LINUX.ORG.RU

Posts by kulakov

 

How to join LANs over IPsec and still serve L2TP/IPsec

Forum — Admin

I badly need advice on how to join local networks over IPsec while still being able to use the VPN server to accept L2TP connections. As one option I am considering the scheme LAN1=>GRE=>ESP(public IPs) <=> (public IPs)ESP<=GRE<=LAN2, naturally with NAT. I am using CentOS 6.3 + OpenSWAN. Without NAT the site-to-site join works (this is currently set up as a test); with NAT, naturally, L2TP. As far as I can tell, OpenSWAN uses either tunnel or transport mode. Is it still possible to use both for each connection?

If the scheme LAN1=>GRE=>ESP(public IPs) <==type=transport==> (public IPs)ESP<=GRE<=LAN2 works, could you point me to examples or links? Has anyone implemented something like this?


kulakov

Cannot get IPsec working on CentOS 6.3/OpenSWAN

Forum — Admin

I have not had to administer Linux systems before, which is probably why I am stumbling. I think I have read all the man pages, but something does not add up. To the point. I need to connect local networks. For now, as a test, I want to join 2 LANs; later about 16 LANs will need to be joined.
For the central office I plan to use a gateway on CentOS 6.3; at the remote sites, ZyWALL USG 50 and 100 gateways (5 to 20 user devices each).

I did the following:
1) installed OpenSWAN:

yum install openswan

2) configured it:
2.1) /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	# klipsdebug=none
	plutodebug="all" # log everything, for debugging
	plutostderrlog=/var/log/pluto.log # where the log is written
	# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
	protostack=netkey
	nat_traversal=yes
	virtual_private=%v4:172.16.101.0/24
	oe=off
	# Enable this if you see "failed to find any available worker"
	# nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf

2.2) /etc/ipsec.d/conn.test2.conf
conn test2
	type=tunnel
	authby=secret
	ike=aes128-sha1;modp1024
	phase2=esp
	phase2alg=aes128-sha1
	pfs=no
	left=172.16.100.100
	leftsubnet=192.168.0.0/24
	leftnexthop=%defaultroute
	right=172.16.100.99
	rightsubnet=172.16.6.0/24
	rightnexthop=%defaultroute
	keyingtries=%forever
	dpdaction=clear
	auto=add

2.3) /etc/ipsec.secrets (I also tried a separate file via include; this is where I stopped for now)
172.16.100.100 172.16.100.99: PSK ¨123test123¨


But when I start it with
service ipsec start
the pluto log contains the following:
Plutorun started on Tue Mar 5 13:27:28 MSK 2013
adjusting ipsec.d to /etc/ipsec.d
nss directory plutomain: /etc/ipsec.d
NSS Initialized
Non-fips mode set in /proc/sys/crypto/fips_enabled
Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:10964
Non-fips mode set in /proc/sys/crypto/fips_enabled
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [enabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
   port floating activation criteria nat_t=1/port_float=1
   NAT-Traversal support  [enabled]
| inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
| event added at head of queue
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 1 cryptographic helpers
started helper (thread) pid=140134062548736 (fd:9)
Using Linux 2.6 IPsec interface code on 2.6.32-279.el6.x86_64 (experimental code)
| process 10964 listening for PF_KEY_V2 on file descriptor 13
| finish_pfkey_msg: K_SADB_REGISTER message 1 for AH 
|   02 07 00 02  02 00 00 00  01 00 00 00  d4 2a 00 00
| status value returned by setting the priority of this thread (id=0) 22
| helper 0 waiting on fd: 10
| pfkey_get: K_SADB_REGISTER message 1
| AH registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP 
|   02 07 00 03  02 00 00 00  02 00 00 00  d4 2a 00 00
| pfkey_get: K_SADB_REGISTER message 2
| alg_init():memset(0x7f7386810880, 0, 2048) memset(0x7f7386811080, 0, 2048) 
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=72
| kernel_alg_add():satype=3, exttype=14, alg_id=251
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14, satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
......................
alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=13
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[17], exttype=15, satype=3, alg_id=13, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=18
| kernel_alg_add():satype=3, exttype=15, alg_id=19
| kernel_alg_add():satype=3, exttype=15, alg_id=20
| kernel_alg_add():satype=3, exttype=15, alg_id=14
| kernel_alg_add():satype=3, exttype=15, alg_id=15
| kernel_alg_add():satype=3, exttype=15, alg_id=16
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
| ESP registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 3 for IPCOMP 
|   02 07 00 09  02 00 00 00  03 00 00 00  d4 2a 00 00
| pfkey_get: K_SADB_REGISTER message 3
| IPCOMP registered with kernel.
Could not change to directory '/etc/ipsec.d/cacerts': /
Could not change to directory '/etc/ipsec.d/aacerts': /
Could not change to directory '/etc/ipsec.d/ocspcerts': /
Could not change to directory '/etc/ipsec.d/crls'
| selinux support is NOT enabled. 
| inserting event EVENT_LOG_DAILY, timeout in 37952 seconds
| event added after event EVENT_REINIT_SECRET
| next event EVENT_PENDING_DDNS in 60 seconds
| 
| *received whack message
| alg_info_parse_str() ealg_buf=aes aalg_buf=sha1eklen=128  aklen=0
| enum_search_prefix () calling enum_search(0x7f73867f2540, "OAKLEY_AES")
| enum_search_ppfixi () calling enum_search(0x7f73867f2540, "OAKLEY_AES_CBC")
| parser_alg_info_add() ealg_getbyname("aes")=7
| enum_search_prefix () calling enum_search(0x7f73867f2560, "OAKLEY_SHA1")
Non-fips mode set in /proc/sys/crypto/fips_enabled
| parser_alg_info_add() aalg_getbyname("sha1")=2
| enum_search_prefix () calling enum_search(0x7f73867f25a0, "OAKLEY_GROUP_MODP1024")
| parser_alg_info_add() modp_getbyname("modp1024")=2
| __alg_info_ike_add() ealg=7 aalg=2 modp_id=2, cnt=1
| Added new connection test2 with policy PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+SAREFTRACK
| from whack: got --esp=aes128-sha1
| alg_info_parse_str() ealg_buf=aes aalg_buf=sha1eklen=128  aklen=0
| enum_search_prefix () calling enum_search(0x7f73867f2400, "ESP_AES")
| parser_alg_info_add() ealg_getbyname("aes")=12
| enum_search_prefix () calling enum_search(0x7f73867eca00, "AUTH_ALGORITHM_HMAC_SHA1")
Non-fips mode set in /proc/sys/crypto/fips_enabled
| parser_alg_info_add() aalg_getbyname("sha1")=2
| __alg_info_esp_add() ealg=12 aalg=2 cnt=1
| esp string values: AES(12)_128-SHA1(2)_000; flags=-strict
| ike (phase1) algorihtm values: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
| loopback=0 labeled_ipsec=0, policy_label=(null)
| counting wild cards for 172.16.100.100 is 0
| counting wild cards for 172.16.100.99 is 0
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=1
added connection description "test2"
| 192.168.0.0/24===172.16.100.100<172.16.100.100>[+S=C]---192.168.0.10...192.168.0.10---172.16.100.99<172.16.100.99>[+S=C]===172.16.6.0/24
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+SAREFTRACK
| * processed 0 messages from cryptographic helpers 
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
| 
| *received whack message
listening for IKE messages
| found lo with address 127.0.0.1
| found eth0 with address 192.168.0.236
| found eth1 with address 172.16.100.100
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
| NAT-Traversal: Trying old style NAT-T
adding interface eth1/eth1 172.16.100.100:500
adding interface eth1/eth1 172.16.100.100:4500
adding interface eth0/eth0 192.168.0.236:500
adding interface eth0/eth0 192.168.0.236:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
adding interface lo/lo ::1:500
| connect_to_host_pair: 172.16.100.100:500 172.16.100.99:500 -> hp:none 
loading secrets from "/etc/ipsec.secrets"
| id type added to secret(0x7f7387843cd0) PPK_PSK: 172.16.100.100
| id type added to secret(0x7f7387843cd0) PPK_PSK: 172.16.100.99
| Processing PSK at line 1: PSK data malformed (input does not begin with format prefix): \302\250123test123\302\250
"/etc/ipsec.secrets" line 1: PSK data malformed (input does not begin with format prefix): \302\250123test123\302\250
| * processed 0 messages from cryptographic helpers 
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
Can you advise what to do next? It looks like I have tangled myself up.


kulakov
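The last two lines of the log above are the actual failure: pluto read the PSK as \302\250123test123\302\250, i.e. the secret in /etc/ipsec.secrets is wrapped in U+00A8 (a diaeresis, typed instead of the ASCII double quote), so the data after PSK neither starts with `"` nor with a 0x/0s format prefix. As an added example (this is not code from the post or from Openswan), here is a small Python checker that applies that same rule to a secrets file and renders offending bytes the way pluto prints them. The sample file content is constructed for the example and includes the line from the post; the function names are my own.

```python
"""Check Openswan-style ipsec.secrets PSK lines for the "format prefix" error.

Added example, not part of the original post or of Openswan. It mirrors the
rule pluto applies to the data after "PSK": the value must be an ASCII
double-quoted string, or a token prefixed with 0x (hex), 0s (base64) or 0t.
A typographic quote such as U+00A8 (shown by pluto as \\302\\250) fails it.
"""
import re

# Constructed sample content for the example. Line 1 is the line from the
# post (with U+00A8 instead of ASCII quotes); lines 3 and 4 are well-formed;
# line 5 has no quotes and no prefix at all.
SAMPLE_SECRETS = (
    '172.16.100.100 172.16.100.99: PSK \u00a8123test123\u00a8\n'
    '# a comment line\n'
    '172.16.100.100 172.16.100.99: PSK "123test123"\n'
    '%any 172.16.100.99: PSK 0x3132337465737431\n'
    '10.0.0.1 10.0.0.2: PSK 123test123\n'
)

FORMAT_PREFIXES = ("0x", "0s", "0t")

# Matches "<id> <id>: PSK <data>". IPv6 ids contain colons and would need a
# smarter split; the example sticks to the IPv4 / %any form used in the post.
LINE_RE = re.compile(r'^(?P<ids>[^:#]*):\s*PSK\s+(?P<value>\S+)\s*$')


def octal_escape(text):
    """Render non-printable/non-ASCII bytes the way pluto logs them (\\302\\250)."""
    out = []
    for b in text.encode("utf-8"):
        out.append(chr(b) if 0x20 <= b < 0x7F else "\\%03o" % b)
    return "".join(out)


def check_psk_value(value):
    """Return None if the PSK data is acceptable, otherwise an error string."""
    if not value.isascii():
        return ("PSK data malformed (input does not begin with format prefix): "
                + octal_escape(value)
                + " (contains non-ASCII bytes; use plain ASCII double quotes)")
    if value.startswith('"'):
        if len(value) < 2 or not value.endswith('"'):
            return "unterminated quoted PSK"
        if len(value) == 2:
            return "empty PSK"
        return None
    if value.lower().startswith(FORMAT_PREFIXES):
        return None
    return "PSK data malformed (input does not begin with format prefix): " + value


def suggest_fix(value):
    """If the data is bracketed by a non-ASCII quote-like character, return it ASCII-quoted."""
    if len(value) >= 2 and not value[0].isascii() and value[0] == value[-1]:
        return '"' + value[1:-1] + '"'
    return None


def check_secrets(text):
    """Check every PSK line of a secrets file; return a list of (lineno, error)."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("include"):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, "not a recognised PSK line: " + octal_escape(line)))
            continue
        err = check_psk_value(m.group("value"))
        if err:
            fix = suggest_fix(m.group("value"))
            if fix:
                err += "; did you mean: " + m.group("ids") + ": PSK " + fix
            problems.append((lineno, err))
    return problems


if __name__ == "__main__":
    for lineno, err in check_secrets(SAMPLE_SECRETS):
        print("line %d: %s" % (lineno, err))
```

Run it against the real file with `check_secrets(open("/etc/ipsec.secrets").read())` on the gateway; a quick shell equivalent for just the non-ASCII case is `LC_ALL=C grep -n '[^ -~]' /etc/ipsec.secrets`. Remember to `service ipsec restart` (or `ipsec secrets`) after editing the file so pluto reloads it.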
