I currently need to migrate the racoon daemon to Strongswan on some routers. To do this in practice I need to be able to install Strongswan a little at a time, so it has to be able to run VPNs with the routers that still use the racoon daemon. With racoon I run all the VPN configurations on all the routers, in particular routers with several subnets over ikev1.
I attach a diagram to explain it as clearly as possible.
________________ro1___ ______________cli1_
|10.80.81.254/24 ens7-|------------|10.80.81.1/24 ens7|
| | |10.50.81.1/24 ens3|
| | |GW 10.80.81.254 |
| | |__________________|
| |
|10.70.71.1/24 ens9 | |
|___________________|_|
|
|
________________ro2_|_
|10.70.71.2/24 ens9 | |
| |
| | ______________cli2_
|GW 10.70.71.1 | |GW 10.80.82.254 |
|10.80.82.254/24 ens7-|------------|10.80.82.1/24 ens7|
|_____________________| |__________________|
ip route ls cli1
default via 10.80.81.254 dev ens7 onlink
10.50.81.0/24 dev ens3 proto kernel scope link src 10.50.81.1
10.80.81.0/24 dev ens7 proto kernel scope link src 10.80.81.1
ip route ls cli2
default via 10.80.82.254 dev ens7 onlink
10.80.82.0/24 dev ens7 proto kernel scope link src 10.80.82.1
ip route ls ro1
10.50.81.0/24 dev ens7 scope link
10.70.71.0/24 dev ens9 proto kernel scope link src 10.70.71.1
10.70.72.0/24 dev ens10 proto kernel scope link src 10.70.72.1
10.80.81.0/24 dev ens7 proto kernel scope link src 10.80.81.254
10.80.82.0/24 via 10.70.71.2 dev ens9
ip route ls ro2
default via 10.70.71.1 dev ens9 onlink
10.70.71.0/24 dev ens9 proto kernel scope link src 10.70.71.2
10.70.72.0/24 dev ens10 proto kernel scope link src 10.70.72.2
10.80.82.0/24 dev ens7 proto kernel scope link src 10.80.82.254
Without an active VPN, cli1 can ping cli2 and cli2 can ping cli1.
ping cli1 -> cli2
root@cli1:~# ping cli2
PING cli2 (10.80.82.1) 56(84) bytes of data.
64 bytes from cli2 (10.80.82.1): icmp_seq=1 ttl=62 time=0.850 ms
64 bytes from cli2 (10.80.82.1): icmp_seq=2 ttl=62 time=1.16 ms
ping cli2 -> cli1
root@cli2:~# ping cli1
PING cli1 (10.80.81.1) 56(84) bytes of data.
64 bytes from cli1 (10.80.81.1): icmp_seq=1 ttl=62 time=0.927 ms
64 bytes from cli1 (10.80.81.1): icmp_seq=2 ttl=62 time=0.976 ms
root@cli2:~# ping 10.50.81.1
PING 10.50.81.1 (10.50.81.1) 56(84) bytes of data.
64 bytes from 10.50.81.1: icmp_seq=1 ttl=62 time=0.963 ms
64 bytes from 10.50.81.1: icmp_seq=2 ttl=62 time=1.14 ms
I attach the VPN configurations.
vpn ro1 racoon.conf
remote 10.70.71.2 {
exchange_mode main;
nat_traversal off;
initial_contact on;
generate_policy require;
lifetime time 12 hours;
#script "/etc/racoon/router2.up.sh" phase1_up;
#script "/etc/racoon/router2.down.sh" phase1_down;
proposal {
encryption_algorithm 'aes 128';
authentication_method pre_shared_key;
hash_algorithm sha1;
dh_group modp2048;
}
}
sainfo address 10.80.81.0/24 any address 10.80.82.0/24 any {
encryption_algorithm 'aes 128';
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
lifetime time 4 hours;
pfs_group modp1024;
}
sainfo address 10.50.81.0/24 any address 10.80.82.0/24 any {
encryption_algorithm 'aes 128';
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
lifetime time 4 hours;
pfs_group modp1024;
}
vpn ro2 ipsec.conf (strongswan)
conn router1_lin1_loc
type=tunnel
authby=secret
auto=start
compress=no
leftfirewall=yes
rightfirewall=yes
rekey=yes
reauth=no
mobike=no
left=10.70.71.2
leftsubnet=10.80.82.0/24
right=10.70.71.1
rightsubnet=10.80.81.0/24
dpdaction = none
keyexchange=ikev1
ike=aes128-sha1-modp2048
ikelifetime=12h
esp=aes128-sha1-modp1024
lifetime=4h
conn router1_lin1_dmz
also=router1_lin1_loc
leftsubnet=10.80.82.0/24
rightsubnet=10.50.81.0/24
auto=route
When I start the VPN service everything is fine:
root@ro2:/etc/ipsec.d# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64):
uptime: 101 seconds, since Nov 19 10:40:36 2019
malloc: sbrk 2564096, mmap 0, used 710448, free 1853648
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
10.70.72.2
10.80.82.254
10.70.71.2
Connections:
router1_lin1_loc: 10.70.71.2...10.70.71.1 IKEv1
router1_lin1_loc: local: [10.70.71.2] uses pre-shared key authentication
router1_lin1_loc: remote: [10.70.71.1] uses pre-shared key authentication
router1_lin1_loc: child: 10.80.82.0/24 === 10.80.81.0/24 TUNNEL
router1_lin1_dmz: child: 10.80.82.0/24 === 10.50.81.0/24 TUNNEL
Routed Connections:
router1_lin1_dmz{1}: ROUTED, TUNNEL, reqid 1
router1_lin1_dmz{1}: 10.80.82.0/24 === 10.50.81.0/24
Security Associations (1 up, 0 connecting):
router1_lin1_loc[1]: ESTABLISHED 101 seconds ago, 10.70.71.2[10.70.71.2]...10.70.71.1[10.70.71.1]
router1_lin1_loc[1]: IKEv1 SPIs: 7d0ae014b65151bb_i* e9d01ba24b15ce56_r, rekeying in 11 hours
router1_lin1_loc[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
router1_lin1_loc{2}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cd333ba9_i 0d825538_o
router1_lin1_loc{2}: AES_CBC_128/HMAC_SHA1_96/MODP_1024, 2016 bytes_i (24 pkts, 0s ago), 2016 bytes_o (24 pkts, 0s ago), rekeying in 3 hours
router1_lin1_loc{2}: 10.80.82.0/24 === 10.80.81.0/24
In fact the first connection comes up automatically, both clients ping each other and I see the packets arriving through the VPN; but once the VPN "router1_lin_dmz" comes up, both clients stop pinging and only the ping from cli2 to 10.50.81.1 works.
root@ro2:/etc/ipsec.d# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64):
uptime: 20 minutes, since Nov 19 10:40:36 2019
malloc: sbrk 2564096, mmap 0, used 775440, free 1788656
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
10.70.72.2
10.80.82.254
10.70.71.2
Connections:
router1_lin1_loc: 10.70.71.2...10.70.71.1 IKEv1
router1_lin1_loc: local: [10.70.71.2] uses pre-shared key authentication
router1_lin1_loc: remote: [10.70.71.1] uses pre-shared key authentication
router1_lin1_loc: child: 10.80.82.0/24 === 10.80.81.0/24 TUNNEL
router1_lin1_dmz: child: 10.80.82.0/24 === 10.50.81.0/24 TUNNEL
Routed Connections:
router1_lin1_dmz{1}: ROUTED, TUNNEL, reqid 1
router1_lin1_dmz{1}: 10.80.82.0/24 === 10.50.81.0/24
Security Associations (1 up, 0 connecting):
router1_lin1_loc[1]: ESTABLISHED 20 minutes ago, 10.70.71.2[10.70.71.2]...10.70.71.1[10.70.71.1]
router1_lin1_loc[1]: IKEv1 SPIs: 7d0ae014b65151bb_i* e9d01ba24b15ce56_r, rekeying in 11 hours
router1_lin1_loc[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
router1_lin1_loc{2}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cd333ba9_i 0d825538_o
router1_lin1_loc{2}: AES_CBC_128/HMAC_SHA1_96/MODP_1024, 183708 bytes_i (2187 pkts, 7s ago), 183708 bytes_o (2187 pkts, 15s ago), rekeying in 3 hours
router1_lin1_loc{2}: 10.80.82.0/24 === 10.80.81.0/24
router1_lin1_dmz{3}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c667b3db_i 05449ccb_o
router1_lin1_dmz{3}: AES_CBC_128/HMAC_SHA1_96/MODP_1024, 2184 bytes_i (26 pkts, 0s ago), 1092 bytes_o (13 pkts, 0s ago), rekeying in 3 hours
router1_lin1_dmz{3}: 10.80.82.0/24 === 10.50.81.0/24
Strangely, after the VPN "router1_lin_dmz" comes up its counters keep growing: why does all the traffic of the 10.80.xx networks end up in the last VPN?
Another interesting point is that the same configuration with two Strongswans works fine.
root@cli2:~# ping -w 2 -c 3 cli1
PING cli1 (10.80.81.1) 56(84) bytes of data.
--- cli1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 21ms
root@cli2:~# ping -w 2 -c 3 10.50.81.1
PING 10.50.81.1 (10.50.81.1) 56(84) bytes of data.
64 bytes from 10.50.81.1: icmp_seq=1 ttl=62 time=1.08 ms
64 bytes from 10.50.81.1: icmp_seq=2 ttl=62 time=1.04 ms
--- 10.50.81.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 1.037/1.056/1.075/0.019 ms
Best answer 1
With generate_policy require, racoon uses the same reqid for all IPsec policies, i.e. it sends all data via the last configured IPsec SA. That does not work with strongSwan, which uses separate reqids/SAs per policy, i.e. inbound data is dropped if no matching policy with that reqid is available.
To change this, use generate_policy unique, so that racoon uses single/unique reqids.
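The following check is an added example, not code from the original post, racoon or strongSwan. It parses the text printed by iproute2's ip xfrm policy and ip xfrm state and reports the two conditions the answer describes: a reqid shared by policies with different traffic selectors (all of that traffic is steered to whichever SA currently carries the reqid), and outbound policies whose template reqid has no installed SA. The sample output embedded in the script is constructed for the example in the shape strongSwan installs (the SPIs are the ones shown in the ipsec statusall above, the 10.70.72.0/24 and 192.0.2.0/24 selectors are made up); live_check() runs the same check against the local kernel.

```python
"""Detect IPsec reqid mismatches between the kernel SPD (ip xfrm policy) and SAD (ip xfrm state).

Added diagnostic for the racoon/strongSwan interop problem above; not part of either project.
Assumes iproute2 output format; reqid 0 in a policy template matches any SA in Linux and is skipped.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample in `ip xfrm policy` format: two tunnels with distinct reqids (2 and 1),
# a third selector that reuses reqid 2, and a fourth whose reqid 7 has no SA at all.
SAMPLE_POLICY = """\
src 10.80.82.0/24 dst 10.80.81.0/24
    dir out priority 375423 ptype main
    tmpl src 10.70.71.2 dst 10.70.71.1
        proto esp reqid 2 mode tunnel
src 10.80.81.0/24 dst 10.80.82.0/24
    dir in priority 375423 ptype main
    tmpl src 10.70.71.1 dst 10.70.71.2
        proto esp reqid 2 mode tunnel
src 10.80.82.0/24 dst 10.50.81.0/24
    dir out priority 375423 ptype main
    tmpl src 10.70.71.2 dst 10.70.71.1
        proto esp reqid 1 mode tunnel
src 10.50.81.0/24 dst 10.80.82.0/24
    dir in priority 375423 ptype main
    tmpl src 10.70.71.1 dst 10.70.71.2
        proto esp reqid 1 mode tunnel
src 10.70.72.0/24 dst 10.80.81.0/24
    dir out priority 375423 ptype main
    tmpl src 10.70.71.2 dst 10.70.71.1
        proto esp reqid 2 mode tunnel
src 10.80.82.0/24 dst 192.0.2.0/24
    dir out priority 375423 ptype main
    tmpl src 10.70.71.2 dst 10.70.71.1
        proto esp reqid 7 mode tunnel
"""

# Constructed sample in `ip xfrm state` format (key material lines omitted).
SAMPLE_STATE = """\
src 10.70.71.2 dst 10.70.71.1
    proto esp spi 0x0d825538 reqid 2 mode tunnel
src 10.70.71.1 dst 10.70.71.2
    proto esp spi 0xcd333ba9 reqid 2 mode tunnel
src 10.70.71.2 dst 10.70.71.1
    proto esp spi 0x05449ccb reqid 1 mode tunnel
src 10.70.71.1 dst 10.70.71.2
    proto esp spi 0xc667b3db reqid 1 mode tunnel
"""

_REC_START = re.compile(r"^src (\S+) dst (\S+)")


def _records(text):
    """Split ip xfrm output into records; each starts with an unindented 'src ... dst ...' line."""
    recs = []
    for line in text.splitlines():
        if _REC_START.match(line):
            recs.append([line])
        elif recs and line.strip():
            recs[-1].append(line)
    return ["\n".join(r) for r in recs]


def parse_policies(text):
    """Return [(src, dst, direction, reqid)] for every policy that carries a template."""
    pols = []
    for rec in _records(text):
        m = _REC_START.match(rec)
        d = re.search(r"\bdir (in|out|fwd)\b", rec)
        r = re.search(r"\breqid (\d+)\b", rec)
        if m and d and r:
            pols.append((m.group(1), m.group(2), d.group(1), int(r.group(1))))
    return pols


def parse_states(text):
    """Return {reqid: set(spi)} for every installed SA."""
    states = defaultdict(set)
    for rec in _records(text):
        r = re.search(r"\breqid (\d+)\b", rec)
        s = re.search(r"\bspi (0x[0-9a-fA-F]+)", rec)
        if r and s:
            states[int(r.group(1))].add(s.group(1).lower())
    return dict(states)


def shared_reqids(policies):
    """reqid -> sorted outbound selectors, only for reqids used by more than one selector."""
    by_reqid = defaultdict(set)
    for src, dst, direction, reqid in policies:
        if direction == "out":
            by_reqid[reqid].add((src, dst))
    return {r: sorted(sel) for r, sel in by_reqid.items() if len(sel) > 1}


def unbacked_policies(policies, states):
    """Outbound policies whose template reqid has no SA; the kernel has nothing to send them through."""
    return sorted({(src, dst, reqid) for src, dst, direction, reqid in policies
                   if direction == "out" and reqid != 0 and reqid not in states})


def check(policy_text, state_text):
    pols = parse_policies(policy_text)
    return {"shared": shared_reqids(pols), "unbacked": unbacked_policies(pols, parse_states(state_text))}


def live_check():
    """Same check against the running kernel (needs iproute2 and normally root)."""
    run = lambda *a: subprocess.run(["ip", "xfrm", *a], capture_output=True, text=True, check=True).stdout
    return check(run("policy"), run("state"))


if __name__ == "__main__":
    result = check(SAMPLE_POLICY, SAMPLE_STATE)
    for reqid, sels in result["shared"].items():
        print(f"reqid {reqid} is shared by {len(sels)} outbound selectors: {sels}")
    for src, dst, reqid in result["unbacked"]:
        print(f"policy {src} -> {dst} needs reqid {reqid} but no SA carries it")
```

Run it on the racoon router after the second strongSwan child SA has come up: if every generated outbound policy reports the same reqid, that is the generate_policy require behaviour the answer describes, and the fix is generate_policy unique on the racoon side.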