How to troubleshoot a domestic IPsec VPN. Part 1

Situation

A day off. I am drinking coffee. A student set up a VPN connection between two sites and vanished. I check: there really is a tunnel, but there is no traffic in it. The student does not answer the phone.

I put the kettle on and settle in to troubleshoot the S-Terra Gateway. Here I share my experience and my method.

Initial data

The two geographically separated sites are connected by a GRE tunnel. The GRE traffic must be encrypted:

[Figure: network topology diagram]

I check whether the GRE tunnel works. To do that, I ping the GRE interface of device R2 from device R1. This is the target traffic, the traffic that is supposed to be encrypted. No reply:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms

I look at the logs on Gate1 and Gate2. The log cheerfully reports that the IPsec tunnel was established successfully, no problems:

root@Gate1:~# cat /var/log/cspvpngate.log
Aug  5 16:14:23 localhost  vpnsvc: 00100119 <4:1> IPSec connection 5 established, traffic selector 172.17.0.1->172.16.0.1, proto 47, peer 10.10.10.251, id "10.10.10.251", Filter IPsec:Protect:CMAP:1:LIST, IPsecAction IPsecAction:CMAP:1, IKERule IKERule:CMAP:1

In the IPsec tunnel statistics on Gate1 I see that there really is a tunnel, but the Rcvd counter is zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0

I troubleshoot S-Terra like this: I look for the point on the path from R1 to R2 where the target packets get lost. Along the way (spoiler) I will find a mistake.

Troubleshooting

Step 1. What Gate1 receives from R1

I use the built-in packet sniffer, tcpdump. I start the sniffer on the internal interface (Gi0/1 in Cisco-like notation, eth1 in Debian OS notation):

root@Gate1:~# tcpdump -i eth1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:53:38.879525 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 1, length 64
14:53:39.896869 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 2, length 64
14:53:40.921121 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 3, length 64
14:53:41.944958 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 4, length 64

I see that Gate1 receives GRE packets from R1. Moving on.

Step 2. What Gate1 does with the GRE packets

Using the klogview utility I can see what happens to the GRE packets inside the S-Terra VPN driver:

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated

I see that the target GRE traffic (proto 47) 172.16.0.1 -> 172.17.0.1 matched the encryption rule LIST in the crypto map CMAP and was encapsulated. The packet was then passed on. There is no return traffic in the klogview output.

I check the access lists on device Gate1. I see a single access list, LIST, which defines the target traffic for encryption, meaning that no firewall rules are configured:

Gate1#show access-lists
Extended IP access list LIST
    10 permit gre host 172.16.0.1 host 172.17.0.1

Conclusion: the problem is not with device Gate1.

More about klogview

The VPN driver handles all network traffic, not only the traffic that has to be encrypted. These are the messages you see in klogview when the VPN driver has processed network traffic and forwarded it unencrypted:

root@R1:~# ping 172.17.0.1 -c 4

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered

I see that the ICMP traffic (proto 1) 172.16.0.1 -> 172.17.0.1 did not match (no match) the encryption rules of the crypto map CMAP. The packet was passed on in clear text.

Step 3. What Gate2 receives from Gate1

I start the sniffer on the WAN interface of Gate2 (eth0):

root@Gate2:~# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:45.104195 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x1), length 140
16:05:46.093918 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x2), length 140
16:05:47.117078 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x3), length 140
16:05:48.141785 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x4), length 140

I see that Gate2 receives ESP packets from Gate1.

Step 4. What Gate2 does with the ESP packets

I start the klogview utility on Gate2:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall

I see that the ESP packets (proto 50) are dropped (DROP) by a firewall rule (L3VPN). I make sure that Gi0/0 really has the access list L3VPN attached to it:

Gate2#show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.10.10.252/24
  MTU is 1500 bytes
  Outgoing access list is not set
  Inbound  access list is L3VPN

The problem is found.

Step 5. What is wrong with the access list

I look at what the access list L3VPN contains:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any

I see that ISAKMP packets are permitted, which is why the IPsec tunnel gets established. But there is no permit rule for ESP. Apparently the student mixed up icmp and esp.

I edit the access list:

Gate2(config)#
ip access-list extended L3VPN
no 30
30 permit esp host 10.10.10.251 any

Step 6. Checking that it works

First, I make sure the access list L3VPN is correct:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any

Now I send target traffic from device R1:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=35.3 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=3.01 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=2.87 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 2.650/10.970/35.338/14.069 ms

Victory. The GRE tunnel is up. The inbound traffic counter in the IPsec statistics is no longer zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1474 1350

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 4 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 1920 480

On gateway Gate2, the klogview output now shows messages that the target traffic 172.16.0.1->172.17.0.1 was successfully decrypted (PASS) by the rule LIST in the crypto map CMAP:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated
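Steps 4 and 5 can be automated for the next time a tunnel comes up but carries nothing. The following Python checker is an added example, not part of the original post or of S-Terra: it spots firewall drops of ESP in klogview output and lists which IPsec components (isakmp, non500-isakmp, esp) an IOS-style access list fails to permit from the peer. The sample access list and klogview line are taken from the output shown above.

```python
import re
from typing import Dict, List

# What an IPsec peer needs through the firewall in front of the gateway: IKE on udp/500
# (isakmp), IKE NAT-T on udp/4500 (non500-isakmp) and the ESP data plane (IP proto 50).
IPSEC_REQUIREMENTS = {"isakmp": ("udp", "isakmp"), "non500-isakmp": ("udp", "non500-isakmp"),
                      "esp": ("esp", None)}

# One ACE of an IOS-style extended ACL as printed by 'show access-list'.
# Only the 'host A.B.C.D' and 'any' address forms are handled (the ones used in the post).
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host\s+\S+|any)\s+(?P<dst>host\s+\S+|any)(?:\s+eq\s+(?P<port>\S+))?\s*$")

# klogview line reporting an inbound packet dropped by a firewall chain.
DROP_RE = re.compile(r"dropped in packet (?P<src>\S+)->(?P<dst>\S+), proto (?P<proto>\d+), .*: firewall")

# Sample input: the broken L3VPN access list and the klogview drop line from the post.
BROKEN_ACL = """Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any
"""
KLOGVIEW_GATE2 = "dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall\n"


def parse_acl(text: str) -> List[Dict[str, str]]:
    """Parse 'show access-list' output into ACE dicts; header and prompt lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            ace = m.groupdict()
            ace["src"] = " ".join(ace["src"].split())  # normalise spacing in 'host  x'
            aces.append(ace)
    return aces


def missing_ipsec_permits(acl_text: str, peer: str) -> List[str]:
    """Return the IPsec components that the ACL does not permit from `peer`."""
    aces = parse_acl(acl_text)
    return [name for name, (proto, port) in IPSEC_REQUIREMENTS.items()
            if not any(a["action"] == "permit" and a["proto"] == proto
                       and a["src"] in ("any", f"host {peer}")
                       and (port is None or a["port"] == port) for a in aces)]


def esp_firewall_drops(klogview_text: str) -> List[str]:
    """Return the source addresses whose ESP (proto 50) packets the firewall dropped."""
    return [m["src"] for m in DROP_RE.finditer(klogview_text) if m["proto"] == "50"]
```

Running `missing_ipsec_permits(BROKEN_ACL, "10.10.10.251")` returns `['esp']`, the exact gap found in step 5, while the corrected list from step 6 returns an empty list.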

Conclusions

The student ruined his own day off.
Be careful with firewall rules.

Anonymous engineer
t.me/anonymous_engineer


Source: www.habr.com