128475

Host-to-Site VPN between Openswan and Fritzboxes

Good evening,

  • I have a challenge here regarding an Openswan configuration between a Debian Jessie host and several Fritzbox networks.

  • In the end, a CheckMK instance is to run at hosting provider xy, connected via IPsec VPN to several independent networks (10-15 networks) and monitoring them.

  • Right now I am trying to connect CheckMK-01 (KVM VM at the hosting provider | fixed public IP directly on the network) with Netz-A (PAT router with dynamic IP | DDNS provider available, used for name resolution) in order to have one working connection on which all the following ones will be built, configuration-wise.

So much for the plan!

Here comes the challenge:

First the configs, which I pieced together from many different guides.
Here are a few examples:



My ipsec.conf on CheckMK-01

Changed lines are marked with two asterisks at the beginning and at the end (**)

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Do not set debug options to debug configuration issues!
	# plutodebug / klipsdebug = "all", "none" or a combination from below:  
	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"  
	# eg:
	**plutodebug="all"**  
	# Again: only enable plutodebug or klipsdebug when asked by a developer
	#
	# enable to get logs per-peer
	# plutoopts="--perpeerlog"  
	#
	# Enable core dumps (might require system changes, like ulimit -C)
	# This is required for abrtd to work properly
	# Note: incorrect SElinux policies might prevent pluto writing the core
	dumpdir=/var/run/pluto/
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	nat_traversal=yes
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	# It seems that T-Mobile in the US and Rogers/Fido in Canada are
	# using 25/8 as "private" address space on their 3G network.  
	# This range has not been announced via BGP (at least upto 2010-12-21)
	virtual_private=%v4:123.123.123.0/24
	# OE is now off by default. Uncomment and change to on, to enable.
	oe=off
	# which IPsec stack to use. auto will try netkey, then klips then mast
	protostack=auto
	# Use this to log to a file, or disable logging on embedded systems (like openwrt)
	**plutostderrlog=/var/log/openswan.log**

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#		# Left security gateway, subnet behind it, nexthop toward right.
#		left=10.0.0.1
#		leftsubnet=172.16.0.0/24
#		leftnexthop=10.22.33.44
#		# Right security gateway, subnet behind it, nexthop toward left.
#		right=10.12.12.1
#		rightsubnet=192.168.0.0/24
#		rightnexthop=10.101.102.103
#		# To authorize this connection, but not actually start it, 
#		# at startup, uncomment this.
#		#auto=add
**conn xyz
	left=%defaultroute
	leftsubnet=123.123.123.123/32
	right=remote.ddns.yz
	rightsubnet=123.123.123.0/24
	auth=esp
	auto=start
	authby=secret
	type=tunnel
	aggrmode=yes
	ike=aes256-sha1;modp2048
	phase2=esp
	phase2alg=aes256-sha1;modp2048**

ipsec.secrets on CheckMK-01
**remote.ddns.yz : PSK "hierstehteigentlichpsk"**  

sysctl.conf on CheckMK-01
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
**net.ipv4.ip_forward=1**

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
**net.ipv4.conf.all.accept_redirects = 0**
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
**net.ipv4.conf.all.send_redirects = 0**
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
ipsec verify result on CheckMK-01
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.16.0-4-amd64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]  
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]  
Opportunistic Encryption Support                                [DISABLED]

vpn.cfg on one of the Fritzboxes
**vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "CheckMK-01 Cloud";  
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 123.123.123.123;
                remote_virtualip = 0.0.0.0;
                localid {
                        fqdn = local.ddns.yz;
                }
                remoteid {
                        ipaddr = 123.123.123.123;
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";  
                keytype = connkeytype_pre_shared;
                key = "hierstehteigentlichpsk";  
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 123.123.123.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 123.123.123.123;
                                mask = 255.255.255.255;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";  
                accesslist = "permit ip any 123.123.123.123 255.255.255.255";  
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",   
                            "udp 0.0.0.0:4500 0.0.0.0:4500";  
}**

openswan.log on CheckMK-01
Plutorun started on Mon Oct 24 18:22:49 CEST 2016
adjusting ipsec.d to /etc/ipsec.d
Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:3606
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [disabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
   port floating activation criteria nat_t=1/port_float=1
   NAT-Traversal support  [enabled]
| opening /dev/urandom
using /dev/urandom as source of random entropy
| inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
| event added at head of queue
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=3609 (fd:4)
Kernel interface auto-pick
Using Linux 2.6 IPsec interface code on 3.16.0-4-amd64 (experimental code)
| process 3606 listening for PF_KEY_V2 on file descriptor 8
| finish_pfkey_msg: K_SADB_REGISTER message 1 for AH 
|   02 07 00 02  02 00 00 00  01 00 00 00  16 0e 00 00
| opening /dev/urandom
using /dev/urandom as source of random entropy
! helper 0 waiting on fd: 5
| pfkey_get: K_SADB_REGISTER message 1
| AH registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP 
|   02 07 00 03  02 00 00 00  02 00 00 00  16 0e 00 00
| pfkey_get: K_SADB_REGISTER message 2
| alg_init():memset(0x7fa290d8d660, 0, 2016) memset(0x7fa290d8de40, 0, 2048) 
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=72
| kernel_alg_add():satype=3, exttype=14, alg_id=251
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg, exttype=14, satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=2
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14, satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=3
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14, satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=5
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14, satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=6
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14, satype=3, alg_id=6, alg_ivlen=0, alg_minbits=384, alg_maxbits=384, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=7
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14, satype=3, alg_id=7, alg_ivlen=0, alg_minbits=512, alg_maxbits=512, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=8
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=14, satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=9
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=14, satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=88
| kernel_alg_add():satype=3, exttype=15, alg_id=11
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15, satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=2
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15, satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=3
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15, satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=6
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15, satype=3, alg_id=6, alg_ivlen=8, alg_minbits=40, alg_maxbits=128, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=7
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15, satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=12
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15, satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=252
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15, satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=22
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[15], exttype=15, satype=3, alg_id=22, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=253
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[16], exttype=15, satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=13
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[17], exttype=15, satype=3, alg_id=13, alg_ivlen=8, alg_minbits=160, alg_maxbits=288, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=18
| kernel_alg_add():satype=3, exttype=15, alg_id=19
| kernel_alg_add():satype=3, exttype=15, alg_id=20
| kernel_alg_add():satype=3, exttype=15, alg_id=14
| kernel_alg_add():satype=3, exttype=15, alg_id=15
| kernel_alg_add():satype=3, exttype=15, alg_id=16
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
| ESP registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 3 for IPCOMP 
|   02 07 00 09  02 00 00 00  03 00 00 00  16 0e 00 00
| pfkey_get: K_SADB_REGISTER message 3
| IPCOMP registered with kernel.
Changed path to directory '/etc/ipsec.d/cacerts'  
Changed path to directory '/etc/ipsec.d/aacerts'  
Changed path to directory '/etc/ipsec.d/ocspcerts'  
Changing to directory '/etc/ipsec.d/crls'  
  Warning: empty directory
| inserting event EVENT_LOG_DAILY, timeout in 20231 seconds
| event added after event EVENT_REINIT_SECRET
| next event EVENT_PENDING_DDNS in 60 seconds
|  
| *received whack message
connection must specify host IP address for our side
attempt to load incomplete connection
| * processed 0 messages from cryptographic helpers 
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|  
| *received whack message
listening for IKE messages
| found lo with address 127.0.0.1
| found eth0 with address 185.101.93.99
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
adding interface eth0/eth0 185.101.93.99:500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
adding interface eth0/eth0 185.101.93.99:4500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:4500
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"  
| id type added to secret(0x7fa291e4c740) PPK_PSK: 217.80.136.194
"/etc/ipsec.secrets" line 1: unterminated string  
| Processing PSK at line 1: passed
| * processed 0 messages from cryptographic helpers 
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|  
| *received whack message
| * processed 0 messages from cryptographic helpers 
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|  
| *received whack message
initiating all conns with alias='berg'   
| * processed 0 messages from cryptographic helpers 
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|  
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 60 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| next event EVENT_PENDING_DDNS in 60 seconds
|  
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 0 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added after event EVENT_PENDING_PHASE2
| handling event EVENT_PENDING_PHASE2
| event after this is EVENT_PENDING_DDNS in 60 seconds
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
| next event EVENT_PENDING_DDNS in 60 seconds
...
...

I suspect the first error is already at line 84 of the log.
But even after further searching I can't make much of it.
The same goes for the other errors.

The connection should actually be established after a restart of the service.
But that doesn't happen.

On top of that, as soon as I activate the VPN profile in the FritzBox,
I can no longer reach the box from CheckMK-01, and from the Fritzbox's network I can no longer reach CheckMK-01.
So both directions stop working as soon as I create the profile.

So the problem is the following.
No connection is established between CheckMK-01 and Netz-A.
They also can no longer reach each other via ICMP and HTTP as soon as the VPN profile in the Fritzbox is activated at all, which looks like a fundamental problem.

How do I solve the problems described, do you have an idea?

Regards
Leonard

P.S.
After activating the VPN profile, the Fritzbox reports a "Timeout"

Content-Key: 318981

Url: https://administrator.de/contentid/318981
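As an added example (not code from the original post, and not part of Openswan or the FRITZ!Box firmware), the following Python script cross-checks the two halves of the configuration shown above against each other and against ipsec.secrets: the phase-2 selectors must mirror each other (leftsubnet against phase2remoteid, rightsubnet against phase2localid), remoteip must be the Openswan host's own address, aggressive mode must be set on both sides, the PSK indexed by the peer name must equal the vpncfg key, and the ipsec.secrets line must be a properly quoted string, which is the syntax error pluto reports as "unterminated string". The embedded configs are constructed samples using the post's placeholders (123.123.123.x, remote.ddns.yz, local.ddns.yz); the rightid check rests on the assumption that Openswan matches the FRITZ!Box's FQDN identity only when rightid=@<fqdn> is set on the conn, and run_sample's default public IP is the post's placeholder address.

```python
"""Cross-check an Openswan conn + ipsec.secrets against a FRITZ!Box vpncfg export; samples are constructed, mirroring the post's placeholders."""
import ipaddress
import re

OPENSWAN_CONN = """conn xyz
  left=%defaultroute
  leftsubnet=123.123.123.123/32
  right=remote.ddns.yz
  rightsubnet=123.123.123.0/24
  authby=secret
  aggrmode=yes
"""
IPSEC_SECRETS = 'remote.ddns.yz : PSK "hierstehteigentlichpsk"\n'
FRITZ_VPNCFG = """vpncfg {
  connections {
    remoteip = 123.123.123.123;
    localid { fqdn = local.ddns.yz; }
    mode = phase1_mode_aggressive;
    key = "hierstehteigentlichpsk";
    phase2localid { ipnet { ipaddr = 123.123.123.0; mask = 255.255.255.0; } }
    phase2remoteid { ipnet { ipaddr = 123.123.123.123; mask = 255.255.255.255; } }
  }
}
"""

def parse_openswan_conn(text):
    """key=value pairs of one conn block; the header, comments and blanks are skipped."""
    conn = {}
    for line in map(str.strip, text.splitlines()):
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conn[key.strip()] = value.strip()
    return conn

def parse_vpncfg(text):
    """Recursive-descent parser for 'key = value;' / 'name { ... }'; comma-separated values become lists."""
    tokens = re.findall(r'"[^"]*"|[{};=,]|[^\s{};=,"]+', text)
    pos = 0
    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key, pos = tokens[pos], pos + 1
            if tokens[pos] == "{":
                pos += 1
                node[key] = block()
                pos += 1  # closing brace
            elif tokens[pos] == "=":
                pos += 1
                values = []
                while tokens[pos] != ";":
                    if tokens[pos] != ",":
                        values.append(tokens[pos].strip('"'))
                    pos += 1
                pos += 1  # semicolon
                node[key] = values[0] if len(values) == 1 else values
            else:
                raise ValueError(f"unexpected token {tokens[pos]!r} after {key!r}")
        return node
    return block()

def parse_secrets(text):
    """{index: psk}, one entry per line; a PSK without its closing quote raises (pluto: 'unterminated string')."""
    secrets = {}
    for n, line in enumerate(text.splitlines(), 1):
        m = re.fullmatch(r'\s*([^:]+?)\s*:\s*PSK\s+"([^"]*)"\s*', line)
        if not m:
            raise ValueError(f"ipsec.secrets line {n}: malformed or unterminated string")
        for index in m.group(1).split():
            secrets[index] = m.group(2)
    return secrets

def ipnet(node):
    return ipaddress.ip_network(f"{node['ipnet']['ipaddr']}/{node['ipnet']['mask']}", strict=False)

def cross_check(conn, fritz, secrets, our_public_ip=None):
    """List of mismatches; empty means both sides agree."""
    f, out = fritz["vpncfg"]["connections"], []
    # phase 2: each side's remote selector must equal the other side's local one
    for fkey, okey in (("phase2remoteid", "leftsubnet"), ("phase2localid", "rightsubnet")):
        if ipnet(f[fkey]) != ipaddress.ip_network(conn[okey], strict=False):
            out.append(f"{fkey} {ipnet(f[fkey])} != {okey} {conn[okey]}")
    # peer address: with left=%defaultroute the caller has to supply our public IP
    ours = our_public_ip if conn.get("left") == "%defaultroute" else conn.get("left")
    if f["remoteip"] != ours:
        out.append(f"remoteip {f['remoteip']} != our address {ours}")
    if (f["mode"] == "phase1_mode_aggressive") != (conn.get("aggrmode") == "yes"):
        out.append("aggressive mode enabled on one side only")
    if secrets.get(conn["right"], secrets.get("%any")) != f["key"]:
        out.append(f"PSK for {conn['right']} missing or different from the vpncfg key")
    # IKE ID: the box sends its DDNS FQDN; assumption: Openswan needs rightid=@<fqdn> to match it
    fqdn = f.get("localid", {}).get("fqdn")
    if fqdn and conn.get("rightid") != f"@{fqdn}":
        out.append(f"peer sends ID {fqdn}; set rightid=@{fqdn} in the conn")
    return out

def run_sample(our_public_ip="123.123.123.123"):
    return cross_check(parse_openswan_conn(OPENSWAN_CONN), parse_vpncfg(FRITZ_VPNCFG),
                       parse_secrets(IPSEC_SECRETS), our_public_ip)
```

With the sample inputs the only finding is the missing rightid; to check a real deployment, read the actual ipsec.conf, ipsec.secrets and vpn.cfg into the three constants and pass the real public address of the Openswan host to run_sample.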


Member: aqui
aqui Nov 19, 2016 at 11:05:04 (UTC)
Member: 128475
128475 Nov 19, 2016 at 11:14:08 (UTC)
Thank you very much for your help.

In the thread you linked, I wrote that I will then take care of this thread and post a solution.
Once that is done, the thread will be set to "solved". :)