How to troubleshoot a domestic IPsec VPN. Part 1

The situation

On vacation. I'm drinking coffee. A student set up a VPN connection between two sites and then vanished. I checked: the tunnel really is there, but no traffic goes through it. The student isn't answering calls.

I put the kettle on and dive into troubleshooting the S-Terra Gateway. Here I share my experience and methodology.

Initial data

Two geographically separated sites are connected by a GRE tunnel: R1 (1.1.1.1) to R2 (1.1.1.2), with GRE endpoints 172.16.0.1 and 172.17.0.1. The GRE traffic has to be encrypted, so it is carried inside an IPsec tunnel between Gate1 (10.10.10.251) and Gate2 (10.10.10.252).

I check whether the GRE tunnel works. To do that I ping R2's GRE interface from R1; this is the target traffic that is supposed to be encrypted. No reply:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms

I look at the logs on Gate1 and Gate2. The log cheerfully reports that the IPsec tunnel was established successfully, no problems:

root@Gate1:~# cat /var/log/cspvpngate.log
Aug  5 16:14:23 localhost  vpnsvc: 00100119 <4:1> IPSec connection 5 established, traffic selector 172.17.0.1->172.16.0.1, proto 47, peer 10.10.10.251, id "10.10.10.251", Filter 
IPsec:Protect:CMAP:1:LIST, IPsecAction IPsecAction:CMAP:1, IKERule IKERule:CMAP:1

In the IPsec tunnel statistics on Gate1 I see that the tunnel really exists, but the Rcvd counter stays at zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0

I troubleshoot S-Terra like this: I look for the point on the path from R1 to R2 where the target packets get lost. Along the way (spoiler) I find an error.

Troubleshooting

Step 1. What Gate1 receives from R1

I use the built-in packet sniffer, tcpdump. I start the sniffer on the internal interface (Gi0/1 in Cisco-like notation, eth1 in Debian OS notation):
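The symptom above (an active ISAKMP connection and an IPsec SA with Sent > 0 and Rcvd = 0) is the signature of a tunnel whose control plane works but whose data plane is broken in one direction. The following added example, which is not part of the original article and not an S-Terra tool, parses the `sa_mgr show` text exactly as printed in this article and turns the counters into a diagnosis. The two sample outputs are copied from the article; the diagnosis wording and the function names are my own.

```python
# Added example (not S-Terra's own tooling): parse the text of `sa_mgr show`
# as printed in this article and flag SAs that only send and never receive.
import re

# Constructed samples: the two `sa_mgr show` outputs shown in this article.
SA_MGR_BEFORE = """\
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0
"""

SA_MGR_AFTER = """\
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1474 1350

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 4 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 1920 480
"""

# One row of either table:
#   <num> <conn-id> (laddr,lport)-(raddr,rport) <column(s) in between> <sent> <rcvd>
# "rest" is "active" for ISAKMP rows and "<proto> <action> <type>" for IPsec rows.
ROW_RE = re.compile(
    r"^\d+\s+(?P<conn>\d+)\s+\((?P<laddr>[\d.]+),(?P<lport>[^)]+)\)-"
    r"\((?P<raddr>[\d.]+),(?P<rport>[^)]+)\)\s+(?P<rest>.*?)\s+(?P<sent>\d+)\s+(?P<rcvd>\d+)$"
)


def parse_sa_mgr(text):
    """Return {"isakmp": [...], "ipsec": [...]}; each row is a dict with int counters."""
    tables = {"isakmp": [], "ipsec": []}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ISAKMP connections:"):
            current = "isakmp"
        elif line.startswith("IPsec connections:"):
            current = "ipsec"
        elif current:
            m = ROW_RE.match(line)  # header lines start with "Num" and do not match
            if m:
                row = m.groupdict()
                row["sent"], row["rcvd"] = int(row["sent"]), int(row["rcvd"])
                tables[current].append(row)
    return tables


def triage(text):
    """Turn the counters into a list of findings; an empty problem list means the tunnel is healthy."""
    t = parse_sa_mgr(text)
    findings = []
    if not any(r["rest"].startswith("active") for r in t["isakmp"]):
        findings.append("no active ISAKMP connection: IKE never completed, "
                        "check UDP/500 and UDP/4500 reachability and the peer credentials")
    if not t["ipsec"]:
        findings.append("no IPsec SA: phase 2 (crypto map / traffic selector) did not negotiate")
    for r in t["ipsec"]:
        sel = f"{r['laddr']}->{r['raddr']} proto {r['rest'].split()[0]}"
        if r["sent"] > 0 and r["rcvd"] == 0:
            findings.append(f"one-way SA {sel}: {r['sent']} sent, 0 received; "
                            "the peer is not returning ESP, check its inbound firewall and routing")
        elif r["sent"] == 0 and r["rcvd"] > 0:
            findings.append(f"one-way SA {sel}: receiving but sending nothing; "
                            "check the crypto ACL and routing on this side")
        elif r["sent"] == 0 and r["rcvd"] == 0:
            findings.append(f"idle SA {sel}: no traffic has matched the crypto ACL yet")
    return findings or ["OK: tunnel up and carrying traffic in both directions"]


if __name__ == "__main__":
    for label, sample in (("before", SA_MGR_BEFORE), ("after", SA_MGR_AFTER)):
        print(label, triage(sample))
```

The one-way verdict is what points the search in the right direction: the local side is encrypting and transmitting, so the next capture point is the peer's WAN interface, not this gateway.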

root@Gate1:~# tcpdump -i eth1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:53:38.879525 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 1, length 64
14:53:39.896869 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 2, length 64
14:53:40.921121 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 3, length 64
14:53:41.944958 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 4, length 64

I see that Gate1 receives the GRE packets from R1. Moving on.

Step 2. What Gate1 does with the GRE packets

With the klogview utility I can see what happens to the GRE packets inside the S-Terra VPN driver:

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated

I see that the target GRE traffic (proto 47) 172.16.0.1 -> 172.17.0.1 matched the LIST encryption rule of the CMAP crypto map and was encapsulated. The packet was then sent out (passed out). There is no return traffic in the klogview output.

I check the access lists on Gate1. I see only one access list, LIST, which defines the target traffic for encryption; that means no firewall rules are configured here:

Gate1#show access-lists
Extended IP access list LIST
    10 permit gre host 172.16.0.1 host 172.17.0.1

Conclusion: the problem is not on Gate1.

More about klogview

The VPN driver handles all network traffic, not only the traffic that has to be encrypted. These are the messages you see in klogview when the VPN driver has processed network traffic and forwarded it in clear text:

root@R1:~# ping 172.17.0.1 -c 4

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered

I see that the ICMP traffic (proto 1) 172.16.0.1 -> 172.17.0.1 did not match (no match) the encryption rules of the CMAP crypto map. The packet was sent out (passed out) in clear text. Note that this is fail-open behaviour: anything the crypto ACL does not cover leaves the WAN interface unencrypted, so a mistake in that ACL becomes a silent cleartext leak rather than an outage.

Step 3. What Gate2 receives from Gate1

I start the sniffer on the Gate2 WAN interface (eth0):

root@Gate2:~# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:45.104195 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x1), length 140
16:05:46.093918 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x2), length 140
16:05:47.117078 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x3), length 140
16:05:48.141785 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x4), length 140

I see that Gate2 receives the ESP packets from Gate1.

Step 4. What Gate2 does with the ESP packets

I start the klogview utility on Gate2:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall

I see that the ESP packet (proto 50) was dropped (DROP) by the firewall rule (L3VPN). I make sure that Gi0/0 really has the L3VPN access list attached:

Gate2#show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.10.10.252/24
  MTU is 1500 bytes
  Outgoing access list is not set
  Inbound  access list is L3VPN

The problem is found.

Step 5. What's wrong with the access list

I look at what the L3VPN access list contains:
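Steps 2 and 4 and the "More about klogview" aside show three fates a packet can meet in the VPN driver: encapsulated, forwarded in clear text (filtered), or dropped by a firewall chain. The following added example, not part of the original article and not an S-Terra tool, reads klogview output in the format printed above and gives each packet a verdict, tying a DROP back to the filter chain that caused it and flagging a cleartext "filtered" pass for a selector the crypto ACL was supposed to protect. The Gate1 and Gate2 samples are the lines from this article; the LEAK sample is a constructed line showing what a cleartext leak of the GRE traffic would look like, and the function names and verdict labels are my own.

```python
# Added example (not S-Terra's own tooling): classify klogview packet lines.
import re

# Constructed samples: klogview lines from this article (Gate1 and Gate2) plus one
# hypothetical line showing GRE traffic that left in clear text instead of being encrypted.
GATE1_LOG = """\
filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated
filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered
"""
GATE2_LOG = """\
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall
"""
LEAK_LOG = """\
passed out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: filtered
"""

FILTER_RE = re.compile(
    r'^filtration result for (?P<dir>in|out) packet (?P<src>[\d.]+)->(?P<dst>[\d.]+), '
    r'proto (?P<proto>\d+), len \d+, if \S+: chain \d+ "(?P<chain>[^"]+)"')
ENCAP_RE = re.compile(
    r"^encapsulating with SA (?P<sa>\d+): (?P<src>[\d.]+)->(?P<dst>[\d.]+), proto (?P<proto>\d+)")
PACKET_RE = re.compile(
    r"^(?P<verdict>passed|dropped) (?P<dir>in|out) packet (?P<src>[\d.]+)->(?P<dst>[\d.]+), "
    r"proto (?P<proto>\d+), len \d+, if (?P<iface>\S+): (?P<reason>\w+)$")


def classify(text, expect_encrypted=frozenset()):
    """Return a list of (verdict, detail) tuples, one per packet line.

    expect_encrypted: set of (src, dst, proto) selectors the crypto ACL must protect;
    a 'filtered' (clear text) pass for one of them is reported as LEAK.
    """
    last_chain = {}       # (dir, src, dst, proto) -> chain that last decided on that flow
    pending_inner = None  # inner selector from the preceding 'encapsulating with SA' line
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        f = FILTER_RE.match(line)
        if f:
            last_chain[(f["dir"], f["src"], f["dst"], f["proto"])] = f["chain"]
            continue
        e = ENCAP_RE.match(line)
        if e:
            pending_inner = f"{e['src']}->{e['dst']} proto {e['proto']} (SA {e['sa']})"
            continue
        p = PACKET_RE.match(line)
        if not p:
            continue
        key = (p["dir"], p["src"], p["dst"], p["proto"])
        flow = f"{p['src']}->{p['dst']} proto {p['proto']}"
        reason = p["reason"]
        if p["verdict"] == "dropped":
            events.append(("DROP", f"{flow} {p['dir']} {p['iface']}: {reason}, "
                                   f"chain {last_chain.get(key, '?')}"))
        elif reason == "encapsulated":
            events.append(("ENCRYPTED", f"{pending_inner or '?'} -> {flow}"))
            pending_inner = None
        elif reason == "decapsulated":
            events.append(("DECRYPTED", flow))
        elif reason == "filtered" and (p["src"], p["dst"], p["proto"]) in expect_encrypted:
            events.append(("LEAK", f"{flow} left {p['iface']} in clear text despite the crypto policy"))
        else:
            events.append(("CLEAR", f"{flow} {p['dir']} {p['iface']}: {reason}"))
    return events


def first_problem(events):
    """Return the first DROP or LEAK event, or None when the path looks healthy."""
    for kind, detail in events:
        if kind in ("DROP", "LEAK"):
            return kind, detail
    return None


if __name__ == "__main__":
    gre = {("172.16.0.1", "172.17.0.1", "47")}
    for name, log in (("Gate1", GATE1_LOG), ("Gate2", GATE2_LOG), ("leak", LEAK_LOG)):
        print(name, first_problem(classify(log, gre)))
```

Run it against `klogview -f 0xffffffff` output captured on each gateway in turn; the first DROP or LEAK names the hop and the filter chain to look at, which is exactly what step 4 found by eye.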

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any

I see that ISAKMP packets are permitted, which is why the IPsec tunnel gets established. But there is no permit rule for ESP. Apparently the student mixed up icmp and esp. This is exactly why the symptom was misleading: IKE on UDP/500 and UDP/4500 gets through, so the log and the SA tables look healthy, while the data plane (ESP, IP protocol 50) is dropped at the first firewall rule that sees it.

I edit the access list:

Gate2(config)#
ip access-list extended L3VPN
no 30
30 permit esp host 10.10.10.251 any
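For an IPsec peer to work through an inbound access list, three things must be permitted from the peer address: UDP/500 (isakmp), UDP/4500 (non500-isakmp, for NAT traversal) and IP protocol 50 (esp). The following added example, not from the original article and not an S-Terra or Cisco tool, parses `show access-list` output in the Cisco-like syntax shown above, evaluates it first-match with the implicit deny, and reports which of those flows from a given peer would be dropped. The broken and fixed L3VPN lists are copied from this article; the function names and the port-name mapping are my own, and AH (IP protocol 51) is deliberately not required because the article's tunnel uses ESP only.

```python
# Added example (not S-Terra's or Cisco's tooling): check that an inbound ACL
# lets an IPsec peer through (IKE on UDP/500 and UDP/4500, and ESP).
import ipaddress
import re

# Constructed samples: the L3VPN access list before and after the fix, as shown in this article.
BROKEN_ACL = """\
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any
"""
FIXED_ACL = """\
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any
"""

# <seq> permit|deny <proto> <src> <dst> [eq <port>]; src/dst are 'any', 'host A', or 'net wildcard'
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$")

PORT_NAMES = {"500": "isakmp", "4500": "non500-isakmp"}  # numeric -> keyword normalisation

# What an IPsec peer must be allowed to send us: (ip protocol, dst port keyword or None)
IPSEC_FLOWS = {
    ("udp", "isakmp"): "IKE on UDP/500",
    ("udp", "non500-isakmp"): "IKE and ESP-in-UDP on UDP/4500 (NAT traversal)",
    ("esp", None): "ESP, IP protocol 50: the encrypted payload itself",
}


def parse_acl(text):
    """Parse 'show access-list' output into entries ordered by sequence number."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)  # the 'Extended IP access list ...' header does not match
        if m:
            e = m.groupdict()
            e["seq"] = int(e["seq"])
            e["port"] = PORT_NAMES.get(e["port"], e["port"])
            entries.append(e)
    return sorted(entries, key=lambda e: e["seq"])


def _addr_matches(spec, ip):
    """Cisco-style address spec: 'any', 'host A.B.C.D', or 'network wildcard-mask'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == ip
    net, wild = spec.split()
    n, w, a = (int(ipaddress.IPv4Address(x)) for x in (net, wild, ip))
    return (a & ~w) == (n & ~w)  # wildcard bits set to 1 are "don't care"


def acl_verdict(entries, proto, src_ip, dst_ip, port):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for e in entries:
        if e["proto"] not in (proto, "ip"):
            continue
        if e["port"] is not None and e["port"] != port:
            continue
        if _addr_matches(e["src"], src_ip) and _addr_matches(e["dst"], dst_ip):
            return e["action"], e["seq"]
    return "deny", None


def missing_ipsec_permits(acl_text, peer_ip, local_ip):
    """List the IPsec flows from peer_ip that this inbound ACL would drop."""
    entries = parse_acl(acl_text)
    missing = []
    for (proto, port), meaning in IPSEC_FLOWS.items():
        action, seq = acl_verdict(entries, proto, peer_ip, local_ip, port)
        if action != "permit":
            hit = f"seq {seq}" if seq is not None else "implicit deny"
            missing.append(f"{meaning}: not permitted (hit {hit})")
    return missing


if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(name, missing_ipsec_permits(acl, "10.10.10.251", "10.10.10.252") or "OK")
```

Running this before pushing an ACL to the WAN interface would have caught the student's mistake immediately: the broken list permits both IKE ports, so the tunnel negotiates, and reports only ESP as missing.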

Step 6. Checking that it works

First of all, I make sure the L3VPN access list is correct:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any

Now I send the target traffic from R1:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=35.3 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=3.01 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=2.87 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 2.650/10.970/35.338/14.069 ms

Victory. The GRE tunnel is up. The received-traffic counter in the IPsec statistics is no longer zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1474 1350

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 4 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 1920 480

On Gate2, the klogview output now shows that the target traffic 172.16.0.1 -> 172.17.0.1 was successfully decrypted (PASS) under the LIST rule of the CMAP crypto map:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated

Outcome

A student lost his day.
Watch your firewall rules.

Anonymous engineer
t.me/anonymous_engineer


Source: www.habr.com