I recently set up an IPsec tunnel on Linux with strongSwan, so I want to write up how the configuration is done.
What this post covers
- Build an L2TP/IPsec tunnel and connect into the LAN behind a Yamaha router
Environment
- Amazon Linux (172.20.0.1)
- Yamaha router NVR700W (172.20.0.3)
Network diagram
Setup
Amazon Linux configuration
1. strongSwan configuration
/etc/strongswan/ipsec.conf
Writing the settings directly in this file becomes hard to manage as the number of connected devices grows, so add the following line so that each peer gets its own config file.
include /etc/strongswan/ipsec.d/*.conf
/etc/strongswan/ipsec.d/yamaha.conf
This is the IPsec tunnel configuration file. These are the parameters that worked best after a fair amount of testing. DPD is used to detect a dropped IPsec session and reconnect.
conn yamaha
    # Bring the IPsec tunnel up automatically when the service starts
    auto=start
    # Transport mode, since L2TP runs on top of it
    type=transport
    # Authenticate with a PSK
    authby=secret
    # Key exchange: IKEv1
    keyexchange=ikev1
    # IKE proposal (must match the router side's ipsec ike encryption/hash settings)
    ike=aes128-sha1-modp1024
    # ESP proposal
    esp=aes128-sha1
    # Server IP
    left=172.20.0.1
    leftid=172.20.0.1
    # Yamaha router IP
    right=172.20.0.3
    rightid=172.20.0.3
    compress=no
    # IKE lifetime (8 hours)
    ikelifetime=8h
    # SA lifetime (8 hours)
    lifetime=8h
    keyingtries=%forever
    # Transport port on the server side (L2TP => UDP 1701)
    leftprotoport=17/1701
    # Transport port on the Yamaha side (L2TP => UDP 1701)
    rightprotoport=17/1701
    # Send a DPD packet every 20 seconds (the unit must be written as "s")
    dpddelay=20s
    # DPD timeout: 60 seconds
    dpdtimeout=60
    # Re-establish the tunnel when DPD times out
    dpdaction=restart
    # Re-establish the tunnel if it is closed unexpectedly
    closeaction=restart
/etc/strongswan/ipsec.secrets
Set the PSK (pre-shared key). Write the server IP first, then the Yamaha router IP.
# /etc/ipsec.secrets - strongSwan IPsec secrets file
172.20.0.1 172.20.0.3 : PSK "vpn"
2. xl2tpd configuration
/etc/xl2tpd/xl2tpd.conf
Comment out the debug lines as you see fit.
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes
debug tunnel = yes

; the LAC name in brackets is the name passed to "xl2tpd-control connect"
[lac YamahaRouter]
lns = 172.20.0.3
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.yamaha
length bit = yes
redial = yes
redial timeout = 10
max redials = 100
/etc/ppp/options.xl2tpd.yamaha
# (superseded by the "name" option further down)
name vpn
# Do not require the peer to authenticate itself
noauth
# Hardware flow control (RTS/CTS)
crtscts
# Maximum transmit unit (MTU)
mtu 1258
# Maximum receive unit (MRU)
mru 1258
# Do not add the Yamaha router as the default route
nodefaultroute
# Use UUCP-style lock files
lock
# Log file location
logfile /var/log/ppp/saiji11.log
# L2TP tunnel user name / password
name hoge
password hoge
That completes the IPsec side. Next, configure the Yamaha router.
Yamaha router configuration
ip route default gateway pdp wan1
pp select 1
 pp bind tunnel3
 pp auth request chap-pap
 pp auth username hoge hoge
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ip pp remote address 172.16.10.50
 ip pp mtu 1258
 pp enable 1
tunnel select 1
 description tunnel TO_AmazonLinux
 tunnel encapsulation l2tp
 tunnel endpoint address 172.20.0.1
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike always-on 1 on
  ipsec ike encryption 1 aes-cbc
  ipsec ike hash 1 sha
  ipsec ike keepalive use 1 on dpd 20 3
  ipsec ike local address 1 172.20.0.3
  ipsec ike local id 1 172.20.0.3
  ipsec ike nat-traversal 1 on
  ipsec ike pre-shared-key 1 text vpn
  ipsec ike remote address 1 172.20.0.1
  ipsec ike remote id 1 172.20.0.1
  ipsec auto refresh 1 on
 l2tp always-on on
 l2tp tunnel disconnect time off
 l2tp keepalive use off
 l2tp keepalive log on
 l2tp syslog on
 l2tp local router-id 172.20.0.3
 l2tp remote router-id 172.20.0.1
 ip tunnel tcp mss limit auto
nat descriptor type 31000 masquerade
nat descriptor address outer 31000 172.20.0.3
nat descriptor address inner 31000 auto
nat descriptor masquerade static 31000 12 172.20.0.3 udp *
nat descriptor masquerade static 31000 13 172.20.0.3 esp
ipsec auto refresh on
ipsec transport 1 101 udp 1701
l2tp service on
Verification
Start strongSwan and bring up the IPsec tunnel
[root@hoge ~]# service strongswan start
Starting strongswan: Starting strongSwan 5.4.0 IPsec [starter]...   [  OK  ]
■ Startup logs
/var/log/secure
Dec 25 16:20:00 ip-10-31-1-185 ipsec_starter[7428]: Starting strongSwan 5.4.0 IPsec [starter]...
Dec 25 16:20:00 ip-10-31-1-185 ipsec_starter[7437]: charon (7439) started after 40 ms
Dec 25 16:20:00 ip-10-31-1-185 charon: 07[IKE] initiating Main Mode IKE_SA saiji11[1] to 172.20.0.3
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[IKE] IKE_SA saiji11[1] established between 172.20.0.1[172.20.0.1]...172.20.0.3[172.20.0.3]
Dec 25 16:20:01 ip-10-31-1-185 charon: 13[IKE] CHILD_SA saiji11{1} established with SPIs c2f2daf9_i 4410a72b_o and TS 172.20.0.1/32[udp/l2tp] === 172.20.0.3/32[udp/l2tp]
/var/log/message
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.4.0, Linux 4.9.62-21.56.amzn1.x86_64, x86_64)
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[LIB] openssl FIPS mode(2) - enabled
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loaded IKE secret for 172.16.10.15 172.16.10.202
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loaded IKE secret for 172.16.10.15 172.16.10.204
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loaded IKE secret for 10.31.1.185 10.31.1.183
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loaded IKE secret for 172.20.0.1 172.20.0.3
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loaded IKE secret for 172.20.0.1 172.20.0.5
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loaded IKE secret for %any
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[JOB] spawning 16 worker threads
Dec 25 16:20:00 ip-10-31-1-185 charon: 05[CFG] received stroke: add connection 'L2TP-PSK'
Dec 25 16:20:00 ip-10-31-1-185 charon: 05[CFG] added configuration 'L2TP-PSK'
Dec 25 16:20:00 ip-10-31-1-185 charon: 06[CFG] received stroke: add connection 'saiji11'
Dec 25 16:20:00 ip-10-31-1-185 charon: 06[CFG] added configuration 'saiji11'
Dec 25 16:20:00 ip-10-31-1-185 charon: 07[CFG] received stroke: initiate 'saiji11'
Dec 25 16:20:00 ip-10-31-1-185 charon: 07[IKE] initiating Main Mode IKE_SA saiji11[1] to 172.20.0.3
Dec 25 16:20:00 ip-10-31-1-185 charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V ]
Dec 25 16:20:00 ip-10-31-1-185 charon: 07[NET] sending packet: from 172.20.0.1[500] to 172.20.0.3[500] (216 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 07[NET] received packet: from 172.20.0.3[500] to 172.20.0.1[500] (124 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 07[ENC] parsed ID_PROT response 0 [ SA V V ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 07[IKE] received DPD vendor ID
Dec 25 16:20:01 ip-10-31-1-185 charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
Dec 25 16:20:01 ip-10-31-1-185 charon: 07[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 07[NET] sending packet: from 172.20.0.1[500] to 172.20.0.3[500] (244 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 12[NET] received packet: from 172.20.0.3[500] to 172.20.0.1[500] (276 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 12[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 12[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 12[NET] sending packet: from 172.20.0.1[500] to 172.20.0.3[500] (108 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[NET] received packet: from 172.20.0.3[500] to 172.20.0.1[500] (76 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[ENC] parsed ID_PROT response 0 [ ID HASH ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[IKE] IKE_SA saiji11[1] established between 172.20.0.1[172.20.0.1]...172.20.0.3[172.20.0.3]
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[IKE] scheduling reauthentication in 27732s
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[IKE] maximum IKE_SA lifetime 28272s
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[ENC] generating QUICK_MODE request 1702356715 [ HASH SA No ID ID ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[NET] sending packet: from 172.20.0.1[500] to 172.20.0.3[500] (204 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 13[NET] received packet: from 172.20.0.3[500] to 172.20.0.1[500] (204 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 13[ENC] parsed QUICK_MODE response 1702356715 [ HASH SA No ID ID ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 13[IKE] CHILD_SA saiji11{1} established with SPIs c2f2daf9_i 4410a72b_o and TS 172.20.0.1/32[udp/l2tp] === 172.20.0.3/32[udp/l2tp]
Dec 25 16:20:01 ip-10-31-1-185 charon: 13[ENC] generating QUICK_MODE request 1702356715 [ HASH ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 13[NET] sending packet: from 172.20.0.1[500] to 172.20.0.3[500] (60 bytes)
Dec 25 16:20:05 ip-10-31-1-185 charon: 09[NET] received packet: from 172.20.0.3[500] to 172.20.0.1[500] (92 bytes)
Dec 25 16:20:05 ip-10-31-1-185 charon: 09[ENC] parsed INFORMATIONAL_V1 request 2722088797 [ HASH N(DPD) ]
Dec 25 16:20:05 ip-10-31-1-185 charon: 09[ENC] generating INFORMATIONAL_V1 request 2461533453 [ HASH N(DPD_ACK) ]
Dec 25 16:20:05 ip-10-31-1-185 charon: 09[NET] sending packet: from 172.20.0.1[500] to 172.20.0.3[500] (92 bytes)
■ Check that the IPsec tunnel is up
Yamaha router
yamaha# show ipsec sa
Total: isakmp:1 send:1 recv:3

sa    sgw isakmp connection    dir  life[s] remote-id
----------------------------------------------------------------------------
1     1    -      isakmp        -    28751   172.20.0.1
2     1    1      tra[0001]esp  send 28751   172.20.0.1
9     1    -      tra[0001]esp  recv 28697   172.20.0.1
10    1    -      tra[0001]esp  recv 28727   172.20.0.1
11    1    1      tra[0001]esp  recv 28751   172.20.0.1
Amazon Linux
[root@hoge ~]# swanctl --list-sas
yamaha: #1, ESTABLISHED, IKEv1, 51e17d367dc40af4:b7ea1ced90489fc1
  local  '172.20.0.1' @ 172.20.0.1[500]
  remote '172.20.0.3' @ 172.20.0.3[500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 526s ago, reauth in 27206s
  saiji11: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 526s ago, rekeying in 27297s, expires in 28274s
    in  c2f2daf9,      0 bytes,     0 packets
    out 4410a72b,      0 bytes,     0 packets
    local  172.20.0.1/32[udp/l2tp]
    remote 172.20.0.3/32[udp/l2tp]
The IKE_SA shows ESTABLISHED, so the IPsec tunnel is up.
Bring up the L2TP tunnel
- Now bring up the L2TP tunnel over it. First start the service.
[root@hoge ~]# service xl2tpd start
Startup log
/var/log/message
6:32:31 ip-10-31-1-185 xl2tpd[7574]: setsockopt recvref[30]: Protocol not available
Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7574]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7576]: xl2tpd version xl2tpd-1.3.8 started on ip-10-31-1-185 PID:7576
Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7576]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7576]: Forked by Scott Balmos and David Stipp, (C) 2001
Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7576]: Inherited by Jeff McAdams, (C) 2002
Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7576]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7576]: Listening on IP address 0.0.0.0, port 1701
- Next, connect the L2TP session.
Note: unless I waited 20 to 30 seconds after starting the service before connecting, the connection sometimes failed.
[root@hoge ~]# xl2tpd-control connect yamaha
■ Log of the L2TP connection
/var/log/message
Dec 25 16:39:43 ip-10-31-1-185 xl2tpd[7576]: Connecting to host 172.20.0.3, port 1701
Dec 25 16:39:43 ip-10-31-1-185 xl2tpd[7576]: Connection established to 172.20.0.3, 1701. Local: 24193, Remote: 3664 (ref=0/0).
Dec 25 16:39:43 ip-10-31-1-185 xl2tpd[7576]: Calling on tunnel 24193
Dec 25 16:39:43 ip-10-31-1-185 xl2tpd[7576]: Call established with 172.20.0.3, Local: 43413, Remote: 47214, Serial: 1 (ref=0/0)
Dec 25 16:39:43 ip-10-31-1-185 pppd[7580]: pppd 2.4.5 started by ec2-user, uid 0
Dec 25 16:39:43 ip-10-31-1-185 pppd[7580]: Using interface ppp0
Dec 25 16:39:43 ip-10-31-1-185 pppd[7580]: Connect: ppp0 <--> /dev/pts/1
Dec 25 16:39:44 ip-10-31-1-185 pppd[7580]: CHAP authentication succeeded: Authentication succeeded.
Dec 25 16:39:44 ip-10-31-1-185 pppd[7580]: CHAP authentication succeeded
Dec 25 16:39:44 ip-10-31-1-185 pppd[7580]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Dec 25 16:39:44 ip-10-31-1-185 pppd[7580]: local IP address 172.16.10.50
Dec 25 16:39:44 ip-10-31-1-185 pppd[7580]: remote IP address 10.195.0.1
Dec 25 16:39:44 ip-10-31-1-185 charon: 15[KNL] 172.16.10.50 appeared on ppp0
Dec 25 16:39:44 ip-10-31-1-185 charon: 10[KNL] 172.16.10.50 disappeared from ppp0
Dec 25 16:39:44 ip-10-31-1-185 charon: 16[KNL] 172.16.10.50 appeared on ppp0
Dec 25 16:39:44 ip-10-31-1-185 charon: 09[KNL] interface ppp0 activated
Dec 25 16:39:45 ip-10-31-1-185 charon: 13[NET] received packet: from 172.20.0.3[500] to 172.20.0.1[500] (92 bytes)
Dec 25 16:39:45 ip-10-31-1-185 charon: 13[ENC] parsed INFORMATIONAL_V1 request 3592965662 [ HASH N(DPD) ]
Dec 25 16:39:45 ip-10-31-1-185 charon: 13[ENC] generating INFORMATIONAL_V1 request 3991459577 [ HASH N(DPD_ACK) ]
Dec 25 16:39:45 ip-10-31-1-185 charon: 13[NET] sending packet: from 172.20.0.1[500] to 172.20.0.3[500] (92 bytes)
■ Yamaha router
yamaha # show status l2tp
------------------- L2TP INFORMATION -------------------
L2TP情報テーブル
  L2TPトンネル数: 1, L2TPセッション数: 1
TUNNEL[3]:
  トンネルの状態: established
  バージョン: L2TPv2
  自機側トンネルID: 3664
  相手側トンネルID: 24193
  自機側IPアドレス: 10.195.0.1
  相手側IPアドレス: 172.20.0.1
  自機側送信元ポート: 1701
  相手側送信元ポート: 1701
  PPインタフェース: PP[02]
  ベンダ名: xelerance.com
  ホスト名: ip-10-31-1-185
  Next Transmit sequence(Ns): 2
  Next Receive sequence(Nr) : 8
  トンネル内のセッション数: 1 session
  セッション情報:
    セッションの状態: established
    自機側セッションID: 47214
    相手側セッションID: 43413
    通信時間: 4分56秒
    受信: 22 パケット [310 オクテット]
    送信: 13 パケット [351 オクテット]
3. Check connectivity. Traffic is getting through as expected.
[root@hoge ~]# ping 10.195.0.1
PING 10.195.0.1 (10.195.0.1) 56(84) bytes of data.
64 bytes from 10.195.0.1: icmp_seq=1 ttl=255 time=53.0 ms
64 bytes from 10.195.0.1: icmp_seq=2 ttl=255 time=52.7 ms
64 bytes from 10.195.0.1: icmp_seq=3 ttl=255 time=52.0 ms
64 bytes from 10.195.0.1: icmp_seq=4 ttl=255 time=51.7 ms
64 bytes from 10.195.0.1: icmp_seq=5 ttl=255 time=50.8 ms
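As an added example (not part of the original post), here is a small POSIX sh script that runs the bring-up sequence above in order but, instead of the fixed 20 to 30 second wait, checks `swanctl --list-sas` for the ESTABLISHED/INSTALLED state before starting xl2tpd and then retries the L2TP connect until the router's tunnel address answers a ping. The conn name yamaha, the LAC name YamahaRouter and the address 10.195.0.1 are taken from the configs above; the swanctl sample embedded for the self-check is constructed from the output shown earlier.

```shell
#!/bin/sh
# Added example (not from the original post): bring up the L2TP/IPsec link in the
# order the post describes, gating each step on observed state instead of a fixed
# 20-30 s wait. Assumed names: conn "yamaha" (ipsec.d/yamaha.conf), LAC
# "YamahaRouter" (xl2tpd.conf), router-side tunnel address 10.195.0.1.
CONN=yamaha
LAC=YamahaRouter
PEER=10.195.0.1

# sa_ready: exit 0 when `swanctl --list-sas` text on stdin shows the IKE_SA of
# $CONN as ESTABLISHED and an ESP transport-mode CHILD_SA as INSTALLED.
sa_ready() {
    text=$(cat)
    printf '%s\n' "$text" | grep -q "^$CONN: #[0-9]*, ESTABLISHED, IKEv1" &&
    printf '%s\n' "$text" | grep -q "INSTALLED, TRANSPORT, ESP:"
}

# wait_for LABEL TRIES CMD...: retry CMD once per second up to TRIES times.
wait_for() {
    label=$1; tries=$2; shift 2
    while [ "$tries" -gt 0 ]; do
        "$@" >/dev/null 2>&1 && return 0
        tries=$((tries - 1)); sleep 1
    done
    echo "timed out waiting for $label" >&2; return 1
}

ipsec_up() { swanctl --list-sas | sa_ready; }

bring_up() {
    service strongswan start
    wait_for "IPsec SA ($CONN)" 30 ipsec_up || return 1
    service xl2tpd start
    # The post saw `xl2tpd-control connect` fail right after xl2tpd started,
    # so retry the connect a few times rather than sleeping blindly.
    attempts=5
    while [ "$attempts" -gt 0 ]; do
        xl2tpd-control connect "$LAC"
        wait_for "PPP link to $PEER" 15 ping -c 1 -W 2 "$PEER" && return 0
        attempts=$((attempts - 1))
    done
    echo "L2TP session to $PEER never came up" >&2; return 1
}

# Constructed sample modeled on the post's swanctl output, used for a self-check.
SAMPLE_UP="yamaha: #1, ESTABLISHED, IKEv1, 51e17d367dc40af4:b7ea1ced90489fc1
  saiji11: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-128/HMAC_SHA1_96"
# Run with "up" to bring the link up; with no argument only the self-check runs.
if [ "${1:-}" = up ]; then bring_up; else printf '%s\n' "$SAMPLE_UP" | sa_ready; fi
```

Run it as root with `sh l2tp-up.sh up`; without the argument it only checks the parser against the embedded sample.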
Finally
When things do not connect during setup, checking /var/log/message and /var/log/secure makes troubleshooting much easier.