Инструменты пользователя

Инструменты сайта


краткое_руководство_по_поиску_проблем_ipsec

ipsec

Краткий план

проверки работоспособности IPSec политики

и

поиска проблем

для прошивок на базе лицензированной NETSHe OS

Для проверки работоспособности и поиска проблем следует выполнить последовательность шагов

Убедиться, что политика загружена

Например, политика gost-ipsec

swanctl —list-conns

pass-mcast: IKEv1/2, no reauthentication, rekeying every 14400s

local: %any

remote: 127.0.0.1

local unspecified authentication:

remote unspecified authentication:

pass-mcast: PASS, no rekeying

local: 0.0.0.0/0

remote: 224.0.0.0/4

gost-ipsec: IKEv2, reauthentication every 28800s, rekeying every 86400s, dpd delay 15s

local: 192.168.25.182

remote: 192.168.25.49

local pre-shared key authentication:

id: 192.168.25.182

remote pre-shared key authentication:

id: 192.168.25.49

gost-ipsec: TUNNEL, rekeying every 86400s, dpd action is restart

local: 192.168.58.0/24

remote: 192.168.59.0/24

Убедиться, что для политки есть SA записи

swanctl —list-sas

gost-ipsec: #1, ESTABLISHED, IKEv2, e947e9f4292464b7_i 28fb87626307809a_r*

local '192.168.25.182' @ 192.168.25.182[500]

remote '192.168.25.49' @ 192.168.25.49[500]

AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

established 159s ago, rekeying in 79793s, reauth in 28548s

gost-ipsec: #2, reqid 1, INSTALLED, TUNNEL, ESP:3DES_CBC/HMAC_MD5_96

installed 159s ago, rekeying in 77772s, expires in 94881s

in ca249833, 13356 bytes, 159 packets, 0s ago

out c50c4def, 13356 bytes, 159 packets, 0s ago

local 192.168.58.0/24

remote 192.168.59.0/24

В выводе могут/должны быть сведения о числе прошедших пакетов и сумме байт.

Посмотреть вывод ipsec statusall

Status of IKE charon daemon (weakSwan 5.8.2, Linux 4.19.82, x86_64):

uptime: 4 minutes, since Feb 07 17:26:24 2020

worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4

loaded plugins: charon random nonce constraints pubkey pkcs1 pkcs7 pkcs12 af-alg gmp attr kernel-netlink resolve socket-default farp stroke vici updown addrblock

Listening IP addresses:

192.168.25.182

192.168.58.1

Connections:

pass-mcast: %any…127.0.0.1 IKEv1/2

pass-mcast: local: uses any authentication

pass-mcast: remote: uses any authentication

pass-mcast: child: 0.0.0.0/0 === 224.0.0.0/4 PASS

gost-ipsec: 192.168.25.182…192.168.25.49 IKEv2, dpddelay=15s

gost-ipsec: local: [192.168.25.182] uses pre-shared key authentication

gost-ipsec: remote: [192.168.25.49] uses pre-shared key authentication

gost-ipsec: child: 192.168.58.0/24 === 192.168.59.0/24 TUNNEL, dpdaction=restart

Shunted Connections:

pass-mcast: 0.0.0.0/0 === 224.0.0.0/4 PASS

Routed Connections:

gost-ipsec{1}: ROUTED, TUNNEL, reqid 1

gost-ipsec{1}: 192.168.58.0/24 === 192.168.59.0/24

Security Associations (1 up, 0 connecting):

gost-ipsec[1]: ESTABLISHED 3 minutes ago, 192.168.25.182[192.168.25.182]…192.168.25.49[192.168.25.49]

gost-ipsec[1]: IKEv2 SPIs: e947e9f4292464b7_i 28fb87626307809a_r*, rekeying in 22 hours, pre-shared key reauthentication in 7 hours

gost-ipsec[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

gost-ipsec{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca249833_i c50c4def_o

gost-ipsec{2}: 3DES_CBC/HMAC_MD5_96, 20076 bytes_i (239 pkts, 1s ago), 20076 bytes_o (239 pkts, 1s ago), rekeying in 21 hours

gost-ipsec{2}: 192.168.58.0/24 === 192.168.59.0/24

ESTABLISHED в выводе означает, что фаза 1 закончилась успешно.

INSTALLED в выводе означает, что фаза 2 закончилась успешно. Присутствуют счетчики пакетов и байт.

Примеры логов службы IPSec и определение проблемы на основе вывода

Для вывода логов можно использовать команду /opt/stasoft/bin/ipsec-log.sh [x] или

ipsec stroke loglevel any 4

swanctl –log

1. Не совпадают proposals для фазы 1

06[NET] received packet: from 192.168.25.49[500] to 192.168.25.182[500] (418 bytes)

disconnecting…

06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V ]

06[IKE] received strongSwan vendor ID

06[IKE] 192.168.25.49 is initiating an IKE_SA

06[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

06[CFG] configured proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768

06[IKE] received proposals unacceptable

06[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

06[NET] sending packet: from 192.168.25.182[500] to 192.168.25.49[500] (36 bytes)

2. Не совпадают парольные фразы

11[NET] received packet: from 192.168.25.49[500] to 192.168.25.182[500] (418 bytes)

11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V ]

11[IKE] received strongSwan vendor ID

11[IKE] 192.168.25.49 is initiating an IKE_SA

11[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

11[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

11[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ]

11[NET] sending packet: from 192.168.25.182[500] to 192.168.25.49[500] (430 bytes)

06[NET] received packet: from 192.168.25.49[500] to 192.168.25.182[500] (268 bytes)

06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

06[CFG] looking for peer configs matching 192.168.25.182[192.168.25.182]…192.168.25.49[192.168.25.49]

06[CFG] selected peer config 'gost-ipsec'

06[IKE] tried 1 shared key for '192.168.25.182' - '192.168.25.49', but MAC mismatched

disconnecting…

06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

06[NET] sending packet: from 192.168.25.182[500] to 192.168.25.49[500] (76 bytes)

3. Не совпадают proposals для фазы 2

15[NET] received packet: from 192.168.25.49[500] to 192.168.25.182[500] (418 bytes)

15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V ]

15[IKE] received strongSwan vendor ID

15[IKE] 192.168.25.49 is initiating an IKE_SA

15[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

15[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

15[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ]

15[NET] sending packet: from 192.168.25.182[500] to 192.168.25.49[500] (430 bytes)

07[NET] received packet: from 192.168.25.49[500] to 192.168.25.182[500] (268 bytes)

07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

07[CFG] looking for peer configs matching 192.168.25.182[192.168.25.182]…192.168.25.49[192.168.25.49]

07[CFG] selected peer config 'gost-ipsec'

07[IKE] authentication of '192.168.25.49' with pre-shared key successful

07[IKE] authentication of '192.168.25.182' (myself) with pre-shared key

07[IKE] destroying duplicate IKE_SA for peer '192.168.25.49', received INITIAL_CONTACT

07[IKE] IKE_SA gost-ipsec[2] established between 192.168.25.182[192.168.25.182]…192.168.25.49[192.168.25.49]

disconnecting…

07[IKE] scheduling rekeying in 80140s

07[IKE] scheduling reauthentication in 25528s

07[IKE] maximum IKE_SA lifetime 34168s

07[CFG] received proposals: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ

07[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ

07[IKE] no acceptable proposal found

07[IKE] failed to establish CHILD_SA, keeping IKE_SA

07[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(NO_PROP) ]

07[NET] sending packet: from 192.168.25.182[500] to 192.168.25.49[500] (124 bytes)

08[IKE] sending DPD request

08[ENC] generating INFORMATIONAL request 0 [ ]

08[NET] sending packet: from 192.168.25.182[500] to 192.168.25.49[500] (76 bytes)

05[NET] received packet: from 192.168.25.49[500] to 192.168.25.182[500] (76 bytes)

05[ENC] parsed INFORMATIONAL response 0 [ ]

4. Все совпадает. Туннель создан

13[NET] received packet: from 192.168.25.49[500] to 192.168.25.182[500] (418 bytes)

13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V ]

13[IKE] received strongSwan vendor ID

13[IKE] 192.168.25.49 is initiating an IKE_SA

13[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

13[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

13[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) V ]

13[NET] sending packet: from 192.168.25.182[500] to 192.168.25.49[500] (430 bytes)

07[NET] received packet: from 192.168.25.49[500] to 192.168.25.182[500] (268 bytes)

07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

07[CFG] looking for peer configs matching 192.168.25.182[192.168.25.182]…192.168.25.49[192.168.25.49]

07[CFG] selected peer config 'gost-ipsec'

07[IKE] authentication of '192.168.25.49' with pre-shared key successful

disconnecting…

07[IKE] authentication of '192.168.25.182' (myself) with pre-shared key

07[IKE] IKE_SA gost-ipsec[1] established between 192.168.25.182[192.168.25.182]…192.168.25.49[192.168.25.49]

07[IKE] scheduling rekeying in 85745s

07[IKE] scheduling reauthentication in 20238s

07[IKE] maximum IKE_SA lifetime 28878s

07[CFG] received proposals: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ

07[CFG] configured proposals: ESP:3DES_CBC/HMAC_MD5_96/MODP_768/NO_EXT_SEQ

07[CFG] selected proposal: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ

07[KNL] using encryption algorithm 3DES_CBC with key size 192

07[KNL] using encryption algorithm des3_ede

07[KNL] using encryption algorithm 3DES_CBC with key size 192

07[KNL] using encryption algorithm des3_ede

07[IKE] CHILD_SA gost-ipsec{2} established with SPIs cea50306_i c1be0866_o and TS 192.168.58.0/24 === 192.168.59.0/24

07[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]

07[NET] sending packet: from 192.168.25.182[500] to 192.168.25.49[500] (204 bytes)

краткое_руководство_по_поиску_проблем_ipsec.txt · Последнее изменение: 2020/10/15 21:08 — doku_netshe_admin