1.5 home IPsec VPN schemes. Testing the demos

Situation

I received the demo version of the C-Terra VPN 4.3 products for three months. I want to find out whether my engineering life will get easier after migrating to the new version.

Today is an easy one: a single sachet of instant 3-in-1 coffee should be enough. I'll explain how to get the demos. I'll try to build the GRE-over-IPsec and IPsec-over-GRE schemes.

How to get a demo

As the picture shows, to get a demo you need to:

  • Write a letter to [email protected] from a corporate address;
  • In the letter, state your organization's TIN;
  • List the products and their quantities.

The demos work for three months. The vendor does not limit their functionality.

Deploying the image

The Security Gateway demo is a virtual machine image. I use VMWare Workstation. The full list of supported hypervisors and virtualization environments is available on the vendor's website.

Before starting, note that the default virtual machine image has no network interfaces:

The logic is clear: the user adds as many interfaces as they need. I'll add four right away:

Now I start the virtual machine. Immediately after boot, the gateway asks for a username and password.

The S-Terra Gateway has several consoles with different accounts. I'll count them in a separate article. For now:
Login as: administrator
Password: s-terra

I initialize the gateway. Initialization is a sequence of actions: entering the license, seeding the biological random number generator (a keyboard simulator; my record is 27 seconds) and creating the network interface map.

Network interface map. It got easier

Version 4.2 greeted the experienced user with these messages:

Starting IPsec daemon….. failed
ERROR: Could not establish connection with daemon

An experienced user (according to the Unknown Engineer) is a user who can set up anything quickly and without documentation.

Something went wrong before even trying to assign an IP address to an interface. It all comes down to the network interface map. You had to run:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
service networking restart

As a result, a network map is created that maps the physical interface names (0000:02:03.0) to their logical names in the operating system (eth0) and in the Cisco-like console (FastEthernet0/0):

#Unique ID iface type OS name Cisco-like name

0000:02:03.0 phye eth0 FastEthernet0/0

The logical interface names are called aliases. They are stored in the file /etc/ifaliases.cf.
In version 4.3, the interface map is built automatically when the virtual machine boots for the first time. If you change the number of network interfaces on the virtual machine, recreate the interface map:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
systemctl restart networking

Scheme 1: GRE-over-IPsec

I use two virtual gateways, connected as shown in the picture:

Step 1. Assign IP addresses and routes

VG1(config)#
interface fa0/0
ip address 172.16.1.253 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.1.253 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254

VG2(config)#
interface fa0/0
ip address 172.16.1.254 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.2.254 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.253

Checking IP connectivity:

root@VG1:~# ping 172.16.1.254 -c 4
PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.545 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=0.657 ms
64 bytes from 172.16.1.254: icmp_seq=3 ttl=64 time=0.687 ms
64 bytes from 172.16.1.254: icmp_seq=4 ttl=64 time=0.273 ms

--- 172.16.1.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.273/0.540/0.687/0.164 ms

Step 2. Set up GRE

I take the GRE setup example from the official documentation. I create a file gre1 in the /etc/network/interfaces.d directory with the following contents.

For VG1:

auto gre1
iface gre1 inet static
address 1.1.1.1
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.254 local 172.16.1.253 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

For VG2:

auto gre1
iface gre1 inet static
address 1.1.1.2
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.253 local 172.16.1.254 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

I bring the interface up in the system:

root@VG1:~# ifup gre1
root@VG2:~# ifup gre1

Checking:

root@VG1:~# ip address show
8: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1
    link/gre 172.16.1.253 peer 172.16.1.254
    inet 1.1.1.1/30 brd 1.1.1.3 scope global gre1
       valid_lft forever preferred_lft forever

root@VG1:~# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.16.1.254 local 172.16.1.253 ttl 64 tos inherit key 1

The C-Terra Gateway has a built-in packet sniffer, tcpdump. I'll write a traffic dump to a pcap file:

root@VG2:~# tcpdump -i eth0 -w /home/dump.pcap

I start a ping between the GRE interfaces:

root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.850 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=0.974 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.850/0.915/0.974/0.043 ms

The GRE tunnel is working:

Step 3. Encrypt GRE with GOST

I set the identity type to address. Authentication is by pre-shared key (according to the Rules of Use, digital certificates must be used):

VG1(config)#
crypto isakmp identity address
crypto isakmp key KEY address 172.16.1.254

I set the IPsec Phase I parameters:

VG1(config)#
crypto isakmp policy 1
encr gost
hash gost3411-256-tc26
auth pre-share
group vko2

I set the IPsec Phase II parameters:

VG1(config)#
crypto ipsec transform-set TSET esp-gost28147-4m-imit
mode tunnel

I create an access list for encryption. The target traffic is GRE:

VG1(config)#
ip access-list extended LIST
permit gre host 172.16.1.253 host 172.16.1.254

I create a crypto map and bind it to the WAN interface (the peer is VG2's WAN address, 172.16.1.254):

VG1(config)#
crypto map CMAP 1 ipsec-isakmp
match address LIST
set transform-set TSET
set peer 172.16.1.254
interface fa0/0
  crypto map CMAP

For VG2 the configuration is the same; the differences are (the peer is VG1's WAN address, 172.16.1.253):

VG2(config)#
crypto isakmp key KEY address 172.16.1.253
ip access-list extended LIST
permit gre host 172.16.1.254 host 172.16.1.253
crypto map CMAP 1 ipsec-isakmp
set peer 172.16.1.253

Checking:

root@VG2:~# tcpdump -i eth0 -w /home/dump2.pcap
root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1128 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=126 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=1.07 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=1.12 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.077/314.271/1128.419/472.826 ms, pipe 2

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 1 (172.16.1.253,500)-(172.16.1.254,500) active 1086 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 1 (172.16.1.253,*)-(172.16.1.254,*) 47 ESP tunn 480 480

There are no GRE packets in the traffic dump, only ESP:

Conclusion: the GRE-over-IPsec scheme works correctly.

Scheme 1.5: IPsec-over-GRE

I don't plan to use IPsec-over-GRE on the network. I'm building it because I want to.

To turn the GRE-over-IPsec scheme inside out:

  • Correct the encryption access list: the traffic of interest is from LAN1 to LAN2 and back;
  • Set up routing through GRE;
  • Add the crypto map to the GRE interface.

By default there is no GRE interface in the gateway's Cisco-like console. It exists only in the operating system.

I add the GRE interface to the Cisco-like console. To do this I edit the /etc/ifaliases.cf file:

interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="FastEthernet0/2" pattern="eth2")
interface (name="FastEthernet0/3" pattern="eth3")
interface (name="Tunnel0" pattern="gre1")
interface (name="default" pattern="*")

where gre1 is the interface name in the operating system and Tunnel0 is the interface name in the Cisco-like console.

I recalculate the file's integrity hash:

root@VG1:~# integr_mgr calc -f /etc/ifaliases.cf

SUCCESS:  Operation was successful.

Now the Tunnel0 interface has appeared in the Cisco-like console:

VG1# show run
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
mtu 1400

Correcting the access list for encryption (LAN1 is 192.168.1.0/24 behind VG1, LAN2 is 192.168.2.0/24 behind VG2):

VG1(config)#
ip access-list extended LIST
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

I set up routing through GRE, replacing the default route with a route to LAN2 via the far end of the tunnel:

VG1(config)#
no ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 192.168.2.0 255.255.255.0 1.1.1.2

I remove the crypto map from Fa0/0 and bind it to the GRE interface:

VG1(config)#
interface fa0/0
no crypto map CMAP
interface Tunnel0
crypto map CMAP

The same for VG2, with the addresses mirrored.

Checking:

root@VG2:~# tcpdump -i eth0 -w /home/dump3.pcap

root@VG1:~# ping 192.168.2.254 -I 192.168.1.253 -c 4
PING 192.168.2.254 (192.168.2.254) from 192.168.1.253 : 56(84) bytes of data.
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=492 ms
64 bytes from 192.168.2.254: icmp_seq=2 ttl=64 time=1.08 ms
64 bytes from 192.168.2.254: icmp_seq=3 ttl=64 time=1.06 ms
64 bytes from 192.168.2.254: icmp_seq=4 ttl=64 time=1.07 ms

--- 192.168.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.064/124.048/492.972/212.998 ms

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 2 (172.16.1.253,500)-(172.16.1.254,500) active 1094 1022

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 2 (192.168.1.0-192.168.1.255,*)-(192.168.2.0-192.168.2.255,*) * ESP tunn 352 352

In the traffic dump, the ESP packets are encapsulated in GRE:

Conclusion: IPsec-over-GRE works correctly.

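The two dump verdicts above (only ESP on the wire for GRE-over-IPsec, ESP inside GRE for IPsec-over-GRE) can be checked without opening the pcap by hand. The following Python script is an added example, not part of the original article or of the S-Terra product: it walks a classic little-endian pcap with an Ethernet link type (as tcpdump -w produces on these gateways, assumed untagged), reads the outer IPv4 protocol of every frame and, for GRE, the protocol of the packet carried inside the GRE header, then counts the encapsulation orders it saw. The two captures at the bottom are constructed in memory so the script runs offline; a real dump such as /home/dump2.pcap can be passed as open(path, "rb").read().

```python
import struct

PROTO_GRE, PROTO_ESP = 47, 50   # IP protocol numbers seen in the dumps

def ipv4_header(buf, off):
    """Return (protocol, offset of payload) for the IPv4 header at buf[off:]."""
    return buf[off + 9], off + (buf[off] & 0x0F) * 4

def gre_payload_offset(buf, off):
    """Skip a GRE header (RFC 2784/2890); the 'key 1' tunnels on this page set the K bit."""
    flags = buf[off]
    off += 4                          # flags/version + protocol type
    off += 4 if flags & 0x80 else 0   # C: checksum + reserved
    off += 4 if flags & 0x20 else 0   # K: key
    off += 4 if flags & 0x10 else 0   # S: sequence number
    return off

def classify_frame(frame):
    """Label an Ethernet/IPv4 frame by the encapsulation order visible on the wire."""
    proto, off = ipv4_header(frame, 14)           # 14-byte Ethernet header
    if proto == PROTO_ESP:
        return "esp"                              # GRE-over-IPsec: GRE is hidden inside ESP
    if proto == PROTO_GRE:
        inner, _ = ipv4_header(frame, gre_payload_offset(frame, off))
        return "gre/esp" if inner == PROTO_ESP else "gre/%d" % inner
    return "ip/%d" % proto

def summarize_pcap(data):
    """Count encapsulation labels over a classic little-endian pcap with Ethernet link type."""
    counts, off = {}, 24                          # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        label = classify_frame(data[off + 16:off + 16 + incl_len])
        counts[label] = counts.get(label, 0) + 1
        off += 16 + incl_len
    return counts

# --- constructed sample captures (not the dumps from the article) ---
def _ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload
def _pcap(frames):   # magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
VG1, VG2 = (172, 16, 1, 253), (172, 16, 1, 254)
ETH, ESP_BLOB = b"\x00" * 12 + b"\x08\x00", b"\x00" * 24   # dummy MACs; stand-in ESP header+ciphertext
GRE_HDR = struct.pack("!HHI", 0x2000, 0x0800, 1)           # K bit set, IPv4 inside, key 1
GRE_OVER_IPSEC = _pcap([ETH + _ipv4(PROTO_ESP, VG1, VG2, ESP_BLOB)] * 4)
IPSEC_OVER_GRE = _pcap([ETH + _ipv4(PROTO_GRE, VG1, VG2,
                        GRE_HDR + _ipv4(PROTO_ESP, (1, 1, 1, 1), (1, 1, 1, 2), ESP_BLOB))] * 4)
```

A dump from scheme 1 should yield only the "esp" label, and a dump from scheme 1.5 only "gre/esp"; any "gre/1" entries would mean ICMP leaving the tunnel unencrypted.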
Results

One cup of coffee was enough. I listed the steps for obtaining the demo version. I configured GRE-over-IPsec and turned it inside out.

The network interface map in version 4.3 builds itself! I'm continuing with further tests.

Unknown Engineer
t.me/anonymous_engineer


Source: www.habr.com
