Ubuntu
Ubuntu 18.04 SA 上的 strongSwan 5.6.2 和 xl2tp 1.3.12 已建立但沒有流量
自從將 strongSwan 和 xl2tpd 更新到適用於 Ubuntu 的最新版本後,我在 L2TP 中遇到了 ESP 和 AH 的問題。
伺服器配置:
Interface for generating traffic ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.219.1 netmask 255.255.255.252 broadcast 192.168.219.3 ppp0 interface created by xl2tpd ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 inet 192.168.231.1 netmask 255.255.255.255 destination 192.168.231.2
客戶端配置:
Interface for generating traffic ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.219.5 netmask 255.255.255.252 broadcast 192.168.219.7 ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 inet 192.168.231.2 netmask 255.255.255.255 destination 192.168.231.1
當我開始從客戶端 ping 到伺服器時
$$ 192.168.219.5 -> 192.168.219.1 $$在客戶上,我有 100% 的損失。 來自客戶端的 IPSec ESP 的 tcpdump:
11:53:39.729306 Out ethertype IPv4 (0x0800), length 100: 192.168.231.2 > 192.168.219.1: ICMP echo request, id 8318, seq 27, length 64 11:53:39.735978 In ethertype IPv4 (0x0800), length 100: 192.168.219.1 > 192.168.231.2: ICMP echo reply, id 8318, seq 27, length 64 11:54:07.956148 Out ethertype IPv4 (0x0800), length 938: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I] 11:54:07.967355 In ethertype IPv4 (0x0800), length 82: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R] 11:54:07.973795 Out ethertype IPv4 (0x0800), length 1130: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I] 11:54:07.992232 In ethertype IPv4 (0x0800), length 531: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R] 11:54:08.017478 Out ethertype IPv4 (0x0800), length 1296: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I] 11:54:08.017518 Out ethertype IPv4 (0x0800), length 1264: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I] 11:54:08.042533 In ethertype IPv4 (0x0800), length 1296: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R] 11:54:08.042751 In ethertype IPv4 (0x0800), length 992: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R] 11:54:08.773279 Out ethertype IPv4 (0x0800), length 168: 192.168.231.2 > 192.168.231.1: ESP(spi=0xca9bd294,seq=0x1), length 132 11:54:09.796992 Out ethertype IPv4 (0x0800), length 168: 192.168.231.2 > 192.168.231.1: ESP(spi=0xca9bd294,seq=0x2), length 132
來自伺服器端的 IPSec ESP 的 tcpdump
11:53:40.661518 In ethertype IPv4 (0x0800), length 100: 192.168.231.2 > 192.168.219.1: ICMP echo request, id 8318, seq 27, length 64 11:53:40.661547 Out ethertype IPv4 (0x0800), length 100: 192.168.219.1 > 192.168.231.2: ICMP echo reply, id 8318, seq 27, length 64 11:54:08.892269 In ethertype IPv4 (0x0800), length 938: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I] 11:54:08.893831 Out ethertype IPv4 (0x0800), length 82: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R] 11:54:08.907962 In ethertype IPv4 (0x0800), length 1130: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I] 11:54:08.918575 Out ethertype IPv4 (0x0800), length 531: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R] 11:54:08.952164 In ethertype IPv4 (0x0800), length 1296: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I] 11:54:08.952427 In ethertype IPv4 (0x0800), length 1264: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I] 11:54:08.968649 Out ethertype IPv4 (0x0800), length 1296: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R] 11:54:08.968759 Out ethertype IPv4 (0x0800), length 992: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R] 11:54:09.705686 In ethertype IPv4 (0x0800), length 168: 192.168.231.2 > 192.168.231.1: ESP(spi=0xca9bd294,seq=0x1), length 132 11:54:09.705686 In ethertype IPv4 (0x0800), length 100: 8.0.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 56, length 64 11:54:10.729687 In ethertype IPv4 (0x0800), length 168: 192.168.231.2 > 192.168.231.1: ESP(spi=0xca9bd294,seq=0x2), length 132 11:54:10.729687 In ethertype IPv4 (0x0800), length 100: 8.0.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 57, length 64
切換到 IPSec AH:
客戶:
11:56:45.057757 Out ethertype IPv4 (0x0800), length 938: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I] 11:56:45.068383 In ethertype IPv4 (0x0800), length 82: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R] 11:56:45.075626 Out ethertype IPv4 (0x0800), length 1130: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I] 11:56:45.095453 In ethertype IPv4 (0x0800), length 531: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R] 11:56:45.117129 Out ethertype IPv4 (0x0800), length 1296: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I] 11:56:45.117185 Out ethertype IPv4 (0x0800), length 1264: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I] 11:56:45.142557 In ethertype IPv4 (0x0800), length 1296: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R] 11:56:45.142567 In ethertype IPv4 (0x0800), length 976: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R] 11:56:45.309776 Out ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x1): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 209, length 64 (ipip-proto-4) 11:56:46.340981 Out ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x2): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 210, length 64 (ipip-proto-4) 11:56:47.364966 Out ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x3): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 211, length 64 (ipip-proto-4)
伺服器:
11:56:45.999222 In ethertype IPv4 (0x0800), length 938: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I] 11:56:46.000323 Out ethertype IPv4 (0x0800), length 82: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R] 11:56:46.016453 In ethertype IPv4 (0x0800), length 1130: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I] 11:56:46.027356 Out ethertype IPv4 (0x0800), length 531: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R] 11:56:46.059588 In ethertype IPv4 (0x0800), length 1296: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I] 11:56:46.059840 In ethertype IPv4 (0x0800), length 1264: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I] 11:56:46.074470 Out ethertype IPv4 (0x0800), length 1296: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R] 11:56:46.074522 Out ethertype IPv4 (0x0800), length 976: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R] 11:56:46.249345 In ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x1): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 209, length 64 (ipip-proto-4) 11:56:46.249345 In ethertype IPv4 (0x0800), length 100: 8.0.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 209, length 64 11:56:47.280994 In ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x2): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 210, length 64 (ipip-proto-4) 11:56:47.280994 In ethertype IPv4 (0x0800), length 100: 8.0.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 210, length 64 11:56:48.305921 In ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x3): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 211, length 64 (ipip-proto-4) [lns L2TPserver] ip range = 192.168.231.2 - 192.168.231.254 local ip = 192.168.231.1 require chap = no refuse pap = yes require authentication = no ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd length bit = yes lac = 88.134.0.0 - 88.134.254.254 lac = 100.70.0.0 - 100.70.254.254 [lac L2TPserver] ;lns = 192.168.21.33 lns = 100.80.1.252 redial = yes redial timeout = 5 local ip = 192.168.231.2 require chap = no require authentication = no ppp debug = yes pppoptfile = /etc/ppp/options.xl2tpd.client require pap = no autodial = yes name = cpe length bit = yes
伺服器上的 IPSec 配置
keyexchange=ikev2 auto=add left=%any leftid=192.168.231.1 leftsubnet=192.168.219.0/30 leftcert=vpnHostCert_192.168.231.1.der leftsendcert=always right=%any rightcert=VPNclientESPL2TPCert.der rightsourceip=192.168.219.5/32 rightsubnet=192.168.219.4/30 mobike=no
客戶端上的 IPSec conf
conn l2tp-ikev2-rw-esp right=192.168.231.1 rightid=%192.168.231.1 rightsubnet=192.168.219.0/30 rightauth=pubkey leftsourceip=%config leftauth=pubkey leftcert=VPNclientESPL2TPCert.der leftsubnet=192.168.219.4/30 auto=start
客戶
root@vsrv-bicab-2u:/home/VPN# ip ro get 192.168.219.1 192.168.219.1 via 192.168.231.1 dev ppp0 table 220 src 192.168.219.5 uid 0 cache
伺服器
root@vsrv-bicab-1u:/home/VPN# ip ro get 192.168.219.5 192.168.219.5 via 192.168.231.2 dev ppp0 table 220 src 192.168.219.1 uid 0 cache
問題是 8.0.219.x 在更新之前並非如此。
Ubuntu 18.04 發布的 Linux 核心 4.15 中存在一個已知錯誤,導致 IP 地址以這種方式更改。
它是由5efec5c655dd (“xfrm: Fix eth_hdr(skb)->h_proto to reflect inner IP version”) 引起的,後來被87cdf3148b11 修復(“xfrm: 在覆蓋 eth_hdr(skb)->h_proto 之前驗證 MAC 標頭是否存在”),這是 4.16 核心原始碼的一部分。
此修復程序顯然從未被向後移植到 4.15(它不是linux-4.15.y穩定分支的一部分),並且 Ubuntu 核心包維護者也沒有添加它。您可能想要通知核心開發人員缺少的 backport 到 stable(通過netdev 郵件列表)和/或向 Ubuntu 開發人員送出錯誤。