1.5 schemes on domestic IPsec VPN. Testing demos


The situation

I received demo versions of S-Terra VPN 4.3 products for three months. I want to find out whether my engineering life will get easier after switching to the new version.

Today it is not hard; one packet of 3-in-1 instant coffee should be enough. I'll tell you how to get the demos. I'll try to build GRE-over-IPsec and IPsec-over-GRE schemes.

How to get a demo


It follows from the figure that to get a demo you need to:

  • Write a letter to [email protected] from a corporate address;
  • In the letter, indicate your organization's TIN;
  • List the products and their quantity.

Demos work for three months. The vendor does not limit their functionality.


The S-Terra Gateway demo is a virtual machine image. I use VMware Workstation. A full list of supported hypervisors and virtualization environments is available on the vendor's website.

Before you start, note that the default virtual machine has no network interfaces:


The logic is obvious: the user adds as many interfaces as needed. I'll add four at once:


Now I start the virtual machine. Immediately after launch, the gateway asks for a username and password.

There are several consoles in S-Terra Gateway, with different accounts. I'll count them in a separate article. For now:
Login as: administrator
Password: s-terra

I initialize the gateway. Initialization is a sequence of actions: entering the license, seeding the random number generator (the keyboard simulator; my record is 27 seconds) and creating the network interface map.

The network interface map. It got easier

Version 4.2 greeted the advanced user with the message:

Starting IPsec daemon….. failed
ERROR: Could not establish connection with daemon

An advanced user (according to the anonymous engineer) is a user who can configure everything quickly without documentation.

Something goes wrong before you even try to set an IP address on an interface. The cause is the network interface map. You have to run:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
service networking restart

As a result, a network interface map is created that maps the physical interface name (0000:02:03.0) to its logical name in the operating system (eth0) and in the Cisco-like console (FastEthernet0/0):

#Unique ID    iface type  OS name  Cisco-like name
0000:02:03.0  phye        eth0     FastEthernet0/0

The logical names of interfaces are called aliases. Aliases are stored in the /etc/ifaliases.cf file.
In version 4.3, the interface map is created automatically when the virtual machine is started for the first time. If you change the number of network interfaces in the virtual machine, re-create the interface map:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
systemctl restart networking

Scheme 1: GRE-over-IPsec

I deploy two virtual gateways, connected as shown in the figure:


Step 1. Configure IP addresses and routes

VG1(config)#
interface fa0/0
ip address 172.16.1.253 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.1.253 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254

VG2(config)#
interface fa0/0
ip address 172.16.1.254 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.2.254 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.253

Checking IP connectivity:

root@VG1:~# ping 172.16.1.254 -c 4
PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.545 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=0.657 ms
64 bytes from 172.16.1.254: icmp_seq=3 ttl=64 time=0.687 ms
64 bytes from 172.16.1.254: icmp_seq=4 ttl=64 time=0.273 ms

--- 172.16.1.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.273/0.540/0.687/0.164 ms

Step 2. Configure GRE

I took the GRE setup example from the official documentation. I create a gre1 file in the /etc/network/interfaces.d directory with the following contents.

For VG1:

auto gre1
iface gre1 inet static
address 1.1.1.1
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.254 local 172.16.1.253 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

For VG2:

auto gre1
iface gre1 inet static
address 1.1.1.2
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.253 local 172.16.1.254 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

I bring up the interfaces in the operating system:

root@VG1:~# ifup gre1
root@VG2:~# ifup gre1

Checking:

root@VG1:~# ip address show
8: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1
    link/gre 172.16.1.253 peer 172.16.1.254
    inet 1.1.1.1/30 brd 1.1.1.3 scope global gre1
       valid_lft forever preferred_lft forever

root@VG1:~# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.16.1.254 local 172.16.1.253 ttl 64 tos inherit key 1

S-Terra Gateway has a built-in packet sniffer, tcpdump. I'll write a traffic dump to a pcap file:

root@VG2:~# tcpdump -i eth0 -w /home/dump.pcap

I start a ping between the GRE interfaces:

root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.850 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=0.974 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.850/0.915/0.974/0.043 ms

The GRE tunnel works:


Step 3. Encrypt GRE with GOST

I set the identification type: by address. Authentication is by pre-shared key (according to the Terms of Use, digital certificates must be used):

VG1(config)#
crypto isakmp identity address
crypto isakmp key KEY address 172.16.1.254

I set the IPsec Phase I parameters:

VG1(config)#
crypto isakmp policy 1
encr gost
hash gost3411-256-tc26
auth pre-share
group vko2

I set the IPsec Phase II parameters:

VG1(config)#
crypto ipsec transform-set TSET esp-gost28147-4m-imit
mode tunnel

I create an access list for encryption. The target traffic is GRE:

VG1(config)#
ip access-list extended LIST
permit gre host 172.16.1.253 host 172.16.1.254

I create a crypto map and bind it to the WAN interface:

VG1(config)#
crypto map CMAP 1 ipsec-isakmp
match address LIST
set transform-set TSET
! the peer is the remote gateway (VG2); VG1 itself is 172.16.1.253
set peer 172.16.1.254
interface fa0/0
  crypto map CMAP

For VG2 the configuration is mirrored; the differences are:

VG2(config)#
crypto isakmp key KEY address 172.16.1.253
ip access-list extended LIST
permit gre host 172.16.1.254 host 172.16.1.253
crypto map CMAP 1 ipsec-isakmp
! the peer is the remote gateway (VG1)
set peer 172.16.1.253

Checking:

root@VG2:~# tcpdump -i eth0 -w /home/dump2.pcap
root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1128 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=126 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=1.07 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=1.12 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.077/314.271/1128.419/472.826 ms, pipe 2

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 1 (172.16.1.253,500)-(172.16.1.254,500) active 1086 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 1 (172.16.1.253,*)-(172.16.1.254,*) 47 ESP tunn 480 480

There are no GRE packets in the traffic dump:


Conclusion: the GRE-over-IPsec scheme works correctly.

Scheme 1.5: IPsec-over-GRE

I don't plan to use IPsec-over-GRE on a real network. I'm building it because I want to.


To turn the GRE-over-IPsec scheme into this one:

  • Edit the encryption access list: the target traffic is from LAN1 to LAN2 and back;
  • Set a route through the GRE tunnel;
  • Hang the crypto map on the GRE interface.

By default, there is no GRE interface in the gateway's Cisco-like console. It exists only in the operating system.

I add the GRE interface to the Cisco-like console. To do this, I edit the /etc/ifaliases.cf file:

interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="FastEthernet0/2" pattern="eth2")
interface (name="FastEthernet0/3" pattern="eth3")
interface (name="Tunnel0" pattern="gre1")
interface (name="default" pattern="*")

where gre1 is the interface name in the operating system and Tunnel0 is the interface name in the Cisco-like console.

I recalculate the file's hash:

root@VG1:~# integr_mgr calc -f /etc/ifaliases.cf

SUCCESS:  Operation was successful.
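As an added example (not code from the article or from S-Terra), here is a small Python checker for an /etc/ifaliases.cf file in the format shown above, meant to be run before recalculating the hash and restarting. It assumes that entries are matched top to bottom and that `pattern` is a shell-style glob; both are assumptions about the file, not documented gateway behaviour. It reports the OS interfaces that reach only the `default` catch-all and therefore have no Cisco-like name, which is exactly the state gre1 was in before the Tunnel0 line was added. The sample file contents and the interface list are constructed from what the page shows.

```python
import fnmatch
import re

# Constructed sample in the /etc/ifaliases.cf format shown on the page:
# the stock file with four FastEthernet aliases and the "default" catch-all.
IFALIASES_SAMPLE = """\
interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="FastEthernet0/2" pattern="eth2")
interface (name="FastEthernet0/3" pattern="eth3")
interface (name="default" pattern="*")
"""

# The same file after the page's edit: Tunnel0 maps to the OS interface gre1.
IFALIASES_FIXED = IFALIASES_SAMPLE.replace(
    'interface (name="default"',
    'interface (name="Tunnel0" pattern="gre1")\ninterface (name="default"')

# OS-level interface names as they exist on the page's VG1 (constructed list).
OS_INTERFACES = ["eth0", "eth1", "eth2", "eth3", "gre1"]

ALIAS_RE = re.compile(
    r'^\s*interface\s*\(\s*name="([^"]+)"\s+pattern="([^"]+)"\s*\)\s*$')


def parse_ifaliases(text):
    """Parse ifaliases.cf into an ordered list of (cisco_name, os_pattern).

    Blank lines and '#' comments are skipped; any other line that does not
    have the interface(...) form raises, so a typo is caught before the hash
    is recalculated and the gateway restarted.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ALIAS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised entry: {line!r}")
        entries.append((m.group(1), m.group(2)))
    return entries


def resolve_alias(entries, os_name):
    """Return the Cisco-like name for an OS interface, or None.

    Assumption (not documented S-Terra behaviour): entries are tried top to
    bottom and 'pattern' is a shell-style glob, so the "default"/"*" entry
    only catches interfaces that no earlier line named.
    """
    for cisco_name, pattern in entries:
        if fnmatch.fnmatchcase(os_name, pattern):
            return None if cisco_name == "default" else cisco_name
    return None


def unaliased_interfaces(entries, os_interfaces):
    """OS interfaces that hit only the catch-all and so have no Cisco-like name.

    These are the interfaces the Cisco-like console will not show: the gre1
    situation described on the page before the Tunnel0 line was added.
    """
    return [name for name in os_interfaces if resolve_alias(entries, name) is None]


def check_duplicates(entries):
    """Cisco-like names that appear more than once (an ambiguous map)."""
    seen, dups = set(), []
    for cisco_name, _ in entries:
        if cisco_name in seen and cisco_name != "default":
            dups.append(cisco_name)
        seen.add(cisco_name)
    return dups


if __name__ == "__main__":
    for label, text in (("stock file", IFALIASES_SAMPLE), ("with Tunnel0", IFALIASES_FIXED)):
        entries = parse_ifaliases(text)
        missing = unaliased_interfaces(entries, OS_INTERFACES)
        print(f"{label}: interfaces without a Cisco-like name: {missing}")
```

Run it against the real file with `parse_ifaliases(open("/etc/ifaliases.cf").read())` and the output of `ip -o link` for the interface list; an empty result for `unaliased_interfaces` means every OS interface will be addressable from the Cisco-like console.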

Now the Tunnel0 interface appears in the Cisco-like console:

VG1# show run
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
mtu 1400

I edit the encryption access list:

VG1(config)#
ip access-list extended LIST
! LAN1 (192.168.1.0/24) to LAN2 (192.168.2.0/24, the network behind VG2 fa0/1)
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

I set a route to LAN2 through the GRE tunnel:

VG1(config)#
no ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 192.168.2.0 255.255.255.0 1.1.1.2

I remove the crypto map from Fa0/0 and bind it to the GRE interface:

VG1(config)#
interface fa0/0
no crypto map CMAP
interface Tunnel0
crypto map CMAP

For VG2 it is similar.

Checking:

root@VG2:~# tcpdump -i eth0 -w /home/dump3.pcap

root@VG1:~# ping 192.168.2.254 -I 192.168.1.253 -c 4
PING 192.168.2.254 (192.168.2.254) from 192.168.1.253 : 56(84) bytes of data.
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=492 ms
64 bytes from 192.168.2.254: icmp_seq=2 ttl=64 time=1.08 ms
64 bytes from 192.168.2.254: icmp_seq=3 ttl=64 time=1.06 ms
64 bytes from 192.168.2.254: icmp_seq=4 ttl=64 time=1.07 ms

--- 192.168.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.064/124.048/492.972/212.998 ms

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 2 (172.16.1.253,500)-(172.16.1.254,500) active 1094 1022

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 2 (192.168.1.0-192.168.1.255,*)-(192.168.2.0-192.168.2.255,*) * ESP tunn 352 352

In the traffic dump, the ESP packets are encapsulated in GRE:


Conclusion: IPsec-over-GRE works correctly.
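The two dumps above differ in what a passive capture on eth0 can see, and that is the security-relevant difference between Scheme 1 and Scheme 1.5. As an added example (not from the article or from S-Terra), the Python below builds both encapsulation orders with the standard `struct` module and then reads them back the way tcpdump on the WAN link would. It does not encrypt anything: the ESP body is a zero placeholder of the plaintext length and the ESP IV, padding and ICV are omitted, so the byte counts cover headers only (stated again in the code). The addresses are the ones used on the page; the SPI, sequence number and inner ICMP payload are constructed.

```python
import struct

IPPROTO_ICMP = 1
IPPROTO_GRE = 47
IPPROTO_ESP = 50
GRE_KEY_FLAG = 0x2000  # K bit: a 4-byte key follows the GRE header (RFC 2890)


def ipv4_checksum(hdr):
    """Ones'-complement checksum over a 20-byte header; returns 0 for a valid one."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header (no options) with the checksum filled in."""
    pack_addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, pack_addr(src), pack_addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_header(key=None, proto_type=0x0800):
    """GRE header carrying IPv4; the page's tunnels use 'key 1'."""
    flags = GRE_KEY_FLAG if key is not None else 0
    hdr = struct.pack("!HH", flags, proto_type)
    return hdr + (struct.pack("!I", key) if key is not None else b"")


def esp_body(spi, seq, plaintext):
    """ESP: SPI and sequence number are the only cleartext fields (RFC 4303).
    Placeholder: zero bytes instead of the GOST-encrypted payload, and no IV,
    padding or ICV, so lengths here are header-only."""
    return struct.pack("!II", spi, seq) + bytes(len(plaintext))


def gre_over_ipsec(inner, outer_src, outer_dst, spi=0x1001, seq=1, key=1):
    """Scheme 1: inner IP -> GRE -> ESP -> outer IP. GRE sits inside ESP."""
    gre_pkt = gre_header(key) + inner
    esp = esp_body(spi, seq, gre_pkt)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def ipsec_over_gre(inner, outer_src, outer_dst, tun_src, tun_dst,
                   spi=0x1001, seq=1, key=1):
    """Scheme 1.5: inner IP -> ESP -> tunnel IP -> GRE -> outer IP."""
    esp = esp_body(spi, seq, inner)
    tun_ip = ipv4_header(tun_src, tun_dst, IPPROTO_ESP, len(esp)) + esp
    gre_pkt = gre_header(key) + tun_ip
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre_pkt)) + gre_pkt


def on_the_wire(pkt):
    """What a passive capture on eth0 learns from the cleartext outer headers."""
    info = {"outer_proto": pkt[9]}
    if info["outer_proto"] == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", pkt[20:24])
        info["gre_key"] = struct.unpack("!I", pkt[24:28])[0] if flags & GRE_KEY_FLAG else None
        if ptype == 0x0800:
            # The tunnel-layer IPv4 header is also cleartext: its protocol (ESP)
            # and its 1.1.1.x endpoint addresses are visible to the observer.
            info["inner_proto"] = pkt[28 + 9]
    elif info["outer_proto"] == IPPROTO_ESP:
        info["spi"], info["seq"] = struct.unpack("!II", pkt[20:28])
    return info


def header_overhead(pkt, inner):
    """Bytes added by encapsulation headers alone (see esp_body caveat)."""
    return len(pkt) - len(inner)


# Constructed inner packet: an ICMP echo from LAN1's gateway to LAN2's gateway.
INNER = ipv4_header("192.168.1.253", "192.168.2.254", IPPROTO_ICMP, 8) + bytes(8)

if __name__ == "__main__":
    s1 = gre_over_ipsec(INNER, "172.16.1.253", "172.16.1.254")
    s15 = ipsec_over_gre(INNER, "172.16.1.253", "172.16.1.254", "1.1.1.1", "1.1.1.2")
    print("GRE-over-IPsec:", on_the_wire(s1), "overhead", header_overhead(s1, INNER))
    print("IPsec-over-GRE:", on_the_wire(s15), "overhead", header_overhead(s15, INNER))
```

In Scheme 1 the observer sees only ESP with an SPI and sequence number, which matches the "no GRE packets" dump; in Scheme 1.5 the GRE key, the tunnel endpoints and the fact that the tunnel carries ESP are all readable, and the extra IPv4 header costs another 20 bytes on every packet, which is worth remembering alongside the `mtu 1400` setting on gre1.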

Results

One coffee was enough. I wrote down the instructions for getting the demo version. GRE-over-IPsec was configured and then turned inside out.

The network interface map in version 4.3 is automatic! I'll keep testing.

Anonymous engineer
t.me/anonymous_engineer


source: www.habr.com
