继续测试一下 esp_tunnel 用 racoon协商 用setkey设置 spd
网络结构这次写详细点儿. 之前可能太过简单了看不清楚.
[10.0.10.2/24]<-->[10.0.10.1/24,192.168.125.10/30]<--(192.168.125.9/30,路由,192.168.125.13/30)-->[192.168.125.14/30,10.0.14.1/24]<-->[10.0.14.2/24]
最两端的 10.0.10.2 和 10.0.14.2 没有 ipsec 设置, 只用于测试.
中间的路由只进行包转发.
ipsec设置在 192.168.125.10,192.168.125.14上.
##########################
192.168.125.10
#cat /etc/racoon/racoon.conf
# racoon.conf on 192.168.125.10: IKEv1 daemon for the ESP tunnel to 192.168.125.14.
# Only the negotiation lives here; the SPD is installed separately with setkey.
log notify;
# PSK file, one "<peer> <key>" line per peer. It has to be readable by root only
# (racoon refuses a psk file with group/other permissions), and the key should
# be long and random - the value shown in this post is a lab value.
path pre_shared_key "/etc/racoon/psk.txt";
# Certificate directory; not used here because the remote section below
# authenticates with pre_shared_key.
path certificate "/etc/racoon/certs";
listen {
# No admin socket, so racoonctl cannot query or flush this daemon; use
# "setkey -D" / "setkey -DP" to inspect the SAD/SPD instead.
adminsock disabled;
}
timer
{
# To keep the NAT-mappings on your NAT gateway, there must be
# periodic NAT-T keepalive traffic; this is the interval between keepalives.
# The default is 20s. Set it to 0s to disable sending completely.
# No "lifetime" is set anywhere in this file, so racoon's default SA lifetimes
# apply (see "lifetime time" in racoon.conf(5) when testing SA expiry/rekey).
natt_keepalive 10 sec;
}
# Phase 1 (ISAKMP SA) with the peer 192.168.125.14. Both gateways use
# passive off, so either side may initiate.
remote "remote14" {
remote_address 192.168.125.14;
# Main mode with PSK expects IP-address identifiers; the FQDN error quoted
# later in this post comes from that check (ipsecdoi_checkid1).
exchange_mode main;
proposal {
encryption_algorithm aes;
# sha1 and dh_group 5 (1536-bit MODP) are the weakest part of this setup; for
# anything beyond a lab test prefer sha256 and dh_group 14 or stronger on both ends.
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 5;
}
# SPD entries are managed by hand with setkey, not created from the peer's proposal.
generate_policy off;
# force: always UDP-encapsulate ESP (port 4500), even when no NAT is detected.
nat_traversal force;
passive off;
#If you do not want to initiate the negotiation, set this to on. The default value is off. It is useful for a server.
# Relaxes racoon's phase 1 proposal checking (see racoon.conf(5) for exactly
# what is accepted); keep it off unless the peer actually needs it.
weak_phase1_check on;
# Binds this phase 1 to the sainfo sections below whose remoteid is 1.
ph1id 1;
#An optional number to identify the remote proposal and to link it only with sainfos who have the same number. Defaults to 0.
}
# Phase 2 (IPsec SA) parameters for traffic between the two LANs; selected
# only for a phase 1 that was built from a remote section with ph1id 1.
sainfo subnet 10.0.10.0/24[any] any subnet 10.0.14.0/24[any] any {
remoteid 1;
#Sainfos will only be used if their remoteid matches the ph1id of the remote section used for phase 1. Defaults to 0,
# Perfect forward secrecy with group 5; the peer's pfs_group has to agree.
pfs_group 5;
encryption_algorithm aes;
# ESP integrity algorithm; hmac_sha256 is available if the peer supports it.
authentication_algorithm hmac_sha1;
# IPComp (deflate) is negotiated together with ESP.
compression_algorithm deflate;
}
# Phase 2 parameters for the gateways' own traffic (the two host-to-host SP
# entries in /home/10). Can be dropped together with those SP entries when
# only LAN-to-LAN traffic matters, as noted further down.
sainfo subnet 192.168.125.10/32[any] any subnet 192.168.125.14/32[any] any {
remoteid 1;
#Sainfos will only be used if their remoteid matches the ph1id of the remote section used for phase 1. Defaults to 0,
# Must agree with the peer's pfs_group.
pfs_group 5;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
# IPComp (deflate) is negotiated together with ESP.
compression_algorithm deflate;
}
# cat /etc/racoon/psk.txt
192.168.125.14 jqka1234
# cat /home/10
# SPD for 192.168.125.10, loaded with "setkey -c". Policies are directional, so
# each flow needs an "in" and an "out" entry. "require" means a matching packet
# may only travel inside the ESP tunnel: an outbound match raises an ACQUIRE that
# starts racoon's negotiation, and inbound cleartext matching a selector is dropped,
# which is what keeps a spoofed 10.0.14.0/24 packet from entering in the clear.
# Gateway-to-gateway traffic, any protocol. IKE itself (UDP 500/4500) is not caught
# because racoon marks its own IKE sockets as policy-bypass; anything else between
# the two gateways is forced through the tunnel.
spdadd -4 192.168.125.14/32 192.168.125.10/32 any -P in ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 192.168.125.10/32 192.168.125.14/32 any -P out ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;
# LAN-to-LAN traffic: the selectors are the inner /24s, the tunnel endpoints are the gateways.
spdadd -4 10.0.14.0/24 10.0.10.0/24 any -P in ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 10.0.10.0/24 10.0.14.0/24 any -P out ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;
#cat /home/10 |setkey -c
-------------------------------------------
192.168.125.14
# cat /etc/racoon/racoon.conf
# racoon.conf on 192.168.125.14: mirror of the 192.168.125.10 configuration,
# with the peer addresses and selectors swapped.
log notify;
# PSK file; root-only permissions (racoon refuses a file readable by group/others)
# and a long random key per peer - the one shown in this post is a lab value.
path pre_shared_key "/etc/racoon/psk.txt";
# Not used: the remote section below authenticates with pre_shared_key.
path certificate "/etc/racoon/certs";
listen {
# No admin socket; racoonctl cannot be used, inspect with "setkey -D" / "setkey -DP".
adminsock disabled;
}
timer
{
# Interval between NAT-T keepalives (default 20s, 0s disables them). No "lifetime"
# is set in this file, so racoon's default SA lifetimes apply.
natt_keepalive 10 sec;
}
# Phase 1 (ISAKMP SA) with the peer 192.168.125.10; the proposal has to match
# the peer's (aes / sha1 / pre_shared_key / group 5) exactly.
remote "remote10" {
remote_address 192.168.125.10;
# Main mode with PSK expects IP-address identifiers (see the FQDN error quoted
# later in this post).
exchange_mode main;
proposal {
encryption_algorithm aes;
# sha1 and dh_group 5 (1536-bit MODP) are the weak part of this setup; prefer
# sha256 and dh_group 14 or stronger outside a lab, changed on both ends together.
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 5;
}
# SPD is managed by hand with setkey (/home/14), not derived from the peer's proposal.
generate_policy off;
# force: always UDP-encapsulate ESP (port 4500), even with no NAT in the path.
nat_traversal force;
passive off;
#If you do not want to initiate the negotiation, set this to on. The default value is off. It is useful for a server.
# Relaxes phase 1 proposal checking (see racoon.conf(5)); keep off unless the peer needs it.
weak_phase1_check on;
# Binds this phase 1 to the sainfo sections below whose remoteid is 1.
ph1id 1;
#An optional number to identify the remote proposal and to link it only with sainfos who have the same number. Defaults to 0.
}
# Phase 2 (IPsec SA) parameters for LAN-to-LAN traffic, seen from this side
# (local 10.0.14.0/24, remote 10.0.10.0/24); used only with ph1id 1.
sainfo subnet 10.0.14.0/24[any] any subnet 10.0.10.0/24[any] any {
remoteid 1;
#Sainfos will only be used if their remoteid matches the ph1id of the remote section used for phase 1. Defaults to 0,
# Perfect forward secrecy with group 5; has to agree with the peer's pfs_group.
pfs_group 5;
encryption_algorithm aes;
# ESP integrity algorithm; hmac_sha256 is available if the peer supports it.
authentication_algorithm hmac_sha1;
# IPComp (deflate) is negotiated together with ESP.
compression_algorithm deflate;
}
# Phase 2 parameters for the gateways' own traffic (the host-to-host SP entries
# in /home/14). Written with "address" here while the other gateway uses
# "subnet .../32"; with a /32 both forms appear to select the same single host.
# Optional: drop it together with those SP entries when only LAN-to-LAN traffic matters.
sainfo address 192.168.125.14/32[any] any address 192.168.125.10/32[any] any {
remoteid 1;
#Sainfos will only be used if their remoteid matches the ph1id of the remote section used for phase 1. Defaults to 0,
# Must agree with the peer's pfs_group.
pfs_group 5;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
# IPComp (deflate) is negotiated together with ESP.
compression_algorithm deflate;
}
# cat /etc/racoon/psk.txt
192.168.125.10 jqka1234
# cat /home/14
# SPD for 192.168.125.14, loaded with "setkey -c"; the mirror of /home/10 with
# the directions swapped. "require" forces matching traffic into the ESP tunnel
# and drops matching cleartext on the way in.
# Gateway-to-gateway traffic. The addresses carry no prefix length here; setkey
# treats a bare IPv4 address as a host (/32), matching the /32 form on the peer.
# IKE (UDP 500/4500) is not caught because racoon marks its IKE sockets policy-bypass.
spdadd -4 192.168.125.14 192.168.125.10 any -P out ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 192.168.125.10 192.168.125.14 any -P in ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;
# LAN-to-LAN traffic: inner selectors are the /24s, tunnel endpoints are the gateways.
spdadd -4 10.0.14.0/24 10.0.10.0/24 any -P out ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 10.0.10.0/24 10.0.14.0/24 any -P in ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;
# cat /home/14|setkey -c
---------------------------------------
如果通信只在 10.0.10.0/24 和 10.0.14.0/24 之间进行, 可以去掉前面两个 SP 条目及最后一个 sainfo 部分.
----------------------------------------
瞎记点儿信息.
出错
哪种identifier对应哪一种方式在哪儿能查到?
2018-02-18 10:59:09: ERROR: ipsec_doi.c:3586:ipsecdoi_checkid1(): Expecting IP address type in main mode, but FQDN.
ipsec esp tunnel 模式在 linux 中转发时, 不用设置 ip_forward. 转发时 ttl 减 1 的处理和普通路由方式是相同的.
passive on 的话, 这一端不会主动发起过程 1 (phase 1) 的协商, 通信会一直卡住.
唉... ipsec真是麻烦.和其他实现方法相比.太痛苦了....
各种不同的组合种类太多. 太太太太复杂了.
下次我看看与 nat相关的部分?
nat 的 session 超时基本上可以解决. ipsec sa 的超时部分需要怎么测试? 写个很小的数进去让它重连啥的?
网络结构这次写详细点儿. 之前可能太过简单了看不清楚.
[10.0.10.2/24]<-->[10.0.10.1/24,192.168.125.10/30]<--(192.168.125.9/30,路由,192.168.125.13/30)-->[192.168.125.14/30,10.0.14.1/24]<-->[10.0.14.2/24]
最两端的 10.0.10.2 和 10.0.14.2 没有 ipsec 设置, 只用于测试.
中间的路由只进行包转发.
ipsec设置在 192.168.125.10,192.168.125.14上.
##########################
192.168.125.10
#cat /etc/racoon/racoon.conf
# racoon.conf on 192.168.125.10: IKEv1 daemon for the ESP tunnel to 192.168.125.14.
# Only the negotiation lives here; the SPD is installed separately with setkey.
log notify;
# PSK file, one "<peer> <key>" line per peer. It has to be readable by root only
# (racoon refuses a psk file with group/other permissions), and the key should
# be long and random - the value shown in this post is a lab value.
path pre_shared_key "/etc/racoon/psk.txt";
# Certificate directory; not used here because the remote section below
# authenticates with pre_shared_key.
path certificate "/etc/racoon/certs";
listen {
# No admin socket, so racoonctl cannot query or flush this daemon; use
# "setkey -D" / "setkey -DP" to inspect the SAD/SPD instead.
adminsock disabled;
}
timer
{
# To keep the NAT-mappings on your NAT gateway, there must be
# periodic NAT-T keepalive traffic; this is the interval between keepalives.
# The default is 20s. Set it to 0s to disable sending completely.
# No "lifetime" is set anywhere in this file, so racoon's default SA lifetimes
# apply (see "lifetime time" in racoon.conf(5) when testing SA expiry/rekey).
natt_keepalive 10 sec;
}
# Phase 1 (ISAKMP SA) with the peer 192.168.125.14. Both gateways use
# passive off, so either side may initiate.
remote "remote14" {
remote_address 192.168.125.14;
# Main mode with PSK expects IP-address identifiers; the FQDN error quoted
# later in this post comes from that check (ipsecdoi_checkid1).
exchange_mode main;
proposal {
encryption_algorithm aes;
# sha1 and dh_group 5 (1536-bit MODP) are the weakest part of this setup; for
# anything beyond a lab test prefer sha256 and dh_group 14 or stronger on both ends.
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 5;
}
# SPD entries are managed by hand with setkey, not created from the peer's proposal.
generate_policy off;
# force: always UDP-encapsulate ESP (port 4500), even when no NAT is detected.
nat_traversal force;
passive off;
#If you do not want to initiate the negotiation, set this to on. The default value is off. It is useful for a server.
# Relaxes racoon's phase 1 proposal checking (see racoon.conf(5) for exactly
# what is accepted); keep it off unless the peer actually needs it.
weak_phase1_check on;
# Binds this phase 1 to the sainfo sections below whose remoteid is 1.
ph1id 1;
#An optional number to identify the remote proposal and to link it only with sainfos who have the same number. Defaults to 0.
}
# Phase 2 (IPsec SA) parameters for traffic between the two LANs; selected
# only for a phase 1 that was built from a remote section with ph1id 1.
sainfo subnet 10.0.10.0/24[any] any subnet 10.0.14.0/24[any] any {
remoteid 1;
#Sainfos will only be used if their remoteid matches the ph1id of the remote section used for phase 1. Defaults to 0,
# Perfect forward secrecy with group 5; the peer's pfs_group has to agree.
pfs_group 5;
encryption_algorithm aes;
# ESP integrity algorithm; hmac_sha256 is available if the peer supports it.
authentication_algorithm hmac_sha1;
# IPComp (deflate) is negotiated together with ESP.
compression_algorithm deflate;
}
# Phase 2 parameters for the gateways' own traffic (the two host-to-host SP
# entries in /home/10). Can be dropped together with those SP entries when
# only LAN-to-LAN traffic matters, as noted further down.
sainfo subnet 192.168.125.10/32[any] any subnet 192.168.125.14/32[any] any {
remoteid 1;
#Sainfos will only be used if their remoteid matches the ph1id of the remote section used for phase 1. Defaults to 0,
# Must agree with the peer's pfs_group.
pfs_group 5;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
# IPComp (deflate) is negotiated together with ESP.
compression_algorithm deflate;
}
# cat /etc/racoon/psk.txt
192.168.125.14 jqka1234
# cat /home/10
# SPD for 192.168.125.10, loaded with "setkey -c". Policies are directional, so
# each flow needs an "in" and an "out" entry. "require" means a matching packet
# may only travel inside the ESP tunnel: an outbound match raises an ACQUIRE that
# starts racoon's negotiation, and inbound cleartext matching a selector is dropped,
# which is what keeps a spoofed 10.0.14.0/24 packet from entering in the clear.
# Gateway-to-gateway traffic, any protocol. IKE itself (UDP 500/4500) is not caught
# because racoon marks its own IKE sockets as policy-bypass; anything else between
# the two gateways is forced through the tunnel.
spdadd -4 192.168.125.14/32 192.168.125.10/32 any -P in ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 192.168.125.10/32 192.168.125.14/32 any -P out ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;
# LAN-to-LAN traffic: the selectors are the inner /24s, the tunnel endpoints are the gateways.
spdadd -4 10.0.14.0/24 10.0.10.0/24 any -P in ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 10.0.10.0/24 10.0.14.0/24 any -P out ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;
#cat /home/10 |setkey -c
-------------------------------------------
192.168.125.14
# cat /etc/racoon/racoon.conf
# racoon.conf on 192.168.125.14: mirror of the 192.168.125.10 configuration,
# with the peer addresses and selectors swapped.
log notify;
# PSK file; root-only permissions (racoon refuses a file readable by group/others)
# and a long random key per peer - the one shown in this post is a lab value.
path pre_shared_key "/etc/racoon/psk.txt";
# Not used: the remote section below authenticates with pre_shared_key.
path certificate "/etc/racoon/certs";
listen {
# No admin socket; racoonctl cannot be used, inspect with "setkey -D" / "setkey -DP".
adminsock disabled;
}
timer
{
# Interval between NAT-T keepalives (default 20s, 0s disables them). No "lifetime"
# is set in this file, so racoon's default SA lifetimes apply.
natt_keepalive 10 sec;
}
# Phase 1 (ISAKMP SA) with the peer 192.168.125.10; the proposal has to match
# the peer's (aes / sha1 / pre_shared_key / group 5) exactly.
remote "remote10" {
remote_address 192.168.125.10;
# Main mode with PSK expects IP-address identifiers (see the FQDN error quoted
# later in this post).
exchange_mode main;
proposal {
encryption_algorithm aes;
# sha1 and dh_group 5 (1536-bit MODP) are the weak part of this setup; prefer
# sha256 and dh_group 14 or stronger outside a lab, changed on both ends together.
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 5;
}
# SPD is managed by hand with setkey (/home/14), not derived from the peer's proposal.
generate_policy off;
# force: always UDP-encapsulate ESP (port 4500), even with no NAT in the path.
nat_traversal force;
passive off;
#If you do not want to initiate the negotiation, set this to on. The default value is off. It is useful for a server.
# Relaxes phase 1 proposal checking (see racoon.conf(5)); keep off unless the peer needs it.
weak_phase1_check on;
# Binds this phase 1 to the sainfo sections below whose remoteid is 1.
ph1id 1;
#An optional number to identify the remote proposal and to link it only with sainfos who have the same number. Defaults to 0.
}
# Phase 2 (IPsec SA) parameters for LAN-to-LAN traffic, seen from this side
# (local 10.0.14.0/24, remote 10.0.10.0/24); used only with ph1id 1.
sainfo subnet 10.0.14.0/24[any] any subnet 10.0.10.0/24[any] any {
remoteid 1;
#Sainfos will only be used if their remoteid matches the ph1id of the remote section used for phase 1. Defaults to 0,
# Perfect forward secrecy with group 5; has to agree with the peer's pfs_group.
pfs_group 5;
encryption_algorithm aes;
# ESP integrity algorithm; hmac_sha256 is available if the peer supports it.
authentication_algorithm hmac_sha1;
# IPComp (deflate) is negotiated together with ESP.
compression_algorithm deflate;
}
# Phase 2 parameters for the gateways' own traffic (the host-to-host SP entries
# in /home/14). Written with "address" here while the other gateway uses
# "subnet .../32"; with a /32 both forms appear to select the same single host.
# Optional: drop it together with those SP entries when only LAN-to-LAN traffic matters.
sainfo address 192.168.125.14/32[any] any address 192.168.125.10/32[any] any {
remoteid 1;
#Sainfos will only be used if their remoteid matches the ph1id of the remote section used for phase 1. Defaults to 0,
# Must agree with the peer's pfs_group.
pfs_group 5;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
# IPComp (deflate) is negotiated together with ESP.
compression_algorithm deflate;
}
# cat /etc/racoon/psk.txt
192.168.125.10 jqka1234
# cat /home/14
# SPD for 192.168.125.14, loaded with "setkey -c"; the mirror of /home/10 with
# the directions swapped. "require" forces matching traffic into the ESP tunnel
# and drops matching cleartext on the way in.
# Gateway-to-gateway traffic. The addresses carry no prefix length here; setkey
# treats a bare IPv4 address as a host (/32), matching the /32 form on the peer.
# IKE (UDP 500/4500) is not caught because racoon marks its IKE sockets policy-bypass.
spdadd -4 192.168.125.14 192.168.125.10 any -P out ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 192.168.125.10 192.168.125.14 any -P in ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;
# LAN-to-LAN traffic: inner selectors are the /24s, tunnel endpoints are the gateways.
spdadd -4 10.0.14.0/24 10.0.10.0/24 any -P out ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 10.0.10.0/24 10.0.14.0/24 any -P in ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;
# cat /home/14|setkey -c
---------------------------------------
如果通信只在 10.0.10.0/24 和 10.0.14.0/24 之间进行, 可以去掉前面两个 SP 条目及最后一个 sainfo 部分.
----------------------------------------
瞎记点儿信息.
出错
哪种identifier对应哪一种方式在哪儿能查到?
2018-02-18 10:59:09: ERROR: ipsec_doi.c:3586:ipsecdoi_checkid1(): Expecting IP address type in main mode, but FQDN.
现在看, 用证书认证时用 FQDN 的 identifier; 写对端 address 时对端也是用地址.
ipsec esp tunnel 模式在 linux 中转发时, 不用设置 ip_forward. 转发时 ttl 减 1 的处理和普通路由方式是相同的.
passive on 的话, 这一端不会主动发起过程 1 (phase 1) 的协商, 通信会一直卡住.
唉... ipsec真是麻烦.和其他实现方法相比.太痛苦了....
各种不同的组合种类太多. 太太太太复杂了.
下次我看看与 nat相关的部分?
nat 的 session 超时基本上可以解决. ipsec sa 的超时部分需要怎么测试? 写个很小的数进去让它重连啥的?