Openswan ipsec tool: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
Thomas (Diskussion | Beiträge) |
Thomas (Diskussion | Beiträge) |
||
| (14 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
=start= | =start= | ||
| − | ipsec setup --start | + | *ipsec setup --start |
| + | ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-25-generic... | ||
=stop= | =stop= | ||
| − | ipsec setup --stop | + | *ipsec setup --stop |
| + | ipsec_setup: Stopping Openswan IPsec... | ||
=restart= | =restart= | ||
| − | ipsec setup --restart | + | *ipsec setup --restart |
| + | ipsec_setup: Stopping Openswan IPsec... | ||
| + | ipsec_setup: stop ordered, but IPsec appears to be already stopped! | ||
| + | ipsec_setup: doing cleanup anyway... | ||
| + | ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-25-generic... | ||
=status= | =status= | ||
| − | ipsec setup --status | + | *ipsec setup --status |
| + | IPsec running - pluto pid: 9515 | ||
| + | pluto pid 9515 | ||
| + | No tunnels up | ||
| + | =Anzeige der verfügbaren Verbindungen= | ||
| + | *grep conn /etc/ipsec.conf | ||
| + | conn toc-ras | ||
| + | |||
=conn add= | =conn add= | ||
| − | ipsec auto --add | + | *ipsec auto --add toc-ras |
| + | |||
=conn up= | =conn up= | ||
| − | ipsec auto --up < | + | *ipsec auto --up toc-ras |
| + | <pre> | ||
| + | 104 "toc-ras" #5: STATE_MAIN_I1: initiate | ||
| + | 003 "toc-ras" #5: received Vendor ID payload [Openswan (this version) 2.6.38 ] | ||
| + | 003 "toc-ras" #5: received Vendor ID payload [Dead Peer Detection] | ||
| + | 106 "toc-ras" #5: STATE_MAIN_I2: sent MI2, expecting MR2 | ||
| + | 108 "toc-ras" #5: STATE_MAIN_I3: sent MI3, expecting MR3 | ||
| + | 003 "toc-ras" #5: received Vendor ID payload [CAN-IKEv2] | ||
| + | 004 "toc-ras" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp1536} | ||
| + | 117 "toc-ras" #6: STATE_QUICK_I1: initiate | ||
| + | 004 "toc-ras" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5b54fafa <0xd99615e0 xfrm=AES_256-HMAC_MD5 NATOA=none NATD=none DPD=none} | ||
| + | </pre> | ||
| + | |||
=conn delete= | =conn delete= | ||
| − | ipsec auto --delete | + | *ipsec auto --delete toc-ras |
| + | |||
=conn down= | =conn down= | ||
| − | ipsec auto --down | + | *ipsec auto --down toc-ras |
| + | |||
=reread secrets= | =reread secrets= | ||
| − | ipsec auto --rereadsecrets | + | *ipsec auto --rereadsecrets |
| − | |||
| − | |||
| − | |||
| − | |||
=status of all connections= | =status of all connections= | ||
| − | ipsec auto --status | + | *ipsec auto --status |
| + | =status of one connection= | ||
| + | *ipsec auto --status | grep toc-ras | ||
| + | <pre> | ||
| + | 000 "toc-ras": 192.168.122.0/24===192.168.252.5<192.168.252.5>...192.168.241.13<192.168.241.13>===192.168.56.0/24; erouted; eroute owner: #16 | ||
| + | 000 "toc-ras": myip=unset; hisip=unset; | ||
| + | 000 "toc-ras": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 | ||
| + | 000 "toc-ras": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0; | ||
| + | 000 "toc-ras": newest ISAKMP SA: #15; newest IPsec SA: #16; | ||
| + | 000 "toc-ras": IKE algorithms wanted: AES_CBC(7)_256-MD5(1)_000-MODP1536(5); flags=-strict | ||
| + | 000 "toc-ras": IKE algorithms found: AES_CBC(7)_256-MD5(1)_128-MODP1536(5) | ||
| + | 000 "toc-ras": IKE algorithm newest: AES_CBC_256-MD5-MODP1536 | ||
| + | 000 "toc-ras": ESP algorithms wanted: AES(12)_256-MD5(1)_000; pfsgroup=MODP1536(5); flags=-strict | ||
| + | 000 "toc-ras": ESP algorithms loaded: AES(12)_256-MD5(1)_128 | ||
| + | 000 "toc-ras": ESP algorithm newest: AES_256-HMAC_MD5; pfsgroup=MODP1536 | ||
| + | 000 #16: "toc-ras":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28404s; newest IPSEC; eroute owner; isakmp#15; idle; import:not set | ||
| + | 000 #16: "toc-ras" esp.26aaf00e@192.168.241.13 esp.71b98466@192.168.252.5 tun.0@192.168.241.13 tun.0@192.168.252.5 ref=0 refhim=4294901761 | ||
| + | 000 #15: "toc-ras":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3204s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set | ||
| + | </pre> | ||
=have a look to the established connections= | =have a look to the established connections= | ||
| − | ipsec look | + | *ipsec look |
| + | <pre> | ||
| + | toc Thu Feb 11 14:40:39 CET 2016 | ||
| + | XFRM state: | ||
| + | src 192.168.241.13 dst 192.168.252.5 | ||
| + | proto esp spi 0x71b98466 reqid 16401 mode tunnel | ||
| + | replay-window 32 flag af-unspec | ||
| + | auth-trunc hmac(md5) 0x9def4a65b3bee66c4de357f5cca24cb0 96 | ||
| + | enc cbc(aes) 0xd819c9243025df09b41333a01f7341e906615f638673af60851f3a2f297f9ba7 | ||
| + | src 192.168.252.5 dst 192.168.241.13 | ||
| + | proto esp spi 0x26aaf00e reqid 16401 mode tunnel | ||
| + | replay-window 32 flag af-unspec | ||
| + | auth-trunc hmac(md5) 0x6f013010f2b134369a09a783ca6e37b7 96 | ||
| + | enc cbc(aes) 0x58e68b8534684d83b905603ce174bfb4c387023b6f6e46e319eb8465729ab7f8 | ||
| + | XFRM policy: | ||
| + | src 192.168.122.0/24 dst 192.168.56.0/24 | ||
| + | dir out priority 2344 | ||
| + | tmpl src 192.168.252.5 dst 192.168.241.13 | ||
| + | proto esp reqid 16401 mode tunnel | ||
| + | src 192.168.56.0/24 dst 192.168.122.0/24 | ||
| + | dir fwd priority 2344 | ||
| + | tmpl src 192.168.241.13 dst 192.168.252.5 | ||
| + | proto esp reqid 16401 mode tunnel | ||
| + | src 192.168.56.0/24 dst 192.168.122.0/24 | ||
| + | dir in priority 2344 | ||
| + | tmpl src 192.168.241.13 dst 192.168.252.5 | ||
| + | proto esp reqid 16401 mode tunnel | ||
| + | src ::/0 dst ::/0 | ||
| + | socket out priority 0 | ||
| + | src ::/0 dst ::/0 | ||
| + | socket in priority 0 | ||
| + | src ::/0 dst ::/0 | ||
| + | socket out priority 0 | ||
| + | src ::/0 dst ::/0 | ||
| + | socket in priority 0 | ||
| + | src 0.0.0.0/0 dst 0.0.0.0/0 | ||
| + | socket out priority 0 | ||
| + | src 0.0.0.0/0 dst 0.0.0.0/0 | ||
| + | socket in priority 0 | ||
| + | src 0.0.0.0/0 dst 0.0.0.0/0 | ||
| + | socket out priority 0 | ||
| + | src 0.0.0.0/0 dst 0.0.0.0/0 | ||
| + | socket in priority 0 | ||
| + | src 0.0.0.0/0 dst 0.0.0.0/0 | ||
| + | socket out priority 0 | ||
| + | src 0.0.0.0/0 dst 0.0.0.0/0 | ||
| + | socket in priority 0 | ||
| + | XFRM done | ||
| + | IPSEC mangle TABLES | ||
| + | iptables: No chain/target/match by that name. | ||
| + | ip6tables: No chain/target/match by that name. | ||
| + | NEW_IPSEC_CONN mangle TABLES | ||
| + | iptables: No chain/target/match by that name. | ||
| + | ip6tables: No chain/target/match by that name. | ||
| + | ROUTING TABLES | ||
| + | default via 192.168.252.1 dev eth0 | ||
| + | 192.168.252.0/24 dev eth0 proto kernel scope link src 192.168.252.5 | ||
| + | 2003:a:32a:1720::/64 dev eth0 proto kernel metric 256 expires 86072sec mtu 1280 | ||
| + | fe80::/64 dev eth0 proto kernel metric 256 mtu 1280 | ||
| + | default via fe80::20c:29ff:fe07:d4c5 dev eth0 proto ra metric 1024 expires 1472sec hoplimit 64 | ||
| + | </pre> | ||
| + | |||
=showdefaults ip, nexthop, interface= | =showdefaults ip, nexthop, interface= | ||
| − | ipsec showdefaults | + | *ipsec showdefaults |
| + | routephys=eth0 | ||
| + | routevirt=none | ||
| + | routeaddr=192.168.252.5 | ||
| + | routenexthop=192.168.252.1 | ||
| + | |||
=collect debugging infos= | =collect debugging infos= | ||
| − | ipsec barf --short | + | *ipsec barf --short |
| + | =Verifzierung= | ||
| + | *ipsec verify | ||
| + | <pre> | ||
| + | Checking your system to see if IPsec got installed and started correctly: | ||
| + | Version check and ipsec on-path [OK] | ||
| + | Linux Openswan U2.6.38/K3.19.0-25-generic (netkey) | ||
| + | Checking for IPsec support in kernel [OK] | ||
| + | SAref kernel support [N/A] | ||
| + | NETKEY: Testing XFRM related proc values [FAILED] | ||
| + | |||
| + | Please disable /proc/sys/net/ipv4/conf/*/send_redirects | ||
| + | or NETKEY will cause the sending of bogus ICMP redirects! | ||
| + | |||
| + | [FAILED] | ||
| + | |||
| + | Please disable /proc/sys/net/ipv4/conf/*/accept_redirects | ||
| + | or NETKEY will accept bogus ICMP redirects! | ||
| + | |||
| + | [OK] | ||
| + | Checking that pluto is running [OK] | ||
| + | Pluto listening for IKE on udp 500 [OK] | ||
| + | Pluto listening for NAT-T on udp 4500 [FAILED] | ||
| + | Two or more interfaces found, checking IP forwarding [FAILED] | ||
| + | Checking NAT and MASQUERADEing [OK] | ||
| + | Checking for 'ip' command [OK] | ||
| + | Checking /bin/sh is not /bin/dash [WARNING] | ||
| + | Checking for 'iptables' command [OK] | ||
| + | Opportunistic Encryption Support [DISABLED] | ||
| + | </pre> | ||
| + | |||
| + | =Nützlicher Logbefehl= | ||
| + | *tail -f /var/log/auth.log | grep toc-ras | ||
| + | <pre> | ||
| + | Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: STATE_MAIN_I3: sent MI3, expecting MR3 | ||
| + | Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: received Vendor ID payload [CAN-IKEv2] | ||
| + | Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.241.13' | ||
| + | Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 | ||
| + | Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp1536} | ||
| + | Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:96ff6c59 proposal=AES(12)_256-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536} | ||
| + | Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2 | ||
| + | Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xde3cbbbf <0xd253bca2 xfrm=AES_256-HMAC_MD5 NATOA=none NATD=none DPD=none} | ||
| + | Feb 11 14:51:32 toc pluto[11337]: "toc-ras" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x26aaf00e) not found (maybe expired) | ||
| + | Feb 11 14:51:32 toc pluto[11337]: "toc-ras" #1: received and ignored informational message | ||
| + | </pre> | ||
| + | =list ca certs= | ||
| + | *ipsec auto --listcacerts | ||
| + | |||
| + | =list certs= | ||
| + | ipsec auto --listcerts | ||
Aktuelle Version vom 11. Februar 2016, 14:00 Uhr
start
- ipsec setup --start
ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-25-generic...
stop
- ipsec setup --stop
ipsec_setup: Stopping Openswan IPsec...
restart
- ipsec setup --restart
ipsec_setup: Stopping Openswan IPsec... ipsec_setup: stop ordered, but IPsec appears to be already stopped! ipsec_setup: doing cleanup anyway... ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-25-generic...
status
- ipsec setup --status
IPsec running - pluto pid: 9515 pluto pid 9515 No tunnels up
Anzeige der verfügbaren Verbindungen
- grep conn /etc/ipsec.conf
conn toc-ras
conn add
- ipsec auto --add toc-ras
conn up
- ipsec auto --up toc-ras
104 "toc-ras" #5: STATE_MAIN_I1: initiate
003 "toc-ras" #5: received Vendor ID payload [Openswan (this version) 2.6.38 ]
003 "toc-ras" #5: received Vendor ID payload [Dead Peer Detection]
106 "toc-ras" #5: STATE_MAIN_I2: sent MI2, expecting MR2
108 "toc-ras" #5: STATE_MAIN_I3: sent MI3, expecting MR3
003 "toc-ras" #5: received Vendor ID payload [CAN-IKEv2]
004 "toc-ras" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp1536}
117 "toc-ras" #6: STATE_QUICK_I1: initiate
004 "toc-ras" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5b54fafa <0xd99615e0 xfrm=AES_256-HMAC_MD5 NATOA=none NATD=none DPD=none}
conn delete
- ipsec auto --delete toc-ras
conn down
- ipsec auto --down toc-ras
reread secrets
- ipsec auto --rereadsecrets
status of all connections
- ipsec auto --status
status of one connection
- ipsec auto --status | grep toc-ras
000 "toc-ras": 192.168.122.0/24===192.168.252.5<192.168.252.5>...192.168.241.13<192.168.241.13>===192.168.56.0/24; erouted; eroute owner: #16 000 "toc-ras": myip=unset; hisip=unset; 000 "toc-ras": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "toc-ras": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0; 000 "toc-ras": newest ISAKMP SA: #15; newest IPsec SA: #16; 000 "toc-ras": IKE algorithms wanted: AES_CBC(7)_256-MD5(1)_000-MODP1536(5); flags=-strict 000 "toc-ras": IKE algorithms found: AES_CBC(7)_256-MD5(1)_128-MODP1536(5) 000 "toc-ras": IKE algorithm newest: AES_CBC_256-MD5-MODP1536 000 "toc-ras": ESP algorithms wanted: AES(12)_256-MD5(1)_000; pfsgroup=MODP1536(5); flags=-strict 000 "toc-ras": ESP algorithms loaded: AES(12)_256-MD5(1)_128 000 "toc-ras": ESP algorithm newest: AES_256-HMAC_MD5; pfsgroup=MODP1536 000 #16: "toc-ras":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28404s; newest IPSEC; eroute owner; isakmp#15; idle; import:not set 000 #16: "toc-ras" esp.26aaf00e@192.168.241.13 esp.71b98466@192.168.252.5 tun.0@192.168.241.13 tun.0@192.168.252.5 ref=0 refhim=4294901761 000 #15: "toc-ras":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3204s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
have a look to the established connections
- ipsec look
toc Thu Feb 11 14:40:39 CET 2016 XFRM state: src 192.168.241.13 dst 192.168.252.5 proto esp spi 0x71b98466 reqid 16401 mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(md5) 0x9def4a65b3bee66c4de357f5cca24cb0 96 enc cbc(aes) 0xd819c9243025df09b41333a01f7341e906615f638673af60851f3a2f297f9ba7 src 192.168.252.5 dst 192.168.241.13 proto esp spi 0x26aaf00e reqid 16401 mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(md5) 0x6f013010f2b134369a09a783ca6e37b7 96 enc cbc(aes) 0x58e68b8534684d83b905603ce174bfb4c387023b6f6e46e319eb8465729ab7f8 XFRM policy: src 192.168.122.0/24 dst 192.168.56.0/24 dir out priority 2344 tmpl src 192.168.252.5 dst 192.168.241.13 proto esp reqid 16401 mode tunnel src 192.168.56.0/24 dst 192.168.122.0/24 dir fwd priority 2344 tmpl src 192.168.241.13 dst 192.168.252.5 proto esp reqid 16401 mode tunnel src 192.168.56.0/24 dst 192.168.122.0/24 dir in priority 2344 tmpl src 192.168.241.13 dst 192.168.252.5 proto esp reqid 16401 mode tunnel src ::/0 dst ::/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src ::/0 dst ::/0 socket out priority 0 src ::/0 dst ::/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 XFRM done IPSEC mangle TABLES iptables: No chain/target/match by that name. ip6tables: No chain/target/match by that name. NEW_IPSEC_CONN mangle TABLES iptables: No chain/target/match by that name. ip6tables: No chain/target/match by that name. ROUTING TABLES default via 192.168.252.1 dev eth0 192.168.252.0/24 dev eth0 proto kernel scope link src 192.168.252.5 2003:a:32a:1720::/64 dev eth0 proto kernel metric 256 expires 86072sec mtu 1280 fe80::/64 dev eth0 proto kernel metric 256 mtu 1280 default via fe80::20c:29ff:fe07:d4c5 dev eth0 proto ra metric 1024 expires 1472sec hoplimit 64
showdefaults ip, nexthop, interface
- ipsec showdefaults
routephys=eth0 routevirt=none routeaddr=192.168.252.5 routenexthop=192.168.252.1
collect debugging infos
- ipsec barf --short
Verifzierung
- ipsec verify
Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.6.38/K3.19.0-25-generic (netkey) Checking for IPsec support in kernel [OK] SAref kernel support [N/A] NETKEY: Testing XFRM related proc values [FAILED] Please disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause the sending of bogus ICMP redirects! [FAILED] Please disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will accept bogus ICMP redirects! [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for NAT-T on udp 4500 [FAILED] Two or more interfaces found, checking IP forwarding [FAILED] Checking NAT and MASQUERADEing [OK] Checking for 'ip' command [OK] Checking /bin/sh is not /bin/dash [WARNING] Checking for 'iptables' command [OK] Opportunistic Encryption Support [DISABLED]
Nützlicher Logbefehl
- tail -f /var/log/auth.log | grep toc-ras
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: received Vendor ID payload [CAN-IKEv2]
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.241.13'
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp1536}
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:96ff6c59 proposal=AES(12)_256-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 11 14:51:15 toc pluto[11337]: "toc-ras" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xde3cbbbf <0xd253bca2 xfrm=AES_256-HMAC_MD5 NATOA=none NATD=none DPD=none}
Feb 11 14:51:32 toc pluto[11337]: "toc-ras" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x26aaf00e) not found (maybe expired)
Feb 11 14:51:32 toc pluto[11337]: "toc-ras" #1: received and ignored informational message
list ca certs
- ipsec auto --listcacerts
list certs
ipsec auto --listcerts