|
|
Besucher 1260498
Ansichten 5448
Online 0 |
|
|
site-to-site mit openswan auf openwrt rc6
| |
| Thema |
Verfasser |
Letzte Antwort |
| site-to-site mit openswan auf openwrt rc6 |
thuttere ( ---.liwest.at) |
16 Dec 2009 16:07 | Hallo!
Ich bin kurz davor meine Router (WRT54GL mit OpenWRT RC6) zu sprengen. Seit Tagen versuch ich ein site-to-site VPN aufzubauen. Der Tunnel lässt sich ohne Probleme aufbauen. Pakete von der Gegenseite kommen ebenfalls an. Das Problem sind jene Pakete, die vom lokalen Netzwerk in das Netzwerk der Gegenstelle gehen sollen.
Hier meine Konifguration:
root@OpenWrt:~# cat /etc/ipsec.conf:
version 2.0
config setup
klipsdebug=none
plutodebug=none
nat_traversal=no
conn rup
left=%defaultroute
leftsubnet=192.168.1.0/24
right=62.218.34.132
rightsubnet=10.10.0.0/16
auto=start
authby=secret
aggrmode=no
type=tunnel
pfs=yes
include /etc/ipsec.d/examples/no_oe.conf
root@OpenWrt:~# ip route show
212.241.65.0/24 dev vlan1 proto kernel scope link src 212.241.65.218
212.241.65.0/24 dev ipsec0 proto kernel scope link src 212.241.65.218
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
10.10.0.0/16 dev ipsec0 scope link
default via 212.241.65.1 dev vlan1
root@OpenWrt:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
212.241.65.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan1
212.241.65.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
10.10.0.0 0.0.0.0 255.255.0.0 U 0 0 0 ipsec0
0.0.0.0 212.241.65.1 0.0.0.0 UG 0 0 0 vlan1
[thuttere@Huzi ~]$ ping -c 2 10.10.10.20
PING 10.10.10.20 (10.10.10.20) 56(84) bytes of data.
--- 10.10.10.20 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
Dieser ping wurde von einem Rechner hinter dem Router ausgeführt.
root@OpenWrt:~# tcpdump -n -i br0 host 10.10.10.20
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
01:29:37.349927 IP 192.168.1.2 > 10.10.10.20: ICMP echo request, id 57670, seq 1, length 64
01:29:38.350543 IP 192.168.1.2 > 10.10.10.20: ICMP echo request, id 57670, seq 2, length 64
root@OpenWrt:~# tcpdump -n -i ipsec0 host 10.10.10.20
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 96 bytes
01:31:04.540679 IP 192.168.1.2 > 10.10.10.20: ICMP echo request, id 10824, seq 1, length 64
01:31:05.541911 IP 192.168.1.2 > 10.10.10.20: ICMP echo request, id 10824, seq 2, length 64
root@OpenWrt:~# tcpdump -n -i vlan1 host 62.218.34.132
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan1, link-type EN10MB (Ethernet), capture size 96 bytes
root@OpenWrt:~# ifconfig
br0 Link encap:Ethernet HWaddr 00:14:BF:77:56:77
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6689 errors:0 dropped:0 overruns:0 frame:0
TX packets:4950 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5059274 (4.8 MiB) TX bytes:467121 (456.1 KiB)
eth0 Link encap:Ethernet HWaddr 00:14:BF:77:56:77
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:11068 errors:0 dropped:0 overruns:0 frame:0
TX packets:10918 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5579690 (5.3 MiB) TX bytes:5652476 (5.3 MiB)
Interrupt:5
eth1 Link encap:Ethernet HWaddr 00:14:BF:77:56:79
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:4 Base address:0x1000
ipsec0 Link encap:Ethernet HWaddr 00:14:BF:77:56:78
inet addr:212.241.65.218 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:10 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
vlan0 Link encap:Ethernet HWaddr 00:14:BF:77:56:77
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:6691 errors:0 dropped:0 overruns:0 frame:0
TX packets:4950 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5087436 (4.8 MiB) TX bytes:486921 (475.5 KiB)
vlan1 Link encap:Ethernet HWaddr 00:14:BF:77:56:78
inet addr:212.241.65.218 Bcast:212.241.65.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4336 errors:0 dropped:0 overruns:0 frame:0
TX packets:5965 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:296336 (289.3 KiB) TX bytes:5116232 (4.8 MiB)
Hier ist mir aufgefallen, dass bei der Device ipsec0 der error-count auf 10 steht. Dieser erhöht sich mit jedem ping um 1.
root@OpenWrt:~# ipsec look
/usr/libexec/ipsec/look: 42: hostname: not found
Thu Feb 15 01:36:10 CET 2007
192.168.1.0/24 -> 10.10.0.0/16 => tun0x1002@62.218.34.132 esp0xd5058470@62.218.34.132 (10)
/usr/libexec/ipsec/look: 73: paste: not found
esp0xd3c9642f@212.241.65.218 ESP_3DES_HMAC_SHA1: dir=in src=62.218.34.132 iv_bits=64bits iv=0x56512fcc23c2cba1 ooowin=64 alen=160 aklen=160 eklen=192 life(c,s,h)=addtime(476,0,0) natencap=none natsport=0 natdport=0 refcount=4 ref=9
esp0xd5058470@62.218.34.132 ESP_3DES_HMAC_SHA1: dir=out src=212.241.65.218 iv_bits=64bits iv=0x9f6a49f8149e7a1d ooowin=64 seq=10 alen=160 aklen=160 eklen=192 life(c,s,h)=bytes(1360,0,0)addtime(476,0,0)usetime(424,0,0)packets(10,0,0) idle=305 natencap=none natsport=0 natdport=0 refcount=4 ref=14
tun0x1001@212.241.65.218 IPIP: dir=in src=62.218.34.132 policy=10.10.0.0/16->192.168.1.0/24 flags=0x8<> life(c,s,h)=addtime(476,0,0) natencap=none natsport=0 natdport=0 refcount=4 ref=8
tun0x1002@62.218.34.132 IPIP: dir=out src=212.241.65.218 life(c,s,h)=bytes(1040,0,0)addtime(476,0,0)usetime(424,0,0)packets(10,0,0) idle=305 natencap=none natsport=0 natdport=0 refcount=14 ref=13
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 212.241.65.1 0.0.0.0 UG 0 0 0 vlan1
10.10.0.0 0.0.0.0 255.255.0.0 U 0 0 0 ipsec0
212.241.65.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
212.241.65.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan1
root@OpenWrt:~# ipsec auto --status
000 interface ipsec0/vlan1 212.241.65.218
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "rup": 192.168.1.0/24===212.241.65.218...62.218.34.132===10.10.0.0/16; erouted; eroute owner: #2
000 "rup": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "rup": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "rup": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,16; interface: vlan1;
000 "rup": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "rup": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000
000 #2: "rup":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27661s; newest IPSEC; eroute owner
000 #2: "rup" used 279s ago; esp.d5058470@62.218.34.132 esp.d3c9642f@212.241.65.218 tun.1002@62.218.34.132 tun.1001@212.241.65.218
000 #1: "rup":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2160s; newest ISAKMP; nodpd
000
root@OpenWrt:~# uname -a
Linux OpenWrt 2.4.30 #1 Mon Nov 6 17:35:21 PST 2006 mips unknown
Bitte um Hilfe,
Thomas
|
| ||
| RE: site-to-site mit openswan auf openwrt rc6 | Ralf ( ---.versanet.de) | 19 Feb 2007 21:42 |
Hallo,
da scheint was mit dem Tunnel oder den Kernel-Modulen nicht zu stimmen. Prüf mal die Version mit ipsec --version. Passen die verschiedenen zusätzlichen Kernel-Pakete zu Deinem originalen Kernel?
Gruß,
Ralf | | RE: RE: site-to-site mit openswan auf openwrt rc6 | thuttere ( ---.liwest.at) | 22 Feb 2007 18:52 |
Hallo!
Hier ein paar Daten des installierten Systems:
OpenWRT
WHITE RUSSIAN (RC6)
root@OpenWrt:/lib/modules/2.4.30# ipsec --version
Linux Openswan 2.4.6 (klips)
See `ipsec --copyright' for copyright information.
root@OpenWrt:/lib/modules/2.4.30# uname -a
Linux OpenWrt 2.4.30 #1 Mon Nov 6 17:35:21 PST 2006 mips unknown
root@OpenWrt:/lib/modules/2.4.30# lsmod
Module Size Used by Tainted: P
ipsec 349168 2
wlcompat 15520 0 (unused)
wl 423640 0 (unused)
switch-robo 4460 0 (unused)
switch-core 4896 0 [switch-robo]
diag 18176 0 (unused)
root@OpenWrt:/lib/modules/2.4.30# ipkg list_installed
base-files - 8 -
base-files-brcm - 2 - Board/architecture specific files
bridge - 1.0.6-1 - Ethernet bridging tools
busybox - 1.00-4 -
dnsmasq - 2.33-1 -
dropbear - 0.48.1-1 - a small SSH 2 server/client designed for small memory environments.
haserl - 0.8.0-1 - a CGI wrapper to embed shell scripts in HTML documents
ip - 2.6.11-050330-1 - iproute2 routing control utility
ipkg - 0.99.149-2 - lightweight package management system
iptables - 1.3.3-2 - The netfilter firewalling software for IPv4
iwlib - 28.pre7-1 - Library for setting up WiFi cards using the Wireless Extension
kernel - 2.4.30-brcm-4 -
kmod-brcm-wl - 2.4.30-brcm-4 -
kmod-diag - 2.4.30-brcm-5 - Kernel modules for LEDs and buttons
kmod-openswan - 2.4.30brcm+2.4.6-2 - Openswan IPSec kernel module
kmod-switch - 2.4.30-brcm-1 - switch driver for robo/admtek switch
kmod-wlcompat - 2.4.30-brcm-4 - Compatibility module for using the Wireless Extension with broadcom's wl
libgmp - 4.1.4-1 - GNU multiprecision arithmetic library
libpcap - 0.9.4-1 - a low-level packet capture library
mtd - 4 - Tool for modifying the flash chip
ntpclient - 2003_194-2 - NTP client for setting system time from NTP servers.
nvram - 1 - NVRAM utility and libraries for Broadcom hardware
openswan - 2.4.6-1 - Openswan IPSec software
tcpdump - 3.9.4-1 - A tool for network monitoring and data acquisition.
uclibc - 0.9.27-8 -
webif - 0.3-6 - An HTTP administrative console for OpenWrt.
wificonf - 6 - Replacement utility for wlconf
wireless-tools - 28.pre7-1 - Tools for setting up WiFi cards using the Wireless Extension
Successfully terminated.
Die installierte Software sollte eigentlich schon zusammenpassen, da ich alle Paket der Distribution genommen habe.
lg,
Thomas
| | RE: RE: RE: site-to-site mit openswan auf openwrt rc6 | chrisidc ( ---.162.66.68) | 16 Dec 2009 16:07 |
Hi,
konntest du das Problem fixen?
Ich habe ähnliche wenn nicht sogar gleiche Probleme zwischen 2 Openwrt (RC6) - siehe http://www.spenneberg.com/7795.html
Falls du das Problem fixen konntest (z.B. andere Version von Openwrt oder ähnliches) wäre ich dir über eine kurze Info sehr dankbar.
lg
Christoph
|
[ Zurück ] Um ein neues Thema hinzu zu fügen müssen sie eingeloggt sein.
|
|
|
|
Welche Distribution verwenden Sie?
| |
|
|
|
17 Oct 2008: