SSH%20%E7%B5%8C%E7%94%B1%E3%81%A7%E3%82%B5%E3%83%BC%E3%83%90%E3%83%BC%E3%81%AB%E3%82%A2%E3%82%AF%E3%82%BB%E3%82%B9%E3%81%A7%E3%81%8D%E3%81%AA%E3%81%8F%E3%81%AA%E3%82%8A%E3%81%BE%E3%81%97%E3%81%9F%E3%80%82.png)
リモート マシン (Debian 11.7 / カーネル 5.10.0-23-amd64) で作業しているときに、Strongswan をインストールして VPN クライアントとして構成しました。
apt install strongswan
この後、サービスstrongswan-starter.serviceが開始され、ホストにアクセスできなくなります。幸いなことに、サービスを物理的に無効にしsystemctl disable strongswan-starter.serviceて再起動することができました。
しかし、「systemctl start strongswan-starter.service」を実行するたびに、OpenSSH 接続が失われます。
サービスを開始する際に私が気づいたことは次のとおりです。
May 29 21:45:25 machinename charon: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 21:45:25 machinename charon: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 21:45:25 machinename charon: 08[KNL] received netlink error: Permission denied (13)
May 29 21:45:25 machinename charon: 08[KNL] installing route failed: 2a00:6020:4e2a:8000::/64 src 2a00:xxxx:4e2a:xxxx:6a1d:xxxx:xxxx:9579 dev ipsec0
May 29 21:45:25 machinename charon: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 21:45:25 machinename charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
IP は192.168.189.1ルーターのアドレスです。ただし、ローカルの物理コンソールから Google などに ping することは可能です。
libcharon-extra-plugin パッケージがインストールされている場合にのみ表示されるため、最初に bypass-lan プラグインに焦点を当てました。
更新しました
これはデフォルトのstrongswanインストールなので、この時点では設定は行われていません。したがって、関連する設定ファイルは次のとおりです。
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
# leftsubnet=10.1.0.0/16
# leftcert=selfCert.der
# leftsendcert=never
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightcert=peerCert.der
# auto=start
#conn sample-with-ca-cert
# leftsubnet=10.1.0.0/16
# leftcert=myCert.pem
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightid="C=CH, O=Linux strongSwan CN=peer name"
# auto=start
# strongswan.conf
charon {
plugins {
eap_dynamic {
preferred = eap-mschapv2, eap-tls
}
}
}
# /etc/strongswan.d/starter.conf
starter {
# Location of the ipsec.conf file
# config_file = ${sysconfdir}/ipsec.conf
# Disable charon plugin load option warning.
# load_warning = yes
}
アップデート2
以下は、サービスを開始した後の完全なログ出力であり、リモート接続がhostmachine切断されています。
May 29 23:21:49 hostmachine systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
May 29 23:21:49 hostmachine ipsec[6423]: Starting strongSwan 5.9.1 IPsec [starter]...
May 29 23:21:49 hostmachine charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.0-23-amd64, x86_64)
May 29 23:21:49 hostmachine kernel: [ 3621.243706] NET: Registered protocol family 38
May 29 23:21:49 hostmachine kernel: [ 3621.282054] AVX or AES-NI instructions are not detected.
May 29 23:21:50 hostmachine kernel: [ 3621.332375] AVX or AES-NI instructions are not detected.
May 29 23:21:50 hostmachine kernel: [ 3621.394450] alg: No test for xcbc(camellia) (xcbc(camellia-asm))
May 29 23:21:50 hostmachine kernel: [ 3621.436211] alg: No test for rfc3686(ctr(camellia)) (rfc3686(ctr-camellia-asm))
May 29 23:21:50 hostmachine kernel: [ 3621.445352] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.559730] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.593517] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.682207] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.750485] tun: Universal TUN/TAP device driver, 1.6
May 29 23:21:50 hostmachine charon: 00[LIB] created TUN device: ipsec0
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Link UP
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Gained carrier
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Gained IPv6LL
May 29 23:21:50 hostmachine systemd-udevd[6556]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
May 29 23:21:50 hostmachine charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 29 23:21:50 hostmachine charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 29 23:21:50 hostmachine charon: 00[CFG] loaded 0 RADIUS server configurations
May 29 23:21:50 hostmachine charon: 00[CFG] HA config misses local/remote address
May 29 23:21:50 hostmachine charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-libipsec kernel-netlink resolve socket-default bypass-lan connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
May 29 23:21:50 hostmachine charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 29 23:21:50 hostmachine charon: 00[JOB] spawning 16 worker threads
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.17.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.18.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.25.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 192.168.189.0/24
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for ::1/128
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for fe80::/64
May 29 23:21:50 hostmachine charon: 08[IKE] interface change for bypass policy for fe80::/64 (from enp1s0 to ipsec0)
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:21:50 hostmachine ipsec[6423]: charon (6427) started after 580 ms
May 29 23:22:04 hostmachine charon: 00[DMN] SIGINT received, shutting down
May 29 23:22:04 hostmachine systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.17.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.18.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.25.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 192.168.189.0/24
May 29 23:22:04 hostmachine systemd-networkd[281]: ipsec0: Link DOWN
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 192.168.189.1/32
May 29 23:22:04 hostmachine systemd-networkd[281]: ipsec0: Lost carrier
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for ::1/128
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for fe80::/64
May 29 23:22:04 hostmachine ipsec[6427]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.0-23-amd64, x86_64)
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] created TUN device: ipsec0
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loaded 0 RADIUS server configurations
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] HA config misses local/remote address
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-libipsec kernel-netlink resolve socket-default bypass-lan connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 29 23:22:04 hostmachine ipsec[6427]: 00[JOB] spawning 16 worker threads
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.17.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.18.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.25.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 192.168.189.0/24
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for ::1/128
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for fe80::/64
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] interface change for bypass policy for fe80::/64 (from enp1s0 to ipsec0)
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
どのようなアイデアでも大歓迎です。