Hey folks,
I'm currently setting up an IPsec tunnel between a Fritzbox and an OpenSwan server. The OpenSwan server runs on a Nethserver installation, which in turn runs in a virtual machine on a Proxmox node.
The Nethserver acts as the router in my home network and sits directly on a fibre line with DynDNS. The Fritzbox is on a regular 16,000 Telekom DSL line, also with DynDNS.
Here is my configuration (NS = Nethserver):
/etc/ipsec.conf
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:192.168.179.0./24,%v4:192.168.177.0./24
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=

conn Site-to-Site
    authby=secret
    auto=add
    type=tunnel
    aggrmode=yes
    left= NS PUBLIC IP
    leftid= NS DYNDNS FQDN
    leftnexthop=%defaultroute
    leftsourceip=192.168.177.21
    leftsubnet=192.168.177.0/24
    right=%any
    rightsubnet=192.168.179.0/24
    rightid= FRITZBOX DYNDNS FQDN
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048
/etc/ipsec.secrets
NS PUBLIC IP %any: PSK "PRE-SHARED-KEY"
Fritzbox config:
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "NS FQDN";
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = PUBLIC IP NS;
        remote_virtualip = 0.0.0.0;
        localid {
            fqdn = "FRITZBOX FQDN";
        }
        remoteid {
            fqdn = "NS FQDN";
        }
        mode = phase1_mode_aggressive;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "PRE SHARED KEY";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = yes;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.179.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.177.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        accesslist = "permit ip any 192.168.177.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}

// EOF
But no connection is established. The OpenSwan server's log file shows this:
Sep 26 12:44:34 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: received Vendor ID payload [XAUTH]
Sep 26 12:44:34 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: received Vendor ID payload [Dead Peer Detection]
Sep 26 12:44:34 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: received Vendor ID payload [RFC 3947]
Sep 26 12:44:34 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 26 12:44:34 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 26 12:44:34 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: initial Aggressive Mode message from 79.235.28.32 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 26 12:44:36 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: received Vendor ID payload [XAUTH]
Sep 26 12:44:36 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: received Vendor ID payload [Dead Peer Detection]
Sep 26 12:44:36 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: received Vendor ID payload [RFC 3947]
Sep 26 12:44:36 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 26 12:44:36 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 26 12:44:36 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: initial Aggressive Mode message from 79.235.28.32 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 26 12:44:40 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: received Vendor ID payload [XAUTH]
Sep 26 12:44:40 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: received Vendor ID payload [Dead Peer Detection]
Sep 26 12:44:40 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: received Vendor ID payload [RFC 3947]
Sep 26 12:44:40 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 26 12:44:40 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 26 12:44:40 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: initial Aggressive Mode message from 79.235.28.32 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 26 12:44:48 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: received Vendor ID payload [XAUTH]
Sep 26 12:44:48 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: received Vendor ID payload [Dead Peer Detection]
Sep 26 12:44:48 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: received Vendor ID payload [RFC 3947]
Sep 26 12:44:48 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 26 12:44:48 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 26 12:44:48 NET01 pluto[8477]: packet from PUBLIC IP FRITZBOX: initial Aggressive Mode message from 79.235.28.32 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
This message is written to the log file roughly every 10 seconds. Can anyone tell me what's causing this?
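Added example, not part of the original post: a small Python triage script that parses pluto's "packet from" lines in the format of the log above and summarises, per peer, which vendor IDs were seen and how pluto treated them, which policy string the responder found no conn for, and how far apart the peer's retries are. The sample log is constructed; the peer address 203.0.113.5 is a placeholder, and the only page values reused are the timestamps, the policy string and the unknown vendor ID.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of the pluto log in the post above; the
# peer address 203.0.113.5 is a documentation placeholder, not a real host.
SAMPLE_LOG = """\
Sep 26 12:44:34 NET01 pluto[8477]: packet from 203.0.113.5: received Vendor ID payload [XAUTH]
Sep 26 12:44:34 NET01 pluto[8477]: packet from 203.0.113.5: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 26 12:44:34 NET01 pluto[8477]: packet from 203.0.113.5: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 26 12:44:34 NET01 pluto[8477]: packet from 203.0.113.5: initial Aggressive Mode message from 203.0.113.5 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 26 12:44:36 NET01 pluto[8477]: packet from 203.0.113.5: initial Aggressive Mode message from 203.0.113.5 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 26 12:44:40 NET01 pluto[8477]: packet from 203.0.113.5: initial Aggressive Mode message from 203.0.113.5 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 26 12:44:48 NET01 pluto[8477]: packet from 203.0.113.5: initial Aggressive Mode message from 203.0.113.5 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "
                     r"packet from (?P<peer>[0-9.]+): (?P<msg>.*)$")
VID_RE = re.compile(r"^(?P<verdict>ignoring unknown|ignoring|received) Vendor ID payload \[(?P<vid>[^\]]+)\]")
POLICY_RE = re.compile(r"no \(wildcard\) connection has been configured with policy (?P<policy>\S+)")


def triage_pluto_log(text):
    """Per peer: vendor IDs seen (with pluto's verdict on each), how often the
    responder found no conn for the requested policy, and the retry spacing."""
    peers = defaultdict(lambda: {"vendor_ids": {}, "missing_policy": Counter(), "attempts": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a 'packet from' line
        rec, msg = peers[m["peer"]], m["msg"]
        if v := VID_RE.match(msg):
            rec["vendor_ids"][v["vid"]] = v["verdict"]
        elif p := POLICY_RE.search(msg):
            rec["missing_policy"][p["policy"]] += 1
            # syslog stamps carry no year; strptime's default 1900 is fine for deltas
            rec["attempts"].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    for rec in peers.values():
        ts = rec["attempts"]
        # gaps between consecutive rejected proposals show the peer's retry backoff
        rec["retry_intervals_s"] = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
    return dict(peers)


def policy_flags(policy):
    """Split pluto's '+'-joined policy string (e.g. PSK+AGGRESSIVE+IKEV1_ALLOW)
    into the set of flags a matching conn would have to satisfy."""
    return set(policy.split("+"))
```

Run against a real pluto log by passing the file contents to triage_pluto_log; the retry intervals of the sample (2, 4, 8 seconds) show the backoff pattern behind the "roughly every 10 seconds" impression.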