strongSwan 5.6.2 e xl2tp 1.3.12 no Ubuntu 18.04 SA estabelecido mas sem tráfego

Question

strongSwan 5.6.2 e xl2tp 1.3.12 no Ubuntu 18.04 SA estabelecido mas sem tráfego

#1 resposta do (1 votos)

3

Desde a atualização do strongSwan e do xl2tpd para as últimas versões disponíveis para o Ubuntu, encontro um problema com o ESP e o AH no L2TP.

Configuração do servidor:

Interface for generating traffic

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.219.1 netmask 255.255.255.252 broadcast 192.168.219.3

ppp0 interface created by xl2tpd

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 192.168.231.1 netmask 255.255.255.255 destination 192.168.231.2

Configuração do cliente:

Interface for generating traffic

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.219.5 netmask 255.255.255.252 broadcast 192.168.219.7

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 192.168.231.2 netmask 255.255.255.255 destination 192.168.231.1

quando começo a fazer ping do cliente para o servidor [192.168.219.5 - > 192.168.219.1] no cliente eu tenho 100% de perda.

tcpdump do lado do cliente para o IPSec ESP:

11:53:39.729306 Out ethertype IPv4 (0x0800), length 100: 192.168.231.2 > 192.168.219.1: ICMP echo request, id 8318, seq 27, length 64
11:53:39.735978 In ethertype IPv4 (0x0800), length 100: 192.168.219.1 > 192.168.231.2: ICMP echo reply, id 8318, seq 27, length 64
11:54:07.956148 Out ethertype IPv4 (0x0800), length 938: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:54:07.967355 In ethertype IPv4 (0x0800), length 82: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:54:07.973795 Out ethertype IPv4 (0x0800), length 1130: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:54:07.992232 In ethertype IPv4 (0x0800), length 531: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:54:08.017478 Out ethertype IPv4 (0x0800), length 1296: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:54:08.017518 Out ethertype IPv4 (0x0800), length 1264: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:54:08.042533 In ethertype IPv4 (0x0800), length 1296: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:54:08.042751 In ethertype IPv4 (0x0800), length 992: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:54:08.773279 Out ethertype IPv4 (0x0800), length 168: 192.168.231.2 > 192.168.231.1: ESP(spi=0xca9bd294,seq=0x1), length 132
11:54:09.796992 Out ethertype IPv4 (0x0800), length 168: 192.168.231.2 > 192.168.231.1: ESP(spi=0xca9bd294,seq=0x2), length 132

tcpdump do lado do servidor para o IPSec ESP

11:53:40.661518 In ethertype IPv4 (0x0800), length 100: 192.168.231.2 > 192.168.219.1: ICMP echo request, id 8318, seq 27, length 64
11:53:40.661547 Out ethertype IPv4 (0x0800), length 100: 192.168.219.1 > 192.168.231.2: ICMP echo reply, id 8318, seq 27, length 64
11:54:08.892269 In ethertype IPv4 (0x0800), length 938: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:54:08.893831 Out ethertype IPv4 (0x0800), length 82: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:54:08.907962 In ethertype IPv4 (0x0800), length 1130: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:54:08.918575 Out ethertype IPv4 (0x0800), length 531: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:54:08.952164 In ethertype IPv4 (0x0800), length 1296: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:54:08.952427 In ethertype IPv4 (0x0800), length 1264: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:54:08.968649 Out ethertype IPv4 (0x0800), length 1296: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:54:08.968759 Out ethertype IPv4 (0x0800), length 992: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:54:09.705686 In ethertype IPv4 (0x0800), length 168: 192.168.231.2 > 192.168.231.1: ESP(spi=0xca9bd294,seq=0x1), length 132
11:54:09.705686 In ethertype IPv4 (0x0800), length 100: 8.0.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 56, length 64
11:54:10.729687 In ethertype IPv4 (0x0800), length 168: 192.168.231.2 > 192.168.231.1: ESP(spi=0xca9bd294,seq=0x2), length 132
11:54:10.729687 In ethertype IPv4 (0x0800), length 100: 8.0.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 57, length 64

Mudando para o IPSec AH:

Cliente:

11:56:45.057757 Out ethertype IPv4 (0x0800), length 938: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:56:45.068383 In ethertype IPv4 (0x0800), length 82: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:56:45.075626 Out ethertype IPv4 (0x0800), length 1130: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:56:45.095453 In ethertype IPv4 (0x0800), length 531: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:56:45.117129 Out ethertype IPv4 (0x0800), length 1296: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:56:45.117185 Out ethertype IPv4 (0x0800), length 1264: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:56:45.142557 In ethertype IPv4 (0x0800), length 1296: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:56:45.142567 In ethertype IPv4 (0x0800), length 976: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:56:45.309776 Out ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x1): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 209, length 64 (ipip-proto-4)
11:56:46.340981 Out ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x2): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 210, length 64 (ipip-proto-4)
11:56:47.364966 Out ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x3): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 211, length 64 (ipip-proto-4)

Servidor:

11:56:45.999222 In ethertype IPv4 (0x0800), length 938: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:56:46.000323 Out ethertype IPv4 (0x0800), length 82: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:56:46.016453 In ethertype IPv4 (0x0800), length 1130: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:56:46.027356 Out ethertype IPv4 (0x0800), length 531: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:56:46.059588 In ethertype IPv4 (0x0800), length 1296: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:56:46.059840 In ethertype IPv4 (0x0800), length 1264: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:56:46.074470 Out ethertype IPv4 (0x0800), length 1296: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:56:46.074522 Out ethertype IPv4 (0x0800), length 976: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:56:46.249345 In ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x1): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 209, length 64 (ipip-proto-4)
11:56:46.249345 In ethertype IPv4 (0x0800), length 100: 8.0.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 209, length 64
11:56:47.280994 In ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x2): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 210, length 64 (ipip-proto-4)
11:56:47.280994 In ethertype IPv4 (0x0800), length 100: 8.0.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 210, length 64
11:56:48.305921 In ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x3): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 211, length 64 (ipip-proto-4)


[lns L2TPserver]
ip range = 192.168.231.2 - 192.168.231.254
local ip = 192.168.231.1
require chap = no
refuse pap = yes
require authentication = no
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
lac = 88.134.0.0 - 88.134.254.254
lac = 100.70.0.0 - 100.70.254.254



[lac L2TPserver]
;lns = 192.168.21.33
lns = 100.80.1.252
redial = yes
redial timeout = 5
local ip = 192.168.231.2
require chap = no
require authentication = no
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.client
require pap = no
autodial = yes
name = cpe
length bit = yes

Servidor conf conf IPSec

keyexchange=ikev2
auto=add
left=%any
leftid=192.168.231.1
leftsubnet=192.168.219.0/30
leftcert=vpnHostCert_192.168.231.1.der
leftsendcert=always
right=%any
rightcert=VPNclientESPL2TPCert.der
rightsourceip=192.168.219.5/32
rightsubnet=192.168.219.4/30
mobike=no

IPSec conf no cliente

conn l2tp-ikev2-rw-esp
right=192.168.231.1
rightid=%192.168.231.1
rightsubnet=192.168.219.0/30
rightauth=pubkey
leftsourceip=%config
leftauth=pubkey
leftcert=VPNclientESPL2TPCert.der
leftsubnet=192.168.219.4/30
auto=start

Cliente

root@vsrv-bicab-2u:/home/VPN# ip ro get 192.168.219.1
192.168.219.1 via 192.168.231.1 dev ppp0 table 220 src 192.168.219.5 uid 0
cache

Servidor

root@vsrv-bicab-1u:/home/VPN# ip ro get 192.168.219.5
192.168.219.5 via 192.168.231.2 dev ppp0 table 220 src 192.168.219.1 uid 0
cache

O problema é que 8.0.219.x, que não era o caso antes da atualização.

ipsec ubuntu strongswan l2tp xl2tpd

por Boris 02.10.2018 / 13:13

1 resposta

Tags ipsec ubuntu strongswan l2tp xl2tpd

Qual é o objetivo da instrução VOLUME em um Dockerfile? Edgerouter DNSmasq envia atualizações para o BIND

score 1 · Accepted Answer

Existe um bug conhecido no kernel do Linux 4.15, que o Ubuntu 18.04 envia, que faz com que o endereço IP seja alterado desta forma.

Foi causada por 5efec5c655dd ("xfrm: corrija eth_hdr (skb) - > h_proto para refletir a versão interna do IP") e mais tarde foi corrigido com 87cdf3148b11 ("xfrm: verifique se o cabeçalho MAC existe antes de sobrescrever eth_hdr (skb) - > h_proto"), que fazia parte das fontes do kernel 4.16.

Esta correção aparentemente nunca foi backportada para o 4.15 (não é parte do linux-4.15.y ramo estável) e os mantenedores de pacotes do kernel do Ubuntu também não o adicionaram. Você pode querer notificar os desenvolvedores de kernel sobre o backport ausente para estável (via lista de discussão netdev ) e / ou arquive um bug com os desenvolvedores do Ubuntu.