A method for troubleshooting IPsec VPN at home. Part 1


Situation

A day off. I'm drinking coffee. A student set up a VPN connection between two sites and it went dead. I check: the tunnel really is there, but there is no traffic in it. The student isn't answering calls.

I put the kettle on and dive into troubleshooting the S-Terra Gateway. I'm sharing my experience and my method.

Initial data

Two remote sites are connected by a GRE tunnel. The GRE traffic has to be encrypted:

[network diagram: R1 - Gate1 - Gate2 - R2]

I check whether the GRE tunnel works. To do this I run ping from device R1 to the GRE interface of device R2. This is the target traffic that is supposed to be encrypted. No response:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms

I look at the logs on Gate1 and Gate2. The log cheerfully reports that the IPsec tunnel was established successfully, no problems:

root@Gate1:~# cat /var/log/cspvpngate.log
Aug  5 16:14:23 localhost  vpnsvc: 00100119 <4:1> IPSec connection 5 established, traffic selector 172.17.0.1->172.16.0.1, proto 47, peer 10.10.10.251, id "10.10.10.251", Filter IPsec:Protect:CMAP:1:LIST, IPsecAction IPsecAction:CMAP:1, IKERule IKERule:CMAP:1

In the IPsec tunnel statistics on Gate1 I see that the tunnel exists, but the Rcvd counter is stuck at zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0
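The "Sent > 0, Rcvd = 0" pattern is the first hard clue in this story, so it is worth being able to spot it automatically across many SAs. The script below is an added example, not part of the original post and not an S-Terra tool: it parses the `sa_mgr show` output format as it appears above (the two sample texts are constructed from the post's own "before" and "after" outputs) and flags every IPsec SA whose return counter is zero.

```python
import re

# Constructed sample input: the `sa_mgr show` output from Gate1 before the fix.
# The IPsec SA has Sent > 0 but Rcvd = 0: encrypted traffic leaves, nothing comes back.
SA_MGR_BEFORE = """\
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0
"""

# Constructed sample input: the same output after the Gate2 access list was fixed.
SA_MGR_AFTER = """\
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1474 1350

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 4 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 1920 480
"""

# One row of the "IPsec connections" table:
# number, conn-id, traffic selector, protocol, action, type, Sent, Rcvd.
IPSEC_ROW = re.compile(
    r"^(?P<num>\d+)\s+(?P<conn_id>\d+)\s+"
    r"(?P<selector>\([^)]*\)-\([^)]*\))\s+"
    r"(?P<proto>\S+)\s+(?P<action>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<sent>\d+)\s+(?P<rcvd>\d+)$"
)


def parse_ipsec_connections(text):
    """Return the rows of the 'IPsec connections' table as dicts with integer counters."""
    rows = []
    in_ipsec = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("IPsec connections:"):
            in_ipsec = True
            continue
        if line.startswith("ISAKMP connections:"):
            in_ipsec = False
            continue
        # Skip blank lines, the column header and anything outside the IPsec table.
        if not in_ipsec or not line or line.startswith("Num"):
            continue
        m = IPSEC_ROW.match(line)
        if m:
            row = m.groupdict()
            for key in ("num", "conn_id", "sent", "rcvd"):
                row[key] = int(row[key])
            rows.append(row)
    return rows


def find_one_way_sas(text):
    """SAs that have sent traffic but received none: the return path is broken somewhere."""
    return [
        row for row in parse_ipsec_connections(text)
        if row["sent"] > 0 and row["rcvd"] == 0
    ]


if __name__ == "__main__":
    for label, sample in (("before", SA_MGR_BEFORE), ("after", SA_MGR_AFTER)):
        suspects = find_one_way_sas(sample)
        for row in suspects:
            print(f"{label}: {row['selector']} proto {row['proto']}: "
                  f"sent {row['sent']}, rcvd {row['rcvd']} -> check the return path")
        if not suspects:
            print(f"{label}: every IPsec SA sees traffic in both directions")
```

A one-way SA does not tell you which side is at fault; it only tells you that the ISAKMP exchange is fine (both ISAKMP counters move) while the ESP data path is not, which is exactly what narrows the search to a firewall or routing rule rather than to the IKE configuration.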

Here is how I'll interrogate S-Terra: I'll look for the point where the encrypted packets get lost on the way from R1 to R2. Along the way (spoiler) I'll find a mistake.

Looking for the mistake

Step 1. What Gate1 receives from R1

I use the built-in packet sniffer, tcpdump. I run it on the internal interface (Gi0/1 in Cisco-like notation, eth1 in Debian OS notation):

root@Gate1:~# tcpdump -i eth1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:53:38.879525 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 1, length 64
14:53:39.896869 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 2, length 64
14:53:40.921121 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 3, length 64
14:53:41.944958 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 4, length 64

I see that Gate1 receives the GRE packets from R1. Moving on.

Step 2. What Gate1 does with the GRE packets

Using the klogview utility, I look at what happens to the GRE packets inside the S-Terra VPN driver:

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated

I see that the target GRE traffic (proto 47) 172.16.0.1 -> 172.17.0.1 matched the LIST rule of the CMAP crypto map and was encrypted. After that the packet was routed (passed). There is no return traffic in the klogview output.

I also look at the access lists on the Gate1 device. I see a single access list, LIST, which defines the target traffic for encryption; in other words, no firewall rules are configured here:

Gate1#show access-lists
Extended IP access list LIST
    10 permit gre host 172.16.0.1 host 172.17.0.1

Conclusion: the problem is not on the Gate1 device.

More about klogview

The VPN driver handles all network traffic, not only the traffic that needs to be encrypted. These are the messages you see in klogview when the VPN driver handles network traffic and forwards it unencrypted:

root@R1:~# ping 172.17.0.1 -c 4

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered

I see that the ICMP traffic (proto 1) 172.16.0.1->172.17.0.1 did not match (no match) the encryption rules of the CMAP crypto map. The packet was routed (passed) in clear text.

Step 3. What Gate2 receives from Gate1

I run the sniffer on the WAN interface (eth0) of Gate2:

root@Gate2:~# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:45.104195 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x1), length 140
16:05:46.093918 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x2), length 140
16:05:47.117078 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x3), length 140
16:05:48.141785 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x4), length 140

I see that Gate2 receives the ESP packets from Gate1.

Step 4. What Gate2 does with the ESP packets

I run the klogview utility on Gate2:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall

I see that the ESP packets (proto 50) are dropped (DROP) by a firewall rule (L3VPN). I confirm that the L3VPN access list is bound to Gi0/0:

Gate2#show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.10.10.252/24
  MTU is 1500 bytes
  Outgoing access list is not set
  Inbound  access list is L3VPN

I've found the problem.

Step 5. What is wrong with the access list

I look at what the L3VPN access list contains:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any

I see that ISAKMP packets are permitted, which is why the IPsec tunnel was established. But there is no rule permitting ESP. Apparently the student mixed up icmp and esp.

Fixing the access list:

Gate2(config)#
ip access-list extended L3VPN
no 30
30 permit esp host 10.10.10.251 any
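The mistake in step 5 is easy to make and easy to miss by eye, because the tunnel still comes up. The script below is an added example, not from the post and not an S-Terra feature: it parses `show access-list` output in the format shown above and checks, with first-match semantics, that the list permits from the peer the three things an IPsec gateway must accept on its WAN interface, which is what the post's L3VPN list is meant to do: IKE (udp, isakmp), IKE over NAT-T (udp, non500-isakmp) and ESP (IP protocol 50). The two sample lists are constructed from the post's "before" and "after" outputs; the peer address is a parameter.

```python
import re

# Constructed sample input: the L3VPN access list as the student left it (the "before").
ACL_BROKEN = """\
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any
"""

# Constructed sample input: the same list after the fix (entry 30 now permits esp).
ACL_FIXED = """\
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any
"""

# What the WAN-side list must let in from the IPsec peer:
# (protocol keyword, destination port keyword or None for "no port").
REQUIRED = [
    ("udp", "isakmp"),          # IKE, udp/500
    ("udp", "non500-isakmp"),   # IKE through NAT-T, udp/4500
    ("esp", None),              # the encrypted data itself, IP protocol 50
]


def _take_addr(toks):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return f"host {toks[1]}", toks[2:]
    return f"{toks[0]} {toks[1]}", toks[2:]


def parse_acl(text):
    """Parse `show access-list` output into (name, entries)."""
    name = None
    entries = []
    for line in text.splitlines():
        m = re.match(r"^Extended IP access list (\S+)", line.strip())
        if m:
            name = m.group(1)
            continue
        toks = line.split()
        # An extended entry is at least: seq action proto src dst
        if len(toks) < 5 or not toks[0].isdigit():
            continue
        seq, action, proto = int(toks[0]), toks[1], toks[2]
        src, rest = _take_addr(toks[3:])
        dst, rest = _take_addr(rest)
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append({"seq": seq, "action": action, "proto": proto,
                        "src": src, "dst": dst, "port": port})
    return name, entries


def _src_covers(entry_src, peer):
    return entry_src == "any" or entry_src == f"host {peer}"


def _first_match(entries, proto, port, peer):
    """First-match lookup, as an ACL evaluates it: the first entry that covers the flow decides."""
    for e in entries:
        if not _src_covers(e["src"], peer):
            continue
        if e["proto"] == "ip" and e["port"] is None:      # 'permit/deny ip ...' covers everything
            return e
        if e["proto"] == proto and e["port"] in (None, port):
            return e
    return None


def missing_ipsec_permits(acl_text, peer):
    """Return the (proto, port) pairs that the list does not permit from `peer`."""
    _, entries = parse_acl(acl_text)
    missing = []
    for proto, port in REQUIRED:
        hit = _first_match(entries, proto, port, peer)
        if hit is None or hit["action"] != "permit":
            missing.append((proto, port))
    return missing


if __name__ == "__main__":
    for label, acl in (("before", ACL_BROKEN), ("after", ACL_FIXED)):
        name, _ = parse_acl(acl)
        gaps = missing_ipsec_permits(acl, "10.10.10.251")
        print(f"{label}: {name} missing {gaps or 'nothing'}")
```

Run against the "before" list it reports only `esp` as missing, which is the single entry the fix adds; against the "after" list it reports nothing. The check is deliberately pessimistic about source addresses (only `any` or an exact `host` match counts), so a list that relies on a wildcard mask will be reported as missing and should be reviewed by hand.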

Step 6. Checking that it works

First, I make sure the L3VPN access list is now correct:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any

Now I start the target traffic from device R1:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=35.3 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=3.01 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=2.87 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 2.650/10.970/35.338/14.069 ms

Victory. The GRE tunnel is up. The incoming traffic counter in the IPsec statistics is no longer zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1474 1350

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 4 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 1920 480

On the Gate2 gateway, messages appeared in the klogview output saying that the target traffic 172.16.0.1->172.17.0.1 was successfully decrypted (PASS) by the LIST rule of the CMAP crypto map:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated
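The klogview output appears four times in this post with four different outcomes: traffic selected by the crypto map and encrypted (step 2), traffic with no crypto-map match forwarded in clear text ("More about klogview"), ESP dropped by a firewall chain (step 4), and traffic decrypted on arrival (step 6). The script below is an added example, not from the post and not an S-Terra utility: it parses the `filtration result` and `passed`/`dropped` line formats exactly as they appear in those outputs, pairs each decision with the verdict line that follows it, and turns the pair into the plain-language reading the post gives for each case. The sample text is constructed from the post's own lines.

```python
import re

# Constructed sample input: klogview lines copied from the four situations in the post
# (Gate1 encrypting GRE, Gate1 passing ICMP in clear text, Gate2 dropping ESP, Gate2 decrypting GRE).
KLOGVIEW_SAMPLE = """\
filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated
filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated
"""

# A filtering decision: which chain looked at the packet and what it decided.
FILTRATION = re.compile(
    r'^filtration result for (?P<dir>in|out) packet (?P<src>\S+)->(?P<dst>\S+), '
    r'proto (?P<proto>\d+), len (?P<len>\d+), if (?P<iface>\S+): '
    r'chain (?P<chain_no>\d+) "(?P<chain>[^"]+)"'
    r'(?:, filter (?P<filter>\d+))?'
    r'(?:, event id (?P<event>[^,]+))?'
    r'(?:, status (?P<status>\w+)|: (?P<nomatch>no match))$'
)

# The verdict that follows: what finally happened to the packet and why.
VERDICT = re.compile(
    r'^(?P<verdict>passed|dropped) (?P<dir>in|out) packet (?P<src>\S+)->(?P<dst>\S+), '
    r'proto (?P<proto>\d+), len (?P<len>\d+), if (?P<iface>\S+): (?P<reason>\w+)$'
)


def explain(rec):
    """Translate one decision into the reading used in the post."""
    family, _, name = rec["chain"].partition(":")   # "IPsecPolicy:CMAP" -> ("IPsecPolicy", "CMAP")
    if rec["nomatch"]:
        return "no crypto map match, forwarded in clear text"
    if family == "IPsecPolicy" and rec["status"] == "PASS":
        if rec["dir"] == "out":
            return f"selected by crypto map {name}, encrypted before forwarding"
        return f"selected by crypto map {name}, decrypted on arrival"
    if family == "FilterChain" and rec["status"] == "DROP":
        return f"dropped by firewall access list {name}"
    return f"{rec['status']} in chain {rec['chain']}"


def parse_klogview(text):
    """Pair each 'filtration result' line with the 'passed'/'dropped' verdict that follows it."""
    events = []
    pending = None
    for line in text.splitlines():
        m = FILTRATION.match(line)
        if m:
            pending = m.groupdict()
            pending["proto"] = int(pending["proto"])
            continue
        m = VERDICT.match(line)          # 'encapsulating with SA ...' lines fall through here
        if m and pending is not None:
            pending["verdict"] = m.group("verdict")
            pending["reason"] = m.group("reason")
            pending["explanation"] = explain(pending)
            events.append(pending)
            pending = None
    return events


def firewall_drops(text):
    """(src, dst, proto, access-list name) for every packet a FilterChain dropped."""
    drops = []
    for e in parse_klogview(text):
        family, _, name = e["chain"].partition(":")
        if family == "FilterChain" and e["status"] == "DROP":
            drops.append((e["src"], e["dst"], e["proto"], name))
    return drops


if __name__ == "__main__":
    for e in parse_klogview(KLOGVIEW_SAMPLE):
        print(f"{e['dir']:>3} {e['src']}->{e['dst']} proto {e['proto']:>2}: "
              f"{e['verdict']} ({e['reason']}): {e['explanation']}")
```

The useful part during an incident is `firewall_drops`: run over a capture of `klogview -f 0xffffffff` it returns the flow and the name of the access list that discarded it, which is what pointed at L3VPN in step 4 of the post.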

Results

One student spoiled a day off.
Be careful with firewall rules.

Anonymous engineer
t.me/anonymous_engineer


Source: www.habr.com
