@Free0wl

Iptables nat for strongswan accel-l2tp: how to make them work together?

There is a test bench (VirtualBox):
  • vm1: Windows 10 (role: VPN client)
  • vm2: Debian 12 (role: gateway, ifE 10.0.0.58/24, ifL 192.168.9.1/24)
  • vm3: Debian 12 (role: VPN server "based on accel-ppp", ifE 192.168.9.2/24, ifL 192.168.56.1/24)

- ifE, ifL are the interface names, E = external, L = internal (local)
Task: connect vm1 to vm3 through vm2.

On vm3, among other things, "accel-l2tp" + strongswan are configured with PSK authentication + mschapv2
/etc/ipsec.conf

config setup
    charondebug="ike 2, knl 2, cfg 2"

conn L2TP-PSK-NAT
    keyexchange=ikev2
    rightsubnet=vhost::%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    auto=add
    keyingtries=3
    rekey=no
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.9.2
    leftprotoport=17/%any
    right=%any
    rightprotoport=17/%any

/etc/ipsec.secrets
%any %any : PSK "8G6g1sAOCztkOh65LlfN8rPC)"

/etc/accel-ppp/accel-l2tp.conf
[modules]
log_file
log_syslog
l2tp
auth_mschap_v2
chap-secrets
logwtmp
[core]
log-error=/var/log/accel-ppp/l2tp-core.log
thread-count=4
[common]
single-session=replace
[ppp]
verbose=1
min-mtu=1280
mtu=1400
mru=1400
ipv4=require
ipv6=deny
lcp-echo-interval=20
lcp-echo-failure=30
lcp-echo-timeout=120
unit-cache=1
[l2tp]
verbose=1
gw-ip-address=192.168.56.1
dictionary=/usr/share/accel-ppp/l2tp/dictionary
retransmit=3
[dns]
dns1=192.168.56.1
[client-ip-range]
disable
[log]
log-file=/var/log/accel-ppp/l2tp.log
log-emerg=/var/log/accel-ppp/l2tp-emerg.log
log-fail-file=/var/log/accel-ppp/l2tp-auth-fail.log
log-debug=/var/log/accel-ppp/l2tp-debug.log
copy=1
level=3
[chap-secrets]
gw-ip-address=192.168.9.2
chap-secrets=/etc/accel-ppp/chap-secrets
[cli]
verbose=1
telnet=127.0.0.1:2004
tcp=127.0.0.1:2005

/etc/accel-ppp/chap-secrets
user001 * user001 192.168.56.101 20480/10240
user002 * user002 192.168.56.102 10240/10240
vboxw10 * vboxw10 192.168.56.110
vboxw11 * vboxw11 192.168.56.111


Connecting:
vm1 - IP 192.168.9.110, login/password vboxw10/vboxw10
vm1 -> vm3 - everything works

The following iptables rules are configured on the gateway (vm2):
iptables - a test-bench minimum
# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

# iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:60022 to:192.168.9.2:22
DNAT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 to:192.168.9.2
DNAT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500 to:192.168.9.2

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination


Connecting:
vm1 - IP 10.0.0.85, login/password vboxw10/vboxw10
vm1 -> vm2 -> vm3 - does NOT work

Question: why? What does it need? Everything is allowed, after all.

At the moment of connection: journalctl -f | egrep 'charon|accel|ipsec|strongs'
мар 04 17:10:29 accel-s50 charon[3862]: 10[NET] received packet: from 10.0.0.85[500] to 192.168.9.2[500] (408 bytes)
мар 04 17:10:29 accel-s50 charon[3862]: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] looking for an IKEv1 config for 192.168.9.2...10.0.0.85
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] candidate: 192.168.9.2...%any, prio 1048
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] found matching ike config: 192.168.9.2...%any with prio 1048
мар 04 17:10:29 accel-s50 charon[3862]: 10[IKE] local endpoint changed from 0.0.0.0[500] to 192.168.9.2[500]
мар 04 17:10:29 accel-s50 charon[3862]: 10[IKE] remote endpoint changed from 0.0.0.0 to 10.0.0.85[500]
мар 04 17:10:29 accel-s50 charon[3862]: 10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
мар 04 17:10:29 accel-s50 charon[3862]: 10[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
мар 04 17:10:29 accel-s50 charon[3862]: 10[IKE] received NAT-T (RFC 3947) vendor ID
мар 04 17:10:29 accel-s50 charon[3862]: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
мар 04 17:10:29 accel-s50 charon[3862]: 10[IKE] received FRAGMENTATION vendor ID
мар 04 17:10:29 accel-s50 charon[3862]: 10[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
мар 04 17:10:29 accel-s50 charon[3862]: 10[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
мар 04 17:10:29 accel-s50 charon[3862]: 10[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
мар 04 17:10:29 accel-s50 charon[3862]: 10[IKE] 10.0.0.85 is initiating a Main Mode IKE_SA
мар 04 17:10:29 accel-s50 charon[3862]: 10[IKE] 10.0.0.85 is initiating a Main Mode IKE_SA
мар 04 17:10:29 accel-s50 charon[3862]: 10[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] selecting proposal:
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] selecting proposal:
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] no acceptable KEY_EXCHANGE_METHOD found
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] selecting proposal:
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] selecting proposal:
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] selecting proposal:
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] no acceptable ENCRYPTION_ALGORITHM found
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] selecting proposal:
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] proposal matches
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/CURVE_25519/CURVE_448/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/CURVE_25519/CURVE_448/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
мар 04 17:10:29 accel-s50 charon[3862]: 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
мар 04 17:10:29 accel-s50 charon[3862]: 10[IKE] sending XAuth vendor ID
мар 04 17:10:29 accel-s50 charon[3862]: 10[IKE] sending DPD vendor ID
мар 04 17:10:29 accel-s50 charon[3862]: 10[IKE] sending FRAGMENTATION vendor ID
мар 04 17:10:29 accel-s50 charon[3862]: 10[IKE] sending NAT-T (RFC 3947) vendor ID
мар 04 17:10:29 accel-s50 charon[3862]: 10[ENC] generating ID_PROT response 0 [ SA V V V V ]
мар 04 17:10:29 accel-s50 charon[3862]: 10[NET] sending packet: from 192.168.9.2[500] to 10.0.0.85[500] (160 bytes)
мар 04 17:10:29 accel-s50 charon[3862]: 11[NET] received packet: from 10.0.0.85[500] to 192.168.9.2[500] (228 bytes)
мар 04 17:10:29 accel-s50 charon[3862]: 11[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
мар 04 17:10:29 accel-s50 charon[3862]: 11[IKE] local host is behind NAT, sending keep alives
мар 04 17:10:29 accel-s50 charon[3862]: 11[CFG] candidate "L2TP-PSK-noNAT", match: 1/1/1048 (me/other/ike)
мар 04 17:10:29 accel-s50 charon[3862]: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
мар 04 17:10:29 accel-s50 charon[3862]: 11[NET] sending packet: from 192.168.9.2[500] to 10.0.0.85[500] (212 bytes)
мар 04 17:10:29 accel-s50 charon[3862]: 12[NET] received packet: from 10.0.0.85[4500] to 192.168.9.2[4500] (76 bytes)
мар 04 17:10:29 accel-s50 ipsec[3862]: 14[IKE] deleting IKE_SA L2TP-PSK-noNAT[2] between 192.168.9.2[192.168.9.2]...10.0.0.85[10.0.0.85]
мар 04 17:10:29 accel-s50 ipsec[3862]: 14[IKE] IKE_SA L2TP-PSK-noNAT[2] state change: ESTABLISHED => DELETING
мар 04 17:10:29 accel-s50 ipsec[3862]: 14[IKE] IKE_SA L2TP-PSK-noNAT[2] state change: DELETING => DELETING
мар 04 17:10:29 accel-s50 ipsec[3862]: 14[IKE] IKE_SA L2TP-PSK-noNAT[2] state change: DELETING => DESTROYING

full output (pastebin)
Answers to the question: 2
@Stariyded
Network admin
At the very least, the return traffic from vm3 via vm2 is not being masqueraded.
Answer posted
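An added check, not part of the question or either answer: it parses the `iptables -nL -t nat` dump the question shows for vm2 and reports which rules of an L2TP/IPsec forward are present (DNAT of udp/500 and udp/4500 to the VPN server, and a POSTROUTING SNAT/MASQUERADE for the return traffic the answer above points at). The sample table is constructed from the one posted; `parse_nat_table`, `audit_l2tp_forwarding` and `missing_rules` are names assumed here.

```python
import re

# Constructed sample: the gateway (vm2) nat table from the question, empty chains omitted.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:60022 to:192.168.9.2:22
DNAT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 to:192.168.9.2
DNAT 17 -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500 to:192.168.9.2

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
"""

def parse_nat_table(text):
    """Parse `iptables -nL -t nat` output into {chain: [rule dict, ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\w+)\)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split()
        # skip blank lines, the column header and any text before the first chain
        if current is None or not parts or parts[0] == "target":
            continue
        extra = parts[5:]  # match text, e.g. "udp dpt:4500 to:192.168.9.2"
        to = next((t[3:] for t in extra if t.startswith("to:")), "")
        chains[current].append({"target": parts[0], "src": parts[3],
                                "dst": parts[4], "match": " ".join(extra),
                                "to_ip": to.split(":")[0]})
    return chains

def audit_l2tp_forwarding(chains, vpn_server):
    """Return {check: bool} for the rules an L2TP/IPsec forward to vpn_server needs."""
    pre, post = chains.get("PREROUTING", []), chains.get("POSTROUTING", [])
    found = {}
    for port in ("500", "4500"):  # IKE and NAT-T; ESP and L2TP ride inside udp/4500
        found[f"dnat_udp_{port}"] = any(
            r["target"] == "DNAT" and re.search(rf"\budp dpt:{port}\b", r["match"])
            and r["to_ip"] == vpn_server for r in pre)
    # return path: a SNAT/MASQUERADE rule in POSTROUTING
    found["postrouting_snat"] = any(
        r["target"] in ("SNAT", "MASQUERADE") for r in post)
    return found

def missing_rules(text, vpn_server):
    """Names of the checks that fail for a given dump, in audit order."""
    found = audit_l2tp_forwarding(parse_nat_table(text), vpn_server)
    return [name for name, ok in found.items() if not ok]
```

Replies from vm3 are un-DNATed by conntrack only when vm3 routes them back through vm2; a SNAT/MASQUERADE in POSTROUTING makes the forward independent of vm3's default route.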
@Free0wl Question author
Even if I do this on the "gateway":
iptables -t nat -D PREROUTING -i ifE -s 10.0.0.85 -j DNAT --to 192.168.9.2

10.0.0.85 is vm1 (the hypothetical client)
192.168.9.2 is vm3 (the VPN server)
PPTP works
Strongswan + L2TP does not
Answer posted