2 几种esp_tunnel模式的设置

#####################
使用setkey设置 spd, 再使用 racoon来协商 sa信息并支持natt .
[192.168.125.10/30]<--(路由)-->[192.168.125.14/30]

这一节两台设备下面没有带网段, 只测试了两点间的通信. 后面带网段时, 需要再以内网网段为 selector 另写 spd 条目(见最后一节的例子), racoon 的 sainfo 也要能匹配到那些网段.
配置里直接开启了 nat-t (`nat_traversal force;`), 不开启时配置文件只少这一行. 不开 nat-t 时 ipsec 的封装是 esp, 开启后封装变成 esp-udp (UDP 4500), 见下面 `setkey -D` 的输出. 注意 `force` 在没有 NAT 的情况下也会强制 UDP 封装, 只想在探测到 NAT 时才封装应该用 `on`.


-----------

192.168.125.14 
#cat /etc/racoon/racoon.conf

# Log level: "notify" is enough for normal operation; raise it (or run
# `racoon -F -d -d -d`) when a negotiation fails.
log notify;
# Pre-shared keys live in this file in cleartext. Keep it mode 0600 and
# owned by root. NOTE(review): ipsec-tools' racoon is expected to reject a
# PSK file that is group/world readable -- verify on this build.
path pre_shared_key "/etc/racoon/psk.txt";
# Unused here: authentication below is pre_shared_key, not certificates.
path certificate "/etc/racoon/certs";
listen {
# No admin socket: racoonctl cannot talk to this daemon. Less local
# attack surface, less live introspection.
adminsock disabled;
}

timer
{
        # To keep the NAT-mappings on your NAT gateway, there must be
        # a regular traffic. The default is 20s. Set it to 0s to disable
        # sending completely. Only meaningful when NAT-T is active (it is
        # forced below).
        natt_keepalive 10 sec;
}

# Phase 1 (IKE SA) settings for the single peer.
remote "192.168.125.10" {
remote_address 192.168.125.10;
        # Main mode: identities are exchanged encrypted. With PSK
        # authentication the peer is identified by its IP address, which is
        # what psk.txt is keyed on.
        exchange_mode main;
        proposal {
                # "aes" with no key length means AES-CBC 128 (the SA dump
                # below shows a 16-byte aes-cbc key).
                encryption_algorithm aes;
                # NOTE(review): SHA-1 and MODP-1536 (group 5) are legacy
                # choices; prefer sha256 / dh_group 14 when the peer
                # supports them. Both sides must agree on any change.
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 5;
        }
        # racoon will NOT install SPD entries by itself; the spdadd lines
        # further down are required, otherwise nothing ever triggers a
        # negotiation.
        generate_policy off;
# "force" always UDP-encapsulates ESP on port 4500 even when no NAT is
# detected -- that is why `setkey -D` below shows esp-udp on [4500].
# "on" would encapsulate only when a NAT is actually detected.
nat_traversal force;
}
 
# Phase 2 (IPsec SA) parameters. The selectors cover only the two gateways
# themselves (/32 on both sides); to protect whole subnets (last section of
# this page) these addresses must be widened too, or a `sainfo anonymous`
# block added, so racoon can match the wider SPs.
sainfo address 192.168.125.14/32[any] any address 192.168.125.10/32[any] any {
        # Perfect forward secrecy for phase 2; same legacy group as phase 1.
        pfs_group 5;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        # Proposes IPComp (deflate) inside the tunnel. No ipcomp SA appears
        # in the `setkey -D` dump below, so it does not seem to be in
        # effect here; compressing before encrypting can also leak
        # plaintext-dependent length information, so drop it unless needed.
        compression_algorithm deflate;
}
#cat psk.txt
# Format: <peer identifier> <secret>. With main mode and IP-address IDs the
# identifier is the peer's address. NOTE(review): "abcd1234" is a demo
# value -- a short dictionary word can be brute-forced offline by anyone
# who captures or initiates one IKE exchange; use a long random secret
# (e.g. `openssl rand -hex 32`) and keep this file mode 0600, root-owned.
192.168.125.10  abcd1234
#手动加上
# Host-to-host SPs (a bare address means /32). These are what trigger the
# IKE negotiation, since generate_policy is off in racoon.conf. Direction is
# seen from this host (192.168.125.14): "out" for packets it sends, "in" for
# packets it receives; on Linux a matching "fwd" policy is added alongside
# the "in" one, which is the third entry visible in `setkey -DP`.
# "require" means packets matching the selector are never sent in the clear.
spdadd -4 192.168.125.14 192.168.125.10 any -P out ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 192.168.125.10 192.168.125.14 any -P in ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;

--------------------
# setkey -D 
192.168.125.14[4500] 192.168.125.10[4500] 
esp-udp mode=tunnel spi=11506335(0x00af929f) reqid=0(0x00000000)
E: aes-cbc  8b56ee03 25cd2348 cd4a15d8 aaa0755b
A: hmac-sha1  df471b37 41063f59 37c5133e 386e80e6 4f4b07e8
seq=0x00000000 replay=4 flags=0x00000000 state=mature 
created: Feb  3 11:36:22 2018 current: Feb  3 11:39:13 2018
diff: 171(s) hard: 28800(s) soft: 23040(s)
last: Feb  3 11:36:23 2018 hard: 0(s) soft: 0(s)
current: 252(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
sadb_seq=1 pid=949 refcnt=0
192.168.125.10[4500] 192.168.125.14[4500] 
esp-udp mode=tunnel spi=190166737(0x0b55b6d1) reqid=0(0x00000000)
E: aes-cbc  71e0462c fe6a9bbb 656cb9b6 2233aa34
A: hmac-sha1  a1a0d1f5 280f9ec6 770d544a 5b0603a8 c49f45de
seq=0x00000000 replay=4 flags=0x00000000 state=mature 
created: Feb  3 11:36:22 2018 current: Feb  3 11:39:13 2018
diff: 171(s) hard: 28800(s) soft: 23040(s)
last: Feb  3 11:36:23 2018 hard: 0(s) soft: 0(s)
current: 252(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
sadb_seq=0 pid=949 refcnt=0

# setkey -DP 会列出不少条目. 其中 in/out 两行是手动加的; 另外一行 fwd 不是手动写的, 是在 Linux 上添加 in 策略时自动生成的配套条目(pid 和手动加的两行相同), 用于转发方向的匹配, 不需要也不应该再手动加.

192.168.125.10[any] 192.168.125.14[any] 255
fwd prio def ipsec
esp/tunnel/192.168.125.10-192.168.125.14/require
created: Feb  3 11:22:28 2018  lastused:                     
lifetime: 0(s) validtime: 0(s)
spid=362 seq=21 pid=951
refcnt=1
192.168.125.10[any] 192.168.125.14[any] 255
in prio def ipsec
esp/tunnel/192.168.125.10-192.168.125.14/require
created: Feb  3 11:22:28 2018  lastused: Feb  3 11:36:25 2018
lifetime: 0(s) validtime: 0(s)
spid=352 seq=22 pid=951
refcnt=2
192.168.125.14[any] 192.168.125.10[any] 255
out prio def ipsec
esp/tunnel/192.168.125.14-192.168.125.10/require
created: Feb  3 11:22:28 2018  lastused: Feb  3 11:36:25 2018
lifetime: 0(s) validtime: 0(s)
spid=345 seq=23 pid=951
refcnt=2

-------------------------------
192.168.125.10
#cat /etc/racoon/racoon.conf
# Log level: "notify" is enough for normal operation; raise it (or run
# `racoon -F -d -d -d`) when a negotiation fails.
log notify;
# Pre-shared keys live in this file in cleartext. Keep it mode 0600 and
# owned by root. NOTE(review): ipsec-tools' racoon is expected to reject a
# PSK file that is group/world readable -- verify on this build.
path pre_shared_key "/etc/racoon/psk.txt";
# Unused here: authentication below is pre_shared_key, not certificates.
path certificate "/etc/racoon/certs";

listen {
        # No admin socket: racoonctl cannot talk to this daemon. Less local
        # attack surface, less live introspection.
        adminsock disabled;
}

timer
{
        # To keep the NAT-mappings on your NAT gateway, there must be
        # a regular traffic. The default is 20s. Set it to 0s to disable
        # sending completely. Only meaningful when NAT-T is active (it is
        # forced below).
        natt_keepalive 10 sec;
}

# Phase 1 (IKE SA) settings for the single peer. Must mirror the peer's
# remote block exactly (same mode, proposal and NAT-T setting).
remote "192.168.125.14" {
remote_address 192.168.125.14;
        # Main mode: identities are exchanged encrypted. With PSK
        # authentication the peer is identified by its IP address, which is
        # what psk.txt is keyed on.
        exchange_mode main;
        proposal {
                # "aes" with no key length means AES-CBC 128 (the SA dump
                # below shows a 16-byte aes-cbc key).
                encryption_algorithm aes;
                # NOTE(review): SHA-1 and MODP-1536 (group 5) are legacy
                # choices; prefer sha256 / dh_group 14 when the peer
                # supports them. Both sides must agree on any change.
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 5;
        }
        # racoon will NOT install SPD entries by itself; the spdadd lines
        # further down are required, otherwise nothing ever triggers a
        # negotiation.
        generate_policy off;
# "force" always UDP-encapsulates ESP on port 4500 even when no NAT is
# detected -- that is why `setkey -D` below shows esp-udp on [4500].
# "on" would encapsulate only when a NAT is actually detected.
nat_traversal force;
}

# Phase 2 (IPsec SA) parameters. The selectors cover only the two gateways
# themselves (/32 on both sides); to protect whole subnets (last section of
# this page) these addresses must be widened too, or a `sainfo anonymous`
# block added, so racoon can match the wider SPs.
sainfo address 192.168.125.10/32[any] any address 192.168.125.14/32[any] any {
        # Perfect forward secrecy for phase 2; same legacy group as phase 1.
        pfs_group 5;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        # Proposes IPComp (deflate) inside the tunnel. No ipcomp SA appears
        # in the `setkey -D` dump below, so it does not seem to be in
        # effect here; compressing before encrypting can also leak
        # plaintext-dependent length information, so drop it unless needed.
        compression_algorithm deflate;
}

# cat psk.txt 
# Format: <peer identifier> <secret>. The secret must be identical to the
# one the peer has stored for this host. NOTE(review): "abcd1234" is a demo
# value -- a short dictionary word can be brute-forced offline by anyone
# who captures or initiates one IKE exchange; use a long random secret
# (e.g. `openssl rand -hex 32`) and keep this file mode 0600, root-owned.
192.168.125.14  abcd1234

# Host-to-host SPs, the mirror image of the peer's: what is "out" there is
# "in" here. Explicit /32 is equivalent to the bare addresses used on the
# other host. Required because generate_policy is off in racoon.conf;
# Linux adds a matching "fwd" policy next to the "in" one automatically.
# "require" means packets matching the selector are never sent in the clear.
spdadd -4 192.168.125.14/32 192.168.125.10/32 any -P in ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 192.168.125.10/32 192.168.125.14/32 any -P out ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;

--------------
# setkey -D
192.168.125.10[4500] 192.168.125.14[4500] 
esp-udp mode=tunnel spi=190166737(0x0b55b6d1) reqid=0(0x00000000)
E: aes-cbc  71e0462c fe6a9bbb 656cb9b6 2233aa34
A: hmac-sha1  a1a0d1f5 280f9ec6 770d544a 5b0603a8 c49f45de
seq=0x00000000 replay=4 flags=0x00000000 state=mature 
created: Feb  3 11:36:22 2018 current: Feb  3 11:41:42 2018
diff: 320(s) hard: 28800(s) soft: 23040(s)
last: Feb  3 11:36:23 2018 hard: 0(s) soft: 0(s)
current: 252(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
sadb_seq=1 pid=1014 refcnt=0
192.168.125.14[4500] 192.168.125.10[4500] 
esp-udp mode=tunnel spi=11506335(0x00af929f) reqid=0(0x00000000)
E: aes-cbc  8b56ee03 25cd2348 cd4a15d8 aaa0755b
A: hmac-sha1  df471b37 41063f59 37c5133e 386e80e6 4f4b07e8
seq=0x00000000 replay=4 flags=0x00000000 state=mature 
created: Feb  3 11:36:22 2018 current: Feb  3 11:41:42 2018
diff: 320(s) hard: 28800(s) soft: 23040(s)
last: Feb  3 11:36:23 2018 hard: 0(s) soft: 0(s)
current: 252(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
sadb_seq=0 pid=1014 refcnt=0

# setkey -DP
192.168.125.10[any] 192.168.125.14[any] 255
out prio def ipsec
esp/tunnel/192.168.125.10-192.168.125.14/require
created: Feb  3 11:22:15 2018  lastused: Feb  3 11:36:25 2018
lifetime: 0(s) validtime: 0(s)
spid=521 seq=21 pid=1015
refcnt=3
192.168.125.14[any] 192.168.125.10[any] 255
fwd prio def ipsec
esp/tunnel/192.168.125.14-192.168.125.10/require
created: Feb  3 11:22:15 2018  lastused:                     
lifetime: 0(s) validtime: 0(s)
spid=514 seq=22 pid=1015
refcnt=1
192.168.125.14[any] 192.168.125.10[any] 255
in prio def ipsec
esp/tunnel/192.168.125.14-192.168.125.10/require
created: Feb  3 11:22:15 2018  lastused: Feb  3 11:36:25 2018
lifetime: 0(s) validtime: 0(s)
spid=504 seq=0 pid=1015
refcnt=1

----------------------------
用 `racoon -F -d -d -d -v -L` 前台启动时, 如果看到下面这样的提示, 说明 racoon 启动那一刻内核里的 spd 还是空的(X_SPDDUMP 返回 ENOENT), 也就是 spdadd 还没执行或者没加成功. 先用 `setkey -DP` 确认 spd 条目存在, 再启动 racoon.
2018-02-03 13:32:24: DEBUG: pfkey.c:235:pfkey_handler(): got pfkey X_SPDDUMP message
2018-02-03 13:32:24: DEBUG2: plog.c:241:plogdump(): 
02120200 02000000 00000000 4f050000
2018-02-03 13:32:24: DEBUG: pfkey.c:252:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory

我发现 racoon.conf 里的算法名字和 setkey 有些对不上: 比如 racoon.conf 里写 `aes` / `hmac_sha1`, 而 `setkey -D` 里显示的是 `aes-cbc` / `hmac-sha1`. 不同的 linux 发行版也有差别, 所以写配置时要分别查 racoon.conf(5) 和 setkey(8) 里的算法名表, 不能互相照抄.

##################################
下面用setkey直接写sad spd.
这样设置简单, 少一个守护进程听在 udp 500/4500 上(这个进程的安全方面就不用考虑了).
同时也带来了一些问题: 没有 log 可以帮助排错; 没有 racoon 来判断你加进去的 spd 条目是不是正确, 设置出了错只能一脸的茫然.
更重要的是, 手工 key 是静态的, 永远不会自动轮换, 而且 add 时没给 `-r` 的话内核不做防重放检查, 所以要定期手工换 key, 并把含 key 的文件权限收紧(0600).
这种方式我还没想出办法来支持esp-udp封装. 因为没有进程会listen udp 4500.

--------
192.168.125.14
# cat file
# Manually keyed SAs (no IKE). Both directions are entered on both hosts
# with identical SPIs and keys; src/dst in "add" are the outer tunnel
# addresses. NOTE(review):
#  1) keys are static -- nothing ever rekeys them, so rotate by hand and
#     treat this file as a secret (mode 0600); the values here are test
#     keys and must not be reused;
#  2) no "-r" window is given, so per setkey(8) the kernel performs no
#     anti-replay check on these SAs; manual keying cannot use it safely
#     anyway because sequence numbers restart from zero after a reboot;
#  3) blowfish is a 64-bit block cipher; prefer aes-cbc (16/24/32-byte
#     key) for anything beyond a lab test.
add -4 192.168.125.10 192.168.125.14 esp 0x1001 -m tunnel
 -E blowfish-cbc 0xf797fcaae3fb6320f25415ebd8adc525517620dc6bea4ff8f3cfe768d2cd219e1cf7c7e15ff7c72c3ab45b10712f92c8f01e72727f0fb622
 -A hmac-sha1 0xd64ffbac35949351fb12dbc1774732e57fb4e471 ;

add -4 192.168.125.14 192.168.125.10 esp 0x2001 -m tunnel
 -E blowfish-cbc 0x25bc815defd9fef626cad802d25752a0677f798ef7910aa16f89b9ae1dfe1c7561ba554c6fcb397786e1253c387677ef39c765e81ea2ef29
 -A hmac-sha1 0x802aa95c18319dd8a0fc6be2d70c8560625569e5 ;

# SPs selecting the gateways' own traffic, same form as in the racoon
# setup; here the SAs above already exist, so no daemon is needed.
spdadd -4 192.168.125.14 192.168.125.10 any -P out ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 192.168.125.10 192.168.125.14 any -P in ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;

#cat file |setkey -c
-------------
192.168.125.10
# cat file
# Same two manually keyed SAs as on the peer (identical SPIs and keys on
# both hosts; the kernel picks the right one by src/dst). NOTE(review):
# static keys with no rekeying and no "-r" replay window -- see setkey(8);
# keep this file mode 0600, rotate keys by hand, never reuse these test
# values, and prefer aes-cbc over the 64-bit-block blowfish.
add -4 192.168.125.10 192.168.125.14 esp 0x1001 -m tunnel
 -E blowfish-cbc 0xf797fcaae3fb6320f25415ebd8adc525517620dc6bea4ff8f3cfe768d2cd219e1cf7c7e15ff7c72c3ab45b10712f92c8f01e72727f0fb622
 -A hmac-sha1 0xd64ffbac35949351fb12dbc1774732e57fb4e471 ;


add -4 192.168.125.14 192.168.125.10 esp 0x2001 -m tunnel
 -E blowfish-cbc 0x25bc815defd9fef626cad802d25752a0677f798ef7910aa16f89b9ae1dfe1c7561ba554c6fcb397786e1253c387677ef39c765e81ea2ef29
 -A hmac-sha1 0x802aa95c18319dd8a0fc6be2d70c8560625569e5 ;

# Host-to-host SPs, mirror image of the peer's ("in" here is "out" there).
spdadd -4 192.168.125.14/32 192.168.125.10/32 any -P in ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 192.168.125.10/32 192.168.125.14/32 any -P out ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;


##################################

继续测试一下. tunnel方式连接两个网段. 用 setkey 直接设置sad, spd .

网络结构是这样的.

[10.0.10.2/24]<-->[10.0.10.1/24,192.168.125.10/30]<--(192.168.125.9/30,路由,192.168.125.13/30)-->[192.168.125.14/30,10.0.14.1/24]<-->[10.0.14.2/24]
最两端的 10.0.10.2和 10.0.14.2没有ipsec设置只进行测试
中间的路由只进行包转发.
ipsec设置在 192.168.125.10,192.168.125.14上.


所有的设备都是 linux (debian 9.3). 其实是同一台机器上的两个kvm虚拟机.虚拟机中再各启动一个 docker container.

假设 192.168的网段为公网段.  10.0的网段为私有网段.

ipsec没有网络接口,也没有路由的概念.
两边ipsec设备下面的网段的连通是因为符合 proxy id(spd条目) 被加上ipsec包头,转发到IPsec通道中.
这样来实现两个私有网段互联的. ipsec SA信息使这些内网数据包的下一跳指到ipsec对端的那台设备上去.

---------------
192.168.125.14上的设置.
这样的设置, 会把两端私有网络 (10.0.10.0/24 <--> 10.0.14.0/24) 之间的通信数据放到 esp tunnel 中,
但是 ipsec SA 两端设备自身之间的通信却不会被加上 esp tunnel 封装(下面的抓包可以看到 ICMP 是明文).

# Same manually keyed SAs as in the previous section; only the SPs change.
# NOTE(review): static keys, no "-r" replay window, 64-bit-block blowfish --
# lab values only; keep the file mode 0600 and rotate keys by hand.
add -4 192.168.125.10 192.168.125.14 esp 0x1001 -m tunnel
 -E blowfish-cbc 0xf797fcaae3fb6320f25415ebd8adc525517620dc6bea4ff8f3cfe768d2cd219e1cf7c7e15ff7c72c3ab45b10712f92c8f01e72727f0fb622
 -A hmac-sha1 0xd64ffbac35949351fb12dbc1774732e57fb4e471 ;

add -4 192.168.125.14 192.168.125.10 esp 0x2001 -m tunnel
 -E blowfish-cbc 0x25bc815defd9fef626cad802d25752a0677f798ef7910aa16f89b9ae1dfe1c7561ba554c6fcb397786e1253c387677ef39c765e81ea2ef29
 -A hmac-sha1 0x802aa95c18319dd8a0fc6be2d70c8560625569e5 ;

# Host-to-host SPs, left commented out: with only the subnet SPs below the
# gateways' own 192.168.125.x traffic goes in the clear (see the ICMP
# capture further down). Uncomment to protect it as well.
#spdadd -4 192.168.125.14 192.168.125.10 any -P out ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
#spdadd -4 192.168.125.10 192.168.125.14 any -P in ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;

# Subnet SPs: the selector is the private /24 behind each gateway
# (10.0.14.0/24 is local to this host), while the tunnel endpoints stay the
# public 192.168.125.x addresses. Traffic between the two subnets is thus
# ESP-tunnelled between the gateways. (IP forwarding must be enabled on
# both gateways -- not shown on this page.)
spdadd -4 10.0.14.0/24 10.0.10.0/24 any -P out ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 10.0.10.0/24 10.0.14.0/24 any -P in ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;

----------------
对端 192.168.125.10上的设置
# Peer side: identical SAs, SPs mirrored ("in" here is "out" there).
# NOTE(review): static keys, no "-r" replay window, 64-bit-block blowfish --
# lab values only; keep the file mode 0600 and rotate keys by hand.
add -4 192.168.125.10 192.168.125.14 esp 0x1001 -m tunnel
 -E blowfish-cbc 0xf797fcaae3fb6320f25415ebd8adc525517620dc6bea4ff8f3cfe768d2cd219e1cf7c7e15ff7c72c3ab45b10712f92c8f01e72727f0fb622
 -A hmac-sha1 0xd64ffbac35949351fb12dbc1774732e57fb4e471 ;

add -4 192.168.125.14 192.168.125.10 esp 0x2001 -m tunnel
 -E blowfish-cbc 0x25bc815defd9fef626cad802d25752a0677f798ef7910aa16f89b9ae1dfe1c7561ba554c6fcb397786e1253c387677ef39c765e81ea2ef29
 -A hmac-sha1 0x802aa95c18319dd8a0fc6be2d70c8560625569e5 ;

# Host-to-host SPs, left commented out: without them the gateways' own
# traffic is sent in the clear. Uncomment on BOTH hosts to protect it.
#spdadd -4 192.168.125.14/32 192.168.125.10/32 any -P in ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
#spdadd -4 192.168.125.10/32 192.168.125.14/32 any -P out ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;

# Subnet SPs: 10.0.10.0/24 is local to this host, so it is the source of
# the "out" policy; tunnel endpoints remain the public addresses.
# (IP forwarding must be enabled on both gateways -- not shown here.)
spdadd -4 10.0.14.0/24 10.0.10.0/24 any -P in ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 10.0.10.0/24 10.0.14.0/24 any -P out ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;

-----------------
两个公网设备的通信抓包
01:23:51.576012 IP 192.168.125.14 > 192.168.125.10: ICMP echo request, id 810, seq 4, length 64
01:23:51.576406 IP 192.168.125.10 > 192.168.125.14: ICMP echo reply, id 810, seq 4, length 64
01:23:52.599946 IP 192.168.125.14 > 192.168.125.10: ICMP echo request, id 810, seq 5, length 64
01:23:52.600323 IP 192.168.125.10 > 192.168.125.14: ICMP echo reply, id 810, seq 5, length 64
01:23:53.623919 IP 192.168.125.14 > 192.168.125.10: ICMP echo request, id 810, seq 6, length 64

私有网络通信的数据.
01:23:33.158374 IP 192.168.125.10 > 192.168.125.14: ESP(spi=0x00001001,seq=0x2c), length 116
01:23:33.158900 IP 192.168.125.14 > 192.168.125.10: ESP(spi=0x00002001,seq=0x2c), length 116
01:23:34.159797 IP 192.168.125.10 > 192.168.125.14: ESP(spi=0x00001001,seq=0x2d), length 116
01:23:34.160281 IP 192.168.125.14 > 192.168.125.10: ESP(spi=0x00002001,seq=0x2d), length 116

-------------------------
如果 ipsec 两端设备自身之间的通信也需要保护, 那就把上面配置中注释掉的两行 host-to-host sp 在两台设备上都加上(两边要同时加, 否则一边 require 一边明文, 通信会断).
这里不细写了, 测试效果完全正常.