1.5 schemes of domestic IPsec VPN. Testing demos

The situation

I received a demo version of the S-Terra VPN product, version 4.3, for three months. I want to find out whether my engineering life will get easier after moving to the new version.

Today is not hard; one sachet of 3-in-1 instant coffee should be enough. I'll tell you how to get the demos. I'll try to build GRE-over-IPsec and IPsec-over-GRE schemes.

How to get a demo

As the picture shows, to get a demo you need to:

  • Write a letter to [email protected] from a corporate address;
  • In the letter, state the TIN of your organization;
  • List the products and their quantities.

Demo versions are valid for three months. The vendor does not restrict their functionality.

Deploying the image

The Security Gateway demo is a virtual machine. I use VMware Workstation. A full list of supported hypervisors and virtualization environments is available on the vendor's website.

Before you start, note that the default virtual machine image has no network interfaces:

The logic is clear: the user adds as many interfaces as they need. I'll add four at once:

Now I start the virtual machine. Immediately after launch, the gateway asks for a username and password.

S-Terra Gateway has several consoles with different accounts. I'll go through them in a separate article. For now:
Login as: administrator
Password: s-terra

I initialize the gateway. Initialization is a sequence of actions: entering the license, seeding the random number generator (a keyboard simulator; my record is 27 seconds) and creating the network interface map.

Network interface map. It got easier

Version 4.2 greeted the impatient user with the messages:

Starting IPsec daemon….. failed
ERROR: Could not establish connection with daemon

The impatient user (as defined by the anonymous engineer) is a user who can set everything up quickly and without the documentation.

Something went wrong before the user even tried to assign an IP address to an interface. The cause was the network interface map. You had to run:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
service networking restart

As a result, a network interface map was created containing the mapping between physical interface names (0000:02:03.0), their logical names in the operating system (eth0) and their names in the Cisco-like console (FastEthernet0/0):

#Unique ID      iface type   OS name   Cisco-like name
0000:02:03.0    phye         eth0      FastEthernet0/0

The logical designations of interfaces are called aliases. Aliases are stored in the file /etc/ifaliases.cf.
In version 4.3 the interface map is created automatically the first time the virtual machine starts. If you change the number of network interfaces in the virtual machine, recreate the interface map:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
systemctl restart networking

Scheme 1: GRE-over-IPsec

I deploy two virtual gateways and connect them as shown in the picture:

Step 1. Setting IP addresses and routes

VG1(config)#
interface fa0/0
ip address 172.16.1.253 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.1.253 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254

VG2(config)#
interface fa0/0
ip address 172.16.1.254 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.2.254 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.253

I check IP connectivity:

root@VG1:~# ping 172.16.1.254 -c 4
PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.545 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=0.657 ms
64 bytes from 172.16.1.254: icmp_seq=3 ttl=64 time=0.687 ms
64 bytes from 172.16.1.254: icmp_seq=4 ttl=64 time=0.273 ms

--- 172.16.1.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.273/0.540/0.687/0.164 ms

Step 2. Configuring GRE

I take the GRE configuration example from the documentation. I create the file gre1 in the /etc/network/interfaces.d directory with the following contents.

For VG1:

auto gre1
iface gre1 inet static
address 1.1.1.1
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.254 local 172.16.1.253 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

For VG2:

auto gre1
iface gre1 inet static
address 1.1.1.2
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.253 local 172.16.1.254 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

I bring the interface up in the system:

root@VG1:~# ifup gre1
root@VG2:~# ifup gre1

I check:

root@VG1:~# ip address show
8: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1
    link/gre 172.16.1.253 peer 172.16.1.254
    inet 1.1.1.1/30 brd 1.1.1.3 scope global gre1
       valid_lft forever preferred_lft forever

root@VG1:~# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.16.1.254 local 172.16.1.253 ttl 64 tos inherit key 1

S-Terra Gateway ships with a handy package, tcpdump. I'll write a capture to a pcap file:

root@VG2:~# tcpdump -i eth0 -w /home/dump.pcap

I start a ping between the GRE interfaces:

root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.850 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=0.974 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.850/0.915/0.974/0.043 ms

The GRE tunnel is up and running:

Step 3. Encrypting GRE with GOST

I set the identification type: by address. Authentication is by pre-shared key (according to the Usage Rules, a digital certificate must be used):

VG1(config)#
crypto isakmp identity address
crypto isakmp key KEY address 172.16.1.254

I set the IPsec Phase I parameters:

VG1(config)#
crypto isakmp policy 1
encr gost
hash gost3411-256-tc26
auth pre-share
group vko2

I set the IPsec Phase II parameters:

VG1(config)#
crypto ipsec transform-set TSET esp-gost28147-4m-imit
mode tunnel

I create an access list. The target traffic is GRE:

VG1(config)#
ip access-list extended LIST
permit gre host 172.16.1.253 host 172.16.1.254

I create a crypto map and bind it to the WAN interface:

VG1(config)#
crypto map CMAP 1 ipsec-isakmp
match address LIST
set transform-set TSET
! the peer is the remote gateway's WAN address (VG2)
set peer 172.16.1.254
interface fa0/0
  crypto map CMAP

For VG2 the configuration is mirrored; the differences are:

VG2(config)#
crypto isakmp key KEY address 172.16.1.253
ip access-list extended LIST
permit gre host 172.16.1.254 host 172.16.1.253
crypto map CMAP 1 ipsec-isakmp
! the peer is the remote gateway's WAN address (VG1)
set peer 172.16.1.253

I check:

root@VG2:~# tcpdump -i eth0 -w /home/dump2.pcap
root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1128 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=126 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=1.07 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=1.12 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.077/314.271/1128.419/472.826 ms, pipe 2

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 1 (172.16.1.253,500)-(172.16.1.254,500) active 1086 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 1 (172.16.1.253,*)-(172.16.1.254,*) 47 ESP tunn 480 480

There are no GRE packets in the traffic dump:

Conclusion: the GRE-over-IPsec scheme works correctly.

Scheme 1.5: IPsec-over-GRE

I do not plan to use IPsec-over-GRE on a real network. I'm setting it up because I feel like it.

To turn the GRE-over-IPsec scheme inside out, you need to:

  • Fix the access list for encryption: the target traffic is from LAN1 to LAN2 and back;
  • Configure routing through GRE;
  • Hang the crypto map on the GRE interface.

By default, the gateway's Cisco-like console has no GRE interface. It exists only in the operating system.

I add the GRE interface to the Cisco-like console. To do this, I edit the file /etc/ifaliases.cf:

interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="FastEthernet0/2" pattern="eth2")
interface (name="FastEthernet0/3" pattern="eth3")
interface (name="Tunnel0" pattern="gre1")
interface (name="default" pattern="*")

where gre1 is the interface created in the operating system and Tunnel0 is the interface that appears in the Cisco-like console.
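The alias file is worth sanity-checking after every edit, because an OS interface that no pattern catches falls through to the default entry. The resolver below is an added example, not code from the article or from S-Terra; it assumes that pattern values use shell-style globbing and that the first matching line wins.

```python
import re
from fnmatch import fnmatchcase

# Constructed copy of the /etc/ifaliases.cf contents shown in the article.
IFALIASES_CF = """\
interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="Tunnel0" pattern="gre1")
interface (name="default" pattern="*")
"""

LINE_RE = re.compile(r'^\s*interface\s*\(\s*name="([^"]+)"\s+pattern="([^"]+)"\s*\)\s*$')

def parse_ifaliases(text):
    """Return (cisco_name, os_pattern) pairs in file order; reject lines that do not parse."""
    aliases = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        aliases.append((m.group(1), m.group(2)))
    return aliases

def cisco_name(os_name, aliases):
    """Map an OS interface name to its Cisco-like alias (first matching pattern wins: assumed)."""
    for name, pattern in aliases:
        if fnmatchcase(os_name, pattern):
            return name
    return None

def check_aliases(aliases, os_interfaces):
    """Return (patterns matching no OS interface, OS interfaces that only the default catches)."""
    unmatched = [p for n, p in aliases
                 if n != "default" and not any(fnmatchcase(i, p) for i in os_interfaces)]
    defaulted = [i for i in os_interfaces if cisco_name(i, aliases) in (None, "default")]
    return unmatched, defaulted
```

Running check_aliases against the output of ip link after adding or removing virtual NICs shows which aliases went stale before the integrity hash is recalculated.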

I recalculate the integrity hash of the file:

root@VG1:~# integr_mgr calc -f /etc/ifaliases.cf

SUCCESS:  Operation was successful.

Now the Tunnel0 interface appears in the Cisco-like console:

VG1# show run
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
mtu 1400

I fix the access list for encryption:

VG1(config)#
ip access-list extended LIST
! LAN1 (behind VG1) to LAN2 (behind VG2)
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

I configure routing through GRE:

VG1(config)#
no ip route 0.0.0.0 0.0.0.0 172.16.1.254
! LAN2 is reachable via the far end of the GRE tunnel
ip route 192.168.2.0 255.255.255.0 1.1.1.2

I remove the crypto map from Fa0/0 and bind it to the GRE interface:

VG1(config)#
interface fa0/0
no crypto map CMAP
interface Tunnel0
crypto map CMAP

For VG2 it is the same.

I check:

root@VG2:~# tcpdump -i eth0 -w /home/dump3.pcap

root@VG1:~# ping 192.168.2.254 -I 192.168.1.253 -c 4
PING 192.168.2.254 (192.168.2.254) from 192.168.1.253 : 56(84) bytes of data.
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=492 ms
64 bytes from 192.168.2.254: icmp_seq=2 ttl=64 time=1.08 ms
64 bytes from 192.168.2.254: icmp_seq=3 ttl=64 time=1.06 ms
64 bytes from 192.168.2.254: icmp_seq=4 ttl=64 time=1.07 ms

--- 192.168.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.064/124.048/492.972/212.998 ms

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 2 (172.16.1.253,500)-(172.16.1.254,500) active 1094 1022

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 2 (192.168.1.0-192.168.1.255,*)-(192.168.2.0-192.168.2.255,*) * ESP tunn 352 352

In the ESP traffic dump, the packets are encapsulated in GRE:

Conclusion: IPsec-over-GRE works correctly.
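The difference between the two dumps (no GRE visible in scheme 1, ESP inside GRE in scheme 1.5) comes down to which header is outermost on the wire. The classifier below is an added example, not code from the article; it parses raw IPv4, GRE and ESP headers of constructed packets whose addresses mirror the lab (the ESP endpoint addresses in the scheme 1.5 sample and the SPI are assumed) and reports the encapsulation order, flagging GRE that still carries cleartext.

```python
import socket
import struct
GRE, ESP = 47, 50                 # IP protocol numbers

def ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header for constructed test packets (checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def gre(payload, key=1, ethertype=0x0800):
    """GRE header with only the K flag set, as 'ip tunnel add ... key 1' produces."""
    return struct.pack("!HHI", 0x2000, ethertype, key) + payload

def parse_ipv4(buf):
    """Return (protocol, header length, src, dst) of an IPv4 header."""
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], ihl, socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20])

def parse_gre(buf):
    """Return (ethertype, key or None, header length); C/K/S flag bits per RFC 2784/2890."""
    flags, ethertype = struct.unpack("!HH", buf[:4])
    off = 4 + (4 if flags & 0x8000 else 0)                       # optional checksum + reserved1
    key = struct.unpack("!I", buf[off:off + 4])[0] if flags & 0x2000 else None
    off += (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0)   # key, sequence number
    return ethertype, key, off

def classify(pkt):
    """Describe the encapsulation order of one captured IPv4 packet."""
    proto, ihl, src, dst = parse_ipv4(pkt)
    if proto == ESP:                                   # scheme 1: only ESP is on the wire
        spi = struct.unpack("!I", pkt[ihl:ihl + 4])[0]
        return f"ESP spi=0x{spi:08x} {src}->{dst}: GRE-over-IPsec (GRE hidden inside)"
    if proto != GRE:
        return f"IP proto {proto} {src}->{dst}"
    ethertype, key, glen = parse_gre(pkt[ihl:])
    if ethertype != 0x0800:
        return f"GRE key={key} carrying ethertype 0x{ethertype:04x}"
    iproto, _, isrc, idst = parse_ipv4(pkt[ihl + glen:])
    if iproto == ESP:                                  # scheme 1.5: ESP rides inside GRE
        return f"GRE key={key} -> ESP {isrc}->{idst}: IPsec-over-GRE"
    return f"GRE key={key} -> cleartext proto {iproto} {isrc}->{idst}: UNENCRYPTED"

# Constructed sample packets mirroring the three dumps (SPI and ciphertext bytes are made up).
ESP_PAYLOAD = struct.pack("!II", 0x1234, 1) + b"\x00" * 32   # SPI, sequence, opaque ciphertext
SCHEME1 = ipv4("172.16.1.253", "172.16.1.254", ESP, ESP_PAYLOAD)
SCHEME15 = ipv4("172.16.1.253", "172.16.1.254", GRE, gre(ipv4("172.16.1.253", "172.16.1.254", ESP, ESP_PAYLOAD)))  # ESP endpoints inside GRE: assumed
PLAIN_GRE = ipv4("172.16.1.253", "172.16.1.254", GRE,          # scheme 1 before step 3: unencrypted
                 gre(ipv4("1.1.1.1", "1.1.1.2", 1, b"\x08" + b"\x00" * 7)))  # ICMP echo
```

Feeding each IPv4 payload from a pcap through classify gives the same verdict the article reads off the Wireshark screenshots, and any UNENCRYPTED line means the crypto map is not catching the tunnel traffic.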

Results

One cup of coffee was enough. I sketched out the instructions for getting a demo version, configured GRE-over-IPsec and deployed it the other way round.

The network interface map in version 4.3 is automatic! I'm continuing to test.

Anonymous engineer
t.me/anonymous_engineer


Source: www.hab.com
