1.5 schemes for a home IPsec VPN. Testing demo versions

The situation

I received a demo version of the S-Terra VPN product, version 4.3, for three months. I want to find out whether my engineering life gets any easier after switching to the new version.

Today it isn't difficult: one sachet of 3-in-1 instant coffee should be enough. I'll tell you how to get the demo version. I'll try to build the GRE-over-IPsec and IPsec-over-GRE schemes.

How to get the demo

Judging by the picture, to request a demo you need to:

  • Write a letter to [email protected] from a corporate address;
  • In the letter, indicate your organization's TIN;
  • List the products and the quantity.

Demo versions are valid for three months. The vendor does not restrict their functionality.

Deploying the image

The demo Security Gateway is a virtual machine image. I use VMware Workstation. The vendor's website has a full list of supported hypervisors and virtual environments.

Before starting, keep in mind that the default virtual machine image has no network interfaces:

The logic is simple: the user adds as many interfaces as they need. I'll add four at once:

Now I start the virtual machine. Immediately after startup, the gateway asks for a login and password.

The S-Terra Gateway has several consoles with different accounts. I'll count how many there are in a separate article. For now:
Login as: administrator
Password: s-terra

I initialize the gateway. Initialization is a sequence of actions: entering the licence, setting up the biological random number generator (a keyboard simulator; my record is 27 seconds) and creating the network interface map.

Network interface map. It got easier

Version 4.2 greeted the power user with the messages:

Starting IPsec daemon….. failed
ERROR: Could not establish connection with daemon

A power user (according to one anonymous engineer) is a user who can set something up quickly and without the documentation.

Something went wrong before I even tried to configure an IP address on an interface. It was all about the network interface map. You had to run:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
service networking restart

As a result, a network interface map is created containing the mapping between physical interface names (0000:02:03.0), their logical designations in the operating system (eth0) and in the Cisco-like console (FastEthernet0/0):

#Unique ID iface type OS name Cisco-like name

0000:02:03.0 phye eth0 FastEthernet0/0

The logical designations of the interfaces are called aliases. Aliases are stored in the file /etc/ifaliases.cf.
In version 4.3 the interface map is created the first time the virtual machine starts. If you change the number of network adapters in the virtual machine, the interface map has to be rebuilt:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
systemctl restart networking

Scheme 1: GRE-over-IPsec

I deploy two virtual gateways and connect them as in the diagram:

Step 1. Configure IP addresses and routes

VG1(config)#
interface fa0/0
ip address 172.16.1.253 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.1.253 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254

VG2(config)#
interface fa0/0
ip address 172.16.1.254 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.2.254 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.253

I check IP connectivity:

root@VG1:~# ping 172.16.1.254 -c 4
PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.545 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=0.657 ms
64 bytes from 172.16.1.254: icmp_seq=3 ttl=64 time=0.687 ms
64 bytes from 172.16.1.254: icmp_seq=4 ttl=64 time=0.273 ms

--- 172.16.1.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.273/0.540/0.687/0.164 ms

Step 2. Setting up GRE

I take an example of GRE setup from the official documentation. I create a file gre1 in the directory /etc/network/interfaces.d with the following contents.

For VG1:

auto gre1
iface gre1 inet static
address 1.1.1.1
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.254 local 172.16.1.253 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

For VG2:

auto gre1
iface gre1 inet static
address 1.1.1.2
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.253 local 172.16.1.254 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

I bring up the interface in the system:

root@VG1:~# ifup gre1
root@VG2:~# ifup gre1

I check:

root@VG1:~# ip address show
8: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1
    link/gre 172.16.1.253 peer 172.16.1.254
    inet 1.1.1.1/30 brd 1.1.1.3 scope global gre1
       valid_lft forever preferred_lft forever

root@VG1:~# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.16.1.254 local 172.16.1.253 ttl 64 tos inherit key 1

The S-Terra Gateway has a built-in sniffer, tcpdump. I write a traffic dump to a pcap file:

root@VG2:~# tcpdump -i eth0 -w /home/dump.pcap

I run ping between the GRE interfaces:

root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.850 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=0.974 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.850/0.915/0.974/0.043 ms

The GRE tunnel is up and passing traffic:

Step 3. Encrypting GRE with GOST

I set the identity type: by address. Authentication is by pre-shared key (according to the Terms of Use, digital certificates must be used):

VG1(config)#
crypto isakmp identity address
crypto isakmp key KEY address 172.16.1.254

I set the IPsec Phase I parameters:

VG1(config)#
crypto isakmp policy 1
encr gost
hash gost3411-256-tc26
auth pre-share
group vko2

I set the IPsec Phase II parameters:

VG1(config)#
crypto ipsec transform-set TSET esp-gost28147-4m-imit
mode tunnel

I create an access list for encryption. The target traffic is GRE:

VG1(config)#
ip access-list extended LIST
permit gre host 172.16.1.253 host 172.16.1.254

I create a crypto map and bind it to the WAN interface:

VG1(config)#
crypto map CMAP 1 ipsec-isakmp
match address LIST
set transform-set TSET
set peer 172.16.1.254
interface fa0/0
  crypto map CMAP

For VG2 the configuration is mirrored; the differences are:

VG2(config)#
crypto isakmp key KEY address 172.16.1.253
ip access-list extended LIST
permit gre host 172.16.1.254 host 172.16.1.253
crypto map CMAP 1 ipsec-isakmp
set peer 172.16.1.253

I check:

root@VG2:~# tcpdump -i eth0 -w /home/dump2.pcap
root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1128 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=126 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=1.07 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=1.12 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.077/314.271/1128.419/472.826 ms, pipe 2

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 1 (172.16.1.253,500)-(172.16.1.254,500) active 1086 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 1 (172.16.1.253,*)-(172.16.1.254,*) 47 ESP tunn 480 480

There are no GRE packets in the traffic dump:

Conclusion: the GRE-over-IPsec scheme works correctly.

Scheme 1.5: IPsec-over-GRE

I don't intend to use IPsec-over-GRE on the network. I'm building it because I want to.

To deploy the GRE-over-IPsec scheme the other way round:

  • Fix the encryption access list: the target traffic is from LAN1 to LAN2 and back;
  • Configure routing via GRE;
  • Hang the crypto map on the GRE interface.

By default, there is no GRE interface in the Cisco-like gateway console. It exists only in the operating system.

I add the GRE interface to the Cisco-like console. To do this, I edit the file /etc/ifaliases.cf:

interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="FastEthernet0/2" pattern="eth2")
interface (name="FastEthernet0/3" pattern="eth3")
interface (name="Tunnel0" pattern="gre1")
interface (name="default" pattern="*")

where gre1 is the interface designation in the operating system and Tunnel0 is the interface designation in the Cisco-like console.

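The mapping described above, from OS interface names to Cisco-like names through /etc/ifaliases.cf and the netifcfg map, can be checked offline before the hash is recalculated. The following Python example is added here and is not part of the original article or of S-Terra's tooling; it assumes alias patterns are matched as shell-style globs with first match winning, and uses constructed samples in the two formats shown on this page.

```python
import fnmatch
import re

# Constructed sample of /etc/ifaliases.cf as edited on this page (gre1 becomes Tunnel0).
IFALIASES_CF = """\
interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="FastEthernet0/2" pattern="eth2")
interface (name="FastEthernet0/3" pattern="eth3")
interface (name="Tunnel0" pattern="gre1")
interface (name="default" pattern="*")
"""
# Constructed sample in the layout of the map netifcfg builds (header, then one line per port).
NETIFCFG_MAP = """\
#Unique ID iface type OS name Cisco-like name
0000:02:03.0 phye eth0 FastEthernet0/0
0000:02:04.0 phye eth1 FastEthernet0/1
"""
ALIAS_RE = re.compile(r'interface\s*\(name="([^"]+)"\s+pattern="([^"]+)"\)')

def parse_ifaliases(text):
    """Alias rules in file order as (cisco_name, os_pattern); the order matters."""
    return [m.groups() for m in map(ALIAS_RE.match, text.splitlines()) if m]

def cisco_name_for(os_name, rules):
    """First matching pattern wins (patterns treated as shell globs: an assumption)."""
    for cisco_name, pattern in rules:
        if fnmatch.fnmatchcase(os_name, pattern):
            return cisco_name
    return None

def parse_netifcfg_map(text):
    """{os_name: cisco_name} from the map file, skipping the '#' header line."""
    rows = [l.split() for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return {os_name: cisco for _uid, _kind, os_name, cisco in rows}

def check_consistency(map_text, aliases_text):
    """Report interfaces whose map name disagrees with the alias rules, and a
    catch-all '*' rule that is not last (every rule after it is never reached)."""
    rules = parse_ifaliases(aliases_text)
    problems = [f"{os_name}: map says {cisco}, aliases resolve to {cisco_name_for(os_name, rules)}"
                for os_name, cisco in parse_netifcfg_map(map_text).items()
                if cisco_name_for(os_name, rules) != cisco]
    patterns = [p for _, p in rules]
    if "*" in patterns and patterns.index("*") != len(patterns) - 1:
        problems.append("catch-all '*' rule is not last; later rules are never reached")
    return problems
```
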
I recalculate the file's hash:

root@VG1:~# integr_mgr calc -f /etc/ifaliases.cf

SUCCESS:  Operation was successful.

Now the Tunnel0 interface shows up in the Cisco-like console:

VG1# show run
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
mtu 1400

I correct the access list for encryption:

VG1(config)#
ip access-list extended LIST
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Setting up routing via GRE:

VG1(config)#
no ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 192.168.2.0 255.255.255.0 1.1.1.2

I remove the crypto map from Fa0/0 and bind it to the GRE interface:

VG1(config)#
interface fa0/0
no crypto map CMAP
interface Tunnel0
crypto map CMAP

For VG2 it's the same.

I check:

root@VG2:~# tcpdump -i eth0 -w /home/dump3.pcap

root@VG1:~# ping 192.168.2.254 -I 192.168.1.253 -c 4
PING 192.168.2.254 (192.168.2.254) from 192.168.1.253 : 56(84) bytes of data.
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=492 ms
64 bytes from 192.168.2.254: icmp_seq=2 ttl=64 time=1.08 ms
64 bytes from 192.168.2.254: icmp_seq=3 ttl=64 time=1.06 ms
64 bytes from 192.168.2.254: icmp_seq=4 ttl=64 time=1.07 ms

--- 192.168.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.064/124.048/492.972/212.998 ms

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 2 (172.16.1.253,500)-(172.16.1.254,500) active 1094 1022

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 2 (192.168.1.0-192.168.1.255,*)-(192.168.2.0-192.168.2.255,*) * ESP tunn 352 352

In the ESP traffic dump, the packets are encapsulated in GRE:

Conclusion: IPsec-over-GRE works correctly.

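The two `sa_mgr show` outputs above differ only in the IPsec selector row, and that row is what tells you which scheme an SA actually implements: protocol 47 between the two gateway hosts for scheme 1, any protocol between the LAN ranges for scheme 1.5. The Python example below is added here and is not part of the original article or of S-Terra's tooling; the sample text is constructed from the outputs printed above, and the column layout is assumed to be exactly as shown there.

```python
import re

# Constructed from the `sa_mgr show` output this page prints for scheme 1 (GRE-over-IPsec).
SA_MGR_SCHEME1 = """\
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 1 (172.16.1.253,500)-(172.16.1.254,500) active 1086 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 1 (172.16.1.253,*)-(172.16.1.254,*) 47 ESP tunn 480 480
"""
# Same layout with the IPsec row this page prints for scheme 1.5 (IPsec-over-GRE).
SA_MGR_SCHEME15 = SA_MGR_SCHEME1.replace(
    "1 1 (172.16.1.253,*)-(172.16.1.254,*) 47 ESP tunn 480 480",
    "1 2 (192.168.1.0-192.168.1.255,*)-(192.168.2.0-192.168.2.255,*) * ESP tunn 352 352")

# One row of the "IPsec connections" table: selectors, protocol, action, type, counters.
IPSEC_ROW = re.compile(r"^\d+\s+\d+\s+\(([^,]+),[^)]+\)-\(([^,]+),[^)]+\)"
                       r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")

def parse_ipsec_connections(text):
    """Return the rows below 'IPsec connections:' as dicts; the ISAKMP table is skipped."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("IPsec connections:"):
            in_table = True
        elif in_table and (m := IPSEC_ROW.match(line.strip())):
            local, remote, proto, action, kind, sent, rcvd = m.groups()
            rows.append({"local": local, "remote": remote, "proto": proto, "action": action,
                         "type": kind, "sent": int(sent), "rcvd": int(rcvd)})
    return rows

def classify(text):
    """'gre-over-ipsec' when an ESP tunnel SA protects protocol 47 between the gateway
    hosts, 'ipsec-over-gre' when it protects any protocol between the LAN ranges,
    None when no ESP tunnel SA has carried traffic in both directions."""
    for r in parse_ipsec_connections(text):
        if r["action"] != "ESP" or r["type"] != "tunn" or min(r["sent"], r["rcvd"]) == 0:
            continue
        ranges = "-" in r["local"] and "-" in r["remote"]
        if r["proto"] == "47" and not ranges:
            return "gre-over-ipsec"
        if r["proto"] == "*" and ranges:
            return "ipsec-over-gre"
    return None
```
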
Results

One cup of coffee was enough. I've written down the instructions for obtaining a demo version. I configured GRE-over-IPsec and deployed it the other way round.

The network interface map in version 4.3 is automatic! I'm testing further.

Anonymous Engineer
t.me/anonymous_engineer


Source: will.com