[Suche] Empfehlung für Router mit Kabel Deutschland unter openWRT

ATD · 2. November 2015

Firewall Itegration:

1. Anlegen: die Zone vpn mit LuCI, kein Masquerading bei lan! Bild unten.

2. Anlegen:

Code

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'


config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'


config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'


config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'


config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'


config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option src_ip '88.xx.xx.220'


config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option src_ip '88.xx.xx.220'


config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'


config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'


config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'


config forwarding
        option src 'lan'
        option dest 'wan'


config include
        option path '/etc/firewall.user'
        option reload 1

Alles anzeigen

3. Anlegen:

/etc/firewall.user

4. Anlegen (. /etc/functions.sh gegen . /lib/functions.sh getauscht):

/etc/ipsec/firewall.sh

Code

#/etc/ipsec/firewall.sh


#!/bin/sh
#/etc/ipsec/firewall.sh - version 2
 
. /lib/functions.sh
 
GetZone() {
  config_get zone "$1" zone vpn
}
 
GetTunnel() {
  local remote_subnet
  local local_subnet
  local local_nat
 
  config_get remote_subnet "$1" remote_subnet
  config_get local_subnet  "$1" local_subnet
  config_get local_nat     "$1" local_nat ""
  iptables -A zone_${zone}_ACCEPT -d $remote_subnet -j ACCEPT
  iptables -A zone_${zone}_ACCEPT -s $remote_subnet -j ACCEPT
  iptables -A zone_${zone}_REJECT -d $remote_subnet -j reject
  iptables -A zone_${zone}_REJECT -s $remote_subnet -j reject
  iptables -A zone_${zone}_INPUT -s $remote_subnet -j zone_${zone}
  iptables -A zone_${zone}_FORWARD -s $remote_subnet -j zone_${zone}_forward
 
  if [ "$local_nat" == "" ]; then
    iptables -t nat -A zone_${zone}_nat -d $remote_subnet -j ACCEPT
  else
    iptables -t nat -A zone_${zone}_nat -d $remote_subnet \
             -s $local_subnet -j NETMAP --to $local_nat
    iptables -t nat -A prerouting_${zone} -s $remote_subnet \
             -d $local_nat -j NETMAP --to $local_subnet
  fi
}
 
GetRemote() {
  local enabled
  local gateway
 
  config_get_bool enabled "$1" enabled 0
  config_get      gateway "$1" gateway
  [[ "$enabled" == "0" ]] && return
 
  config_list_foreach "$1" tunnel GetTunnel
}
 
GetDevice() {
  . /lib/functions/network.sh
  local interface="$1"
  network_get_device listen "$interface"
  # open IPsec endpoint
  if [ "$listen" == "" ]; then
    iptables -A zone_${zone}_gateway -p esp -j ACCEPT
    iptables -A zone_${zone}_gateway -p udp --dport 500 -j ACCEPT
    iptables -A zone_${zone}_gateway -p udp --dport 4500 -j ACCEPT
    if [ $has_ip6tables -eq 1 ]; then
      ip6tables -A zone_${zone}_gateway -p esp -j ACCEPT
      ip6tables -A zone_${zone}_gateway -p udp --dport 500 -j ACCEPT
      ip6tables -A zone_${zone}_gateway -p udp --dport 4500 -j ACCEPT
    fi
  else
    iptables -A zone_${zone}_gateway -i $listen -p esp -j ACCEPT
    iptables -A zone_${zone}_gateway -i $listen -p udp --dport 500 -j ACCEPT
    iptables -A zone_${zone}_gateway -i $listen -p udp --dport 4500 -j ACCEPT
    if [ $has_ip6tables -eq 1 ]; then
      ip6tables -A zone_${zone}_gateway -i $listen -p esp -j ACCEPT
      ip6tables -A zone_${zone}_gateway -i $listen -p udp --dport 500 -j ACCEPT
      ip6tables -A zone_${zone}_gateway -i $listen -p udp --dport 4500 -j ACCEPT
    fi
  fi
 
}
 
GetInterface() {
  config_list_foreach "$1" listen GetDevice
}
 
zone=vpn
config_load ipsec
config_foreach GetZone ipsec
 
if [ -x /usr/sbin/ip6tables ]; then
  has_ip6tables=1
else
  has_ip6tables=0
fi
 
iptables -F zone_${zone}_ACCEPT
if [ $has_ip6tables -eq 1 ]; then
  ip6tables -F zone_${zone}_ACCEPT
fi
 
iptables -N zone_${zone}_gateway
iptables -I input -j zone_${zone}_gateway
if [ $has_ip6tables -eq 1 ]; then
  ip6tables -N zone_${zone}_gateway
  ip6tables -I input -j zone_${zone}_gateway
fi
config_foreach GetInterface ipsec
 
iptables -t nat -F zone_${zone}_nat
iptables -t nat -I POSTROUTING 2 -j zone_${zone}_nat
iptables -t nat -I PREROUTING 2 -j zone_${zone}_prerouting
 
# sort VPN rules to top of forward zones and insert VPN reject marker afterwards
ForwardZones=`iptables -S | awk '/.N.*zone.*_forward/{print $2}' | grep -v ${zone}`
for ForwardZone in $ForwardZones ; do
  echo "iptables -F $ForwardZone" > /tmp/fwrebuild
  iptables -S $ForwardZone | grep zone_${zone}_ACCEPT | \
    grep -v "^-N" | awk '{ print "iptables " $0}' >> /tmp/fwrebuild
  echo "iptables -A $ForwardZone -j zone_${zone}_REJECT" >> /tmp/fwrebuild
  iptables -S $ForwardZone | grep -v zone_${zone}_ACCEPT | \
    grep -v "^-N" | awk '{ print "iptables " $0}' >> /tmp/fwrebuild
 
  chmod +x /tmp/fwrebuild
  /tmp/fwrebuild
  rm /tmp/fwrebuild
done
 
# link zone_vpn via zone_vpn_INPUT
iptables -N zone_${zone}_INPUT
iptables -I input -j zone_${zone}_INPUT
 
# link zone_vpn_forward via zone_vpn_FORWARD
iptables -N zone_${zone}_FORWARD
iptables -I forward -j zone_${zone}_FORWARD
 
config_foreach GetRemote remote

Alles anzeigen

5. Das aufmerksam lesen:

"Finally we have a look at the script. It injects all the additionally required settings according to /etc/config/ipsec into the OpenWrt firewall. Save it as /etc/ipsec/firewall.sh and put a calling line into /etc/firewall.user so it gets loaded automatically. REMARK: This script only enables VPN firewall rules that have been set in the LUCI web interface. There is no guarantee that manually implemented rules in /etc/config/firewall will work!"

Albert

kls · 2. November 2015

Ich habe (hoffe ich) alles so gemacht, wie du es beschrieben hast.

strongswan.conf

ipsec.conf

ipsec statusall

In /etc/firewall.user habe ich einen Aufruf der firewall.sh eingetragen (*nicht* firewall.ipsec, denn die gibt es nicht).
Ein Aufruf von '/etc/init.d/firewall restart' ergibt aber Fehler:

/etc/init.d/firewall restart

[/code]
Warning: Section @zone[0] (vpn) has no device, network, subnet or extra options
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv4 raw table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing IPv6 raw table
* Flushing conntrack table ...
* Populating IPv4 filter table
* Zone 'lan'
* Zone 'wan'
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule #7
* Rule #8
* Forward 'lan' -> 'wan'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv4 raw table
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 filter table
* Zone 'lan'
* Zone 'wan'
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule #7
* Rule #8
* Forward 'lan' -> 'wan'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Populating IPv6 raw table
* Zone 'lan'
* Zone 'wan'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.4.21: Couldn't load target `zone_vpn_nat':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_prerouting':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.4.21: Couldn't load target `zone_vpn':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_forward':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
[/code]

nobanzai: "left" und "right" sind per Konvention mit "local" bzw. "remote" assoziiert. "left" bzw. "local" ist dabei immer die Seite, auf der sich die jeweils betrachtete Datei befindet.

Klaus

ATD · 3. November 2015

Er währt sich. Was sagt ipsec status? Geht was bei gestoppten Firewall durch, /etc/init.d/firewall stop?

In basics sind vier Pakete als Mindestvoraussetzung genannt:

- strongswan-default: everything needed for IPsec tunnels
- ip: Required to make scripting easier
- iptables-mod-nat-extra: For VPN networks with overlapping IP addresses
- djbdns-tools: for simpler name resolving than nslookup

sind alle installiert?

Albert

kls · 3. November 2015

Code

root@OpenWrt:~# ipsec status
Security Associations (0 up, 0 connecting):
  none

So wie es aussieht wird mit der jüngsten Variante der Tunnel gar nicht aufgebaut.

Mit gestoppter Firewall geht gar nichts, nichtmal ein "ping heise.de".

strongswan-default war nicht installiert, ip und iptables-mod-nat-extra schon.
djbdns-tools gibt es anscheinend nicht, aber mit DNS hab ich ja keine Probleme.

Ich habe strongswan-default installiert und zunächst mit meiner ursprünglichen Konfiguration probiert, ohne Erfolg. Der Tunnel wird zwar aufgebaut, aber es gehen keine Daten durch.

Danach hab ich wieder mit deinen Scripts getestet, wobei ich die aber nicht nach /etc/init.d kopiert habe, um mir nicht gleich alles zu zerschießen ;-).
Der Output war dieser hier:

Code

root@OpenWrt:/etc# /root/firewall.sh
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.4.21: Couldn't load target `zone_vpn_nat':No such file or directory


Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_prerouting':No such file or directory


Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory


Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_REJECT':No such file or directory


Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.4.21: Couldn't load target `zone_vpn':No such file or directory


Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: Couldn't load target `zone_vpn_forward':No such file or directory


Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
root@OpenWrt:/etc# /root/ipsec.sh restart
Stopping strongSwan IPsec...
Starting strongSwan 5.3.3 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
root@OpenWrt:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips):
  uptime: 8 seconds, since Nov 03 22:08:01 2015
  malloc: sbrk 90112, mmap 0, used 86160, free 3952
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
  188.xx.xx.113
  192.168.1.1
  fd4c:dd00:f364::1
Connections:
racoon-racoon_lan:  188.xx.xx.113...88.xx.xx.220  IKEv1
racoon-racoon_lan:   local:  [cougar.tvdr.de] uses pre-shared key authentication
racoon-racoon_lan:   remote: [racoon.tvdr.de] uses pre-shared key authentication
racoon-racoon_lan:   child:  192.168.1.0/24 === 88.xx.xx.220/32 TUNNEL
Security Associations (0 up, 1 connecting):
racoon-racoon_lan[1]: CONNECTING, 188.xx.xx.113[cougar.tvdr.de]...88.xx.xx.220[%any]
racoon-racoon_lan[1]: IKEv1 SPIs: 8415d1662ce5142e_i* 073e05438a70238e_r
racoon-racoon_lan[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
racoon-racoon_lan[1]: Tasks queued: QUICK_MODE 
racoon-racoon_lan[1]: Tasks active: ISAKMP_VENDOR MAIN_MODE

Alles anzeigen

Leider alles ohne Erfolg...

Klaus

ATD · 3. November 2015

Ist auch der Kernel Modul xt_recent Installiert (lsmod | grep xt_recent)?

Wenn ja, dann werde ich wohl noch einmal alles durchgehen. Für mich gilt die Aussage von dem Autor:

"The VPN concept I designed and wrote down in the wiki consists of four parts.
1) Define a standard openwrt /etc/config file that takes informations about the VPN infrastructure. E.g. foreing endpoints tunneled networks, credentials and so on. You can see it just like the usual strongswan/racoon configuration but in the openwrt style.
2) The part that is essential for the IKE damons is read out in the provided start scripts. These do nothing more than translating the new syntax into a daemon-specific standard syntax.
3) The config part with the network definitions must be mergend into the openwrt firewall. So we can route the traffic. The additional firewall script takes care of this.
4) with 1-3 in place we should have a working VPN solution but it will deny all traffic (to be safe and to emulate other firewalls). So we must add firewall rules between the newly created VPN zone and the existing zones manually in the web interface or the openwrt standard config files.
To sum it up: I tried to create a fully integrated solution that might be a little harder to understand and implement. But if everything works the rest is just the usual firewall-rule-clicking.

Albert

ATD · 3. November 2015

Entferne die Zeile option 'zone' 'vpn' aus der /etc/config/ipsec. In dem Script wird sie doch namentlich genannt. Nur:

Code

#/etc/config/ipsec
config 'ipsec'
  list listen ''

Der Rest bleibt, auch wenn conn racoon-racoon_lan eleganter gestaltet werden könnte.

Albert

ATD · 3. November 2015

In dem Script /etc/init.d/ipsec befindet sich die Zeile:

echo " keyexchange=ikev1" >> $FileConn

Ggf. sie auf ikev2 ändern, denn Du hast es schon erwähnt, dass die Tunnel nur mit ikev2 aufgebaut wird.

Dann sollte in der ipsec.conf entsprechend keyexchange=ikev2 stehen.

Albert

vdrchuck · 4. November 2015

Hallo,

ich habe jetzt hier nicht alles durchgelesen, aber soweit verstanden das ein IPSEC Tunnel aufgebaut wird und kein Traffic durch den Tunnel geht.
Hast du die Möglichkeit den Router bei einem anderen Provider zu testen, ich habe es soweit verstanden das es sich um Kabel Deutschland handelt.

Hintergrund ist, dass ich gelesen habe das dieses Problem im Moment bei Unitymdia mit IPSEC und IOS als Client (>=9,x) auftritt.

http://forum.golem.de/kommenta…4280390,4280390,read.html

https://forums.developer.apple.com/thread/16699

Evtl. Iptables Lösung:
http://www.ip-phone-forum.de/showthread.php?t=281439&page=11&p=2121611&viewfull=1#post2121611

Das Problem scheint in den o.g. Fällen zwar UM und Apple spezifisch zu sein, aber wer weiss schon was die Netzbetreiber in Ihren Netzen so alles anstellen .

Gruss,
Chuck

9000H · 4. November 2015

Hi,

vielleicht ist auch SoftEther auch mal einen Blick wert, ist Opensource GPL2 mit GUI fuer Server/Client und beherrscht SSL-VPN, OpenVPN, IPsec, L2TP, MS-SSTP, L2TPv3 und EtherIP. Damit müsste man alle Netzwerk Unwägbarkeiten meistern können.

CU
9000h

kls · 4. November 2015

Zitat von ATD

Ist auch der Kernel Modul xt_recent Installiert (lsmod | grep xt_recent)?

Nein, dieses Modul ist nicht geladen.

Klaus

kls · 4. November 2015

Zitat von ATD

Entferne die Zeile option 'zone' 'vpn' aus der /etc/config/ipsec

Zitat von ATD

Ggf. sie auf ikev2 ändern

Hab ich beides gemacht, aber es kommt kein Tunnel zustande.

Irgendwie war ich da mit der ursprünglichen Variante schon weiter...

Klaus

kls · 4. November 2015

Zitat von vdrchuck

Hast du die Möglichkeit den Router bei einem anderen Provider zu testen

Leider nicht.

Klaus

kls · 4. November 2015

Zitat von 9000H

vielleicht ist auch SoftEther auch mal einen Blick wert

Ich würde schon gerne bei StrongSwan bleiben. Die Konfiguration ist ja eigentlich denkbar einfach. Hier in meinem konkreten Fall muß halt wohl nur irgend eine Kleinigkeit nicht stimmen...

Klaus

ATD · 4. November 2015

Zitat von kls

Hab ich beides gemacht, aber es kommt kein Tunnel zustande.

Probiere bitte mit dem ipsec.conf von hier die Tunnel hoch zu bekommen. Der letzte /etc/config/ipsec bleibt.

Das xt_recent sollte für den firewall.sh relevant sein. Damit haben Leute die Fehlermeldungen beim Umsortieren wegbekommen. Kannst Du es mit laden!?

Die erste Zeile ist Warnung aber ohne Belang. Sie hat sogar recht, die Zone vpn soll aber keinen Interface haben.

Albert

kls · 4. November 2015

Es gibt auf meinem Router kein xt_recent.ko.

root@OpenWrt:/etc# find / | grep recent
root@OpenWrt:/etc#

Klaus

ATD · 4. November 2015

Das steckt in kmod-ipt-conntrack-extra.

Albert

ATD · 4. November 2015

Klaus, das Script aus basics lassen wir links liegen. Es ist nicht einmal alpha. Ob Charon loggt oder nicht, ist mir egal. Unter einer "clean integration into the OpenWrt" verstehe ich etwas anderes. Es ist einfach schlampig geschrieben. Die drei Dateien, die wir brauchen, die haben wir schon.

Morgen versuche ich die /etc/config/ipsec passend zu der ipsec.conf zu gestalten. Hoffen wir mal, dass dann die /etc/ipsec/firewall.sh seine Arbeit verrichtet.

Du schaust bitte wegen die kmod-ipt-conntrack-extra und dass der Tunnel steht (Posting 78, die strongswan.conf und ipsec.conf kurz vor Ende).

Offensichtlich treten wir hier an einer Stelle, was bei OpenWRT kein Entwicklungsschwerpunkt zu sein scheint.

Albert

kls · 5. November 2015

kmod-ipt-conntrack-extra habe ich jetzt installiert und xt_recent ist geladen.

strongswan.conf und ipsec.conf sind wieder so wie in Posting 78, und der Tunnel steht:

Code

root@OpenWrt:/etc# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips):
  uptime: 5 seconds, since Nov 05 10:03:47 2015
  malloc: sbrk 266240, mmap 0, used 233368, free 32872
  worker threads: 5 of 16 idle, 7/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck uci addrblock unity
Listening IP addresses:
  188.xx.xx.113
  192.168.1.1
  fd4c:dd00:f364::1
Connections:
      tunnel:  %any...88.xx.xx.220  IKEv1/2
      tunnel:   local:  [cougar.tvdr.de] uses pre-shared key authentication
      tunnel:   remote: [racoon.tvdr.de] uses pre-shared key authentication
      tunnel:   child:  192.168.1.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 4 seconds ago, 188.xx.xx.113[cougar.tvdr.de]...88.xx.xx.220[racoon.tvdr.de]
      tunnel[1]: IKEv2 SPIs: 3cea163cea5c273a_i* 3997e2ba98165a85_r, pre-shared key reauthentication in 2 hours
      tunnel[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

Alles anzeigen

Daten gehen allerdings nach wie vor keine drüber.

Klaus

iNOB · 5. November 2015

Nachfolgend ein vollständiger Verbindungsaufbau (Log vom Server) zwischen einem Android Client mit Strongswan App und einer IPfire (Firewall). Eventuell hilft es weiter:

Spoiler anzeigen

Code

[root@ipfire ~]# tail -f /var/log/messages | grep charon
Nov  5 10:34:33 ipfire charon: 16[NET] received packet: from 82.122.101.43[17680] to 192.168.101.3[500] (1012 bytes)
Nov  5 10:34:33 ipfire charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Nov  5 10:34:33 ipfire charon: 16[IKE] 82.122.101.43 is initiating an IKE_SA
Nov  5 10:34:33 ipfire charon: 16[IKE] 82.122.101.43 is initiating an IKE_SA
Nov  5 10:34:33 ipfire charon: 16[IKE] local host is behind NAT, sending keep alives
Nov  5 10:34:33 ipfire charon: 16[IKE] remote host is behind NAT
Nov  5 10:34:33 ipfire charon: 16[IKE] DH group MODP_2048 inacceptable, requesting MODP_4096
Nov  5 10:34:33 ipfire charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Nov  5 10:34:33 ipfire charon: 16[NET] sending packet: from 192.168.101.3[500] to 82.122.101.43[17680] (38 bytes)
Nov  5 10:34:34 ipfire charon: 04[NET] received packet: from 82.122.101.43[17680] to 192.168.101.3[500] (1268 bytes)
Nov  5 10:34:34 ipfire charon: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Nov  5 10:34:34 ipfire charon: 04[IKE] 82.122.101.43 is initiating an IKE_SA
Nov  5 10:34:34 ipfire charon: 04[IKE] 82.122.101.43 is initiating an IKE_SA
Nov  5 10:34:34 ipfire charon: 04[IKE] local host is behind NAT, sending keep alives
Nov  5 10:34:34 ipfire charon: 04[IKE] remote host is behind NAT
Nov  5 10:34:34 ipfire charon: 04[IKE] sending cert request for "C=DE, ST=xxxxx, L=xxxxx, O=xxxxx, OU=xxxxx, CN=xxxxx, E=xxx@xxx.com"
Nov  5 10:34:34 ipfire charon: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Nov  5 10:34:34 ipfire charon: 04[NET] sending packet: from 192.168.101.3[500] to 82.122.101.43[17680] (745 bytes)
Nov  5 10:34:35 ipfire charon: 14[NET] received packet: from 82.122.101.43[23712] to 192.168.101.3[4500] (1364 bytes)
Nov  5 10:34:36 ipfire charon: 14[ENC] parsed IKE_AUTH request 1 [ EF(2/5) ]
Nov  5 10:34:36 ipfire charon: 14[ENC] received fragment #2 of 5, waiting for complete IKE message
Nov  5 10:34:36 ipfire charon: 14[NET] received packet: from 82.122.101.43[23712] to 192.168.101.3[4500] (1364 bytes)
Nov  5 10:34:36 ipfire charon: 14[ENC] parsed IKE_AUTH request 1 [ EF(1/5) ]
Nov  5 10:34:36 ipfire charon: 14[ENC] received fragment #1 of 5, waiting for complete IKE message
Nov  5 10:34:36 ipfire charon: 01[NET] received packet: from 82.122.101.43[23712] to 192.168.101.3[4500] (1364 bytes)
Nov  5 10:34:36 ipfire charon: 01[ENC] parsed IKE_AUTH request 1 [ EF(4/5) ]
Nov  5 10:34:36 ipfire charon: 01[ENC] received fragment #4 of 5, waiting for complete IKE message
Nov  5 10:34:36 ipfire charon: 01[NET] received packet: from 82.122.101.43[23712] to 192.168.101.3[4500] (1364 bytes)
Nov  5 10:34:36 ipfire charon: 01[ENC] parsed IKE_AUTH request 1 [ EF(3/5) ]
Nov  5 10:34:36 ipfire charon: 01[ENC] received fragment #3 of 5, waiting for complete IKE message
Nov  5 10:34:36 ipfire charon: 01[NET] received packet: from 82.122.101.43[23712] to 192.168.101.3[4500] (676 bytes)
Nov  5 10:34:36 ipfire charon: 01[ENC] parsed IKE_AUTH request 1 [ EF(5/5) ]
Nov  5 10:34:36 ipfire charon: 01[ENC] received fragment #5 of 5, reassembling fragmented IKE message
Nov  5 10:34:36 ipfire charon: 01[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov  5 10:34:36 ipfire charon: 01[IKE] received cert request for "C=DE, ST=xxxxx, L=xxxxx, O=xxxxx, OU=xxxxx, CN=xxxxx, E=xxx@xxx.com"
Nov  5 10:34:36 ipfire charon: 01[IKE] received 162 cert requests for an unknown ca
Nov  5 10:34:36 ipfire charon: 01[IKE] received end entity cert "C=DE, ST=xxxxx, L=xxxxx, O=xxxxx, OU=xxxxx, CN=android-Clientxxx"
Nov  5 10:34:36 ipfire charon: 01[CFG] looking for peer configs matching 192.168.101.3[%any]...82.122.101.43[C=DE, ST=xxxxx, O=xxxxx, OU=xxxxx, CN=android-Clientxxx]
Nov  5 10:34:36 ipfire charon: 01[CFG] selected peer config 'rw04'
Nov  5 10:34:36 ipfire charon: 01[CFG]   using trusted ca certificate "C=DE, ST=xxxxx, L=xxxxx, O=xxxxx, OU=xxxxx, CN=xxxxx, E=xxx@xxx.com"
Nov  5 10:34:37 ipfire charon: 01[CFG] checking certificate status of "C=DE, ST=xxxxx, L=xxxxx, O=xxxxx, OU=xxxxx, CN=android-Clientxxx"
Nov  5 10:34:37 ipfire charon: 01[CFG] certificate status is not available
Nov  5 10:34:37 ipfire charon: 01[CFG]   reached self-signed root ca with a path length of 0
Nov  5 10:34:37 ipfire charon: 01[CFG]   using trusted certificate "C=DE, ST=xxxxx, L=xxxxx, O=xxxxx, OU=xxxxx, CN=android-Clientxxx"
Nov  5 10:34:37 ipfire charon: 01[IKE] authentication of 'C=DE, ST=xxxxx, L=xxxxx, O=xxxxx, OU=xxxxx, CN=android-Clientxxx' with RSA_EMSA_PKCS1_SHA256 successful
Nov  5 10:34:37 ipfire charon: 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov  5 10:34:37 ipfire charon: 01[IKE] peer supports MOBIKE
Nov  5 10:34:37 ipfire charon: 01[IKE] authentication of 'C=DE, ST=xxxxx, L=xxxxx, O=xxxxx, OU=xxxxx, CN=dyn.dns.xxx' (myself) with RSA_EMSA_PKCS1_SHA256 successful
Nov  5 10:34:37 ipfire charon: 01[IKE] IKE_SA rw04[9] established between 192.168.101.3[C=DE, ST=xxxxx, L=xxxxx, O=xxxxx, OU=xxxxx, CN=dyn.dns.xxx]...82.122.101.43[C=DE, ST=xxxxx, L=xxxxx, O=xxxxx, OU=xxxxx, CN=android-Clientxxx]
Nov  5 10:34:37 ipfire charon: 01[IKE] IKE_SA rw04[9] established between 192.168.101.3[C=DE, ST=xxxxx, L=xxxxx, O=xxxxx, OU=xxxxx, CN=dyn.dns.xxx]...82.122.101.43[C=DE, ST=xxxxx, L=xxxxx, O=xxxxx, OU=xxxxx, CN=android-Clientxxx]
Nov  5 10:34:37 ipfire charon: 01[IKE] scheduling reauthentication in 3001s
Nov  5 10:34:37 ipfire charon: 01[IKE] maximum IKE_SA lifetime 3541s
Nov  5 10:34:37 ipfire charon: 01[IKE] sending end entity cert "C=DE, ST=xxxxx, L=xxxxx, O=xxxxx, OU=xxxxx, CN=dyn.dns.xxx"
Nov  5 10:34:37 ipfire charon: 01[IKE] peer requested virtual IP %any
Nov  5 10:34:37 ipfire charon: 01[CFG] reassigning offline lease to 'C=DE, ST=xxxxx, O=xxxxx, OU=xxxxx, CN=android-Clientxxx'
Nov  5 10:34:37 ipfire charon: 01[IKE] assigning virtual IP 10.0.8.4 to peer 'C=DE, ST=xxxxx, O=xxxxx, OU=xxxxx, CN=android-Clientxxx'
Nov  5 10:34:37 ipfire charon: 01[IKE] peer requested virtual IP %any6
Nov  5 10:34:37 ipfire charon: 01[IKE] no virtual IP found for %any6 requested by 'C=DE, ST=xxxxx, O=xxxxx, OU=xxxxx, CN=android-Clientxxx'
Nov  5 10:34:37 ipfire charon: 01[IKE] CHILD_SA rw04{4} established with SPIs ccb0151e_i bb269725_o and TS 0.0.0.0/0 === 10.0.8.0/24
Nov  5 10:34:37 ipfire charon: 01[IKE] CHILD_SA rw04{4} established with SPIs ccb0151e_i bb269725_o and TS 0.0.0.0/0 === 10.0.8.0/24
Nov  5 10:34:38 ipfire charon: 01[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Nov  5 10:34:38 ipfire charon: 01[ENC] splitting IKE message with length of 2288 bytes into 5 fragments
Nov  5 10:34:38 ipfire charon: 01[ENC] generating IKE_AUTH response 1 [ EF(1/5) ]
Nov  5 10:34:38 ipfire charon: 01[ENC] generating IKE_AUTH response 1 [ EF(2/5) ]
Nov  5 10:34:38 ipfire charon: 01[ENC] generating IKE_AUTH response 1 [ EF(3/5) ]
Nov  5 10:34:38 ipfire charon: 01[ENC] generating IKE_AUTH response 1 [ EF(4/5) ]
Nov  5 10:34:38 ipfire charon: 01[ENC] generating IKE_AUTH response 1 [ EF(5/5) ]
Nov  5 10:34:38 ipfire charon: 01[NET] sending packet: from 192.168.101.3[4500] to 82.122.101.43[23712] (532 bytes)
Nov  5 10:34:38 ipfire charon: 01[NET] sending packet: from 192.168.101.3[4500] to 82.122.101.43[23712] (500 bytes)
Nov  5 10:34:38 ipfire charon: 13[NET] received packet: from 82.122.101.43[23712] to 192.168.101.3[4500] (1364 bytes)
Nov  5 10:34:38 ipfire charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(1/5) ]
Nov  5 10:34:38 ipfire charon: 13[ENC] received fragment #1 of 5, waiting for complete IKE message
Nov  5 10:34:38 ipfire charon: 03[NET] received packet: from 82.122.101.43[23712] to 192.168.101.3[4500] (1364 bytes)
Nov  5 10:34:38 ipfire charon: 03[ENC] parsed IKE_AUTH request 1 [ EF(2/5) ]
Nov  5 10:34:38 ipfire charon: 03[ENC] received fragment #2 of 5, waiting for complete IKE message
Nov  5 10:34:38 ipfire charon: 02[NET] received packet: from 82.122.101.43[23712] to 192.168.101.3[4500] (1364 bytes)
Nov  5 10:34:38 ipfire charon: 02[ENC] parsed IKE_AUTH request 1 [ EF(3/5) ]
Nov  5 10:34:38 ipfire charon: 02[ENC] received fragment #3 of 5, waiting for complete IKE message
Nov  5 10:34:38 ipfire charon: 05[NET] received packet: from 82.122.101.43[23712] to 192.168.101.3[4500] (1364 bytes)
Nov  5 10:34:39 ipfire charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(4/5) ]
Nov  5 10:34:39 ipfire charon: 05[ENC] received fragment #4 of 5, waiting for complete IKE message
Nov  5 10:34:39 ipfire charon: 16[NET] received packet: from 82.122.101.43[23712] to 192.168.101.3[4500] (676 bytes)
Nov  5 10:34:39 ipfire charon: 16[ENC] parsed IKE_AUTH request 1 [ EF(5/5) ]
Nov  5 10:34:39 ipfire charon: 16[ENC] received fragment #5 of 5, reassembling fragmented IKE message
Nov  5 10:34:39 ipfire charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov  5 10:34:39 ipfire charon: 16[IKE] received retransmit of request with ID 1, retransmitting response
Nov  5 10:34:39 ipfire charon: 16[NET] sending packet: from 192.168.101.3[4500] to 82.122.101.43[23712] (532 bytes)
Nov  5 10:34:39 ipfire charon: 16[NET] sending packet: from 192.168.101.3[4500] to 82.122.101.43[23712] (500 bytes)
Nov  5 10:34:39 ipfire charon: 04[NET] received packet: from 82.122.101.43[23712] to 192.168.101.3[4500] (96 bytes)
Nov  5 10:34:39 ipfire charon: 04[ENC] parsed INFORMATIONAL request 2 [ N(NO_ADD_ADDR) ]
Nov  5 10:34:39 ipfire charon: 04[ENC] generating INFORMATIONAL response 2 [ ]
Nov  5 10:34:39 ipfire charon: 04[NET] sending packet: from 192.168.101.3[4500] to 82.122.101.43[23712] (96 bytes)

Alles anzeigen

Externe IP: 82.122.101.43 (= dyn.dns.xxx)
LAN-IP der Firewall: 192.168.101.3
Subnetz für IPSec-VPN-Clients: 10.0.8.0/24
kein PSK sondern Zertifikate!
rw04 ist die Client-Config auf der IPfire
IKEv2 mit charon

ipsec statusall

Spoiler anzeigen

Code

Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.14.43-ipfire, i686):
  uptime: 30 days, since Oct 05 16:10:47 2015
  malloc: sbrk 411680, mmap 0, used 298688, free 112992
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp
Virtual IP pools (size/online/offline):
  10.0.8.4: 1/1/0
Listening IP addresses:
  10.0.2.1
  192.168.101.3
  10.0.3.1
  10.0.4.1
  10.0.9.1
Connections:
        rw04:  %any...%any  IKEv2, dpddelay=30s
        rw04:   local:  [C=DE, ST=xxxxx, O=xxxxx, OU=xxxxx, CN=dyn.dns.xxx] uses public key authentication
        rw04:    cert:  "C=DE, ST=xxxxx, O=xxxxx, OU=xxxxx, CN=dyn.dns.xxx"
        rw04:   remote: [C=DE, ST=xxxxx, O=xxxxx, OU=xxxxx, CN=android-clientxxx] uses public key authentication
        rw04:    cert:  "C=DE, ST=xxxxx, O=xxxxx, OU=xxxxx, CN=android-clientxxx"
        rw04:   child:  0.0.0.0/0 === 10.0.8.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
        rw04[9]: ESTABLISHED 34 minutes ago, 192.168.101.3[C=DE, ST=xxxxx, O=xxxxx, OU=xxxxx, CN=dyn.dns.xxx]...82.122.101.43[C=DE, ST=xxxxx, O=xxxxx, OU=xxxxx, CN=android-clientxxx]
        rw04[9]: IKEv2 SPIs: f021839ba105393f_i 36d78bbe5da432cf_r*, public key reauthentication in 15 minutes
        rw04[9]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
        rw04{4}:  INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: ccb0151e_i bb269725_o
        rw04{4}:  AES_CBC_128/HMAC_SHA1_96, 66369 bytes_i (617 pkts, 4s ago), 299369 bytes_o (579 pkts, 103s ago), rekeying in 7 hours
        rw04{4}:   0.0.0.0/0 === 10.0.8.0/24

Alles anzeigen

Gruß
iNOB

ATD · 5. November 2015

Klaus, hier wird es langsam unübersichtlich, deshalb fasse ich es zusammen:

/etc/init.d/ipsec

Bash

#!/bin/sh /etc/rc.common
#/etc/init.d/ipsec - version 5 - 2015/02/19
 
NAME=ipsec
START=60
STOP=60
 
. $IPKG_INSTROOT/lib/functions.sh
. $IPKG_INSTROOT/lib/functions/service.sh
 
FileSecrets=/var/ipsec/ipsec.secrets
FileConn=/var/ipsec/ipsec.conf
FileCommon=/var/ipsec/strongswan.conf
 
FolderCerts=/var/ipsec/ipsec.d
 
ConfigUser()
{
  local enabled
  local xauth
  local name
  local password
  local crt_subject
 
  config_get_bool enabled $1 enabled 0
  [[ "$enabled" == "0" ]] && return
 
  config_get_bool xauth       $1 xauth       0
  config_get      name        $1 name        ""
  config_get      password    $1 password    ""
 
  if [ $xauth -eq 1 -a "$name" != "" -a "$password" != "" ]; then
    echo "$name : XAUTH \"$password\"" >> $FileSecrets
  fi
}
 
 
ConfigPhase1() {
  local encryption_algorithm
  local hash_algorithm
  local dh_group
 
  config_get encryption_algorithm  "$1" encryption_algorithm
  config_get hash_algorithm        "$1" hash_algorithm
  config_get dh_group              "$1" dh_group
 
  Phase1Proposal=${Phase1Proposal}","${encryption_algorithm}-${hash_algorithm}-${dh_group}
}
 
ConfigTunnel() {
  local local_subnet
  local local_nat
  local remote_subnet
  local p2_proposal
  local pfs_group
  local encryption_algorithm
  local authentication_algorithm
 
  config_get local_subnet             "$1"           local_subnet
  config_get local_nat                "$1"           local_nat ""
  config_get remote_subnet            "$1"           remote_subnet
  config_get p2_proposal              "$1"           p2_proposal
  config_get pfs_group                "$p2_proposal" pfs_group
  config_get encryption_algorithm     "$p2_proposal" encryption_algorithm
  config_get authentication_algorithm "$p2_proposal" authentication_algorithm
 
  [[ "$local_nat" != "" ]] && local_subnet=$local_nat
 
  p2_proposal="${encryption_algorithm}-${authentication_algorithm}-${pfs_group}"
 
  echo "conn $ConfigName-$1" >> $FileConn
  echo "  keyexchange=ikev2" >> $FileConn
  echo "  left=$LocalGateway" >> $FileConn
  echo "  right=$RemoteGateway" >> $FileConn
  echo "  leftsubnet=$local_subnet" >> $FileConn
  if [ "$AuthenticationMethod" = "psk" ]; then
    echo "  leftauth=psk" >> $FileConn
    echo "  rightauth=psk" >> $FileConn
    echo "  rightsubnet=$remote_subnet" >> $FileConn
# should be auto=route when going to 5.0.1
    echo "  auto=start" >> $FileConn
  elif [ "$AuthenticationMethod" = "xauth_psk_server" ]; then
    echo "  authby=xauthpsk" >> $FileConn
    echo "  xauth=server" >> $FileConn
    echo "  modeconfig=pull" >> $FileConn
    echo "  rightsourceip=$remote_subnet" >> $FileConn
    echo "  auto=add" >> $FileConn
  fi
  if [ "$LocalIdentifier" != "" ]; then
    echo "  leftid=$LocalIdentifier" >> $FileConn
  fi
  if [ "$RemoteIdentifier" != "" ]; then
    echo "  rightid=$RemoteIdentifier" >> $FileConn
  fi
 
#  echo "  auth=esp" >> $FileConn
  echo "  esp=$p2_proposal" >> $FileConn
  echo "  ike=$Phase1Proposal" >> $FileConn
  echo "  type=tunnel" >> $FileConn
}
 
ConfigRemote() {
  local enabled
  local gateway
  local pre_shared_key
  local authentication_method
  local local_identifier
  local remote_identifier
 
  ConfigName=$1
 
  config_get_bool enabled "$1" enabled 0
  [[ "$enabled" == "0" ]] && return
 
  config_get gateway               "$1" gateway
  config_get pre_shared_key        "$1" pre_shared_key
  config_get authentication_method "$1" authentication_method
  config_get local_identifier      "$1" local_identifier
  config_get remote_identifier     "$1" remote_identifier
 
  AuthenticationMethod=$authentication_method
  LocalIdentifier=$local_identifier
  RemoteIdentifier=$remote_identifier
 
  RemoteGateway=$gateway
  if [ "$RemoteGateway" = "any" ]; then
    RemoteGateway="%any"
    LocalGateway=`ip route get 1.1.1.1 | awk -F"src" '/src/{gsub(/ /,"");print $2}'`
  else
    LocalGateway=`ip route get $RemoteGateway | awk -F"src" '/src/{gsub(/ /,"");print $2}'`
  fi
  echo "$LocalGateway $RemoteGateway : PSK \"$pre_shared_key\"" >> $FileSecrets
 
  Phase1Proposal=""
  config_list_foreach "$1" p1_proposal ConfigPhase1
  Phase1Proposal=`echo $Phase1Proposal | cut -b 2-`
 
  config_list_foreach "$1" tunnel ConfigTunnel
}
 
PrepareEnvironment() {
  local debug
 
  for d in cacerts aacerts ocspcerts crls acerts; do
    mkdir -p $FolderCerts/$d 2>/dev/null
  done
 
  if [ ! -L /etc/ipsec.d ]; then
    rm -rf /etc/ipsec.d 2>/dev/null
    ln -s $FolderCerts /etc/ipsec.d
  fi
 
  if [ ! -L /etc/ipsec.secrets ]; then
    rm /etc/ipsec.secrets 2>/dev/null
    ln -s $FileSecrets /etc/ipsec.secrets
  fi
 
  if [ ! -L /etc/strongswan.conf ]; then
    rm /etc/strongswan.conf 2>/dev/null
    ln -s $FileCommon /etc/strongswan.conf
  fi
 
  if [ ! -L /etc/ipsec.conf ]; then
    rm /etc/ipsec.conf 2>/dev/null
    ln -s $FileConn /etc/ipsec.conf
  fi
 
  config_get debug "$1" debug 0
 
  echo "# generated by /etc/init.d/ipsec" > $FileCommon
  echo "charon {" >> $FileCommon
  echo "  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown" >> $FileCommon
  echo "  filelog {" >> $FileCommon
  echo "    /var/log/charon.log {" >> $FileCommon
  echo "      time_format = %b %e %T" >> $FileCommon
  echo "      ike_name = yes" >> $FileCommon
  echo "      append = no" >> $FileCommon
  echo "      default = " $debug >> $FileCommon
  echo "      flush_line = yes" >> $FileCommon
  echo "    }" >> $FileCommon
  echo "  }" >> $FileCommon
  echo "}" >> $FileCommon
 
}
 
CheckInstallation() {
  if [ ! -x /usr/sbin/ip ]; then
    echo /usr/sbin/ip missing
    echo install with \"opkg install ip\"
    exit
  fi
 
  for f in aes authenc cbc hmac md5 sha1; do
    if [ `opkg list kmod-crypto-$f | wc -l` -eq 0 ]; then
      echo kmod-crypto-$f missing
      echo install with  \"opkg install kmod-crypto-$f --nodeps\"
      exit
    fi
  done
 
  for f in aes gmp hmac kernel-netlink md5 random sha1 updown attr resolve; do
    if [ ! -f /usr/lib/ipsec/plugins/libstrongswan-${f}.so ]; then
      echo /usr/lib/ipsec/plugins/$f missing
      echo install with \"opkg install strongswan-mod-$f --nodeps\"
      exit
    fi
  done
}
 
start() {
  CheckInstallation
 
  config_load ipsec
  config_foreach PrepareEnvironment ipsec
  config_foreach ConfigRemote remote
 
  config_load users
  config_foreach ConfigUser user
 
  /usr/sbin/ipsec start
}
 
stop() {
  /usr/sbin/ipsec stop
}

Alles anzeigen

/etc/config/ipsec

/etc/config/firewall

Code

#/etc/config/firewall
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'IPSec ESP'
        option src 'wan'
        option proto 'esp'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'IPSec IKE'
        option src 'wan'
        option dest_port '500'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'IPSec NAT-T'
        option src 'wan'
        option dest_port '4500'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'Auth Header'
        option src 'wan'
        option proto 'ah'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'forward_vpn'
        option src 'lan'
        option dest 'vpn'
        option dest_ip '88.xx.xx.220/32'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'nat_vpn'
        option src 'lan'
        option dest 'vpn'
        option dest_ip '88.xx.xx.220/32'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'


config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'


config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'


config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'


config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'


config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'


config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'


config zone
        option name 'vpn'
        option network ' '
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'


config forwarding
        option src 'lan'
        option dest 'wan'


config include
        option path '/etc/firewall.user'
        option reload 1

Alles anzeigen

/etc/firewall.user

/etc/ipsec/firewall.sh

Bash

#!/bin/sh
#/etc/ipsec/firewall.sh - version 2
 
. /lib/functions.sh
 
GetZone() {
  config_get zone "$1" zone vpn
}
 
GetTunnel() {
  local remote_subnet
  local local_subnet
  local local_nat
 
  config_get remote_subnet "$1" remote_subnet
  config_get local_subnet  "$1" local_subnet
  config_get local_nat     "$1" local_nat ""
  iptables -A zone_${zone}_ACCEPT -d $remote_subnet -j ACCEPT
  iptables -A zone_${zone}_ACCEPT -s $remote_subnet -j ACCEPT
  iptables -A zone_${zone}_REJECT -d $remote_subnet -j reject
  iptables -A zone_${zone}_REJECT -s $remote_subnet -j reject
  iptables -A zone_${zone}_INPUT -s $remote_subnet -j zone_${zone}
  iptables -A zone_${zone}_FORWARD -s $remote_subnet -j zone_${zone}_forward
 
  if [ "$local_nat" == "" ]; then
    iptables -t nat -A zone_${zone}_nat -d $remote_subnet -j ACCEPT
  else
    iptables -t nat -A zone_${zone}_nat -d $remote_subnet \
             -s $local_subnet -j NETMAP --to $local_nat
    iptables -t nat -A prerouting_${zone} -s $remote_subnet \
             -d $local_nat -j NETMAP --to $local_subnet
  fi
}
 
GetRemote() {
  local enabled
  local gateway
 
  config_get_bool enabled "$1" enabled 0
  config_get      gateway "$1" gateway
  [[ "$enabled" == "0" ]] && return
 
  config_list_foreach "$1" tunnel GetTunnel
}
 
GetDevice() {
  . /lib/functions/network.sh
  local interface="$1"
  network_get_device listen "$interface"
  # open IPsec endpoint
  if [ "$listen" == "" ]; then
    iptables -A zone_${zone}_gateway -p esp -j ACCEPT
    iptables -A zone_${zone}_gateway -p udp --dport 500 -j ACCEPT
    iptables -A zone_${zone}_gateway -p udp --dport 4500 -j ACCEPT
    if [ $has_ip6tables -eq 1 ]; then
      ip6tables -A zone_${zone}_gateway -p esp -j ACCEPT
      ip6tables -A zone_${zone}_gateway -p udp --dport 500 -j ACCEPT
      ip6tables -A zone_${zone}_gateway -p udp --dport 4500 -j ACCEPT
    fi
  else
    iptables -A zone_${zone}_gateway -i $listen -p esp -j ACCEPT
    iptables -A zone_${zone}_gateway -i $listen -p udp --dport 500 -j ACCEPT
    iptables -A zone_${zone}_gateway -i $listen -p udp --dport 4500 -j ACCEPT
    if [ $has_ip6tables -eq 1 ]; then
      ip6tables -A zone_${zone}_gateway -i $listen -p esp -j ACCEPT
      ip6tables -A zone_${zone}_gateway -i $listen -p udp --dport 500 -j ACCEPT
      ip6tables -A zone_${zone}_gateway -i $listen -p udp --dport 4500 -j ACCEPT
    fi
  fi
 
}
 
GetInterface() {
  config_list_foreach "$1" listen GetDevice
}
 
zone=vpn
config_load ipsec
config_foreach GetZone ipsec
 
if [ -x /usr/sbin/ip6tables ]; then
  has_ip6tables=1
else
  has_ip6tables=0
fi
 
iptables -F zone_${zone}_ACCEPT
if [ $has_ip6tables -eq 1 ]; then
  ip6tables -F zone_${zone}_ACCEPT
fi
 
iptables -N zone_${zone}_gateway
iptables -I input -j zone_${zone}_gateway
if [ $has_ip6tables -eq 1 ]; then
  ip6tables -N zone_${zone}_gateway
  ip6tables -I input -j zone_${zone}_gateway
fi
config_foreach GetInterface ipsec
 
iptables -t nat -F zone_${zone}_nat
iptables -t nat -I POSTROUTING 2 -j zone_${zone}_nat
iptables -t nat -I PREROUTING 2 -j zone_${zone}_prerouting
 
# sort VPN rules to top of forward zones and insert VPN reject marker afterwards
ForwardZones=`iptables -S | awk '/.N.*zone.*_forward/{print $2}' | grep -v ${zone}`
for ForwardZone in $ForwardZones ; do
  echo "iptables -F $ForwardZone" > /tmp/fwrebuild
  iptables -S $ForwardZone | grep zone_${zone}_ACCEPT | \
    grep -v "^-N" | awk '{ print "iptables " $0}' >> /tmp/fwrebuild
  echo "iptables -A $ForwardZone -j zone_${zone}_REJECT" >> /tmp/fwrebuild
  iptables -S $ForwardZone | grep -v zone_${zone}_ACCEPT | \
    grep -v "^-N" | awk '{ print "iptables " $0}' >> /tmp/fwrebuild
 
  chmod +x /tmp/fwrebuild
  /tmp/fwrebuild
  rm /tmp/fwrebuild
done
 
# link zone_vpn via zone_vpn_INPUT
iptables -N zone_${zone}_INPUT
iptables -I input -j zone_${zone}_INPUT
 
# link zone_vpn_forward via zone_vpn_FORWARD
iptables -N zone_${zone}_FORWARD
iptables -I forward -j zone_${zone}_FORWARD
 
config_foreach GetRemote remote

Alles anzeigen

/etc/strongswan.conf

/etc/ipsec.conf

Bitte iptables -t nat -L | grep prerouting_ posten!

Albert

[Suche] Empfehlung für Router mit Kabel Deutschland unter openWRT

Jetzt mitmachen!

Teilen