Estou tentando me conectar ao meu servidor Strongswan VPN, compilado a partir da versão 5.9.14.
Eu o tenho no servidor, e o cliente tenta se conectar, mas o servidor nunca atende a chamada. Eu verifiquei o firewall e ele está configurado para permitir as portas 500 e 4500. Eu também tentei fazer com que ele efetue login com mais detalhes, mas ele não faz isso / ou nenhuma entrada é feita no diário do sistema.
Geralmente, estou perdido e apreciaria qualquer ajuda. Eu tentei com UFW para cima e para baixo - nenhuma mudança.
O servidor é um Ubuntu 24.04.01 LTS.
Comando de compilação:
./configure --prefix=/usr --sysconfdir=/etc --disable-defaults --enable-silent-rules --enable-charon --enable-systemd --enable-ikev2 --enable-vici --enable-swanctl --enable-nonce --enable-random --enable-drbg --enable-openssl --enable-curl --enable-pem --enable-x509 --enable-constraints --enable-revocation --enable-pki --enable-pubkey --enable-socket-default --enable-kernel-netlink --enable-resolve --enable-eap-identity --enable-eap-md5 --enable-eap-dynamic --enable-eap-tls --enable-updown --enable-tss-tss2 --enable-tpm
root@huginn:~/strongswan-5.9.14# service strongswan status
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; preset: enabled)
Active: active (running) since Mon 2024-09-02 21:06:16 EDT; 10min ago
Process: 220846 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
Main PID: 220827 (charon-systemd)
Status: "charon-systemd running, strongSwan 5.9.14, Linux 6.8.0-41-generic, x86_64"
Tasks: 17 (limit: 9445)
Memory: 3.5M (peak: 6.1M)
CPU: 44ms
CGroup: /system.slice/strongswan.service
└─220827 /usr/sbin/charon-systemd
Sep 02 21:06:16 huginn swanctl[220846]: loaded certificate from '/etc/swanctl/x509ca/ca-chain.cert.pem'
Sep 02 21:06:16 huginn swanctl[220846]: loaded private key from '/etc/swanctl/private/vpn.server.org.key.pem'
Sep 02 21:06:16 huginn swanctl[220846]: loaded eap secret 'eap-user'
Sep 02 21:06:16 huginn swanctl[220846]: loaded authority 'Strongswan'
Sep 02 21:06:16 huginn swanctl[220846]: successfully loaded 1 authorities, 0 unloaded
Sep 02 21:06:16 huginn swanctl[220846]: loaded pool 'remote_pool'
Sep 02 21:06:16 huginn swanctl[220846]: successfully loaded 1 pools, 0 unloaded
Sep 02 21:06:16 huginn swanctl[220846]: loaded connection 'roadwarrior'
Sep 02 21:06:16 huginn swanctl[220846]: successfully loaded 1 connections, 0 unloaded
Sep 02 21:06:16 huginn systemd[1]: Started strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
registro.conf
charon-systemd {
journal {
default = 4
ike = 4
knl = 4
# ...
}
}
charon {
# two defined file loggers
filelog {
charon {
# path to the log file, specify this as section name in versions prior to 5.7.0
path = /var/log/charon.log
# add a timestamp prefix
time_format = %b %e %T
# prepend connection name, simplifies grepping
ike_name = yes
# overwrite existing files
append = yes
# increase default loglevel for all daemon subsystems
default = 2
# flush each line to disk
flush_line = yes
}
stderr {
# more detailed loglevel for a specific subsystem, overriding the
# default loglevel.
ike = 2
knl = 3
}
}
# and two loggers using syslog
syslog {
# prefix for each log message
identifier = charon-custom
# use default settings to log to the LOG_DAEMON facility
daemon {
}
# very minimalistic IKE auditing logs to LOG_AUTHPRIV
auth {
default = -1
ike = 0
}
}
# ...
}
conexão.conf
#roadwarrior configuration
authorities {
Strongswan {
cacert = ca-chain.cert.pem
}
}
journal {
default = 4
ike = 4
knl = 4
# ...
}
connections {
roadwarrior {
pools = rw_pool
local {
auth = pubkey
certs = vpn.server.org.cert.pem
id = vpn.server.org
}
remote {
auth = pubkey
}
children {
roadwarrior {
# local_ts = 10.1.0.0/16
# local_ts = 0.0.0.0/0
local_ts = 0.0.0.0/0, ::/0
rekey_time = 0
}
}
}
}
}
log do cliente (ubuntu desktop 24.04)
2024-09-02T19:32:04.323589-06:00 fafnir charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2024-09-02T19:32:04.323634-06:00 fafnir charon-nm: 05[NET] sending packet: from 192.168.30.50[46858] to 167.71.166.210[500] (972 bytes)
2024-09-02T19:32:08.324281-06:00 fafnir charon-nm: 12[IKE] retransmit 1 of request with message ID 0
2024-09-02T19:32:08.324342-06:00 fafnir charon-nm: 12[NET] sending packet: from 192.168.30.50[46858] to <server ip>[500] (972 bytes)
2024-09-02T19:32:15.524583-06:00 fafnir charon-nm: 14[IKE] retransmit 2 of request with message ID 0
2024-09-02T19:32:15.524692-06:00 fafnir charon-nm: 14[NET] sending packet: from 192.168.30.50[46858] to <server ip>[500] (972 bytes)
2024-09-02T19:32:28.485020-06:00 fafnir charon-nm: 09[IKE] retransmit 3 of request with message ID 0
2024-09-02T19:32:28.485079-06:00 fafnir charon-nm: 09[NET] sending packet: from 192.168.30.50[46858] to <server ip>[500] (972 bytes)
2024-09-02T19:32:51.813298-06:00 fafnir charon-nm: 15[IKE] retransmit 4 of request with message ID 0
2024-09-02T19:32:51.813448-06:00 fafnir charon-nm: 15[NET] sending packet: from 192.168.30.50[46858] to <server ip>[500] (972 bytes)
2024-09-02T19:33:04.247159-06:00 fafnir charon-nm[70214]: Connect timer expired, disconnecting.
2024-09-02T19:33:04.247220-06:00 fafnir charon-nm: 08[IKE] destroying IKE_SA in state CONNECTING without notification
2024-09-02T19:33:04.247899-06:00 fafnir charon-nm: 07[KNL] interface nm-xfrm-2751540 deactivated
2024-09-02T19:33:04.248785-06:00 fafnir charon-nm: 13[KNL] fe80::bddd:f33c:78f:5cd9 disappeared from nm-xfrm-2751540
Atualização de 4 de setembro.
Meu cliente está se conectando via Starlink, que eu entendo que teve problemas com IPV4, então eu o reconfigurei para IPv6 com base na configuração do Strongswan Test labs para IPv6 roadwarrior. Então eu executei um TCPDUMP enquanto tentava conectar, o que, do servidor, resultou nisso:
02:42:11.805109 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16406(status))
02:42:15.803606 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16406(status))
02:42:23.008293 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16406(status))
02:42:35.966303 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16406(status))
02:42:59.299393 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431
Não recebo nada no syslog para o IP do cliente ou para conexões IKEV2.
Atualização de 4 de setembro - saída ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1020 1 0 03:03 ? 00:00:00 /usr/sbin/charon-systemd
Então o problema é/era que o Ubuntu 24.04 estava usando o firewall netfilter / nft. Foi criada uma tabela separada inet que se aplica tanto ao IPV4 quanto ao IPv6, mas não foi modificada pelos comandos UFW ou IPTABLES.
Listará as regras com um número de posição.
Aplique as regras abaixo para posicionar a régua pelo menos acima da última régua (queda)
A adição das regras acima à última regra de descarte corrigiu o problema dos pacotes serem descartados, independentemente das regras UFW e IPTABLES para aceitar a porta 500.