
Building an L2TP tunnel between a Yamaha router and Amazon Linux with strongSwan and xl2tpd

I recently set up an IPsec tunnel on Linux with strongSwan, so this post walks through the configuration.

What we will do

  • Build an L2TP/IPsec tunnel and connect to the LAN behind the Yamaha router

Environment

  • Amazon Linux (172.20.0.1)
  • Yamaha router NVR700W (172.20.0.3)

Network diagram

Setup

Amazon Linux configuration

1. strongSwan configuration

/etc/strongswan/ipsec.conf

Putting every connection directly in this file becomes hard to manage as the number of peers grows, so add the following line so that each peer gets its own config file.

include /etc/strongswan/ipsec.d/*.conf

 

/etc/strongswan/ipsec.d/yamaha.conf

This is the IPsec tunnel definition; the parameters below are the ones that worked best after testing. DPD (Dead Peer Detection) is used to notice a dropped IPsec session and reconnect. The IKE and ESP proposals (AES-128, SHA-1, DH group modp1024) are chosen to match the router's `ipsec ike encryption 1 aes-cbc` / `ipsec ike hash 1 sha` settings below; the router sets no DH group explicitly and the SA that comes up uses MODP_1024 (see the swanctl output in the verification section). SHA-1 and a 1024-bit group are the weak end of what is still accepted, so if the router supports a larger group and SHA-256, move both sides up together, since the proposals must match exactly or the IKE_SA will not establish.

conn yamaha
    # Bring the IPsec SA up as soon as the service starts
    auto=start
    # L2TP/IPsec uses transport mode, not tunnel mode
    type=transport
    # Authenticate with a pre-shared key (see ipsec.secrets)
    authby=secret
    # IKE version; the Yamaha side speaks IKEv1 main mode
    keyexchange=ikev1
    # IKE proposal: encryption-integrity-DH group, matching the router's
    # "ipsec ike encryption 1 aes-cbc" / "ipsec ike hash 1 sha"
    ike=aes128-sha1-modp1024
    # ESP proposal, matching "ipsec sa policy 101 1 esp aes-cbc sha-hmac"
    esp=aes128-sha1
    # This server's address and IKE identity
    left=172.20.0.1
    leftid=172.20.0.1
    # The Yamaha router's address and IKE identity
    right=172.20.0.3
    rightid=172.20.0.3
    # No IPComp compression
    compress=no
    # IKE SA lifetime (8 hours)
    ikelifetime=8h
    # IPsec (CHILD) SA lifetime (8 hours)
    lifetime=8h
    # Keep retrying the negotiation until it succeeds
    keyingtries=%forever
    # Traffic selector on this side: protocol 17 (UDP), port 1701 (L2TP)
    leftprotoport=17/1701
    # Traffic selector on the router side: UDP 1701
    rightprotoport=17/1701
    # Send a DPD probe every 20 seconds (matches "dpd 20 3" on the router)
    dpddelay=20s
    # Declare the peer dead after 60 seconds without an answer
    dpdtimeout=60s
    # Re-establish the SA when DPD declares the peer dead
    dpdaction=restart
    # Re-establish the SA if the peer closes it unexpectedly
    closeaction=restart

 

/etc/strongswan/ipsec.secrets

Set the PSK (pre-shared key). The two IDs before the colon, the server IP and then the router IP, select which key is used for this peer pair; the string after `PSK` must be identical to the router's `ipsec ike pre-shared-key`. `vpn` is only a placeholder: the PSK is the only thing authenticating the two peers, so use a long random value and keep the file readable by root only (mode 0600).

# /etc/ipsec.secrets - strongSwan IPsec secrets file
172.20.0.1 172.20.0.3 : PSK "vpn"
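As an added example (not part of the original post), here is a small POSIX shell helper that generates a random PSK, writes an ipsec.secrets line in the format above with owner-only permissions, and audits an existing file for short keys or loose permissions. The 20-character minimum and the `ls -l` based permission check are this example's own choices; the ID pair and the line format are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: generate a strong PSK, write it
# in strongSwan's '<id> <id> : PSK "<key>"' format, and audit a secrets file.
# Assumes a Linux box with coreutils (head -c, base64) and /dev/urandom.

# Print 32 random bytes as base64 (44 characters, no trailing newline).
gen_psk() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_secrets FILE LOCAL_ID REMOTE_ID PSK
# Creates FILE with a single PSK line. umask 077 in a subshell makes the file
# 0600 at creation; chmod covers the case where FILE already existed.
write_secrets() {
  ( umask 077; printf '%s %s : PSK "%s"\n' "$2" "$3" "$4" > "$1" )
  chmod 600 "$1"
}

# audit_secrets FILE [MINLEN]
# Returns 0 when FILE is readable by its owner only and every PSK in it has
# at least MINLEN (default 20) characters; otherwise reports the findings on
# stderr (never the keys themselves) and returns 1.
audit_secrets() {
  file=$1; minlen=${2:-20}; rc=0
  # Columns 5-10 of "ls -l" are the group and other permission bits.
  if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
    echo "$file: readable by group/other, run chmod 600" >&2; rc=1
  fi
  # Extract every quoted PSK and count those shorter than MINLEN.
  weak=$(sed -n 's/.*: *PSK *"\([^"]*\)".*/\1/p' "$file" |
         awk -v n="$minlen" 'length($0) < n' | wc -l | tr -d ' ')
  if [ "$weak" -gt 0 ]; then
    echo "$file: $weak PSK line(s) shorter than $minlen characters" >&2; rc=1
  fi
  return $rc
}
```

Running `audit_secrets /etc/strongswan/ipsec.secrets` against the file from this post fails on the three-character key `vpn`; after `write_secrets /etc/strongswan/ipsec.secrets 172.20.0.1 172.20.0.3 "$(gen_psk)"` it passes, and the same key string then goes into `ipsec ike pre-shared-key 1 text ...` on the router.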

2. xl2tpd configuration

/etc/xl2tpd/xl2tpd.conf

The debug lines belong in the `[global]` section; comment them out once the tunnel is stable. The LAC section name is the name you pass to `xl2tpd-control connect` later on, so keep the two in sync.

[global]
; Verbose logging for bring-up; comment out once things work
debug avp = yes
debug network = yes
debug packet = yes
debug state = yes
debug tunnel = yes

; LAC definition; the section name is what "xl2tpd-control connect" takes
[lac yamaha]
; L2TP network server: the Yamaha router
lns = 172.20.0.3
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
; pppd options for the PPP session inside this tunnel
pppoptfile = /etc/ppp/options.xl2tpd.yamaha
length bit = yes
; Redial after a drop, every 10 seconds, up to 100 times
redial = yes
redial timeout = 10
max redials = 100

 

/etc/ppp/options.xl2tpd.yamaha

pppd options for the PPP session carried inside the L2TP tunnel. `name` and `password` are the CHAP credentials the router checks with `pp auth username`, so `name` appears exactly once, with that username.

# Don't require the router to authenticate itself to us; we still
# authenticate to the router with CHAP using name/password below
noauth
# Hardware flow control (RTS/CTS); meaningless on the pty xl2tpd hands to pppd, but harmless
crtscts
# Maximum transmit unit; matches "ip pp mtu 1258" on the router
mtu 1258
# Maximum receive unit
mru 1258
# Don't make the router our default route
nodefaultroute
# UUCP-style lock file for the device
lock
# Log file location
logfile /var/log/ppp/saiji11.log
# PPP (CHAP) username/password; must match "pp auth username hoge hoge" on the router
name hoge
password hoge

 

That completes the Amazon Linux side (IPsec, L2TP and PPP). Next comes the Yamaha router.

Yamaha router configuration

The PP and tunnel numbers have to line up: `pp bind tunnel1` attaches PP 1 to the tunnel selected with `tunnel select 1`. The IKE proposal (`aes-cbc` / `sha`), the DPD keepalive (`dpd 20 3`: a probe every 20 seconds, dead after 3 misses), the PSK and `ipsec transport 1 101 udp 1701` mirror the strongSwan settings above. The NAT descriptor statically masquerades inbound ESP and UDP to the router's own address (172.20.0.3) so that IKE, NAT-T and L2TP terminate on the router; `udp *` hands it every UDP port, whereas udp 500, 4500 and 1701 are all the tunnel needs. Binding the descriptor to the WAN interface is not shown in this excerpt.

ip route default gateway pdp wan1

pp select 1
 pp bind tunnel1
 pp auth request chap-pap
 pp auth username hoge hoge
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ip pp remote address 172.16.10.50
 ip pp mtu 1258
 pp enable 1

tunnel select 1
 description tunnel TO_AmazonLinux
 tunnel encapsulation l2tp
 tunnel endpoint address 172.20.0.1
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike always-on 1 on
  ipsec ike encryption 1 aes-cbc
  ipsec ike hash 1 sha
  ipsec ike keepalive use 1 on dpd 20 3
  ipsec ike local address 1 172.20.0.3
  ipsec ike local id 1 172.20.0.3
  ipsec ike nat-traversal 1 on
  ipsec ike pre-shared-key 1 text vpn
  ipsec ike remote address 1 172.20.0.1
  ipsec ike remote id 1 172.20.0.1
  ipsec auto refresh 1 on
 l2tp always-on on
 l2tp tunnel disconnect time off
 l2tp keepalive use off
 l2tp keepalive log on
 l2tp syslog on
 l2tp local router-id 172.20.0.3
 l2tp remote router-id 172.20.0.1
 ip tunnel tcp mss limit auto

nat descriptor type 31000 masquerade
nat descriptor address outer 31000 172.20.0.3
nat descriptor address inner 31000 auto
nat descriptor masquerade static 31000 12 172.20.0.3 udp *
nat descriptor masquerade static 31000 13 172.20.0.3 esp
ipsec auto refresh on
ipsec transport 1 101 udp 1701
l2tp service on

Verification

Start strongSwan and bring up the IPsec tunnel

[root@hoge ~]# service strongswan start
Starting strongswan: Starting strongSwan 5.4.0 IPsec [starter]...
 [ OK ]

■ Startup log

/var/log/secure

Dec 25 16:20:00 ip-10-31-1-185 ipsec_starter[7428]: Starting strongSwan 5.4.0 IPsec [starter]...
Dec 25 16:20:00 ip-10-31-1-185 ipsec_starter[7437]: charon (7439) started after 40 ms
Dec 25 16:20:00 ip-10-31-1-185 charon: 07[IKE] initiating Main Mode IKE_SA saiji11[1] to 172.20.0.3
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[IKE] IKE_SA saiji11[1] established between 172.20.0.1[172.20.0.1]...172.20.0.3[172.20.0.3]
Dec 25 16:20:01 ip-10-31-1-185 charon: 13[IKE] CHILD_SA saiji11{1} established with SPIs c2f2daf9_i 4410a72b_o and TS 172.20.0.1/32[udp/l2tp] === 172.20.0.3/32[udp/l2tp]

/var/log/messages

Dec 25 16:20:00 ip-10-31-1-185 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.4.0, Linux 4.9.62-21.56.amzn1.x86_64, x86_64)
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[LIB] openssl FIPS mode(2) - enabled
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG]   loaded IKE secret for 172.16.10.15 172.16.10.202
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG]   loaded IKE secret for 172.16.10.15 172.16.10.204
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG]   loaded IKE secret for 10.31.1.185 10.31.1.183
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG]   loaded IKE secret for 172.20.0.1 172.20.0.3
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG]   loaded IKE secret for 172.20.0.1 172.20.0.5
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[CFG]   loaded IKE secret for %any
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Dec 25 16:20:00 ip-10-31-1-185 charon: 00[JOB] spawning 16 worker threads
Dec 25 16:20:00 ip-10-31-1-185 charon: 05[CFG] received stroke: add connection 'L2TP-PSK'
Dec 25 16:20:00 ip-10-31-1-185 charon: 05[CFG] added configuration 'L2TP-PSK'
Dec 25 16:20:00 ip-10-31-1-185 charon: 06[CFG] received stroke: add connection 'saiji11'
Dec 25 16:20:00 ip-10-31-1-185 charon: 06[CFG] added configuration 'saiji11'
Dec 25 16:20:00 ip-10-31-1-185 charon: 07[CFG] received stroke: initiate 'saiji11'
Dec 25 16:20:00 ip-10-31-1-185 charon: 07[IKE] initiating Main Mode IKE_SA saiji11[1] to 172.20.0.3
Dec 25 16:20:00 ip-10-31-1-185 charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V ]
Dec 25 16:20:00 ip-10-31-1-185 charon: 07[NET] sending packet: from 172.20.0.1[500] to 172.20.0.3[500] (216 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 07[NET] received packet: from 172.20.0.3[500] to 172.20.0.1[500] (124 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 07[ENC] parsed ID_PROT response 0 [ SA V V ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 07[IKE] received DPD vendor ID
Dec 25 16:20:01 ip-10-31-1-185 charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
Dec 25 16:20:01 ip-10-31-1-185 charon: 07[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 07[NET] sending packet: from 172.20.0.1[500] to 172.20.0.3[500] (244 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 12[NET] received packet: from 172.20.0.3[500] to 172.20.0.1[500] (276 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 12[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 12[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 12[NET] sending packet: from 172.20.0.1[500] to 172.20.0.3[500] (108 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[NET] received packet: from 172.20.0.3[500] to 172.20.0.1[500] (76 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[ENC] parsed ID_PROT response 0 [ ID HASH ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[IKE] IKE_SA saiji11[1] established between 172.20.0.1[172.20.0.1]...172.20.0.3[172.20.0.3]
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[IKE] scheduling reauthentication in 27732s
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[IKE] maximum IKE_SA lifetime 28272s
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[ENC] generating QUICK_MODE request 1702356715 [ HASH SA No ID ID ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 08[NET] sending packet: from 172.20.0.1[500] to 172.20.0.3[500] (204 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 13[NET] received packet: from 172.20.0.3[500] to 172.20.0.1[500] (204 bytes)
Dec 25 16:20:01 ip-10-31-1-185 charon: 13[ENC] parsed QUICK_MODE response 1702356715 [ HASH SA No ID ID ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 13[IKE] CHILD_SA saiji11{1} established with SPIs c2f2daf9_i 4410a72b_o and TS 172.20.0.1/32[udp/l2tp] === 172.20.0.3/32[udp/l2tp]
Dec 25 16:20:01 ip-10-31-1-185 charon: 13[ENC] generating QUICK_MODE request 1702356715 [ HASH ]
Dec 25 16:20:01 ip-10-31-1-185 charon: 13[NET] sending packet: from 172.20.0.1[500] to 172.20.0.3[500] (60 bytes)
Dec 25 16:20:05 ip-10-31-1-185 charon: 09[NET] received packet: from 172.20.0.3[500] to 172.20.0.1[500] (92 bytes)
Dec 25 16:20:05 ip-10-31-1-185 charon: 09[ENC] parsed INFORMATIONAL_V1 request 2722088797 [ HASH N(DPD) ]
Dec 25 16:20:05 ip-10-31-1-185 charon: 09[ENC] generating INFORMATIONAL_V1 request 2461533453 [ HASH N(DPD_ACK) ]
Dec 25 16:20:05 ip-10-31-1-185 charon: 09[NET] sending packet: from 172.20.0.1[500] to 172.20.0.3[500] (92 bytes)

 

■ Check that the IPsec tunnel is up

Yamaha router

yamaha# show ipsec sa
Total: isakmp:1 send:1 recv:3

sa    sgw isakmp connection    dir  life[s] remote-id
----------------------------------------------------------------------------
1     1    -     isakmp        -    28751   172.20.0.1
2     1    1     tra[0001]esp  send 28751   172.20.0.1
9     1    -     tra[0001]esp  recv 28697   172.20.0.1
10    1    -     tra[0001]esp  recv 28727   172.20.0.1
11    1    1     tra[0001]esp  recv 28751   172.20.0.1

Amazon Linux

[root@hoge ~]# swanctl --list-sas
yamaha: #1, ESTABLISHED, IKEv1, 51e17d367dc40af4:b7ea1ced90489fc1
  local  '172.20.0.1' @ 172.20.0.1[500]
  remote '172.20.0.3' @ 172.20.0.3[500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 526s ago, reauth in 27206s
  saiji11: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 526s ago, rekeying in 27297s, expires in 28274s
    in  c2f2daf9,      0 bytes,     0 packets
    out 4410a72b,      0 bytes,     0 packets
    local  172.20.0.1/32[udp/l2tp]
    remote 172.20.0.3/32[udp/l2tp]

The IKE_SA is ESTABLISHED and the transport-mode CHILD_SA is INSTALLED with udp/l2tp selectors on both ends, so the IPsec tunnel is up. The counters still read 0 bytes because nothing has been sent over L2TP yet.

Bringing up the L2TP tunnel

  1. Now bring up the L2TP tunnel over the IPsec SA. First start the service.
[root@hoge ~]# service xl2tpd start

Startup log, /var/log/messages

Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7574]: setsockopt recvref[30]: Protocol not available
Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7574]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)
Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7576]: xl2tpd version xl2tpd-1.3.8 started on ip-10-31-1-185 PID:7576
Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7576]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7576]: Forked by Scott Balmos and David Stipp, (C) 2001
Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7576]: Inherited by Jeff McAdams, (C) 2002
Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7576]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Dec 25 16:32:31 ip-10-31-1-185 xl2tpd[7576]: Listening on IP address 0.0.0.0, port 1701
The `L2TP kernel support not detected` line means xl2tpd falls back to its userspace mode and hands pppd a pty (the `ppp0 <--> /dev/pts/1` line in the connection log below). Where the kernel provides the module, `modprobe l2tp_ppp` before starting xl2tpd switches it to kernel-mode L2TP.

  2. Then connect the L2TP connection.
    ※ I found that if I did not wait 20-30 seconds after starting the service before connecting, it sometimes would not connect.
[root@hoge ~]# xl2tpd-control connect yamaha

■ Log from the L2TP connection

/var/log/messages

Dec 25 16:39:43 ip-10-31-1-185 xl2tpd[7576]: Connecting to host 172.20.0.3, port 1701
Dec 25 16:39:43 ip-10-31-1-185 xl2tpd[7576]: Connection established to 172.20.0.3, 1701.  Local: 24193, Remote: 3664 (ref=0/0).
Dec 25 16:39:43 ip-10-31-1-185 xl2tpd[7576]: Calling on tunnel 24193
Dec 25 16:39:43 ip-10-31-1-185 xl2tpd[7576]: Call established with 172.20.0.3, Local: 43413, Remote: 47214, Serial: 1 (ref=0/0)
Dec 25 16:39:43 ip-10-31-1-185 pppd[7580]: pppd 2.4.5 started by ec2-user, uid 0
Dec 25 16:39:43 ip-10-31-1-185 pppd[7580]: Using interface ppp0
Dec 25 16:39:43 ip-10-31-1-185 pppd[7580]: Connect: ppp0 <--> /dev/pts/1
Dec 25 16:39:44 ip-10-31-1-185 pppd[7580]: CHAP authentication succeeded: Authentication succeeded.
Dec 25 16:39:44 ip-10-31-1-185 pppd[7580]: CHAP authentication succeeded
Dec 25 16:39:44 ip-10-31-1-185 pppd[7580]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Dec 25 16:39:44 ip-10-31-1-185 pppd[7580]: local  IP address 172.16.10.50
Dec 25 16:39:44 ip-10-31-1-185 pppd[7580]: remote IP address 10.195.0.1
Dec 25 16:39:44 ip-10-31-1-185 charon: 15[KNL] 172.16.10.50 appeared on ppp0
Dec 25 16:39:44 ip-10-31-1-185 charon: 10[KNL] 172.16.10.50 disappeared from ppp0
Dec 25 16:39:44 ip-10-31-1-185 charon: 16[KNL] 172.16.10.50 appeared on ppp0
Dec 25 16:39:44 ip-10-31-1-185 charon: 09[KNL] interface ppp0 activated
Dec 25 16:39:45 ip-10-31-1-185 charon: 13[NET] received packet: from 172.20.0.3[500] to 172.20.0.1[500] (92 bytes)
Dec 25 16:39:45 ip-10-31-1-185 charon: 13[ENC] parsed INFORMATIONAL_V1 request 3592965662 [ HASH N(DPD) ]
Dec 25 16:39:45 ip-10-31-1-185 charon: 13[ENC] generating INFORMATIONAL_V1 request 3991459577 [ HASH N(DPD_ACK) ]
Dec 25 16:39:45 ip-10-31-1-185 charon: 13[NET] sending packet: from 172.20.0.1[500] to 172.20.0.3[500] (92 bytes)

■ Yamaha router (this capture came from a unit where the tunnel was numbered 3 and the PP 2; with the configuration above they read TUNNEL[1] and PP[01])

yamaha # show status l2tp
------------------- L2TP INFORMATION -------------------
L2TP information table
  L2TP tunnels: 1, L2TP sessions: 1
TUNNEL[3]:
  Tunnel state: established
  Version: L2TPv2
  Local tunnel ID: 3664
  Remote tunnel ID: 24193
  Local IP address: 10.195.0.1
  Remote IP address: 172.20.0.1
  Local source port: 1701
  Remote source port: 1701
  PP interface: PP[02]
  Vendor name: xelerance.com
  Host name: ip-10-31-1-185
  Next Transmit sequence(Ns): 2
  Next Receive sequence(Nr) : 8
  Sessions in tunnel: 1 session
  Session information:
    Session state: established
    Local session ID: 47214
    Remote session ID: 43413
    Connected time: 4 min 56 s
    Received: 22 packets [310 octets]
    Sent: 13 packets [351 octets]

3. Check connectivity. The ping to the router's PPP address gets through.

[root@hoge ~]# ping 10.195.0.1
PING 10.195.0.1 (10.195.0.1) 56(84) bytes of data.
64 bytes from 10.195.0.1: icmp_seq=1 ttl=255 time=53.0 ms
64 bytes from 10.195.0.1: icmp_seq=2 ttl=255 time=52.7 ms
64 bytes from 10.195.0.1: icmp_seq=3 ttl=255 time=52.0 ms
64 bytes from 10.195.0.1: icmp_seq=4 ttl=255 time=51.7 ms
64 bytes from 10.195.0.1: icmp_seq=5 ttl=255 time=50.8 ms
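The steps above (start strongSwan, confirm the SA, start xl2tpd, connect, then ping) can be scripted so that each layer is checked before the next one is started, which replaces the fixed 20-30 second wait. The script below is an added example, not from the original post; it assumes Amazon Linux style `service` scripts, strongSwan 5.x with `swanctl`, `ss` from iproute, and the connection name `yamaha` used here. The router's PPP address 10.195.0.1 is the one seen in this post's logs. The check functions take the command output as a string so they can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: bring the tunnel up layer by
# layer, waiting for each layer to be ready instead of sleeping 20-30 s.
# Assumes: "service" init scripts, strongSwan 5.x (swanctl), xl2tpd, ss from
# iproute, and the conn / lac name "yamaha" from this post.
CONN=${CONN:-yamaha}
PEER_PPP=${PEER_PPP:-10.195.0.1}   # router's PPP address, from the post's logs

# 0 when a swanctl listing shows an INSTALLED transport-mode CHILD_SA whose
# traffic selectors are udp/l2tp on both sides, i.e. what this config yields.
child_sa_ready() {
  printf '%s\n' "$1" | grep -q 'INSTALLED, TRANSPORT' &&
    printf '%s\n' "$1" | grep -q 'local .*\[udp/l2tp\]' &&
    printf '%s\n' "$1" | grep -q 'remote .*\[udp/l2tp\]'
}

# 0 when an "ss -lun" listing shows a UDP socket bound to port 1701 (xl2tpd).
l2tp_listening() {
  printf '%s\n' "$1" | grep -Eq ':1701[[:space:]]'
}

# 0 when an "ip -4 addr" listing shows a ppp interface that has a peer address.
ppp_ready() {
  printf '%s\n' "$1" | grep -Eq 'inet [0-9.]+ peer [0-9.]+.* ppp[0-9]+'
}

# wait_for SECONDS COMMAND CHECK: rerun COMMAND once a second and feed its
# output to CHECK until CHECK succeeds; returns 1 on timeout.
wait_for() {
  limit=$1; cmd=$2; check=$3; n=0
  while [ "$n" -lt "$limit" ]; do
    if "$check" "$($cmd 2>/dev/null)"; then return 0; fi
    sleep 1; n=$((n + 1))
  done
  return 1
}

bring_up() {
  service strongswan start
  wait_for 30 "swanctl --list-sas --ike $CONN" child_sa_ready || {
    echo "no INSTALLED udp/l2tp CHILD_SA for $CONN; check /var/log/secure" >&2
    return 1; }
  service xl2tpd start
  wait_for 10 "ss -lun" l2tp_listening || {
    echo "xl2tpd is not listening on udp/1701" >&2; return 1; }
  xl2tpd-control connect "$CONN"
  wait_for 30 "ip -4 addr show" ppp_ready || {
    echo "no ppp interface came up; check /var/log/messages" >&2; return 1; }
  ping -c 3 -W 2 "$PEER_PPP"
}

# Only act when invoked as "sh bringup.sh up"; otherwise just define functions.
case "${1:-}" in
  up) bring_up ;;
  *) : ;;
esac
```

Each wait reports which layer failed and which log to open, so a mismatch in the IKE proposal shows up as a missing CHILD_SA before xl2tpd is ever started, and a wrong CHAP password shows up as a ppp interface that never appears.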

Closing

When the tunnel will not come up, checking /var/log/messages and /var/log/secure makes troubleshooting much easier: charon logs IKE and DPD activity to /var/log/secure, while xl2tpd and pppd log the L2TP and PPP stages to /var/log/messages.
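For that troubleshooting step, the following added example (not from the original post) reads the combined text of /var/log/secure and /var/log/messages and reports the first bring-up milestone that never appeared, paired with the settings on each side from this post that usually explain it. The milestone strings are the charon, xl2tpd and pppd messages that appear in the logs on this page; the hints are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: find the first milestone of the
# L2TP/IPsec bring-up that is missing from the logs and say what to compare.
# Usage: cat /var/log/secure /var/log/messages | tail -n 2000 > /tmp/vpn.log
#        first_missing_milestone "$(cat /tmp/vpn.log)"
first_missing_milestone() {
  log=$1
  # name|regex|hint, in the order the layers come up. The regexes are the
  # messages charon, xl2tpd and pppd print on success in this post's logs.
  set -- \
    'ike_sa|IKE_SA .* established between|check the PSK (ipsec.secrets vs "ipsec ike pre-shared-key") and ike= vs "ipsec ike encryption/hash"' \
    'child_sa|CHILD_SA .* established with SPIs|check esp= vs "ipsec sa policy" and leftprotoport/rightprotoport 17/1701 vs "ipsec transport ... udp 1701"' \
    'l2tp_tunnel|Connection established to|check lns= in xl2tpd.conf, "l2tp service on" and "tunnel endpoint address" on the router' \
    'l2tp_session|Call established with|check "l2tp local/remote router-id" and that the tunnel is attached with "pp bind"' \
    'ppp_auth|CHAP authentication succeeded|check name/password in the pppd options file vs "pp auth username"' \
    'ppp_ip|local +IP address|check "ip pp remote address" and "ppp ipcp ipaddress on"'
  for entry; do
    name=${entry%%|*}; rest=${entry#*|}; pat=${rest%%|*}; hint=${rest#*|}
    if ! printf '%s\n' "$log" | grep -Eq "$pat"; then
      printf '%s: %s\n' "$name" "$hint"
      return 1
    fi
  done
  printf 'ok: all milestones reached\n'
}
```

The output names the layer (ike_sa, child_sa, l2tp_tunnel, l2tp_session, ppp_auth or ppp_ip) and the pair of settings to diff; an exit status of 1 makes it usable from a cron job or a monitoring check.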