strongSwan works on an embedded device over Ethernet but not over a 4G modem


I have a Gateworks SBC running Ubuntu 20.04. My SoC connects through a USB-Ethernet adapter (eth0), as a DHCP client (192.168.88.102), to a Mikrotik router (DHCP server) that acts as the gateway to the Internet (masquerade).

I installed a virtual Mikrotik instance on AWS. Its IP address is 18.xxx. There I configured an IPsec IKEv2 tunnel with certificates. Road-warrior clients are supposed to connect with a virtual IP from 192.168.11.0/24 (template). My configuration is the same as in the Mikrotik IPsec wiki.

I connect the SBC to the Mikrotik AWS router with strongSwan. My SoC acts as the road-warrior client (virtual IP 192.168.11.254). The connection is established and SAs are assigned. From the SoC I can ping 8.8.8.8; the packets are tunneled through the Mikrotik IPsec router and come back. So far everything is great.

Hint: to avoid problems, I now disconnect the USB-Ethernet adapter.

My Gateworks SBC has a Toby L210 4G USB modem installed. Ubuntu recognized the modem. I configured the modem to work in router mode as described by u-blox. Using ModemManager I send the command to connect to the Telekom provider. It creates the wwan0 interface, and I send "dhclient wwan0" to get the IP address 192.168.1.100 from the modem's DHCP server. 192.168.1.1 is the modem's gateway address. Ping to Google works. The internal IP address of my modem is 100.64.xx (carrier-grade NAT).

Now I start strongSwan (ipsec up test). Again the connection is established and SAs are deployed. But I cannot ping 8.8.8.8. When I ping 8.8.8.8 I can see the incoming packets on the Mikrotik IPsec server (packet sniffer), which forwards them to 8.8.8.8 and sends the replies back into the tunnel. So the outgoing packets from my SBC work; probably...

Ping dump with the 4G modem, no ping reply

1   0.000000000 192.168.1.100   18.xxx.xxx.xxx  ESP 174 ESP (SPI=0x0b2a5a40)
2   0.063911734 18.xxx.xxx.xxx  192.168.1.100   ESP 174 ESP (SPI=0xcbb1d2c0)
3   0.486664666 18.xxx.xxx.xxx  192.168.1.100   ISAKMP  202 INFORMATIONAL MID=65 Responder Request
4   0.488833047 192.168.1.100   18.xxx.xxx.xxx  ISAKMP  122 INFORMATIONAL MID=65 Initiator Response
5   1.019959021 192.168.1.100   18.xxx.xxx.xxx  ESP 174 ESP (SPI=0x0b2a5a40)
6   1.088668527 18.xxx.xxx.xxx  192.168.1.100   ESP 174 ESP (SPI=0xcbb1d2c0)
7   2.043874128 192.168.1.100   18.xxx.xxx.xxx  ESP 174 ESP (SPI=0x0b2a5a40)
8   2.133560094 18.xxx.xxx.xxx  192.168.1.100   ESP 174 ESP (SPI=0xcbb1d2c0)
9   3.067978240 192.168.1.100   18.xxx.xxx.xxx  ESP 174 ESP (SPI=0x0b2a5a40)
10  3.163589336 18.xxx.xxx.xxx  192.168.1.100   ESP 174 ESP (SPI=0xcbb1d2c0)
11  4.091881681 192.168.1.100   18.xxx.xxx.xxx  ESP 174 ESP (SPI=0x0b2a5a40)
12  4.168360691 18.xxx.xxx.xxx  192.168.1.100   ESP 174 ESP (SPI=0xcbb1d2c0)
13  5.115993793 192.168.1.100   18.xxx.xxx.xxx  ESP 174 ESP (SPI=0x0b2a5a40)
14  5.193667829 18.xxx.xxx.xxx  192.168.1.100   ESP 174 ESP (SPI=0xcbb1d2c0)
15  5.566650670 18.xxx.xxx.xxx  192.168.1.100   ISAKMP  186 INFORMATIONAL MID=66 Responder Request
16  5.568814384 192.168.1.100   18.xxx.xxx.xxx  ISAKMP  122 INFORMATIONAL MID=66 Initiator Response

Ping dump with eth0, ping replies



2   0.227289053 192.168.88.102  18.xxx.xxx.xxx  ESP 174 ESP (SPI=0x05bce76a)
3   0.245391122 18.xxx.xxx.xxx  192.168.88.102  ESP 174 ESP (SPI=0xc7c756b9)
4   0.245391122 8.8.8.8         192.168.11.254  ICMP    98  Echo (ping) reply    id=0x0002, seq=9/2304, ttl=111
9   1.229264659 192.168.88.102  18.xxx.xxx.xxx  ESP 174 ESP (SPI=0x05bce76a)
10  1.243413640 18.xxx.xxx.xxx  192.168.88.102  ESP 174 ESP (SPI=0xc7c756b9)
11  1.243413640 8.8.8.8         192.168.11.254  ICMP    98  Echo (ping) reply    id=0x0002, seq=10/2560, ttl=111
12  1.651801718 18.xxx.xxx.xxx  192.168.88.102  ISAKMP  186 INFORMATIONAL MID=04 Responder Request
13  1.654115436 192.168.88.102  18.xxx.xxx.xxx  ISAKMP  122 INFORMATIONAL MID=04 Initiator Response


ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

conn test
 keyexchange=ikev2
 ike=aes128-sha1-modp2048
 esp=aes128-sha1-modp2048
 ikelifetime = 24h
 lifetime = 30m
 dpddelay = 120s
 left=%defaultroute
 leftsourceip=%modeconfig
 leftcert=cert_export_Ventana.pem
 leftid=VentanaTest
 leftfirewall=yes
 right=18.xxx.xxx.xxx
 rightsubnet=0.0.0.0/0
 rightid="18.xxx.xxx.xxx"
 auto=add 

ipsec statusall

Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.45-g334256aa8a89, armv7l):
  uptime: 6 minutes, since Dec 12 20:06:32 2020
  malloc: sbrk 1347584, mmap 0, used 457608, free 889976
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
  192.168.1.100
Connections:
        test:  %any...18.xxx.xxx.xxx  IKEv2
        test:   local:  [CN=VentanaTest] uses public key authentication
        test:    cert:  "CN=VentanaTest"
        test:   remote: [18.xxx.xxx.xxx] uses public key authentication
        test:   child:  dynamic === 0.0.0.0/0 TUNNEL
Security Associations (1 up, 0 connecting):
        test[1]: ESTABLISHED 65 seconds ago, 192.168.1.100[CN=VentanaTest]...18.xxx.xxx.xxx[18.xxx.xxx.xxx]
        test[1]: IKEv2 SPIs: 0f0ebcd1d3f24257_i* 0bdabee4cebd469b_r, public key reauthentication in 23 hours
        test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
        test{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c91f7359_i 005ce3a7_o
        test{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 5068 bytes_o, (66pkts, 58s ago),  rekeying in 14 minutes
        test{1}:   192.168.11.254/32 === 0.0.0.0/0




ip xfrm policy

src 192.168.11.254/32 dst 0.0.0.0/0
        dir out priority 383615
        tmpl src 192.168.1.100 dst 18.xxx.xxx.xxx
                proto esp spi 0x005ce3a7 reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.11.254/32
        dir fwd priority 383615
        tmpl src 18.xxx.xxx.xxx dst 192.168.1.100
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.11.254/32
        dir in priority 383615
        tmpl src 18.xxx.xxx.xxx dst 192.168.1.100
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0

iptables-save


# Generated by iptables-save v1.8.4 on Sat Dec 12 20:24:03 2020
*filter
:INPUT ACCEPT [235:34857]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [224:27000]
-A INPUT -d 192.168.11.254/32 -i wwan0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -d 192.168.11.254/32 -i wwan0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.11.254/32 -o wwan0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A OUTPUT -s 192.168.11.254/32 -o wwan0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT

ip route show table all

default via 192.168.1.1 dev wwan0 table 220 proto static src 192.168.11.254
default via 192.168.1.1 dev wwan0
192.168.1.0/24 dev wwan0 proto kernel scope link src 192.168.1.100
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev wwan0 table local proto kernel scope link src 192.168.1.100
local 192.168.1.100 dev wwan0 table local proto kernel scope host src 192.168.1.100
broadcast 192.168.1.255 dev wwan0 table local proto kernel scope link src 192.168.1.100
local 192.168.11.254 dev wwan0 table local proto kernel scope host src 192.168.11.254
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev wwan0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::8c85:a8ff:fe59:1d79 dev wwan0 table local proto kernel metric 0 pref medium
ff00::/8 dev wwan0 table local metric 256 pref medium

ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: wwan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 8e:85:a8:59:1d:79 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.100/24 brd 192.168.1.255 scope global dynamic wwan0
       valid_lft 42250sec preferred_lft 42250sec
    inet 192.168.11.254/32 scope global wwan0
       valid_lft forever preferred_lft forever
    inet6 fe80::8c85:a8ff:fe59:1d79/64 scope link
       valid_lft forever preferred_lft forever

ip -s xfrm state after sending the same ping to 8.8.8.8

root@focal-ventana:~# ip -s xfrm state
src 192.168.1.100 dst 18.xxx.xxx.xxx
        proto esp spi 0x0ce2b2ec(216183532) reqid 1(0x00000001) mode tunnel
        replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
        auth-trunc hmac(sha1) 0x960b069b0a13ba25dcb30b85f8d5c7ce62efce48 (160 bits) 96
        enc cbc(aes) 0x032cc1a7afb2035dd4b6124bf0a845f7 (128 bits)
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0xd, bitmap 0x00000000
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 2921(sec), hard 3600(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          1092(bytes), 13(packets)
          add 2020-12-14 20:26:13 use 2020-12-14 20:36:15
        stats:
          replay-window 0 replay 0 failed 0
src 18.xxx.xx.x dst 192.168.1.100
        proto esp spi 0xc56be3e6(3312182246) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        auth-trunc hmac(sha1) 0xa6789f18e159b6abc44c20850bada3b903c9a161 (160 bits) 96
        enc cbc(aes) 0xf6b72416ee9c739502a67dc14883334b (128 bits)
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 2582(sec), hard 3600(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2020-12-14 20:26:13 use -
        stats:
          replay-window 0 replay 0 failed 0


/proc/net/xfrm_stat


root@focal-ventana:~# vi /proc/net/xfrm_stat
XfrmInError                     0
XfrmInBufferError               0
XfrmInHdrError                  0
XfrmInNoStates                  0
XfrmInStateProtoError           0
XfrmInStateModeError            0
XfrmInStateSeqError             0
XfrmInStateExpired              0
XfrmInStateMismatch             0
XfrmInStateInvalid              0
XfrmInTmplMismatch              0
XfrmInNoPols                    0
XfrmInPolBlock                  0
XfrmInPolError                  0
XfrmOutError                    0
XfrmOutBundleGenError           0
XfrmOutBundleCheckError         0
XfrmOutNoStates                 0
XfrmOutStateProtoError          0
XfrmOutStateModeError           0
XfrmOutStateSeqError            0
XfrmOutStateExpired             0
XfrmOutPolBlock                 0
XfrmOutPolDead                  0
XfrmOutPolError                 0
XfrmFwdHdrError                 0
XfrmOutStateInvalid             0
XfrmAcquireError                0

iptables -t nat -L


Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

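As an added diagnostic example (not part of the question and not strongSwan's code), the following Python helper reads the two artefacts posted above, `ip -s xfrm state` and `/proc/net/xfrm_stat`, and combines them with the number of inbound ESP/NAT-T packets a sniffer saw on the interface, to say which layer is losing the replies. The sample inputs are constructed to mirror the 4G case above (outbound SA at 13 packets, inbound SA at 0 packets, every XFRM error counter at 0, ESP replies visible in the capture); the peer address 18.0.0.1 is a placeholder for the redacted 18.xxx address. An inbound SA counter that stays at zero while XFRM reports no error means the replies never reached `xfrm_input` at all, so the drop sits between the capture point and XFRM (NAT-T UDP 4500 decapsulation, netfilter, or the network driver, which is where the answer below finds it) rather than in IPsec policy or the inner routing.

```python
"""Locate where IPsec replies are lost: wire, driver, XFRM, or inner routing.

Added diagnostic example, not code from the question or from strongSwan.
It parses `ip -s xfrm state` and `/proc/net/xfrm_stat` (both posted in the
question) and combines them with the number of inbound ESP/NAT-T packets a
sniffer saw on the interface.  All sample data below is constructed; the peer
address 18.0.0.1 stands in for the redacted 18.xxx.xxx.xxx.
"""
import re
import subprocess

LOCAL_IP = "192.168.1.100"  # outer tunnel endpoint on the modem side (from the question)

# Constructed: abridged `ip -s xfrm state` in the shape the question shows (keys omitted).
SAMPLE_XFRM_STATE = """\
src 192.168.1.100 dst 18.0.0.1
        proto esp spi 0x0ce2b2ec(216183532) reqid 1(0x00000001) mode tunnel
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        lifetime config:
          limit: soft (INF)(packets), hard (INF)(packets)
        lifetime current:
          1092(bytes), 13(packets)
src 18.0.0.1 dst 192.168.1.100
        proto esp spi 0xc56be3e6(3312182246) reqid 1(0x00000001) mode tunnel
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        lifetime config:
          limit: soft (INF)(packets), hard (INF)(packets)
        lifetime current:
          0(bytes), 0(packets)
"""

# Constructed: /proc/net/xfrm_stat with every counter at zero, as in the question.
SAMPLE_XFRM_STAT = """\
XfrmInError                     0
XfrmInNoStates                  0
XfrmInStateMismatch             0
XfrmInNoPols                    0
XfrmOutError                    0
"""


def parse_xfrm_state(text):
    """Return one (src, dst, spi, packets) tuple per SA from `ip -s xfrm state`."""
    sas = []
    for block in re.split(r"^(?=src )", text, flags=re.M):
        head = re.match(r"src (\S+) dst (\S+)", block)
        spi = re.search(r"\bspi (0x[0-9a-f]+)", block)
        # "(INF)(packets)" on the limit lines has no digits in front of it, so
        # this only matches the "lifetime current" counter.
        pkts = re.search(r"(\d+)\(packets\)", block)
        if head and spi and pkts:
            sas.append((head.group(1), head.group(2), spi.group(1), int(pkts.group(1))))
    return sas


def parse_xfrm_stat(text):
    """Map counter name -> value from /proc/net/xfrm_stat."""
    return {k: int(v) for k, v in re.findall(r"^(Xfrm\w+)\s+(\d+)", text, flags=re.M)}


def diagnose(local_ip, sas, stats, esp_in_on_wire):
    """Classify the drop.  esp_in_on_wire is the inbound ESP count from the sniffer."""
    out_pkts = sum(sa[3] for sa in sas if sa[0] == local_ip)
    in_pkts = sum(sa[3] for sa in sas if sa[1] == local_ip)
    errors = sorted(k for k, v in stats.items() if v)
    if out_pkts == 0:
        return "no-outbound"            # nothing hit the outbound SA: policy/route problem
    if errors:
        return "xfrm-error:" + ",".join(errors)   # XFRM saw and rejected the replies
    if in_pkts > 0:
        return "ipsec-ok"               # replies were decrypted: look at inner routing/firewall
    if esp_in_on_wire > 0:
        # Replies reached the capture point, the inbound SA never counted one and
        # XFRM logged no error: the loss is below XFRM (NAT-T UDP 4500 path,
        # netfilter, or the NIC driver).
        return "dropped-before-xfrm"
    return "no-reply-on-wire"           # peer or carrier NAT is not returning ESP


def diagnose_live(local_ip, esp_in_on_wire):
    """Same check against the running system (needs root; not used by the sample)."""
    state = subprocess.run(["ip", "-s", "xfrm", "state"],
                           capture_output=True, text=True, check=True).stdout
    with open("/proc/net/xfrm_stat") as f:
        stats = parse_xfrm_stat(f.read())
    return diagnose(local_ip, parse_xfrm_state(state), stats, esp_in_on_wire)


if __name__ == "__main__":
    sas = parse_xfrm_state(SAMPLE_XFRM_STATE)
    # 7 inbound ESP packets seen by the sniffer (constructed, matching the 4G dump).
    print(diagnose(LOCAL_IP, sas, parse_xfrm_stat(SAMPLE_XFRM_STAT), esp_in_on_wire=7))
```

One check worth adding when the result is "dropped-before-xfrm": capture with `tcpdump -e` to see the destination MAC of the incoming frames, and again with `-p` (no promiscuous mode). A frame whose destination MAC is not the interface's own address is still shown by a promiscuous capture, but the kernel marks it PACKET_OTHERHOST and discards it before IP input, so it never reaches UDP 4500 or XFRM and no XFRM counter moves; that is exactly the signature the question's output shows, and a MAC-related driver patch is what the answer below points at.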
Answer 1

So it works.

The Toby L210 4G modem uses RNDIS as its virtual Ethernet link by factory default. RNDIS caused problems with network traffic even without IPsec, so I switched to CDC-ECM.

From the u-blox AT command manual:

On a Linux system, to reach the maximum throughput it is necessary to recompile the kernel. Apply the following modification in /kernel/drivers/net/usb/usbnet.c:
Replace "size_t size = dev->rx_urb_size;" with "size_t size = (16*1024);".
If it is not possible to recompile the kernel, then try to use CDC-ECM.

Now, with CDC-ECM, incoming traffic on IPsec was being lost somewhere, so I switched back to RNDIS with the driver optimization disabled.


The RNDIS interface may not work if the Linux kernel version of the DTE is higher than 4.8 and the RNDIS driver optimization is enabled (AT+UDCONF=67,1).
The reported behavior is due to the "rndis_host: Set valid random MAC on buggy devices" patch introduced in kernel version v4.8-rc1:
https://github.com/torvalds/linux/commit/a5a18bdf7453d505783e40e47ebb84bfdd35f93b#diff6dfe16ca0bdcdc21501ef11cfd202a10

The patch presents an incompatibility with the RNDIS driver optimization, which leads to TCP and UDP traffic loss.

The issue is not present if the RNDIS driver optimization is disabled (AT+UDCONF=67,0), however this may lead to lower throughput.
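As an added example (not from the answer, and not u-blox's or ModemManager's code), here is a small Python helper that turns the RNDIS driver optimization off with AT+UDCONF=67,0 and reads the setting back. Its assumptions are labelled in the code: the AT port is a pyserial-accessible device such as /dev/ttyUSB2 (path assumed), the read-back query is `AT+UDCONF=67?` and answers `+UDCONF: 67,<n>` followed by OK (assumed from the general form of u-blox +UDCONF queries), and the sample replies are constructed.

```python
"""Disable the u-blox RNDIS driver optimisation (AT+UDCONF=67,0) and verify it.

Added example; not code from the answer, from u-blox or from ModemManager.
Assumed: the AT port is a serial device such as /dev/ttyUSB2 (path assumed),
pyserial is available for the live exchange, and `AT+UDCONF=67?` replies
`+UDCONF: 67,<n>` followed by OK (assumed from the general +UDCONF query form).
"""
import re

RNDIS_OPT_PARAM = 67  # +UDCONF parameter for the RNDIS driver optimisation (from the answer)


def udconf_set(param, value):
    """Build the write form, e.g. udconf_set(67, 0) -> 'AT+UDCONF=67,0'."""
    return "AT+UDCONF=%d,%d" % (param, value)


def udconf_query(param):
    """Build the read form (assumed syntax), e.g. 'AT+UDCONF=67?'."""
    return "AT+UDCONF=%d?" % param


def parse_udconf_reply(raw, param):
    """Return the integer value from a '+UDCONF: <param>,<value>' reply.

    Raises RuntimeError on an ERROR final result and ValueError on anything
    that is neither a matching +UDCONF line nor a final OK.
    """
    text = raw.decode("ascii", "replace")
    if re.search(r"^\+?(CME |CMS )?ERROR", text, flags=re.M):
        raise RuntimeError("modem rejected the command: " + text.strip())
    m = re.search(r"^\+UDCONF:\s*%d,(\d+)\s*$" % param, text, flags=re.M)
    if not m or not re.search(r"^OK\s*$", text, flags=re.M):
        raise ValueError("unexpected reply: " + repr(text))
    return int(m.group(1))


def parse_final_result(raw):
    """True for OK, False for ERROR (write commands return no +UDCONF line)."""
    text = raw.decode("ascii", "replace")
    if re.search(r"^OK\s*$", text, flags=re.M):
        return True
    if "ERROR" in text:
        return False
    raise ValueError("no final result code in: " + repr(text))


def at_exchange(port, command, timeout=2.0):
    """Send one AT command on the serial port and return the raw reply bytes."""
    import serial  # pyserial; imported here so the parsers work without it installed
    with serial.Serial(port, 115200, timeout=timeout) as ser:
        ser.reset_input_buffer()
        ser.write((command + "\r").encode("ascii"))
        return ser.read(512)


def disable_rndis_optimisation(port, exchange=at_exchange):
    """Write 67,0 and read it back; True when the modem now reports 0.

    `exchange` is injectable so the flow can be driven by a fake modem.
    """
    if not parse_final_result(exchange(port, udconf_set(RNDIS_OPT_PARAM, 0))):
        return False
    value = parse_udconf_reply(exchange(port, udconf_query(RNDIS_OPT_PARAM)), RNDIS_OPT_PARAM)
    return value == 0


if __name__ == "__main__":
    print(disable_rndis_optimisation("/dev/ttyUSB2"))  # device path assumed
```

ModemManager normally holds the modem's AT ports open, so either stop it before talking to the port directly or go through its passthrough (`mmcli -m <index> --command='AT+UDCONF=67,0'`, which only works when the daemon was started with `--debug`).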
