ααααΆαααΆα
αααα»αααΆαααα½αααααααΆαααααααααα·ααα C-Terra VPN αααα 4.3 αααααΆααααααααααΈααα αααα»αα ααααααααααααΆααΎααΈαα·ααα·ααααααααααααααα»αααΉαααΆααααααΆααααα½ααααααΆααααΈααααΌααα ααααααααΈα
ααααααααα·ααα·ααΆααα αα½ααααα
αα ααΆα ααα 3 in 1 αα½ααααααααααααΆααα αααα»αααΉαααααΆααα’αααααΈααααααΎααααΈααα½αααΆαααΆααααα αΆαα αααα»αααΉαααααΆααΆααααααΎααααααααΆααα GRE-over-IPsec αα·α IPsec-over-GRE α
ααααααΎααααΈααα½αααΆαααΆααααα αΆα
ααΆααααΎααΆαααΈαα½αααααααααΎααααΈααα½αααΆαααΆααααα αΆα α’αααααααΌαα
- ααααααααα»ααααα [α’ααΈαααααΆαααΆα] ααΈα’αΆααααααΆαααΆααΈααααα;
- αα αααα»ααα·αα·αααα α ααα’α»ααααα αΆα TIN ααααααΆαααααααα’ααα
- ααΆααααααΈααα·ααααα·αααα·ααΆαααααααΆα
ααΆααααα αΆαααΆααα»ααααΆαααααααααΈααα α’αααααααα·αααααααα»αααΆααααααα½αααααα
ααΆααααααΈαααΌαααΆα
ααΆααααα αΆααα Security Gateway ααΊααΆααΌαααΆααααΆαααΈααα·αααα·αα αααα»ααααα»αααααΎ VMWare Workstationα αααααΈαααααααα hypervisors αααααΆαααα αα·αααα·ααααΆααα·αααα·αααΆααα ααΎααα αααααααααα’ααααααα
αα»ααααα’αααα αΆααααααΎα ααΌαα αααΆαααΆαα·αααΆαα ααα»α αααααΆαααααααΆααα αααα»αααΌαααΆααααΆαααΈααα·αααα·αααααΆαααΎαααα
αααααα·ααααΆααΊα
αααΆααααΆαα α’αααααααΎααααΆαααα½αααααααααα
ααα»α
αααααΆααααΆα
αααΎαααΆααααααΆααααααΌαααΆαα αααα»αααΉααααααααα½ααααα»αααααααα½αα
α₯α‘αΌαααααααα»αα
αΆααααααΎααααΆαααΈααα·αααα·αα ααααΆαααααααΆααααΈααΆαααΎαααααΎαααΆα α
αααααααΆααααααΌαα±ααααΆααααααα’αααααααΎααααΆαα αα·αααΆααααααααΆααα
ααΆααα»αααΌαααΆα αααΎααα αααα»α S-Terra Gateway αααααΆαααααΈααααααααααΆα αααα»αααΉαααΆααααααααααα½ααααα αααα»αα’αααααααΆα ααααα‘αααα½αα αααα»αβαααβα₯α‘αΌα:
Login as: administrator
Password: s-terra
αααα»ααααα»αα αΆααααααΎαα αααααααΌαα ααΆαα αΆααααααΎαααΊααΆαααααααΆαααΆαααααΆαααααααα αααα αΌαα’αΆααααΆααααα αααααΎααααΆαααΈααααααΎααααα αααααααΈαααΆααααα (αααΆαααΈααααααααααΎααααΆαα α»α - αααααααααΆαααααααα»αααΊ 27 αα·ααΆααΈ) αα·ααααααΎααααααΈα ααα»α αααααΆαααααααΆαα
αααααΈααα ααα»α αααααΆαααααααΆαα ααΆααΆααααααΆααααα½α
αααα 4.2 ααΆαααααΆααααα’αααααααΎααααΆαααααααααΆαα½αααΉαααΆαα
Starting IPsec daemonβ¦.. failed
ERROR: Could not establish connection with daemon
α’αααααααΎααααΆααααααα (ααααα ααΆααα·αααααα’ααΆαα·α) ααΊααΆα’αααααααΎααααΆαααααα’αΆα ααα‘αΎαα’αααΈαααΆααααΆαααΆαααα αα αα·ααααααααΆαα―αααΆαα
ααΆαα’αααΈαα½ααα»αααααααααΈ αα»ααααααααΆααΆαααα‘αΎαα’αΆααααααΆα IP αα ααΎα ααα»α αααααΆααα ααΆααΆααα’ααα’αααΈαααααΈα ααα»α αααααΆαααααααΆαα ααΆα αΆαααΆα αααΎααααΈααααΎα
/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
service networking restart
ααΆαααααα αααααΈα ααα»α αααααΆαααααααΆαααααΌαααΆααααααΎαα‘αΎααααααΆαααΆαααΌααααααΈαααααααα ααα»α αααααΆααααΌααααα (0000:02:03.0) αα·αααΆααα ααΆα‘αΌααΈαααααααα½ααααα αααα»αααααααααααααα·ααααα·ααΆα (eth0) αα·ααα»αααΌαααΌα αααΈααααΌ (FastEthernet0/0):
#Unique ID iface type OS name Cisco-like name
0000:02:03.0 phye eth0 FastEthernet0/0
ααΆααα
ααΆα‘αΌααΈααααα
ααα»α
αααααΆααααααΌαααΆαααα α
ααΆααααααααααααααΆαα ααααααααααααααΆαααααΌαααΆααααααΆαα»ααααα»αα―αααΆα /etc/ifaliases.cf α
αα
αααα»ααααα 4.3 αα
αααααααααΆαααΈααα·αααα·αααααΌαααΆαα
αΆααααααΎαααααΌα αααααΈα
ααα»α
αααααΆααααααΌαααΆααααααΎααααααααααααααααα·α ααααα·αααΎα’αααααααΆααααααΌαα
ααα½αααα
ααα»α
αααααΆαααααααΆααα
αααα»ααααΆαααΈααα·αααα·αααα ααΌααααααΎααααααΈα
ααα»α
αααααΆααα‘αΎααα·αα
/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
systemctl restart networking
αααααααΆαααααΈ 1: GRE-over-IPsec
αααα»αβααΆααβαααααΆαβα αααβαα·αααα·αβααΈα αααα»αβααααΌαβααΌα βαααα αΆαβαααα»αβααΌαα
ααα αΆαααΈ 1. αααα
αα’αΆααααααΆα IP αα·αααααΌα
VG1(config) #
interface fa0/0
ip address 172.16.1.253 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.1.253 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254
VG2(config) #
interface fa0/0
ip address 172.16.1.254 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.2.254 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.253
αα·αα·αααααΆαααααΆαα IPα
root@VG1:~# ping 172.16.1.254 -c 4
PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.545 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=0.657 ms
64 bytes from 172.16.1.254: icmp_seq=3 ttl=64 time=0.687 ms
64 bytes from 172.16.1.254: icmp_seq=4 ttl=64 time=0.273 ms
--- 172.16.1.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.273/0.540/0.687/0.164 ms
ααα αΆαααΈ 2: ααα‘αΎα GRE
αααα»αααα§ααΆα αααααααΆαααα‘αΎα GRE ααΈααααααΈαααααΌαααΆαα αααα»ααααααΎαα―αααΆα gre1 αα αααα»ααα /etc/network/interfaces.d ααΆαα½αααΉαααΆαα·ααΆα
αααααΆαα VG1α
auto gre1
iface gre1 inet static
address 1.1.1.1
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.254 local 172.16.1.253 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1
αααααΆαα VG2α
auto gre1
iface gre1 inet static
address 1.1.1.2
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.253 local 172.16.1.254 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1
αααα»αααΎαα ααα»α αααααΆαααα αααα»αααααααααα
root@VG1:~# ifup gre1
root@VG2:~# ifup gre1
αααα»ααα·αα·αααα
root@VG1:~# ip address show
8: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1
link/gre 172.16.1.253 peer 172.16.1.254
inet 1.1.1.1/30 brd 1.1.1.3 scope global gre1
valid_lft forever preferred_lft forever
root@VG1:~# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.16.1.254 local 172.16.1.253 ttl 64 tos inherit key 1
C-Terra Gateway ααΆαα§ααααα sniffer αααα αααααααααΆααααααΆαα½α - tcpdump α αααα»αααΉααααααααΆααααα ααα ααΆα ααααα ααΆααα―αααΆα pcapα
root@VG2:~# tcpdump -i eth0 -w /home/dump.pcap
αααα»αα αΆααααααΎα ping αααΆαα ααα»α αααααΆαα GREα
root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.850 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=0.974 ms
--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.850/0.915/0.974/0.043 ms
ααααΌαααΌααααααααΈ GRE ααααΎαααΆαα αΎαα
ααα αΆαααΈ 3. α’αα·αααααΈαααΆαα½α GOST GRE
αααα»αααΆααααααααααααααα’ααααααααΆα - ααΆαα’αΆααααααΆαα ααΆααααααααααΆααααΆαααααΉαααααΌααααααααΎαααααααΆααααααααΆαα»α (ααααα ααΆαααααααααααααΆαααααΎααααΆαα αα·ααααΆααααααααΈααΈααααααΌαααααααΎ)α
VG1(config)#
crypto isakmp identity address
crypto isakmp key KEY address 172.16.1.254
αααα»αααααααααΆαααΆαααααα IPsec Phase Iα
VG1(config)#
crypto isakmp policy 1
encr gost
hash gost3411-256-tc26
auth pre-share
group vko2
αααα»αααααααααΆαααΆαααααα IPsec ααααΆααααΆαααΈ IIα
VG1(config)#
crypto ipsec transform-set TSET esp-gost28147-4m-imit
mode tunnel
αααα»ααααααΎααααααΈα αΌαααααΎαααααΆααααΆαα’αα·αααααΈαα α ααΆα αααααααα - GREα
VG1(config)#
ip access-list extended LIST
permit gre host 172.16.1.253 host 172.16.1.254
αααα»ααααααΎααααααΈααααΈαααΌ α αΎαααααΆααααΆαα α ααα»α αααααΆαα WANα
VG1(config)#
crypto map CMAP 1 ipsec-isakmp
match address LIST
set transform-set TSET
set peer 172.16.1.254
interface fa0/0
crypto map CMAP
αααααΆαα VG2 ααΆαααααααα ααΆααααααααααααΌαααΆααααα»ααααα αΆαα ααΆααα»αααααΆααΊα
VG2(config)#
crypto isakmp key KEY address 172.16.1.253
ip access-list extended LIST
permit gre host 172.16.1.254 host 172.16.1.253
crypto map CMAP 1 ipsec-isakmp
set peer 172.16.1.253
αααα»ααα·αα·αααα
root@VG2:~# tcpdump -i eth0 -w /home/dump2.pcap
root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1128 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=126 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=1.07 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=1.12 ms
--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.077/314.271/1128.419/472.826 ms, pipe 2
αααα·αα· ISAKMP/IPsecα
root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded
ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 1 (172.16.1.253,500)-(172.16.1.254,500) active 1086 1014
IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 1 (172.16.1.253,*)-(172.16.1.254,*) 47 ESP tunn 480 480
αα·αααΆααααα αααα αααα»αααααααα αΆααααααΆα GRE ααα
ααα
ααααΈααααα·ααααΆαα αααααααΆααα GRE-over-IPsec ααααΎαααΆαααΆαααααΉαααααΌαα
ααΌαααΆα 1.5: IPsec-over-GRE
αααα»ααα·αααΆαααααααααααΎ IPsec-over-GRE αα ααΎαααααΆαααα αααα»ααααααΌαααααααααα»αα ααα
ααΎααααΈααΆαααααααΆααααααααΆααα GRE-over-IPsec ααΆααααααααΆαααααααααα
- αα½ααα»ααααααΈααΆαα αΌαααααΎααΆαα’αα·αααααΈα - α ααΆα αααααααα ααΈ LAN1 αα LAN2 αα·αα αααΆααααα·α;
- ααααααα ααΆααααααααααααΌαααΆαααα GRE;
- αααα½α cryptomap αα ααΎα ααα»α αααααΆαα GRE α
ααΆαααααΆαααΎα αα·αααΆαα ααα»α αααααΆαα GRE αα αααα»ααα»αααΌαα αααααααΌαααΌα Cisco ααα ααΆααΆααααα αααα»αααααααααααααα·ααααα·ααΆαααα»αααααα
αααα»αααααααα ααα»α αααααΆαα GRE αα αα»αααΌαααΌα Cisco α ααΎααααΈααααΎααΌα ααααααα»αααααααα½αα―αααΆα /etc/ifaliases.cfα
interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="FastEthernet0/2" pattern="eth2")
interface (name="FastEthernet0/3" pattern="eth3")
interface (name="Tunnel0" pattern="gre1")
interface (name="default" pattern="*")
ααα gre1 ααΊααΆααΆααα ααΆα ααα»α αααααΆαααα αααα»αααααααααααααα·ααααα·ααΆα Tunnel0 ααΊααΆααΆααα ααΆα ααα»α αααααΆαααα αααα»ααα»αααΌαααΌα Cisco α
αααα»αααααΆα‘αΎααα·αααΌα hash ααα―αααΆαα
root@VG1:~# integr_mgr calc -f /etc/ifaliases.cf
SUCCESS: Operation was successful.
α₯α‘αΌααααα ααα»α αααααΆαα Tunnel0 ααΆααααα αΆααααα½ααα αααα»ααα»αααΌαααΌα Ciscoα
VG1# show run
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
mtu 1400
ααΆααααααααΌααααααΈα αΌαααααΎαααααΆααααΆαα’αα·αααααΈαα
VG1(config)#
ip access-list extended LIST
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
αααα»αααααααα ααΆααααααααααααΌαααΆαααα GREα
VG1(config)#
no ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 192.168.3.0 255.255.255.0 1.1.1.2
αααα»ααα cryptomap α ααααΈ Fa0/0 α αΎαα αααΆαα α ααα»α αααααΆαα GREα
VG1(config)#
interface Tunnel0
crypto map CMAP
αααααΆαα VG2 ααΆααααααααααΆα
αααα»ααα·αα·αααα
root@VG2:~# tcpdump -i eth0 -w /home/dump3.pcap
root@VG1:~# ping 192.168.2.254 -I 192.168.1.253 -c 4
PING 192.168.2.254 (192.168.2.254) from 192.168.1.253 : 56(84) bytes of data.
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=492 ms
64 bytes from 192.168.2.254: icmp_seq=2 ttl=64 time=1.08 ms
64 bytes from 192.168.2.254: icmp_seq=3 ttl=64 time=1.06 ms
64 bytes from 192.168.2.254: icmp_seq=4 ttl=64 time=1.07 ms
--- 192.168.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.064/124.048/492.972/212.998 ms
αααα·αα· ISAKMP/IPsecα
root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded
ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 2 (172.16.1.253,500)-(172.16.1.254,500) active 1094 1022
IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 2 (192.168.1.0-192.168.1.255,*)-(192.168.2.0-192.168.2.255,*) * ESP tunn 352 352
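As an added example (not part of the article and not S-Terra's own tooling), a small Python check that reads `sa_mgr show` output and tells the two designs apart by the IPsec SA selector: protocol 47 between the WAN endpoints means ESP is protecting GRE (GRE-over-IPsec), while LAN address ranges with protocol * mean the crypto map sits on the tunnel interface (IPsec-over-GRE). The two listings are the ones shown above, embedded as constructed samples.

```python
import re

# Constructed samples: the two "sa_mgr show" listings from the article,
# GRE-over-IPsec first, IPsec-over-GRE second.
SA_GRE_OVER_IPSEC = """ISAKMP sessions: 0 initiated, 0 responded
ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 1 (172.16.1.253,500)-(172.16.1.254,500) active 1086 1014
IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 1 (172.16.1.253,*)-(172.16.1.254,*) 47 ESP tunn 480 480
"""

SA_IPSEC_OVER_GRE = """ISAKMP sessions: 0 initiated, 0 responded
ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 2 (172.16.1.253,500)-(172.16.1.254,500) active 1094 1022
IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 2 (192.168.1.0-192.168.1.255,*)-(192.168.2.0-192.168.2.255,*) * ESP tunn 352 352
"""

# One row of the "IPsec connections" table: Num, Conn-id, (local,port)-(remote,port),
# then Protocol, Action, Type, Sent, Rcvd.
IPSEC_ROW = re.compile(
    r"^\d+\s+(?P<conn>\d+)\s+\((?P<local>[^,]+),[^)]*\)-\((?P<remote>[^,]+),[^)]*\)"
    r"\s+(?P<proto>\S+)\s+(?P<action>\S+)\s+(?P<mode>\S+)\s+(?P<sent>\d+)\s+(?P<rcvd>\d+)$"
)

def parse_ipsec_connections(text):
    """Return the rows below 'IPsec connections:' as dicts; ISAKMP rows are skipped."""
    rows, in_ipsec = [], False
    for line in text.splitlines():
        if line.startswith("IPsec connections:"):
            in_ipsec = True
            continue
        m = IPSEC_ROW.match(line.strip()) if in_ipsec else None
        if m:
            rows.append(m.groupdict())
    return rows

def classify(row):
    """Name the design an IPsec SA selector corresponds to."""
    if row["proto"] == "47":                          # ESP carries GRE between WAN hosts
        return "gre-over-ipsec"
    if row["proto"] == "*" and "-" in row["local"]:   # ESP keyed on LAN address ranges
        return "ipsec-over-gre"
    return "other"
```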
αα αααα»αααΆααααα ααα ααΆα ααα ESP αααα ααααααααΆαααααα»ααααααααα GREα
ααα
ααααΈααααα·ααααΆαα IPsec-over-GRE ααααΎαααΆαααΆαααααΉαααααΌαα
αααααα
ααΆα ααααα½ααααααΊαααααααααΆααα αΎαα αααα»αααΆαααΌαααΆαααΆαααααΆααααααΆααααΆαααα½αααΆαααααααΆαααααα ααΆαααααααα ααΆαααααααα GRE-over-IPsec αα·αααΆααα±ααααααΎααααΆαααααα»ααααα·αα
αααααΈααα ααα»α αααααΆαααααααΆααα αααα»ααααα 4.3 ααΊαααααααααααααααα·! αααα»ααααα»αααααΎααααααααααααααα
αα·αααααα’ααΆαα·α
t.me/anonymous_engineer
ααααα: www.habr.com