Hello everyone,
I have set up strongSwan. The connection from Android works. Unfortunately I can reach neither hosts on the local network nor hosts on the Internet. DNS resolution and ping don't work.
The setup:
Virtual machine:
Ubuntu Server 20.04 (freshly installed)
IP 10.0.0.100
Connected to the bridge; access to the local network and the Internet works.
/etc/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    #ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    #esp=aes256-sha256,aes256-sha1,3des-sha1!
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    # server side
    left=%any
    leftid=@vpn.my.dns.org
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    # client side
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.0.1.10-10.0.1.40
    rightdns=10.0.0.10
    rightsendcert=never
    # query user credentials
    eap_identity=%identity
/etc/ufw/before.rules (changes from the default file shown)
*nat
-A POSTROUTING -s 10.0.1.0/23 -o ens3 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.0.1.0/23 -o ens3 -j MASQUERADE
COMMIT

*mangle
-A FORWARD --match policy --pol ipsec --dir in -s 10.0.1.0/23 -o ens3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.0.1.0/23 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.0.1.0/23 -j ACCEPT
...
ufw status

Status: active

To                         Action      From
--                         ------      ----
14500,18500/udp            ALLOW       Anywhere
Anywhere                   ALLOW       10.0.0.0/23
14500,18500/udp (v6)       ALLOW       Anywhere (v6)
Host
Ubuntu Server 20.04
Libvirt for the VM
Network bridged with the VM, range 10.0.0.0/23
ifconfig eno1 && ifconfig br0
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether e0:d5:5e:XX:XX:XX  txqueuelen 1000  (Ethernet)
        RX packets 1567855  bytes 459897473 (459.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1212098  bytes 664221670 (664.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xf7300000-f7320000

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.10  netmask 255.255.254.0  broadcast 10.1.1.255
        inet6 fe80::e2d5:5eff:fe6a:939  prefixlen 64  scopeid 0x20<link>
        ether e0:d5:5e:XX:XX:XX  txqueuelen 1000  (Ethernet)
        RX packets 1234399  bytes 200889311 (200.8 MB)
        RX errors 0  dropped 225921  overruns 0  frame 0
        TX packets 858030  bytes 633736972 (633.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Log files
Virtual machine, /var/log/syslog:
Jun 16 05:59:30 net ipsec[4091]: 13[IKE] authentication of 'roadwarrior' with EAP successful
Jun 16 05:59:30 net ipsec[4091]: 13[IKE] authentication of 'vpn.my.dns.org' (myself) with EAP
Jun 16 05:59:30 net ipsec[4091]: 13[IKE] IKE_SA ikev2-vpn[1] established between 10.0.0.102[vpn.my.dns.org]...123.45.123.45[roadwarrior]
Jun 16 05:59:30 net ipsec[4091]: 13[IKE] peer requested virtual IP %any
Jun 16 05:59:30 net ipsec[4091]: 13[IKE] assigning virtual IP 10.0.1.10 to peer 'roadwarrior'
Jun 16 05:59:30 net ipsec[4091]: 13[IKE] peer requested virtual IP %any6
Jun 16 05:59:30 net ipsec[4091]: 13[IKE] no virtual IP found for %any6 requested by 'roadwarrior'
Jun 16 05:59:30 net ipsec[4091]: 13[IKE] CHILD_SA ikev2-vpn{1} established with SPIs c3c5484e_i 693e4d06_o and TS 0.0.0.0/0 === 10.0.1.10/32
Jun 16 05:59:30 net charon: 13[NET] sending packet: from 10.0.0.102[14500] to 123.45.123.45[62333] (240 bytes)
Jun 16 05:59:50 net charon: 15[IKE] sending keep alive to 123.45.123.45[62333]
Jun 16 06:00:10 net charon: 06[IKE] sending keep alive to 123.45.123.45[62333]
Android log:
Jun 16 07:59:29 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Jun 16 07:59:29 00[DMN] Starting IKE service (strongSwan 5.8.4, Android 9 - 2.3.9_20200511-1446/2020-05-01, Linux 4.4.153-perf+, aarch64)
Jun 16 07:59:29 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Jun 16 07:59:29 00[JOB] spawning 16 worker threads
Jun 16 07:59:29 00[LIB] all CRL validation disabled
Jun 16 07:59:29 06[IKE] initiating IKE_SA android[15] to <SERVER-IP>
Jun 16 07:59:29 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 16 07:59:29 06[NET] sending packet: from 10.70.213.1[37387] to <SERVER-IP>[14500] (716 bytes)
Jun 16 07:59:29 07[NET] received packet: from <SERVER-IP>[14500] to 10.70.213.1[37387] (280 bytes)
Jun 16 07:59:29 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jun 16 07:59:29 07[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
Jun 16 07:59:29 07[IKE] local host is behind NAT, sending keep alives
Jun 16 07:59:29 07[IKE] remote host is behind NAT
Jun 16 07:59:29 07[IKE] sending cert request for "CN=VPN CA"
Jun 16 07:59:29 07[IKE] establishing CHILD_SA android{13}
Jun 16 07:59:29 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun 16 07:59:29 07[ENC] splitting IKE message (3200 bytes) into 3 fragments
Jun 16 07:59:29 07[ENC] generating IKE_AUTH request 1 [ EF(1/3) ]
Jun 16 07:59:29 07[ENC] generating IKE_AUTH request 1 [ EF(2/3) ]
Jun 16 07:59:29 07[ENC] generating IKE_AUTH request 1 [ EF(3/3) ]
Jun 16 07:59:29 07[NET] sending packet: from 10.70.213.1[44945] to <SERVER-IP>[14500] (1364 bytes)
Jun 16 07:59:29 07[NET] sending packet: from 10.70.213.1[44945] to <SERVER-IP>[14500] (1364 bytes)
Jun 16 07:59:29 07[NET] sending packet: from 10.70.213.1[44945] to <SERVER-IP>[14500] (612 bytes)
Jun 16 07:59:29 09[NET] received packet: from <SERVER-IP>[14500] to 10.70.213.1[44945] (1236 bytes)
Jun 16 07:59:29 09[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Jun 16 07:59:29 09[ENC] received fragment #1 of 2, waiting for complete IKE message
Jun 16 07:59:29 10[NET] received packet: from <SERVER-IP>[14500] to 10.70.213.1[44945] (724 bytes)
Jun 16 07:59:29 10[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Jun 16 07:59:29 10[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1888 bytes)
Jun 16 07:59:29 10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Jun 16 07:59:29 10[IKE] received end entity cert "CN=vpn.my.dns.org"
Jun 16 07:59:29 10[CFG] using certificate "CN=vpn.my.dns.org"
Jun 16 07:59:29 10[CFG] using trusted ca certificate "CN=VPN CA"
Jun 16 07:59:29 10[CFG] checking certificate status of "CN=vpn.my.dns.org"
Jun 16 07:59:29 10[CFG] reached self-signed root ca with a path length of 0
Jun 16 07:59:29 10[IKE] authentication of 'vpn.my.dns.org' with RSA_EMSA_PKCS1_SHA2_384 successful
Jun 16 07:59:29 10[IKE] server requested EAP_MSCHAPV2 authentication (id 0x15)
Jun 16 07:59:29 10[ENC] generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Jun 16 07:59:29 10[NET] sending packet: from 10.70.213.1[44945] to <SERVER-IP>[14500] (144 bytes)
Jun 16 07:59:29 11[NET] received packet: from <SERVER-IP>[14500] to 10.70.213.1[44945] (144 bytes)
Jun 16 07:59:29 11[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 16 07:59:29 11[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
Jun 16 07:59:29 11[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 16 07:59:29 11[NET] sending packet: from 10.70.213.1[44945] to <SERVER-IP>[14500] (80 bytes)
Jun 16 07:59:30 12[NET] received packet: from <SERVER-IP>[14500] to 10.70.213.1[44945] (80 bytes)
Jun 16 07:59:30 12[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
Jun 16 07:59:30 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 16 07:59:30 12[IKE] authentication of 'roadwarrior' (myself) with EAP
Jun 16 07:59:30 12[ENC] generating IKE_AUTH request 4 [ AUTH ]
Jun 16 07:59:30 12[NET] sending packet: from 10.70.213.1[44945] to <SERVER-IP>[14500] (96 bytes)
Jun 16 07:59:30 13[NET] received packet: from <SERVER-IP>[14500] to 10.70.213.1[44945] (240 bytes)
Jun 16 07:59:30 13[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Jun 16 07:59:30 13[IKE] authentication of 'vpn.my.dns.org' with EAP successful
Jun 16 07:59:30 13[IKE] IKE_SA android[15] established between 10.70.213.1[roadwarrior]...<SERVER-IP>[vpn.my.dns.org]
Jun 16 07:59:30 13[IKE] scheduling rekeying in 35507s
Jun 16 07:59:30 13[IKE] maximum IKE_SA lifetime 37307s
Jun 16 07:59:30 13[IKE] installing DNS server 10.0.0.10
Jun 16 07:59:30 13[IKE] installing new virtual IP 10.0.1.10
Jun 16 07:59:30 13[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jun 16 07:59:30 13[IKE] CHILD_SA android{13} established with SPIs 693e4d06_i c3c5484e_o and TS 10.0.1.10/32 === 0.0.0.0/0
Jun 16 07:59:30 13[DMN] setting up TUN device for CHILD_SA android{13}
Jun 16 07:59:30 13[DMN] successfully created TUN device
Jun 16 07:59:30 13[IKE] peer supports MOBIKE
Jun 16 08:03:03 00[IKE] deleting IKE_SA android[15] between 10.70.213.1[roadwarrior]...<SERVER-IP>[vpn.my.dns.org]
Jun 16 08:03:03 00[IKE] sending DELETE for IKE_SA android[15]
Jun 16 08:03:03 00[ENC] generating INFORMATIONAL request 5 [ D ]
Jun 16 08:03:03 00[NET] sending packet: from 10.70.213.1[44945] to <SERVER-IP>[14500] (80 bytes)
Do you have any idea where I should best start? I'm assuming that the provider's NAT (10.70.213/30) isn't interfering here.
Many thanks for your help
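A consistency check over the data pasted above, added here as an example and not part of the original post: it parses the CHILD_SA lines from the server syslog and the Android log, verifies that SPIs and traffic selectors mirror each other (so the tunnel itself is up), and then checks the rightsourceip pool against the MASQUERADE source subnet from before.rules and against the /23 configured on br0. The log lines and addresses are copied from the post; the function names are my own.

```python
import ipaddress
import re

# Sample input taken from the post above (server syslog line, Android line,
# ipsec.conf pool, before.rules NAT source, br0 address); names are my own.
SERVER_LOG = ("Jun 16 05:59:30 net ipsec[4091]: 13[IKE] CHILD_SA ikev2-vpn{1} "
              "established with SPIs c3c5484e_i 693e4d06_o and TS 0.0.0.0/0 === 10.0.1.10/32")
CLIENT_LOG = ("Jun 16 07:59:30 13[IKE] CHILD_SA android{13} established "
              "with SPIs 693e4d06_i c3c5484e_o and TS 10.0.1.10/32 === 0.0.0.0/0")
RIGHTSOURCEIP = "10.0.1.10-10.0.1.40"   # rightsourceip= in ipsec.conf
NAT_SOURCE = "10.0.1.0/23"              # -s of the MASQUERADE rule in before.rules
BR0_ADDR = "10.0.0.10/23"               # inet + netmask 255.255.254.0 on the host bridge

CHILD_RE = re.compile(
    r"CHILD_SA \S+ established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o and TS (\S+) === (\S+)")


def parse_child_sa(line):
    """Return (spi_in, spi_out, ts_local, ts_remote) from a CHILD_SA log line."""
    m = CHILD_RE.search(line)
    if not m:
        raise ValueError("not a CHILD_SA established line: %r" % line)
    return m.group(1), m.group(2), m.group(3), m.group(4)


def pool_range(pool):
    """Split an 'a-b' pool string into two IPv4Address objects."""
    lo, hi = (ipaddress.ip_address(x) for x in pool.split("-"))
    return lo, hi


def sas_match(server_line, client_line):
    """True when both ends describe the same SA: the server's inbound SPI is the
    client's outbound SPI (and vice versa) and the traffic selectors are swapped."""
    s_in, s_out, s_loc, s_rem = parse_child_sa(server_line)
    c_in, c_out, c_loc, c_rem = parse_child_sa(client_line)
    return (s_in, s_out) == (c_out, c_in) and (s_loc, s_rem) == (c_rem, c_loc)


def vip_in_pool(server_line, pool):
    """Return (virtual IP from the server's remote TS, whether it lies in the pool)."""
    vip = ipaddress.ip_interface(parse_child_sa(server_line)[3]).ip
    lo, hi = pool_range(pool)
    return str(vip), lo <= vip <= hi


def pool_inside(pool, cidr):
    """True when the whole pool lies inside the prefix. strict=False mirrors
    iptables/ifconfig, which ignore host bits (10.0.1.0/23 means 10.0.0.0/23)."""
    lo, hi = pool_range(pool)
    net = ipaddress.ip_network(cidr, strict=False)
    return lo in net and hi in net
```

pool_inside(RIGHTSOURCEIP, NAT_SOURCE) shows whether the MASQUERADE rule covers the pool; pool_inside(RIGHTSOURCEIP, BR0_ADDR) shows whether the pool overlaps the LAN prefix on br0, which decides whether LAN hosts treat pool addresses as on-link neighbours or as routed destinations.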