LINUX.ORG.RU (forum section: Admin)

strongSwan and split-include in IKEv2


An IKEv2 server with EAP authentication and a pile of routes in split-includes is set up on a MikroTik.

Windows 10 connects and imports all of these routes. But Linux (including Android) with strongSwan gets only the first one out of the whole bunch.

I found a similar problem on askubuntu.com, and it has no solution.

charon-nm: 16[ENC] parsed IKE_AUTH response 5 [ CERT CERT IDr AUTH CPRP(ADDR MASK SUBNET SUBNET SUBNET SUBNET SUBNET SUBNET SUBNET SUBNET SUBNET SUBNET SUBNET SUBNET SUBNET DNS DNS) TSi TSr SA ]
charon-nm: 16[IKE] authentication of 'vpn.example.ru' with EAP successful
charon-nm: 16[IKE] IKE_SA vpn.example.ru (IKEv2)[2] established between 192.168.0.100[turbid]...1.2.3.4[vpn.example.ru]
charon-nm: 16[IKE] scheduling rekeying in 35981s
charon-nm: 16[IKE] maximum IKE_SA lifetime 36581s
charon-nm: 16[CFG] handling INTERNAL_IP4_NETMASK attribute failed
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
NetworkManager[649]: <info>  [1628233106.5784] vpn-connection[0x563d6c68a4f0,65764ea9-4823-4be6-935f-599aa4b3b3a5,"vpn.example.ru (IKEv2)",0]: VPN connection: (IP Config Get) reply received.
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
NetworkManager[649]: <info>  [1628233106.5790] vpn-connection[0x563d6c68a4f0,65764ea9-4823-4be6-935f-599aa4b3b3a5,"vpn.example.ru (IKEv2)",0]: VPN plugin: state changed: started (4)
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
NetworkManager[649]: <info>  [1628233106.5791] vpn-connection[0x563d6c68a4f0,65764ea9-4823-4be6-935f-599aa4b3b3a5,"vpn.example.ru (IKEv2)",0]: VPN connection: (IP4 Config Get) reply received
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
kded5[1213]: plasma-nm: Unhandled VPN connection state change:  4
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
NetworkManager[649]: <info>  [1628233106.5799] vpn-connection[0x563d6c68a4f0,65764ea9-4823-4be6-935f-599aa4b3b3a5,"vpn.example.ru (IKEv2)",0]: Data: VPN Gateway: 1.2.3.4
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
NetworkManager[649]: <info>  [1628233106.5800] vpn-connection[0x563d6c68a4f0,65764ea9-4823-4be6-935f-599aa4b3b3a5,"vpn.example.ru (IKEv2)",0]: Data: Tunnel Device: (null)
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
NetworkManager[649]: <info>  [1628233106.5800] vpn-connection[0x563d6c68a4f0,65764ea9-4823-4be6-935f-599aa4b3b3a5,"vpn.example.ru (IKEv2)",0]: Data: IPv4 configuration:
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
NetworkManager[649]: <info>  [1628233106.5800] vpn-connection[0x563d6c68a4f0,65764ea9-4823-4be6-935f-599aa4b3b3a5,"vpn.example.ru (IKEv2)",0]: Data:   Internal Address: 10.126.39.244
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
NetworkManager[649]: <info>  [1628233106.5800] vpn-connection[0x563d6c68a4f0,65764ea9-4823-4be6-935f-599aa4b3b3a5,"vpn.example.ru (IKEv2)",0]: Data:   Internal Prefix: 32
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
NetworkManager[649]: <info>  [1628233106.5800] vpn-connection[0x563d6c68a4f0,65764ea9-4823-4be6-935f-599aa4b3b3a5,"vpn.example.ru (IKEv2)",0]: Data:   Internal Point-to-Point Address: 10.126.39.244
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
NetworkManager[649]: <info>  [1628233106.5801] vpn-connection[0x563d6c68a4f0,65764ea9-4823-4be6-935f-599aa4b3b3a5,"vpn.example.ru (IKEv2)",0]: Data:   Internal DNS: 192.168.77.235
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
NetworkManager[649]: <info>  [1628233106.5801] vpn-connection[0x563d6c68a4f0,65764ea9-4823-4be6-935f-599aa4b3b3a5,"vpn.example.ru (IKEv2)",0]: Data:   Internal DNS: 192.168.77.236
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
NetworkManager[649]: <info>  [1628233106.5801] vpn-connection[0x563d6c68a4f0,65764ea9-4823-4be6-935f-599aa4b3b3a5,"vpn.example.ru (IKEv2)",0]: Data:   DNS Domain: '(none)'
charon-nm: 16[IKE] installing new virtual IP 10.126.39.244
NetworkManager[649]: <info>  [1628233106.5801] vpn-connection[0x563d6c68a4f0,65764ea9-4823-4be6-935f-599aa4b3b3a5,"vpn.example.ru (IKEv2)",0]: Data: No IPv6 configuration
avahi-daemon[644]: Registering new address record for 10.126.39.244 on enp3s0.IPv4.
NetworkManager[649]: <info>  [1628233106.5814] vpn-connection[0x563d6c68a4f0,65764ea9-4823-4be6-935f-599aa4b3b3a5,"vpn.example.ru (IKEv2)",0]: VPN connection: (IP Config Get) complete
charon-nm: 16[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ

Last edit: Turbid (total edits: 1)

Keep observing.

anonymous

Reply to: comment by anc

At the moment of connection:

$ sudo ip xfrm monitor 
Updated src 1.2.3.4 dst 192.168.0.100
        proto esp spi 0xcc6ff9ae reqid 3 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0xaa0409d6c92dba9d611ab240e63165f968685aaa805c0ee4b0ad1fff8752e2c9 128
        enc cbc(aes) 0x1ed10fa4ebe59d18c5b8d12ee7813dc98e9169cea6725c435057ad4e51047d90
        encap type espinudp sport 4500 dport 47221 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 192.168.0.100 dst 1.2.3.4
        proto esp spi 0x0f1e800a reqid 3 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha256) 0xed2e05d276c983cb13ff05277b2a4617ec19715e5b85c1ffa39a1bcb65b533a8 128
        enc cbc(aes) 0x1b9036bf9faa246c594dd6953a56f86cd971d0a10aa70029448b684e2e6d1eb6
        encap type espinudp sport 47221 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.126.0.0/24 dst 10.126.39.244/32 
        dir in priority 371327 
        tmpl src 1.2.3.4 dst 192.168.0.100
                proto esp reqid 3 mode tunnel
src 10.126.0.0/24 dst 10.126.39.244/32 
        dir fwd priority 371327 
        tmpl src 1.2.3.4 dst 192.168.0.100
                proto esp reqid 3 mode tunnel
src 10.126.39.244/32 dst 10.126.0.0/24 
        dir out priority 371327 
        tmpl src 192.168.0.100 dst 1.2.3.4
                proto esp spi 0x0f1e800a reqid 3 mode tunnel
src 192.168.0.1/32 dst 192.168.0.1/32 
        dir out priority 167231 
src 192.168.0.1/32 dst 192.168.0.1/32 
        dir in priority 167231 
src 192.168.0.1/32 dst 192.168.0.1/32 
        dir fwd priority 167231 

10.126.0.0/24 is one of the networks, the one that comes first in the split-include.

$ sudo ip xfrm state
src 192.168.0.100 dst 194.85.112.5
        proto esp spi 0x0f1e800a reqid 3 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha256) 0xed2e05d276c983cb13ff05277b2a4617ec19715e5b85c1ffa39a1bcb65b533a8 128
        enc cbc(aes) 0x1b9036bf9faa246c594dd6953a56f86cd971d0a10aa70029448b684e2e6d1eb6
        encap type espinudp sport 47221 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 194.85.112.5 dst 192.168.0.100
        proto esp spi 0xcc6ff9ae reqid 3 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0xaa0409d6c92dba9d611ab240e63165f968685aaa805c0ee4b0ad1fff8752e2c9 128
        enc cbc(aes) 0x1ed10fa4ebe59d18c5b8d12ee7813dc98e9169cea6725c435057ad4e51047d90
        encap type espinudp sport 4500 dport 47221 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
Turbid (topic author)

Try a different client implementation.

zgen

Reply to: comment by Turbid

1. Just in case, let me check: did keyexchange=ikev1 sneak in anywhere by chance? The thing is, it is precisely ikev1 that "only knows how to do a single subnet".
2. To rule out that the MikroTik simply isn't sending them, enable debugging: in ipsec.conf, in the config setup section, set the parameter charondebug = ike 4, cfg 4, net 4, and after connecting look at the logs to see whether all the subnets arrive or not.

anc

Last edit: anc (total edits: 1)
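One way to do the check anc suggests in point 2 against the charon-nm output already posted in this thread: count the CP attributes the gateway delivered in the IKE_AUTH reply (the CPRP payload) and compare with the "handling ... attribute failed" lines, so you can tell "the server never sent them" apart from "the client received them and dropped them". This is an added example, not code from the thread or from strongSwan; the log excerpt is constructed after the OP's output with placeholder names.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the charon-nm lines in this thread
# (hostname, addresses and the NM connection id are placeholders).
SAMPLE_LOG = """\
charon-nm: 16[ENC] parsed IKE_AUTH response 5 [ CERT CERT IDr AUTH CPRP(ADDR MASK SUBNET SUBNET SUBNET DNS DNS) TSi TSr SA ]
charon-nm: 16[IKE] authentication of 'vpn.example.ru' with EAP successful
charon-nm: 16[CFG] handling INTERNAL_IP4_NETMASK attribute failed
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
NetworkManager[649]: <info>  [1628233106.5784] vpn-connection[...]: VPN connection: (IP Config Get) reply received.
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
charon-nm: 16[CFG] handling INTERNAL_IP4_SUBNET attribute failed
charon-nm: 16[IKE] installing new virtual IP 10.126.39.244
"""

# The CPRP(...) list in the "parsed IKE_AUTH response" line names every
# configuration attribute the responder sent (ADDR, MASK, SUBNET, DNS, ...).
CPRP_RE = re.compile(r"parsed IKE_AUTH response \d+ \[.*?CPRP\(([^)]*)\)")
# charon logs one such line per attribute it could not apply.
FAILED_RE = re.compile(r"handling (INTERNAL_IP[46]_\w+) attribute failed")


def analyse(log_text):
    """Return (delivered, failed): counts of CP attribute types the gateway
    sent and of attribute types charon failed to handle."""
    delivered, failed = Counter(), Counter()
    for line in log_text.splitlines():
        m = CPRP_RE.search(line)
        if m:
            delivered.update(m.group(1).split())
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(1)] += 1
    return delivered, failed


def subnet_verdict(log_text):
    """Decide which side is losing the split-include subnets."""
    delivered, failed = analyse(log_text)
    sent = delivered["SUBNET"]
    lost = failed["INTERNAL_IP4_SUBNET"]
    if sent == 0:
        verdict = "gateway sent no INTERNAL_IP4_SUBNET: check split-include on the server"
    elif lost >= sent:
        verdict = "gateway sent the subnets, the client dropped every one of them"
    else:
        verdict = "some subnets were handled; compare with the installed xfrm policies"
    return {"sent": sent, "failed": lost, "verdict": verdict}
```

Run over the OP's full log the same way (each log line as-is); `ip xfrm policy` afterwards shows which of the sent subnets actually became policies.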