How to debug IPsec VPN. Part 1


Situation

On a day off I'm drinking coffee. A student has set up a VPN connection between two sites, and it doesn't work. I check: the tunnel is indeed up, but there is no traffic inside it. The student isn't answering calls.

I put the kettle down and dove into troubleshooting the S-Terra Gateway. I'm sharing my experience and my method.

Initial data

Two geographically separated sites are connected by a GRE tunnel. The GRE traffic needs to be encrypted:


I check that the GRE tunnel works. To do so, I ping from device R1 to the GRE interface of device R2. This is the target traffic for encryption. No reply:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms

I look at the logs on Gate1 and Gate2. The log happily reports that the IPsec tunnel was established successfully, no problems:

root@Gate1:~# cat /var/log/cspvpngate.log
Aug  5 16:14:23 localhost  vpnsvc: 00100119 <4:1> IPSec connection 5 established, traffic selector 172.17.0.1->172.16.0.1, proto 47, peer 10.10.10.251, id "10.10.10.251", Filter IPsec:Protect:CMAP:1:LIST, IPsecAction IPsecAction:CMAP:1, IKERule IKERule:CMAP:1

Looking at the IPsec tunnel statistics on Gate1, I see that the tunnel does exist, but the Rcvd counter is zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0

I debug S-Terra like this: I look for the point where the target packets get lost on the path from R1 to R2. Along the way (spoiler) I will find the mistake.

Troubleshooting

Step 1. What Gate1 receives from R1

I use the built-in packet sniffer, tcpdump. I start the sniffer on the internal interface (Gi0/1 in Cisco-like notation, or eth1 in Debian OS notation):

root@Gate1:~# tcpdump -i eth1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:53:38.879525 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 1, length 64
14:53:39.896869 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 2, length 64
14:53:40.921121 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 3, length 64
14:53:41.944958 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 4, length 64

I see that Gate1 receives the GRE packets from R1. Moving on.

Step 2. What Gate1 does with the GRE packets

Using the klogview utility, I can see what happens to the GRE packets inside the S-Terra VPN driver:

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated

I see that the target GRE traffic (proto 47) 172.16.0.1 -> 172.17.0.1 matched the LIST encryption rule of the CMAP crypto map and was encapsulated. The packet was then sent out (passed). There is no reply traffic in the klogview output.

I check the access lists on device Gate1. I see a single access list, LIST, which defines the target traffic for encryption; this means no firewall rules are configured:

Gate1#show access-lists
Extended IP access list LIST
    10 permit gre host 172.16.0.1 host 172.17.0.1

Conclusion: the problem is not on device Gate1.

More about klogview

The VPN driver processes all network traffic, not only the traffic that needs to be encrypted. These are the messages klogview shows when the VPN driver has processed network traffic and passed it through unencrypted:

root@R1:~# ping 172.17.0.1 -c 4

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered

I see that the ICMP traffic (proto 1) 172.16.0.1 -> 172.17.0.1 did not match (no match) the encryption rules of the CMAP crypto map. The packet was passed through (passed) in clear text.
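The three klogview verdicts seen so far (encrypted and sent out, passed in clear text because no crypto-map rule matched, and dropped by a firewall chain) can be pulled out of a saved klogview capture with a short awk script. The following is an added example, not part of the original article and not S-Terra's own tooling; it assumes the message formats shown above and runs on constructed sample lines copied in shape from this article's output, so it works offline.

```shell
#!/bin/sh
# Added example, not from the original article: summarize klogview verdicts.
# Assumes the line formats shown in the article:
#   filtration result for <in|out> packet SRC->DST, proto N, len L, if IF: chain ... status PASS|DROP
#   filtration result for <in|out> packet SRC->DST, proto N, len L, if IF: chain ...: no match
#   <passed|dropped> <in|out> packet SRC->DST, proto N, len L, if IF: <encapsulated|decapsulated|filtered|firewall>

# Constructed sample, copied in shape from the klogview output on Gate1 and Gate2.
SAMPLE_KLOG='filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated
filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall'

# klog_dispositions: read klogview text on stdin and print one line per
# final verdict:  <passed|dropped> <in|out> SRC->DST proto=N <reason>
# "filtered" means the packet went through in clear text (no crypto-map match),
# "encapsulated"/"decapsulated" mean it went through IPsec,
# "firewall" means a filter chain dropped it.
klog_dispositions() {
    awk '
        /^(passed|dropped) (in|out) packet / {
            verdict = $1; dir = $2
            flow = $4;  sub(/,$/, "", flow)
            proto = $6; sub(/,$/, "", proto)
            print verdict, dir, flow, "proto=" proto, $NF
        }'
}

# klog_firewall_drops: for every filtration line that ended in DROP, print
# the flow, the protocol and the chain that dropped it, so the access list
# to inspect is named directly.
klog_firewall_drops() {
    awk '
        /^filtration result for (in|out) packet .* status DROP$/ {
            flow = $6;  sub(/,$/, "", flow)
            proto = $8; sub(/,$/, "", proto)
            if (match($0, /chain [0-9]+ "[^"]*"/))
                print flow, "proto=" proto, substr($0, RSTART, RLENGTH)
        }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_KLOG" | klog_dispositions
printf '%s\n' "$SAMPLE_KLOG" | klog_firewall_drops
```

On a live gateway the same functions can be fed from a saved capture (`klogview -f 0xffffffff > klog.txt`, then `klog_firewall_drops < klog.txt`); a "firewall" verdict whose chain names an access list points straight at the rule set to review, which is exactly the situation in the steps that follow.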

Step 3. What Gate2 receives from Gate1

I start the sniffer on the WAN (eth0) interface of Gate2:

root@Gate2:~# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:45.104195 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x1), length 140
16:05:46.093918 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x2), length 140
16:05:47.117078 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x3), length 140
16:05:48.141785 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x4), length 140

I see that Gate2 receives the ESP packets from Gate1.

Step 4. What Gate2 does with the ESP packets

I start the klogview utility on Gate2:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall

I see that the ESP packets (proto 50) were dropped (DROP) by a firewall rule (L3VPN). I check that Gi0/0 indeed has the L3VPN access list attached:

Gate2#show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.10.10.252/24
  MTU is 1500 bytes
  Outgoing access list is not set
  Inbound  access list is L3VPN

Problem found.

Step 5. What's wrong with the access list

I look at what the L3VPN access list contains:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any

I see that ISAKMP packets are permitted, which is why the IPsec tunnel was established. But there is no rule permitting ESP. Apparently the student mixed up icmp and esp.

I edit the access list:

Gate2(config)#
ip access-list extended L3VPN
no 30
30 permit esp host 10.10.10.251 any
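A check that would have caught this before the tunnel was even brought up: given an access list in the `show access-list` format, confirm that the peer is permitted for everything an IPsec peer needs, namely UDP 500 (isakmp), UDP 4500 (non500-isakmp, used for NAT traversal) and IP protocol 50 (ESP). The following is an added example, not code from the article; it assumes the IOS-style ACL syntax shown above and only recognises `host <peer>` entries, so a broader `permit esp any any` would be reported as missing. The two ACL texts are constructed copies of the student's version and the corrected one.

```shell
#!/bin/sh
# Added example, not from the original article: check that an access list
# permits everything an IPsec peer needs. Assumes the IOS-style
# "show access-list" output format seen above; only "host <peer>" entries
# are recognised (a "permit esp any any" would be reported as missing).

# Constructed ACL texts: the student's version (icmp instead of esp) and the fixed one.
ACL_BROKEN='Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any'

ACL_FIXED='Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any'

# acl_missing_ipsec_permits PEER: read the ACL on stdin and print, one per
# line, the permits PEER still lacks out of: isakmp (UDP 500),
# non500-isakmp (UDP 4500, NAT-T) and esp (IP protocol 50).
# Prints nothing when the ACL is complete for that peer.
acl_missing_ipsec_permits() {
    awk -v peer="$1" '
        $2 == "permit" && $3 == "udp" && $4 == "host" && $5 == peer && $7 == "eq" {
            if ($8 == "isakmp" || $8 == "500")         have["isakmp"] = 1
            if ($8 == "non500-isakmp" || $8 == "4500") have["non500-isakmp"] = 1
        }
        $2 == "permit" && ($3 == "esp" || $3 == "50") && $4 == "host" && $5 == peer {
            have["esp"] = 1
        }
        END {
            n = split("isakmp non500-isakmp esp", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in have)) print need[i]
        }'
}

# Stand-alone run: report what each ACL lacks for peer 10.10.10.251.
echo "L3VPN before the fix, missing:"
printf '%s\n' "$ACL_BROKEN" | acl_missing_ipsec_permits 10.10.10.251
echo "L3VPN after the fix, missing:"
printf '%s\n' "$ACL_FIXED" | acl_missing_ipsec_permits 10.10.10.251
```

The broken list reports only `esp` as missing, which is precisely why IKE negotiated successfully while every data packet was dropped; the corrected list reports nothing. If AH were in use instead of ESP, protocol 51 would have to be added to the required set.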

Step 6. Verification

First, I check that the L3VPN access list is now correct:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any

Now I start the target traffic from device R1:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=35.3 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=3.01 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=2.87 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 2.650/10.970/35.338/14.069 ms

Success. The GRE tunnel is up. The incoming traffic counter in the IPsec statistics is no longer zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1474 1350

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 4 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 1920 480

On gateway Gate2, the klogview output now shows messages that the target traffic 172.16.0.1->172.17.0.1 was successfully decrypted (PASS) under the LIST rule of the CMAP crypto map:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated

Results

A student ruined his day off.
Be careful with firewall rules.

Anonymous engineer
t.me/anonymous_injineer


Source: www.habr.com
