124 bytes left
Mar  8 14:23:50 09[ENC]   parsing rule 0 IKE_SPI
Mar  8 14:23:50 09[ENC]   parsing rule 1 IKE_SPI
Mar  8 14:23:50 09[ENC]   parsing rule 2 U_INT_8
Mar  8 14:23:50 09[ENC]   parsing rule 3 U_INT_4
Mar  8 14:23:50 09[ENC]   parsing rule 4 U_INT_4
Mar  8 14:23:50 09[ENC]   parsing rule 5 U_INT_8
Mar  8 14:23:50 09[ENC]   parsing rule 6 RESERVED_BIT
Mar  8 14:23:50 09[ENC]   parsing rule 7 RESERVED_BIT
Mar  8 14:23:50 09[ENC]   parsing rule 8 FLAG
Mar  8 14:23:50 09[ENC]   parsing rule 9 FLAG
Mar  8 14:23:50 09[ENC]   parsing rule 10 FLAG
Mar  8 14:23:50 09[ENC]   parsing rule 11 FLAG
Mar  8 14:23:50 09[ENC]   parsing rule 12 FLAG
Mar  8 14:23:50 09[ENC]   parsing rule 13 FLAG
Mar  8 14:23:50 09[ENC]   parsing rule 14 U_INT_32
Mar  8 14:23:50 09[ENC]   parsing rule 15 HEADER_LENGTH
Mar  8 14:23:50 09[ENC] parsing HEADER payload finished
Mar  8 14:23:50 09[ENC] parsed a INFORMATIONAL_V1 message header
Mar  8 14:23:50 09[NET] waiting for data on sockets
Mar  8 14:23:50 11[MGR] checkout IKE_SA by message
Mar  8 14:23:50 11[MGR] IKE_SA ciscorouter[1] successfully checked out
Mar  8 14:23:50 11[NET] <ciscorouter|1> received packet: from DynamicIP[4500] to X.X.138.131[4500] (124 bytes)
Mar  8 14:23:50 11[ENC] <ciscorouter|1> parsing body of message, first payload is HASH_V1
Mar  8 14:23:50 11[ENC] <ciscorouter|1> parsing ENCRYPTED_V1 payload, 96 bytes left
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 0 ENCRYPTED_DATA
Mar  8 14:23:50 11[ENC] <ciscorouter|1> parsing ENCRYPTED_V1 payload finished
Mar  8 14:23:50 11[ENC] <ciscorouter|1> process payload of type ENCRYPTED_V1
Mar  8 14:23:50 11[ENC] <ciscorouter|1> found an encrypted payload
Mar  8 14:23:50 11[ENC] <ciscorouter|1> parsing HASH_V1 payload, 96 bytes left
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 0 U_INT_8
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 1 RESERVED_BYTE
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 2 PAYLOAD_LENGTH
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 3 CHUNK_DATA
Mar  8 14:23:50 11[ENC] <ciscorouter|1> parsing HASH_V1 payload finished
Mar  8 14:23:50 11[ENC] <ciscorouter|1> parsing NOTIFY_V1 payload, 44 bytes left
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 0 U_INT_8
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 1 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 2 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 3 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 4 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 5 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 6 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 7 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 8 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 9 PAYLOAD_LENGTH
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 10 U_INT_32
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 11 U_INT_8
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 12 SPI_SIZE
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 13 U_INT_16
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 14 SPI
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   parsing rule 15 CHUNK_DATA
Mar  8 14:23:50 11[ENC] <ciscorouter|1> parsing NOTIFY_V1 payload finished
Mar  8 14:23:50 11[ENC] <ciscorouter|1> parsed content of encrypted payload
Mar  8 14:23:50 11[ENC] <ciscorouter|1> insert decrypted payload of type HASH_V1 at end of list
Mar  8 14:23:50 11[ENC] <ciscorouter|1> insert decrypted payload of type NOTIFY_V1 at end of list
Mar  8 14:23:50 11[ENC] <ciscorouter|1> verifying message structure
Mar  8 14:23:50 11[ENC] <ciscorouter|1> found payload of type NOTIFY_V1
Mar  8 14:23:50 11[ENC] <ciscorouter|1> found payload of type NOTIFY_V1
Mar  8 14:23:50 11[ENC] <ciscorouter|1> parsed INFORMATIONAL_V1 request 2458686096 [ HASH N(DPD) ]
Mar  8 14:23:50 11[IKE] <ciscorouter|1> queueing ISAKMP_DPD task
Mar  8 14:23:50 11[IKE] <ciscorouter|1> activating new tasks
Mar  8 14:23:50 11[IKE] <ciscorouter|1>   activating ISAKMP_DPD task
Mar  8 14:23:50 11[ENC] <ciscorouter|1> added payload of type NOTIFY_V1 to message
Mar  8 14:23:50 11[ENC] <ciscorouter|1> order payloads in message
Mar  8 14:23:50 11[ENC] <ciscorouter|1> added payload of type NOTIFY_V1 to message
Mar  8 14:23:50 11[ENC] <ciscorouter|1> generating INFORMATIONAL_V1 request 508369730 [ HASH N(DPD_ACK) ]
Mar  8 14:23:50 11[ENC] <ciscorouter|1> insert payload HASH_V1 into encrypted payload
Mar  8 14:23:50 11[ENC] <ciscorouter|1> insert payload NOTIFY_V1 into encrypted payload
Mar  8 14:23:50 11[ENC] <ciscorouter|1> generating payload of type HEADER

orarun ()
Reply to: CISCO RV180+StrongSwan by orarun

CISCO RV180+StrongSwan

continued

Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 0 IKE_SPI
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 1 IKE_SPI
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 2 U_INT_8
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 3 U_INT_4
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 4 U_INT_4
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 5 U_INT_8
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 6 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 7 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 8 FLAG
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 9 FLAG
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 10 FLAG
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 11 FLAG
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 12 FLAG
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 13 FLAG
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 14 U_INT_32
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 15 HEADER_LENGTH
Mar  8 14:23:50 11[ENC] <ciscorouter|1> generating HEADER payload finished
Mar  8 14:23:50 11[ENC] <ciscorouter|1> generating payload of type HASH_V1
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 0 U_INT_8
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 1 RESERVED_BYTE
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 2 PAYLOAD_LENGTH
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 3 CHUNK_DATA
Mar  8 14:23:50 11[ENC] <ciscorouter|1> generating HASH_V1 payload finished
Mar  8 14:23:50 11[ENC] <ciscorouter|1> generating payload of type NOTIFY_V1
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 0 U_INT_8
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 1 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 2 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 3 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 4 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 5 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 6 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 7 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 8 RESERVED_BIT
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 9 PAYLOAD_LENGTH
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 10 U_INT_32
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 11 U_INT_8
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 12 SPI_SIZE
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 13 U_INT_16
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 14 SPI
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 15 CHUNK_DATA
Mar  8 14:23:50 11[ENC] <ciscorouter|1> generating NOTIFY_V1 payload finished
Mar  8 14:23:50 11[ENC] <ciscorouter|1> generated content in encrypted payload
Mar  8 14:23:50 11[ENC] <ciscorouter|1> generating payload of type ENCRYPTED_V1
Mar  8 14:23:50 11[ENC] <ciscorouter|1>   generating rule 0 ENCRYPTED_DATA
Mar  8 14:23:50 11[ENC] <ciscorouter|1> generating ENCRYPTED_V1 payload finished
Mar  8 14:23:50 11[NET] <ciscorouter|1> sending packet: from X.X.138.131[4500] to DynamicIP[4500] (124 bytes)
Mar  8 14:23:50 11[IKE] <ciscorouter|1> activating new tasks
Mar  8 14:23:50 11[IKE] <ciscorouter|1> nothing to initiate
Mar  8 14:23:50 11[MGR] <ciscorouter|1> checkin IKE_SA ciscorouter[1]
Mar  8 14:23:50 11[MGR] <ciscorouter|1> check-in of IKE_SA successful.
Mar  8 14:23:50 10[NET] sending packet: from X.X.138.131[4500] to DynamicIP[4500]

orarun ()