1 vote

IPsec start command hangs

I'm trying to set up a VPN connection between two regions in AWS EC2 (two virtual machines) using StrongSwan in Docker. However, I get a ton of errors when I try to bring up the connection.

The commands sudo ipsec start --nofork and sudo ipsec restart give the following errors, respectively:

Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[374]: Starting strongSwan 5.3.5 IPsec [starter]...

00[LIB] expanding file pattern '/etc/strongswan.d/charon/*.conf' failed: Permission denied
00[LIB] expanding file pattern '/etc/strongswan.d/*.conf' failed: Permission denied
00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1065-aws, x86_64)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] failed to load 3 critical plugin features
00[DMN] initialization failed - aborting charon
charon has quit: initialization failed
ipsec_starter[374]: charon has quit: initialization failed

charon refused to be started
ipsec_starter[374]: charon refused to be started

ipsec starter stopped
ipsec_starter[374]: ipsec starter stopped

and

Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[389]: Starting strongSwan 5.3.5 IPsec [starter]...

root@b65e01b190f6:/etc# ipsec_starter[408]: charon has quit: initialization failed

ipsec_starter[408]: charon refused to be started

ipsec_starter[408]: ipsec starter stopped

(The second one hangs after the last line and has to be exited with Ctrl+C.)

To fix some of the errors, I commented out the line:

load_modular = yes

in the file:

/etc/strongswan.conf

Now, running the same commands outputs:

Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[413]: Starting strongSwan 5.3.5 IPsec [starter]...

00[LIB] expanding file pattern '/etc/strongswan.d/charon/*.conf' failed: Permission denied
00[LIB] expanding file pattern '/etc/strongswan.d/*.conf' failed: Permission denied
00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1065-aws, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[LIB] opening directory '/etc/ipsec.d/cacerts' failed: Permission denied
00[CFG]   reading directory failed
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: Permission denied
00[CFG]   reading directory failed
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: Permission denied
00[CFG]   reading directory failed
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[LIB] opening directory '/etc/ipsec.d/acerts' failed: Permission denied
00[CFG]   reading directory failed
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[LIB] opening directory '/etc/ipsec.d/crls' failed: Permission denied
00[CFG]   reading directory failed
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for B.B.B.B X.X.X.X
00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-netlink resolve socket-default connmark stroke updown
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (426) started after 20 ms
ipsec_starter[413]: charon (426) started after 20 ms

11[CFG] received stroke: add connection 'A-to-B'
11[CFG] left nor right host is our side, assuming left=local
11[CFG] algorithm 'sha_256' not recognized
11[CFG] skipped invalid proposal string: aes256-sha_256-modp1024
11[CFG] added configuration 'A-to-B'
13[CFG] received stroke: initiate 'A-to-B'
13[IKE] initiating IKE_SA A-to-B[1] to X.X.X.X
13[IKE] configured DH group MODP_NONE not supported
13[MGR] tried to check-in and delete nonexisting IKE_SA

and

Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[444]: Starting strongSwan 5.3.5 IPsec [starter]...

root@b65e01b190f6:/etc# ipsec_starter[463]: charon (464) started after 20 ms

Now both commands stop there, and I'm not sure whether commenting out that line helped at all.

The line expanding file pattern '/etc/strongswan.d/charon/*.conf' failed: Permission denied is probably the cause of most of my errors, but I don't know how to fix it since I'm already root inside Docker.

I'm also including part of my Dockerfile in case it helps:

FROM ubuntu:16.04

RUN apt update && apt install -y --no-install-recommends apt-utils
RUN apt -y install sudo
RUN apt upgrade -y
RUN apt install strongswan -y
RUN apt install nano -y
RUN apt install openssh-client -y
RUN apt install -y kmod
RUN echo "IdentityFile ~/.ssh/id_rsa" >> /etc/ssh/ssh_config
RUN sudo rm /etc/ipsec.conf
RUN touch /etc/ipsec.conf
RUN echo "# basic configuration" >> /etc/ipsec.conf \
    && echo "config setup" >> /etc/ipsec.conf \
    && echo '    charondebug="all"' >> /etc/ipsec.conf \
    && echo "    uniqueids=yes" >> /etc/ipsec.conf \
    && echo "    strictcrlpolicy=no" >> /etc/ipsec.conf \
    && echo "" >> /etc/ipsec.conf \
    && echo "conn A-to-B" >> /etc/ipsec.conf \
    && echo "    authby=secret" >> /etc/ipsec.conf \
    && echo "    left=A.A.A.A" >> /etc/ipsec.conf \
    && echo "    leftid=B.B.B.B" >> /etc/ipsec.conf \
    && echo "    leftsubnet=A.C.C.C/16" >> /etc/ipsec.conf \
    && echo "    right=X.X.X.X" >> /etc/ipsec.conf \
    && echo "    rightsubnet=Y.Y.Y.Y/16" >> /etc/ipsec.conf \
    && echo "    ike=aes256-sha_256-modp1024!" >> /etc/ipsec.conf \
    && echo "    esp=aes256-sha2_256!" >> /etc/ipsec.conf \
    && echo "    keyingtries=0" >> /etc/ipsec.conf \
    && echo "    ikelifetime=1h" >> /etc/ipsec.conf \
    && echo "    lifetime=8h" >> /etc/ipsec.conf \
    && echo "    dpddelay=30" >> /etc/ipsec.conf \
    && echo "    dpdtimeout=120" >> /etc/ipsec.conf \
    && echo "    dpdaction=restart" >> /etc/ipsec.conf \
    && echo "    auto=start" >> /etc/ipsec.conf
RUN sudo rm /etc/ipsec.secrets
RUN touch /etc/ipsec.secrets
RUN echo 'B.B.B.B X.X.X.X : PSK "mykey"' >> /etc/ipsec.secrets
RUN echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
RUN sudo sysctl -p /etc/sysctl.conf

The Dockerfile on the other instance is roughly the same, with the IPs swapped.

EDIT: UPDATE (NOT PART OF THE ORIGINAL QUESTION)

I changed the encryption algorithms because modp1024 is no longer strong enough for strongSwan's standards. I'm now using:

ike=aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384!

and that fixed a few errors. I was also using the command:

sudo docker run -itv ~:/mnt/ nameHere bash

but I added the --cap-add=NET_ADMIN flag and all the pre-connection errors disappeared. However, there is a new error when trying to connect, where the connection gives up after 5 attempts.

root@aaaaaaaaaa:/etc# sudo ipsec start --nofork
Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[482]: Starting strongSwan 5.3.5 IPsec [starter]...

00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1065-aws, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for X.X.X.X Y.Y.Y.Y
00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (495) started after 20 ms
ipsec_starter[482]: charon (495) started after 20 ms

11[CFG] received stroke: add connection 'A-to-B'
11[CFG] left nor right host is our side, assuming left=local
11[CFG] added configuration 'A-to-B'
13[CFG] received stroke: initiate 'A-to-B'
13[IKE] initiating IKE_SA A-to-B[1] to Y.Y.Y.Y
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
13[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (284 bytes)
10[NET] error writing to socket: Invalid argument
15[IKE] retransmit 1 of request with message ID 0
15[NET] sending packet: from X.X.X.X (private ip)[500] to Y.Y.Y.Y (public ip of other connection)[500] (284 bytes)
10[NET] error writing to socket: Invalid argument
.
.
.
04[IKE] retransmit 5 of request with message ID 0
04[NET] sending packet: from X.X.X.X (private ip)[500] to Y.Y.Y.Y (public ip of other connection)[500] (284 bytes)
10[NET] error writing to socket: Invalid argument
03[IKE] giving up after 5 retransmits
03[IKE] establishing IKE_SA failed, peer not responding

And now it hangs here until I kill it with another CTRL+C. Any ideas would be greatly appreciated.

0 votes

gipi Points 101

I had the same problem and was as puzzled as you. I found out in the log that the reason for the Permission denied was apparmor:

audit: type=1400 audit(1592238171.739:83): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/lib/docker/overlay2/02767f1d398d73371577bf0894a350595be9cecaecdbb9f416b7f421ae7820eb/diff/etc/strongswan.d/charon/" pid=46257 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1592238171.739:84): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/lib/docker/overlay2/02767f1d398d73371577bf0894a350595be9cecaecdbb9f416b7f421ae7820eb/diff/etc/strongswan.d/" pid=46257 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The easy workaround is to stop apparmor with the aa-teardown command (you can see the active profiles with aa-status), but obviously that's not optimal; a real solution would be to modify the rules for charon contained in /etc/apparmor.d/usr.lib.ipsec.charon.
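As an added example (not part of the answer above or of the strongSwan project), here is a small Python helper that parses AppArmor audit records like the two quoted above and turns the denials for the charon profile into candidate file rules, generalising the Docker overlay2 layer id so the rule survives image rebuilds. The sample input is constructed from the two log lines in the answer; the rule text it emits is a proposal to review, not something to apply blindly.

```python
import re

# Constructed sample input: the two AppArmor audit records quoted in the answer.
SAMPLE_AUDIT = """\
audit: type=1400 audit(1592238171.739:83): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/lib/docker/overlay2/02767f1d398d73371577bf0894a350595be9cecaecdbb9f416b7f421ae7820eb/diff/etc/strongswan.d/charon/" pid=46257 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1592238171.739:84): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/lib/docker/overlay2/02767f1d398d73371577bf0894a350595be9cecaecdbb9f416b7f421ae7820eb/diff/etc/strongswan.d/" pid=46257 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="value" or key=value pairs as AppArmor writes them into an audit record
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Docker overlay2 layer directories are hex ids; replace them with a glob
_OVERLAY = re.compile(r"^/var/lib/docker/overlay2/[0-9a-f]+/diff/")


def parse_denials(text):
    """Return one dict of fields per apparmor="DENIED" record found in text."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}
        denials.append(fields)
    return denials


def suggest_rules(denials, profile="/usr/lib/ipsec/charon"):
    """Turn the denials for one profile into candidate AppArmor file rules.

    The overlay2 layer id becomes '*', and a denied directory (trailing '/')
    becomes '/**' so the files below it are covered by the same rule."""
    rules = set()
    for d in denials:
        if d.get("profile") != profile or "name" not in d:
            continue
        path = _OVERLAY.sub("/var/lib/docker/overlay2/*/diff/", d["name"])
        if path.endswith("/"):
            path += "**"
        rules.add(f"{path} {d['denied_mask']},")
    return sorted(rules)


if __name__ == "__main__":
    # Feed it dmesg / audit.log output instead of the sample in real use.
    for rule in suggest_rules(parse_denials(SAMPLE_AUDIT)):
        print(rule)
```

Rules you accept go into the profile (or a local override under /etc/apparmor.d/local/) and are reloaded with apparmor_parser -r on the profile file; aa-status then confirms charon is still confined rather than torn down.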
