The situation
A day off. I am drinking coffee. A trainee set up a VPN connection between two sites and vanished. I check: the tunnel does exist, but there is no traffic in it. The trainee does not answer the phone.
I put the kettle on and dove into the S-Terra Gateway to fix the problem. Here I share my findings and my approach.
Initial data
Two remote sites are connected by a GRE tunnel. The GRE traffic must be encrypted:
I check whether the GRE tunnel works. To do that, I ping the GRE interface of device R2 from device R1. This is exactly the traffic that is supposed to be encrypted. No reply:
root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
--- 1.1.1.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms
I check the logs on Gate1 and Gate2. The log happily reports that the IPsec connection was established successfully, no problems:
root@Gate1:~# cat /var/log/cspvpngate.log
Aug 5 16:14:23 localhost vpnsvc: 00100119 <4:1> IPSec connection 5 established, traffic selector 172.17.0.1->172.16.0.1, proto 47, peer 10.10.10.251, id "10.10.10.251", Filter
IPsec:Protect:CMAP:1:LIST, IPsecAction IPsecAction:CMAP:1, IKERule IKERule:CMAP:1
In the IPsec connection statistics on Gate1 I see that the tunnel does exist, but the Rcvd counter stays at zero:
root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded
ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014
IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0
I troubleshoot S-Terra like this: I look for the point where the target packets get lost on the path from R1 to R2. Along the way (spoiler) I will find a mistake.
Troubleshooting
Step 1. What Gate1 receives from R1
I use the built-in packet sniffer, tcpdump. I start the sniffer on the internal interface (Gi0/1 in Cisco-like notation, eth1 in Debian OS notation):
root@Gate1:~# tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:53:38.879525 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 1, length 64
14:53:39.896869 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 2, length 64
14:53:40.921121 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 3, length 64
14:53:41.944958 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 4, length 64
I see that Gate1 receives the GRE packets from R1. Moving on.
Step 2. What Gate1 does with the GRE packets
Using the klogview utility I can see what happens to the GRE packets inside the S-Terra VPN driver:
root@Gate1:~# klogview -f 0xffffffff
filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated
I see that the target GRE traffic (proto 47) 172.16.0.1 -> 172.17.0.1 matched the LIST encryption rule of the CMAP crypto map and was encrypted (encapsulated). The packet was then forwarded (passed). There is no reply traffic in the klogview output.
I check the access lists on the Gate1 device. I see only the access list LIST, which defines the target traffic for encryption, which means that no firewall rules have been configured:
Gate1#show access-lists
Extended IP access list LIST
10 permit gre host 172.16.0.1 host 172.17.0.1
Conclusion: the problem is not on the Gate1 device.
More about klogview
The VPN driver processes all network traffic, not only the traffic that must be encrypted. These are the messages that appear in klogview when the VPN driver has processed network traffic and forwarded it unencrypted:
root@R1:~# ping 172.17.0.1 -c 4
root@Gate1:~# klogview -f 0xffffffff
filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered
I see that the ICMP traffic (proto 1) 172.16.0.1 -> 172.17.0.1 did not match (no match) any encryption rule of the CMAP crypto map. The packet was forwarded (passed) in cleartext.
Step 3. What Gate2 receives from Gate1
I start the sniffer on the WAN (eth0) interface of Gate2:
root@Gate2:~# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:45.104195 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x1), length 140
16:05:46.093918 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x2), length 140
16:05:47.117078 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x3), length 140
16:05:48.141785 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x4), length 140
I see that Gate2 receives the ESP packets from Gate1.
Step 4. What Gate2 does with the ESP packets
I start the klogview utility on Gate2:
root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall
I see that the ESP packets (proto 50) are dropped (DROP) by a firewall rule (L3VPN). I make sure that Gi0/0 really has the L3VPN access list bound to it:
Gate2#show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 10.10.10.252/24
MTU is 1500 bytes
Outgoing access list is not set
Inbound access list is L3VPN
I have found the problem.
Step 5. What is wrong with the access list
I check what the L3VPN access list contains:
Gate2#show access-list L3VPN
Extended IP access list L3VPN
10 permit udp host 10.10.10.251 any eq isakmp
20 permit udp host 10.10.10.251 any eq non500-isakmp
30 permit icmp host 10.10.10.251 any
I see that ISAKMP packets are permitted, which is why the IPsec tunnel gets established. But there is no rule permitting ESP. Apparently the trainee mixed up icmp and esp.
Fixing the access list:
Gate2(config)#
ip access-list extended L3VPN
no 30
30 permit esp host 10.10.10.251 any
Step 6. Verifying operation
First of all, I make sure that the L3VPN access list is now correct:
Gate2#show access-list L3VPN
Extended IP access list L3VPN
10 permit udp host 10.10.10.251 any eq isakmp
20 permit udp host 10.10.10.251 any eq non500-isakmp
30 permit esp host 10.10.10.251 any
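The mistake in Step 5 (an inbound list that permits ISAKMP and NAT-T but not ESP) is easy to catch mechanically. The following checker is an added example and is not an S-Terra tool: it parses an extended access list in the Cisco-like notation shown above and reports which IPsec components are not permitted for a given peer. The sample lists are constructed from the page, and first-match order and deny entries are deliberately not evaluated.

```python
import re

# Constructed sample: the broken L3VPN list from the page (icmp instead of esp).
ACL_BROKEN = """\
Extended IP access list L3VPN
10 permit udp host 10.10.10.251 any eq isakmp
20 permit udp host 10.10.10.251 any eq non500-isakmp
30 permit icmp host 10.10.10.251 any
"""
# The same list after the fix applied in Step 5.
ACL_FIXED = ACL_BROKEN.replace("30 permit icmp", "30 permit esp")

# One ACL entry: "<seq> permit|deny <proto> host <src> (host <dst>|any) [eq <port>]"
RULE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"host\s+(?P<src>\S+)\s+(?:host\s+\S+|any)(?:\s+eq\s+(?P<port>\S+))?"
)
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}   # IOS keywords for UDP ports
PROTO_NAMES = {"50": "esp", "17": "udp", "1": "icmp"}  # numeric protocols, normalised

# What an IPsec peer needs through an inbound list: IKE, NAT-T and the ESP payload.
NEEDED = {"isakmp": ("udp", 500), "nat-t": ("udp", 4500), "esp": ("esp", None)}


def parse_acl(text):
    """Return (seq, action, proto, src, port) for every entry line in the list."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header line or a syntax this toy parser does not know
        port = m.group("port")
        if port is not None:
            port = PORT_NAMES.get(port, int(port) if port.isdigit() else port)
        proto = PROTO_NAMES.get(m.group("proto"), m.group("proto"))
        rules.append((int(m.group("seq")), m.group("action"), proto, m.group("src"), port))
    return rules


def missing_ipsec_permits(text, peer):
    """Sorted names of IPsec components that no 'permit ... host <peer>' entry covers."""
    found = set()
    for _seq, action, proto, src, port in parse_acl(text):
        if action != "permit" or src != peer:
            continue
        for name, (need_proto, need_port) in NEEDED.items():
            if proto == need_proto and (need_port is None or port == need_port):
                found.add(name)
    return sorted(set(NEEDED) - found)


if __name__ == "__main__":
    for label, acl in (("broken", ACL_BROKEN), ("fixed", ACL_FIXED)):
        print(label, "missing for 10.10.10.251:", missing_ipsec_permits(acl, "10.10.10.251"))
```

On the broken list the checker reports only esp as missing, which is exactly the symptom seen in Step 4: IKE completes but every ESP packet is dropped by the firewall.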
Now I start the target traffic from device R1:
root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=35.3 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=3.01 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=2.87 ms
--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 2.650/10.970/35.338/14.069 ms
Success. The GRE tunnel is up. The inbound traffic counter in the IPsec statistics is no longer zero:
root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded
ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1474 1350
IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 4 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 1920 480
On the Gate2 gateway the klogview output now shows messages confirming that the target traffic 172.16.0.1->172.17.0.1 was successfully decrypted (PASS) by the LIST rule of the CMAP crypto map:
root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated
Conclusions
One trainee spoiled a day off.
Be careful with firewall rules.
Anonymous Engineer
t.me/anonymous_engineer
Source: www.habr.com