1. ipsec-tools on ubuntu14.04

最新推荐文章于 2019-08-27 09:24:19 发布
最新推荐文章于 2019-08-27 09:24:19 发布
阅读量605 收藏
点赞数
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/mounter625/article/details/45876429
版权


1. ipsec-tools on ubuntu14.04

1.When configuring the kernel, it is important, to turn on the following features:

Networking support (NET) [Y/n/?] y
  *
  * Networking options
  *
  PF_KEY sockets (NET_KEY) [Y/n/m/?] y
  IP: AH transformation (INET_AH) [Y/n/m/?] y
  IP: ESP transformation (INET_ESP) [Y/n/m/?] y
  IP: IPsec user configuration interface (XFRM_USER) [Y/n/m/?] y

Cryptographic API (CRYPTO) [Y/n/?] y
  HMAC support (CRYPTO_HMAC) [Y/n/?] y
  Null algorithms (CRYPTO_NULL) [Y/n/m/?] y
  MD5 digest algorithm (CRYPTO_MD5) [Y/n/m/?] y
  SHA1 digest algorithm (CRYPTO_SHA1) [Y/n/m/?] y
  DES and Triple DES EDE cipher algorithms (CRYPTO_DES) [Y/n/m/?] y
  AES cipher algorithms (CRYPTO_AES) [Y/n/m/?] y
     
2. apt-get install racoon ipsec-tools

3. Manual keyed connections using setkey

A manual keyed connection means that all parameters needed for the setup of the connection are provided by the administrator. The IKE protocol is not used to automatically authenticate the peers and negotiate these parameters. The administrator decides which protocol, algorithm and key to use for the creation of the security associations and populates the security association database (SAD) accordingly.


Transport Mode

This section will first cover the setup of a manual keyed connection in transport mode. This is probably the best way to start because it is the simplest connection to setup. This section assumes that two machines with the IP addresses 192.168.1.100 and 192.168.2.100 communicate using IPsec.

All parameters stored in the SAD and the SPD can be modified using the setkey command. This command has a quite exhaustive man page. Therefore only the options needed for the setup of a connection in transport mode are covered here. setkey reads its commands from a file when invoked with setkey -f /etc/setkey.conf. A suitable /etc/setkey.conf file is shown in following listing.

#!/usr/sbin/setkey -f

# Configuration for 192.168.1.100

# Flush the SAD and SPD
flush;
spdflush;

# Attention: Use this keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.2.100 192.168.1.100 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.2.100 192.168.1.100 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

# Security policies
spdadd 192.168.1.100 192.168.2.100 any -P out ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.2.100 192.168.1.100 any -P in ipsec
           esp/transport//require
           ah/transport//require;
 
 

You will need some keys to replace the keys of this script, if you want to use the manually keyed connection for anything but testing purposes. Use a command such as the following to generate your keys:

$ # 128 Bit long key
$ dd if=/dev/random count=16 bs=1| xxd -ps
16+0 Records ein
16+0 Records aus
cd0456eff95c5529ea9e918043e19cbe

$ # 192 Bit long key
$ dd if=/dev/random count=24 bs=1| xxd -ps
24+0 Records ein
24+0 Records aus
9d6c4a8275ab12fbfdcaf01f0ba9dcfb5f424c878e97f888
 
 

Please use the device /dev/random  when generating the keys because it ensures random keys.

The script first flushes the security association database (SAD) and the security policy database (SPD). It then creates AH SAs and ESP SAs. The command add adds a security association to the SAD and requires the source and destination IP address, the IPsec protocol (ah), the SPI (0x200) and the algorithm. The authentication algorithm is specified with -A (encryption using -E, compression using -C; IP compression is not yet supported). Following the algorithm the key must be specified. The key may be formatted in double-quoted “ASCII” or in hexadecimal with a leading 0x.

Linux supports the following algorithms for AH and ESP: hmac-md5 and hmac-sha, des-cbc and 3des-cbc. Within a short amount of time the following algorithms will probably be supported: simple (no encryption), blowfish-cbc, aes-cbc, hmac-sha2-256 and hmac-sha2-512.

spdadd adds the security policies to the SPD. These policies define which packets are to be protected by IPsec and which protocols and keys to use. The command requires the source and destination IP addresses of the packets to be protected, the protocol (and port) to protect (any) and the policy to use (-P). The policy specifies the direction (in/out), the action to apply (ipsec/discard/none), the protocol (ah/esp/ipcomp), the mode (transport) and the level (use/require).

This configuration file has to be created on both peers taking part in the IPsec communication. While the shown listing works without any change on the peer 192.168.1.100 it has to be slightly modified on the peer 192.168.2.100 to reflect the change of direction of the packets. The easiest way to do it is to exchange the directions in the security policies: replace -P in with -P out and vice versa. This is shown in the following listing:

#!/usr/sbin/setkey -f

# Configuration for 192.168.2.100

# Flush the SAD and SPD
flush;
spdflush;

# Attention: Use this keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 192.168.1.100 192.168.2.100 ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.2.100 192.168.1.100 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.1.100 192.168.2.100 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.2.100 192.168.1.100 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

# Security policies
spdadd 192.168.1.100 192.168.2.100 any -P in ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.2.100 192.168.1.100 any -P out ipsec
           esp/transport//require
           ah/transport//require;
 
 

Once the configuration file is in place on the peers it can be loaded using setkey -f /etc/setkey.conf. The successful load can be tested by displaying the SAD and the SPD:

# setkey -D
# setkey -DP
  
 
If you now ping from one peer to the other the traffic will be encrypted and tcpdump will show the following packets:

12:45:39.373005 192.168.1.100 > 192.168.2.100: AH(spi=0x00000200,seq=0x1):
ESP(spi=0x00000201,seq=0x1) (DF)
12:45:39.448636 192.168.2.100 > 192.168.1.100: AH(spi=0x00000300,seq=0x1):
ESP(spi=0x00000301,seq=0x1)
12:45:40.542430 192.168.1.100 > 192.168.2.100: AH(spi=0x00000200,seq=0x2):
ESP(spi=0x00000201,seq=0x2) (DF)
12:45:40.569414 192.168.2.100 > 192.168.1.100: AH(spi=0x00000300,seq=0x2):
ESP(spi=0x00000301,seq=0x2)
 
 

mounter625
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
IPSec-Tools配置
zt698的专栏
11-14 6382
1       介绍从Linux 2.6内核开始,内核就自身带有IPSec模块,配合IPSec-Tools,能很好的实现Linux的IPSec功能。IPSec-Tools主要包含libipsec、setkey、racoon和racoonctl这4个模块,setkey主要用于配置SAD(安全关联数据库)和SPD(安全策略数据库),racoon用于IKE协商。本文采用最简单的网络配置(2台
3. ipsec-tools on ubuntu14.04
mounter625的专栏
05-21 1621
3. ipsec-tools on ubuntu14.04 Automatic keyed connections using racoon The KAME IKE daemon racoon has also been ported to Linux. This daemon is able to setup automatically keyed IPsec connectio
4. ipsec-tools on ubuntu14.04
mounter625的专栏
05-22 1050
4. ipsec-tools on ubuntu14.04 X.509 Certificates Racoon supports the usage of X.509 certificates for the authentication process. These certificates may be checked against a certificate authority
2. ipsec-tools on ubuntu14.04
mounter625的专栏
05-20 739
 2. ipsec-tools on ubuntu14.04 Tunnel Mode Tunnel mode is used when the two peers using IPsec work as a gateway and protect the traffic between two networks (Figure 5). The original IP packets ar
Ubuntu15.04安装IPSec/L2TP
weixin_34194359的博客
02-20 413
一、IPSec注意:以下教程中sudo在有些版本系统中会提示“未知sudo命令”,在输入时去掉sudo即可。1.安装IPSec/L2TP软件#sudoapt-getinstallxl2tpdopenswanppplsof如果出现Do you want to create a RSA public/private keypair for this host?。我...
MLNX-OFED-LINUX-4.1-1.0.2.0-ubuntu14.04-x86-64
12-27
OFED 4.1 for ubuntu14.04。官网已经关闭了下载通道,这是之前现在的驱动。我的主页还有OFED 4.1 其他操作系统版本(16.04、rhel 7.4等) MLNX_OFED_LINUX-4.1-1.0.2.0-ubuntu14.04-x86_64.tgz
vscode_for_ubuntu14.04.zip
05-15
Ubuntu 14.04系统下能用的vscode客户端(新版本在启动时无响应,且无法打开终端),版本号:code_1.42.1-1581432938_amd64.deb 使用方法:解压后执行sudo dpkg -i code*
docker-ubuntu:带有en_US.UTF-8语言环境的Ubuntu 14.04
05-25
当您尝试从Ubuntu映像更改语言环境时,您会在日志中看到此错误: Step 3 : RUN locale-gen en_US.UTF-8 && echo 'LANG="en_US.UTF-8"' > /etc/default/locale ---> Running in b24799cb6c0a Generating ...
百度云资源下载ubuntu-14.04-desktop-amd64.iso;
09-28
1. **长期支持**:作为LTS版本,Ubuntu 14.04在发布后的五年内都会获得官方的安全更新和技术支持。 2. **桌面环境**:默认搭载Unity 7桌面环境,提供了直观易用的图形界面。 3. **软件兼容性**:兼容大量开源和闭源...
clang+llvm-9.0.0-x86_64-linux-gnu-ubuntu-14.04.tar.xz
05-05
LLVM是构架编译器(compiler)的框架系统,以C++编写而成,用于优化以任意程序语言编写的程序的编译时间(compile-time)、链接时间(link-time)、运行时间(run-time)以及空闲时间(idle-time),对开发者保持开放,并兼容...
ipsectools-0.8.2
09-05
linux 2.6.32上使用的ipsectools,最新版本到0.8.2
ipsec-tools安装问题总结
daa20的专栏
07-21 1567
安装环境: [devel@dev-1 ipsec-tools-0.8.0]$ uname -a Linux dev-1 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux 安装软件 [devel@dev-1 ipsec-tools-0.8.0]$ sudo y...
ipsec/racoon on ubuntu14.04
mounter625的专栏
11-27 655
4. on vm1 a) root@localhost:/root> ip -4 a 1: lo: mtu 16436 qdisc noqueue state UNKNOWN     inet 127.0.0.1/8 scope host lo 2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000     inet 2.1.1.
ipsec-tools安装教程
weixin_34367845的博客
05-11 1612
ipsec-tools最新版本为0.8.2,此处以0.7.3版本为例说明安装和使用过程。可参考ipsec-howto。 安装步骤 ipsec-tools依赖于linux2.6版本内核,在安装ipsec-tools前需编译安装linux kernel 2.6,此处以2.6.34.1为例。 内核编译步骤 下载 linux-2.6.34.1.tar.bz2 将文件移...
Ubuntu 16.04安装IPSEC服务
nileihope的博客
08-27 1620
sudo apt-get update ​sudo apt-get upgrade sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp sudo apt-get update ​sudo apt-get install network-manager-l2tp network-manager-l2tp-gnome
IPSEC-TOOLS工具编译安装介绍
Dalek的专栏
04-10 1555
<br />如何从源代码安装编译IPSEC-TOOLS,安装
Linux 下 IPsec-tools的使用
ai58203的博客
07-26 597
Ipsec-tools有人工和自动两种方式来管理SA。 Manual keyed connections using setkey 所有连接所需的参数均由管理员提供。不使用IKE协议来自动认证对端和协商参数。管理员来决定用哪个协议、算法和密钥来创建安全联盟。 Transport Mode 使用Setkey命令可以修改SAD和SPD中存储的所有参数。Setkey -...
ubuntu安装l2tp/ipsec
追梦
03-21 2万+
一键安装l2tp,参考网址https://teddysun.com/448.htm 1、服务器端 下载一键安装包 wget --no-check-certificate https://raw.githubusercontent.com/teddysun/across/master/l2tp.sh chmod +x l2tp.sh ./l2tp.sh ...
IPsec-Tools配置之racoon
热门推荐
人生如棋
07-12 2万+
IPsec-Tools中的racoon工具实现了IKE的功能:既实现了双向认证,又能建立和维护IPsec SA。
ubuntu14.04安装vmware tools
最新发布
05-22
安装VMware Tools可以提高虚拟机的性能和功能。下面是在Ubuntu 14.04上安装VMware Tools的步骤: 1. 在VMware虚拟机菜单中选择“虚拟机”->“安装VMware Tools”。 2. 在Ubuntu 14.04中,会自动挂载VMware Tools的ISO映像文件。你可以在终端中输入以下命令查看: ``` ls /media/<your-username>是你的用户名。 3. 将VMware Tools的ISO映像文件复制到/tmp目录: ``` cp /media/<your-username>/VMware\ Tools/VMwareTools-*.tar.gz /tmp/ ``` 4. 解压缩VMware Tools: ``` cd /tmp tar -xvf VMwareTools-*.tar.gz ``` 5. 进入解压后的VMware Tools目录: ``` cd vmware-tools-distrib/ ``` 6. 运行VMware Tools安装程序: ``` sudo ./vmware-install.pl -d ``` 7. 按照提示进行安装。安装完成后,重启虚拟机即可。 注意:在安装过程中可能会提示你安装一些依赖库,按照提示进行安装即可。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

mounter625

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值