hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

IKEv2 split tunneling with multiple leftsubnets #1053

Closed kindomLee closed 2 years ago

kindomLee commented 2 years ago

Problem description

Split tunneling, following the reference document: Advanced usage

With a single leftsubnet it works; with multiple leftsubnets, split tunneling does not take effect (the VPN server's IKEv2 connection fails to load).

Steps to reproduce

ikev2.conf

conn ikev2-cp
left=%defaultroute
leftcert=123.456.789.0
leftsendcert=always
leftsubnets="10.0.10.0/24,169.254.169.254/32"
leftrsasigkey=%cert
right=%any
rightid=%fromcert
rightaddresspool=192.168.43.10-192.168.43.250
rightca=%same
rightrsasigkey=%cert
narrowing=yes
dpddelay=30
dpdtimeout=120
dpdaction=clear
auto=add
ikev2=insist
rekey=no
pfs=no
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
ikelifetime=24h
salifetime=24h
encapsulation=yes
leftid=123.456.789.0
modecfgdns="169.254.169.254 8.8.4.4"
mobike=yes
modecfgdomains="internal, corp"

Expected correct result

To be able to connect to multiple subnets of the remote VPN environment at the same time, while all other connections use the existing route rules.

Logs: check the logs and VPN status, and add the error logs to help explain the problem (if applicable).

journalctl -u ipsec

Nov 18 14:11:06 dst-vpn-01 systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Nov 18 14:11:06 dst-vpn-01 ipsec[31292]: nflog ipsec capture disabled
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: Initializing NSS using read-write database "sql:/etc/ipsec.d"
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: FIPS Mode: NO
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: NSS crypto library initialized
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: FIPS mode disabled for pluto daemon
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: FIPS HMAC integrity support [disabled]
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: libcap-ng support [enabled]
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: Linux audit support [disabled]
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: Starting Pluto (Libreswan Version 4.5 IKEv2 IKEv1 XFRM XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (native-PRF) SYSTEMD_WATCHDOG LIBCAP_NG AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:31303
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: core dump dir: /run/pluto
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: secrets file: /etc/ipsec.secrets
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: leak-detective enabled
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: NSS crypto [enabled]
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: XAUTH PAM support [enabled]
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: NAT-Traversal support  [enabled]
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: Encryption algorithms:
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   AES_CCM_16         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm, aes_ccm_c
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   AES_CCM_12         {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_b
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   AES_CCM_8          {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_ccm_a
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   3DES_CBC           [*192]         IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     3des
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   CAMELLIA_CTR       {256,192,*128} IKEv1:     ESP     IKEv2:     ESP
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   CAMELLIA_CBC       {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP          NSS(CBC)     camellia
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   AES_GCM_16         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm, aes_gcm_c
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   AES_GCM_12         {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_b
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   AES_GCM_8          {256,192,*128} IKEv1:     ESP     IKEv2: IKE ESP     FIPS NSS(GCM)     aes_gcm_a
Nov 18 14:11:06 dst-vpn-01 systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   AES_CTR            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CTR)     aesctr
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   AES_CBC            {256,192,*128} IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS NSS(CBC)     aes
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   NULL_AUTH_AES_GMAC {256,192,*128} IKEv1:     ESP     IKEv2:     ESP     FIPS              aes_gmac
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   NULL               []             IKEv1:     ESP     IKEv2:     ESP
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   CHACHA20_POLY1305  [*256]         IKEv1:             IKEv2: IKE ESP          NSS(AEAD)    chacha20poly1305
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: Hash algorithms:
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   MD5                               IKEv1: IKE         IKEv2:                  NSS
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   SHA1                              IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   SHA2_256                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   SHA2_384                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   SHA2_512                          IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: PRF algorithms:
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   HMAC_MD5                          IKEv1: IKE         IKEv2: IKE              native(HMAC) md5
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   HMAC_SHA1                         IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha, sha1
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   HMAC_SHA2_256                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha2, sha256, sha2_256
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   HMAC_SHA2_384                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha384, sha2_384
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   HMAC_SHA2_512                     IKEv1: IKE         IKEv2: IKE         FIPS NSS          sha512, sha2_512
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   AES_XCBC                          IKEv1:             IKEv2: IKE              native(XCBC) aes128_xcbc
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: Integrity algorithms:
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   HMAC_MD5_96                       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       native(HMAC) md5, hmac_md5
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   HMAC_SHA1_96                      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha, sha1, sha1_96, hmac_sha1
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   HMAC_SHA2_512_256                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha512, sha2_512, sha2_512_256, hmac_sha2_512
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   HMAC_SHA2_384_192                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha384, sha2_384, sha2_384_192, hmac_sha2_384
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   HMAC_SHA2_256_128                 IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS          sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   HMAC_SHA2_256_TRUNCBUG            IKEv1:     ESP AH  IKEv2:         AH
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   AES_XCBC_96                       IKEv1:     ESP AH  IKEv2: IKE ESP AH       native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   AES_CMAC_96                       IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS              aes_cmac
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   NONE                              IKEv1:     ESP     IKEv2: IKE ESP     FIPS              null
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: DH algorithms:
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   NONE                              IKEv1:             IKEv2: IKE ESP AH  FIPS NSS(MODP)    null, dh0
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   MODP1024                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh2
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   MODP1536                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH       NSS(MODP)    dh5
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   MODP2048                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh14
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   MODP3072                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh15
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   MODP4096                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh16
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   MODP6144                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh17
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   MODP8192                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh18
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   DH19                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_256, ecp256
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   DH20                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_384, ecp384
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   DH21                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_521, ecp521
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   DH31                              IKEv1: IKE         IKEv2: IKE ESP AH       NSS(ECP)     curve25519
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: testing CAMELLIA_CBC:
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Camellia: 16 bytes with 128-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Camellia: 16 bytes with 128-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Camellia: 16 bytes with 256-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Camellia: 16 bytes with 256-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: testing AES_GCM_16:
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   empty string
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   one block
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   two blocks
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   two blocks with associated data
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: testing AES_CTR:
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Encrypting 16 octets using AES-CTR with 128-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Encrypting 32 octets using AES-CTR with 128-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Encrypting 36 octets using AES-CTR with 128-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Encrypting 16 octets using AES-CTR with 192-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Encrypting 32 octets using AES-CTR with 192-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Encrypting 36 octets using AES-CTR with 192-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Encrypting 16 octets using AES-CTR with 256-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Encrypting 32 octets using AES-CTR with 256-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Encrypting 36 octets using AES-CTR with 256-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: testing AES_CBC:
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: testing AES_XCBC:
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: testing HMAC_MD5:
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   RFC 2104: MD5_HMAC test 1
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   RFC 2104: MD5_HMAC test 2
Nov 18 14:11:06 dst-vpn-01 pluto[31303]:   RFC 2104: MD5_HMAC test 3
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: 2 CPU cores online
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: starting up 2 helper threads
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: started thread for helper 0
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: started thread for helper 1
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: using Linux xfrm kernel support code on #1 SMP Debian 4.19.208-1 (2021-09-29)
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: watchdog: sending probes every 100 secs
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: seccomp security not supported
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: seccomp security for helper not supported
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: seccomp security for helper not supported
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: "l2tp-psk": added IKEv1 connection
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: "xauth-psk": added IKEv1 connection
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: "ikev2-cp/1x1": loaded private key matching left certificate '123.456.789.0'
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: "ikev2-cp/1x1": subnet error - failing to load connection
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: listening for IKE messages
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: Kernel supports NIC esp-hw-offload
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: adding UDP interface ens4 10.0.10.2:500
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: adding UDP interface ens4 10.0.10.2:4500
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: adding UDP interface lo 127.0.0.1:500
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: adding UDP interface lo 127.0.0.1:4500
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: adding UDP interface lo [::1]:500
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: forgetting secrets
Nov 18 14:11:06 dst-vpn-01 pluto[31303]: loading secrets from "/etc/ipsec.secrets"

Server information (please fill in the following information)

Client information (please fill in the following information)

Other information

hwdsl2 commented 2 years ago

@kindomLee Hello! I suspect that 169.254.169.254/32 is not supported in leftsubnets. Because this is not an issue with the VPN setup scripts, but instead could be an issue with Libreswan, I'm closing this. I see that you have filed an issue with Libreswan here: https://github.com/libreswan/libreswan/issues/551.
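
The posted config is rejected by pluto with "subnet error - failing to load connection", and the suspect entry is 169.254.169.254/32. The following is an added example (my own script, not code from setup-ipsec-vpn or Libreswan) showing a pre-flight check a practitioner can run over an ikev2.conf before restarting pluto: it parses each entry of leftsubnets=, rejects malformed CIDRs, flags entries whose host bits are set, flags anything in the IPv4 link-local range 169.254.0.0/16, and extracts from `journalctl -u ipsec` output the names of connections pluto refused to load. All function names (ip_to_int, check_cidr, check_leftsubnets, failed_conns) are the example's own, and the ikev2.conf fragment at the bottom is constructed for the demo, not the reporter's file. The one Libreswan fact relied on is that leftsubnets entries are expanded into sub-connections named conn/NxM, which is why the log shows ikev2-cp/1x1.

```shell
#!/bin/sh
# Added example, not code from setup-ipsec-vpn or Libreswan: a pre-flight check
# of the leftsubnets= list in an ikev2.conf before restarting pluto.
# Every function name here is the example's own invention.

# ip_to_int A.B.C.D -> prints the 32-bit integer value, returns 1 on bad input.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in
            # empty, non-digit, or leading zero (shell arithmetic would read
            # "010" as octal 8, so reject the ambiguous form outright)
            ''|*[!0-9]*|0[0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($a << 24) | ($b << 16) | ($c << 8) | $d ))
}

# check_cidr A.B.C.D/N -> prints one verdict:
#   ok | bad-syntax | host-bits-set | link-local
check_cidr() {
    cidr=$1
    case "$cidr" in
        */*) ;;
        *) echo bad-syntax; return 0 ;;
    esac
    addr=${cidr%/*}
    plen=${cidr#*/}
    case "$plen" in
        ''|*[!0-9]*|0[0-9]*) echo bad-syntax; return 0 ;;
    esac
    [ "$plen" -le 32 ] || { echo bad-syntax; return 0; }
    n=$(ip_to_int "$addr") || { echo bad-syntax; return 0; }
    # network mask for /N, computed without shifting past 32 bits
    mask=$(( 0xFFFFFFFF - ((1 << (32 - $plen)) - 1) ))
    # 10.0.10.5/24 is a host inside a subnet, not a subnet: flag it so the
    # operator decides what was meant instead of leaving it to pluto.
    if [ $(( $n & (0xFFFFFFFF ^ $mask) )) -ne 0 ]; then
        echo host-bits-set; return 0
    fi
    # 169.254.0.0/16 (0xA9FE0000) is the IPv4 link-local range (RFC 3927).
    if [ $(( $n & 0xFFFF0000 )) -eq $(( 0xA9FE0000 )) ]; then
        echo link-local; return 0
    fi
    echo ok
}

# check_leftsubnets < ikev2.conf -> prints "<cidr> <verdict>" per entry,
# returns 1 if any entry is not "ok".
check_leftsubnets() {
    rc=0
    # take the value of leftsubnets=, drop quotes, turn whitespace into commas
    list=$(sed -n 's/^[[:space:]]*leftsubnets=//p' | tr -d '"' | tr -s '[:space:]' ',')
    oldifs=$IFS
    IFS=,
    for s in $list; do
        [ -n "$s" ] || continue
        v=$(check_cidr "$s")
        echo "$s $v"
        [ "$v" = ok ] || rc=1
    done
    IFS=$oldifs
    return $rc
}

# failed_conns < journal.txt -> names of connections pluto refused to load.
# Libreswan expands leftsubnets into sub-connections named conn/NxM, so the
# name printed tells you which subnet pairing tripped the error.
failed_conns() {
    sed -n 's/^.*pluto\[[0-9]*]: "\([^"]*\)": .*failing to load connection.*$/\1/p'
}

# Constructed ikev2.conf fragment for the demo (mirrors the issue's entries).
sample_conf='conn ikev2-cp
  left=%defaultroute
  leftsubnets="10.0.10.0/24,169.254.169.254/32"
  right=%any'

printf '%s\n' "$sample_conf" | check_leftsubnets ||
    echo "fix the entries above before: service ipsec restart"
```

Run `check_leftsubnets < /etc/ipsec.d/ikev2.conf` (or wherever the project placed the file) before restarting; afterwards `journalctl -u ipsec | failed_conns` should print nothing, and `ipsec status` should list ikev2-cp. The script only validates syntax and flags the suspicious range; whether Libreswan accepts a given link-local /32 in leftsubnets is the question left to the upstream issue linked above.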

kindomLee commented 2 years ago

This really is not a problem with the setup script, thank you!

gavin2love commented 2 years ago

I ran into the same problem. I deployed with Docker and used IKEv2; after configuring split tunneling, the client could not connect to the server and reported a "policy match error".