How to troubleshoot an IPsec VPN at home. Part 1

Noho Kauakaiwa

A day off. I am drinking coffee. A student set up a VPN connection between two sites and disappeared. I check: the tunnel is actually there, but no traffic goes through it. The student does not answer the phone.

I put the mug down and dive into troubleshooting the S-Terra Gateway. I share my observations and my method.

Initial data

Two remote networks are connected by a GRE tunnel. The GRE traffic must be encrypted:

[Figure: network topology diagram]

I check whether the GRE tunnel works. To do this, I run a ping from device R1 to the GRE interface of device R2. This is the target traffic that has to be encrypted. No reply:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms

I check the logs on Gate1 and Gate2. The log happily reports that the IPsec tunnel has been established, no problems:

root@Gate1:~# cat /var/log/cspvpngate.log
Aug  5 16:14:23 localhost  vpnsvc: 00100119 <4:1> IPSec connection 5 established, traffic selector 172.17.0.1->172.16.0.1, proto 47, peer 10.10.10.251, id "10.10.10.251", Filter IPsec:Protect:CMAP:1:LIST, IPsecAction IPsecAction:CMAP:1, IKERule IKERule:CMAP:1

In the IPsec tunnel statistics on Gate1 I see that the tunnel really exists, but the Rcvd counter stays at zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0

I troubleshoot S-Terra like this: I look for the point where the target packets are lost on the path from R1 to R2. Along the way (spoiler) I will find a mistake.

Troubleshooting

Step 1. What Gate1 receives from R1

I use the built-in packet sniffer, tcpdump. I start the sniffer on the internal interface (Gi0/1 in Cisco-like notation, or eth1 in Debian OS notation):

root@Gate1:~# tcpdump -i eth1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:53:38.879525 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 1, length 64
14:53:39.896869 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 2, length 64
14:53:40.921121 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 3, length 64
14:53:41.944958 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 4, length 64

I see that Gate1 receives the GRE packets from R1. Moving on.

Step 2. What Gate1 does with the GRE packets

With the klogview utility I can see what happens to the GRE packets inside the S-Terra VPN driver:

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated

I see that the GRE traffic (proto 47) 172.16.0.1 -> 172.17.0.1 matches the encryption rule LIST in the crypto map CMAP and gets encapsulated. The packet is then sent out (passed). There are no reply packets in the klogview output.

I check the access lists on the Gate1 device. I see a single access list, LIST, which describes the traffic selected for encryption; in other words, no firewall rules are configured:

Gate1#show access-lists
Extended IP access list LIST
    10 permit gre host 172.16.0.1 host 172.17.0.1

Conclusion: the problem is not on the Gate1 device.

More about klogview

The VPN driver processes all network traffic, not only the traffic that has to be encrypted. These are the messages you see in klogview when the VPN driver has processed network traffic and sent it on unencrypted:

root@R1:~# ping 172.17.0.1 -c 4

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered

I see that the ICMP traffic (proto 1) 172.16.0.1 -> 172.17.0.1 did not match (no match) the encryption rules of the crypto map CMAP. The packet is sent in clear text.

Step 3. What Gate2 receives from Gate1

I start the sniffer on the WAN interface (eth0) of Gate2:

root@Gate2:~# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:45.104195 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x1), length 140
16:05:46.093918 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x2), length 140
16:05:47.117078 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x3), length 140
16:05:48.141785 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x4), length 140

I see that Gate2 receives the ESP packets from Gate1.

Step 4. What Gate2 does with the ESP packets

I start the klogview utility on Gate2:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall

I see that the ESP packets (proto 50) are dropped (DROP) by a firewall rule (L3VPN). I see that Gi0/0 has the access list L3VPN bound to it:

Gate2#show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.10.10.252/24
  MTU is 1500 bytes
  Outgoing access list is not set
  Inbound  access list is L3VPN

I have found the problem.

Step 5. What is wrong with the access list

I look at the access list L3VPN:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any

I see that ISAKMP packets are allowed, which is why the IPsec tunnel comes up. But there is no rule that permits ESP. It looks like the student mixed up icmp and esp.

I fix the access list:

Gate2(config)#
ip access-list extended L3VPN
no 30
30 permit esp host 10.10.10.251 any

Step 6. Verifying operation

First, I make sure the access list L3VPN is correct:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any

Now I start the target traffic from device R1:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=35.3 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=3.01 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=2.87 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 2.650/10.970/35.338/14.069 ms

Victory. The GRE tunnel is up. The inbound IPsec statistics counter is no longer zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1474 1350

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 4 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 1920 480

On the Gate2 gateway, the klogview output now shows messages that the traffic 172.16.0.1->172.17.0.1 was successfully decrypted (PASS) by rule LIST in the crypto map CMAP:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated
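The check from Step 4 and Step 5 can be automated: parse the "show access-list" output for the peer's inbound list and report which of the three IPsec-related rules (IKE on UDP/500, NAT-T on UDP/4500, ESP) is missing, and count packets that klogview reports as dropped by the firewall. This is an added example, not code from the article or from S-Terra; the access list and klogview samples are constructed from the output shown above.

```python
import re

# IPsec traffic an inbound WAN access list must permit from a peer:
# IKE (UDP/500), NAT-T (UDP/4500) and the ESP data packets themselves.
REQUIRED = {("udp", "isakmp"), ("udp", "non500-isakmp"), ("esp", None)}

# One access-control entry in "show access-list" output, host -> any form.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+host\s+(?P<src>\S+)\s+any(?:\s+eq\s+(?P<port>\S+))?\s*$")

# klogview line for a packet the S-Terra firewall chain has dropped.
DROP_RE = re.compile(
    r"^dropped (?:in|out) packet (?P<src>\S+)->(?P<dst>\S+), proto (?P<proto>\d+),.*: firewall$")

def parse_acl(text):
    """Return (seq, action, proto, src, port) for each ACE in the output."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries.append((int(m["seq"]), m["action"], m["proto"], m["src"], m["port"]))
    return entries

def missing_ipsec_rules(acl_text, peer):
    """Required (proto, port) pairs that the ACL does not permit from peer."""
    permitted = {(p, port) for _, act, p, src, port in parse_acl(acl_text)
                 if act == "permit" and src == peer}
    return sorted(REQUIRED - permitted, key=lambda t: (t[0], t[1] or ""))

def firewall_drops(klog_text):
    """Count firewall-dropped packets in klogview output, keyed by (src, proto)."""
    counts = {}
    for line in klog_text.splitlines():
        m = DROP_RE.match(line)
        if m:
            key = (m["src"], int(m["proto"]))
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed samples: the L3VPN list before and after the fix, and Gate2's klogview drop.
BROKEN_ACL = """Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any
"""
FIXED_ACL = BROKEN_ACL.replace("30 permit icmp", "30 permit esp")
KLOG = ('filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP\n'
        "dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall\n")
```

Running missing_ipsec_rules(BROKEN_ACL, "10.10.10.251") reports [("esp", None)], which is exactly the mistake found in Step 5, and firewall_drops(KLOG) attributes the drop to protocol 50 from the peer.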

Conclusions

Some student ruined his day off.
Be careful with firewall rules.

Anonymous Engineer
t.me/anonymous_engineer


Source: www.habr.com