IPsec fails with Debian and strongSwan with PSK

1

I am having a problem with my new IPsec configuration, testing between two nodes. Every node is connected to the internet using a static IP, and the logs show that there are problems with ipsec.secrets, but I can't see where.

Node A: server with public IP

Node B: server with private IP behind external NAT

Config A /etc/ipsec.conf

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default

conn    ipsec-test
        left=MyPublicIPA
        leftid=MyPublicIPA
        leftsourceip=MyPublicIPA
        right=MyPublicIPB
        rightid=MyPublicIPB
        rightsubnet=10.0.1.0/24
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=secret
        auto=start
        keyexchange=ikev2
        type=tunnel

/etc/ipsec.secrets

MyPublicIPA MyPublicIPB : PSK "test1234"

Logs:

Jul 13 15:30:06 vpnserver2 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64)
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 13 15:30:06 vpnserver2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 13 15:30:06 vpnserver2 charon: 00[CFG]   loaded IKE secret for MyPublicIPB
Jul 13 15:30:06 vpnserver2 charon: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Jul 13 15:30:06 vpnserver2 charon: 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
Jul 13 15:30:06 vpnserver2 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jul 13 15:30:06 vpnserver2 charon: 00[JOB] spawning 16 worker threads
Jul 13 15:30:06 vpnserver2 charon: 11[CFG] received stroke: add connection 'ipsec-test'
Jul 13 15:30:06 vpnserver2 charon: 11[CFG] added configuration 'ipsec-test'
Jul 13 15:30:06 vpnserver2 charon: 12[CFG] received stroke: initiate 'ipsec-test'
Jul 13 15:30:06 vpnserver2 charon: 12[IKE] initiating IKE_SA ipsec-test[1] to MyPublicIPB
Jul 13 15:30:06 vpnserver2 charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 13 15:30:06 vpnserver2 charon: 12[NET] sending packet: from MyPublicIPA[500] to MyPublicIPB[500] (304 bytes)
Jul 13 15:30:06 vpnserver2 charon: 15[NET] received packet: from MyPublicIPB[500] to MyPublicIPA[500] (312 bytes)
Jul 13 15:30:06 vpnserver2 charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 13 15:30:06 vpnserver2 charon: 15[IKE] remote host is behind NAT
Jul 13 15:30:06 vpnserver2 charon: 15[IKE] authentication of 'MyPublicIPA' (myself) with pre-shared key
Jul 13 15:30:06 vpnserver2 charon: 15[IKE] establishing CHILD_SA ipsec-test
Jul 13 15:30:06 vpnserver2 charon: 15[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jul 13 15:30:06 vpnserver2 charon: 15[NET] sending packet: from MyPublicIPA[4500] to MyPublicIPB[4500] (288 bytes)
Jul 13 15:30:06 vpnserver2 charon: 06[NET] received packet: from MyPublicIPB[4500] to MyPublicIPA[4500] (80 bytes)
Jul 13 15:30:06 vpnserver2 charon: 06[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 13 15:30:06 vpnserver2 charon: 06[IKE] received AUTHENTICATION_FAILED notify error

Configuration B:

/etc/ipsec.conf

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default

conn    ipsec-test
        left=10.0.1.5
        leftid=10.0.1.5
        leftsubnet=10.0.1.0/24
        right=MyPublicIPA
        rightid=MyPublicIPA
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        authby=secret
        auto=start
        keyexchange=ikev2
        type=tunnel

/etc/ipsec.secrets

MyPublicIPA : PSK "test1234"

Logs:

Jul 13 15:30:06 vpnserver charon: 16[NET] received packet: from MyPublicIPA[500] to 10.0.1.5[500] (304 bytes)
Jul 13 15:30:06 vpnserver charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 13 15:30:06 vpnserver charon: 16[IKE] MyPublicIPA is initiating an IKE_SA
Jul 13 15:30:06 vpnserver charon: 16[IKE] local host is behind NAT, sending keep alives
Jul 13 15:30:06 vpnserver charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 13 15:30:06 vpnserver charon: 16[NET] sending packet: from 10.0.1.5[500] to MyPublicIPA[500] (312 bytes)
Jul 13 15:30:06 vpnserver charon: 05[NET] received packet: from MyPublicIPA[4500] to 10.0.1.5[4500] (288 bytes)
Jul 13 15:30:06 vpnserver charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jul 13 15:30:06 vpnserver charon: 05[CFG] looking for peer configs matching 10.0.1.5[MyPublicIPB]...MyPublicIPA[MyPublicIPA]
Jul 13 15:30:06 vpnserver charon: 05[CFG] no matching peer config found
Jul 13 15:30:06 vpnserver charon: 05[IKE] peer supports MOBIKE
Jul 13 15:30:06 vpnserver charon: 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 13 15:30:06 vpnserver charon: 05[NET] sending packet: from 10.0.1.5[4500] to MyPublicIPA[4500] (80 bytes)

I will probably use certificates, but first I would rather know where this configuration fails. Suggestions?

While checking I found a similar problem, but I tested modifying ipsec.secrets and still got the failure.

by deconya 13.07.2017 / 17:24

0 answers
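The responder's line "looking for peer configs matching 10.0.1.5[MyPublicIPB]...MyPublicIPA[MyPublicIPA]" shows what charon compares when it picks a conn: the local host with the IDr the initiator sent, then the remote host with IDi. As an added example (not part of the question), this Python script parses condensed copies of both ipsec.conf files, reports which identity pair does not line up, and extracts the four fields from that log line; the config strings and log line are constructed from the values in the question.

```python
import re

# Constructed, condensed copies of the two ipsec.conf files in the question
# (only the keys this check uses; not the poster's files verbatim).
CONF_A = ("conn ipsec-test\n        left=MyPublicIPA\n        leftid=MyPublicIPA\n"
          "        right=MyPublicIPB\n        rightid=MyPublicIPB\n")
CONF_B = ("conn ipsec-test\n        left=10.0.1.5\n    leftid=10.0.1.5\n"
          "        right=MyPublicIPA\n        rightid=MyPublicIPA\n")
# Constructed copy of the responder's lookup line from the question's log.
LOG_B = ("Jul 13 15:30:06 vpnserver charon: 05[CFG] looking for peer configs "
         "matching 10.0.1.5[MyPublicIPB]...MyPublicIPA[MyPublicIPA]")

def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()          # indentation in ipsec.conf is not significant
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip()
    return conns

def effective_id(conn, side):
    """strongSwan falls back to left/right when leftid/rightid is not set."""
    return conn.get(side + "id", conn.get(side))

def id_mismatches(conn_init, conn_resp):
    """The initiator sends IDi=leftid and IDr=rightid; the responder needs a conn
    whose leftid equals IDr and whose rightid equals IDi. Return each differing pair."""
    checks = [("initiator rightid", effective_id(conn_init, "right"),
               "responder leftid", effective_id(conn_resp, "left")),
              ("initiator leftid", effective_id(conn_init, "left"),
               "responder rightid", effective_id(conn_resp, "right"))]
    return [c for c in checks if c[1] != c[3]]

# local_host[IDr]...remote_host[IDi], as charon prints it during peer-config lookup
LOOKUP = re.compile(r"looking for peer configs matching ([^\[\s]+)\[([^\]]+)\]"
                    r"\.\.\.([^\[\s]+)\[([^\]]+)\]")

def parse_peer_lookup(line):
    """Extract local host, IDr, remote host and IDi from charon's lookup line, or None."""
    m = LOOKUP.search(line)
    return dict(zip(("local_host", "idr", "remote_host", "idi"), m.groups())) if m else None
```

Running `id_mismatches` on the two conns above reports the initiator's rightid against the responder's leftid, which is the pair the responder's log line also shows as not matching any conn.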