How I troubleshoot a domestic IPsec VPN. Part 1

The situation

Day off. I'm drinking coffee. A student set up a VPN connection between two sites and vanished. I checked: the tunnel really is up, but there is no traffic in it. The student doesn't answer the phone.

I put the kettle on and dive into the S-Terra Gate problem. I'm sharing the experience and the method.

Initial setup

Two geographically separated sites are connected by a GRE tunnel. The GRE traffic has to be encrypted:

(Diagram: R1 (GRE endpoint 172.16.0.1, tunnel address 1.1.1.1) - Gate1 (WAN 10.10.10.251) - Gate2 (WAN 10.10.10.252) - R2 (GRE endpoint 172.17.0.1, tunnel address 1.1.1.2). The GRE tunnel between R1 and R2 is carried inside ESP between Gate1 and Gate2.)

I check that the GRE tunnel works. To do this I ping from device R1 to the GRE interface of device R2. This is the target traffic for encryption. No response:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms

I look at the logs on Gate1 and Gate2. The log happily reports that the IPsec tunnel was established successfully, no problems:

root@Gate1:~# cat /var/log/cspvpngate.log
Aug  5 16:14:23 localhost  vpnsvc: 00100119 <4:1> IPSec connection 5 established, traffic selector 172.17.0.1->172.16.0.1, proto 47, peer 10.10.10.251, id "10.10.10.251", Filter IPsec:Protect:CMAP:1:LIST, IPsecAction IPsecAction:CMAP:1, IKERule IKERule:CMAP:1

In the IPsec tunnel statistics on Gate1 I see that the tunnel really exists, but the Rcvd counter is zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num  Conn-id  (Local Addr,Port)-(Remote Addr,Port)   State   Sent  Rcvd
1    3        (10.10.10.251,500)-(10.10.10.252,500)  active  1070  1014

IPsec connections:
Num  Conn-id  (Local Addr,Port)-(Remote Addr,Port)  Protocol  Action  Type  Sent  Rcvd
1    3        (172.16.0.1,*)-(172.17.0.1,*)         47        ESP     tunn  480   0

I troubleshoot S-Terra like this: I look for where the target packets get lost on the path from R1 to R2. In the process (spoiler) I find the error.

Troubleshooting

Step 1. What Gate1 receives from R1

I use the built-in packet sniffer, tcpdump. I start the sniffer on the internal interface (Gi0/1 in Cisco-like notation, or eth1 in Debian OS notation):

root@Gate1:~# tcpdump -i eth1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:53:38.879525 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 1, length 64
14:53:39.896869 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 2, length 64
14:53:40.921121 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 3, length 64
14:53:41.944958 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 4, length 64

I see that Gate1 receives the GRE packets from R1. Moving on.

Step 2. What Gate1 does with the GRE packets

With the klogview utility I can see what happens to the GRE packets inside the S-Terra VPN driver:

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated

I see that the target GRE traffic (proto 47) 172.16.0.1 -> 172.17.0.1 matches the LIST encryption rule in crypto map CMAP (status PASS) and is encapsulated into ESP. After that the packet is sent out (passed out). There is no return traffic in the klogview output.

I check the access lists on Gate1. I see a single access list, LIST, which defines the target traffic for encryption; so no firewall rules are configured here:

Gate1#show access-lists
Extended IP access list LIST
    10 permit gre host 172.16.0.1 host 172.17.0.1

Conclusion: the problem is not on Gate1.

More about klogview

The VPN driver processes all network traffic, not just the traffic that needs encryption. This is what klogview shows when the VPN driver has processed traffic and forwarded it unencrypted:

root@R1:~# ping 172.17.0.1 -c 4

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered

I see that the ICMP traffic (proto 1) 172.16.0.1->172.17.0.1 did not match (no match) the encryption rules of crypto map CMAP. The packet was sent out (passed out) in clear text.

Step 3. What Gate2 receives from Gate1

I start the sniffer on the WAN interface (eth0) of Gate2:

root@Gate2:~# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:45.104195 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x1), length 140
16:05:46.093918 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x2), length 140
16:05:47.117078 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x3), length 140
16:05:48.141785 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x4), length 140

I see that Gate2 receives the ESP packets from Gate1.

Step 4. What Gate2 does with the ESP packets

I start the klogview utility on Gate2:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall

I see that the ESP packets (proto 50) are dropped (DROP) by a firewall rule (chain L3VPN). I confirm that Gi0/0 really does have access list L3VPN bound to it inbound:

Gate2#show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.10.10.252/24
  MTU is 1500 bytes
  Outgoing access list is not set
  Inbound  access list is L3VPN

I've found the problem.

Step 5. What is wrong with the access list

I look at what the L3VPN access list contains:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any

I see that ISAKMP packets (UDP 500, and NAT-T on UDP 4500) are permitted, so the IPsec tunnel is negotiated. But there is no rule for ESP (IP protocol 50): anything the list does not permit is dropped, which is exactly the firewall DROP seen in Step 4, so the tunnel comes up but none of the encrypted data gets in. Apparently the student confused icmp with esp.

I fix the access list:

Gate2(config)#
ip access-list extended L3VPN
no 30
30 permit esp host 10.10.10.251 any
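To make the failure mode in Step 5 concrete, here is a small first-match evaluator for the extended access list quoted above, run against the packets an IPsec peer sends (IKE, NAT-T, ESP, ICMP) with the list before and after the fix. This is an added example, not IOS or S-Terra code: it assumes the implicit deny at the end of an extended list behaves as on Cisco IOS (consistent with the firewall DROP of ESP in Step 4), and its keyword tables cover only the protocol and port names such lists commonly use. The packets are constructed, not captured.

```python
"""First-match evaluation of an extended access list from 'show access-list' text.

Added example, not IOS or S-Terra code. Assumes an implicit deny at the end of
the list (Cisco IOS semantics). Keyword tables are deliberately small.
"""
import re

# IP protocol keywords -> protocol number (None = 'ip', matches any protocol)
PROTO_NUM = {'ip': None, 'icmp': 1, 'tcp': 6, 'udp': 17, 'gre': 47, 'esp': 50, 'ahp': 51}
# Well-known port keywords accepted after 'eq'
PORT_NAME = {'isakmp': 500, 'non500-isakmp': 4500}

ACE_RE = re.compile(
    r'^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+'
    r'(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)'
    r'(?:\s+eq\s+(?P<port>\S+))?\s*$'
)


def parse_acl(text):
    """Return (name, entries) from 'show access-list' output, entries in list order."""
    name, entries = None, []
    for line in text.splitlines():
        m = re.match(r'^Extended IP access list (\S+)', line.strip())
        if m:
            name = m.group(1)
            continue
        m = ACE_RE.match(line)
        if not m:
            continue
        if m['proto'] not in PROTO_NUM:
            raise ValueError(f"unsupported protocol keyword: {m['proto']}")
        port = m['port']
        if port is not None:
            port = int(port) if port.isdigit() else PORT_NAME[port]
        entries.append({
            'seq': int(m['seq']), 'action': m['action'],
            'proto': PROTO_NUM[m['proto']],
            'src': m['src'].split()[-1], 'dst': m['dst'].split()[-1],  # 'any' or the host address
            'port': port,  # destination port ('eq' after the destination), or None
        })
    return name, entries


def _addr_match(spec, addr):
    return spec == 'any' or spec == addr


def evaluate(entries, pkt):
    """pkt = (src, dst, ip_proto, dst_port or None). Returns (seq, action);
    seq is None when the packet falls through to the implicit deny."""
    src, dst, proto, dport = pkt
    for e in entries:
        if e['proto'] is not None and e['proto'] != proto:
            continue
        if not (_addr_match(e['src'], src) and _addr_match(e['dst'], dst)):
            continue
        if e['port'] is not None and e['port'] != dport:
            continue
        return e['seq'], e['action']
    return None, 'deny'  # implicit deny at the end of the list


# The two versions of L3VPN quoted in the article.
ACL_BEFORE = """Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any
"""
ACL_AFTER = """Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any
"""

# Constructed packets, Gate1 (10.10.10.251) -> Gate2 (10.10.10.252), inbound on Gi0/0.
PACKETS = {
    'IKE (udp/500)':    ('10.10.10.251', '10.10.10.252', 17, 500),
    'NAT-T (udp/4500)': ('10.10.10.251', '10.10.10.252', 17, 4500),
    'ESP (proto 50)':   ('10.10.10.251', '10.10.10.252', 50, None),
    'ICMP echo':        ('10.10.10.251', '10.10.10.252', 1, None),
}


def verdicts(acl_text):
    """Map each sample packet label to (matching seq or None, 'permit'/'deny')."""
    _, entries = parse_acl(acl_text)
    return {label: evaluate(entries, pkt) for label, pkt in PACKETS.items()}


if __name__ == '__main__':
    for title, acl in (('before fix', ACL_BEFORE), ('after fix', ACL_AFTER)):
        print(title)
        for label, (seq, action) in verdicts(acl).items():
            where = 'implicit deny' if seq is None else f'line {seq}'
            print(f"  {label:18} -> {action} ({where})")
```

Before the fix, IKE and NAT-T hit lines 10 and 20 and ESP falls through to the implicit deny, which is why the SA negotiated while the Rcvd counter stayed at zero. Note that the fix replaces line 30 rather than adding to it, so with the corrected list an ICMP echo from Gate1 to Gate2's WAN address now falls through to the implicit deny as well; that does not affect the tunnel, but it is worth knowing before using ping between the gateways as a reachability check.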

Step 6. Checking that it works

First I make sure the L3VPN access list is correct:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any

Now I start the target traffic from R1:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=35.3 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=3.01 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=2.87 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 2.650/10.970/35.338/14.069 ms

Success. The GRE tunnel works. The incoming traffic counter in the IPsec statistics is no longer zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num  Conn-id  (Local Addr,Port)-(Remote Addr,Port)   State   Sent  Rcvd
1    3        (10.10.10.251,500)-(10.10.10.252,500)  active  1474  1350

IPsec connections:
Num  Conn-id  (Local Addr,Port)-(Remote Addr,Port)  Protocol  Action  Type  Sent  Rcvd
1    4        (172.16.0.1,*)-(172.17.0.1,*)         47        ESP     tunn  1920  480

On Gate2, in the klogview output, messages appear showing that the target traffic 172.16.0.1->172.17.0.1 was successfully decapsulated (PASS) by the LIST rule in crypto map CMAP:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated
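The whole procedure above comes down to reading the VPN driver's verdict on each hop and finding the first hop where the target flow dies. The following script does that mechanically over klogview output collected on each gateway, pairing every "filtration result" line with the passed/dropped line that follows it and following the flow through its ESP encapsulation so a drop of proto 50 on Gate2 is attributed to the GRE flow that was wrapped on Gate1. This is an added example, not S-Terra tooling: the line shapes are the ones quoted in Steps 2, 4 and 6 and in "More about klogview", and the sample captures below are constructed from those lines rather than taken live; any other klogview line ("encapsulating with SA ...") is ignored.

```python
"""Locate the hop where a flow dies from klogview output collected on each gateway.

Added example for the walk-the-path method in this article; not S-Terra tooling.
Samples are constructed from the klogview lines quoted on the page.
"""
import re
from dataclasses import dataclass
from typing import Optional

Flow = tuple  # (src, dst, ip_proto)

FILTRATION_RE = re.compile(
    r'filtration result for (?P<dir>in|out) packet (?P<src>[\d.]+)->(?P<dst>[\d.]+), '
    r'proto (?P<proto>\d+), len \d+, if \S+: chain \d+ "(?P<chain>[^"]+)"'
    r'(?:, filter \d+)?(?:, event id [^,]+)?'
    r'(?:, status (?P<status>\w+)|: (?P<nomatch>no match))'
)
ACTION_RE = re.compile(
    r'(?P<verdict>passed|dropped) (?P<dir>in|out) packet (?P<src>[\d.]+)->(?P<dst>[\d.]+), '
    r'proto (?P<proto>\d+), len \d+, if \S+: (?P<reason>\w+)'
)


@dataclass
class Event:
    hop: str
    direction: str            # in / out
    packet: Flow              # the packet the driver finally passed or dropped
    verdict: str              # passed / dropped
    reason: str               # encapsulated / decapsulated / filtered / firewall
    chain: Optional[str]      # chain named in the preceding "filtration result" line
    status: Optional[str]     # PASS / DROP / "no match"
    filtered: Optional[Flow]  # packet named in that line (the inner packet when ESP is built)


def parse_klogview(hop: str, text: str) -> list:
    """Pair every 'filtration result' line with the passed/dropped line that follows it."""
    events, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FILTRATION_RE.match(line)
        if m:
            pending = ((m['src'], m['dst'], int(m['proto'])), m['chain'], m['status'] or m['nomatch'])
            continue
        m = ACTION_RE.match(line)
        if m:
            filtered, chain, status = pending or (None, None, None)
            events.append(Event(hop, m['dir'], (m['src'], m['dst'], int(m['proto'])),
                                m['verdict'], m['reason'], chain, status, filtered))
            pending = None
    return events


def trace_flow(hops: list, target: Flow) -> list:
    """Follow one clear-text flow across the hops, given in path order.
    When a hop encapsulates it, the outer ESP packet is tracked from then on,
    so a drop of proto 50 on the next hop is attributed to the same flow."""
    tracked, path = {target}, []
    for hop, text in hops:
        for ev in parse_klogview(hop, text):
            if ev.packet not in tracked and ev.filtered not in tracked:
                continue  # some other flow, e.g. clear-text ICMP between the gateways
            path.append(ev)
            if ev.reason == 'encapsulated':
                tracked.add(ev.packet)
            if ev.verdict == 'dropped':
                return path  # the flow does not get any further
    return path


def first_drop(hops: list, target: Flow) -> Optional[Event]:
    path = trace_flow(hops, target)
    return path[-1] if path and path[-1].verdict == 'dropped' else None


# Constructed samples in the format quoted on this page.
GATE1 = '''
filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered
filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated
'''
GATE2_BROKEN = '''
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall
'''
GATE2_FIXED = '''
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated
'''

TARGET = ('172.16.0.1', '172.17.0.1', 47)  # the GRE flow the ping rides in
BROKEN_PATH = [('Gate1', GATE1), ('Gate2', GATE2_BROKEN)]
FIXED_PATH = [('Gate1', GATE1), ('Gate2', GATE2_FIXED)]

if __name__ == '__main__':
    for name, hops in (('before fix', BROKEN_PATH), ('after fix', FIXED_PATH)):
        drop = first_drop(hops, TARGET)
        print(name, '->', f'dropped on {drop.hop} by chain {drop.chain} ({drop.reason})'
              if drop else 'flow passes every hop')
```

On the broken path the trace is Gate1: encapsulated, Gate2: firewall, with the chain name FilterChain:L3VPN pointing straight at the access list to inspect; after the fix it is Gate1: encapsulated, Gate2: decapsulated. The clear-text ICMP lines on Gate1 are skipped because they belong to a different flow, which is the same distinction the "More about klogview" section draws between "filtered" and "encapsulated".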

Result

A student ruined a day off.
Be careful with firewall rules.

Anonymous engineer
t.me/anonymous_engineer


source: www.habr.com
