Routing between OpenSWAN / IPSEC tunnels

I am trying to connect several Amazon VPCs (in multiple regions) using OpenSWAN and the Amazon VGW. The router instance can ping the hosts in both VPCs, and traffic is attempting to traverse the router, but it is being dropped.

EDIT: I see the XfrmInNoPols counter incrementing when the pings are not being forwarded.

In this scenario there are two VPCs being connected, and an instance that lives in a third VPC is doing the routing and acting as a hub. I am essentially trying to re-implement the Transit VPC function ( link ) without the Cisco CSR and the automated Lambda configuration.

My problem is that the hub is able to reach both East and West, but packets from either end reach the hub and go no further.

Topology:

West (172.19.0.0/16) - (hub) - East (172.18.0.0/16). The hub connects to both ends via VGW, so cleartext packets for East / West never leave the hub. As per normal VGW behaviour, there are two tunnels between each end and the hub.

The basis for this setup is link , modified to support a second set of tunnels. One peculiarity of that script is that it sets up a 'network namespace' ( link ) to handle all of the ipsec and routing.

The hub can ping nodes in East and West through the IPSEC tunnels. The VGWs agree that ipsec and BGP are up, and the East / West subnets see the propagated routes. The hub has routes to East and West. Iptables is wide open. rp_filter is set to 0 and forwarding / ip_forward is set to 1 in sysctl.

I set up a ping generator in West that is trying to ping East. The packets reach the openswan network namespace on the hub:

16:38:49.311665 IP 35.163.220.45 > 169.254.255.3: ESP(spi=0x0a790d98,seq=0x4f5), length 132
16:38:49.311665 IP 172.19.58.64 > 172.18.57.207: ICMP echo request, id 411, seq 1113, length 64

I have NFLOG / ulogd2 set up in iptables. It shows:

RAW-PREROUTING IN=eth0 OUT= MAC=d6:fd:61:4b:73:42:6a:3a:bb:e2:33:75:08:00 SRC=172.19.58.64 DST=172.18.57.207 LEN=84 TOS=00 PREC=0x00 TTL=254 ID=49803 DF PROTO=ICMP TYPE=8 CODE=0 ID=411 SEQ=1155 MARK=0
NAT-PREROUTING IN=eth0 OUT= MAC=d6:fd:61:4b:73:42:6a:3a:bb:e2:33:75:08:00 SRC=172.19.58.64 DST=172.18.57.207 LEN=84 TOS=00 PREC=0x00 TTL=254 ID=49803 DF PROTO=ICMP TYPE=8 CODE=0 ID=411 SEQ=1155 MARK=0

However, the packet never reaches the iptables FORWARD chain:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

Pinging from East to West fails in the same way.

The hub can ping both the source and the destination:

# ping -c 1 172.18.57.207
64 bytes from 172.18.57.207: icmp_seq=1 ttl=254 time=1.74 ms
# ping -c 1 172.19.58.64
64 bytes from 172.19.58.64: icmp_seq=1 ttl=254 time=94.3 ms

Any suggestions on what could be blocking packets transiting the hub?

The host is an AWS EC2 AMI, latest version:

Linux version 4.4.30-32.54.amzn1.x86_64 (mockbuild@gobi-build-60008) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Thu Nov 10 15:52:05 UTC 2016
Linux Openswan U2.6.37/K4.4.30-32.54.amzn1.x86_64 (netkey)

My iptables rules (all ACCEPT, only NFLOGs):

# Generated by iptables-save v1.4.18 on Fri Nov 18 16:40:41 2016
*mangle
:PREROUTING ACCEPT [3648:404080]
:INPUT ACCEPT [2490:306808]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1802:171212]
:POSTROUTING ACCEPT [1802:171212]
-A INPUT -j NFLOG --nflog-prefix  MAN-INPUT --nflog-group 5
-A OUTPUT -j NFLOG --nflog-prefix  MAN-OUTPUT --nflog-group 5
-A POSTROUTING -j NFLOG --nflog-prefix  MAN-POSTROUTING --nflog-group 5
COMMIT
# Completed on Fri Nov 18 16:40:41 2016
# Generated by iptables-save v1.4.18 on Fri Nov 18 16:40:41 2016
*filter
:INPUT ACCEPT [2490:306808]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1802:171212]
-A INPUT -j NFLOG --nflog-prefix  FLT-INPUT --nflog-group 5
-A OUTPUT -j NFLOG --nflog-prefix  FLT-OUTPUT --nflog-group 5
COMMIT
# Completed on Fri Nov 18 16:40:41 2016
# Generated by iptables-save v1.4.18 on Fri Nov 18 16:40:41 2016
*raw
:PREROUTING ACCEPT [3648:404080]
:OUTPUT ACCEPT [1802:171212]
-A PREROUTING -j NFLOG --nflog-prefix  RAW-PREROUTING --nflog-group 5
-A OUTPUT -j NFLOG --nflog-prefix  RAW-OUTPUT --nflog-group 5
COMMIT
# Completed on Fri Nov 18 16:40:41 2016
# Generated by iptables-save v1.4.18 on Fri Nov 18 16:40:41 2016
*nat
:PREROUTING ACCEPT [1158:97272]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j NFLOG --nflog-prefix  NAT-PREROUTING --nflog-group 5
-A POSTROUTING -j NFLOG --nflog-prefix  NAT-POSTROUTING --nflog-group 5
COMMIT

IPSec configuration:

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        protostack=netkey
        nat_traversal=no
        virtual_private=
        oe=off

conn awstunnel1
        authby=secret
        auto=start
        left=169.254.255.2
        leftid=169.254.255.2
        right=35.163.197.247
        rightid=35.163.197.247
        type=tunnel
        ikelifetime=8h
        keylife=1h
        phase2alg=aes128-sha1;modp1024
        ike=aes128-sha1
        auth=esp
        keyingtries=%forever
        aggrmode=no
        keyexchange=ike
        ikev2=never
        leftsubnet=169.254.12.53/30
        rightsubnet=0.0.0.0/0
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart_by_peer
conn awstunnel2
        authby=secret
        auto=start
        left=169.254.255.3
        leftid=169.254.255.3
        right=35.163.220.45
        rightid=35.163.220.45
        type=tunnel
        ikelifetime=8h
        keylife=1h
        phase2alg=aes128-sha1;modp1024
        ike=aes128-sha1
        auth=esp
        keyingtries=%forever
        aggrmode=no
        keyexchange=ike
        ikev2=never
        leftsubnet=169.254.12.221/30
        rightsubnet=0.0.0.0/0
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart_by_peer
conn awstunnel3
        authby=secret
        auto=start
        left=169.254.255.4
        leftid=169.254.255.4
        right=52.45.134.147
        rightid=52.45.134.147
        type=tunnel
        ikelifetime=8h
        keylife=1h
        phase2alg=aes128-sha1;modp1024
        ike=aes128-sha1
        auth=esp
        keyingtries=%forever
        aggrmode=no
        keyexchange=ike
        ikev2=never
        leftsubnet=169.254.47.13/30
        rightsubnet=0.0.0.0/0
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart_by_peer
conn awstunnel4
        authby=secret
        auto=start
        left=169.254.255.5
        leftid=169.254.255.5
        right=52.45.232.151
        rightid=52.45.232.151
        type=tunnel
        ikelifetime=8h
        keylife=1h
        phase2alg=aes128-sha1;modp1024
        ike=aes128-sha1
        auth=esp
        keyingtries=%forever
        aggrmode=no
        keyexchange=ike
        ikev2=never
        leftsubnet=169.254.47.1/30
        rightsubnet=0.0.0.0/0
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart_by_peer

(I am omitting the secrets)

BGP configuration:

# cat /etc/quagga/bgpd.conf
hostname ip-172-28-10-214
password xx
enable password xx
!
log file /var/log/quagga/bgpd.log
debug bgp events
debug bgp zebra
debug bgp updates
debug bgp filters
debug bgp fsm
!
router bgp 65001
    bgp router-id 52.55.78.109
    network 169.254.12.54/30
    neighbor 169.254.12.53 remote-as 7224
    neighbor 169.254.12.53 soft-reconfiguration inbound
    neighbor 169.254.12.53 route-map rm_peer_1_out out
    network 169.254.12.222/30
    neighbor 169.254.12.221 remote-as 7224
    neighbor 169.254.12.221 soft-reconfiguration inbound
    neighbor 169.254.12.221 route-map rm_peer_1_out out
    network 169.254.47.14/30
    neighbor 169.254.47.13 remote-as 7224
    neighbor 169.254.47.13 soft-reconfiguration inbound
    neighbor 169.254.47.13 route-map rm_peer_1_out out
    network 169.254.47.2/30
    neighbor 169.254.47.1 remote-as 7224
    neighbor 169.254.47.1 soft-reconfiguration inbound
    neighbor 169.254.47.1 route-map rm_peer_1_out out
line vty
!
ip prefix-list localprefix seq 5 permit 172.18.0.0/16
ip prefix-list remoteprefix seq 5 permit any
! Suppress the AWS AS
route-map rm_peer_1_out permit 5
 match ip address prefix-list localprefix
 set as-path exclude 7224
! Suppress the AWS AS, synthetically extend the AS PATH
! For any vpc that isn't in the same region
route-map rm_peer_1_out permit 6
 match ip address prefix-list remoteprefix
 set as-path prepend 65001
 set as-path exclude 7224
! Suppress advertisement for non-VPC addresses
access-list vpcprefixes permit 172.0.0.0/8
!

Route table:

default via 169.254.255.1 dev eth0
169.254.12.52/30 dev eth0  proto kernel  scope link  src 169.254.12.54
169.254.12.220/30 dev eth0  proto kernel  scope link  src 169.254.12.222
169.254.47.0/30 dev eth0  proto kernel  scope link  src 169.254.47.2
169.254.47.12/30 dev eth0  proto kernel  scope link  src 169.254.47.14
169.254.255.0/28 dev eth0  proto kernel  scope link  src 169.254.255.2
172.18.0.0/16 via 169.254.47.13 dev eth0  proto zebra  metric 100
172.19.0.0/16 via 169.254.12.221 dev eth0  proto zebra  metric 100

sysctl:

net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.veth1.forwarding = 1
net.ipv4.ip_forward = 1

ipsec auto --status:

000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 169.254.255.2
000 interface eth0/eth0 169.254.12.54
000 interface eth0/eth0 169.254.12.222
000 interface eth0/eth0 169.254.47.14
000 interface eth0/eth0 169.254.47.2
000 interface eth0/eth0 169.254.255.3
000 interface eth0/eth0 169.254.255.4
000 interface eth0/eth0 169.254.255.5
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
[SNIP algorithms]
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,8,64} trans={0,8,3072} attrs={0,8,2048}
000
000 "awstunnel1": 169.254.12.52/30===169.254.255.2<169.254.255.2>[+S=C]...35.163.197.247<35.163.197.247>[+S=C]===0.0.0.0/0; erouted; eroute owner: #8
000 "awstunnel1":     myip=unset; hisip=unset;
000 "awstunnel1":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "awstunnel1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK+lKOD+rKOD; prio: 30,0; interface: eth0;
000 "awstunnel1":   dpd: action:restart_by_peer; delay:10; timeout:30;
000 "awstunnel1":   newest ISAKMP SA: #1; newest IPsec SA: #8;
000 "awstunnel1":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
000 "awstunnel1":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "awstunnel1":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "awstunnel1":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
000 "awstunnel1":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "awstunnel1":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1024
000 "awstunnel2": 169.254.12.220/30===169.254.255.3<169.254.255.3>[+S=C]...35.163.220.45<35.163.220.45>[+S=C]===0.0.0.0/0; erouted; eroute owner: #7
000 "awstunnel2":     myip=unset; hisip=unset;
000 "awstunnel2":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "awstunnel2":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK+lKOD+rKOD; prio: 30,0; interface: eth0;
000 "awstunnel2":   dpd: action:restart_by_peer; delay:10; timeout:30;
000 "awstunnel2":   newest ISAKMP SA: #2; newest IPsec SA: #7;
000 "awstunnel2":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
000 "awstunnel2":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "awstunnel2":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "awstunnel2":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
000 "awstunnel2":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "awstunnel2":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1024
000 "awstunnel3": 169.254.47.12/30===169.254.255.4<169.254.255.4>[+S=C]...52.45.134.147<52.45.134.147>[+S=C]===0.0.0.0/0; erouted; eroute owner: #5
000 "awstunnel3":     myip=unset; hisip=unset;
000 "awstunnel3":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "awstunnel3":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK+lKOD+rKOD; prio: 30,0; interface: eth0;
000 "awstunnel3":   dpd: action:restart_by_peer; delay:10; timeout:30;
000 "awstunnel3":   newest ISAKMP SA: #3; newest IPsec SA: #5;
000 "awstunnel3":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
000 "awstunnel3":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "awstunnel3":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "awstunnel3":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
000 "awstunnel3":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "awstunnel3":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1024
000 "awstunnel4": 169.254.47.0/30===169.254.255.5<169.254.255.5>[+S=C]...52.45.232.151<52.45.232.151>[+S=C]===0.0.0.0/0; erouted; eroute owner: #6
000 "awstunnel4":     myip=unset; hisip=unset;
000 "awstunnel4":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "awstunnel4":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK+lKOD+rKOD; prio: 30,0; interface: eth0;
000 "awstunnel4":   dpd: action:restart_by_peer; delay:10; timeout:30;
000 "awstunnel4":   newest ISAKMP SA: #4; newest IPsec SA: #6;
000 "awstunnel4":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
000 "awstunnel4":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "awstunnel4":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "awstunnel4":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
000 "awstunnel4":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "awstunnel4":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=MODP1024
000
000 #8: "awstunnel1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 881s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #8: "awstunnel1" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761
000 #1: "awstunnel1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26389s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #7: "awstunnel2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1114s; newest IPSEC; eroute owner; isakmp#2; idle; import:admin initiate
000 #7: "awstunnel2" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761
000 #2: "awstunnel2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26003s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #5: "awstunnel3":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1083s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
000 #5: "awstunnel3" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761
000 #3: "awstunnel3":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26042s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #6: "awstunnel4":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 864s; newest IPSEC; eroute owner; isakmp#4; idle; import:admin initiate
000 #6: "awstunnel4" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761
000 #4: "awstunnel4":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26073s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000

BGP state:

# vtysh -c 'show ip bgp summary'
BGP router identifier 52.55.78.109, local AS number 65001
RIB entries 11, using 1056 bytes of memory
Peers 4, using 18 KiB of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.12.53   4  7224     185     188        0    0    0 00:30:21        1
169.254.12.221  4  7224     185     187        0    0    0 00:30:23        1
169.254.47.1    4  7224     185     188        0    0    0 00:30:22        1
169.254.47.13   4  7224     185     187        0    0    0 00:30:22        1

# vtysh -c 'show ip bgp'
BGP table version is 0, local router ID is 52.55.78.109
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 169.254.12.52/30 0.0.0.0                  0         32768 i
*> 169.254.12.220/30
                    0.0.0.0                  0         32768 i
*> 169.254.47.0/30  0.0.0.0                  0         32768 i
*> 169.254.47.12/30 0.0.0.0                  0         32768 i
*> 172.18.0.0       169.254.47.13          100             0 7224 i
*                   169.254.47.1           200             0 7224 i
*  172.19.0.0       169.254.12.53          200             0 7224 i
*>                  169.254.12.221         100             0 7224 i

ip xfrm state (keys trimmed) inside the namespace:

# ip xfrm state
src 35.163.197.247 dst 169.254.255.2
    proto esp spi 0x7db002d9 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) x 96
    enc cbc(aes) x
    anti-replay context: seq 0xfc, oseq 0x0, bitmap 0xffffffff
src 169.254.255.2 dst 35.163.197.247
    proto esp spi 0x5759bbc6 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) x 96
    enc cbc(aes) x
    anti-replay context: seq 0x0, oseq 0x180, bitmap 0x00000000
src 35.163.220.45 dst 169.254.255.3
    proto esp spi 0x0a790d98 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) x 96
    enc cbc(aes) x
    anti-replay context: seq 0x8c0, oseq 0x0, bitmap 0xffffffff
src 169.254.255.3 dst 35.163.220.45
    proto esp spi 0xc817fa78 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) x 96
    enc cbc(aes) x
    anti-replay context: seq 0x0, oseq 0x14b, bitmap 0x00000000
src 52.45.232.151 dst 169.254.255.5
    proto esp spi 0x80005db1 reqid 16397 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) x 96
    enc cbc(aes) x
    anti-replay context: seq 0xe9, oseq 0x0, bitmap 0xffffffff
src 169.254.255.5 dst 52.45.232.151
    proto esp spi 0x7f07c4fa reqid 16397 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) x 96
    enc cbc(aes) x
    anti-replay context: seq 0x0, oseq 0x180, bitmap 0x00000000
src 52.45.134.147 dst 169.254.255.4
    proto esp spi 0x70f458c4 reqid 16393 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) x 96
    enc cbc(aes) x
    anti-replay context: seq 0xfc, oseq 0x0, bitmap 0xffffffff
src 169.254.255.4 dst 52.45.134.147
    proto esp spi 0x98c8c16a reqid 16393 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) x 96
    enc cbc(aes) x
    anti-replay context: seq 0x0, oseq 0x17f, bitmap 0x00000000

ip xfrm policy inside the namespace:

# ip xfrm policy
src 169.254.12.52/30 dst 0.0.0.0/0
    dir out priority 2176 ptype main
    tmpl src 169.254.255.2 dst 35.163.197.247
        proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 169.254.12.52/30
    dir fwd priority 2176 ptype main
    tmpl src 35.163.197.247 dst 169.254.255.2
        proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 169.254.12.52/30
    dir in priority 2176 ptype main
    tmpl src 35.163.197.247 dst 169.254.255.2
        proto esp reqid 16385 mode tunnel
src 169.254.12.220/30 dst 0.0.0.0/0
    dir out priority 2176 ptype main
    tmpl src 169.254.255.3 dst 35.163.220.45
        proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 169.254.12.220/30
    dir fwd priority 2176 ptype main
    tmpl src 35.163.220.45 dst 169.254.255.3
        proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 169.254.12.220/30
    dir in priority 2176 ptype main
    tmpl src 35.163.220.45 dst 169.254.255.3
        proto esp reqid 16389 mode tunnel
src 169.254.47.0/30 dst 0.0.0.0/0
    dir out priority 2176 ptype main
    tmpl src 169.254.255.5 dst 52.45.232.151
        proto esp reqid 16397 mode tunnel
src 0.0.0.0/0 dst 169.254.47.0/30
    dir fwd priority 2176 ptype main
    tmpl src 52.45.232.151 dst 169.254.255.5
        proto esp reqid 16397 mode tunnel
src 0.0.0.0/0 dst 169.254.47.0/30
    dir in priority 2176 ptype main
    tmpl src 52.45.232.151 dst 169.254.255.5
        proto esp reqid 16397 mode tunnel
src 169.254.47.12/30 dst 0.0.0.0/0
    dir out priority 2176 ptype main
    tmpl src 169.254.255.4 dst 52.45.134.147
        proto esp reqid 16393 mode tunnel
src 0.0.0.0/0 dst 169.254.47.12/30
    dir fwd priority 2176 ptype main
    tmpl src 52.45.134.147 dst 169.254.255.4
        proto esp reqid 16393 mode tunnel
src 0.0.0.0/0 dst 169.254.47.12/30
    dir in priority 2176 ptype main
    tmpl src 52.45.134.147 dst 169.254.255.4
        proto esp reqid 16393 mode tunnel
src ::/0 dst ::/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
[repeats snipped]

ip rule list inside the namespace:

# ip rule list
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default

ip addr list inside the namespace:

# ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
6: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d6:fd:61:4b:73:42 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.255.2/28 scope global eth0
       valid_lft forever preferred_lft forever
    inet 169.254.12.54/30 scope global eth0
       valid_lft forever preferred_lft forever
    inet 169.254.12.222/30 scope global eth0
       valid_lft forever preferred_lft forever
    inet 169.254.47.14/30 scope global eth0
       valid_lft forever preferred_lft forever
    inet 169.254.47.2/30 scope global eth0
       valid_lft forever preferred_lft forever
    inet 169.254.255.3/28 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet 169.254.255.4/28 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet 169.254.255.5/28 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::d4fd:61ff:fe4b:7342/64 scope link
       valid_lft forever preferred_lft forever
8: veth1@if7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 8e:9a:f6:27:83:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0

ifconfig inside the namespace:

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr D6:FD:61:4B:73:42
          inet addr:169.254.255.2  Bcast:0.0.0.0  Mask:255.255.255.240
          inet6 addr: fe80::d4fd:61ff:fe4b:7342/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3803 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2076 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:570566 (557.1 KiB)  TX bytes:270108 (263.7 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

veth1     Link encap:Ethernet  HWaddr 8E:9A:F6:27:83:FE
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Pfkey:

# cat /proc/net/pfkey
sk       RefCnt Rmem   Wmem   User   Inode

Kernel configuration:

CONFIG_XFRM=y
CONFIG_XFRM_ALGO=m
CONFIG_XFRM_USER=m
CONFIG_XFRM_SUB_POLICY=y
CONFIG_XFRM_MIGRATE=y
CONFIG_XFRM_STATISTICS=y
CONFIG_XFRM_IPCOMP=m
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_SECURITY_NETWORK_XFRM=y
    
by Jason Martin 18.11.2016 / 19:48
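The XfrmInNoPols counter mentioned in the question is the kernel's record of a specific check: on Linux (netkey), every cleartext packet that came out of an inbound SA must match an xfrm policy for its direction, "in" when the packet is for the host itself and "fwd" when it is routed onward. The "fwd" check runs in ip_forward() before the netfilter FORWARD hook, so a packet that fails it is seen by raw/nat PREROUTING but never reaches FORWARD. The following is an added example, not code from the question or from the script it is based on; it replays that lookup for the packets in the post against a transcription of the post's `ip xfrm policy` dump (selectors, priority and tmpl reqid per tunnel). Reqid-to-tunnel mapping is taken from the `ip xfrm state` output.

```python
"""Replay of the kernel's xfrm policy lookup for the packets in the question.

Added example: a packet carrying a secpath (it was decrypted from an SA) that
matches no policy for its direction is dropped and counted as XfrmInNoPols in
/proc/net/xfrm_stat; a policy whose template names a different SA than the
one the packet arrived on is counted as XfrmInTmplMismatch.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Policy(NamedTuple):
    src: str        # selector source prefix
    dst: str        # selector destination prefix
    direction: str  # "in", "out" or "fwd"
    priority: int   # lower value wins when several selectors match
    reqid: int      # SA the policy binds to (the tmpl reqid in the dump)


def tunnel_policies(link_net: str, reqid: int) -> List[Policy]:
    """The three policies Openswan installs for one conn with
    leftsubnet=<link /30> and rightsubnet=0.0.0.0/0, as in the post."""
    return [
        Policy(link_net, "0.0.0.0/0", "out", 2176, reqid),
        Policy("0.0.0.0/0", link_net, "fwd", 2176, reqid),
        Policy("0.0.0.0/0", link_net, "in", 2176, reqid),
    ]


# Transcribed from the question's `ip xfrm policy` output.
XFRM_POLICIES = (
    tunnel_policies("169.254.12.52/30", 16385)     # awstunnel1
    + tunnel_policies("169.254.12.220/30", 16389)  # awstunnel2
    + tunnel_policies("169.254.47.0/30", 16397)    # awstunnel4
    + tunnel_policies("169.254.47.12/30", 16393)   # awstunnel3
)


def lookup(policies: List[Policy], src: str, dst: str,
           direction: str) -> Optional[Policy]:
    """Best-matching policy for a packet, or None when no selector matches."""
    s, d = ip_address(src), ip_address(dst)
    matches = [p for p in policies
               if p.direction == direction
               and s in ip_network(p.src) and d in ip_network(p.dst)]
    return min(matches, key=lambda p: p.priority, default=None)


def check_decrypted_packet(policies: List[Policy], src: str, dst: str,
                           arrived_reqid: int, forwarded: bool) -> str:
    """Outcome of the policy check for a cleartext packet that came out of
    the SA with reqid `arrived_reqid`: "accept", or the xfrm_stat counter the
    kernel increments when it drops the packet."""
    pol = lookup(policies, src, dst, "fwd" if forwarded else "in")
    if pol is None:
        return "XfrmInNoPols"        # secpath present, no policy: dropped
    if pol.reqid != arrived_reqid:
        return "XfrmInTmplMismatch"  # policy found, but for a different SA
    return "accept"


if __name__ == "__main__":
    # West -> East echo request from the question's tcpdump.  It arrived
    # through awstunnel2 (spi 0x0a790d98 -> reqid 16389) and must be forwarded.
    print("West->East forwarded:",
          check_decrypted_packet(XFRM_POLICIES, "172.19.58.64",
                                 "172.18.57.207", 16389, True))
    # Reply to the hub's own ping of an East host, delivered locally through
    # awstunnel3 (reqid 16393): the "in" policy for 169.254.47.12/30 matches.
    print("East->hub local:",
          check_decrypted_packet(XFRM_POLICIES, "172.18.57.207",
                                 "169.254.47.14", 16393, False))
```

Run as-is, the forwarded West-to-East packet reports XfrmInNoPols: every "fwd" policy in the dump only covers destinations inside one tunnel's own 169.254.x.x/30 link net, so a transit destination in 172.18.0.0/16 matches none of them, while the hub's own pings are sourced from and answered to those /30 addresses and match the "out" and "in" policies. The selector set is determined by leftsubnet/rightsubnet in ipsec.conf, so `ip xfrm policy` plus `grep XfrmIn /proc/net/xfrm_stat` before and after a test ping is the check to run before looking at iptables at all.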

1 answer

From what I see overall, your routing looks fine, and the fact that you can ping from one side to the other and the fact that the ipsec tunnel is up clearly indicate that there is an established network connection between the routers. So we can move away from the layer 3 part of the problem.

The key in situations like this is to first identify the problem and then isolate it. The best way to find it would be to sniff the network traffic from the source at the last responsive hop through to the destination. What kind of traffic traverses the tunnel? Any chance you have jumbo frames (MTU above 1500)? Is there any storage traffic such as iSCSI or FCoE? That is the most common cause of traffic being dropped on Unix-based VPNs. Some drivers do not support an MTU above 1500.

If that is the case and the drivers support it, raise the MTU of the TUN interfaces to 9000 at all ends (clients and servers). Look at the trace you sniffed; you are looking for two things. If the jumbo frames are fine and you have lots of timeouts, it may be a tunnel-based problem or a software-based problem. At that point you will have to determine where the packets are being dropped. To rule out tunnel problems: they can be dropped at the egress or ingress of any device, at any point in the flow. traceroute (from inside the tunnel) is extremely valuable; otherwise you will have to sniff source and destination hop by hop until you pinpoint where the drop is. If you get a lot of TCP Resets, it is software-based, so it is a layer 1 problem, and I can't help you with that since I am not a programmer ;)

    
by 23.11.2016 / 05:51
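The answer raises MTU as a possible cause. For the cipher suite the question's tunnels negotiated (AES-128-CBC with HMAC-SHA1-96, tunnel mode over IPv4) the size question can be settled by arithmetic rather than by guessing. The following is an added example, not part of the answer above: it applies the standard ESP framing sizes (SPI + sequence number, one CBC IV block, padding to the cipher block, pad-length + next-header trailer, 96-bit ICV) to compute how big an inner packet becomes on the wire and the largest inner packet that fits a 1500-byte outer MTU. The 84-byte ICMP echo and the captured "ESP(...), length 132" are taken from the question's tcpdump output and serve as the check that the framing matches what these tunnels actually emit.

```python
"""ESP tunnel-mode size arithmetic for AES-128-CBC / HMAC-SHA1-96 over IPv4.

Added example: the constants are the ESP layout from RFC 4303 for this suite;
the verdict function mirrors the Linux xfrm behaviour that an inner packet
with DF set whose encapsulation exceeds the outer MTU is not sent and the
inner source receives an ICMP "fragmentation needed" instead.
"""
OUTER_IP_HDR = 20      # outer IPv4 header added by tunnel mode (no options)
ESP_HDR = 8            # SPI (4) + sequence number (4)
AES_BLOCK = 16         # CBC block size: IV is one block, plaintext is padded to it
ESP_TRAILER = 2        # pad length (1) + next header (1), inside the ciphertext
HMAC_SHA1_96_ICV = 12  # truncated HMAC-SHA1 integrity check value


def esp_length(inner_len: int) -> int:
    """Size of the ESP datagram (the outer IP payload) carrying an inner
    packet of inner_len bytes; tcpdump prints this as 'ESP(...), length N'."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // AES_BLOCK) * AES_BLOCK   # round up to a block
    return ESP_HDR + AES_BLOCK + padded + HMAC_SHA1_96_ICV


def outer_length(inner_len: int) -> int:
    """Total bytes on the wire for one encapsulated inner packet."""
    return OUTER_IP_HDR + esp_length(inner_len)


def max_inner_length(outer_mtu: int = 1500) -> int:
    """Largest inner packet whose encapsulation still fits outer_mtu."""
    budget = outer_mtu - OUTER_IP_HDR - ESP_HDR - AES_BLOCK - HMAC_SHA1_96_ICV
    return (budget // AES_BLOCK) * AES_BLOCK - ESP_TRAILER


def tunnel_verdict(inner_len: int, df: bool, outer_mtu: int = 1500) -> str:
    """What happens to an inner packet at encapsulation time.
    'ok'        - fits the outer MTU as one packet
    'fragment'  - DF clear: the outer ESP packet is fragmented by IP
    'pmtu-drop' - DF set (as on the question's pings): the packet is not
                  sent and the inner source gets ICMP fragmentation needed"""
    if outer_length(inner_len) <= outer_mtu:
        return "ok"
    return "pmtu-drop" if df else "fragment"


if __name__ == "__main__":
    # The 84-byte echo from the question's capture encapsulates to ESP 132.
    print("84-byte echo -> ESP length", esp_length(84),
          "on-wire", outer_length(84))
    print("largest inner packet for MTU 1500:", max_inner_length(1500))
    for size, df in ((84, True), (1438, True), (1439, True), (1500, False)):
        print(size, "DF" if df else "no DF", "->", tunnel_verdict(size, df))
```

The 84-byte echo encapsulates to exactly the 132 bytes tcpdump captured, so the framing above is what the tunnels are doing; any inner packet above 1438 bytes would not fit a 1500-byte outer MTU and, with DF set, would be refused at encapsulation rather than forwarded. The pings in the question are 84 bytes with DF set and are well under that limit, so for those packets the drop is not a size effect; the check is still worth running against real workloads (storage traffic, large TCP segments) before raising interface MTUs.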