手动用setkey transport 简单的设置
虚拟机环境测试
setkey -D 显示sad
setkey -D -P 显示spd
cat cfgfile|setkey -c 或 echo "设置信息" |setkey -c 或 setkey -f cfgfile 生效配置. (注意: 用 echo 把含密钥的 add 语句传给 setkey, 密钥会留在 shell 历史和进程参数里; 推荐用 setkey -f cfgfile, 并把 cfgfile 设为仅 root 可读.)
setkey -F 清除sad所有内容
setkey -F -P 清除 spd所有内容 (spd 用 -P 选择, 与上面的 setkey -D -P 对应; 写成 -F -D 并不会清除 spd, 只会显示 sad)
###########
esp_transport
----------
192.168.125.14
# setkey(8) configuration for host 192.168.125.14, ESP transport mode
# (load with `setkey -f cfgfile` or paste into `setkey -c`).
# The hex keys below are sample values: they are printed in full on this page,
# so they are public and must only be used for this VM test. Generate fresh
# keys (see the dd/od one-liner further down) for any real SA.
# SA for 192.168.125.10 -> 192.168.125.14, SPI 0x1001.
# -E: AES-CTR with a 20-byte hex key (160 bits as setkey counts it;
#     NOTE(review): per setkey(8) the trailing 32 bits are the CTR nonce - confirm).
# -A: HMAC-SHA1 with a 20-byte (160-bit) key. The `;` ends the statement.
# NOTE(review): no replay window (-r) and no lifetime (-lh/-ls) are given, so
# these manually keyed SAs presumably stay valid, unrekeyed, until `setkey -F`.
add -4 192.168.125.10 192.168.125.14 esp 0x1001 -m transport
-E aes-ctr 0x2b460e68de9020d3ee6096e01f23ad22a802432b
-A hmac-sha1 0xd64ffbac35949351fb12dbc1774732e57fb4e471 ;
# Reverse-direction SA (192.168.125.14 -> 192.168.125.10), SPI 0x2001, own key pair.
add -4 192.168.125.14 192.168.125.10 esp 0x2001 -m transport
-E aes-ctr 0x2cb7395fa8d54a4e9d1639cbe91bb8809d72da21
-A hmac-sha1 0x802aa95c18319dd8a0fc6be2d70c8560625569e5 ;
# Policies: `require` means matching packets must be ESP-protected (no cleartext
# fallback); `any` covers every upper-layer protocol. The SA lines are identical
# on the peer (192.168.125.10); only the in/out direction of the policies differs.
spdadd -4 192.168.125.14 192.168.125.10 any -P out ipsec esp/transport//require;
spdadd -4 192.168.125.10 192.168.125.14 any -P in ipsec esp/transport//require;
----------
192.168.125.10
# setkey(8) configuration for host 192.168.125.10, ESP transport mode.
# The two `add` statements are byte-for-byte the same as on 192.168.125.14
# (both ends must hold both SAs); only the policy directions are mirrored.
# Same public sample keys as above - never reuse them outside this test.
# SA for 192.168.125.10 -> 192.168.125.14, SPI 0x1001: AES-CTR (160-bit key as
# setkey counts it) + HMAC-SHA1 (160-bit key).
add -4 192.168.125.10 192.168.125.14 esp 0x1001 -m transport
-E aes-ctr 0x2b460e68de9020d3ee6096e01f23ad22a802432b
-A hmac-sha1 0xd64ffbac35949351fb12dbc1774732e57fb4e471 ;
# SA for 192.168.125.14 -> 192.168.125.10, SPI 0x2001.
add -4 192.168.125.14 192.168.125.10 esp 0x2001 -m transport
-E aes-ctr 0x2cb7395fa8d54a4e9d1639cbe91bb8809d72da21
-A hmac-sha1 0x802aa95c18319dd8a0fc6be2d70c8560625569e5 ;
# Policies, seen from .10: traffic from .14 is inbound, traffic to .14 is
# outbound; both must be ESP-protected (`require`).
spdadd -4 192.168.125.14 192.168.125.10 any -P in ipsec esp/transport//require;
spdadd -4 192.168.125.10 192.168.125.14 any -P out ipsec esp/transport//require;
----------
# tcpdump -n -i tap3 -n
12:30:06.657926 IP 192.168.125.10 > 192.168.125.14: ESP(spi=0x00001001,seq=0x17), length 96
12:30:06.658384 IP 192.168.125.14 > 192.168.125.10: ESP(spi=0x00002001,seq=0x17), length 96
12:30:07.659087 IP 192.168.125.10 > 192.168.125.14: ESP(spi=0x00001001,seq=0x18), length 96
12:30:07.659542 IP 192.168.125.14 > 192.168.125.10: ESP(spi=0x00002001,seq=0x18), length 96
################
ah_transport
----------
192.168.125.14
# setkey(8) configuration for host 192.168.125.14, AH transport mode.
# Same layout as the ESP section; only the protocol (`ah`) and the policy
# (`ah/transport//require`) change. Keys are the same public sample values.
# AH authenticates the packet but encrypts nothing: the tcpdump capture below
# shows the ICMP echo request/reply in clear behind the AH header.
# NOTE(review): `-E aes-ctr` is carried over from the ESP config; setkey(8)'s
# AH syntax takes only `-A`. Since the capture shows AH working, the encryption
# line was presumably ignored - confirm, and drop it to avoid the false
# impression that this SA provides confidentiality.
add -4 192.168.125.10 192.168.125.14 ah 0x1001 -m transport
-E aes-ctr 0x2b460e68de9020d3ee6096e01f23ad22a802432b
-A hmac-sha1 0xd64ffbac35949351fb12dbc1774732e57fb4e471 ;
# Reverse-direction SA (192.168.125.14 -> 192.168.125.10), SPI 0x2001.
add -4 192.168.125.14 192.168.125.10 ah 0x2001 -m transport
-E aes-ctr 0x2cb7395fa8d54a4e9d1639cbe91bb8809d72da21
-A hmac-sha1 0x802aa95c18319dd8a0fc6be2d70c8560625569e5 ;
# Policies: outbound to .10 and inbound from .10 must be AH-protected (`require`).
spdadd -4 192.168.125.14 192.168.125.10 any -P out ipsec ah/transport//require;
spdadd -4 192.168.125.10 192.168.125.14 any -P in ipsec ah/transport//require;
----------
192.168.125.10
# setkey(8) configuration for host 192.168.125.10, AH transport mode.
# SA statements are identical to the ones on 192.168.125.14; the policy
# directions are mirrored. Same public sample keys - test use only.
# AH gives integrity/authentication only; payloads stay in clear (see capture).
# NOTE(review): the `-E aes-ctr` line is meaningless for an AH SA (AH syntax in
# setkey(8) is `-A` only); presumably ignored here - confirm and remove.
add -4 192.168.125.10 192.168.125.14 ah 0x1001 -m transport
-E aes-ctr 0x2b460e68de9020d3ee6096e01f23ad22a802432b
-A hmac-sha1 0xd64ffbac35949351fb12dbc1774732e57fb4e471 ;
# SA for 192.168.125.14 -> 192.168.125.10, SPI 0x2001.
add -4 192.168.125.14 192.168.125.10 ah 0x2001 -m transport
-E aes-ctr 0x2cb7395fa8d54a4e9d1639cbe91bb8809d72da21
-A hmac-sha1 0x802aa95c18319dd8a0fc6be2d70c8560625569e5 ;
# Policies, seen from .10: inbound from .14 and outbound to .14 must be AH-protected.
spdadd -4 192.168.125.14 192.168.125.10 any -P in ipsec ah/transport//require;
spdadd -4 192.168.125.10 192.168.125.14 any -P out ipsec ah/transport//require;
------------
# tcpdump -n -i tap3 -n
12:35:11.494008 IP 192.168.125.10 > 192.168.125.14: AH(spi=0x00001001,seq=0xb): ICMP echo request, id 1201, seq 4, length 64
12:35:11.494332 IP 192.168.125.14 > 192.168.125.10: AH(spi=0x00002001,seq=0xb): ICMP echo reply, id 1201, seq 4, length 64
12:35:12.518114 IP 192.168.125.10 > 192.168.125.14: AH(spi=0x00001001,seq=0xc): ICMP echo request, id 1201, seq 5, length 64
12:35:12.518633 IP 192.168.125.14 > 192.168.125.10: AH(spi=0x00002001,seq=0xc): ICMP echo reply, id 1201, seq 5, length 64
################
标准的生成随机key. 更改 128 来设置要生成的 key 长度 (位数要与算法要求一致, 例如上面配置里 aes-ctr 和 hmac-sha1 各用 160 位, 即 40 个十六进制字符).
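# Generate a random IPsec key as one line of lowercase hex (no spaces).
# Usage: gen_key [BITS]   (default 128; BITS must be a positive multiple of 8)
# Reads /dev/random like the original one-liner. od(1) replaces xxd so the
# command also works where vim's xxd is absent and, unlike `xxd -ps`, never
# wraps: xxd breaks its output every 30 bytes, so "changing 128 to 256" would
# silently split the key across two lines.
gen_key() {
  local bits=${1:-128}
  local bytes
  # reject non-numeric, zero, or non-byte-aligned lengths
  if [[ ! "$bits" =~ ^[0-9]+$ ]] || (( bits == 0 || bits % 8 != 0 )); then
    printf 'gen_key: key length must be a positive multiple of 8 bits, got %s\n' "$bits" >&2
    return 1
  fi
  bytes=$(( bits / 8 ))
  # -An: no offset column; -tx1: one hex byte per token; -v: do not collapse
  # repeated bytes into '*'; -N: read exactly $bytes bytes. tr strips od's
  # separators so the key is a single token.
  od -An -tx1 -v -N "$bytes" /dev/random | tr -d ' \n'
  printf '\n'
}
gen_key "${1:-128}"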
################
测试速度.
虚拟机的cpu里没有 aes加速指令.
在实机的aes也许有加速. 是不是应该是首选呢. (从安全角度看应该是: des-cbc 只有 56 位密钥, 3des-cbc 也已被废弃, 两者都不应再用于新配置; 而且从上面的数据看, 即使在没有 aes 加速的虚拟机里 aes-ctr 也已经是最快的.)
ipsec/esp/transport des-cbc 18-21 MB/second
ipsec/esp/transport 3des-cbc 10 MB/second
ipsec/esp/transport aes-ctr_160bitkey 21-23 MB/second
虚拟机环境测试
192.168.125.10 <--路由--> 192.168.125.14
近来实在没有事干闲得难受,没啥事儿干.
有一个比较特殊的事件提到了ipsec.
我就准备花一些时间看看linux中的ipsec.学学相关的基础知识.
最好能再看看在实际应用环境里怎么能够用上它.
如果我还在继续看这这些信息.我会继续再发点信息.
setkey -D 显示sad
setkey -D -P 显示spd
cat cfgfile|setkey -c 或 echo "设置信息" |setkey -c 或 setkey -f cfgfile 生效配置. (注意: 用 echo 把含密钥的 add 语句传给 setkey, 密钥会留在 shell 历史和进程参数里; 推荐用 setkey -f cfgfile, 并把 cfgfile 设为仅 root 可读.)
setkey -F 清除sad所有内容
setkey -F -P 清除 spd所有内容 (spd 用 -P 选择, 与上面的 setkey -D -P 对应; 写成 -F -D 并不会清除 spd, 只会显示 sad)
###########
esp_transport
----------
192.168.125.14
# setkey(8) configuration for host 192.168.125.14, ESP transport mode
# (load with `setkey -f cfgfile` or paste into `setkey -c`).
# The hex keys below are sample values: they are printed in full on this page,
# so they are public and must only be used for this VM test. Generate fresh
# keys (see the dd/od one-liner further down) for any real SA.
# SA for 192.168.125.10 -> 192.168.125.14, SPI 0x1001.
# -E: AES-CTR with a 20-byte hex key (160 bits as setkey counts it;
#     NOTE(review): per setkey(8) the trailing 32 bits are the CTR nonce - confirm).
# -A: HMAC-SHA1 with a 20-byte (160-bit) key. The `;` ends the statement.
# NOTE(review): no replay window (-r) and no lifetime (-lh/-ls) are given, so
# these manually keyed SAs presumably stay valid, unrekeyed, until `setkey -F`.
add -4 192.168.125.10 192.168.125.14 esp 0x1001 -m transport
-E aes-ctr 0x2b460e68de9020d3ee6096e01f23ad22a802432b
-A hmac-sha1 0xd64ffbac35949351fb12dbc1774732e57fb4e471 ;
# Reverse-direction SA (192.168.125.14 -> 192.168.125.10), SPI 0x2001, own key pair.
add -4 192.168.125.14 192.168.125.10 esp 0x2001 -m transport
-E aes-ctr 0x2cb7395fa8d54a4e9d1639cbe91bb8809d72da21
-A hmac-sha1 0x802aa95c18319dd8a0fc6be2d70c8560625569e5 ;
# Policies: `require` means matching packets must be ESP-protected (no cleartext
# fallback); `any` covers every upper-layer protocol. The SA lines are identical
# on the peer (192.168.125.10); only the in/out direction of the policies differs.
spdadd -4 192.168.125.14 192.168.125.10 any -P out ipsec esp/transport//require;
spdadd -4 192.168.125.10 192.168.125.14 any -P in ipsec esp/transport//require;
----------
192.168.125.10
# setkey(8) configuration for host 192.168.125.10, ESP transport mode.
# The two `add` statements are byte-for-byte the same as on 192.168.125.14
# (both ends must hold both SAs); only the policy directions are mirrored.
# Same public sample keys as above - never reuse them outside this test.
# SA for 192.168.125.10 -> 192.168.125.14, SPI 0x1001: AES-CTR (160-bit key as
# setkey counts it) + HMAC-SHA1 (160-bit key).
add -4 192.168.125.10 192.168.125.14 esp 0x1001 -m transport
-E aes-ctr 0x2b460e68de9020d3ee6096e01f23ad22a802432b
-A hmac-sha1 0xd64ffbac35949351fb12dbc1774732e57fb4e471 ;
# SA for 192.168.125.14 -> 192.168.125.10, SPI 0x2001.
add -4 192.168.125.14 192.168.125.10 esp 0x2001 -m transport
-E aes-ctr 0x2cb7395fa8d54a4e9d1639cbe91bb8809d72da21
-A hmac-sha1 0x802aa95c18319dd8a0fc6be2d70c8560625569e5 ;
# Policies, seen from .10: traffic from .14 is inbound, traffic to .14 is
# outbound; both must be ESP-protected (`require`).
spdadd -4 192.168.125.14 192.168.125.10 any -P in ipsec esp/transport//require;
spdadd -4 192.168.125.10 192.168.125.14 any -P out ipsec esp/transport//require;
----------
# tcpdump -n -i tap3 -n
12:30:06.657926 IP 192.168.125.10 > 192.168.125.14: ESP(spi=0x00001001,seq=0x17), length 96
12:30:06.658384 IP 192.168.125.14 > 192.168.125.10: ESP(spi=0x00002001,seq=0x17), length 96
12:30:07.659087 IP 192.168.125.10 > 192.168.125.14: ESP(spi=0x00001001,seq=0x18), length 96
12:30:07.659542 IP 192.168.125.14 > 192.168.125.10: ESP(spi=0x00002001,seq=0x18), length 96
################
ah_transport
----------
192.168.125.14
# setkey(8) configuration for host 192.168.125.14, AH transport mode.
# Same layout as the ESP section; only the protocol (`ah`) and the policy
# (`ah/transport//require`) change. Keys are the same public sample values.
# AH authenticates the packet but encrypts nothing: the tcpdump capture below
# shows the ICMP echo request/reply in clear behind the AH header.
# NOTE(review): `-E aes-ctr` is carried over from the ESP config; setkey(8)'s
# AH syntax takes only `-A`. Since the capture shows AH working, the encryption
# line was presumably ignored - confirm, and drop it to avoid the false
# impression that this SA provides confidentiality.
add -4 192.168.125.10 192.168.125.14 ah 0x1001 -m transport
-E aes-ctr 0x2b460e68de9020d3ee6096e01f23ad22a802432b
-A hmac-sha1 0xd64ffbac35949351fb12dbc1774732e57fb4e471 ;
# Reverse-direction SA (192.168.125.14 -> 192.168.125.10), SPI 0x2001.
add -4 192.168.125.14 192.168.125.10 ah 0x2001 -m transport
-E aes-ctr 0x2cb7395fa8d54a4e9d1639cbe91bb8809d72da21
-A hmac-sha1 0x802aa95c18319dd8a0fc6be2d70c8560625569e5 ;
# Policies: outbound to .10 and inbound from .10 must be AH-protected (`require`).
spdadd -4 192.168.125.14 192.168.125.10 any -P out ipsec ah/transport//require;
spdadd -4 192.168.125.10 192.168.125.14 any -P in ipsec ah/transport//require;
----------
192.168.125.10
# setkey(8) configuration for host 192.168.125.10, AH transport mode.
# SA statements are identical to the ones on 192.168.125.14; the policy
# directions are mirrored. Same public sample keys - test use only.
# AH gives integrity/authentication only; payloads stay in clear (see capture).
# NOTE(review): the `-E aes-ctr` line is meaningless for an AH SA (AH syntax in
# setkey(8) is `-A` only); presumably ignored here - confirm and remove.
add -4 192.168.125.10 192.168.125.14 ah 0x1001 -m transport
-E aes-ctr 0x2b460e68de9020d3ee6096e01f23ad22a802432b
-A hmac-sha1 0xd64ffbac35949351fb12dbc1774732e57fb4e471 ;
# SA for 192.168.125.14 -> 192.168.125.10, SPI 0x2001.
add -4 192.168.125.14 192.168.125.10 ah 0x2001 -m transport
-E aes-ctr 0x2cb7395fa8d54a4e9d1639cbe91bb8809d72da21
-A hmac-sha1 0x802aa95c18319dd8a0fc6be2d70c8560625569e5 ;
# Policies, seen from .10: inbound from .14 and outbound to .14 must be AH-protected.
spdadd -4 192.168.125.14 192.168.125.10 any -P in ipsec ah/transport//require;
spdadd -4 192.168.125.10 192.168.125.14 any -P out ipsec ah/transport//require;
------------
# tcpdump -n -i tap3 -n
12:35:11.494008 IP 192.168.125.10 > 192.168.125.14: AH(spi=0x00001001,seq=0xb): ICMP echo request, id 1201, seq 4, length 64
12:35:11.494332 IP 192.168.125.14 > 192.168.125.10: AH(spi=0x00002001,seq=0xb): ICMP echo reply, id 1201, seq 4, length 64
12:35:12.518114 IP 192.168.125.10 > 192.168.125.14: AH(spi=0x00001001,seq=0xc): ICMP echo request, id 1201, seq 5, length 64
12:35:12.518633 IP 192.168.125.14 > 192.168.125.10: AH(spi=0x00002001,seq=0xc): ICMP echo reply, id 1201, seq 5, length 64
################
标准的生成随机key. 更改 128 来设置要生成的 key 长度 (位数要与算法要求一致, 例如上面配置里 aes-ctr 和 hmac-sha1 各用 160 位, 即 40 个十六进制字符).
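# Generate a random IPsec key as one line of lowercase hex (no spaces).
# Usage: gen_key [BITS]   (default 128; BITS must be a positive multiple of 8)
# Reads /dev/random like the original one-liner. od(1) replaces xxd so the
# command also works where vim's xxd is absent and, unlike `xxd -ps`, never
# wraps: xxd breaks its output every 30 bytes, so "changing 128 to 256" would
# silently split the key across two lines.
gen_key() {
  local bits=${1:-128}
  local bytes
  # reject non-numeric, zero, or non-byte-aligned lengths
  if [[ ! "$bits" =~ ^[0-9]+$ ]] || (( bits == 0 || bits % 8 != 0 )); then
    printf 'gen_key: key length must be a positive multiple of 8 bits, got %s\n' "$bits" >&2
    return 1
  fi
  bytes=$(( bits / 8 ))
  # -An: no offset column; -tx1: one hex byte per token; -v: do not collapse
  # repeated bytes into '*'; -N: read exactly $bytes bytes. tr strips od's
  # separators so the key is a single token.
  od -An -tx1 -v -N "$bytes" /dev/random | tr -d ' \n'
  printf '\n'
}
gen_key "${1:-128}"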
################
测试速度.
虚拟机的cpu里没有 aes加速指令.
在实机的aes也许有加速. 是不是应该是首选呢. (从安全角度看应该是: des-cbc 只有 56 位密钥, 3des-cbc 也已被废弃, 两者都不应再用于新配置; 而且从下面的数据看, 即使在没有 aes 加速的虚拟机里 aes-ctr 也已经是最快的.)
非ipsec两虚拟机 tcp netcat传大文件 140 MB/second
ipsec/esp/transport des-cbc 18-21 MB/second
ipsec/esp/transport 3des-cbc 10 MB/second
ipsec/esp/transport aes-ctr_160bitkey 21-23 MB/second