Hello,
in my test environment I cannot get an IPsec connection established between two sites when both sites are behind NAT. Without NAT it works without any problems. Apparently it is not enough to create a NAT rule for UDP ports 500 and 4500 on the firewall. This seems to be related to this NAT-T business, which I do not understand, and I only find guides for the case where the VPN servers are directly reachable.
With OpenVPN it really is enough to just create a NAT rule.
In the status I see the following.
Side A
root@ipsec-a:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-14-686-pae, i686):
  uptime: 47 minutes, since Feb 02 16:33:08 2021
  malloc: sbrk 688128, mmap 0, used 356952, free 331176
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
  192.168.0.1
Connections:
      a-to-b:  %any...192.168.188.180  IKEv2, dpddelay=30s
      a-to-b:   local:  [C=DE, O=strongSwan, CN=ipsec-a.test.lab] uses public key authentication
      a-to-b:    cert:  "C=DE, O=strongSwan, CN=ipsec-a.test.lab"
      a-to-b:   remote: [C=DE, O=strongSwan, CN=ipsec-b.test.lab] uses public key authentication
      a-to-b:   child:  192.168.0.0/24 === 192.168.10.0/24 TUNNEL, dpdaction=restart
Security Associations (0 up, 1 connecting):
      a-to-b[1]: CONNECTING, 192.168.0.1[%any]...192.168.188.180[%any]
      a-to-b[1]: IKEv2 SPIs: 8ab4bef8c0cac0cf_i* 0000000000000000_r
      a-to-b[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
Side B
root@ipsec-a:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-14-686-pae, i686):
  uptime: 47 minutes, since Feb 02 16:33:08 2021
  malloc: sbrk 688128, mmap 0, used 356952, free 331176
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
  192.168.0.1
Connections:
      a-to-b:  %any...192.168.188.180  IKEv2, dpddelay=30s
      a-to-b:   local:  [C=DE, O=strongSwan, CN=ipsec-a.test.lab] uses public key authentication
      a-to-b:    cert:  "C=DE, O=strongSwan, CN=ipsec-a.test.lab"
      a-to-b:   remote: [C=DE, O=strongSwan, CN=ipsec-b.test.lab] uses public key authentication
      a-to-b:   child:  192.168.0.0/24 === 192.168.10.0/24 TUNNEL, dpdaction=restart
Security Associations (0 up, 1 connecting):
      a-to-b[1]: CONNECTING, 192.168.0.1[%any]...192.168.188.180[%any]
      a-to-b[1]: IKEv2 SPIs: 8ab4bef8c0cac0cf_i* 0000000000000000_r
      a-to-b[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
Here is the setup first.
IPSec-A-VPN-GW 192.168.0.1 ------ 192.168.0.254 IPSec-A-GW 192.168.188.181 ------ 192.168.188.180 IPSec-B-GW 192.168.10.254 ------ 192.168.10.1 IPSec-B-VPN-GW
Side A
Router (IPSec-A-GW)
WAN eth0: 192.168.188.181
LAN1 eth1: 192.168.0.254
VPN Server (IPSec-A-VPN-GW)
LAN1 eth0: 192.168.0.1
Side B
Router (IPSec-B-GW)
WAN eth0: 192.168.188.180
LAN1 eth1: 192.168.10.254
VPN Server (IPSec-B-VPN-GW)
LAN1 eth0: 192.168.10.1
Side A ipsec.conf
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn a-to-b
    # left=%any
    leftsubnet=192.168.0.0/24
    right=192.168.188.180
    rightsubnet=192.168.10.0/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    #authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel
    leftcert=ipsec-a_cert.pem
    leftid="C=DE, O=strongSwan, CN=ipsec-a.test.lab"
    rightid="C=DE, O=strongSwan, CN=ipsec-b.test.lab"
ipsec.secrets
: RSA ipsec-a_key.pem
IPSec-A-GW
iptables
root@ipsec-a:/etc# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@ipsec-a:/etc# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:2222 to:192.168.0.1:22
DNAT       udp  --  anywhere             anywhere             udp dpt:isakmp to:192.168.0.1:500
DNAT       udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t to:192.168.0.1:4500

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
IPSec-A-VPN-GW
iptables
root@ipsec-a:/etc# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@ipsec-a:/etc# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Side B
ipsec.conf
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn b-to-a
    # left=%any
    leftsubnet=192.168.10.0/24
    right=192.168.188.181
    rightsubnet=192.168.0.0/24
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    #authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel
    leftcert=ipsec-b_cert.pem
    leftid="C=DE, O=strongSwan, CN=ipsec-b.test.lab"
    rightid="C=DE, O=strongSwan, CN=ipsec-a.test.lab"
ipsec.secrets
: RSA ipsec-b_key.pem
IPsec-B-GW
iptables
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@ipsec-b-fw:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:2222 to:192.168.10.1:22
DNAT       udp  --  anywhere             anywhere             udp dpt:isakmp to:192.168.10.1:500
DNAT       udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t to:192.168.10.1:4500

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
IPsec-B-VPN-GW
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@ipsec-b:/etc# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I would be very grateful for any help.
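The post says the NAT-T mechanism itself is unclear. What NAT-T actually does on the wire is small and worth seeing once: during IKE_SA_INIT each side sends NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifies (RFC 7296 section 2.23) containing SHA-1 over the IKE SPIs, the IP address and the UDP port the sender believes it is using. The receiver recomputes the hash over the address and port it actually saw in the packet; a mismatch proves a NAT rewrote the header, and both sides then move IKE and ESP to UDP 4500, where IKE messages are prefixed with a four-byte zero "non-ESP marker" (RFC 3948) so that IKE, ESP and keepalives can share the port. The Python below is an added example written for this thread, not code from the poster or from strongSwan. It reuses the addresses and the initiator SPI visible in the status output above (the responder SPI is zero in the IKE_SA_INIT request, as shown there); all packet bytes are constructed for illustration, and the function names are my own.

```python
# Added example (not from the original post or strongSwan): how IKEv2 NAT-T
# (RFC 7296 section 2.23, RFC 3948) detects a NAT and demultiplexes UDP/4500.
# Assumes the topology in the post: VPN server 192.168.0.1 sits behind router
# 192.168.188.181. All packet bytes below are constructed for illustration.
import hashlib
import ipaddress
import struct

INITIATOR_SPI = bytes.fromhex("8ab4bef8c0cac0cf")  # SPI from the post's statusall output
RESPONDER_SPI = bytes(8)  # 0000000000000000_r: responder SPI is zero in the IKE_SA_INIT request

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: precedes IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte keepalive on UDP/4500


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_*_IP notify: SHA-1(SPIi | SPIr | IP | Port).
    IP is the packed address (4 bytes IPv4, 16 bytes IPv6), port is big-endian."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def peer_is_behind_nat(claimed_ip: str, claimed_port: int,
                       seen_ip: str, seen_port: int,
                       spi_i: bytes, spi_r: bytes) -> bool:
    """Receiver side of the check. The sender hashed the address it believes it
    has (claimed) into NAT_DETECTION_SOURCE_IP; the receiver hashes the source
    address and port it actually saw in the UDP/IP header. Any difference means
    a NAT rewrote the packet on the way, so the receiver knows the peer is NATed."""
    sent = nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port)
    seen = nat_detection_hash(spi_i, spi_r, seen_ip, seen_port)
    return sent != seen


def encapsulate_ike_for_4500(ike_message: bytes) -> bytes:
    """Once NAT is detected, IKE moves to UDP/4500 and every IKE message gets
    the 4-byte zero non-ESP marker in front of its header."""
    return NON_ESP_MARKER + ike_message


def classify_udp4500_payload(data: bytes) -> str:
    """Demultiplex a UDP/4500 datagram the way RFC 3948 prescribes: a lone 0xff
    byte is a NAT keepalive, four zero bytes announce IKE, and anything else is
    ESP, because an ESP SPI is never zero."""
    if data == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(data) >= 4 and data[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def side_b_detects_nat_on_a() -> bool:
    """Side A (192.168.0.1) sends IKE_SA_INIT from UDP/500. After the router's
    MASQUERADE rule, side B sees the packet arrive from 192.168.188.181."""
    return peer_is_behind_nat("192.168.0.1", 500, "192.168.188.181", 500,
                              INITIATOR_SPI, RESPONDER_SPI)


if __name__ == "__main__":
    print("side B concludes that side A is behind NAT:", side_b_detects_nat_on_a())
    # constructed IKE header fragment: SPIs followed by a few header bytes
    ike_init = INITIATOR_SPI + RESPONDER_SPI + b"\x21\x20\x22\x08"
    print("UDP/4500 payload type:", classify_udp4500_payload(encapsulate_ike_for_4500(ike_init)))
```

The same comparison runs in the other direction for NAT_DETECTION_DESTINATION_IP, and the responder's answer carries both notifies as well, so each side learns about its own NAT and the peer's. Port forwards for 500 and 4500 are what let the initial packets reach the inner host at all; the detection hashes are what make the daemons switch to UDP/4500 encapsulation afterwards. Running tcpdump on the VPN server and checking whether the IKE_SA_INIT request actually arrives on UDP/500, and whether the peer's reply comes back, is the first thing to confirm with a setup like the one in the post.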