Strongswan Check: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(27 dazwischenliegende Versionen von 2 Benutzern werden nicht angezeigt)
Zeile 1: Zeile 1:
 +
=strongswan.conf=
 +
*[[strongswan.conf filelog]]
 +
 +
 
=VPN Check=
 
=VPN Check=
 
*CONN=s2s
 
*CONN=s2s
 
*CHECK="(CHILD_SA|failed|error|could not)"
 
*CHECK="(CHILD_SA|failed|error|could not)"
*PATTERN=${CONN}.*$CHECK
+
*CHECK="(CHILD_SA|failed|error|could not|proposal|not match)"; PATTERN=${CONN}.*$CHECK
 +
=Script=
 +
<pre>
 +
#!/bin/bash
 +
CONN="$1"
 +
CHECK="(CHILD_SA|failed|error|could not|proposal|not match)"
 +
PATTERN=${CONN}.*$CHECK
 +
tail -f /var/log/charon.log | egrep "$PATTERN"
 +
</pre>
 +
 
 +
=Abfrage=
 +
*tail -f /var/log/strongswan/charon.log | egrep "$PATTERN"
 
=Verbindung erfolgreich=
 
=Verbindung erfolgreich=
*tail -f /var/log/strongswan/charon.log | egrep "$PATTERN"
+
<pre>
Nov 16 11:26:44 15[IKE] <s2s|6> CHILD_SA s2s{3} established with SPIs cbe2c3f8_i c64ca73c_o and TS 10.83.33.0/24 === 10.83.32.0/24
+
Nov 17 10:29:36 01[IKE] <s2s|1> sending DELETE for ESP CHILD_SA with SPI c484ade1
 +
Nov 17 10:29:38 04[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 +
Nov 17 10:29:38 16[CFG] <s2s|2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 +
Nov 17 10:29:38 16[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 +
Nov 17 10:29:38 03[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 +
Nov 17 10:29:38 03[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 +
Nov 17 10:29:38 06[CFG] <s2s|2> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 +
Nov 17 10:29:38 06[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 +
Nov 17 10:29:38 06[IKE] <s2s|2> CHILD_SA s2s{2} established with SPIs c3dde116_i ced89952_o and TS 10.83.33.0/24 === 10.83.32.0/24
 +
</pre>
 +
 
 
=PSK falsch=
 
=PSK falsch=
*tail -f /var/log/strongswan/charon.log | egrep "$PATTERN"
+
<pre>
Nov 16 12:11:47 13[ENC] <s2s|102> invalid HASH_V1 payload length, decryption failed?
+
Nov 17 10:32:47 16[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 16 12:11:47 13[ENC] <s2s|102> could not decrypt payloads
+
Nov 17 10:32:47 15[CFG] <s2s|2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 16 12:11:47 13[IKE] <s2s|102> message parsing failed
+
Nov 17 10:32:47 15[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 16 12:11:47 13[IKE] <s2s|102> INFORMATIONAL_V1 request with message ID 1439430924 processing failed
+
Nov 17 10:32:47 04[ENC] <s2s|2> invalid HASH_V1 payload length, decryption failed?
 +
Nov 17 10:32:47 04[ENC] <s2s|2> could not decrypt payloads
 +
Nov 17 10:32:47 04[IKE] <s2s|2> message parsing failed
 +
Nov 17 10:32:47 04[IKE] <s2s|2> INFORMATIONAL_V1 request with message ID 2548885084 processing failed
 +
</pre>
 +
 
 
=PHASE1 oder PHASE2 Proposals=
 
=PHASE1 oder PHASE2 Proposals=
 
==PHASE1 und PHASE2 ok==
 
==PHASE1 und PHASE2 ok==
*tail -f /var/log/strongswan/charon.log | egrep "$CONN.*proposal"
 
 
<pre>
 
<pre>
 
Nov 17 10:12:35 05[CFG] <s2s|2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 
Nov 17 10:12:35 05[CFG] <s2s|2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Zeile 24: Zeile 53:
 
Nov 17 10:12:35 01[CFG] <s2s|2> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 
Nov 17 10:12:35 01[CFG] <s2s|2> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 
</pre>
 
</pre>
==PHASE1 oder PHASE2 error==
+
==Fehlkonfiguration der Proposals==
*tail -f /var/log/strongswan/charon.log | egrep "$PATTERN"
+
  Nov 17 10:38:28 06[CFG] <s2s|1> configured proposals:
  Nov 16 12:24:57 05[IKE] <s2s|10> received NO_PROPOSAL_CHOSEN error notify
 
 
 
 
==PHASE1 Proposals werden nicht beantwortet==
 
==PHASE1 Proposals werden nicht beantwortet==
 
Es fehlt das selected proposal bei IKE
 
Es fehlt das selected proposal bei IKE
*tail -f /var/log/strongswan/charon.log | egrep "$CONN.*proposal.*IKE"
+
  Nov 17 10:42:24 01[CFG] <s2s|3> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  Nov 16 21:51:19 12[CFG] <s2s|7> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
+
Nov 17 10:42:24 12[IKE] <s2s|3> received NO_PROPOSAL_CHOSEN error notify
 
 
 
==Verschiedene Phase2 Proposals==
 
==Verschiedene Phase2 Proposals==
Es fehlt das selected proposal bei IKE  
+
Es fehlt das selected proposal bei ESP
*tail -f /var/log/strongswan/charon.log | egrep "$CONN.*proposal.*ESP"
+
<pre>
Nov 16 20:29:38 15[CFG] <s2s|4> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
+
Nov 17 10:46:24 06[CFG] <s2s|2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 16 20:29:38 15[CFG] <s2s|4> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
+
Nov 17 10:46:24 06[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 +
Nov 17 10:46:24 06[CFG] <s2s|2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 +
Nov 17 10:46:24 03[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
 +
Nov 17 10:46:24 03[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
 +
Nov 17 10:46:24 02[IKE] <s2s|2> received NO_PROPOSAL_CHOSEN error notify
 +
</pre>
  
 
=Falsches Netz=
 
=Falsches Netz=
*tail -f /var/log/strongswan/charon.log | egrep "$PATTERN"
+
<pre>
Nov 16 20:00:41 01[IKE] <s2s|6> received INVALID_ID_INFORMATION error notify
+
Nov 17 10:49:14 14[CFG] <s2s|1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 +
Nov 17 10:49:14 14[CFG] <s2s|1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 +
Nov 17 10:49:14 14[CFG] <s2s|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 +
Nov 17 10:49:14 16[CFG] <s2s|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 +
Nov 17 10:49:14 16[CFG] <s2s|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
 +
Nov 17 10:49:14 05[IKE] <s2s|1> received INVALID_ID_INFORMATION error notify
 +
</pre>
  
 
=Falsche ID=
 
=Falsche ID=
*tail -f /var/log/strongswan/charon.log | egrep "$PATTERN"
+
<pre>
Nov 16 20:12:55 12[IKE] <s2s|2> received AUTHENTICATION_FAILED error notify
+
Nov 17 10:57:34 05[CFG] <s2s|17> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 +
Nov 17 10:57:34 05[CFG] <s2s|17> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 +
Nov 17 10:57:34 05[CFG] <s2s|17> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 +
Nov 17 10:57:34 16[IKE] <s2s|17> IDir 'tiazel' does not match to '10.84.252
 +
</pre>
 +
'''Vorsicht ... ipsec up zeigt established successfully'''
 +
*ipsec up  s2s
 +
<pre>
 +
IDir 'tiazel' does not match to '10.84.252.32'
 +
deleting IKE_SA s2s[19] between 10.84.252.33[10.84.252.33]...10.84.252.32[%any]
 +
sending DELETE for IKE_SA s2s[19]
 +
generating INFORMATIONAL_V1 request 2142858728 [ HASH D ]
 +
sending packet: from 10.84.252.33[500] to 10.84.252.32[500] (108 bytes)
 +
connection 's2s' established successfully
 +
</pre>
 +
 
 
=Angebotene IKE Lifetime=
 
=Angebotene IKE Lifetime=
*tail -f /var/log/strongswan/charon.log | egrep "$CONN.*time"
 
 
  Nov 16 22:19:51 12[IKE] <s2s|5> maximum IKE_SA lifetime 3375s
 
  Nov 16 22:19:51 12[IKE] <s2s|5> maximum IKE_SA lifetime 3375s

Aktuelle Version vom 8. April 2019, 13:20 Uhr

strongswan.conf


VPN Check

  • CONN=s2s
  • CHECK="(CHILD_SA|failed|error|could not)"
  • CHECK="(CHILD_SA|failed|error|could not|proposal|not match)"; PATTERN=${CONN}.*$CHECK

Script

#!/bin/bash
CONN="$1"
CHECK="(CHILD_SA|failed|error|could not|proposal|not match)"
PATTERN=${CONN}.*$CHECK
tail -f /var/log/charon.log | egrep "$PATTERN"

Abfrage

  • tail -f /var/log/strongswan/charon.log | egrep "$PATTERN"

Verbindung erfolgreich

Nov 17 10:29:36 01[IKE] <s2s|1> sending DELETE for ESP CHILD_SA with SPI c484ade1
Nov 17 10:29:38 04[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:29:38 16[CFG] <s2s|2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:29:38 16[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:29:38 03[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 17 10:29:38 03[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 17 10:29:38 06[CFG] <s2s|2> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 17 10:29:38 06[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 17 10:29:38 06[IKE] <s2s|2> CHILD_SA s2s{2} established with SPIs c3dde116_i ced89952_o and TS 10.83.33.0/24 === 10.83.32.0/24

PSK falsch

Nov 17 10:32:47 16[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:32:47 15[CFG] <s2s|2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:32:47 15[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:32:47 04[ENC] <s2s|2> invalid HASH_V1 payload length, decryption failed?
Nov 17 10:32:47 04[ENC] <s2s|2> could not decrypt payloads
Nov 17 10:32:47 04[IKE] <s2s|2> message parsing failed
Nov 17 10:32:47 04[IKE] <s2s|2> INFORMATIONAL_V1 request with message ID 2548885084 processing failed

PHASE1 oder PHASE2 Proposals

PHASE1 und PHASE2 ok

Nov 17 10:12:35 05[CFG] <s2s|2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:12:35 05[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:12:35 05[CFG] <s2s|2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
...
Nov 17 10:12:35 01[CFG] <s2s|2> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 17 10:12:35 01[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 17 10:12:35 01[CFG] <s2s|2> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ

Fehlkonfiguration der Proposals

Nov 17 10:38:28 06[CFG] <s2s|1> configured proposals:

PHASE1 Proposals werden nicht beantwortet

Es fehlt das selected proposal bei IKE 

Nov 17 10:42:24 01[CFG] <s2s|3> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Nov 17 10:42:24 12[IKE] <s2s|3> received NO_PROPOSAL_CHOSEN error notify

Verschiedene Phase2 Proposals

Es fehlt das selected proposal bei ESP 

Nov 17 10:46:24 06[CFG] <s2s|2> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:46:24 06[CFG] <s2s|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:46:24 06[CFG] <s2s|2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:46:24 03[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Nov 17 10:46:24 03[CFG] <s2s|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
Nov 17 10:46:24 02[IKE] <s2s|2> received NO_PROPOSAL_CHOSEN error notify

Falsches Netz

Nov 17 10:49:14 14[CFG] <s2s|1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:49:14 14[CFG] <s2s|1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:49:14 14[CFG] <s2s|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:49:14 16[CFG] <s2s|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 17 10:49:14 16[CFG] <s2s|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Nov 17 10:49:14 05[IKE] <s2s|1> received INVALID_ID_INFORMATION error notify

Falsche ID

Nov 17 10:57:34 05[CFG] <s2s|17> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:57:34 05[CFG] <s2s|17> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:57:34 05[CFG] <s2s|17> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Nov 17 10:57:34 16[IKE] <s2s|17> IDir 'tiazel' does not match to '10.84.252

Vorsicht ... ipsec up zeigt established successfully

  • ipsec up s2s
IDir 'tiazel' does not match to '10.84.252.32'
deleting IKE_SA s2s[19] between 10.84.252.33[10.84.252.33]...10.84.252.32[%any]
sending DELETE for IKE_SA s2s[19]
generating INFORMATIONAL_V1 request 2142858728 [ HASH D ]
sending packet: from 10.84.252.33[500] to 10.84.252.32[500] (108 bytes)
connection 's2s' established successfully

Angebotene IKE Lifetime

Nov 16 22:19:51 12[IKE] <s2s|5> maximum IKE_SA lifetime 3375s
Abgerufen von „http://wiki.ixheim.de/index.php?title=Strongswan_Check&oldid=18169