1.5 atụmatụ na ụlọ IPsec VPN. Nnwale ngosi


The situation

I got a demo version of the S-Terra VPN product, version 4.3, for three months. I want to find out whether my life as an engineer gets easier if I switch to the new version.

Today isn't hard: one packet of instant 3-in-1 coffee should do. I'll tell you how to get the demo, then I'll try to build the GRE-over-IPsec and IPsec-over-GRE schemes.

How to get the demo


As the figure shows, to get the demo you need to:

  • Write a letter to [email protected] from a corporate address;
  • In the letter, state your organization's TIN;
  • List the products and their quantities.

The demo is valid for three months. The vendor does not restrict its functionality.

Deploying the image

The security gateway demo is a virtual machine image. I use VMware Workstation. The full list of supported hypervisors and virtual environments is on the vendor's website.

Before starting, note that the default virtual machine image has no network adapters at all.


Obviously, the user adds as many interfaces as needed. I'll add four at once.


Now I start the virtual machine. Once it has booted, the gateway asks for a username and password.

The S-Terra Gateway has several consoles with different accounts. I'll count them in a separate article. For now:
Login as: administrator
Password: s-terra

I initialize the gateway. Initialization is a sequence of steps: entering the license, seeding the random number generator (a keyboard simulator; my record is 27 seconds), and creating the network interface map.

Network interface map. It got simpler

Version 4.2 greeted the busy user with the message:

Starting IPsec daemon….. failed
ERROR: Could not establish connection with daemon

A busy user (in the anonymous engineer's definition) is one who can set anything up quickly and without reading the documentation.

Something went wrong before you even tried to set an IP address on an interface. It's all about the network interface map. You had to run:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
service networking restart

As a result, a network interface map is created that maps the physical interface name (0000:02:03.0) to its logical name in the operating system (eth0) and in the Cisco-like console (FastEthernet0/0):

#Unique ID     iface type   OS name   Cisco-like name
0000:02:03.0   phye         eth0      FastEthernet0/0

The logical names of the interfaces are called aliases. The aliases are stored in the file /etc/ifaliases.cf.
In version 4.3, the interface map is created automatically when the virtual machine starts. If you change the number of network adapters in the virtual machine, recreate the interface map:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
systemctl restart networking

Scheme 1: GRE-over-IPsec

I deploy two virtual gateways, connected as shown in the figure.


Step 1. Configure IP addresses and routes

VG1(config)#
interface fa0/0
ip address 172.16.1.253 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.1.253 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254

VG2(config)#
interface fa0/0
ip address 172.16.1.254 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.2.254 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.253

Check IP connectivity:

root@VG1:~# ping 172.16.1.254 -c 4
PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.545 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=0.657 ms
64 bytes from 172.16.1.254: icmp_seq=3 ttl=64 time=0.687 ms
64 bytes from 172.16.1.254: icmp_seq=4 ttl=64 time=0.273 ms

--- 172.16.1.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.273/0.540/0.687/0.164 ms

Step 2. Set up GRE

I take the GRE setup example from the official documentation. I create a file gre1 in the directory /etc/network/interfaces.d with the following content.

For VG1:

auto gre1
iface gre1 inet static
address 1.1.1.1
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.254 local 172.16.1.253 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

For VG2:

auto gre1
iface gre1 inet static
address 1.1.1.2
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.253 local 172.16.1.254 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

I bring the interface up in the operating system:

root@VG1:~# ifup gre1
root@VG2:~# ifup gre1

Checking:

root@VG1:~# ip address show
8: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1
    link/gre 172.16.1.253 peer 172.16.1.254
    inet 1.1.1.1/30 brd 1.1.1.3 scope global gre1
       valid_lft forever preferred_lft forever

root@VG1:~# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.16.1.254 local 172.16.1.253 ttl 64 tos inherit key 1

The S-Terra gateway has a built-in packet analyzer, tcpdump. I'll write a traffic dump to a pcap file:

root@VG2:~# tcpdump -i eth0 -w /home/dump.pcap

I start a ping between the GRE interfaces:

root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.850 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=0.974 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.850/0.915/0.974/0.043 ms

The GRE tunnel works.


Step 3. Encrypt GRE with GOST

I set the identity type: by address. Authentication is by pre-shared key (according to the user manual, digital certificates should be used):

VG1(config)#
crypto isakmp identity address
crypto isakmp key KEY address 172.16.1.254

I set the IPsec Phase I parameters:

VG1(config)#
crypto isakmp policy 1
encr gost
hash gost3411-256-tc26
auth pre-share
group vko2

I set the IPsec Phase II parameters:

VG1(config)#
crypto ipsec transform-set TSET esp-gost28147-4m-imit
mode tunnel

I create an access list for encryption. The traffic of interest is GRE:

VG1(config)#
ip access-list extended LIST
permit gre host 172.16.1.253 host 172.16.1.254

I create a crypto map and bind it to the WAN interface:

VG1(config)#
crypto map CMAP 1 ipsec-isakmp
match address LIST
set transform-set TSET
set peer 172.16.1.254
interface fa0/0
  crypto map CMAP

For VG2 the configuration mirrors this one; the lines that differ are:

VG2(config)#
crypto isakmp key KEY address 172.16.1.253
ip access-list extended LIST
permit gre host 172.16.1.254 host 172.16.1.253
crypto map CMAP 1 ipsec-isakmp
set peer 172.16.1.253

Checking:

root@VG2:~# tcpdump -i eth0 -w /home/dump2.pcap
root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1128 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=126 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=1.07 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=1.12 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.077/314.271/1128.419/472.826 ms, pipe 2

ISAKMP/IPsec session state:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 1 (172.16.1.253,500)-(172.16.1.254,500) active 1086 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 1 (172.16.1.253,*)-(172.16.1.254,*) 47 ESP tunn 480 480

No GRE packets appear in the traffic dump.


Conclusion: the GRE-over-IPsec scheme works correctly.

Scheme 1.5: IPsec-over-GRE

I don't plan to use IPsec-over-GRE in a real network. I'm building it simply because I want to.


To turn the GRE-over-IPsec scheme inside out:

  • Fix the encryption access list: the traffic of interest is from LAN1 to LAN2 and back;
  • Route the traffic through GRE;
  • Bind the crypto map to the GRE interface.

By default there is no GRE interface in the gateway's Cisco-like console. It exists only in the operating system.

I add the GRE interface to the Cisco-like console. To do this, I edit the file /etc/ifaliases.cf:

interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="FastEthernet0/2" pattern="eth2")
interface (name="FastEthernet0/3" pattern="eth3")
interface (name="Tunnel0" pattern="gre1")
interface (name="default" pattern="*")

where gre1 is the interface name in the operating system and Tunnel0 is the interface name in the Cisco-like console.

I recompute the file's integrity hash:

root@VG1:~# integr_mgr calc -f /etc/ifaliases.cf

SUCCESS:  Operation was successful.

Now the Tunnel0 interface has appeared in the Cisco-like console:

VG1# show run
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
mtu 1400

I fix the access list for encryption:

VG1(config)#
ip access-list extended LIST
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

I configure routing through GRE:

VG1(config)#
no ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 192.168.2.0 255.255.255.0 1.1.1.2

I remove the crypto map from Fa0/0 and bind it to the GRE interface:

VG1(config)#
interface fa0/0
no crypto map CMAP
interface Tunnel0
crypto map CMAP

For VG2 the same applies, mirrored.

Checking:

root@VG2:~# tcpdump -i eth0 -w /home/dump3.pcap

root@VG1:~# ping 192.168.2.254 -I 192.168.1.253 -c 4
PING 192.168.2.254 (192.168.2.254) from 192.168.1.253 : 56(84) bytes of data.
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=492 ms
64 bytes from 192.168.2.254: icmp_seq=2 ttl=64 time=1.08 ms
64 bytes from 192.168.2.254: icmp_seq=3 ttl=64 time=1.06 ms
64 bytes from 192.168.2.254: icmp_seq=4 ttl=64 time=1.07 ms

--- 192.168.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.064/124.048/492.972/212.998 ms

ISAKMP/IPsec session state:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 2 (172.16.1.253,500)-(172.16.1.254,500) active 1094 1022

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 2 (192.168.1.0-192.168.1.255,*)-(192.168.2.0-192.168.2.255,*) * ESP tunn 352 352

In the traffic dump, the ESP packets are encapsulated in GRE.


Conclusion: IPsec-over-GRE works correctly.
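The two dump checks above (no plain GRE in dump2.pcap, ESP inside GRE in dump3.pcap) can be done by hand on the raw packets. The following Python is an added example, not part of the original post or of the S-Terra product: it classifies a raw IPv4 packet as plain GRE, ESP, or ESP carried inside GRE, and lists any GRE packets whose payload is not protected by ESP. It assumes the link-layer header has already been stripped; the sample packets are constructed inline, not taken from a capture.

```python
import struct
from typing import Optional

GRE, ESP, ICMP = 47, 50, 1                       # IP protocol numbers

def ipv4(proto: int, payload: bytes, src=b"\xac\x10\x01\xfd", dst=b"\xac\x10\x01\xfe") -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def gre(payload: bytes, key: Optional[int] = 1) -> bytes:
    """GRE header (RFC 2890): flags/version, protocol type 0x0800, optional key (K bit)."""
    hdr = struct.pack("!HH", 0x2000 if key is not None else 0, 0x0800)
    return hdr + (struct.pack("!I", key) if key is not None else b"") + payload

def gre_payload(packet: bytes) -> bytes:
    """Strip a GRE header, skipping the optional checksum, key and sequence fields."""
    flags = struct.unpack("!H", packet[:2])[0]
    off = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0)
    return packet[off:]

def classify(packet: bytes) -> str:
    """Name the encapsulation of one raw IPv4 packet (link-layer header already removed)."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == ESP:
        return "esp"                               # GRE-over-IPsec: tunnel hidden inside ESP
    if proto == GRE:
        inner = gre_payload(packet[ihl:])
        inner_proto = inner[9] if len(inner) >= 20 else -1
        if inner_proto == ESP:
            return "gre(esp)"                      # IPsec-over-GRE: ESP riding inside the tunnel
        return f"gre(plain:{inner_proto})"         # cleartext tunnel payload, e.g. ICMP = 1
    return f"other:{proto}"

def leaks(packets) -> list:
    """Packets whose GRE payload is NOT protected by ESP; expected to be empty once step 3 is done."""
    return [c for c in map(classify, packets) if c.startswith("gre(plain")]

# Constructed samples (not captured traffic): the step-2 plain GRE ping, the
# step-3 ESP packet, and the scheme-1.5 ESP packet carried inside GRE.
PLAIN_GRE  = ipv4(GRE, gre(ipv4(ICMP, b"\x08\x00" + b"\x00" * 6)))
ESP_ONLY   = ipv4(ESP, b"\x00\x00\x00\x01" + b"\x00" * 12)           # SPI, seq, ciphertext
ESP_IN_GRE = ipv4(GRE, gre(ipv4(ESP, b"\x00\x00\x00\x02" + b"\x00" * 12)))

if __name__ == "__main__":
    for name, pkt in [("PLAIN_GRE", PLAIN_GRE), ("ESP_ONLY", ESP_ONLY), ("ESP_IN_GRE", ESP_IN_GRE)]:
        print(f"{name:10s} -> {classify(pkt)}")
    print("leaks:", leaks([PLAIN_GRE, ESP_ONLY, ESP_IN_GRE]))
```

To run it over a real dump, feed it the IP payload of each frame from the pcap; a non-empty `leaks()` result after step 3 means the access list is not catching all tunnel traffic.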

Results

One cup of coffee was enough. I wrote instructions for getting the demo version, set up GRE-over-IPsec, and then turned it inside out.

The network adapter map in version 4.3 is automatic! I'll keep testing.

Anonymous Engineer
t.me/anonymous_engineer


Source: www.habr.com
