Ubuntu

Ubuntu 18.04 SA 上的 strongSwan 5.6.2 和 xl2tp 1.3.12 已建立但沒有流量

  • October 2, 2018

自從將 strongSwan 和 xl2tpd 更新到適用於 Ubuntu 的最新版本後,我在 L2TP 中遇到了 ESP 和 AH 的問題。

伺服器配置:

Interface for generating traffic

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.219.1 netmask 255.255.255.252 broadcast 192.168.219.3

ppp0 interface created by xl2tpd

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 192.168.231.1 netmask 255.255.255.255 destination 192.168.231.2

客戶端配置:

Interface for generating traffic

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.219.5 netmask 255.255.255.252 broadcast 192.168.219.7

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 192.168.231.2 netmask 255.255.255.255 destination 192.168.231.1

當我開始從客戶端 ping 到伺服器時

$$ 192.168.219.5 -> 192.168.219.1 $$在客戶上,我有 100% 的損失。 來自客戶端的 IPSec ESP 的 tcpdump:

11:53:39.729306 Out ethertype IPv4 (0x0800), length 100: 192.168.231.2 > 192.168.219.1: ICMP echo request, id 8318, seq 27, length 64
11:53:39.735978 In ethertype IPv4 (0x0800), length 100: 192.168.219.1 > 192.168.231.2: ICMP echo reply, id 8318, seq 27, length 64
11:54:07.956148 Out ethertype IPv4 (0x0800), length 938: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:54:07.967355 In ethertype IPv4 (0x0800), length 82: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:54:07.973795 Out ethertype IPv4 (0x0800), length 1130: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:54:07.992232 In ethertype IPv4 (0x0800), length 531: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:54:08.017478 Out ethertype IPv4 (0x0800), length 1296: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:54:08.017518 Out ethertype IPv4 (0x0800), length 1264: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:54:08.042533 In ethertype IPv4 (0x0800), length 1296: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:54:08.042751 In ethertype IPv4 (0x0800), length 992: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:54:08.773279 Out ethertype IPv4 (0x0800), length 168: 192.168.231.2 > 192.168.231.1: ESP(spi=0xca9bd294,seq=0x1), length 132
11:54:09.796992 Out ethertype IPv4 (0x0800), length 168: 192.168.231.2 > 192.168.231.1: ESP(spi=0xca9bd294,seq=0x2), length 132

來自伺服器端的 IPSec ESP 的 tcpdump

11:53:40.661518 In ethertype IPv4 (0x0800), length 100: 192.168.231.2 > 192.168.219.1: ICMP echo request, id 8318, seq 27, length 64
11:53:40.661547 Out ethertype IPv4 (0x0800), length 100: 192.168.219.1 > 192.168.231.2: ICMP echo reply, id 8318, seq 27, length 64
11:54:08.892269 In ethertype IPv4 (0x0800), length 938: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:54:08.893831 Out ethertype IPv4 (0x0800), length 82: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:54:08.907962 In ethertype IPv4 (0x0800), length 1130: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:54:08.918575 Out ethertype IPv4 (0x0800), length 531: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:54:08.952164 In ethertype IPv4 (0x0800), length 1296: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:54:08.952427 In ethertype IPv4 (0x0800), length 1264: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:54:08.968649 Out ethertype IPv4 (0x0800), length 1296: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:54:08.968759 Out ethertype IPv4 (0x0800), length 992: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:54:09.705686 In ethertype IPv4 (0x0800), length 168: 192.168.231.2 > 192.168.231.1: ESP(spi=0xca9bd294,seq=0x1), length 132
11:54:09.705686 In ethertype IPv4 (0x0800), length 100: 8.0.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 56, length 64
11:54:10.729687 In ethertype IPv4 (0x0800), length 168: 192.168.231.2 > 192.168.231.1: ESP(spi=0xca9bd294,seq=0x2), length 132
11:54:10.729687 In ethertype IPv4 (0x0800), length 100: 8.0.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 57, length 64

切換到 IPSec AH:

客戶:

11:56:45.057757 Out ethertype IPv4 (0x0800), length 938: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:56:45.068383 In ethertype IPv4 (0x0800), length 82: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:56:45.075626 Out ethertype IPv4 (0x0800), length 1130: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:56:45.095453 In ethertype IPv4 (0x0800), length 531: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:56:45.117129 Out ethertype IPv4 (0x0800), length 1296: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:56:45.117185 Out ethertype IPv4 (0x0800), length 1264: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:56:45.142557 In ethertype IPv4 (0x0800), length 1296: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:56:45.142567 In ethertype IPv4 (0x0800), length 976: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:56:45.309776 Out ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x1): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 209, length 64 (ipip-proto-4)
11:56:46.340981 Out ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x2): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 210, length 64 (ipip-proto-4)
11:56:47.364966 Out ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x3): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 211, length 64 (ipip-proto-4)

伺服器:

11:56:45.999222 In ethertype IPv4 (0x0800), length 938: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:56:46.000323 Out ethertype IPv4 (0x0800), length 82: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:56:46.016453 In ethertype IPv4 (0x0800), length 1130: 192.168.231.2.500 > 192.168.231.1.500: isakmp: parent_sa ikev2_init[I]
11:56:46.027356 Out ethertype IPv4 (0x0800), length 531: 192.168.231.1.500 > 192.168.231.2.500: isakmp: parent_sa ikev2_init[R]
11:56:46.059588 In ethertype IPv4 (0x0800), length 1296: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:56:46.059840 In ethertype IPv4 (0x0800), length 1264: 192.168.231.2.4500 > 192.168.231.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:56:46.074470 Out ethertype IPv4 (0x0800), length 1296: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:56:46.074522 Out ethertype IPv4 (0x0800), length 976: 192.168.231.1.4500 > 192.168.231.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
11:56:46.249345 In ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x1): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 209, length 64 (ipip-proto-4)
11:56:46.249345 In ethertype IPv4 (0x0800), length 100: 8.0.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 209, length 64
11:56:47.280994 In ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x2): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 210, length 64 (ipip-proto-4)
11:56:47.280994 In ethertype IPv4 (0x0800), length 100: 8.0.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 210, length 64
11:56:48.305921 In ethertype IPv4 (0x0800), length 148: 192.168.231.2 > 192.168.231.1: AH(spi=0xc140b026,seq=0x3): 192.168.219.5 > 192.168.219.1: ICMP echo request, id 8318, seq 211, length 64 (ipip-proto-4)


[lns L2TPserver]
ip range = 192.168.231.2 - 192.168.231.254
local ip = 192.168.231.1
require chap = no
refuse pap = yes
require authentication = no
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
lac = 88.134.0.0 - 88.134.254.254
lac = 100.70.0.0 - 100.70.254.254



[lac L2TPserver]
;lns = 192.168.21.33
lns = 100.80.1.252
redial = yes
redial timeout = 5
local ip = 192.168.231.2
require chap = no
require authentication = no
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.client
require pap = no
autodial = yes
name = cpe
length bit = yes

伺服器上的 IPSec 配置

keyexchange=ikev2
auto=add
left=%any
leftid=192.168.231.1
leftsubnet=192.168.219.0/30
leftcert=vpnHostCert_192.168.231.1.der
leftsendcert=always
right=%any
rightcert=VPNclientESPL2TPCert.der
rightsourceip=192.168.219.5/32
rightsubnet=192.168.219.4/30
mobike=no

客戶端上的 IPSec conf

conn l2tp-ikev2-rw-esp
right=192.168.231.1
rightid=%192.168.231.1
rightsubnet=192.168.219.0/30
rightauth=pubkey
leftsourceip=%config
leftauth=pubkey
leftcert=VPNclientESPL2TPCert.der
leftsubnet=192.168.219.4/30
auto=start

客戶

root@vsrv-bicab-2u:/home/VPN# ip ro get 192.168.219.1
192.168.219.1 via 192.168.231.1 dev ppp0 table 220 src 192.168.219.5 uid 0
cache

伺服器

root@vsrv-bicab-1u:/home/VPN# ip ro get 192.168.219.5
192.168.219.5 via 192.168.231.2 dev ppp0 table 220 src 192.168.219.1 uid 0
cache

問題是 8.0.219.x 在更新之前並非如此。

Ubuntu 18.04 發布的 Linux 核心 4.15 中存在一個已知錯誤,導致 IP 地址以這種方式更改。

它是由5efec5c655dd (“xfrm: Fix eth_hdr(skb)->h_proto to reflect inner IP version”) 引起的,後來被87cdf3148b11 修復(“xfrm: 在覆蓋 eth_hdr(skb)->h_proto 之前驗證 MAC 標頭是否存在”),這是 4.16 核心原始碼的一部分。

此修復程序顯然從未被向後移植到 4.15(它不是linux-4.15.y穩定分支的一部分),並且 Ubuntu 核心包維護者也沒有添加它。您可能想要通知核心開發人員缺少的 backport 到 stable(通過netdev 郵件列表)和/或向 Ubuntu 開發人員送出錯誤

引用自:https://serverfault.com/questions/933601