[linux-support] IPSEC site-to-site openswan <-> strongswan multiple remote subnetworks
Rene Moser
mail at renemoser.net
Mon Apr 24 14:50:57 CEST 2017
Hello everyone,
I am trying to set up a site-to-site VPN between an openswan gateway and
strongswan.
10.222.0.0/16 via 82.82.82.82 <-> 3.3.3.3 via
10.100.45.0/24,10.100.0.0/24,10.100.11.0/24,10.100.1.0/24
That works so far, but only with a single subnet, e.g. 10.100.45.0/24.
The networks 10.100.0.0/24, 10.100.11.0/24 and 10.100.1.0/24 are not reachable.
If I change the config accordingly, I also get a tunnel up with those
networks, but only for one network at a time.
(Unfortunately it is "technically" not possible for me to create one config
per network, due to a limitation of the cloud software...)
# ip xfrm policy
src 10.222.0.0/16 dst 10.100.45.0/24
dir out priority 2600 ptype main
tmpl src 82.82.82.82 dst 3.3.3.3
proto esp reqid 16417 mode tunnel
src 10.100.45.0/24 dst 10.222.0.0/16
dir fwd priority 2600 ptype main
tmpl src 3.3.3.3 dst 82.82.82.82
proto esp reqid 16417 mode tunnel
src 10.100.45.0/24 dst 10.222.0.0/16
dir in priority 2600 ptype main
tmpl src 3.3.3.3 dst 82.82.82.82
proto esp reqid 16417 mode tunnel
Here are the configs:
strongswan:
conn strongswan-conn
keyexchange=ikev2
left=3.3.3.3
right=82.82.82.82
type=tunnel
authby=secret
leftid="fooo.example.com"
rightid="82.82.82.82"
compress=no
ike=aes256-sha1-modp1024!
esp=aes256-sha1-modp1024!
lifetime=3600
ikelifetime=10800
dpdaction=restart
dpddelay=30s
keyingtries=300
auto=start
mark=1076887561
reqid=65536
leftupdown=/usr/lib/ipsec/updown-cvpn cvti9 6040 2040
leftsubnet=10.100.45.0/24,10.100.0.0/24,10.100.11.0/24,10.100.1.0/24
rightsubnet=10.222.0.0/16
openswan:
conn openswan-conn
left=82.82.82.82
leftsubnet=10.222.0.0/16
leftnexthop=82.82.82.1
right=3.3.3.3
rightsubnets={10.100.0.0/24 10.100.1.0/24 10.100.11.0/24 10.100.45.0/24}
type=tunnel
authby=secret
keyexchange=ike
ike=aes256-sha1;modp1024
ikelifetime=10800s
esp=aes256-sha1
salifetime=3600s
pfs=no
keyingtries=2
auto=start
ipsec status says "unrouted" for the 3 unreachable networks, and "erouted"
for the reachable one.
# ipsec auto status
...
000 "vpn-3.3.3.3/0x3":
10.222.0.0/16===82.82.82.82<82.82.82.82>[+S=C]---82.82.82.1...3.3.3.3<3.3.3.3>[+S=C]===10.100.11.0/24;
unrouted; eroute owner: #0
000 "vpn-3.3.3.3/0x3": myip=unset; hisip=unset;
000 "vpn-3.3.3.3/0x3": ike_life: 10800s; ipsec_life: 3600s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2
000 "vpn-3.3.3.3/0x3": policy:
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,24;
interface: eth1;
000 "vpn-3.3.3.3/0x3": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpn-3.3.3.3/0x3": aliases: vpn-3.3.3.3
000 "vpn-3.3.3.3/0x3": IKE algorithms wanted:
AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "vpn-3.3.3.3/0x3": IKE algorithms found:
AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "vpn-3.3.3.3/0x3": ESP algorithms wanted: AES(12)_256-SHA1(2)_000;
flags=-strict
000 "vpn-3.3.3.3/0x3": ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "vpn-3.3.3.3/0x4":
10.222.0.0/16===82.82.82.82<82.82.82.82>[+S=C]---82.82.82.1...3.3.3.3<3.3.3.3>[+S=C]===10.100.45.0/24;
erouted; eroute owner: #577
000 "vpn-3.3.3.3/0x4": myip=unset; hisip=unset;
000 "vpn-3.3.3.3/0x4": ike_life: 10800s; ipsec_life: 3600s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2
000 "vpn-3.3.3.3/0x4": policy:
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,24;
interface: eth1;
000 "vpn-3.3.3.3/0x4": newest ISAKMP SA: #576; newest IPsec SA: #577;
000 "vpn-3.3.3.3/0x4": aliases: vpn-3.3.3.3
000 "vpn-3.3.3.3/0x4": IKE algorithms wanted:
AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "vpn-3.3.3.3/0x4": IKE algorithms found:
AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "vpn-3.3.3.3/0x4": IKE algorithm newest: _256-SHA1-MODP1024
000 "vpn-3.3.3.3/0x4": ESP algorithms wanted: AES(12)_256-SHA1(2)_000;
flags=-strict
000 "vpn-3.3.3.3/0x4": ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "vpn-3.3.3.3/0x4": ESP algorithm newest: AES_256-HMAC_SHA1;
pfsgroup=<N/A>
# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
CONNMARK all -- anywhere anywhere state NEW
CONNMARK set 0x1
CONNMARK all -- anywhere anywhere state
RELATED,ESTABLISHED CONNMARK restore
ACL_OUTBOUND_eth2 all -- 10.222.1.0/24 !10.222.1.1
state NEW
Chain INPUT (policy ACCEPT)
target prot opt source destination
MARK all -- 10.100.0.0/24 10.222.0.0/16 MARK set 0x524
MARK all -- 10.100.1.0/24 10.222.0.0/16 MARK set 0x524
MARK all -- 10.100.11.0/24 10.222.0.0/16 MARK set 0x524
MARK all -- 10.100.45.0/24 10.222.0.0/16 MARK set 0x524
Chain FORWARD (policy ACCEPT)
target prot opt source destination
MARK all -- 10.100.45.0/24 10.222.0.0/16 MARK set 0x524
MARK all -- 10.222.0.0/16 10.100.45.0/24 MARK set 0x525
MARK all -- 10.100.11.0/24 10.222.0.0/16 MARK set 0x524
MARK all -- 10.222.0.0/16 10.100.11.0/24 MARK set 0x525
MARK all -- 10.100.1.0/24 10.222.0.0/16 MARK set 0x524
MARK all -- 10.222.0.0/16 10.100.1.0/24 MARK set 0x525
MARK all -- 10.100.0.0/24 10.222.0.0/16 MARK set 0x524
MARK all -- 10.222.0.0/16 10.100.0.0/24 MARK set 0x525
VPN_STATS_eth1 all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
CHECKSUM udp -- anywhere anywhere udp
dpt:bootpc CHECKSUM fill
MARK all -- 10.222.0.0/16 10.100.0.0/24 MARK set 0x525
MARK all -- 10.222.0.0/16 10.100.1.0/24 MARK set 0x525
MARK all -- 10.222.0.0/16 10.100.11.0/24 MARK set 0x525
MARK all -- 10.222.0.0/16 10.100.45.0/24 MARK set 0x525
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain ACL_OUTBOUND_eth2 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain VPN_STATS_eth1 (1 references)
target prot opt source destination
all -- anywhere anywhere mark match
0x525
all -- anywhere anywhere mark match
0x524
Tips?
Regards
René
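The `ip xfrm policy` listing above is the most direct evidence of which subnet pairs the kernel actually protects: a tunnel-mode pair is only usable when an `out` policy (local to remote) plus matching `in` and `fwd` policies (remote to local) are installed. The following script, added here as an illustration and not code from the thread, openswan or strongswan, parses that output and compares it against the subnet pairs the posted openswan conn declares. The sample input is constructed from the `ip xfrm policy` output quoted in the mail, and the expected pairs are taken from the posted `leftsubnet`/`rightsubnets` values.

```python
"""Check which configured IPsec subnet pairs are missing from the kernel's
XFRM policy database.

Added example for the mailing-list thread; not code from openswan/strongswan.
Assumes the usual tunnel-mode layout: one `out` policy per local->remote pair
and `in` + `fwd` policies per remote->local pair.
"""
import ipaddress
import re

# Constructed sample: the `ip xfrm policy` output quoted in the mail
# (indentation restored; only the 10.100.45.0/24 pair is present).
SAMPLE_XFRM_POLICY = """\
src 10.222.0.0/16 dst 10.100.45.0/24
    dir out priority 2600 ptype main
    tmpl src 82.82.82.82 dst 3.3.3.3
        proto esp reqid 16417 mode tunnel
src 10.100.45.0/24 dst 10.222.0.0/16
    dir fwd priority 2600 ptype main
    tmpl src 3.3.3.3 dst 82.82.82.82
        proto esp reqid 16417 mode tunnel
src 10.100.45.0/24 dst 10.222.0.0/16
    dir in priority 2600 ptype main
    tmpl src 3.3.3.3 dst 82.82.82.82
        proto esp reqid 16417 mode tunnel
"""

# Values from the posted openswan conn (leftsubnet / rightsubnets).
LOCAL_SUBNET = "10.222.0.0/16"
REMOTE_SUBNETS = ["10.100.0.0/24", "10.100.1.0/24", "10.100.11.0/24", "10.100.45.0/24"]

# A policy entry starts at column 0 with "src <net> dst <net>"; the
# indented lines that follow carry its direction and the SA template.
POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s*dir (in|out|fwd)\b")
TMPL_RE = re.compile(r"^\s*tmpl src (\S+) dst (\S+)")


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` text into a list of dicts
    {src, dst, dir, tmpl_src, tmpl_dst}, one per policy entry."""
    policies = []
    cur = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "dir": None, "tmpl_src": None, "tmpl_dst": None}
            policies.append(cur)
            continue
        if cur is None:
            continue  # text before the first entry
        m = DIR_RE.match(line)
        if m:
            cur["dir"] = m.group(1)
            continue
        m = TMPL_RE.match(line)
        if m:
            cur["tmpl_src"], cur["tmpl_dst"] = m.group(1), m.group(2)
    return policies


def expected_policies(local, remotes):
    """Set of (src, dst, dir) triples a tunnel-mode conn should install:
    out for local->remote, in and fwd for remote->local, per subnet pair."""
    local = ipaddress.ip_network(local)
    wanted = set()
    for r in remotes:
        r = ipaddress.ip_network(r)
        wanted.add((local, r, "out"))
        wanted.add((r, local, "in"))
        wanted.add((r, local, "fwd"))
    return wanted


def missing_policies(text, local, remotes):
    """Return a sorted list of (src, dst, dir) string triples that the
    configuration requires but the kernel does not have installed."""
    have = {(p["src"], p["dst"], p["dir"]) for p in parse_xfrm_policy(text)}
    missing = expected_policies(local, remotes) - have
    return sorted((str(s), str(d), direction) for s, d, direction in missing)


if __name__ == "__main__":
    # On a real gateway: replace SAMPLE_XFRM_POLICY with the output of
    # `ip xfrm policy` (e.g. via subprocess) and the lists with your conn's values.
    for src, dst, direction in missing_policies(SAMPLE_XFRM_POLICY, LOCAL_SUBNET, REMOTE_SUBNETS):
        print(f"no {direction:3} policy for {src} -> {dst}")
```

Run against the posted output it reports nine missing entries (three directions for each of 10.100.0.0/24, 10.100.1.0/24 and 10.100.11.0/24), which matches the three conn instances that `ipsec auto status` shows as `unrouted`. Checking the policy database this way, rather than only the daemon's status, also catches the case where a CHILD_SA was negotiated but the updown script failed to install the policies.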