Configuring IKEv2
=================VPP as responder=====================
[Topology]
  [strongswan]               [vpp]
  1.1.1.1   <------------->  1.1.1.2      (IKE/ESP endpoints)
  2.2.2.2                    3.3.3.3      (protected addresses, i.e. the traffic selectors)
[1] VPP configuration
set interface state GigabitEthernet0/8/0 up
set interface ip address GigabitEthernet0/8/0 1.1.1.2/24
set interface state GigabitEthernet0/9/0 up
set interface ip address GigabitEthernet0/9/0 3.3.3.3/24
ikev2 profile del pr1
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string abc123456   // lab PSK; outside the lab use a long random secret
ikev2 profile set pr1 id local ip4-addr 1.1.1.2
ikev2 profile set pr1 id remote ip4-addr 1.1.1.1
ikev2 profile set pr1 traffic-selector local ip-range 3.3.3.0 - 3.3.3.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 2.2.2.0 - 2.2.2.255 port-range 0 - 65535 protocol 0 // With this selector only pings from the vpp side work: a ping from the peer does not necessarily carry 2.2.2.2 as its source address
//ikev2 profile set pr1 traffic-selector remote ip-range 1.1.1.0 - 1.1.1.255 port-range 0 - 65535 protocol 0 // Could it simply be configured like this, with the protected range in the same subnet as the IKE gateway? (open question)
[2] Then run ipsec restart on the strongswan VM (the initiator); the IKE SA comes up.
Check the IPsec state on vpp:
DBGvpp# show ipsec all
[0] sa 2147483648 (0x80000000) spi 3328014627 (0xc65d7923) protocol:esp flags:[anti-replay ]
[1] sa 3221225472 (0xc0000000) spi 3887195961 (0xe7b1e739) protocol:esp flags:[anti-replay inbound ]
SPD Bindings:
ipip0 flags:[none]
output-sa:
[0] sa 2147483648 (0x80000000) spi 3328014627 (0xc65d7923) protocol:esp flags:[anti-replay ]
input-sa:
[1] sa 3221225472 (0xc0000000) spi 3887195961 (0xe7b1e739) protocol:esp flags:[anti-replay inbound ]
IPSec async mode: off
DBGvpp# show ipsec sa 0
[0] sa 2147483648 (0x80000000) spi 3328014627 (0xc65d7923) protocol:esp flags:[anti-replay ]
locks 2
salt 0x0
thread-index:0
seq 0 seq-hi 0
window 0000000000000000000000000000000000000000000000000000000000000000
crypto alg aes-cbc-128 key 92725b33ee5bfe70d2ae9bc493804670
integrity alg sha1-96 key 67a7643b1003323a4d1c79c7ff2b47bace578079
UDP:[src:0 dst:0]
packets 0 bytes 0
The ipip0 interface that IKEv2 created is down:
DBGvpp# show int
              Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
GigabitEthernet0/8/0              1      up          9000/0/0/0     rx packets                   422
                                                                    rx bytes                   48578
                                                                    tx packets                   289
                                                                    tx bytes                   30196
                                                                    drops                        268
                                                                    ip4                          267
                                                                    ip6                           68
                                                                    tx-error                       2
GigabitEthernet0/9/0              2      up          9000/0/0/0     rx packets                   136
                                                                    rx bytes                   16412
                                                                    drops                        136
                                                                    ip4                           68
                                                                    ip6                           68
ipip0                             3     down         9000/0/0/0
local0                            0     down            0/0/0/0
[3] On the vpp side, bring the tunnel up and route the remote subnet into it  // without this you get: Failed: no egress interface
set interface state ipip0 up
ip route add 2.2.2.0/24 via ipip0
set interface unnumbered ipip0 use GigabitEthernet0/8/0   // ipip0 has no address of its own; it borrows GigabitEthernet0/8/0's
// After this the responder sees ESP packets
// and a ping from the initiator goes through
Route on the strongswan side (the next hop is the vpp endpoint 1.1.1.2; charon installs a route for rightsubnet in its own table 220 by default, so this is only needed when that is disabled):
ip route add 3.3.3.0/24 via 1.1.1.2 dev enp0s8
Check the result on vpp:
show ikev2 sa details   # IKE SA details
show ipsec sa details   # IPsec SA details
show ipsec tun
show ikev2 sa
show ipsec all
Check the strongswan log:
cat /var/log/charon_debug.log
================VPP as initiator===============================
For vpp to initiate the SA, additionally enter the following:
ikev2 profile set pr1 responder GigabitEthernet0/8/0 1.1.1.1   // the peer and the interface it is reached through
ikev2 profile set pr1 ike-crypto-alg aes-gcm-16 256 ike-dh modp-2048   // must be accepted by the strongswan ike= line
ikev2 profile set pr1 esp-crypto-alg aes-gcm-16 256                    // must be accepted by the strongswan esp= line
Then initiate the IKEv2 connection:
vpp# ikev2 initiate sa-init pr1
show ikev2 sa details
strongswan conn configuration
Add to /etc/ipsec.conf (parameter lines must be indented; ipsec.conf requires it):
conn %default
    ikelifetime=24h
    keylife=24h
    rekeymargin=3m
    keyingtries=2
    keyexchange=ikev2
    # '!' makes the proposal strict (no strongSwan defaults appended), so it has to
    # overlap with the VPP profile's ike-crypto-alg/ike-integ-alg/ike-dh; the
    # aes-gcm-16 256 / modp-2048 initiator settings above do not match this line.
    # modp1024 (DH group 2) is deprecated by RFC 8247 and is kept here for the lab only.
    ike=aes128-sha1-modp1024!
    # likewise for esp-crypto-alg/esp-integ-alg; the modp group here is the PFS group for CHILD_SA rekeys
    esp=aes128-sha1-modp1024!
    authby=psk
    reauth=no
conn vpp
    # left is the vpp side here; strongSwan works out which side is local from its own addresses
    left=1.1.1.2
    leftsubnet=3.3.3.0/24
    right=1.1.1.1
    rightsubnet=2.2.2.0/24
    # set auto=start when strongswan is the initiator
    auto=add
The same PSK as the VPP profile's shared-key-mic has to be in /etc/ipsec.secrets:
1.1.1.1 1.1.1.2 : PSK "abc123456"
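The two sides only come up if the proposal VPP offers is one strongSwan will accept, and with a strict `!` line the intersection has to be exact. The following is an added example (Python; not from the original notes, from VPP or from strongSwan) that maps the transform names used on this page between the two syntaxes, reports whether an IKE proposal from a VPP ikev2 profile overlaps with a strongSwan ike= or esp= value, and flags weak DH groups. Assumptions: the name table only covers the transforms on this page plus the aes256gcm16/prfsha256/modp2048 names a matching AEAD proposal needs; the PRF is not compared because the VPP profile here configures none, so the negotiated transforms should still be confirmed with show ikev2 sa details.

```python
# Added example (Python), not from the original notes, VPP or strongSwan: check
# that the IKE proposal a VPP ikev2 profile offers overlaps with what the
# strongSwan ike=/esp= line accepts, and flag weak DH groups, before running
# "ikev2 initiate". Assumptions: the name table covers only the transforms used
# on this page plus the AEAD/PRF names needed for a matching aes-gcm proposal;
# the PRF is not compared because the VPP profile here configures none.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# strongSwan keyword -> (VPP crypto-alg name, key bits)
SS_ENC = {
    "aes128": ("aes-cbc", 128), "aes256": ("aes-cbc", 256),
    "aes128gcm16": ("aes-gcm-16", 128), "aes256gcm16": ("aes-gcm-16", 256),
}
SS_INTEG = {"sha1": "sha1-96", "sha256": "sha256-128"}
SS_DH = {"modp768": "modp-768", "modp1024": "modp-1024",
         "modp2048": "modp-2048", "modp3072": "modp-3072"}
WEAK_DH = {"modp-768", "modp-1024"}   # RFC 8247: MUST NOT / SHOULD NOT

@dataclass(frozen=True)
class Proposal:
    enc: Tuple[str, int]        # (algorithm, key bits)
    integ: Optional[str]        # None for AEAD ciphers
    dh: Optional[str]           # None when the side leaves the group open

def parse_strongswan(value: str) -> Tuple[List[Proposal], bool]:
    """Parse the value of an ike= or esp= line such as 'aes128-sha1-modp1024!'.
    Returns (proposals, strict). A trailing '!' tells strongSwan not to append
    its default proposals, so only then is this check decisive."""
    strict = value.endswith("!")
    proposals = []
    for prop in value.rstrip("!").split(","):
        enc = integ = dh = None
        for tok in prop.split("-"):
            if tok in SS_ENC:
                enc = SS_ENC[tok]
            elif tok in SS_INTEG:
                integ = SS_INTEG[tok]
            elif tok in SS_DH:
                dh = SS_DH[tok]
            elif tok.startswith("prf"):
                continue            # PRF deliberately not compared (see above)
            else:
                raise ValueError(f"unknown transform {tok!r}")
        if enc is None:
            raise ValueError(f"no cipher in {prop!r}")
        proposals.append(Proposal(enc, integ, dh))
    return proposals, strict

def vpp_proposal(crypto_alg: str, key_bits: int, integ_alg: Optional[str] = None,
                 dh: Optional[str] = None) -> Proposal:
    """Model of 'ikev2 profile set <p> ike-crypto-alg <alg> <bits> [ike-integ-alg <a>] ike-dh <g>'."""
    return Proposal((crypto_alg, key_bits), integ_alg, dh)

def matches(vpp: Proposal, ss: Proposal) -> bool:
    if vpp.enc != ss.enc:
        return False
    aead = vpp.enc[0].startswith("aes-gcm")
    if not aead and vpp.integ != ss.integ:      # AEAD ciphers carry no separate integrity transform
        return False
    return vpp.dh is None or ss.dh is None or vpp.dh == ss.dh

def check(vpp: Proposal, ss_value: str) -> List[str]:
    """Human-readable findings; an empty list means the sides agree and no weak
    group is in play."""
    proposals, strict = parse_strongswan(ss_value)
    findings = []
    if not any(matches(vpp, p) for p in proposals):
        findings.append(f"no common proposal: VPP offers {vpp}, strongSwan accepts {proposals}"
                        + (" (strict '!')" if strict else " (plus strongSwan defaults)"))
    for p in proposals:
        if p.dh in WEAK_DH:
            findings.append(f"weak DH group {p.dh} in strongSwan proposal")
    if vpp.dh in WEAK_DH:
        findings.append(f"weak DH group {vpp.dh} on the VPP profile")
    return findings

if __name__ == "__main__":
    # the "VPP as initiator" profile above
    initiator = vpp_proposal("aes-gcm-16", 256, None, "modp-2048")
    for line in ("aes128-sha1-modp1024!", "aes256gcm16-prfsha256-modp2048!"):
        print(line, "->", check(initiator, line) or "OK")
```

Run against the page's own values, the strict aes128-sha1-modp1024! line has no overlap with the aes-gcm-16 256 / modp-2048 initiator profile, while aes256gcm16-prfsha256-modp2048! does (subject to the PRF caveat above); the responder case, where strongSwan proposes and VPP accepted aes-cbc-128/sha1-96, only draws the weak-group warning.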
========================================================
/* Can SPD mode be used here? -- What IKEv2 negotiates is bound to ipip0, so it is not yet clear how to connect the two; revisit later.
Check the ipsec SAs
DBGvpp# show ipsec all
[0] sa 2147483648 (0x80000000) spi 3411469020 (0xcb56e2dc) protocol:esp flags:[anti-replay ]
[1] sa 3221225472 (0xc0000000) spi 1097310285 (0x4167a04d) protocol:esp flags:[anti-replay inbound ]
SPD Bindings:
ipip0 flags:[none]
output-sa:
[0] sa 2147483648 (0x80000000) spi 3411469020 (0xcb56e2dc) protocol:esp flags:[anti-replay ]
input-sa:
[1] sa 3221225472 (0xc0000000) spi 1097310285 (0x4167a04d) protocol:esp flags:[anti-replay inbound ]
IPSec async mode: off
ipsec spd add 1
set interface ipsec spd GigabitEthernet0/8/0 1
ipsec policy add spd 1 priority 10 inbound action protect sa 3221225472 remote-ip-range 2.2.2.0 - 2.2.2.255
ipsec policy add spd 1 priority 10 outbound action protect sa 2147483648 remote-ip-range 2.2.2.0 - 2.2.2.255
Testing this gives the following error:
DBGvpp# ping 2.2.2.2
Failed: no egress interface
*/
Configuring IPsec - SPD mode
Sender configuration
set interface state GigabitEthernet0/8/0 up
set interface ip address GigabitEthernet0/8/0 1.1.1.1/24
set interface promiscuous on GigabitEthernet0/8/0
set interface state GigabitEthernet0/9/0 up
set interface ip address GigabitEthernet0/9/0 2.2.2.2/24
set interface promiscuous on GigabitEthernet0/9/0
ip route add 3.3.3.0/24 via 1.1.1.2      // the peer's protected subnet is a /24 (3.3.3.0/16 would really mean 3.3.0.0/16)
ipsec spd add 1
set interface ipsec spd GigabitEthernet0/8/0 1
ipsec sa add 10 spi 1000 esp crypto-key 4339314b55523947594d6d3547666b45 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45 integ-alg sha1-96   // no tunnel-src/tunnel-dst, so this is a transport-mode SA; one SA id and key for both directions, and no anti-replay, is lab-only
ipsec policy add spd 1 priority 10 inbound action protect sa 10 remote-ip-range 3.3.3.0 - 3.3.3.255
ipsec policy add spd 1 priority 10 outbound action protect sa 10 remote-ip-range 3.3.3.0 - 3.3.3.255
Receiver configuration
set interface state GigabitEthernet0/8/0 up
set interface ip address GigabitEthernet0/8/0 1.1.1.2/24
set interface promiscuous on GigabitEthernet0/8/0
set interface state GigabitEthernet0/9/0 up
set interface ip address GigabitEthernet0/9/0 3.3.3.3/24
set interface promiscuous on GigabitEthernet0/9/0
//ip route add 2.2.2.0/24 via 1.1.1.1
ipsec spd add 1
set interface ipsec spd GigabitEthernet0/8/0 1
ipsec sa add 10 spi 1000 esp crypto-key 4339314b55523947594d6d3547666b45 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45 integ-alg sha1-96
ipsec policy add spd 1 priority 10 inbound action protect sa 10 remote-ip-range 1.1.1.0 - 1.1.1.255
ipsec policy add spd 1 priority 10 outbound action protect sa 10 remote-ip-range 1.1.1.0 - 1.1.1.255
// The sender's packets carry source 1.1.1.1, not 2.2.2.2 (vpp's ping sources from the egress interface), and with a transport-mode SA the SPD matches that header directly, so the protected range above is 1.1.1.0/24 rather than 2.2.2.0/24
// *** The core is those three lines: the algorithm and key used to encrypt, which outbound traffic gets encrypted, and which inbound traffic gets decrypted
With this, a ping from the sender to 3.3.3.3 goes through.
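The receiver's remote range ends up as 1.1.1.0/24 rather than 2.2.2.0/24 because the SA is transport mode and vpp's ping sources from 1.1.1.1. The following added example (Python; not from the original notes or from VPP) models the address part of VPP's SPD lookup with the two SPDs above and traces a ping through all four lookups it hits, once sourced from 1.1.1.1 and once from 2.2.2.2, plus a constructed receiver SPD that also covers 2.2.2.0/24. Assumption: only address ranges and priority are modelled; the real ipsec4-input/ipsec4-output nodes also match protocol, port ranges and, inbound, the SPI of the policy's SA.

```python
# Added example, not from the original notes or from VPP itself: a small model of
# the SPD lookup for the transport-mode setup above. It shows why the receiver's
# policies had to name 1.1.1.0/24 and what happens to a ping sourced from 2.2.2.2.
# Assumptions (labelled): only the address-range and priority part of VPP's
# lookup is modelled; protocol, ports and the inbound SPI check are left out.
# The ranges are the ones from the notes; the traffic is constructed here.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Policy:
    priority: int
    direction: str              # "inbound" or "outbound"
    action: str                 # "protect", "bypass" or "discard"
    sa: Optional[int]           # SA id for "protect" policies
    local: Tuple[str, str]      # inclusive range, as typed on the CLI
    remote: Tuple[str, str]

ANY = ("0.0.0.0", "255.255.255.255")

def _in_range(addr: str, rng: Tuple[str, str]) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    lo, hi = (int(ipaddress.IPv4Address(x)) for x in rng)
    return lo <= a <= hi

def lookup(spd: List[Policy], direction: str, src: str, dst: str) -> Optional[Policy]:
    """Best-matching policy for one packet (highest priority wins), None if none
    matches. 'remote' is the destination for outbound packets and the source for
    inbound ones. With a transport-mode SA there is no outer header, so the
    addresses compared are the packet's own src/dst."""
    local, remote = (src, dst) if direction == "outbound" else (dst, src)
    best = None
    for p in spd:
        if p.direction != direction:
            continue
        if not (_in_range(local, p.local) and _in_range(remote, p.remote)):
            continue
        if best is None or p.priority > best.priority:
            best = p
    return best

# SPD 1 on the sender (1.1.1.1) and on the receiver (1.1.1.2), as in the notes
SENDER_SPD = [
    Policy(10, "inbound",  "protect", 10, ANY, ("3.3.3.0", "3.3.3.255")),
    Policy(10, "outbound", "protect", 10, ANY, ("3.3.3.0", "3.3.3.255")),
]
RECEIVER_SPD = [
    Policy(10, "inbound",  "protect", 10, ANY, ("1.1.1.0", "1.1.1.255")),
    Policy(10, "outbound", "protect", 10, ANY, ("1.1.1.0", "1.1.1.255")),
]
# What the receiver's SPD would additionally need to protect 2.2.2.0/24
# (constructed alternative, not in the notes)
RECEIVER_SPD_FOR_2_2_2_0 = RECEIVER_SPD + [
    Policy(10, "inbound",  "protect", 10, ANY, ("2.2.2.0", "2.2.2.255")),
    Policy(10, "outbound", "protect", 10, ANY, ("2.2.2.0", "2.2.2.255")),
]

def trace_ping(src: str, dst: str, sender_spd=SENDER_SPD,
               receiver_spd=RECEIVER_SPD) -> Dict[str, Optional[str]]:
    """Follow one echo request src->dst and its reply dst->src through the four
    SPD lookups they hit. None means no policy matched: outbound, the packet
    leaves in the clear; inbound, an ESP packet is not handed to esp-decrypt."""
    def act(p: Optional[Policy]) -> Optional[str]:
        return p.action if p else None
    return {
        "sender_out":   act(lookup(sender_spd,   "outbound", src, dst)),
        "receiver_in":  act(lookup(receiver_spd, "inbound",  src, dst)),
        "receiver_out": act(lookup(receiver_spd, "outbound", dst, src)),
        "sender_in":    act(lookup(sender_spd,   "inbound",  dst, src)),
    }

if __name__ == "__main__":
    for src in ("1.1.1.1", "2.2.2.2"):
        print(src, "->", "3.3.3.3", trace_ping(src, "3.3.3.3"))
    print("2.2.2.2 -> 3.3.3.3 with 2.2.2.0/24 policies on the receiver:",
          trace_ping("2.2.2.2", "3.3.3.3", receiver_spd=RECEIVER_SPD_FOR_2_2_2_0))
```

The 2.2.2.2 trace shows that the commented-out route on the receiver would not have been enough on its own: without a policy covering 2.2.2.0/24 the receiver neither decrypts the request nor protects the reply, and a route only decides where the clear-text reply would go.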
================Checking the configuration=========================
Sender
DBGvpp# show ipsec all
[0] sa 10 (0xa) spi 1000 (0x000003e8) protocol:esp flags:[]
spd 1
ip4-outbound:
[1] priority 10 action protect type ip4-outbound protocol any sa 10
local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
remote addr range 3.3.3.0 - 3.3.3.255 port range 0 - 65535
packets 35 bytes 3360
ip6-outbound:
ip4-inbound-protect:
[0] priority 10 action protect type ip4-inbound-protect protocol any sa 10
local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
remote addr range 3.3.3.0 - 3.3.3.255 port range 0 - 65535
packets 19 bytes 2584
ip6-inbound-protect:
ip4-inbound-bypass:
ip6-inbound-bypass:
ip4-inbound-discard:
ip6-inbound-discard:
SPD Bindings:
1 -> GigabitEthernet0/8/0
IPSec async mode: off
Receiver
DBGvpp# show ipsec all
[0] sa 10 (0xa) spi 1000 (0x000003e8) protocol:esp flags:[]
spd 1
ip4-outbound:
[1] priority 10 action protect type ip4-outbound protocol any sa 10
local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
remote addr range 1.1.1.0 - 1.1.1.255 port range 0 - 65535
packets 19 bytes 1824
ip6-outbound:
ip4-inbound-protect:
[0] priority 10 action protect type ip4-inbound-protect protocol any sa 10
local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
remote addr range 1.1.1.0 - 1.1.1.255 port range 0 - 65535
packets 20 bytes 2720
ip6-inbound-protect:
ip4-inbound-bypass:
ip6-inbound-bypass:
ip4-inbound-discard:
ip6-inbound-discard:
SPD Bindings:
1 -> GigabitEthernet0/8/0
IPSec async mode: off
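The show ipsec all outputs on this page come in two layouts: the IKEv2 one from step [2], where the SAs are bound to ipip0 as output-sa/input-sa (the route-based mode below produces the same shape), and the static SPD one just above, where a single SA is referenced from policies in both directions. The following is an added example (Python; not from the original notes or from VPP) that parses both layouts and audits them for what a reviewer checks first: ESP, anti-replay on, a distinct SA per direction, no SPI reuse. The sample texts are copied (abridged) from the outputs above; the checks are the example's own. Note also that show ipsec sa prints keys in the clear, so anyone with CLI access holds the keys.

```python
# Added example (Python), not from the original notes or from VPP: parse the two
# "show ipsec all" layouts seen on this page (SAs bound to an ipip tunnel by
# IKEv2, and SAs referenced from static SPD policies) and audit them for the
# things a reviewer checks first. The sample texts are copied (abridged) from
# the outputs above; the checks are this example's own.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

SA_RE = re.compile(
    r"\[\d+\]\s+sa\s+(?P<id>\d+)\s+\(0x[0-9a-f]+\)\s+spi\s+(?P<spi>\d+)\s+\(0x[0-9a-f]+\)"
    r"\s+protocol:(?P<proto>\w+)\s+flags:\[(?P<flags>[^\]]*)\]")
POLICY_RE = re.compile(
    r"\[\d+\]\s+priority\s+\d+\s+action\s+(?P<action>\w+)\s+type\s+(?P<type>[\w-]+)"
    r"\s+protocol\s+\S+\s+sa\s+(?P<sa>\d+)")

@dataclass
class SaInfo:
    sa_id: int
    spi: int
    proto: str
    flags: Set[str]
    used_as: Set[str] = field(default_factory=set)   # "inbound" and/or "outbound"

def parse_show_ipsec_all(text: str) -> Dict[int, SaInfo]:
    """Collect every SA and record whether a tunnel binding (output-sa:/input-sa:)
    or a protect policy uses it inbound, outbound or both."""
    sas: Dict[int, SaInfo] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):                 # "output-sa:", "input-sa:", "ip4-outbound:", ...
            section = line[:-1]
            continue
        m = SA_RE.match(line)
        if m:
            sa = sas.setdefault(int(m["id"]), SaInfo(int(m["id"]), int(m["spi"]),
                                                     m["proto"], set(m["flags"].split())))
            if section == "output-sa":
                sa.used_as.add("outbound")
            elif section == "input-sa":
                sa.used_as.add("inbound")
            continue
        m = POLICY_RE.match(line)
        if m and m["action"] == "protect":
            sa = sas.setdefault(int(m["sa"]), SaInfo(int(m["sa"]), -1, "?", set()))
            sa.used_as.add("outbound" if "outbound" in m["type"] else "inbound")
    return sas

def audit(sas: Dict[int, SaInfo]) -> List[str]:
    """Findings worth resolving before trusting the tunnel."""
    findings: List[str] = []
    by_spi: Dict[int, List[int]] = {}
    for sa in sas.values():
        if sa.proto != "esp":
            findings.append(f"sa {sa.sa_id}: protocol {sa.proto}, expected esp")
        if "anti-replay" not in sa.flags:
            findings.append(f"sa {sa.sa_id}: anti-replay window is off")
        if {"inbound", "outbound"} <= sa.used_as:
            findings.append(f"sa {sa.sa_id}: one SA (same key and SPI) used for both directions")
        by_spi.setdefault(sa.spi, []).append(sa.sa_id)
    for spi, ids in by_spi.items():
        if len(ids) > 1:
            findings.append(f"spi {spi} shared by SAs {ids}")
    return findings

# copied from the IKEv2 step [2] output above
IKEV2_SHOW = """\
[0] sa 2147483648 (0x80000000) spi 3328014627 (0xc65d7923) protocol:esp flags:[anti-replay ]
[1] sa 3221225472 (0xc0000000) spi 3887195961 (0xe7b1e739) protocol:esp flags:[anti-replay inbound ]
SPD Bindings:
ipip0 flags:[none]
 output-sa:
  [0] sa 2147483648 (0x80000000) spi 3328014627 (0xc65d7923) protocol:esp flags:[anti-replay ]
 input-sa:
  [1] sa 3221225472 (0xc0000000) spi 3887195961 (0xe7b1e739) protocol:esp flags:[anti-replay inbound ]
IPSec async mode: off
"""
# copied (abridged) from the SPD-mode sender output above
SPD_SHOW = """\
[0] sa 10 (0xa) spi 1000 (0x000003e8) protocol:esp flags:[]
spd 1
 ip4-outbound:
  [1] priority 10 action protect type ip4-outbound protocol any sa 10
   local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
   remote addr range 3.3.3.0 - 3.3.3.255 port range 0 - 65535
   packets 35 bytes 3360
 ip4-inbound-protect:
  [0] priority 10 action protect type ip4-inbound-protect protocol any sa 10
   local addr range 0.0.0.0 - 255.255.255.255 port range 0 - 65535
   remote addr range 3.3.3.0 - 3.3.3.255 port range 0 - 65535
   packets 19 bytes 2584
SPD Bindings:
 1 -> GigabitEthernet0/8/0
IPSec async mode: off
"""

if __name__ == "__main__":
    for name, text in (("ikev2/ipip0", IKEV2_SHOW), ("static spd", SPD_SHOW)):
        print(name, audit(parse_show_ipsec_all(text)) or "no findings")
```

The IKEv2-negotiated pair passes cleanly (distinct SAs and SPIs per direction, anti-replay on); the static SPD setup draws two findings, which is exactly what IKEv2 buys you over hand-keyed SAs.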
Configuring IPsec - route-based mode
// When adding routes, the gw parameter is the next-hop gateway address; don't get it wrong
// The difference in this variant is that vpp carries an address in the same subnet as the hosts (it is their gateway)
1. Topology
  [PC: 2.2.2.2] - [VPN_S: 1.1.1.1] : [VPN_R: 1.1.1.2] - [PC: 3.3.3.3]
        gw 2.2.2.1 on VPN_S                 gw 3.3.3.1 on VPN_R
2. Sender VPN_S configuration
set interface state GigabitEthernet0/8/0 up
set interface ip address GigabitEthernet0/8/0 1.1.1.1/24
set interface promiscuous on GigabitEthernet0/8/0
set interface state GigabitEthernet0/9/0 up
set interface ip address GigabitEthernet0/9/0 2.2.2.1/24
create ipip tunnel src 1.1.1.1 dst 1.1.1.2      // creates ipip0
ipsec sa add 10 spi 1000 esp crypto-key 4339314b55523947594d6d3547666b45 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45 integ-alg sha1-96   // one SA (same key and SPI) for both directions on both peers is lab-only; real deployments use a distinct SA per direction with anti-replay, which IKEv2 does for you
ipsec tunnel protect ipip0 sa-in 10 sa-out 10 1.1.1.2
// Note the address after "sa-out 10" is the tunnel peer 1.1.1.2, not the protected subnet's 2.2.2.2. In this route-based mode the routing table decides which traffic is encrypted: whatever is routed via ipip0
ip route add 3.3.3.0/24 via 1.1.1.2 ipip0
set interface unnumbered ipip0 use GigabitEthernet0/8/0
set interface state ipip0 up
Sender host configuration
1) Address 2.2.2.2 on enp0s9
2) Route:
   ip route add 3.3.3.0/24 via 2.2.2.1 dev enp0s9
3. Receiver VPN_R configuration
set interface state GigabitEthernet0/8/0 up
set interface ip address GigabitEthernet0/8/0 1.1.1.2/24
set interface promiscuous on GigabitEthernet0/8/0
set interface state GigabitEthernet0/9/0 up
set interface ip address GigabitEthernet0/9/0 3.3.3.1/24
create ipip tunnel src 1.1.1.2 dst 1.1.1.1
ipsec sa add 10 spi 1000 esp crypto-key 4339314b55523947594d6d3547666b45 crypto-alg aes-cbc-128 integ-key 4339314b55523947594d6d3547666b45 integ-alg sha1-96
ipsec tunnel protect ipip0 sa-in 10 sa-out 10 1.1.1.1
ip route add 2.2.2.0/24 via 1.1.1.1 ipip0
set interface unnumbered ipip0 use GigabitEthernet0/8/0
set interface state ipip0 up
Receiver host configuration
1) Address 3.3.3.3 on enp0s9
2) Route:
   route add -net 2.2.2.0/24 gw 3.3.3.1 dev enp0s9
4. Test
Ping with an explicit source address from the sender host: ping -c 1 -l 1500 -I 2.2.2.2 3.3.3.3
(On Linux iputils ping, -l is the preload count, not the packet size; to send a 1500-byte payload, which is what exercises the reassembly setting below, use -s 1500.)
Debugging commands
show ip fib                     # vpp routing table
clear trace
trace add dpdk-input 10
show trace
show runtime esp4-encrypt-tun
set interface reassembly <interface-name> [on|off|ip4
set interface reassembly GigabitEthernet0/8/0 on
[Summary] A packet capture shows three duplicate echo replies being received; the cause is not yet known.
Switching to SPD mode and retesting showed the same behaviour.
In some runs there were seven or eight packets; the count does not seem to be fixed.
A further test in SPD mode showed exactly one packet on each side and no extra packets, so this may depend on the PC side or the topology.