1.5 home IPsec VPN schemes. Testing the demo


The situation

I received a demo version of the S-Terra VPN product line, version 4.3, for three months. I want to find out whether my life as an engineer gets easier after moving to the new version.

Today is not a hard day; one sachet of instant 3-in-1 coffee should be enough. I'll describe how to get the demo, then try to build the GRE-over-IPsec and IPsec-over-GRE schemes.

How to get the demo


From the vendor's page (screenshot in the original post) it follows that to get the demo you need to:

  • write to [email protected] from a corporate address;
  • state your organization's TIN in the letter;
  • list the products and their quantities.

The demo is valid for three months. The vendor does not restrict its functionality.

Deploying the image

The Security Gateway demo is a virtual machine image. I'm using VMware Workstation. The full list of supported hypervisors and virtualization environments is on the vendor's website.

Before starting, note that the default virtual machine image has no network adapters at all:


The idea is clear: the user adds as many interfaces as needed. I'll add four at once:


Now I start the virtual machine. Right after boot, the gateway asks for a username and password.

The S-Terra Gateway has several consoles with different accounts. I'll go through them in a separate article. For now:
Login as: administrator
Password: s-terra

I initialize the gateway. The initial sequence of actions: enter the license, initialize the biological random number generator (a keyboard simulator; my record is 27 seconds) and create the network interface map.

Network interface map. It got easier

Version 4.2 greeted the experienced user with the messages:

Starting IPsec daemon….. failed
ERROR: Could not establish connection with daemon

An experienced user (according to Anonymous Engineer) is one who can configure anything quickly and without documentation.

Something was already wrong before I even tried to set an IP address on an interface. It all came down to the network interface map. You had to do:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
service networking restart

As a result, a network interface map is created that ties the physical device identifiers (0000:02:03.0) to their names in the operating system (eth0) and in the Cisco-like console (FastEthernet0/0):

#Unique ID      iface type   OS name   Cisco-like name
0000:02:03.0    phye         eth0      FastEthernet0/0

The human-readable interface names are called aliases. They are stored in the file /etc/ifaliases.cf.
In version 4.3 the interface map is generated automatically on the first boot of the virtual machine. If you change the number of network interfaces in the virtual machine, regenerate the interface map:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
systemctl restart networking

Scheme 1: GRE-over-IPsec

I deploy two virtual gateways and connect them as shown in the diagram: fa0/0 of both gateways sits on the transit network 172.16.1.0/24, LAN1 (192.168.1.0/24) is behind fa0/1 of VG1 and LAN2 (192.168.2.0/24) is behind fa0/1 of VG2:


Step 1. Set IP addresses and routes

VG1(config)#
interface fa0/0
ip address 172.16.1.253 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.1.253 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254

VG2(config)#
interface fa0/0
ip address 172.16.1.254 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.2.254 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.253

Checking IP connectivity:

root@VG1:~# ping 172.16.1.254 -c 4
PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.545 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=0.657 ms
64 bytes from 172.16.1.254: icmp_seq=3 ttl=64 time=0.687 ms
64 bytes from 172.16.1.254: icmp_seq=4 ttl=64 time=0.273 ms

--- 172.16.1.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.273/0.540/0.687/0.164 ms

Step 2. Configure GRE

I take the GRE configuration example from the official documentation and create a file named gre1 in the /etc/network/interfaces.d directory with the following content.

For VG1:

auto gre1
iface gre1 inet static
address 1.1.1.1
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.254 local 172.16.1.253 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

For VG2:

auto gre1
iface gre1 inet static
address 1.1.1.2
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.253 local 172.16.1.254 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

I bring the interface up in the OS:

root@VG1:~# ifup gre1
root@VG2:~# ifup gre1

Check:

root@VG1:~# ip address show
8: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1
    link/gre 172.16.1.253 peer 172.16.1.254
    inet 1.1.1.1/30 brd 1.1.1.3 scope global gre1
       valid_lft forever preferred_lft forever

root@VG1:~# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.16.1.254 local 172.16.1.253 ttl 64 tos inherit key 1

The S-Terra Gateway has a built-in packet sniffer, tcpdump. I'll write a traffic dump to a pcap file:

root@VG2:~# tcpdump -i eth0 -w /home/dump.pcap

I start a ping between the GRE interfaces:

root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.850 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=0.974 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.850/0.915/0.974/0.043 ms

The GRE tunnel is up and working:


Step 3. Encrypt GRE with GOST

I set the identity type to address. Authentication is by pre-shared key (according to the Rules of Use, digital certificates must be used):

VG1(config)#
crypto isakmp identity address
crypto isakmp key KEY address 172.16.1.254

I set the IKE Phase 1 (ISAKMP) parameters:

VG1(config)#
crypto isakmp policy 1
encr gost
hash gost3411-256-tc26
auth pre-share
group vko2

I set the IPsec Phase 2 parameters (the transform set):

VG1(config)#
crypto ipsec transform-set TSET esp-gost28147-4m-imit
mode tunnel

I create the crypto access list. The interesting traffic is GRE between the two WAN addresses:

VG1(config)#
ip access-list extended LIST
permit gre host 172.16.1.253 host 172.16.1.254

I create the crypto map and bind it to the WAN interface (the peer is the other gateway's WAN address, 172.16.1.254):

VG1(config)#
crypto map CMAP 1 ipsec-isakmp
match address LIST
set transform-set TSET
set peer 172.16.1.254
interface fa0/0
  crypto map CMAP

For VG2 the configuration mirrors this; the differences are the key binding, the access list direction and the peer:

VG2(config)#
crypto isakmp key KEY address 172.16.1.253
ip access-list extended LIST
permit gre host 172.16.1.254 host 172.16.1.253
crypto map CMAP 1 ipsec-isakmp
set peer 172.16.1.253

Check:

root@VG2:~# tcpdump -i eth0 -w /home/dump2.pcap
root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1128 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=126 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=1.07 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=1.12 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.077/314.271/1128.419/472.826 ms, pipe 2

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 1 (172.16.1.253,500)-(172.16.1.254,500) active 1086 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 1 (172.16.1.253,*)-(172.16.1.254,*) 47 ESP tunn 480 480

The traffic dump contains no GRE packets in the clear:


Conclusion: the GRE-over-IPsec scheme works correctly.

Scheme 1.5: IPsec-over-GRE

I don't plan to use IPsec-over-GRE in a real network. I'm building it because I want to.


To turn the GRE-over-IPsec scheme inside out:

  • change the crypto access list: the interesting traffic is now LAN1 to LAN2 and back;
  • route that traffic through the GRE tunnel;
  • bind the crypto map to the GRE interface.

By default there is no GRE interface in the gateway's Cisco-like console; it exists only in the operating system.

I add the GRE interface to the Cisco-like console. To do this, I edit the /etc/ifaliases.cf file:

interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="FastEthernet0/2" pattern="eth2")
interface (name="FastEthernet0/3" pattern="eth3")
interface (name="Tunnel0" pattern="gre1")
interface (name="default" pattern="*")

where gre1 is the interface name in the operating system and Tunnel0 is its name in the Cisco-like console.

I recalculate the file's integrity hash with integr_mgr, since the gateway's integrity control tracks this file:

root@VG1:~# integr_mgr calc -f /etc/ifaliases.cf

SUCCESS:  Operation was successful.

Now the Tunnel0 interface shows up in the Cisco-like console:

VG1# show run
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
mtu 1400

I change the crypto access list; the interesting traffic is now LAN1 (192.168.1.0/24) to LAN2 (192.168.2.0/24), matching the selectors sa_mgr reports further down:

VG1(config)#
ip access-list extended LIST
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

I route LAN2 through the GRE tunnel (the tunnel endpoint 172.16.1.254 is directly connected, so the default route is no longer needed):

VG1(config)#
no ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 192.168.2.0 255.255.255.0 1.1.1.2

I remove the crypto map from Fa0/0 and bind it to the GRE interface:

VG1(config)#
interface fa0/0
no crypto map CMAP
interface Tunnel0
crypto map CMAP

For VG2 it is the same, mirrored.
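Before checking, it is worth making explicit which flows the two crypto access lists actually select, because a crypto map encrypts only what its ACL permits and sends everything else out in the clear. The Python below is an added example, not code from the page or from S-Terra: a small evaluator for Cisco-style extended access-list entries with wildcard masks, fed the two selectors used in this article. It shows why, in scheme 1, the plain ping between the WAN addresses travels unencrypted while GRE is encrypted, and why in scheme 1.5 a ping has to be sourced from LAN1 (192.168.1.253) rather than from the WAN address to be caught by the LAN1-to-LAN2 selector. The LAN2 prefix 192.168.2.0/24 is taken from the selectors sa_mgr show reports; mirror_ace is a helper name of my own.

```python
"""Crypto-ACL selector check for the two schemes on this page (added example).

Cisco-style syntax, wildcard masks (not netmasks), first match wins,
implicit deny at the end. 'permit' means encrypt, 'deny' means send in clear.
"""
import ipaddress

PROTO_NUMBERS = {"ip": None, "icmp": 1, "gre": 47, "esp": 50}


def _parse_addr(tokens):
    """Consume one address spec: 'host A', 'any' or 'A WILDCARD'."""
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0), tokens[2:]
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    base = int(ipaddress.ip_address(tokens[0]))
    wildcard = int(ipaddress.ip_address(tokens[1]))
    return (base, wildcard), tokens[2:]


def parse_ace(line):
    """'permit gre host A host B' -> ('permit', 47, (A, 0), (B, 0))."""
    tokens = line.split()
    action, proto = tokens[0], PROTO_NUMBERS[tokens[1]]
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    return action, proto, src, dst


def _addr_matches(spec, ip):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard 1-bits are "don't care"
    return int(ipaddress.ip_address(ip)) & care == base & care


def acl_action(acl, proto, src, dst):
    """Return 'permit' (encrypt) or 'deny' (send in clear) for one flow."""
    for line in acl:
        action, p, s, d = parse_ace(line)
        if (p is None or p == proto) and _addr_matches(s, src) and _addr_matches(d, dst):
            return action
    return "deny"


def mirror_ace(line):
    """Build the peer gateway's entry by swapping source and destination."""
    action, proto, src, dst = parse_ace(line)

    def fmt(spec):
        base, wildcard = spec
        addr = ipaddress.ip_address(base)
        if wildcard == 0:
            return f"host {addr}"
        if wildcard == 0xFFFFFFFF:
            return "any"
        return f"{addr} {ipaddress.ip_address(wildcard)}"

    name = next(k for k, v in PROTO_NUMBERS.items() if v == proto)
    return f"{action} {name} {fmt(dst)} {fmt(src)}"


# Scheme 1 (GRE-over-IPsec): the selector is the GRE flow between WAN addresses.
SCHEME1_ACL = ["permit gre host 172.16.1.253 host 172.16.1.254"]
# Scheme 1.5 (IPsec-over-GRE): the selector is LAN1 -> LAN2, as sa_mgr show reports.
SCHEME15_ACL = ["permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"]

if __name__ == "__main__":
    # Scheme 1: GRE is encrypted; a plain ping between WAN addresses is not.
    print(acl_action(SCHEME1_ACL, 47, "172.16.1.253", "172.16.1.254"))    # permit
    print(acl_action(SCHEME1_ACL, 1, "172.16.1.253", "172.16.1.254"))     # deny
    # Scheme 1.5: the ping must be sourced from LAN1, not from the WAN address.
    print(acl_action(SCHEME15_ACL, 1, "192.168.1.253", "192.168.2.254"))  # permit
    print(acl_action(SCHEME15_ACL, 1, "172.16.1.253", "192.168.2.254"))   # deny
    print(mirror_ace(SCHEME1_ACL[0]))   # permit gre host 172.16.1.254 host 172.16.1.253
```

The mirrored entry for scheme 1 is exactly the line configured on VG2 above; a selector mismatch between the two ends is the usual reason Phase 2 fails or traffic silently bypasses the tunnel.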

Check:

root@VG2:~# tcpdump -i eth0 -w /home/dump3.pcap

root@VG1:~# ping 192.168.2.254 -I 192.168.1.253 -c 4
PING 192.168.2.254 (192.168.2.254) from 192.168.1.253 : 56(84) bytes of data.
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=492 ms
64 bytes from 192.168.2.254: icmp_seq=2 ttl=64 time=1.08 ms
64 bytes from 192.168.2.254: icmp_seq=3 ttl=64 time=1.06 ms
64 bytes from 192.168.2.254: icmp_seq=4 ttl=64 time=1.07 ms

--- 192.168.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.064/124.048/492.972/212.998 ms

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 2 (172.16.1.253,500)-(172.16.1.254,500) active 1094 1022

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 2 (192.168.1.0-192.168.1.255,*)-(192.168.2.0-192.168.2.255,*) * ESP tunn 352 352

In the traffic dump, the ESP packets are encapsulated in GRE:


Conclusion: IPsec-over-GRE works correctly.
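Both dumps in this article were judged by eye in a packet viewer. As an added example (not code from the page or from the vendor), here is a self-contained Python checker that decodes the encapsulation chain of every packet in a classic pcap and asserts the property each scheme promises: for GRE-over-IPsec, ESP must be present and no GRE header may appear in the clear on eth0; for IPsec-over-GRE, every GRE packet must carry ESP as its inner payload. The three captures at the bottom are constructed in memory to stand in for the page's dump.pcap (GRE in the clear), dump2.pcap and dump3.pcap; the SPIs, the all-zero IPv4 checksums and the MAC addresses are placeholders.

```python
"""Decode the encapsulation chain of each packet in a pcap (added example).

Scheme 1 (GRE-over-IPsec): the capture must show IPv4/ESP and no IPv4/GRE.
Scheme 1.5 (IPsec-over-GRE): GRE is outer and every GRE payload must be ESP.
"""
import struct

ETH_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}


def parse_ipv4(buf):
    """Return (protocol, payload), honouring the IHL field."""
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], buf[ihl:]


def parse_gre(buf):
    """Return (key, protocol_type, payload) for an RFC 2784/2890 GRE header."""
    flags, proto_type = struct.unpack("!HH", buf[:4])
    off, key = 4, None
    if flags & 0x8000:                       # C: checksum + reserved word
        off += 4
    if flags & 0x2000:                       # K: 32-bit key ('key 1' on the page)
        key = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if flags & 0x1000:                       # S: sequence number
        off += 4
    return key, proto_type, buf[off:]


def describe(frame):
    """Ethernet frame -> chain such as 'IPv4/GRE(key=1)/IPv4/ESP'."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return "non-IPv4"
    chain = []
    proto, payload = parse_ipv4(frame[14:])
    while True:
        chain.append("IPv4")
        if proto != 47:
            chain.append(PROTO_NAMES.get(proto, str(proto)))
            return "/".join(chain)
        key, inner_type, payload = parse_gre(payload)
        chain.append(f"GRE(key={key})")
        if inner_type != ETH_IPV4:
            chain.append(f"0x{inner_type:04x}")
            return "/".join(chain)
        proto, payload = parse_ipv4(payload)


def iter_frames(pcap):
    """Yield frames from a classic pcap (either byte order, Ethernet link type)."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off < len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def gre_over_ipsec_ok(pcap):
    """ESP is present and no GRE header is visible in the clear."""
    chains = [describe(f) for f in iter_frames(pcap)]
    return any(c.endswith("/ESP") for c in chains) and not any("GRE" in c for c in chains)


def ipsec_over_gre_ok(pcap):
    """Every GRE packet carries ESP as its inner payload."""
    gre = [c for c in (describe(f) for f in iter_frames(pcap)) if "GRE" in c]
    return bool(gre) and all(c.endswith("/IPv4/ESP") for c in gre)


# ---- constructed sample captures (not real dumps; IPv4 checksums left at zero) ----
def mk_ipv4(src, dst, proto, payload):
    octets = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, octets(src), octets(dst)) + payload


def mk_gre(key, inner):                     # K flag set, protocol type IPv4
    return struct.pack("!HHI", 0x2000, ETH_IPV4, key) + inner


def mk_esp(spi, seq, length):               # SPI + seq, then opaque ciphertext stand-in
    return struct.pack("!II", spi, seq) + bytes(length)


def mk_pcap(payloads):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        frame = bytes(12) + struct.pack("!H", ETH_IPV4) + p   # zero MACs, placeholder
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


WAN1, WAN2 = "172.16.1.253", "172.16.1.254"
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + bytes(56)
CLEAR_GRE = mk_pcap([mk_ipv4(WAN1, WAN2, 47, mk_gre(1, mk_ipv4("1.1.1.1", "1.1.1.2", 1, ICMP_ECHO)))])
GRE_OVER_IPSEC = mk_pcap([mk_ipv4(WAN1, WAN2, 50, mk_esp(0x1001, 1, 120))])
IPSEC_OVER_GRE = mk_pcap([mk_ipv4(WAN1, WAN2, 47, mk_gre(1, mk_ipv4("1.1.1.1", "1.1.1.2", 50, mk_esp(0x1002, 1, 104))))])
```

To run it against a real capture, pass open("/home/dump2.pcap", "rb").read() to gre_over_ipsec_ok, or dump3.pcap to ipsec_over_gre_ok. The parser handles the standard microsecond pcap magic in either byte order, not pcapng or the nanosecond variant, and assumes the Ethernet link type that tcpdump -i eth0 -w writes; the IKE exchange on UDP/500 simply shows up as IPv4/UDP and does not affect either check.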

Results

One cup of coffee was enough. I wrote down how to obtain the demo version, configured GRE-over-IPsec and then turned it inside out.

The network interface map in version 4.3 is built automatically! I'll keep testing.

Anonymous Engineer
t.me/anonymous_engineer


Source: www.habr.com
