[Suche] Empfehlung für Router mit Kabel Deutschland unter openWRT

ATD · November 21, 2015 at 12:38 AM

Schade, dass es mit strongSwan nicht geklappt hat, lag aber bestimmt an uns. Mit OpenVPN hast Du wenigstens einen Interface und eine gute Anleitung.

Albert

kls · November 22, 2015 at 1:34 PM

Das mit OpenVPN hat zwar zunächst gut ausgesehen, aber als ich es dann auf dem openSUSE Server aufsetzen wollte, wurde die Sache für meinen Geschmack immer komplexer und unübersichtlicher. Irgendwie bin ich halt von der Einfachheit bei ipsec begeistert...

Also bin ich nochmal zurück zu StrongSwan und habe (auch unter Zuhilfenahme von http://wiki.openwrt.org/doc/howto/vpn.ipsec.roadwarrior) folgende Config-Files erzeugt:

/etc/ipsec.conf

Code

# ipsec.conf - strongSwan IPsec configuration file


# basic configuration


config setup
        # strictcrlpolicy=yes
        # uniqueids = no


# Add connections here.


conn cougar
        leftid=@cougar.tvdr.de
        left=%defaultroute
        leftfirewall=yes


conn racoon-cougarnet
        also=racoon
        also=cougar
        leftsubnet=192.168.1.0/24
        authby=secret
        auto=start


conn racoon
        rightid=@racoon.tvdr.de
        right=88.198.76.220

Display More

/etc/strongswan.conf

Code

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files


charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

Display More

/etc/firewall.user

Code

iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT

/etc/config/firewall

Code

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'


config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'


config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'


config forwarding
        option src 'lan'
        option dest 'wan'


config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'


config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'


config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'


config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'


config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'


config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'


config include
        option path '/etc/firewall.user'


config rule
        option name 'IPSec ESP'
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'


config rule
        option name 'IPSec IKE'
        option src 'wan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'


config rule
        option name 'IPSec NAT-T'
        option src 'wan'
        option dest_port '4500'
        option proto 'udp'
        option target 'ACCEPT'


config rule
        option name 'Auth Header'
        option src 'wan'
        option proto 'ah'
        option target 'ACCEPT'

Display More

Serverseitig habe ich auch "leftfirewall=yes" angegeben, ansonsten ist dort alles so wie vorher geblieben.

Nach Neustart der Firewall und von ipsec erhalte ich im Log:

ipsec start log

Code

Sun Nov 22 13:25:42 2015 authpriv.info ipsec_starter[12312]: Starting strongSwan 5.3.3 IPsec [starter]...
Sun Nov 22 13:25:42 2015 daemon.err modprobe: ah4 is already loaded
Sun Nov 22 13:25:42 2015 daemon.err modprobe: esp4 is already loaded
Sun Nov 22 13:25:42 2015 daemon.err modprobe: ipcomp is already loaded
Sun Nov 22 13:25:42 2015 daemon.err modprobe: xfrm4_tunnel is already loaded
Sun Nov 22 13:25:42 2015 daemon.err modprobe: xfrm_user is already loaded
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips)
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[LIB] curl SSL backend 'PolarSSL/1.3.11' not supported, https:// disabled
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[CFG] disabling load-tester plugin, not configured
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[LIB] created TUN device: ipsec0
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[CFG] attr-sql plugin: database URI not set
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[CFG]   loaded IKE secret for @cougar.tvdr.de @racoon.tvdr.de
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[CFG] sql plugin: database URI not set
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[CFG] loaded 0 RADIUS server configurations
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[CFG] HA config misses local/remote address
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[CFG] coupling file path unspecified
Sun Nov 22 13:25:42 2015 daemon.info syslog: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck uSun Nov 22 13:25:42 2015 daemon.info syslog: 00[JOB] spawning 16 worker threads
Sun Nov 22 13:25:42 2015 authpriv.info ipsec_starter[12342]: charon (12343) started after 380 ms
Sun Nov 22 13:25:42 2015 daemon.info syslog: 11[CFG] received stroke: add connection 'racoon-cougarnet'
Sun Nov 22 13:25:42 2015 daemon.info syslog: 11[CFG] added configuration 'racoon-cougarnet'
Sun Nov 22 13:25:42 2015 daemon.info syslog: 11[CFG] received stroke: initiate 'racoon-cougarnet'
Sun Nov 22 13:25:42 2015 daemon.info syslog: 11[IKE] initiating IKE_SA racoon-cougarnet[1] to 88.198.76.220
Sun Nov 22 13:25:42 2015 authpriv.info syslog: 11[IKE] initiating IKE_SA racoon-cougarnet[1] to 88.198.76.220
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[NET] sending packet: from 188.192.80.168[500] to 88.198.76.220[500] (1436 bytes)
Sun Nov 22 13:25:43 2015 daemon.info syslog: 16[NET] received packet: from 88.198.76.220[500] to 188.192.80.168[500] (440 bytes)
Sun Nov 22 13:25:43 2015 daemon.info syslog: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sun Nov 22 13:25:43 2015 daemon.info syslog: 16[IKE] faking NAT situation to enforce UDP encapsulation
Sun Nov 22 13:25:43 2015 daemon.info syslog: 16[IKE] authentication of 'cougar.tvdr.de' (myself) with pre-shared key
Sun Nov 22 13:25:43 2015 daemon.info syslog: 16[IKE] establishing CHILD_SA racoon-cougarnet
Sun Nov 22 13:25:43 2015 authpriv.info syslog: 16[IKE] establishing CHILD_SA racoon-cougarnet
Sun Nov 22 13:25:43 2015 daemon.info syslog: 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Sun Nov 22 13:25:43 2015 daemon.info syslog: 16[NET] sending packet: from 188.192.80.168[4500] to 88.198.76.220[4500] (444 bytes)
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[NET] received packet: from 88.198.76.220[4500] to 188.192.80.168[4500] (236 bytes)
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[IKE] authentication of 'racoon.tvdr.de' with pre-shared key successful
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[IKE] IKE_SA racoon-cougarnet[1] established between 188.192.80.168[cougar.tvdr.de]...88.198.76.220[racoon.tvdr.de]
Sun Nov 22 13:25:43 2015 authpriv.info syslog: 11[IKE] IKE_SA racoon-cougarnet[1] established between 188.192.80.168[cougar.tvdr.de]...88.198.76.220[racoon.tvdr.de]
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[IKE] scheduling reauthentication in 10255s
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[IKE] maximum IKE_SA lifetime 10795s
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[KNL] can't install route for 192.168.1.0/24 === 88.198.76.220/32 out, "
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[KNL] can't install route for 192.168.1.0/24 === 88.198.76.220/32 out, conflicts with IKE traffic
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[IKE] unable to install IPsec policies (SPD) in kernel
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[IKE] failed to establish CHILD_SA, keeping IKE_SA
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[IKE] peer supports MOBIKE
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[IKE] sending DELETE for ESP CHILD_SA with SPI 79ff376f
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[ENC] generating INFORMATIONAL request 2 [ D ]
Sun Nov 22 13:25:43 2015 daemon.info syslog: 11[NET] sending packet: from 188.192.80.168[4500] to 88.198.76.220[4500] (76 bytes)
Sun Nov 22 13:25:43 2015 daemon.info syslog: 12[NET] received packet: from 88.198.76.220[4500] to 188.192.80.168[4500] (76 bytes)
Sun Nov 22 13:25:43 2015 daemon.info syslog: 12[ENC] parsed INFORMATIONAL response 2 [ D ]

Display More

Interessant sind hier die Zeilen 48 bis 51. Wegen eines Konflikts kann die Route nicht erzeugt werden, und daher scheitert die zweite Phase des Tunnel-Aufbaus. Ob diese Fehlermeldung bei meinen vorherigen Versuchen auch schon gekommen ist, weiß ich leider nicht. Aber vielleicht fürht uns das ja in die richtige Richtung. Allerdings hat eine erste Google-Suche nach "conflicts with IKE traffic" zwar ergeben, daß wohl auch andere deises Problem haben, eine Lösung konnte ich aber noch nicht finden...

Klaus

kls · November 22, 2015 at 3:40 PM

Jetzt bin ich vielleicht einen wichtigen Schritt weiter gekommen.
Wenn ich das von hier https://git.strongswan.org/?p=strongswan.…mmit;h=1ff63f15 mache, dann wird anscheinend der Tunnel tatsächlich komplett aufgebaut:

log

Code

Sun Nov 22 15:17:09 2015 authpriv.info ipsec_starter[13532]: Starting strongSwan 5.3.3 IPsec [starter]...
Sun Nov 22 15:17:09 2015 daemon.err modprobe: ah4 is already loaded
Sun Nov 22 15:17:09 2015 daemon.err modprobe: esp4 is already loaded
Sun Nov 22 15:17:09 2015 daemon.err modprobe: ipcomp is already loaded
Sun Nov 22 15:17:09 2015 daemon.err modprobe: xfrm4_tunnel is already loaded
Sun Nov 22 15:17:09 2015 daemon.err modprobe: xfrm_user is already loaded
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips)
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[LIB] curl SSL backend 'PolarSSL/1.3.11' not supported, https:// disabled
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[CFG] disabling load-tester plugin, not configured
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[LIB] created TUN device: ipsec0
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[CFG] attr-sql plugin: database URI not set
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[CFG]   loaded IKE secret for @cougar.tvdr.de @racoon.tvdr.de
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[CFG] sql plugin: database URI not set
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[CFG] loaded 0 RADIUS server configurations
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[CFG] HA config misses local/remote address
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[CFG] coupling file path unspecified
Sun Nov 22 15:17:09 2015 daemon.info syslog: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck uSun Nov 22 15:17:09 2015 daemon.info syslog: 00[JOB] spawning 16 worker threads
Sun Nov 22 15:17:09 2015 authpriv.info ipsec_starter[13545]: charon (13546) started after 380 ms
Sun Nov 22 15:17:09 2015 daemon.info syslog: 13[CFG] received stroke: add connection 'racoon-cougarnet'
Sun Nov 22 15:17:09 2015 daemon.info syslog: 13[CFG] added configuration 'racoon-cougarnet'
Sun Nov 22 15:17:09 2015 daemon.info syslog: 04[CFG] received stroke: initiate 'racoon-cougarnet'
Sun Nov 22 15:17:09 2015 daemon.info syslog: 04[IKE] initiating IKE_SA racoon-cougarnet[1] to 88.198.76.220
Sun Nov 22 15:17:09 2015 authpriv.info syslog: 04[IKE] initiating IKE_SA racoon-cougarnet[1] to 88.198.76.220
Sun Nov 22 15:17:09 2015 daemon.info syslog: 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Sun Nov 22 15:17:09 2015 daemon.info syslog: 04[NET] sending packet: from 188.192.80.168[500] to 88.198.76.220[500] (1436 bytes)
Sun Nov 22 15:17:10 2015 daemon.info syslog: 01[NET] received packet: from 88.198.76.220[500] to 188.192.80.168[500] (440 bytes)
Sun Nov 22 15:17:10 2015 daemon.info syslog: 01[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sun Nov 22 15:17:10 2015 daemon.info syslog: 01[IKE] faking NAT situation to enforce UDP encapsulation
Sun Nov 22 15:17:10 2015 daemon.info syslog: 01[IKE] authentication of 'cougar.tvdr.de' (myself) with pre-shared key
Sun Nov 22 15:17:10 2015 daemon.info syslog: 01[IKE] establishing CHILD_SA racoon-cougarnet
Sun Nov 22 15:17:10 2015 authpriv.info syslog: 01[IKE] establishing CHILD_SA racoon-cougarnet
Sun Nov 22 15:17:10 2015 daemon.info syslog: 01[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Sun Nov 22 15:17:10 2015 daemon.info syslog: 01[NET] sending packet: from 188.192.80.168[4500] to 88.198.76.220[4500] (444 bytes)
Sun Nov 22 15:17:10 2015 daemon.info syslog: 03[NET] received packet: from 88.198.76.220[4500] to 188.192.80.168[4500] (236 bytes)
Sun Nov 22 15:17:10 2015 daemon.info syslog: 03[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Sun Nov 22 15:17:10 2015 daemon.info syslog: 03[IKE] authentication of 'racoon.tvdr.de' with pre-shared key successful
Sun Nov 22 15:17:10 2015 daemon.info syslog: 03[IKE] IKE_SA racoon-cougarnet[1] established between 188.192.80.168[cougar.tvdr.de]...88.198.76.220[racoon.tvdr.de]
Sun Nov 22 15:17:10 2015 authpriv.info syslog: 03[IKE] IKE_SA racoon-cougarnet[1] established between 188.192.80.168[cougar.tvdr.de]...88.198.76.220[racoon.tvdr.de]
Sun Nov 22 15:17:10 2015 daemon.info syslog: 03[IKE] scheduling reauthentication in 9870s
Sun Nov 22 15:17:10 2015 daemon.info syslog: 03[IKE] maximum IKE_SA lifetime 10410s
Sun Nov 22 15:17:10 2015 daemon.info syslog: 03[IKE] CHILD_SA racoon-cougarnet{1} established with SPIs 84d92b40_i cfe0ffa4_o and TS 192.168.1.0/24 === 88.198.76.220/32
Sun Nov 22 15:17:10 2015 authpriv.info syslog: 03[IKE] CHILD_SA racoon-cougarnet{1} established with SPIs 84d92b40_i cfe0ffa4_o and TS 192.168.1.0/24 === 88.198.76.220/32
Sun Nov 22 15:17:10 2015 local0.notice vpn: + racoon.tvdr.de 88.198.76.220 -- 188.192.80.168 == 192.168.1.0/24
Sun Nov 22 15:17:10 2015 daemon.info syslog: 03[IKE] received AUTH_LIFETIME of 9932s, scheduling reauthentication in 9392s
Sun Nov 22 15:17:10 2015 daemon.info syslog: 03[IKE] peer supports MOBIKE

Display More

ipsec statusall (client)

Code

Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips):
 uptime: 4 seconds, since Nov 22 15:18:20 2015
 malloc: sbrk 266240, mmap 0, used 244936, free 21304
 worker threads: 5 of 16 idle, 7/0/4/0 working, job queue: 0/0/0/0, scheduled: 7
 loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck uci addrblock unity
Listening IP addresses:
 188.192.80.168
 192.168.1.1
 fd4c:dd00:f364::1
Connections:
racoon-cougarnet:  %any...88.198.76.220  IKEv1/2
racoon-cougarnet:   local:  [cougar.tvdr.de] uses pre-shared key authentication
racoon-cougarnet:   remote: [racoon.tvdr.de] uses pre-shared key authentication
racoon-cougarnet:   child:  192.168.1.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
racoon-cougarnet[1]: ESTABLISHED 3 seconds ago, 188.192.80.168[cougar.tvdr.de]...88.198.76.220[racoon.tvdr.de]
racoon-cougarnet[1]: IKEv2 SPIs: 7ba41a5d24d128e0_i* f0f0aee5676e1022_r, pre-shared key reauthentication in 2 hours
racoon-cougarnet[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
racoon-cougarnet{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 2dec895f_i c8668647_o
racoon-cougarnet{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
racoon-cougarnet{1}:   192.168.1.0/24 === 88.198.76.220/32

Display More

ipsec statusall (server)

Code

Status of IKE charon daemon (strongSwan 5.1.3, Linux 3.16.7-29-default, x86_64):
 uptime: 29 minutes, since Nov 22 15:03:12 2015
 malloc: sbrk 2838528, mmap 0, used 685120, free 2153408
 worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 15
 loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
Listening IP addresses:
 88.198.76.220
Connections:
racoon-panthernet:  88.198.76.220...%any  IKEv1
racoon-panthernet:   local:  [racoon.tvdr.de] uses pre-shared key authentication
racoon-panthernet:   remote: [panther.tvdr.de] uses pre-shared key authentication
racoon-panthernet:   child:  dynamic === 192.168.100.0/24 TUNNEL
racoon-cougarnet:  88.198.76.220...%any  IKEv2
racoon-cougarnet:   local:  [racoon.tvdr.de] uses pre-shared key authentication
racoon-cougarnet:   remote: [cougar.tvdr.de] uses pre-shared key authentication
racoon-cougarnet:   child:  dynamic === 192.168.1.0/24 TUNNEL
Security Associations (2 up, 0 connecting):
racoon-cougarnet[9]: ESTABLISHED 25 seconds ago, 88.198.76.220[racoon.tvdr.de]...188.192.80.168[cougar.tvdr.de]
racoon-cougarnet[9]: IKEv2 SPIs: 3ef7d53470a8d1a6_i a926f7ef27a51b2b_r*, pre-shared key reauthentication in 2 hours
racoon-cougarnet[9]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
racoon-cougarnet{7}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c6b341db_i bb633518_o
racoon-cougarnet{7}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 44 minutes
racoon-cougarnet{7}:   88.198.76.220/32 === 192.168.1.0/24
racoon-panthernet[3]: ESTABLISHED 26 minutes ago, 88.198.76.220[racoon.tvdr.de]...93.212.212.151[panther.tvdr.de]
racoon-panthernet[3]: IKEv1 SPIs: 414b47b418fc5e92_i fe121360b564cf0e_r*, pre-shared key reauthentication in 2 hours
racoon-panthernet[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
racoon-panthernet{1}:  INSTALLED, TUNNEL, ESP SPIs: cd20d667_i 8a6c003c_o
racoon-panthernet{1}:  AES_CBC_128/HMAC_SHA1_96, 5667039 bytes_i (6087 pkts, 16s ago), 631419 bytes_o (5311 pkts, 21s ago), rekeying in 16 minutes
racoon-panthernet{1}:   88.198.76.220/32 === 192.168.100.0/24

Display More

Allerdings brechen dann bestehende ssh-Verbindungen zum Server ab und es ist auch nicht mehr möglich, neue aufzubauen oder den Server zu pingen. Nachdem ipsec aber anscheinend einen vollständigen Tunnel erzeugt hat, kann das wohl nur noch eine winzige Kleinigkeit sein.

In der Server-Firewall ist 192.168.1.0/24 als "trusted net" eingetragen.

Vielleicht hat ja noch jemand den entscheidenden Hinweis ;-).

Klaus

M-Reimer · November 22, 2015 at 5:00 PM

Wenn ATD nicht noch eine Idee hat, dann wäre das vielleicht der Punkt das ganze hier zu schildern: https://forum.openwrt.org/

Ich weiß nicht wie exotisch StrongSwan ist, aber die Chance, da jemanden zu finden, der das ganze unter OpenWRT schon eingerichtet hat, ist sicher deutlich größer als hier.

ATD · November 22, 2015 at 5:11 PM

Quote from kls

Vielleicht hat ja noch jemand den entscheidenden Hinweis ;-).

Aber nur vielleicht. Versuch über /etc/firewall.user:

/etc/firewall.user

Code

iptables -I INPUT  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD  -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I OUTPUT   -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -s 88.198.76.220/32 -j ACCEPT
iptables -I FORWARD -d 88.198.76.220/32 -j ACCEPT

Albert

kls · November 22, 2015 at 5:26 PM

ATD: hat leider nicht wirklich geholfen.
Statt "ssh: connect to host racoon port 22: Connection refused" kommt jetzt einfach gar keine Response.

Klaus

ATD · November 22, 2015 at 5:45 PM

Quote from kls

Allerdings brechen dann bestehende ssh-Verbindungen zum Server ab und es ist auch nicht mehr möglich, neue aufzubauen oder den Server zu pingen.

Heißt es, dass mit Deinem neuen Konfiguration das pingen funktioniert hat?

Albert

kls · November 22, 2015 at 6:18 PM

Nein, auch 'ping' geht damit nicht. Aber zumindest ist laut Log und 'ipsec statusall' der Tunnel komplett aufgebaut. Ich bin zuversichtlich, daß der Rest nur noch eine Kleinigkeit ist.

Klaus

ATD · November 22, 2015 at 6:21 PM

Quote from kls

Nein, auch 'ping' geht damit nicht. Aber zumindest ist laut Log und 'ipsec statusall' der Tunnel komplett aufgebaut.

Ja, der Tunnel steht. Wir laufen aber bei der Adresse in einem REJECT rein oder das Paket nimmt die Adresse der NAT an.

Geht der Ping von dem gemieteten Server aus auf die Lokale Adresse?

Albert

kls · November 22, 2015 at 6:31 PM

Ping weiß ich nicht, aber ich habe einen traceroute von dort initiiert und der lieferte außer seiner eigenen IP keine Hops.

Klaus

ATD · November 22, 2015 at 7:49 PM

Zeige mal eine aktuelle iptables-save > /etc/iptables/rules.v4.

Albert

kls · November 22, 2015 at 8:08 PM

iptables-save

Code

# Generated by iptables-save v1.4.21 on Sun Nov 22 20:06:03 2015
*nat
:PREROUTING ACCEPT [4814:890520]
:INPUT ACCEPT [754:67233]
:OUTPUT ACCEPT [532:45665]
:POSTROUTING ACCEPT [78:12040]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o eth0 -j zone_wan_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
-A delegate_prerouting -i br-lan -j zone_lan_prerouting
-A delegate_prerouting -i eth0 -j zone_wan_prerouting
-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Sun Nov 22 20:06:03 2015
# Generated by iptables-save v1.4.21 on Sun Nov 22 20:06:03 2015
*raw
:PREROUTING ACCEPT [533952:490607630]
:OUTPUT ACCEPT [3831:549358]
:delegate_notrack - [0:0]
-A PREROUTING -j delegate_notrack
COMMIT
# Completed on Sun Nov 22 20:06:03 2015
# Generated by iptables-save v1.4.21 on Sun Nov 22 20:06:03 2015
*mangle
:PREROUTING ACCEPT [533957:490607890]
:INPUT ACCEPT [2704:364617]
:FORWARD ACCEPT [529602:489586256]
:OUTPUT ACCEPT [3835:549758]
:POSTROUTING ACCEPT [533437:490136014]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
-A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Nov 22 20:06:03 2015
# Generated by iptables-save v1.4.21 on Sun Nov 22 20:06:03 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -j delegate_input
-A FORWARD -d 88.198.76.220/32 -j ACCEPT
-A FORWARD -s 88.198.76.220/32 -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j delegate_forward
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0 -j zone_wan_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0 -j zone_wan_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0 -j zone_wan_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -j reject
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment Allow-IGMP -j ACCEPT
-A zone_wan_input -p esp -m comment --comment "IPSec ESP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "IPSec IKE" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "IPSec NAT-T" -j ACCEPT
-A zone_wan_input -p ah -m comment --comment "Auth Header" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -j reject
COMMIT
# Completed on Sun Nov 22 20:06:03 2015

Display More

Klaus

ATD · November 23, 2015 at 12:31 AM

/etc/firewall.user

Code

iptables -I INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -I FORWARD -i eth0 -s 88.198.76.220/32 -d 192.168.1.0/24 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD -o eth0 -s 192.168.1.0/24 -d 88.198.76.220/32 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -I PREROUTING -s 88.198.76.220/32 -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT

iptables-save ?

Albert

kls · November 23, 2015 at 2:06 PM

iptables-save

Code

# Generated by iptables-save v1.4.21 on Mon Nov 23 14:03:10 2015
*nat
:PREROUTING ACCEPT [1:158]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -s 88.198.76.220/32 -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o eth0 -j zone_wan_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
-A delegate_prerouting -i br-lan -j zone_lan_prerouting
-A delegate_prerouting -i eth0 -j zone_wan_prerouting
-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Mon Nov 23 14:03:10 2015
# Generated by iptables-save v1.4.21 on Mon Nov 23 14:03:10 2015
*raw
:PREROUTING ACCEPT [87:6310]
:OUTPUT ACCEPT [82:10940]
:delegate_notrack - [0:0]
-A PREROUTING -j delegate_notrack
COMMIT
# Completed on Mon Nov 23 14:03:10 2015
# Generated by iptables-save v1.4.21 on Mon Nov 23 14:03:10 2015
*mangle
:PREROUTING ACCEPT [89:6414]
:INPUT ACCEPT [89:6414]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [84:11204]
:POSTROUTING ACCEPT [84:11204]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
-A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Nov 23 14:03:10 2015
# Generated by iptables-save v1.4.21 on Mon Nov 23 14:03:10 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -j delegate_input
-A FORWARD -s 192.168.1.0/24 -d 88.198.76.220/32 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -s 88.198.76.220/32 -d 192.168.1.0/24 -i eth0 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j delegate_forward
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0 -j zone_wan_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0 -j zone_wan_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0 -j zone_wan_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -j reject
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment Allow-IGMP -j ACCEPT
-A zone_wan_input -p esp -m comment --comment "IPSec ESP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "IPSec IKE" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "IPSec NAT-T" -j ACCEPT
-A zone_wan_input -p ah -m comment --comment "Auth Header" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -j reject
COMMIT
# Completed on Mon Nov 23 14:03:10 2015

Display More

Klaus

ATD · November 23, 2015 at 10:10 PM

Klaus, hier noch ein Versuch.

/etc/firewall.user

Code

iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -I FORWARD -i eth0 -s 88.198.76.220/32 -d 192.168.1.0/24 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD -o eth1 -s 192.168.1.0/24 -d 88.198.76.220/32 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -I PREROUTING -s 88.198.76.220/32 -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT

iptables-save ?

Bitte den Ping beidseitig versuchen.

Hilft es auch nicht, dann schließe ich mich M-Reimer (Post 144) an.

Siehst Du oder irgendwer eine Möglichkeit OpenWRT in eine VM irgendwie soweit zu bekommen, dass ich die LuCI Oberfläche nutzen könnte? Ohne LuCI kann ich die Zone/Rule Einträge in der /etc/config/firewall nicht nachvollziehen und damit ist mir der "ofizieller" Weg versperrt.

Albert

sparkie · November 24, 2015 at 4:45 AM

Quote from ATD

Siehst Du oder irgendwer eine Möglichkeit OpenWRT in eine VM irgendwie soweit zu bekommen, dass ich die LuCI Oberfläche nutzen könnte?

ich verstehe ehrlich gesagt nicht, wie man mit so Spezial-Systemen wie 'OpenWRT' ueberhaupt so viel Zeit verschwenden kann. Warum das Ganze? Nur damit es auf einer Billighardware laeuft? Das oben im Thread genannte pc-engines APU Board + eine Standard Linux Distribution -> und schon passt die reichlich vorhandene Standard-Dokumentation zu den angesprochenen Themen.

iNOB · November 24, 2015 at 6:50 AM

Manchmal ist der Weg das Ziel, dass einen glücklich macht.

Gruß
iNOB

M-Reimer · November 24, 2015 at 8:52 AM

Normalerweise ist OpenWRT unproblematisch. Klaus hat eine Konfiguration vor, die die meisten Nutzer nicht brauchen. Vielleicht gibt es an der Stelle tatsächlich einen Bug, der noch nicht aufgefallen ist. Großer Vorteil der "Fertigrouter" ist halt, neben dem Preis, der geringe Stromverbrauch. Bei einem Gerät, was 24/7 läuft ist das zumindest für mich ein wichtiges Argument.

sparkie · November 24, 2015 at 9:15 AM

Quote from M-Reimer

Normalerweise ist OpenWRT unproblematisch.

das mag sein. Wenn man das macht was 95% der anderen Nutzer machen.

Quote

Klaus hat eine Konfiguration vor, die die meisten Nutzer nicht brauchen. Vielleicht gibt es an der Stelle tatsächlich einen Bug, der noch nicht aufgefallen ist

und das ist genau der Punkt. Warum die eigene Zeit nicht lieber in 'allgemeingueltiges' Wissen, das Quasi-Standard ist investieren? Entscheidend ist die dort vorhandene Dokumentation, die meist sehr gut ist. Wenn ich dort noch Bugs finde beteilige ich mich gerne daran einen Fix zu finden. Mir waere aber meine Zeit zu schade die hochspeziellen Bugs irgendwelcher (obendrein noch schlecht dokumentierter) Spezialdistributionen zu debuggen.

Quote

Großer Vorteil der "Fertigrouter" ist halt, neben dem Preis, der geringe Stromverbrauch

die heutzutage erhaeltliche routerfaehige PC-Hardware braucht kaum mehr Leistung als die (teil)-vernagelten Fertigloesungen.

zudem laesst sich Standard-Hardware auch auf lange Sicht automatisch mit der Distribution deines Vertrauens updaten. Bei Spezialdistributionen ist man immer auf das Wohlwollen der Mainplayer angewiesen.

just my 2c

kls · November 24, 2015 at 11:05 AM

iptables-save

Code

# Generated by iptables-save v1.4.21 on Tue Nov 24 10:59:16 2015
*nat
:PREROUTING ACCEPT [112:32260]
:INPUT ACCEPT [20:1823]
:OUTPUT ACCEPT [12:4386]
:POSTROUTING ACCEPT [2:524]
:delegate_postrouting - [0:0]
:delegate_prerouting - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -s 88.198.76.220/32 -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A PREROUTING -j delegate_prerouting
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o eth0 -j zone_wan_postrouting
-A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
-A delegate_prerouting -i br-lan -j zone_lan_prerouting
-A delegate_prerouting -i eth0 -j zone_wan_prerouting
-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
COMMIT
# Completed on Tue Nov 24 10:59:16 2015
# Generated by iptables-save v1.4.21 on Tue Nov 24 10:59:16 2015
*raw
:PREROUTING ACCEPT [1257:267132]
:OUTPUT ACCEPT [373:67467]
:delegate_notrack - [0:0]
-A PREROUTING -j delegate_notrack
COMMIT
# Completed on Tue Nov 24 10:59:16 2015
# Generated by iptables-save v1.4.21 on Tue Nov 24 10:59:16 2015
*mangle
:PREROUTING ACCEPT [1257:267132]
:INPUT ACCEPT [472:36303]
:FORWARD ACCEPT [716:202104]
:OUTPUT ACCEPT [373:67467]
:POSTROUTING ACCEPT [1083:269067]
:fwmark - [0:0]
:mssfix - [0:0]
-A PREROUTING -j fwmark
-A FORWARD -j mssfix
-A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Nov 24 10:59:16 2015
# Generated by iptables-save v1.4.21 on Tue Nov 24 10:59:16 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:delegate_forward - [0:0]
:delegate_input - [0:0]
:delegate_output - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -j delegate_input
-A FORWARD -s 192.168.1.0/24 -d 88.198.76.220/32 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -s 88.198.76.220/32 -d 192.168.1.0/24 -i eth0 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -j delegate_forward
-A OUTPUT -j delegate_output
-A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
-A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_forward -i br-lan -j zone_lan_forward
-A delegate_forward -i eth0 -j zone_wan_forward
-A delegate_forward -j reject
-A delegate_input -i lo -j ACCEPT
-A delegate_input -m comment --comment "user chain for input" -j input_rule
-A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
-A delegate_input -i br-lan -j zone_lan_input
-A delegate_input -i eth0 -j zone_wan_input
-A delegate_output -o lo -j ACCEPT
-A delegate_output -m comment --comment "user chain for output" -j output_rule
-A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A delegate_output -o br-lan -j zone_lan_output
-A delegate_output -o eth0 -j zone_wan_output
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A syn_flood -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
-A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_lan_forward -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_lan_input -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
-A zone_lan_output -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -j reject
-A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
-A zone_wan_forward -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment Allow-IGMP -j ACCEPT
-A zone_wan_input -p esp -m comment --comment "IPSec ESP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "IPSec IKE" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "IPSec NAT-T" -j ACCEPT
-A zone_wan_input -p ah -m comment --comment "Auth Header" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
-A zone_wan_input -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
-A zone_wan_output -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -j reject
COMMIT
# Completed on Tue Nov 24 10:59:16 2015

Display More

Mit deiner jüngsten firewall.user geht es leider auch nicht, und der ping geht von beiden Seiten nicht.

Ich werde dann wohl mal mein Glück im OpenWRT-Forum versuchen...

Jedenfalls nochmal danke für deine Mühe.
Ich werde das Ergebnis hier posten, falls ich es zum Laufen bekomme.

Klaus

Participate now!