Good afternoon, colleagues.
I have run into a problem. I need to take a packet dump of a VPN channel, but in the dump I only get the replies from one side, although traffic flows without problems in both directions. There is a server on Ubuntu 18.04 running libreswan, which connects to a Cisco VPN behind which sits an application server.
The Ubuntu box itself is behind NAT in the 192.168.1.0/24 network. Over the VPN it is given the IP 172.18.13.107/32.
This same server must connect to the application server behind the Cisco, with IP 10.241.24.40.
sudo ipsec auto --status
000 "vpnconnection/0x1": 172.18.13.107/32===192.168.1.10<192.168.1.10>[XXX.XXX.XXX.XXX]---192.168.1.1...YYY.YYY.YYY.YYY<YYY.YYY.YYY.YYY>===10.241.24.40/32; erouted; eroute owner: #10585
000 "vpnconnection/0x1": oriented; my_ip=172.18.13.107; their_ip=unset; my_updown=ipsec _updown;
000 "vpnconnection/0x1": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "vpnconnection/0x1": our auth:secret, their auth:secret
000 "vpnconnection/0x1": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "vpnconnection/0x1": labeled_ipsec:no;
000 "vpnconnection/0x1": policy_label:unset;
000 "vpnconnection/0x1": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "vpnconnection/0x1": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "vpnconnection/0x1": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "vpnconnection/0x1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "vpnconnection/0x1": conn_prio: 32,32; interface: ens160; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "vpnconnection/0x1": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "vpnconnection/0x1": our idtype: ID_IPV4_ADDR; our id=XXX.XXX.XXX.XXX; their idtype: ID_IPV4_ADDR; their id=YYY.YYY.YYY.YYY
000 "vpnconnection/0x1": dpd: action:restart; delay:3; timeout:10; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "vpnconnection/0x1": newest ISAKMP SA: #0; newest IPsec SA: #10585;
000 "vpnconnection/0x1": aliases: vpnconnection
000 "vpnconnection/0x1": IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1536
000 "vpnconnection/0x1": ESP algorithms: AES_CBC_256-HMAC_SHA1_96-MODP1536
000 "vpnconnection/0x1": ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96; pfsgroup=MODP1536
000 #10585: "vpnconnection/0x1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 17599s; newest IPSEC; eroute owner; isakmp#10584; idle; import:admin initiate
000 #10585: "vpnconnection/0x1" esp.34d1a872@YYY.YYY.YYY.YYY esp.7c6975ef@192.168.1.10 ref=0 refhim=0 Traffic: ESPin=141KB ESPout=252KB! ESPmax=4194303B
The connection itself comes up without problems and traffic flows.
The problem arises when taking the dump.
I do:
user:~$ sudo tcpdump -n host 10.241.24.40
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
11:21:51.588752 IP 10.241.24.40.5001 > 172.18.13.107.37862: Flags [S.], seq 1918532201, ack 1572981322, win 4140, options [mss 1380,sackOK,eol], length 0
11:21:51.593298 IP 10.241.24.40.5001 > 172.18.13.107.37862: Flags [.], ack 46, win 4185, length 0
11:21:51.593438 IP 10.241.24.40.5001 > 172.18.13.107.37862: Flags [P.], seq 1:23, ack 46, win 4185, length 22
11:21:51.593445 IP 10.241.24.40.5001 > 172.18.13.107.37862: Flags [F.], seq 23, ack 46, win 4185, length 0
11:21:51.597821 IP 10.241.24.40.5001 > 172.18.13.107.37862: Flags [.], ack 47, win 4185, length 0
11:21:56.598933 IP 10.241.24.40.5001 > 172.18.13.107.38176: Flags [S.], seq 881000480, ack 13813162, win 4140, options [mss 1380,sackOK,eol], length 0
11:21:56.603376 IP 10.241.24.40.5001 > 172.18.13.107.38176: Flags [.], ack 46, win 4185, length 0
11:21:56.603704 IP 10.241.24.40.5001 > 172.18.13.107.38176: Flags [P.], seq 1:23, ack 46, win 4185, length 22
11:21:56.603708 IP 10.241.24.40.5001 > 172.18.13.107.38176: Flags [F.], seq 23, ack 46, win 4185, length 0
11:21:56.608086 IP 10.241.24.40.5001 > 172.18.13.107.38176: Flags [.], ack 47, win 4185, length 0
11:22:01.078646 IP 10.241.24.40 > 172.18.13.107: ICMP echo reply, id 18104, seq 1, length 64
11:22:01.607792 IP 10.241.24.40.5001 > 172.18.13.107.38618: Flags [S.], seq 3998020931, ack 3323264097, win 4140, options [mss 1380,sackOK,eol], length 0
11:22:01.613247 IP 10.241.24.40.5001 > 172.18.13.107.38618: Flags [.], ack 46, win 4185, length 0
11:22:01.613375 IP 10.241.24.40.5001 > 172.18.13.107.38618: Flags [P.], seq 1:23, ack 46, win 4185, length 22
11:22:01.613487 IP 10.241.24.40.5001 > 172.18.13.107.38618: Flags [F.], seq 23, ack 46, win 4185, length 0
11:22:01.617745 IP 10.241.24.40.5001 > 172.18.13.107.38618: Flags [.], ack 47, win 4185, length 0
11:22:02.080700 IP 10.241.24.40 > 172.18.13.107: ICMP echo reply, id 18104, seq 2, length 64
11:22:03.082875 IP 10.241.24.40 > 172.18.13.107: ICMP echo reply, id 18104, seq 3, length 64
11:22:03.089279 IP 10.241.24.40.5001 > 172.18.13.107.38968: Flags [S.], seq 1650793637, ack 2052431564, win 4140, options [mss 1380,sackOK,eol], length 0
11:22:03.093748 IP 10.241.24.40.5001 > 172.18.13.107.38968: Flags [.], ack 2, win 4141, length 0
11:22:03.093824 IP 10.241.24.40.5001 > 172.18.13.107.38968: Flags [.], ack 3, win 4141, length 0
11:22:03.094343 IP 10.241.24.40.5001 > 172.18.13.107.38968: Flags [F.], seq 1, ack 3, win 4141, length 0
^C
22 packets captured
22 packets received by filter
0 packets dropped by kernel
user:~$
And in the dump only the replies from 10.241.24.40 are present. The packets sent by the server itself are absent. I.e., lines of the form
11:22:03.093748 IP 172.18.13.107.38968 > 10.241.24.40.5001: bla-bla-bla
11:22:03.093749 IP 10.241.24.40.5001 > 172.18.13.107.38968: bla-bla-bla
are not there.
How do I set up the dump correctly so that I see both what the local host sends and the reply from the application server?
PS: there is no access to the VPN server on the "other" side.
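An added check, not part of the original post: it reads tcpdump text output and counts packets in each direction between two hosts, so a one-sided trace like the one above is flagged automatically rather than noticed by eye. The sample lines are constructed to mirror the capture in the post.

```shell
#!/bin/sh
# Added example, not from the original post: count packets per direction in
# tcpdump text output and report whether the trace shows both directions.
# The sample lines below are constructed to mirror the post's capture.
SAMPLE_DUMP='11:21:51.588752 IP 10.241.24.40.5001 > 172.18.13.107.37862: Flags [S.], seq 1918532201, ack 1572981322, win 4140, length 0
11:21:51.593298 IP 10.241.24.40.5001 > 172.18.13.107.37862: Flags [.], ack 46, win 4185, length 0
11:22:01.078646 IP 10.241.24.40 > 172.18.13.107: ICMP echo reply, id 18104, seq 1, length 64'

# count_direction DUMP SRC DST: number of "IP SRC[.port] > DST[.port]:" lines
count_direction() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
        $2 == "IP" {
            s = $3; d = $5; sub(/:$/, "", d)
            # tcpdump prints "a.b.c.d.port" for TCP/UDP; drop the port part,
            # an ICMP line has a bare "a.b.c.d" and is kept as is
            if (split(s, a, ".") == 5) s = a[1] "." a[2] "." a[3] "." a[4]
            if (split(d, b, ".") == 5) d = b[1] "." b[2] "." b[3] "." b[4]
            if (s == src && d == dst) n++
        }
        END { print n + 0 }'
}

# capture_is_two_way DUMP HOST_A HOST_B: prints yes if both directions appear
capture_is_two_way() {
    ab=$(count_direction "$1" "$2" "$3")
    ba=$(count_direction "$1" "$3" "$2")
    if [ "$ab" -gt 0 ] && [ "$ba" -gt 0 ]; then echo yes; else echo no; fi
}

# Stand-alone run: report on the constructed sample (expected: 3, 0, no).
echo "10.241.24.40 -> 172.18.13.107: $(count_direction "$SAMPLE_DUMP" 10.241.24.40 172.18.13.107)"
echo "172.18.13.107 -> 10.241.24.40: $(count_direction "$SAMPLE_DUMP" 172.18.13.107 10.241.24.40)"
echo "two-way: $(capture_is_two_way "$SAMPLE_DUMP" 10.241.24.40 172.18.13.107)"
```

On a libreswan host using the kernel XFRM stack, a capture on ens160 sees inbound packets after decryption but outbound packets only as ESP, which is exactly the one-sided picture this check flags. Libreswan's nflog-group= connection option (shown as unset in the status above), read with tcpdump -i nflog:<group>, is the documented way to see cleartext in both directions.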