IPv4 over IPv6 IPSec with StrongSwan

Overview

Using a test setup built with Linux network namespaces, try IPv4 over IPv6 IPSec with StrongSwan.
In the end, communication between the different LANs across the VPN did not work.

Environment

  • Ubuntu 20.04 running under multipass on OS X

Test setup

Build the setup shown in the figure below with Linux network namespaces (Docker containers plus OVS or similar would also work).
moon and sun are connected over IPv6; moon-lan and sun-lan are IPv4 networks.
[Figure: Untitled Diagram-4.jpg, the test topology]

Test setup build steps

  • Build the network.
sudo ip netns add moon
sudo ip netns add sun
sudo ip netns add moon-lan
sudo ip netns add sun-lan
sudo ip link add sunlan-veth0 type veth peer name sun-veth0
sudo ip link add moonlan-veth0 type veth peer name moon-veth0
sudo ip link add sun-veth1 type veth peer name moon-veth1
sudo ip link set sunlan-veth0 netns sun-lan
sudo ip link set moonlan-veth0 netns moon-lan
sudo ip link set sun-veth0  netns sun
sudo ip link set sun-veth1 netns sun
sudo ip link set moon-veth0  netns moon
sudo ip link set moon-veth1 netns moon


sudo ip netns exec moon-lan ip link set moonlan-veth0 up
sudo ip netns exec sun-lan ip link set sunlan-veth0 up
sudo ip netns exec sun ip link set sun-veth0 up
sudo ip netns exec sun ip link set sun-veth1 up
sudo ip netns exec moon ip link set moon-veth0 up
sudo ip netns exec moon ip link set moon-veth1 up

sudo ip netns exec sun sysctl net.ipv4.ip_forward=1
sudo ip netns exec moon sysctl net.ipv4.ip_forward=1
# there is no net.ipv6.ip_forward key; IPv6 forwarding is net.ipv6.conf.all.forwarding
sudo ip netns exec sun sysctl net.ipv6.conf.all.forwarding=1
sudo ip netns exec moon sysctl net.ipv6.conf.all.forwarding=1

sudo ip netns exec sun ip addr add 2001:db8::1/64 dev sun-veth1 
sudo ip netns exec moon ip addr add 2001:db8::2/64 dev moon-veth1 

sudo ip netns exec sun ip addr add 192.168.0.1/24 dev sun-veth0
sudo ip netns exec sun-lan ip addr add 192.168.0.10/24 dev sunlan-veth0 
sudo ip netns exec moon ip addr add 192.168.1.1/24  dev moon-veth0
sudo ip netns exec moon-lan ip addr add 192.168.1.10/24  dev moonlan-veth0 
  • Create the directories StrongSwan uses per network namespace
sudo mkdir -p /etc/ipsec.d/run
sudo mkdir -p /etc/netns/sun/ipsec.d/run
sudo mkdir -p /etc/netns/moon/ipsec.d/run
  • Create the StrongSwan configuration files
cat /etc/netns/sun/ipsec.conf
conn IPv4_IPv6
	authby=psk
	auto=add
	keyexchange=ikev2
	ike=aes256-sha256-modp1024!
	esp=aes256!
	ikelifetime=10h
	lifetime=1h
	left=2001:db8::1
	leftsubnet=192.168.0.0/24
	right=2001:db8::2
	rightsubnet=192.168.1.0/24

cat /etc/netns/moon/ipsec.conf
conn IPv4_IPv6
	authby=psk
	auto=start
	keyexchange=ikev2
	ike=aes256-sha256-modp1024!
	esp=aes256!
	ikelifetime=10h
	lifetime=1h
	left=2001:db8::2
	leftsubnet=192.168.1.0/24
	right=2001:db8::1
	rightsubnet=192.168.0.0/24
  • Create the secrets file for the PSK connection.
cat /etc/netns/moon/ipsec.secrets 
2001:db8::2 2001:db8::1 : PSK "pskpskpsk"
cat /etc/netns/sun/ipsec.secrets 
2001:db8::1 2001:db8::2 : PSK "pskpskpsk"

Checking the IPSec connection

  • Start IPSec
sudo ip netns exec sun ipsec start
sudo ip netns exec moon ipsec start
  • Check the status
sudo ip netns exec moon ipsec status
Security Associations (1 up, 0 connecting):
   IPv4_IPv6[1]: ESTABLISHED 9 seconds ago, 2001:db8::2[2001:db8::2]...2001:db8::1[2001:db8::1]
   IPv4_IPv6{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c76da785_i c1cafe10_o
   IPv4_IPv6{1}:   192.168.1.0/24 === 192.168.0.0/24

sudo ip netns exec sun ipsec status
Security Associations (1 up, 0 connecting):
   IPv4_IPv6[1]: ESTABLISHED 27 minutes ago, 2001:db8::1[2001:db8::1]...2001:db8::2[2001:db8::2]
   IPv4_IPv6{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1cafe10_i c76da785_o
   IPv4_IPv6{1}:   192.168.0.0/24 === 192.168.1.0/24
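The two status listings above should describe one IKE SA and one CHILD SA seen from opposite ends: peer addresses swapped, the SPI that is inbound on moon outbound on sun, and the traffic selectors mirrored. The script below is an added example (not part of the original post) that parses both `ipsec status` outputs, copied from the listings above, and reports any disagreement; the `STALE` sample in the test is a constructed variant with mismatched SPIs, the kind of state left behind when one side rekeys and the other keeps an old CHILD SA.

```python
"""Cross-check `ipsec status` output from two strongSwan peers."""
import re

# Output of `ipsec status` on each gateway (copied from the listings above).
MOON_STATUS = """\
Security Associations (1 up, 0 connecting):
   IPv4_IPv6[1]: ESTABLISHED 9 seconds ago, 2001:db8::2[2001:db8::2]...2001:db8::1[2001:db8::1]
   IPv4_IPv6{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c76da785_i c1cafe10_o
   IPv4_IPv6{1}:   192.168.1.0/24 === 192.168.0.0/24
"""
SUN_STATUS = """\
Security Associations (1 up, 0 connecting):
   IPv4_IPv6[1]: ESTABLISHED 27 minutes ago, 2001:db8::1[2001:db8::1]...2001:db8::2[2001:db8::2]
   IPv4_IPv6{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1cafe10_i c76da785_o
   IPv4_IPv6{1}:   192.168.0.0/24 === 192.168.1.0/24
"""

# "conn[1]: STATE ... ago, local[id]...remote[id]"
IKE_RE = re.compile(
    r"^\s*(?P<conn>[^\[\s]+)\[\d+\]: (?P<state>\w+) .*?, "
    r"(?P<local>[^\[\s]+)\[[^\]]*\]\.\.\.(?P<remote>[^\[\s]+)\[")
# "conn{1}:  STATE, MODE, reqid N, ESP SPIs: xxxx_i yyyy_o"
CHILD_RE = re.compile(
    r"\{\d+\}:\s+(?P<state>\w+), (?P<mode>\w+), reqid \d+, "
    r"ESP SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
# "conn{1}:   local/24 === remote/24"
TS_RE = re.compile(r"\{\d+\}:\s+(?P<local>\S+) === (?P<remote>\S+)\s*$")


def parse_status(text):
    """Return {'ike': ..., 'child': ..., 'ts': ...} for the first connection in the output."""
    info = {}
    for line in text.splitlines():
        for key, rx in (("ike", IKE_RE), ("child", CHILD_RE), ("ts", TS_RE)):
            m = rx.match(line) if key == "ike" else rx.search(line)
            if m and key not in info:
                info[key] = m.groupdict()
                break
    return info


def cross_check(a, b):
    """Return a list of findings; an empty list means both ends agree."""
    findings = []
    for name, side in (("A", a), ("B", b)):
        if side.get("ike", {}).get("state") != "ESTABLISHED":
            findings.append(f"{name}: IKE SA not ESTABLISHED")
        if side.get("child", {}).get("state") != "INSTALLED":
            findings.append(f"{name}: CHILD SA not INSTALLED")
        elif side["child"]["mode"] != "TUNNEL":
            findings.append(f"{name}: CHILD SA mode is {side['child']['mode']}, expected TUNNEL")
    if findings:  # nothing to mirror-check if either side is down
        return findings
    if (a["ike"]["local"], a["ike"]["remote"]) != (b["ike"]["remote"], b["ike"]["local"]):
        findings.append("IKE peer addresses are not mirrored")
    if (a["child"]["spi_in"], a["child"]["spi_out"]) != (b["child"]["spi_out"], b["child"]["spi_in"]):
        findings.append("ESP SPIs are not mirrored (stale or mismatched CHILD SA)")
    if "ts" not in a or "ts" not in b:
        findings.append("traffic selectors missing")
    elif (a["ts"]["local"], a["ts"]["remote"]) != (b["ts"]["remote"], b["ts"]["local"]):
        findings.append("traffic selectors are not mirrored")
    return findings


if __name__ == "__main__":
    for f in cross_check(parse_status(MOON_STATUS), parse_status(SUN_STATUS)) or ["peers agree"]:
        print(f)
```

`ipsec status` does not print the negotiated algorithms; `ipsec statusall` does, and that is where a check for the proposal in the config above would look (modp1024 is a 1024-bit DH group, so a lint of that output would usually want modp2048 or stronger).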
  • Connectivity check
    IPv4 between moon and sun is reachable.
sudo ip netns exec moon ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.313 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.106 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.104 ms

tcpdump on moon-veth1 confirms the ping is carried as IPv6 ESP packets (the plaintext ICMP lines sharing a timestamp with an inbound ESP packet are the decapsulated copies of that packet).

sudo ip netns exec moon tcpdump -i moon-veth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on moon-veth1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C21:37:20.776042 IP6 2001:db8::1 > 2001:db8::2: ESP(spi=0xc76da785,seq=0x1a), length 120
21:37:20.776042 IP 192.168.0.1 > 192.168.1.1: ICMP echo request, id 49470, seq 1, length 64
21:37:20.776092 IP6 2001:db8::2 > 2001:db8::1: ESP(spi=0xc1cafe10,seq=0x1a), length 120
21:37:21.778143 IP6 2001:db8::1 > 2001:db8::2: ESP(spi=0xc76da785,seq=0x1b), length 120
21:37:21.778143 IP 192.168.0.1 > 192.168.1.1: ICMP echo request, id 49470, seq 2, length 64
21:37:21.778202 IP6 2001:db8::2 > 2001:db8::1: ESP(spi=0xc1cafe10,seq=0x1b), length 120
21:37:22.783848 IP6 2001:db8::1 > 2001:db8::2: ESP(spi=0xc76da785,seq=0x1c), length 120

Problem

moon to sun-lan, and moon-lan to sun, are not reachable.
I think this is a default gateway or routing issue, but I have not figured it out.

sudo ip netns exec moon ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
^C
--- 192.168.0.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1030ms
sudo ip netns exec moon-lan ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
^C
--- 192.168.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2092ms
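To narrow down where the two failing pings die, here is an added example (not part of the original post) that replays the forward and reply path of each ping with longest-prefix route lookups over `ip route show` text for every namespace. It assumes the route tables are exactly what the build steps above create (connected routes only, since no `ip route add` appears in those steps) and models the IPsec tunnel from the ipsec.conf traffic selectors rather than the live xfrm state; `FIX_COMMANDS` are the commands this model says are missing. If the real namespaces hold routes the post does not show, paste the output of `ip netns exec <ns> ip route show` into `ROUTES` instead.

```python
"""Trace a ping through the namespace topology using `ip route show` text."""
import ipaddress
import re

# Addresses from the `ip addr add` commands (namespace -> {interface: address}).
ADDRS = {
    "moon-lan": {"moonlan-veth0": "192.168.1.10/24"},
    "moon": {"moon-veth0": "192.168.1.1/24", "moon-veth1": "2001:db8::2/64"},
    "sun": {"sun-veth0": "192.168.0.1/24", "sun-veth1": "2001:db8::1/64"},
    "sun-lan": {"sunlan-veth0": "192.168.0.10/24"},
}
# veth pairs from the `ip link add ... type veth peer name ...` commands.
LINKS = {
    ("moon-lan", "moonlan-veth0"): "moon", ("moon", "moon-veth0"): "moon-lan",
    ("sun-lan", "sunlan-veth0"): "sun", ("sun", "sun-veth0"): "sun-lan",
    ("moon", "moon-veth1"): "sun", ("sun", "sun-veth1"): "moon",
}
# Traffic selectors from ipsec.conf: (gateway, leftsubnet, rightsubnet, peer gateway).
# ASSUMPTION: a packet matching a selector on a gateway is carried to the peer gateway.
TUNNELS = [("moon", "192.168.1.0/24", "192.168.0.0/24", "sun"),
           ("sun", "192.168.0.0/24", "192.168.1.0/24", "moon")]
# CONSTRUCTED `ip route show` output: the connected routes the build steps create.
ROUTES = {
    "moon-lan": ["192.168.1.0/24 dev moonlan-veth0 proto kernel scope link src 192.168.1.10"],
    "moon": ["192.168.1.0/24 dev moon-veth0 proto kernel scope link src 192.168.1.1"],
    "sun": ["192.168.0.0/24 dev sun-veth0 proto kernel scope link src 192.168.0.1"],
    "sun-lan": ["192.168.0.0/24 dev sunlan-veth0 proto kernel scope link src 192.168.0.10"],
}
# Commands that give each LAN namespace a default route toward its gateway.
FIX_COMMANDS = ["sudo ip netns exec moon-lan ip route add default via 192.168.1.1",
                "sudo ip netns exec sun-lan ip route add default via 192.168.0.1"]

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")


def parse_routes(lines):
    """Parse `ip route show` lines into (network, via, dev) tuples."""
    parsed = []
    for line in lines:
        m = ROUTE_RE.match(line.strip())
        if m:
            dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
            parsed.append((ipaddress.ip_network(dst, strict=False), m["via"], m["dev"]))
    return parsed


def lookup(routes, dst):
    """Longest-prefix match, as the kernel FIB does."""
    best = None
    for net, via, dev in parse_routes(routes):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def owner(ip):
    """Namespace holding the address, or None."""
    for ns, ifaces in ADDRS.items():
        if any(ipaddress.ip_interface(c).ip == ip for c in ifaces.values()):
            return ns
    return None


def trace(src_ns, src, dst, routes, max_hops=8):
    """Namespaces visited; the last element is a 'DROP: ...' string if the packet never arrives."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ns, path = src_ns, [src_ns]
    for _ in range(max_hops):
        if owner(dst) == ns:
            return path
        # xfrm policy: on a gateway, a matching selector sends the packet through the tunnel.
        hop = next((peer for gw, ls, rs, peer in TUNNELS if gw == ns
                    and src in ipaddress.ip_network(ls) and dst in ipaddress.ip_network(rs)), None)
        if hop is None:
            route = lookup(routes.get(ns, []), dst)
            if route is None:
                return path + [f"DROP: {ns} has no route to {dst}"]
            _, via, dev = route
            if via:  # gateway route: next hop is whoever holds the via address
                hop = owner(ipaddress.ip_address(via))
            elif owner(dst) == LINKS.get((ns, dev)):  # connected route: dst must be on-link
                hop = owner(dst)
            if hop is None:
                return path + [f"DROP: {ns} cannot resolve a next hop for {dst} on {dev}"]
        ns = hop
        path.append(ns)
    return path + ["DROP: hop limit exceeded"]


def with_default_routes(routes):
    """Route tables as they look after FIX_COMMANDS have been applied."""
    fixed = {ns: list(lines) for ns, lines in routes.items()}
    fixed["moon-lan"].append("default via 192.168.1.1 dev moonlan-veth0")
    fixed["sun-lan"].append("default via 192.168.0.1 dev sunlan-veth0")
    return fixed


def round_trip(src_ns, src, dst, routes):
    """Forward path and, if the packet arrives, the reply path (else None)."""
    fwd = trace(src_ns, src, dst, routes)
    return (fwd, None) if fwd[-1].startswith("DROP") else (fwd, trace(fwd[-1], dst, src, routes))


if __name__ == "__main__":
    for tables, label in ((ROUTES, "as built"), (with_default_routes(ROUTES), "with default routes")):
        print(f"== {label}")
        print("moon     -> 192.168.0.10:", round_trip("moon", "192.168.1.1", "192.168.0.10", tables))
        print("moon-lan -> 192.168.0.1 :", round_trip("moon-lan", "192.168.1.10", "192.168.0.1", tables))
```

With the tables as built, the echo request from moon reaches sun-lan through the tunnel, but sun-lan has no route back to 192.168.1.1, and moon-lan has no route to 192.168.0.0/24 at all; after the two default routes are added every path completes in both directions. On the live system the same question is answered by `ip netns exec sun-lan ip route get 192.168.1.1`.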