[Fli4l_dev] StrongSwan and the routing
Marc-Oliver Lange
mol1 at gmx.de
Sun Feb 25 13:36:19 CET 2018
So, I've got a little further... but still no breakthrough :|
Here is some background information:
my network: 192.168.144.0/24
remote network: 192.168.178.0/24
>> iptables -L | grep 178
ACCEPT all -- 192.168.178.0/24 192.168.144.0/24 policy
match dir in pol ipsec reqid 1 proto esp
ACCEPT all -- 192.168.178.0/24 192.168.144.0/24 policy
match dir in pol ipsec reqid 1 proto esp
ACCEPT all -- 192.168.144.0/24 192.168.178.0/24 policy
match dir out pol ipsec reqid 1 proto esp
ACCEPT all -- 192.168.144.0/24 192.168.178.0/24 policy
match dir out pol ipsec reqid 1 proto esp
>> ip route show table 220
'/sbin/ip route show table 220' called, call sequence: init (1)
-> dropbear (27806) -> dropbear (19859) -> sh (19896) -> ip (3693) ->
/sbin/ip
192.168.178.0/24 via 84.46.104.218 dev ppp1 proto static src
192.168.144.1
>> ipsec statusall
Status of IKE charon daemon (strongSwan 5.4.0, Linux 4.4.115, x86_64):
uptime: 24 minutes, since Feb 25 13:04:13 2018
malloc: sbrk 278528, mmap 0, used 265104, free 13424
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 4
loaded plugins: charon pkcs11 aes des rc2 sha2 sha1 md5 random nonce
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve
socket-default stroke vici updown xauth-generic led unity
Listening IP addresses:
192.168.144.1
2a02:2028:839:a901::1
192.168.143.1
84.46.14.164
Connections:
STS:
LocalFLI4L.chickenkiller.com...FritzBox.chickenkiller.com,0.0.0.0/0,::/0
IKEv1 Aggressive, dpddelay=30s
STS: local: [LocalFLI4L.chickenkiller.com] uses pre-shared
key authentication
STS: remote: [FritzBox.chickenkiller.com] uses pre-shared key
authentication
STS: child: 192.168.144.0/24 === 192.168.178.0/24 TUNNEL,
dpdaction=restart
Security Associations (1 up, 0 connecting):
STS[1]: ESTABLISHED 24 minutes ago,
84.46.14.164[LocalFLI4L.chickenkiller.com]...88.70.118.161[FritzBox.chickenkiller.com]
STS[1]: IKEv1 SPIs: a25305c0ac37d2c2_i* ffb32c113e5b88e8_r,
pre-shared key reauthentication in 20 minutes
STS[1]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
STS{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7e14c71_i
9d335ba0_o, IPCOMP CPIs: d780_i c529_o
STS{1}: AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0
bytes_o, rekeying in 7 hours
STS{1}: 192.168.144.0/24 === 192.168.178.0/24
>> ip address show
'/sbin/ip address show' called, call sequence: init (1) -> dropbear
(27806) -> dropbear (19859) -> sh (19896) -> ip (6412) -> /sbin/ip
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state
UP group default qlen 1000
link/ether XX:XX:XX:XX:XX:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.144.1/24 brd 192.168.144.255 scope global br0
valid_lft forever preferred_lft forever
inet6 2a02:2028:839:a901::1/64 scope global dynamic
valid_lft 81327sec preferred_lft 81327sec
inet6 fe80::20d:b9ff:fe42:61c0/64 scope link
valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0
state UP group default qlen 1000
link/ether XX:XX:XX:XX:XX:02 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
group default qlen 1000
link/ether XX:XX:XX:XX:XX:03 brd ff:ff:ff:ff:ff:ff
5: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0
state UP group default qlen 1000
link/ether XX:XX:XX:XX:XX:04 brd ff:ff:ff:ff:ff:ff
6: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0
state UP group default qlen 1000
link/ether XX:XX:XX:XX:XX:05 brd ff:ff:ff:ff:ff:ff
7: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0
state UP group default qlen 1000
link/ether XX:XX:XX:XX:XX:06 brd ff:ff:ff:ff:ff:ff
8: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group
default qlen 1000
link/ether XX:XX:XX:XX:XX:07 brd ff:ff:ff:ff:ff:ff
inet 169.254.23.42/32 scope global dummy0
valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 192.168.143.1 peer 192.168.143.2/32 scope global tun0
valid_lft forever preferred_lft forever
10: ppp1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc
pfifo_fast state UNKNOWN group default qlen 3
link/ppp
inet 84.46.14.164 peer 84.46.104.218/32 scope global ppp1
valid_lft forever preferred_lft forever
inet6 fe80::2/10 scope link
valid_lft forever preferred_lft forever
>> traceroute 192.168.178.1
traceroute to 192.168.178.1 (192.168.178.1), 30 hops max, 60 byte
packets
1 LNS8.routing.wtnet.de (84.46.104.218) 0.981 ms 1.008 ms 0.872 ms
2 LNS8.routing.wtnet.de (84.46.104.218) 0.960 ms !X * *
But unfortunately still this:
>> ping 192.168.178.1
PING 192.168.178.1 (192.168.178.1) 56(84) bytes of data.
From 84.46.104.218 icmp_seq=1 Packet filtered
From 84.46.104.218 icmp_seq=2 Packet filtered
From 84.46.104.218 icmp_seq=3 Packet filtered
^C
--- 192.168.178.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time
2002ms
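As an added example (not part of the post, nor code from fli4l or strongSwan), a small Python check that reads the two outputs quoted above: it pulls the peer address, traffic selectors and ESP byte counters out of `ipsec statusall` and the hop that answered "Packet filtered" out of the ping output. When the outbound counter is still 0 and the ICMP rejection comes from an upstream hop rather than from the IPsec peer, that hop saw the echo request in plaintext, so the packets never matched the IPsec policy and the problem is in routing/policy selection, not in the tunnel itself. The sample text is constructed from the output in the post.

```python
import re

# Constructed excerpts modelled on the `ipsec statusall` and ping output quoted in the post.
STATUSALL = """\
Security Associations (1 up, 0 connecting):
  STS[1]: ESTABLISHED 24 minutes ago, 84.46.14.164[LocalFLI4L.chickenkiller.com]...88.70.118.161[FritzBox.chickenkiller.com]
  STS{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7e14c71_i 9d335ba0_o, IPCOMP CPIs: d780_i c529_o
  STS{1}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
  STS{1}:   192.168.144.0/24 === 192.168.178.0/24
"""
PING = """\
PING 192.168.178.1 (192.168.178.1) 56(84) bytes of data.
From 84.46.104.218 icmp_seq=1 Packet filtered
From 84.46.104.218 icmp_seq=2 Packet filtered
"""

def parse_child_sas(text):
    """Map connection name -> peer address, traffic selectors and ESP byte counters."""
    sas = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\[\d+\]:\s+ESTABLISHED.*?\.\.\.(\d+\.\d+\.\d+\.\d+)\[", line)
        if m:  # IKE SA line: the remote gateway address follows the '...'
            sas.setdefault(m.group(1), {})["peer"] = m.group(2)
        m = re.match(r"\s*(\w+)\{\d+\}:.*?(\d+) bytes_i, (\d+) bytes_o", line)
        if m:  # CHILD SA line: bytes actually carried by the ESP SA in each direction
            sas.setdefault(m.group(1), {}).update(bytes_i=int(m.group(2)), bytes_o=int(m.group(3)))
        m = re.match(r"\s*(\w+)\{\d+\}:\s+(\S+) === (\S+)\s*$", line)
        if m:  # CHILD SA traffic selectors: local === remote
            sas.setdefault(m.group(1), {}).update(local=m.group(2), remote=m.group(3))
    return sas

def diagnose(statusall, ping):
    """Flag tunnels whose traffic is rejected upstream although the ESP SA has carried nothing."""
    filtered_by = set(re.findall(r"^From (\S+) icmp_seq=\d+ Packet filtered", ping, re.M))
    findings = []
    for name, sa in parse_child_sas(statusall).items():
        # 'Packet filtered' (ICMP admin-prohibited) from a hop that is NOT the IPsec peer means that
        # hop saw the plaintext echo request, so the packet never matched the IPsec (XFRM) policy.
        if sa.get("bytes_o") == 0 and filtered_by and sa.get("peer") not in filtered_by:
            findings.append(
                f"{name}: 0 bytes_o and 'Packet filtered' from {', '.join(sorted(filtered_by))} "
                f"(not the IPsec peer {sa.get('peer')}): traffic to {sa.get('remote')} "
                "is leaving in plaintext instead of through the tunnel"
            )
    return findings

if __name__ == "__main__":
    for finding in diagnose(STATUSALL, PING):
        print(finding)
```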