IPSec linux doesn't route SIP connection to trunk

I'm trying to connect to a SIP trunk with Asterisk over an IPSec tunnel, but the routing doesn't seem to be working... Coming from OpenVPN, I assumed IPSec would bring up some interface and pass the traffic through it.

I'll list my IPs here as X, Y, Z...

My IPSec config is:

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        dumpdir=/var/run/pluto/
        interfaces="%defaultroute"
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least upto 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null
conn sTest01
        type=tunnel
        connaddrfamily=ipv4
        left=XXX.XXX.XXX.XXX
        leftnexthop=%defaultroute
        leftsourceip=XXX.XXX.XXX.XXX
        right=YYY.YYY.YYY.YYY
        rightid=YYY.YYY.YYY.YYY
        rightsubnet=ZZZ.ZZZ.ZZZ.ZZZ/32
        #rightsubnet=0.0.0.0/0
        pfs=no
        keyingtries=4
        rekeymargin=15m
        authby=secret
        ike=aes256-sha1;modp1536
        phase2alg=aes256-sha1;modp1536
        lifetime=28800s
        auto=start

conn sTest02
        type=tunnel
        connaddrfamily=ipv4
        left=XXX.XXX.XXX.XXX
        leftnexthop=%defaultroute
        leftsourceip=XXX.XXX.XXX.XXX
        right=YYY.YYY.YYY.YYY
        rightsubnet=ZZZ.ZZZ.ZZZ.ZZZ/32
        #rightsubnet=0.0.0.0/0
        pfs=no
        keyingtries=4
        rekeymargin=15m
        authby=secret
        ike=aes256-sha1;modp1536
        phase2alg=aes256-sha1;modp1536
        lifetime=28800s
        auto=start

My routing table:

    root@lix ~ # netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
    XXX.XXX.XXX.XXX 0.0.0.0         255.255.255.255 UH        0 0          0 eth0    (1 Trunk)
    XXX.XXX.XXX.XXX 0.0.0.0         255.255.255.255 UH        0 0          0 eth0    (2 Trunk)
    84.XXX.XXX.0    0.0.0.0         255.255.192.0   U         0 0          0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0

ipsec verify

root@lix ~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.12.28+ (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
    [OK]
    [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

When I restart ipsec I don't see anything unusual in the logs.

Syslog:

Feb  9 16:22:35 lix ipsec_starter[4050]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:35 lix ipsec_starter[4050]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:35 lix ipsec_setup: Stopping Openswan IPsec...
Feb  9 16:22:39 lix kernel: [ 1066.612566] NET: Unregistered protocol family 15
Feb  9 16:22:39 lix ipsec_setup: ...Openswan IPsec stopped
Feb  9 16:22:39 lix ipsec_starter[4125]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:39 lix ipsec_starter[4125]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:39 lix kernel: [ 1066.965557] NET: Registered protocol family 15
Feb  9 16:22:39 lix ipsec_setup: Starting Openswan IPsec U2.6.37/K3.12.28+...
Feb  9 16:22:40 lix ipsec_setup: Using NETKEY(XFRM) stack
Feb  9 16:22:40 lix ipsec_setup: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:40 lix ipsec_starter[4209]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:40 lix ipsec_setup: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:40 lix ipsec_starter[4209]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_setup: ...Openswan IPsec started
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4220]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4220]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix pluto: adjusting ipsec.d to /etc/ipsec.d
Feb  9 16:22:41 lix ipsec_starter[4221]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4221]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4222]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4222]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:42 lix ipsec__plutorun: 002 added connection description "sTest01"
Feb  9 16:22:42 lix ipsec__plutorun: 002 added connection description "sTest02"
Feb  9 16:22:42 lix ipsec__plutorun: 104 "sTest01" #1: STATE_MAIN_I1: initiate

whack

root@lix ~ # ipsec whack --name sTest01 --initiate
002 "sTest01" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:ea6824a9 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
117 "sTest01" #4: STATE_QUICK_I1: initiate
002 "sTest01" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "sTest01" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x2caadd64 <0x69b0a0e0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}

root@lix ~ # ipsec whack --name sTest02 --initiate
002 "sTest02" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:956ccc0e proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
117 "sTest02" #5: STATE_QUICK_I1: initiate
002 "sTest02" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "sTest02" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6e58c948 <0x7177b9ed xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Asterisk CLI:

lix*CLI> sip show peers
Name/username             Host                                    Dyn Forcerport ACL Port     Status     
peer                      80.XX.XXX.149                                N             5060     UNREACHABLE

If anyone can help, I can post more information if someone needs it.

Thanks
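Added example, not part of the question or any answer: with `protostack=netkey` there is no tunnel interface to route over; the kernel encrypts a packet only when its source and destination fall inside a conn's `leftsubnet`/`rightsubnet` selectors, so the SIP peer must sit inside `rightsubnet` and Asterisk must source its packets from `leftsourceip`. This script parses an ipsec.conf-style `conn` block and tests candidate flows; the config and all addresses are constructed (RFC 5737 documentation ranges), not the asker's.

```python
"""Added example: would a SIP peer's flow be carried by an Openswan conn?
With protostack=netkey there is no tunnel interface; a packet is encrypted only
if (src, dst) matches a conn's leftsubnet/rightsubnet. Addresses: RFC 5737."""
import ipaddress
import re

# Constructed config in the question's layout; leftsubnet is omitted, so it
# defaults to left/32 (the "defaulting leftsubnet" lines in the syslog).
SAMPLE_CONF = """
conn sTest01
        left=203.0.113.10
        leftsourceip=203.0.113.10
        right=198.51.100.1
        rightsubnet=198.51.100.50/32
        #rightsubnet=0.0.0.0/0
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def flow_covered(conn, src_ip, dst_ip):
    """True if src->dst falls inside this conn's traffic selectors."""
    left = conn.get("leftsubnet", conn["left"] + "/32")
    right = conn.get("rightsubnet", conn["right"] + "/32")
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(left, strict=False)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(right, strict=False))

def covering_conns(conns, src_ip, dst_ip):
    """Conn names that would carry src->dst; empty means it leaves in the clear."""
    return sorted(n for n, c in conns.items() if flow_covered(c, src_ip, dst_ip))

if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    for src, dst in [("203.0.113.10", "198.51.100.50"),  # from leftsourceip: covered
                     ("192.168.1.20", "198.51.100.50"),  # from wlan0 address: not covered
                     ("203.0.113.10", "198.51.100.51")]: # peer outside the /32
        print(src, "->", dst, covering_conns(conns, src, dst) or "NOT covered")
```

The second case is the one to check on the asker's box: if Asterisk binds to 0.0.0.0 the kernel picks the source from the default route (wlan0), which no selector covers.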

You need to restart asterisk after the tunnel is set up.

You have localnet or externip set to your vpn address.

Sorry, can't help you, since you've hidden too much information behind wildcards.