I need to set up IPsec tunnel mode between a gateway with static NAT (say its public IP is 172.31.0.105) and a number of clients that sit behind dynamic NAT.
Reading some resources (such as this, this and this) I found that the roadwarrior configuration should work for my case.
I managed to configure and start racoon correctly on my gateway and on a test client, and when I try to bring up the VPN from the client (racoonctl vc -u user 172.31.0.105), I get the banner configured on the server.
But somehow something is wrong and they cannot communicate.
Here is the racoon.conf on the gateway:
path certificate "/etc/racoon/certs";
listen {
adminsock disabled;
isakmp 172.31.0.105[500];
isakmp_natt 172.31.0.105[4500];
}
timer
{
natt_keepalive 600 sec;
}
# Phase 1 configuration
remote anonymous {
exchange_mode aggressive;
my_identifier asn1dn;
certificate_type x509 "cert.pem" "key.pem";
proposal_check claim;
generate_policy on;
verify_cert off;
nat_traversal on;
dpd_delay 20;
ike_frag on;
proposal {
authentication_method hybrid_rsa_server;
encryption_algorithm 3des;
hash_algorithm md5;
dh_group 2;
}
}
# Local network information
mode_cfg {
network4 172.31.0.200;
netmask4 255.255.255.0;
dns4 8.8.8.8;
#wins4 10.0.12.1;
pool_size 10;
auth_source system;
banner "/etc/racoon/motd";
pfs_group 2;
}
# Phase 2 proposal
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
Here is the racoon.conf on the test client:
path certificate "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
listen {
adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}
# Here is the address of the VPN gateway
remote 172.31.0.105 {
exchange_mode aggressive;
ca_type x509 "cacert.pem";
proposal_check obey;
nat_traversal on;
ike_frag on;
mode_cfg on;
passive off;
verify_cert off;
script "/etc/racoon/phase1-up.sh" phase1_up;
script "/etc/racoon/phase1-down.sh" phase1_down;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method hybrid_rsa_client;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
Here is the dump of the SPD entries, while the set of SAD entries is empty:
root@test-client:/etc/racoon# setkey -PD
(per-socket policy)
Policy:[Invalid direciton]
created: Jan 1 02:28:49 1970 lastused:
lifetime: 0(s) validtime: 0(s)
spid=267 seq=1 pid=2489
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Jan 1 02:28:49 1970 lastused:
lifetime: 0(s) validtime: 0(s)
spid=276 seq=2 pid=2489
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Jan 1 02:28:49 1970 lastused:
lifetime: 0(s) validtime: 0(s)
spid=283 seq=3 pid=2489
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Jan 1 02:28:49 1970 lastused:
lifetime: 0(s) validtime: 0(s)
spid=292 seq=4 pid=2489
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Jan 1 02:28:50 1970 lastused:
lifetime: 0(s) validtime: 0(s)
spid=299 seq=5 pid=2489
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Jan 1 02:28:50 1970 lastused:
lifetime: 0(s) validtime: 0(s)
spid=308 seq=6 pid=2489
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Jan 1 02:28:50 1970 lastused:
lifetime: 0(s) validtime: 0(s)
spid=315 seq=7 pid=2489
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Jan 1 02:28:50 1970 lastused:
lifetime: 0(s) validtime: 0(s)
spid=324 seq=8 pid=2489
refcnt=1
172.31.0.200[any] 0.0.0.0/0[any] any
out prio def ipsec
esp/tunnel/192.168.66.105-172.31.0.105/require
created: May 23 13:30:05 2014 lastused:
lifetime: 0(s) validtime: 0(s)
spid=345 seq=9 pid=2489
refcnt=1
0.0.0.0/0[any] 172.31.0.200[any] any
in prio def ipsec
esp/tunnel/172.31.0.105-192.168.66.105/require
created: May 23 13:30:05 2014 lastused:
lifetime: 0(s) validtime: 0(s)
spid=352 seq=10 pid=2489
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: May 23 13:38:00 2014 lastused:
lifetime: 0(s) validtime: 0(s)
spid=371 seq=11 pid=2489
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: May 23 13:38:00 2014 lastused:
lifetime: 0(s) validtime: 0(s)
spid=380 seq=12 pid=2489
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: May 23 13:38:01 2014 lastused:
lifetime: 0(s) validtime: 0(s)
spid=387 seq=13 pid=2489
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: May 23 13:38:01 2014 lastused:
lifetime: 0(s) validtime: 0(s)
spid=396 seq=0 pid=2489
refcnt=1
The client has successfully configured a new network interface:
eth0:1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:172.31.0.200 Bcast:172.31.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
but when I try to ping the client from the gateway (or to open a netcat session) using that virtual IP (172.31.0.200), I get a

Destination Host Unreachable
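An added diagnostic, not part of the question above and not ipsec-tools code: a Python script that parses the setkey -PD and setkey -D output formats printed by ipsec-tools on Linux, reports every "require" policy that has no matching SA in the SAD (which is what an empty SAD next to the two tunnel policies above means: phase 1 and mode-config finished, phase 2 did not produce SAs), and lints a racoon.conf for settings that weaken the tunnel. The SPD text and the client racoon.conf fragment are copied from the question; the single SA in SAD_ONE_SA is a hypothetical, constructed example of what a completed phase 2 would look like, and the transport-mode endpoint handling assumes host selectors.

```python
"""Diagnose an ipsec-tools/racoon road-warrior tunnel from `setkey -PD`,
`setkey -D` and racoon.conf text. Added example; sample inputs are constructed
from the question (SPD dump, client racoon.conf) plus one hypothetical SA."""
import re
from dataclasses import dataclass, field

# setkey -PD: "<src>[port] <dst>[port] <proto>", then "<dir> prio <p> <action>",
# then one "esp/tunnel/<local>-<remote>/<level>" line per IPsec request.
_SELECTOR = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")
_ACTION = re.compile(r"^(in|out|fwd)(?: prio \S+)? (ipsec|discard|none|bypass)$")
_REQUEST = re.compile(
    r"^(esp|ah|ipcomp)/(tunnel|transport)/(?:([^-\s]+)-([^/\s]+))?/(\w+)$")
# setkey -D: "<src>[port] <dst>[port]" ([4500] ports appear with NAT-T), then an
# indented "esp mode=tunnel spi=... reqid=..." line.
_SA_HEAD = re.compile(r"^(\d+(?:\.\d+){3})(?:\[\d+\])? (\d+(?:\.\d+){3})(?:\[\d+\])?$")
_SA_BODY = re.compile(r"^(esp|ah|ipcomp) mode=(tunnel|transport) spi=")


@dataclass
class Policy:
    src: str
    dst: str
    direction: str = ""
    action: str = ""
    requests: list = field(default_factory=list)  # (proto, mode, local, remote, level)


def parse_spd(text):
    """Socket-independent SPD entries. The '(per-socket policy)' blocks printed
    as 'Policy:[Invalid direciton]' are racoon's bypass policies on its own
    ISAKMP sockets; they carry no selector and are skipped."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("(per-socket policy)"):
            cur = None
        elif (m := _SELECTOR.match(line)):
            cur = Policy(src=m.group(1), dst=m.group(3))
            policies.append(cur)
        elif cur and (m := _ACTION.match(line)):
            cur.direction, cur.action = m.group(1), m.group(2)
        elif cur and (m := _REQUEST.match(line)):
            cur.requests.append(m.groups())
    return policies


def parse_sad(text):
    """(proto, mode, src, dst) for every SA in `setkey -D`; [] for 'No SAD entries.'"""
    sas, head = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _SA_HEAD.match(line)):
            head = (m.group(1), m.group(2))
        elif head and (m := _SA_BODY.match(line)):
            sas.append((m.group(1), m.group(2), head[0], head[1]))
    return sas


def unsatisfied_policies(policies, sas):
    """'require' policies with no matching SA. The kernel drops traffic that
    matches such a policy (it is never sent in clear), so a tunnel policy with
    an empty SAD means phase 2 never completed."""
    have, missing = set(sas), []
    for p in policies:
        if p.action != "ipsec":
            continue
        for proto, mode, local, remote, level in p.requests:
            if mode == "transport":  # simplified: assumes host selectors
                local, remote = p.src.split("/")[0], p.dst.split("/")[0]
            if level == "require" and (proto, mode, local, remote) not in have:
                missing.append((p.direction, p.src, p.dst, proto, mode, local, remote))
    return missing


_WEAK = (
    (r"verify_cert\s+off", "with hybrid_rsa the gateway is authenticated only by "
     "its certificate; unverified, any responder on UDP 500/4500 can pose as it"),
    (r"exchange_mode\s+aggressive", "aggressive mode sends ID payloads in clear"),
    (r"encryption_algorithm\s+3des", "3des is a 64-bit block cipher, prefer aes"),
    (r"(hash_algorithm\s+md5|authentication_algorithm\s+hmac_md5)",
     "md5-based integrity is deprecated, prefer sha256"),
    (r"dh_group\s+[12]\b", "dh_group 1/2 is 768/1024-bit MODP, prefer 14 or larger"),
)


def lint_racoon_conf(text):
    """Return (line number, stripped line, reason) for weak racoon.conf settings."""
    return [(n, line.strip(), why)
            for n, line in enumerate(text.splitlines(), 1)
            for pat, why in _WEAK if re.match(r"^\s*" + pat, line)]


# Constructed samples: SPD and racoon.conf lines from the question, one
# hypothetical SA (NAT-T form with [4500] ports) showing a completed phase 2.
SPD_SAMPLE = """(per-socket policy)
Policy:[Invalid direciton]
spid=371 seq=11 pid=2489
172.31.0.200[any] 0.0.0.0/0[any] any
out prio def ipsec
esp/tunnel/192.168.66.105-172.31.0.105/require
spid=345 seq=9 pid=2489
0.0.0.0/0[any] 172.31.0.200[any] any
in prio def ipsec
esp/tunnel/172.31.0.105-192.168.66.105/require
spid=352 seq=10 pid=2489
"""
SAD_EMPTY = "No SAD entries.\n"
SAD_ONE_SA = """192.168.66.105[4500] 172.31.0.105[4500]
\tesp-udp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
""".replace("esp-udp", "esp")
CLIENT_CONF = """remote 172.31.0.105 {
    exchange_mode aggressive;
    ca_type x509 "cacert.pem";
    verify_cert off;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method hybrid_rsa_client;
        dh_group 2;
    }
}
"""

if __name__ == "__main__":
    for m in unsatisfied_policies(parse_spd(SPD_SAMPLE), parse_sad(SAD_EMPTY)):
        print("no SA for policy:", m)
    for n, line, why in lint_racoon_conf(CLIENT_CONF):
        print(f"racoon.conf:{n}: {line}  # {why}")
```

Run it against live output with setkey -PD and setkey -D piped into parse_spd and parse_sad; when unsatisfied_policies returns both tunnel policies, the next place to look is racoon's log for the phase 2 (quick mode) negotiation, not the routing table. Note that the client's verify_cert off is the one finding that undoes the authentication hybrid_rsa_client is meant to give.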