尝试使用 ipv6 连接时收到 netlink 错误:参数无效

尝试使用 ipv6 连接时收到 netlink 错误:参数无效

我正在尝试使用 ipv6 将发起方连接到响应方

两者都已打开Ubuntu 20.04strongswan 5.9.0 启动器位于连接到我的 ISP 网络的盒子后面的个人计算机上的虚拟机(使用 VMware)。VM 与主机使用 NAT 网络响应者是在线 VPS

发起者获得了一个 ipv6(其主机的 ipv6),并且可以 ping 响应者 ipv6。它的 ipv6 是<initiator_ipv6> 响应者 ipv6 似乎配置正确,我可以使用它 ping 和 ssh。它的 ipv6 是<responder_ipv6>

IPv6 已使用以下配置激活(由我的 VPS 提供商提供)

/etc/netplan/51-ipv6.yaml

network:
    version: 2
    ethernets:
        <responder_interface>:
            dhcp4: true
            dhcp6: false
            match:
              name: <responder_interface>
            addresses:
              - <responder_ipv6>/128
            gateway6: <responder_ipv6_gateway>
            routes:
              - to: <responder_ipv6_gateway>
                scope: link

两个 strongswan 都是使用以下命令在启动器上配置构建的:

./configure --prefix=<custom_dir> --with-piddir=<custom_dir>/var/run 
make
make install

它们具有相同的 strongswan.conf,这主要是默认设置,带有 filelog 选项,便于调试

charon {
        load_modular = yes

        plugins {

                include strongswan.d/charon/*.conf
        }
        filelog {
                logger {
                        path = <custom_dir>/swanctl.log
                        time_format = %b %e %T
                        ike_name = yes
                        default = 1
                        flush_line = yes
                }

        }
}

include strongswan.d/*.conf

响应者有以下 swanctl.conf

connections {
       # Seems to change nothing
       local_addrs  = <responder_ipv6> 
       pubkey-vm {
                pools = primary-pool-ipv4, primary-pool-ipv6
                local {
                        auth = pubkey
                        certs = <responder_cert>
                        id = <responder_id>
                }
                remote {
                        auth = pubkey
                        id = <initiator_id>
                }
                children {
                        client {
                        }
                }
        }
}

pools {
    primary-pool-ipv4 {
        # Totally arbitrary value
        addrs = 10.0.0.0/24 
    }
    primary-pool-ipv6 {
        # Totally arbitrary value
        addrs = 2620:0:2d0:200::7/97
    }
}

发起者有以下配置

connections {
        initiator-to-host {
                remote_addrs = <responder_ip>
                # Any value works, at long as vips got a value (but assigned ip will be in the respodner pool)
                vips = 1.2.3.4
                local {
                        auth = pubkey
                        certs = <initator_cert>
                        id = <initiator_id>
                }

                remote {
                        auth = pubkey
                        id = <responder_id>
                }
                children {
                        to-host {
                                start_action = none
                        }
                }
        }
}

当我尝试使用响应器 ipv4 进行连接时,它可以工作,并且启动成功完成。当我将 ip 切换到 ipv6 时,它不起作用,我在响应器上收到以下日志

<pubkey-vm|4> received packet: from <initiator_ipv6>[53870] to <responder_ipv6>[4500] (80 bytes)
<pubkey-vm|4> parsed INFORMATIONAL request 2 [ D ]
<pubkey-vm|4> received DELETE for IKE_SA pubkey-vm[4]
<pubkey-vm|4> deleting IKE_SA pubkey-vm[4] between <responder_ipv6>[<responder_id>]...<initiator_ipv6>[<initiator_id>]
<pubkey-vm|4> IKE_SA deleted
<pubkey-vm|4> generating INFORMATIONAL response 2 [ ]
<pubkey-vm|4> sending packet: from <responder_ipv6>[4500] to <initiator_ipv6>[53870] (80 bytes)
<pubkey-vm|4> lease 10.0.0.1 by '<initiator_id>' went offline
<5> received packet: from <initiator_ipv6>[1016] to <responder_ipv6>[500] (392 bytes)
<5> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
<5> <initiator_ipv6> is initiating an IKE_SA
<5> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
<5> remote host is behind NAT
<5> sending cert request for "C=FR, O=Test, CN=Test CA"
<5> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
<5> sending packet: from <responder_ipv6>[500] to <initiator_ipv6>[1016] (273 bytes)
<5> received packet: from <initiator_ipv6>[53870] to <responder_ipv6>[4500] (356 bytes)
<5> parsed IKE_AUTH request 1 [ EF(2/2) ]
<5> received fragment #2 of 2, waiting for complete IKE message
<5> received packet: from <initiator_ipv6>[53870] to <responder_ipv6>[4500] (1220 bytes)
<5> parsed IKE_AUTH request 1 [ EF(1/2) ]
<5> received fragment #1 of 2, reassembled fragmented IKE message (1504 bytes)
<5> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
<5> received cert request for "C=FR, O=Test, CN=Test CA"
<5> received end entity cert "C=FR, O=Test, CN=<initiator_id>"
<5> looking for peer configs matching <responder_ipv6>[<responder_id>]...<initiator_ipv6>[<initiator_id>]
<pubkey-vm|5> selected peer config 'pubkey-vm'
<pubkey-vm|5>   using trusted ca certificate "C=FR, O=Test, CN=Test CA"
<pubkey-vm|5> checking certificate status of "C=FR, O=Test, CN=<initiator_id>"
<pubkey-vm|5> certificate status is not available
<pubkey-vm|5>   reached self-signed root ca with a path length of 0
<pubkey-vm|5>   using trusted certificate "C=FR, O=Test, CN=<initiator_id>"
<pubkey-vm|5> authentication of '<initiator_id>' with RSA_EMSA_PKCS1_SHA2_256 successful
<pubkey-vm|5> peer supports MOBIKE
<pubkey-vm|5> authentication of '<responder_id>' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
<pubkey-vm|5> IKE_SA pubkey-vm[5] established between <responder_ipv6>[<responder_id>]...<initiator_ipv6>[<initiator_id>]
<pubkey-vm|5> scheduling rekeying in 14286s
<pubkey-vm|5> maximum IKE_SA lifetime 15726s
<pubkey-vm|5> sending end entity cert "C=FR, O=Test, CN=<responder_id>"
<pubkey-vm|5> peer requested virtual IP 1.2.3.4
<pubkey-vm|5> reassigning offline lease to '<initiator_id>'
<pubkey-vm|5> assigning virtual IP 10.0.0.1 to peer '<initiator_id>'
<pubkey-vm|5> selected proposal: ESP:AES_GCM_16_128
<pubkey-vm|5> received netlink error: Invalid argument (22)
<pubkey-vm|5> unable to add SAD entry with SPI cffdef3f (FAILED)
<pubkey-vm|5> received netlink error: Invalid argument (22)
<pubkey-vm|5> unable to add SAD entry with SPI c028512b (FAILED)
<pubkey-vm|5> unable to install inbound and outbound IPsec SA (SAD) in kernel
<pubkey-vm|5> failed to establish CHILD_SA, keeping IKE_SA
<pubkey-vm|5> generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) N(MOBIKE_SUP) N(ADD_4_ADDR) N(NO_PROP) ]
<pubkey-vm|5> sending packet: from <responder_ipv6>[4500] to <initiator_ipv6>[53870] (1216 bytes)

客户端日志在这里

Starting IKE charon daemon (strongSwan 5.9.0, Linux 5.4.0-56-generic, x86_64)
loading ca certificates from '<custom_path>/etc/ipsec.d/cacerts'
loading aa certificates from '<custom_path>/etc/ipsec.d/aacerts'
loading ocsp signer certificates from '<custom_path>/etc/ipsec.d/ocspcerts'
loading attribute certificates from '<custom_path>/etc/ipsec.d/acerts'
loading crls from '<custom_path>/etc/ipsec.d/crls'
loading secrets from '<custom_path>/etc/ipsec.secrets'
loaded plugins: charon aes eap-aka eap-dynamic eap-identity eap-sim eap-tls des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
spawning 16 worker threads
loaded certificate 'C=FR, O=Test, CN=<responder_id>'
loaded certificate 'C=FR, O=Test, CN=<initiator_id>'
loaded certificate 'C=FR, O=Test, CN=Test CA'
loaded RSA private key
loaded RSA private key
added vici connection: host-host
vici initiate CHILD_SA 'to-host'
<host-host|1> initiating IKE_SA host-host[1] to <responder_ipv6>
<host-host|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
<host-host|1> sending packet: from <initiator_ipv6>[500] to <responder_ipv6>[500] (392 bytes)
<host-host|1> received packet: from <responder_ipv6>[500] to <initiator_ipv6>[500] (273 bytes)
<host-host|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
<host-host|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
<host-host|1> local host is behind NAT, sending keep alives
<host-host|1> received cert request for "C=FR, O=Test, CN=Test CA"
<host-host|1> sending cert request for "C=FR, O=Test, CN=Test CA"
<host-host|1> authentication of '<initiator_id>' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
<host-host|1> sending end entity cert "C=FR, O=Test, CN=<initiator_id>"
<host-host|1> establishing CHILD_SA to-host{1}
<host-host|1> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
<host-host|1> splitting IKE message (1504 bytes) into 2 fragments
<host-host|1> generating IKE_AUTH request 1 [ EF(1/2) ]
<host-host|1> generating IKE_AUTH request 1 [ EF(2/2) ]
<host-host|1> sending packet: from <initiator_ipv6>[4500] to <responder_ipv6>[4500] (1220 bytes)
<host-host|1> sending packet: from <initiator_ipv6>[4500] to <responder_ipv6>[4500] (356 bytes)
<host-host|1> received packet: from <responder_ipv6>[4500] to <initiator_ipv6>[4500] (1216 bytes)
<host-host|1> parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) N(MOBIKE_SUP) N(ADD_4_ADDR) N(NO_PROP) ]
<host-host|1> received end entity cert "C=FR, O=Test, CN=<responder_id>"
<host-host|1>   using trusted ca certificate "C=FR, O=Test, CN=Test CA"
<host-host|1> checking certificate status of "C=FR, O=Test, CN=<responder_id>"
<host-host|1> certificate status is not available
<host-host|1>   reached self-signed root ca with a path length of 0
<host-host|1>   using trusted certificate "C=FR, O=Test, CN=<responder_id>"
<host-host|1> authentication of '<responder_id>' with RSA_EMSA_PKCS1_SHA2_256 successful
<host-host|1> IKE_SA host-host[1] established between <initiator_ipv6>[<initiator_id>]...<responder_ipv6>[<responder_id>]
<host-host|1> scheduling rekeying in 13877s
<host-host|1> maximum IKE_SA lifetime 15317s
<host-host|1> installing new virtual IP 10.0.0.1
<host-host|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
<host-host|1> failed to establish CHILD_SA, keeping IKE_SA
<host-host|1> peer supports MOBIKE

有什么办法可以解决这个问题吗?

--enable-kernel-libipsec我尝试使用配置选项的解决方案。所以现在我得到了

./configure --prefix=<custom_dir> --with-piddir=<custom_dir>/var/run --enable-kernel-libipsec 

发起方日志保持不变,但我得到了下面的新响应方日志

[CFG] <pubkey-vm|1> selected proposal: ESP:AES_GCM_16_128
[ESP] <pubkey-vm|1> failed to create ESP context: unsupported AEAD algorithm AES_GCM_16
[ESP] <pubkey-vm|1> failed to create SAD entry
[ESP] <pubkey-vm|1> failed to create ESP context: unsupported AEAD algorithm AES_GCM_16
[ESP] <pubkey-vm|1> failed to create SAD entry
[IKE] <pubkey-vm|1> unable to install inbound and outbound IPsec SA (SAD) in kernel
[IKE] <pubkey-vm|1> failed to establish CHILD_SA, keeping IKE_SA

答案1

如果您的主机之间存在 NAT,正如对等端在此处检测到的那样:

<5> remote host is behind NAT

<host-host|1> local host is behind NAT, sending keep alives

将为 IPsec SA(NAT 穿越)启用 ESP 的 UDP 封装。但是,这需要 IPsec 堆栈的支持,而 Linux 自 5.8 版起才为 IPv6 提供该支持。因此,对于较旧的内核,这不起作用。

您必须使用较新的内核,删除 NAT,重新使用 IPv4,或者使用其他 IPsec 堆栈(例如 strongSwan 自己的libipsec)。

相关内容