How to troubleshoot an IPsec VPN. Part 1

The situation

A day off. I am drinking coffee. A student had set up a VPN connection between two sites and then vanished. I check: the tunnel is actually there, but no traffic goes through it. The student does not answer the phone.

I put the cup down and dived into the S-Terra Gateway to sort the problem out. Here is my experience and my method.

Initial data

Two geographically separated sites are connected by a GRE tunnel, and the GRE traffic has to be encrypted with IPsec. The addresses, as they appear in the captures below: R1 (physical address 172.16.0.1, GRE tunnel address 1.1.1.1) sits behind Gate1 (WAN address 10.10.10.251); R2 (physical address 172.17.0.1, GRE tunnel address 1.1.1.2) sits behind Gate2 (WAN address 10.10.10.252). The GRE tunnel runs between 172.16.0.1 and 172.17.0.1, and the IPsec tunnel that protects it runs between 10.10.10.251 and 10.10.10.252.

[Topology diagram: R1 - Gate1 - Gate2 - R2]

I check whether the GRE tunnel works. To do that I run ping from device R1 to the GRE interface of device R2; this is the target traffic that should be encrypted. There is no reply:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms

I check the logs on Gate1 and Gate2. The log happily reports that the IPsec tunnel was established successfully, no problems at all:

root@Gate1:~# cat /var/log/cspvpngate.log
Aug  5 16:14:23 localhost  vpnsvc: 00100119 <4:1> IPSec connection 5 established, traffic selector 172.17.0.1->172.16.0.1, proto 47, peer 10.10.10.251, id "10.10.10.251", Filter IPsec:Protect:CMAP:1:LIST, IPsecAction IPsecAction:CMAP:1, IKERule IKERule:CMAP:1

In the IPsec tunnel statistics on Gate1 I see that the tunnel really exists, but the Rcvd counter stays at zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0

I debug S-Terra like this: I look for the point on the path from R1 to R2 where the target packets get lost. Along the way (spoiler) I find the mistake.

Troubleshooting

Step 1. What Gate1 receives from R1

I use the built-in packet sniffer, tcpdump. I start the sniffer on the internal interface (Gi0/1 in Cisco-like notation, eth1 in Debian OS notation). On a busy interface add -n to avoid DNS lookups and a BPF filter such as 'ip proto 47' so that only GRE is shown:

root@Gate1:~# tcpdump -i eth1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:53:38.879525 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 1, length 64
14:53:39.896869 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 2, length 64
14:53:40.921121 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 3, length 64
14:53:41.944958 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 4, length 64

I see that Gate1 does receive the GRE packets from R1. Moving on.

Step 2. What Gate1 does with the GRE packets

With the klogview utility I can see what happens to the GRE packets inside the S-Terra VPN driver:

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated

I see that the target GRE traffic (proto 47) 172.16.0.1 -> 172.17.0.1 matched the LIST encryption rule of the CMAP crypto map (status PASS) and was encapsulated in ESP with SA 31. The resulting packet 10.10.10.251 -> 10.10.10.252 (proto 50) was then forwarded (passed). There is no return traffic in the klogview output.

I check the access lists on Gate1. I see a single access list, LIST, which only defines the target traffic for encryption; so no firewall rules are configured on this device:

Gate1#show access-lists
Extended IP access list LIST
    10 permit gre host 172.16.0.1 host 172.17.0.1

Conclusion: the problem is not on Gate1.

More about klogview

The VPN driver handles all network traffic, not only the traffic that needs encryption. These are the messages klogview shows when the VPN driver processes traffic and forwards it unencrypted:

root@R1:~# ping 172.17.0.1 -c 4

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered

I see that the ICMP traffic (proto 1) 172.16.0.1 -> 172.17.0.1 did not match (no match) the encryption rules of the CMAP crypto map. The packet was forwarded (passed) in the clear. Keep this in mind: anything that falls outside the crypto map's access list leaves the gateway unencrypted unless a firewall rule stops it.

Step 3. What Gate2 receives from Gate1

I start the sniffer on the WAN interface (eth0) of Gate2 (again, 'ip proto 50' as a filter narrows the capture to ESP):

root@Gate2:~# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:45.104195 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x1), length 140
16:05:46.093918 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x2), length 140
16:05:47.117078 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x3), length 140
16:05:48.141785 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x4), length 140

I see that Gate2 does receive the ESP packets from Gate1.

Step 4. What Gate2 does with the ESP packets

I start the klogview utility on Gate2:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall

I see that the ESP packets (proto 50) are dropped (status DROP) by a firewall rule from the L3VPN chain. I make sure that Gi0/0 really has the L3VPN access list bound to it inbound:

Gate2#show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.10.10.252/24
  MTU is 1500 bytes
  Outgoing access list is not set
  Inbound  access list is L3VPN

The problem is found.

Step 5. What is wrong with the access list

I look at what the L3VPN access list contains:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any

I see that ISAKMP packets are permitted (UDP 500, and UDP 4500 for NAT-T), which is why the IPsec tunnel comes up. But there is no rule permitting ESP, so the encrypted payload is dropped once the SA has been negotiated. Apparently the student mixed up icmp and esp. (Had the peers been behind NAT, ESP would have arrived inside UDP 4500 and entry 20 would have covered it; here there is no NAT and ESP arrives as IP protocol 50, as the capture in Step 3 shows.)

Fixing the access list. Note that replacing entry 30 also removes the permit for ICMP from the peer; if ping from 10.10.10.251 to Gate2 is still wanted, add it back under its own sequence number:

Gate2(config)#
ip access-list extended L3VPN
no 30
30 permit esp host 10.10.10.251 any

Step 6. Checking that it works

First of all I make sure the L3VPN access list is now correct:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any

Now I generate the target traffic from device R1:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=35.3 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=3.01 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=2.87 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 2.650/10.970/35.338/14.069 ms

Success. The GRE tunnel is up. The received-traffic counter in the IPsec statistics is no longer zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1474 1350

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 4 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 1920 480

On Gate2, the klogview output now shows that the target traffic 172.16.0.1->172.17.0.1 was successfully decapsulated and passed (status PASS) by the LIST rule of the CMAP crypto map:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated
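The checks in Steps 1 to 6 and in "More about klogview" are all pattern-matching on command output, so they can be scripted. The script below is an added example and is not code from the original post or from S-Terra: three small helpers that flag a one-way IPsec connection in 'sa_mgr show' output, count klogview verdicts, and report which of the three permits an IPsec peer needs are missing from an inbound access list. The field positions it relies on are assumptions taken from the outputs quoted on this page, not from S-Terra documentation, and the sample inputs are constructed copies of those outputs.

```shell
#!/bin/sh
# Added example, not code from the original post or from S-Terra: three
# small triage helpers that automate the checks walked through in Steps
# 1-6 and in "More about klogview". They parse text in the shape of the
# 'sa_mgr show', 'klogview' and 'show access-list' outputs quoted on this
# page; the field positions are assumptions taken from those outputs, not
# from S-Terra documentation. POSIX sh + awk only.

# 1. IPsec connections that send but never receive (the original symptom:
#    Sent > 0, Rcvd == 0). Reads 'sa_mgr show' on stdin, prints one line
#    per stalled connection: "<local>-<remote> proto <p> sent <n> rcvd 0".
ipsec_rx_stalled() {
    awk '
        /^IPsec connections:/ { in_ipsec = 1; next }
        /^ISAKMP/             { in_ipsec = 0 }
        in_ipsec && $1 ~ /^[0-9]+$/ {
            # Num Conn-id (Local)-(Remote) Protocol Action Type Sent Rcvd
            sent = $(NF - 1); rcvd = $NF
            if (sent > 0 && rcvd == 0)
                printf "%s proto %s sent %s rcvd 0\n", $3, $4, sent
        }'
}

# 2. Count klogview verdicts. Reads klogview output on stdin and prints
#    "<verdict> <count>" lines, e.g. "dropped:firewall" (Step 4),
#    "passed:encapsulated" (Step 2), "passed:filtered" (forwarded in the
#    clear) or "passed:decapsulated" (Step 6). A non-zero dropped:firewall
#    count with no passed:decapsulated is the Step 4 failure at a glance.
klogview_triage() {
    awk '
        /^(passed|dropped) (in|out) packet / {
            n = split($0, part, ": ")   # the verdict reason follows the last ": "
            count[$1 ":" part[n]]++
        }
        END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# 3. Which of the three permits an IPsec peer needs on an inbound ACL are
#    missing: IKE (udp/500, "isakmp"), NAT-T (udp/4500, "non500-isakmp")
#    and ESP itself (IP protocol 50). Reads 'show access-list' output on
#    stdin, takes the peer address as $1, prints "missing: permit <x>" per
#    absent entry and nothing when the list is complete.
acl_missing_for_peer() {
    awk -v peer="$1" '
        $1 ~ /^[0-9]+$/ && $2 == "permit" && $4 == "host" && $5 == peer {
            if ($3 == "udp" && $NF == "isakmp")        have["isakmp"] = 1
            if ($3 == "udp" && $NF == "non500-isakmp") have["non500-isakmp"] = 1
            if ($3 == "esp")                           have["esp"] = 1
        }
        END {
            split("isakmp non500-isakmp esp", need, " ")
            for (i = 1; i <= 3; i++)
                if (!(need[i] in have)) print "missing: permit " need[i]
        }'
}

# Constructed sample inputs, modelled on the outputs quoted in the post.
SA_MGR_BROKEN='ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0'

KLOG_SAMPLE='filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated
filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall'

ACL_BROKEN='Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any'

ACL_FIXED='Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any'

# On a real gateway pipe the live commands instead, e.g.
#   sa_mgr show | ipsec_rx_stalled
printf '%s\n' "$SA_MGR_BROKEN" | ipsec_rx_stalled
printf '%s\n' "$KLOG_SAMPLE"   | klogview_triage
printf '%s\n' "$ACL_BROKEN"    | acl_missing_for_peer 10.10.10.251
printf '%s\n' "$ACL_FIXED"     | acl_missing_for_peer 10.10.10.251
```

Run against the broken state, the first helper prints the 172.16.0.1/172.17.0.1 connection with sent 480 and rcvd 0, the second shows two dropped:firewall verdicts and no passed:decapsulated, and the third prints "missing: permit esp" for the original L3VPN list and nothing for the corrected one. The ACL check only looks at entries whose source is "host <peer>"; lists written with wildcard masks or object groups would need the field test adjusted.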

Conclusions

A student spoiled my day off.
Be careful with firewall rules.

Anonymous Engineer
t.me/anonymous_engineer


Source: www.habr.com
