How to troubleshoot IPsec VPN. Part 1


The situation

A day off. I am drinking coffee. A student set up a VPN tunnel between two sites and vanished. I check: the tunnel is indeed up, but no traffic is flowing through it. The student is not answering calls.

I put the coffee aside and dive into troubleshooting the S-Terra Gateway. I will share my experience and the tools I used.

Initial data

Two remote sites are connected by a GRE tunnel. The GRE traffic must be encrypted:

[Network diagram: R1 -- Gate1 -- Gate2 -- R2. GRE tunnel 172.16.0.1 -> 172.17.0.1 (tunnel addresses 1.1.1.1 / 1.1.1.2) between R1 and R2; IPsec between Gate1 (10.10.10.251) and Gate2 (10.10.10.252).]

I check whether the GRE tunnel works. To do that I ping the GRE interface of R2 from R1. This is the target traffic that should be encrypted. No reply:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms

I look at the logs on Gate1 and Gate2. The log cheerfully reports that the IPsec tunnel has been established successfully, no problems:

root@Gate1:~# cat /var/log/cspvpngate.log
Aug  5 16:14:23 localhost  vpnsvc: 00100119 <4:1> IPSec connection 5 established, traffic selector 172.17.0.1->172.16.0.1, proto 47, peer 10.10.10.251, id "10.10.10.251", Filter IPsec:Protect:CMAP:1:LIST, IPsecAction IPsecAction:CMAP:1, IKERule IKERule:CMAP:1

In the IPsec tunnel statistics on Gate1 I see that the tunnel really exists, but the Rcvd counter stays at zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0

My approach to S-Terra troubleshooting is this: I look for the point where the target packet is lost on the path from R1 to R2. Along the way (spoiler) I will find the mistake.

Troubleshooting

Step 1. What Gate1 receives from R1

I use the built-in packet sniffer, tcpdump. I start the sniffer on the inside interface (Gi0/1 in Cisco-like notation, eth1 in Debian OS notation):

root@Gate1:~# tcpdump -i eth1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:53:38.879525 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 1, length 64
14:53:39.896869 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 2, length 64
14:53:40.921121 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 3, length 64
14:53:41.944958 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 4, length 64

I see that Gate1 receives the GRE packets from R1. Moving on.

Step 2. What Gate1 does with the GRE packets

With the klogview utility I can see what happens to the GRE packets inside the S-Terra VPN driver:

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated

I see that the target GRE traffic (proto 47) 172.16.0.1 -> 172.17.0.1 matches the LIST encryption rule of the CMAP crypto map and is encapsulated. After that the resulting ESP packet is sent out (passed out). There is no return traffic in the klogview output.

I check the access lists on Gate1. I see a single access list, the one that defines the target traffic for encryption, which means no firewall rules are configured on Gate1:

Gate1#show access-lists
Extended IP access list LIST
    10 permit gre host 172.16.0.1 host 172.17.0.1

Conclusion: the problem is not on Gate1.

More about klogview

The VPN driver processes all traffic passing through the gateway, not only the traffic that must be encrypted. This is what klogview shows when the VPN driver has processed traffic and forwarded it unencrypted:

root@R1:~# ping 172.17.0.1 -c 4

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered

I see that the ICMP traffic (proto 1) 172.16.0.1->172.17.0.1 does not fall under (no match) the encryption rules of the CMAP crypto map. The packet is sent out (passed out) in clear text. Note that this is the default for everything outside the crypto ACL: a LIST that is too narrow does not break the tunnel, it silently sends the missed traffic unencrypted, so the crypto ACL deserves the same scrutiny as the firewall rules.

Step 3. What Gate2 receives from Gate1

I start the sniffer on the WAN interface (eth0) of Gate2:

root@Gate2:~# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:45.104195 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x1), length 140
16:05:46.093918 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x2), length 140
16:05:47.117078 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x3), length 140
16:05:48.141785 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x4), length 140

I see that Gate2 receives the ESP packets from Gate1.

Step 4. What Gate2 does with the ESP packets

I run the klogview utility on Gate2:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall

I see that the ESP packets (proto 50) are dropped (DROP) by a firewall rule (L3VPN). I confirm that the L3VPN access list is indeed applied inbound on Gi0/0:

Gate2#show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.10.10.252/24
  MTU is 1500 bytes
  Outgoing access list is not set
  Inbound  access list is L3VPN

The problem is found.
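Reading klogview by eye is fine for a handful of packets. On a busy gateway the two things worth extracting automatically are drops together with the chain that caused them (the case in Step 4) and target traffic that left in clear text after a "no match" (the case under "More about klogview"). The script below is an added example, not part of the original article and not an S-Terra tool; it assumes the klogview line formats are exactly those shown above and runs over a constructed sample assembled from them.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, assembled from the klogview lines quoted in this article
# (Step 2, "More about klogview", Step 4, Step 6). Not a real capture.
SAMPLE_LOG = """\
filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated
filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated
"""

# Final verdict line: passed/dropped, direction, 5-tuple-ish, interface, reason.
VERDICT_RE = re.compile(
    r'^(?P<action>passed|dropped) (?P<dir>in|out) packet '
    r'(?P<src>[\d.]+)->(?P<dst>[\d.]+), proto (?P<proto>\d+), len (?P<len>\d+), '
    r'if (?P<iface>\S+): (?P<reason>\w+)$')
# Filtration line: which chain (crypto map or firewall) examined the packet.
CHAIN_RE = re.compile(
    r'^filtration result for (?P<dir>in|out) packet '
    r'(?P<src>[\d.]+)->(?P<dst>[\d.]+), proto (?P<proto>\d+), len \d+, if \S+: '
    r'chain \d+ "(?P<chain>[^"]+)"')


@dataclass
class PacketEvent:
    direction: str
    src: str
    dst: str
    proto: int
    iface: str
    action: str   # passed / dropped
    reason: str   # encapsulated / decapsulated / filtered / firewall
    chain: str    # chain from the preceding filtration result, '' if none


def parse_klogview(text):
    """Pair each passed/dropped line with the most recent 'filtration result'
    for the same (direction, src, dst, proto), so the deciding chain is kept.
    The ESP packet emitted after encapsulation has a different tuple than the
    inner packet, so it legitimately carries no chain."""
    last_chain = {}
    events = []
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            last_chain[(m['dir'], m['src'], m['dst'], int(m['proto']))] = m['chain']
            continue
        m = VERDICT_RE.match(line)
        if m:
            key = (m['dir'], m['src'], m['dst'], int(m['proto']))
            events.append(PacketEvent(m['dir'], m['src'], m['dst'], int(m['proto']),
                                      m['iface'], m['action'], m['reason'],
                                      last_chain.get(key, '')))
    return events


def audit(events, protected):
    """protected: set of (src, dst, proto) selectors the crypto ACL must cover.
    Flags every drop (with its chain) and every protected flow that left the
    box 'filtered', i.e. unencrypted."""
    findings = []
    for e in events:
        if e.action == 'dropped':
            findings.append(f"DROP {e.direction} {e.src}->{e.dst} proto {e.proto} "
                            f"on {e.iface}: reason={e.reason} chain={e.chain or '?'}")
        elif e.reason == 'filtered' and (e.src, e.dst, e.proto) in protected:
            findings.append(f"CLEARTEXT LEAK {e.src}->{e.dst} proto {e.proto} "
                            f"on {e.iface}: no crypto-map match in chain {e.chain or '?'}")
    return findings


def summarize(events):
    """Counts of (direction, reason), a quick view of where packets end up."""
    return Counter((e.direction, e.reason) for e in events)


if __name__ == '__main__':
    evs = parse_klogview(SAMPLE_LOG)
    print(dict(summarize(evs)))
    # GRE 172.16.0.1->172.17.0.1 is the only flow the article's LIST protects.
    for f in audit(evs, {('172.16.0.1', '172.17.0.1', 47)}):
        print(f)
```

On the sample this reports exactly one finding, the firewall drop of proto 50 in chain FilterChain:L3VPN from Step 4; the ICMP packet that went out in the clear is not reported because it is outside the protected selector. Add ('172.16.0.1', '172.17.0.1', 1) to the protected set and it becomes a CLEARTEXT LEAK finding.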

Step 5. What is wrong with the access list

I look at what the L3VPN access list contains:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any

I see that ISAKMP packets are permitted, which is why the IPsec tunnel is established. But there is no rule for ESP. It looks like the student mixed up icmp and esp. ESP is IP protocol 50, not a UDP or TCP port, so none of the udp entries can cover it; and because IKE (udp/500 and udp/4500) is permitted, the SA negotiates and the log says "established" while only the data path is broken, which is exactly the symptom in the statistics (Sent non-zero, Rcvd zero).

I fix the access list:

Gate2(config)#
ip access-list extended L3VPN
no 30
30 permit esp host 10.10.10.251 any
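The mistake in this step is the kind that survives a visual review because the list "looks" like an IPsec access list. An added check, example code that is not part of the article and not an S-Terra or Cisco tool: parse a Cisco-style extended ACL and evaluate, with first-match semantics, whether the three flows an IPsec peer must be allowed to send (IKE on udp/500, NAT-T on udp/4500, ESP as IP protocol 50) are permitted from the peer address to the local WAN address. The ACL text is constructed from the listings on this page; the port names isakmp and non500-isakmp are mapped to 500 and 4500 as Cisco IOS does.

```python
import ipaddress
import re

# Constructed input modelled on the article's 'show access-list L3VPN' output
# before and after the fix (not real device output).
ACL_BROKEN = """\
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any
"""
ACL_FIXED = """\
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any
"""

PORT_NAMES = {'isakmp': 500, 'non500-isakmp': 4500}
# What an inbound WAN ACL must let through from the IPsec peer for the tunnel
# to come up AND carry traffic: IKE, IKE over NAT-T, and the ESP payload itself.
# (If the transform set uses AH instead of ESP, add ('AH (proto 51)', 'ahp', None).)
REQUIRED = [('IKE (udp/500)', 'udp', 500),
            ('NAT-T (udp/4500)', 'udp', 4500),
            ('ESP (proto 50)', 'esp', None)]
ENTRY_RE = re.compile(
    r'^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$')


def _addr_spec(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Return (net, mask)."""
    t = tokens.pop(0)
    if t == 'any':
        return 0, 0
    if t == 'host':
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return int(ipaddress.IPv4Address(t)), 0xFFFFFFFF ^ wildcard


def _port_spec(tokens):
    """Consume an optional 'eq PORT' qualifier; None means any port."""
    if tokens and tokens[0] == 'eq':
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_acl(text):
    """Return the numbered entries in sequence order; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tok = m['rest'].split()
        src, sport = _addr_spec(tok), _port_spec(tok)
        dst, dport = _addr_spec(tok), _port_spec(tok)
        entries.append(dict(seq=int(m['seq']), action=m['action'], proto=m['proto'],
                            src=src, sport=sport, dst=dst, dport=dport))
    return entries


def _in(ip, spec):
    net, mask = spec
    return (ip & mask) == (net & mask)


def check_ipsec_peer(acl_text, peer, local):
    """First-match evaluation of the ACL for each flow the peer must be able to send.
    Returns {requirement: seq of the permitting entry, or None if denied/unmatched}."""
    entries = parse_acl(acl_text)
    peer_i = int(ipaddress.IPv4Address(peer))
    local_i = int(ipaddress.IPv4Address(local))
    result = {}
    for name, proto, dport in REQUIRED:
        hit = None
        for e in entries:
            if e['proto'] not in (proto, 'ip'):
                continue
            if not (_in(peer_i, e['src']) and _in(local_i, e['dst'])):
                continue
            if e['dport'] is not None and e['dport'] != dport:
                continue
            hit = e['seq'] if e['action'] == 'permit' else None
            break  # first match decides; falling off the end is the implicit deny
        result[name] = hit
    return result


if __name__ == '__main__':
    for label, acl in (('broken', ACL_BROKEN), ('fixed', ACL_FIXED)):
        r = check_ipsec_peer(acl, '10.10.10.251', '10.10.10.252')
        missing = [n for n, seq in r.items() if seq is None]
        print(label, r, 'MISSING:' if missing else 'ok', missing)
```

Run against the broken list it reports ESP (proto 50) as missing while IKE and NAT-T are permitted, which is the "tunnel established, Rcvd zero" state seen at the start; against the fixed list all three are permitted. The same check can be pointed at any ACL applied inbound on the WAN interface of either gateway before declaring an IPsec problem a crypto problem.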

Step 6. Verifying the result

First I make sure the L3VPN access list is now correct:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any

Now I send the target traffic from R1:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=35.3 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=3.01 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=2.87 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 2.650/10.970/35.338/14.069 ms

Hooray. The GRE tunnel is up. The received traffic in the IPsec statistics is no longer zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1474 1350

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 4 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 1920 480

On the Gate2 gateway, klogview now shows that the target traffic 172.16.0.1->172.17.0.1 was successfully decrypted (PASS) under the LIST rule of the CMAP crypto map:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated

Conclusions

A student ruined my day off.
Be careful with firewall rules.

Anonymous engineer
t.me/anonymous_engineer


Source: www.hab.com
