1.5 schemes on a domestic IPsec VPN. Testing the demo


The situation

I received a demo version of the S-Terra VPN product, version 4.3, for three months. I want to find out whether an engineer's life gets easier after moving to the new version.

Today is not a hard day; one sachet of 3-in-1 instant coffee should be enough. I will tell you how to get the demo, and I will try to build the GRE-over-IPsec and IPsec-over-GRE schemes.

How to get the demo


Judging by the picture, to get a demo you need to:

  • Write a letter to [email protected] from a corporate address;
  • State your organization's TIN in the letter;
  • List the products and their quantities.

The demo is valid for three months. The vendor does not restrict functionality.

Deploying the image

The Security Gateway demo is a virtual machine image. I use VMware Workstation. The full list of supported hypervisors and virtualization environments is available on the vendor's website.

Before starting, note that the default virtual machine image has no network interfaces at all:


The logic is clear: the user adds as many interfaces as needed. I add four at once:


Now I start the virtual machine. Right after boot the gateway asks for a username and password.

There are a few interesting details about the different accounts on S-Terra Gateway. I will go through them in a separate article. For now:
Login as: administrator
Password: s-terra

I initialize the gateway. Initialization is a sequence of actions: enter the license, seed the biological random number generator (a keyboard simulator; my record is 27 seconds) and create the network interface map.

Network interface map. It got easier

Version 4.2 greeted the active user with the message:

Starting IPsec daemon….. failed
ERROR: Could not establish connection with daemon

An active user (in the Anonymous Engineer's terminology) is one who configures everything quickly and without reading the documentation.

Something went wrong even before trying to set IP addresses on the interfaces. It is all about the network interface map. You had to run:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
service networking restart

As a result, a network interface map is created that holds the mapping between the physical interface identifier (0000:02:03.0), its logical name in the operating system (eth0) and its name in the Cisco-like console (FastEthernet0/0):

#Unique ID      iface type   OS name   Cisco-like name
0000:02:03.0    phye         eth0      FastEthernet0/0

The logical interface name is called an alias. Aliases are stored in the file /etc/ifaliases.cf.
In version 4.3 the interface map is created automatically on the first boot of the virtual machine. If you change the number of network interfaces on the virtual machine, regenerate the interface map:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
systemctl restart networking

Scheme 1: GRE-over-IPsec

I deployed two virtual gateways and connected them as shown in the figure:


Step 1. Configure IP addresses and routes

VG1(config) #
interface fa0/0
ip address 172.16.1.253 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.1.253 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254

VG2(config) #
interface fa0/0
ip address 172.16.1.254 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.2.254 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.253

Check IP connectivity:

root@VG1:~# ping 172.16.1.254 -c 4
PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.545 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=0.657 ms
64 bytes from 172.16.1.254: icmp_seq=3 ttl=64 time=0.687 ms
64 bytes from 172.16.1.254: icmp_seq=4 ttl=64 time=0.273 ms

--- 172.16.1.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.273/0.540/0.687/0.164 ms

Step 2. Create the GRE tunnel

I took the GRE setup example from the official scripts. I create the file gre1 in the directory /etc/network/interfaces.d with the following content.

For VG1:

auto gre1
iface gre1 inet static
address 1.1.1.1
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.254 local 172.16.1.253 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

For VG2:

auto gre1
iface gre1 inet static
address 1.1.1.2
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.253 local 172.16.1.254 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

I bring the interfaces up in the operating system:

root@VG1:~# ifup gre1
root@VG2:~# ifup gre1

Check:

root@VG1:~# ip address show
8: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1
    link/gre 172.16.1.253 peer 172.16.1.254
    inet 1.1.1.1/30 brd 1.1.1.3 scope global gre1
       valid_lft forever preferred_lft forever

root@VG1:~# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.16.1.254 local 172.16.1.253 ttl 64 tos inherit key 1

S-Terra Gateway has a built-in packet sniffer, tcpdump. I write the traffic dump to a pcap file:

root@VG2:~# tcpdump -i eth0 -w /home/dump.pcap

I start a ping between the GRE interfaces:

root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.850 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=0.974 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.850/0.915/0.974/0.043 ms

The GRE tunnel is up:


Step 3. Encrypt the GRE with GOST

I set the identity type: by address. Authentication is by pre-shared key (according to the vendor's rules of use, digital certificates must be used; the PSK here is for the lab only):

VG1(config)#
crypto isakmp identity address
crypto isakmp key KEY address 172.16.1.254

I set the IPsec Phase 1 (ISAKMP) parameters:

VG1(config)#
crypto isakmp policy 1
encr gost
hash gost3411-256-tc26
auth pre-share
group vko2

I set the IPsec Phase 2 parameters:

VG1(config)#
crypto ipsec transform-set TSET esp-gost28147-4m-imit
mode tunnel

I create an access list for encryption. The target traffic is GRE between the two WAN addresses:

VG1(config)#
ip access-list extended LIST
permit gre host 172.16.1.253 host 172.16.1.254

I create a crypto map and bind it to the WAN interface. The peer is VG2's WAN address, 172.16.1.254, the same address the pre-shared key is bound to (the original text had VG1's own address here, which cannot form an SA):

VG1(config)#
crypto map CMAP 1 ipsec-isakmp
match address LIST
set transform-set TSET
set peer 172.16.1.254
interface fa0/0
  crypto map CMAP

For VG2 the configuration is mirrored; the differences are (the peer is VG1's WAN address, 172.16.1.253):

VG2(config)#
crypto isakmp key KEY address 172.16.1.253
ip access-list extended LIST
permit gre host 172.16.1.254 host 172.16.1.253
crypto map CMAP 1 ipsec-isakmp
set peer 172.16.1.253

Check:

root@VG2:~# tcpdump -i eth0 -w /home/dump2.pcap
root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1128 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=126 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=1.07 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=1.12 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.077/314.271/1128.419/472.826 ms, pipe 2

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 1 (172.16.1.253,500)-(172.16.1.254,500) active 1086 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 1 (172.16.1.253,*)-(172.16.1.254,*) 47 ESP tunn 480 480

There are no GRE packets in the traffic dump; the GRE is hidden inside ESP:


Conclusion: the GRE-over-IPsec scheme works correctly.

Scheme 1.5: IPsec-over-GRE

I do not plan to use IPsec-over-GRE in a real network. I built it simply because I wanted to.


To assemble the GRE-over-IPsec scheme in reverse:

  • Fix the encryption access list: the target traffic is now LAN1 to LAN2 and back;
  • Set up routing through the GRE tunnel;
  • Bind the crypto map to the GRE interface.

By default there is no GRE interface in the gateway's Cisco-like console. It exists only in the operating system.

I add the GRE interface to the Cisco-like console. To do this I edit the file /etc/ifaliases.cf:

interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="FastEthernet0/2" pattern="eth2")
interface (name="FastEthernet0/3" pattern="eth3")
interface (name="Tunnel0" pattern="gre1")
interface (name="default" pattern="*")

where gre1 is the interface name in the operating system and Tunnel0 is its name in the Cisco-like console.

The file is under integrity control, so I recalculate its hash:

root@VG1:~# integr_mgr calc -f /etc/ifaliases.cf

SUCCESS:  Operation was successful.

Now the Tunnel0 interface is visible in the Cisco-like console:

VG1# show run
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
mtu 1400

I fix the encryption access list. The target traffic is LAN1 (192.168.1.0/24, behind VG1) to LAN2 (192.168.2.0/24, behind VG2's fa0/1); the original text had 192.168.3.0 here, which matches neither the addressing above nor the SA shown below:

VG1(config)#
ip access-list extended LIST
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

I set up routing to LAN2 through the GRE tunnel:

VG1(config)#
no ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 192.168.2.0 255.255.255.0 1.1.1.2

I remove the crypto map from fa0/0 and bind it to the GRE interface:

VG1(config)#
interface fa0/0
  no crypto map CMAP
interface Tunnel0
  crypto map CMAP

The same for VG2, with the mirrored addresses.

Check:

root@VG2:~# tcpdump -i eth0 -w /home/dump3.pcap

root@VG1:~# ping 192.168.2.254 -I 192.168.1.253 -c 4
PING 192.168.2.254 (192.168.2.254) from 192.168.1.253 : 56(84) bytes of data.
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=492 ms
64 bytes from 192.168.2.254: icmp_seq=2 ttl=64 time=1.08 ms
64 bytes from 192.168.2.254: icmp_seq=3 ttl=64 time=1.06 ms
64 bytes from 192.168.2.254: icmp_seq=4 ttl=64 time=1.07 ms

--- 192.168.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.064/124.048/492.972/212.998 ms

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 2 (172.16.1.253,500)-(172.16.1.254,500) active 1094 1022

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 2 (192.168.1.0-192.168.1.255,*)-(192.168.2.0-192.168.2.255,*) * ESP tunn 352 352

In the traffic dump the ESP packets are encapsulated in GRE:


Conclusion: IPsec-over-GRE works correctly.
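The "check" in both schemes above is eyeballing a Wireshark window. A scripted version of the same check is handier when you repeat the test after every config change: walk each frame's encapsulation chain and flag anything that reached eth0 without an ESP layer. The script below is an added example, not part of the article and not an S-Terra tool. It reads the classic little-endian pcap format that `tcpdump -w` produces (Ethernet link type, no VLAN tags; both assumptions), uses only the standard library, and ships with constructed frames standing in for the three dumps. The tunnel addresses inside the ESP-in-GRE sample are an assumption; the WAN addresses are the lab's.

```python
"""Classify the encapsulation chain of every frame in a pcap and report
what actually crossed the WAN: plain GRE, ESP, or ESP carried inside GRE.
Stdlib only. Assumes classic little-endian pcap, Ethernet link type, no VLAN."""
import struct
from collections import Counter

ETH_IPV4 = 0x0800
PROTO_ICMP, PROTO_GRE, PROTO_ESP = 1, 47, 50
NAMES = {PROTO_ICMP: "icmp", PROTO_GRE: "gre", PROTO_ESP: "esp"}


def chain(frame: bytes) -> tuple:
    """Layer names from the Ethernet payload down, e.g. ('ip', 'gre', 'ip', 'esp')."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return ("non-ip",)
    layers, data = [], frame[14:]
    while True:
        ihl, proto = (data[0] & 0x0F) * 4, data[9]
        layers.append("ip")
        data = data[ihl:]
        if proto != PROTO_GRE:
            layers.append(NAMES.get(proto, "proto%d" % proto))
            return tuple(layers)
        # GRE (RFC 2784/2890): optional fields follow the C/R, K and S flag bits
        flags, inner_type = struct.unpack("!HH", data[:4])
        hdr_len = 4 + (4 if flags & 0xC000 else 0) \
                    + (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0)
        layers.append("gre")
        data = data[hdr_len:]
        if inner_type != ETH_IPV4:
            layers.append("non-ip")
            return tuple(layers)


def summarize(pcap_bytes: bytes) -> Counter:
    """Count frames per encapsulation chain in a classic pcap file."""
    counts, off = Counter(), 24                      # 24-byte global header
    while off + 16 <= len(pcap_bytes):               # 16-byte record header
        incl = struct.unpack("<I", pcap_bytes[off + 8:off + 12])[0]
        counts[chain(pcap_bytes[off + 16:off + 16 + incl])] += 1
        off += 16 + incl
    return counts


def exposed(counts: Counter) -> list:
    """Chains without an ESP layer anywhere: that traffic left the WAN in clear text."""
    return sorted(c for c in counts if "esp" not in c)


# --- Constructed sample frames standing in for the three dumps (not real captures) ---
def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def gre(payload: bytes, key: int = 1) -> bytes:
    return struct.pack("!HHI", 0x2000, ETH_IPV4, key) + payload   # K bit set, key 1


def esp(spi: int, seq: int, body: bytes) -> bytes:
    return struct.pack("!II", spi, seq) + body                    # opaque ciphertext follows


def ethernet(payload: bytes) -> bytes:
    return bytes.fromhex("000c29000002000c29000001") + struct.pack("!H", ETH_IPV4) + payload


def pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out


ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * 56
WAN = ("172.16.1.253", "172.16.1.254")   # VG1 -> VG2 fa0/0, as in the lab
TUN = ("1.1.1.1", "1.1.1.2")             # gre1 endpoints; inner use in scheme 1.5 is assumed
# Step 2: GRE without IPsec - the ping is readable on eth0
STEP2_GRE_ONLY = pcap([ethernet(ipv4(*WAN, PROTO_GRE, gre(ipv4(*TUN, PROTO_ICMP, ICMP_ECHO))))])
# Scheme 1: crypto map on fa0/0 - only ESP leaves the box
GRE_OVER_IPSEC = pcap([ethernet(ipv4(*WAN, PROTO_ESP, esp(0x1000, 1, b"\x00" * 96)))])
# Scheme 1.5: crypto map on Tunnel0 - ESP rides inside GRE
IPSEC_OVER_GRE = pcap([ethernet(ipv4(*WAN, PROTO_GRE, gre(ipv4(*TUN, PROTO_ESP, esp(0x2000, 1, b"\x00" * 96)))))])

if __name__ == "__main__":
    for name, dump in [("dump.pcap", STEP2_GRE_ONLY), ("dump2.pcap", GRE_OVER_IPSEC), ("dump3.pcap", IPSEC_OVER_GRE)]:
        counts = summarize(dump)
        print(name, dict(counts), "CLEAR TEXT:" if exposed(counts) else "all ESP", exposed(counts))
```

Against a real capture, call `summarize(open("/home/dump2.pcap", "rb").read())`; anything `exposed()` returns for dump2 or dump3 means some flow did not match the crypto map's access list and went out unencrypted, which is exactly the failure mode a wrong peer or a wrong subnet in LIST produces.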

Results

One cup of coffee was enough. I sketched out how to get the demo version, configured GRE-over-IPsec, and then built it the other way round.

The network interface map in version 4.3 is automatic! I will keep testing.

Insinyur Anonim
t.me/anonymous_engineer


Source: www.habr.com
