Сломался IPSEC после обновлений

Yamah · Сообщение **Yamah** » 09 ноя 2023, 09:40

Добрый день. Где-то между февралем и ноябрем этого года сломался IPSEC. В феврале я нормально пользовался им для подключения к этому же ресурсу. В другом российском дистрибутиве проблем сейчас нет.

Подключения просто отваливаются как на libreswan, так и на strongSwan

LibreSwan

Код: Выделить всё

/usr/libexec/nm-l2tp-service --debug
nm-l2tp[20936] <debug> nm-l2tp-service (version 1.8.2) starting...
nm-l2tp[20936] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[20936] <info>  ipsec enable flag: yes
** Message: 13:19:21.407: Check port 1701
connection
        id : 'My Need VPN'
        permissions : ['user:myuser:']
        type : 'vpn'
        uuid : 'SAME_UUID'

vpn
        data : {'gateway': 'vpn-host.remote_domain.ru', 'ipsec-enabled': 'yes', 'ipsec-esp': 'aes128-sha1!', 'ipsec-ike': 'aes128-sha1-modp1024!', 'ipsec-psk': 'VPN_PSK', 'no-vj-comp': 'yes', 'noaccomp': 'yes', 'nobsdcomp': 'yes', 'nodeflate': 'yes', 'nopcomp': 'yes', 'password-flags': '1', 'refuse-chap': 'yes', 'refuse-eap': 'yes', 'refuse-mschap': 'yes', 'refuse-mschapv2': 'yes', 'user': 'remote_user@remote_domain.loc'}
        secrets : {'password': 'password'}
        service-type : 'org.freedesktop.NetworkManager.l2tp'
        user-name : 'myuser'

ipv4
        address-data : []
        dns : []
        dns-search : []
        method : 'auto'
        route-data : []

ipv6
        address-data : []
        dns : []
        dns-search : []
        method : 'auto'
        route-data : []

proxy

nm-l2tp[21799] <info>  starting ipsec
whack: Pluto is not running (no "/run/pluto/pluto.ctl")
Redirecting to: systemctl restart ipsec.service
002 listening for IKE messages
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
opening file: /var/run/nm-l2tp-SAME_UUID/ipsec.conf
debugging mode enabled
end of file /var/run/nm-l2tp-SAME_UUID/ipsec.conf
Loading conn SAME_UUID
starter: left is KH_DEFAULTROUTE
loading named conns: SAME_UUID
resolving src = <defaultroute> gateway = <defaultroute> peer REMOTE_IP
  seeking gateway
  query getroute +REQUEST +ROOT +MATCH
  add dst REMOTE_IP (peer->addr)
  src <unset-address> prefsrc <unset-address> gateway MY_GATEWAY dst <unset-address> dev enp3s0 priority 100 pref -1 table 254
  found gateway (host_nexthop): MY_GATEWAY
  please-call-again: src = <defaultroute> gateway = MY_GATEWAY
resolving src = <defaultroute> gateway = MY_GATEWAY peer REMOTE_IP
  seeking prefsrc
  query getroute +REQUEST
  add dst MY_GATEWAY (host->nexthop)
  ignoring 25
  src <unset-address> prefsrc MY_IP gateway <unset-address> dst MY_GATEWAY dev enp3s0 priority -1 pref -1 table 254 +cacheinfo
  found prefsrc (host_addr): MY_IP
  success: src = MY_IP gateway = MY_GATEWAY
resolving src = REMOTE_IP gateway = <not-set> peer MY_IP
  seeking nothing
conn: "SAME_UUID" modecfgdns=<unset>
conn: "SAME_UUID" modecfgdomains=<unset>
conn: "SAME_UUID" modecfgbanner=<unset>
conn: "SAME_UUID" mark=<unset>
conn: "SAME_UUID" mark-in=<unset>
conn: "SAME_UUID" mark-out=<unset>
conn: "SAME_UUID" vti_iface=<unset>
conn: "SAME_UUID" redirect-to=<unset>
conn: "SAME_UUID" accept-redirect-to=<unset>
conn: "SAME_UUID" esp=aes128-sha1!
conn: "SAME_UUID" ike=aes128-sha1-modp1024!
036 "SAME_UUID": failed to add connection: IKE DH algorithm 'modp1024!' is not recognized
nm-l2tp[21799] <warn>  Could not establish IPsec tunnel.

(nm-l2tp-service:21799): GLib-GIO-CRITICAL **: 13:34:39.234: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

StrongSwan

Код: Выделить всё

/usr/libexec/nm-l2tp-service --debug
nm-l2tp[20936] <debug> nm-l2tp-service (version 1.8.2) starting...
nm-l2tp[20936] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[20936] <info>  ipsec enable flag: yes
** Message: 13:19:21.407: Check port 1701
connection
        id : 'My Need VPN'
        permissions : ['user:myuser:']
        type : 'vpn'
        uuid : 'SAME_UUID'

vpn
        data : {'gateway': 'vpn-host.remote_domain.ru', 'ipsec-enabled': 'yes', 'ipsec-esp': 'aes128-sha1!', 'ipsec-ike': 'aes128-sha1-modp1024!', 'ipsec-psk': 'VPN_PSK', 'no-vj-comp': 'yes', 'noaccomp': 'yes', 'nobsdcomp': 'yes', 'nodeflate': 'yes', 'nopcomp': 'yes', 'password-flags': '1', 'refuse-chap': 'yes', 'refuse-eap': 'yes', 'refuse-mschap': 'yes', 'refuse-mschapv2': 'yes', 'user': 'remote_user@remote_domain.loc'}
        secrets : {'password': 'password'}
        service-type : 'org.freedesktop.NetworkManager.l2tp'
        user-name : 'myuser'

ipv4
        address-data : []
        dns : []
        dns-search : []
        method : 'auto'
        route-data : []

ipv6
        address-data : []
        dns : []
        dns-search : []
        method : 'auto'
        route-data : []

proxy

nm-l2tp[20936] <info>  starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.9.10 IPsec [starter]...
Loading config setup
Loading conn 'SAME_UUID'
nm-l2tp[20936] <info>  Spawned ipsec up script with PID 20986.
initiating Main Mode IKE_SA SAME_UUID[1] to <REMOTE_ADDRESS>
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from <MY_LOCAL_IP>[500] to <REMOTE_ADDRESS>[500] (180 bytes)
received packet: from <REMOTE_ADDRESS>[500] to <MY_LOCAL_IP>[500] (276 bytes)
parsed ID_PROT response 0 [ SA V V V V V V V V V V ]
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-03 vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received draft-ietf-ipsec-nat-t-ike-02 vendor ID
received draft-ietf-ipsec-nat-t-ike-00 vendor ID
received FRAGMENTATION vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 03:10:17:e0:7f:7a:82:e3:aa:69:50:c9:99:99:01:01
received unknown vendor ID: 1d:c0:10:31:3c:49:35:59:e2:d0:87:a7:5b:9b:de:ca
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from <MY_LOCAL_IP>[500] to <REMOTE_ADDRESS>[500] (244 bytes)
received packet: from <REMOTE_ADDRESS>[500] to <MY_LOCAL_IP>[500] (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from <MY_LOCAL_IP>[4500] to <REMOTE_ADDRESS>[4500] (76 bytes)
received packet: from <REMOTE_ADDRESS>[4500] to <MY_LOCAL_IP>[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA SAME_UUID[1] established between <MY_LOCAL_IP>[<MY_LOCAL_IP>]...<REMOTE_ADDRESS>[<REMOTE_ADDRESS>]
scheduling reauthentication in 9763s
maximum IKE_SA lifetime 10303s
generating QUICK_MODE request 993333236 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from <MY_LOCAL_IP>[4500] to <REMOTE_ADDRESS>[4500] (204 bytes)
received packet: from <REMOTE_ADDRESS>[4500] to <MY_LOCAL_IP>[4500] (204 bytes)
parsed QUICK_MODE response 993333236 [ HASH SA No ID ID NAT-OA NAT-OA ]
selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
  IPsec SA: unsupported mode
failed to create SAD entry
  IPsec SA: unsupported mode
failed to create SAD entry
unable to install inbound and outbound IPsec SA (SAD) in kernel
establishing connection 'SAME_UUID' failed
nm-l2tp[20936] <info>  strongSwan IPsec tunnel is up.
** Message: 13:19:24.771: xl2tpd started with pid 20995
xl2tpd[20995]: Not looking for kernel SAref support.
xl2tpd[20995]: This binary does not support kernel L2TP.
xl2tpd[20995]: xl2tpd version xl2tpd-1.3.16 started on host.myuser.zone PID:20995
xl2tpd[20995]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[20995]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[20995]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[20995]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[20995]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[20995]: get_call: allocating new tunnel for host <REMOTE_ADDRESS>, port 1701.
xl2tpd[20995]: Connecting to host <REMOTE_ADDRESS>, port 1701
xl2tpd[20995]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
xl2tpd[20995]: control_finish: sending SCCRQ
nm-l2tp[20936] <warn>  Looks like pppd didn't initialize our dbus module
nm-l2tp[20936] <info>  Terminated xl2tpd daemon with PID 20995.
xl2tpd[20995]: death_handler: Fatal signal 15 received
Stopping strongSwan IPsec...
** Message: 13:19:38.902: ipsec shut down
nm-l2tp[20936] <warn>  xl2tpd exited with error code 1
Stopping strongSwan IPsec failed: starter is not running
** Message: 13:19:38.918: ipsec shut down

Как починить все это?

Сообщение **irton** » 09 ноя 2023, 13:23

https://github.com/nm-l2tp/NetworkManag ... issues/123 оно?

Yamah · Сообщение **Yamah** » 09 ноя 2023, 14:02

irton писал(а): ↑
09 ноя 2023, 13:23
https://github.com/nm-l2tp/NetworkManag ... issues/123 оно?

Да. Я отсюда брал идею сменить на strongswan. Но ошибка осталась.

Сообщение **irton** » 09 ноя 2023, 15:00

strongswan обновлялся 6 месяцев назад версия 5.9.10
libreswan 9 дней назад закрыли уязвимости, обновления не было, версия 4.6-3

Сообщение **irton** » 09 ноя 2023, 15:23

у меня с английским не сильно, modp1024 где рекомендуют выключить?

Yamah · Сообщение **Yamah** » 09 ноя 2023, 17:21

irton писал(а): ↑
09 ноя 2023, 15:23
у меня с английским не сильно, modp1024 где рекомендуют выключить?

На гитхабе предлагают убрать протокол из настроек L2TP в NetworkManger. Но вот беда, "aes128-sha1-modp1024!" требуется стороной, к которой я подключаюсь. Как и "aes128-sha1!". Если я эти параметры уберу, то я все равно ловлю ошибку:

Код: Выделить всё

xl2tpd[29042]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
xl2tpd[29042]: control_finish: sending SCCRQ
nm-l2tp[28346] <warn>  Looks like pppd didn't initialize our dbus module
nm-l2tp[28346] <info>  Terminated xl2tpd daemon with PID 29042.
xl2tpd[29042]: death_handler: Fatal signal 15 received

В гитехабе есть предложение включить при компиляции DH2, хоть это и не безопасно.

"If you really want you can enable it at compile time with USE_DH2=true

But everything that supports DH2 also supports DH5. We are pretty sure nationstates can successfully attack DH2. You really cannot expect to use crypto parameters that were already not the most secure TWENTY years ago to still keep working unmodified.

That's unfortunate, I know of legacy VPN servers that only support DH2.

I'll update the Fedora NetworkManager-l2tp RPMs with a patch to remove modp1024."

Может форкнуть пакет и собрать с этим флагом отдельно от основной ветки?

Сообщение **irton** » 10 ноя 2023, 06:14

да, вот отсель пакеты возьми https://abf.io/build_lists/4818374 , если что в телеграм мне пиши.

Yamah · Сообщение **Yamah** » 10 ноя 2023, 08:26

irton писал(а): ↑
10 ноя 2023, 06:14
да, вот отсель пакеты возьми https://abf.io/build_lists/4818374 , если что в телеграм мне пиши.

Проверил. Ошибка та же.

Код: Выделить всё

036 "SAME_UUID": failed to add connection: IKE DH algorithm 'modp1024!' is not recognized
nm-l2tp[4449] <warn>  Could not establish IPsec tunnel.