1.5 schemes on a domestic IPsec VPN. Testing the demos


Situation

I got a three-month demo of the S-Terra VPN products, version 4.3. I want to find out whether my life as an engineer gets easier after moving to the new version.

It is not hard these days; one sachet of 3-in-1 instant coffee should be enough. I'll show how to get the demos, then try to build the GRE-over-IPsec and IPsec-over-GRE schemes.

How to get a demo


As the picture shows, to get a demo you will need:

Demos are valid for three months. The vendor does not limit their functionality.


The Security Gateway demo is a virtual machine image. I use VMware Workstation. The full list of supported hypervisors and virtualization environments is on the vendor's website.

Before starting, keep in mind that the stock virtual machine image has no network interfaces:


The logic is clear: the user adds as many interfaces as needed. I add four at once:


Now I start the virtual machine. Right after boot the gateway asks for a username and password.

S-Terra Gateway has several consoles with different accounts; I'll count them in a separate article. For now, the default credentials of the demo image (change them before the gateway sees anything but the lab network):
Login as: administrator
Password: s-terra

I initialize the gateway. Initialization is a sequence of actions: entering the license, seeding the biological random number generator (a keyboard-mashing simulator; my record is 27 seconds) and building the network interface map.

Network interface map. It got easier

Version 4.2 greeted the active user with these messages:

Starting IPsec daemon….. failed
ERROR: Could not establish connection with daemon

An active user (in the anonymous engineer's terminology) is one who configures anything quickly and without reading the documentation.

Something went wrong before an IP address could even be set on an interface. It was all about the network interface map, which had to be built like this:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
service networking restart

As a result, a network interface map is created listing each physical interface (0000:02:03.0) with its names in the operating system (eth0) and in the Cisco-like console (FastEthernet0/0):

#Unique ID     iface type   OS name   Cisco-like name
0000:02:03.0   phye         eth0      FastEthernet0/0

The logical interface names are called aliases and are stored in /etc/ifaliases.cf.

In version 4.3 the interface map is created automatically on the virtual machine's first boot. If you change the number of network interfaces in the virtual machine, recreate the map:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
systemctl restart networking

Scheme 1: GRE-over-IPsec

I deploy two virtual gateways and wire them as shown in the picture:


Step 1. Set IP addresses and routes

VG1(config)#
interface fa0/0
ip address 172.16.1.253 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.1.253 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254

VG2(config)#
interface fa0/0
ip address 172.16.1.254 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.2.254 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.253

Checking IP connectivity:

root@VG1:~# ping 172.16.1.254 -c 4
PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.545 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=0.657 ms
64 bytes from 172.16.1.254: icmp_seq=3 ttl=64 time=0.687 ms
64 bytes from 172.16.1.254: icmp_seq=4 ttl=64 time=0.273 ms

--- 172.16.1.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.273/0.540/0.687/0.164 ms

Step 2. Configure GRE

Here is a GRE setup taken from the vendor's scripts. I create a gre1 file in /etc/network/interfaces.d with the following contents.

For VG1:

auto gre1
iface gre1 inet static
address 1.1.1.1
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.254 local 172.16.1.253 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

For VG2:

auto gre1
iface gre1 inet static
address 1.1.1.2
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.253 local 172.16.1.254 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

I bring the interface up in the operating system:

root@VG1:~# ifup gre1
root@VG2:~# ifup gre1

Checking:

root@VG1:~# ip address show
8: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1
    link/gre 172.16.1.253 peer 172.16.1.254
    inet 1.1.1.1/30 brd 1.1.1.3 scope global gre1
       valid_lft forever preferred_lft forever

root@VG1:~# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.16.1.254 local 172.16.1.253 ttl 64 tos inherit key 1

S-Terra Gateway has a built-in packet sniffer, tcpdump. I write a traffic dump to a pcap file:

root@VG2:~# tcpdump -i eth0 -w /home/dump.pcap

I start pinging between the GRE interface addresses:

root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.850 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=0.974 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.850/0.915/0.974/0.043 ms

The GRE tunnel is working:


Step 3. Encrypt the GRE with GOST

I set the identity type to address. Authentication is by pre-shared key (the product's terms of use require digital certificates; a PSK is used here only to bring the demo up quickly):

VG1(config)#
crypto isakmp identity address
crypto isakmp key KEY address 172.16.1.254

I set the IKE Phase 1 parameters:

VG1(config)#
crypto isakmp policy 1
encr gost
hash gost3411-256-tc26
auth pre-share
group vko2

I set the IPsec Phase 2 parameters:

VG1(config)#
crypto ipsec transform-set TSET esp-gost28147-4m-imit
mode tunnel

I create the access list for encryption. The target traffic is GRE between the gateways' WAN addresses:

VG1(config)#
ip access-list extended LIST
permit gre host 172.16.1.253 host 172.16.1.254

I create the crypto map and bind it to the WAN interface (set peer names the remote gateway, which from VG1's point of view is 172.16.1.254):

VG1(config)#
crypto map CMAP 1 ipsec-isakmp
match address LIST
set transform-set TSET
set peer 172.16.1.254
interface fa0/0
  crypto map CMAP

The VG2 configuration is a mirror image; the differences:

VG2(config)#
crypto isakmp key KEY address 172.16.1.253
ip access-list extended LIST
permit gre host 172.16.1.254 host 172.16.1.253
crypto map CMAP 1 ipsec-isakmp
set peer 172.16.1.253

Checking:

root@VG2:~# tcpdump -i eth0 -w /home/dump2.pcap
root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1128 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=126 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=1.07 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=1.12 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.077/314.271/1128.419/472.826 ms, pipe 2

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 1 (172.16.1.253,500)-(172.16.1.254,500) active 1086 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 1 (172.16.1.253,*)-(172.16.1.254,*) 47 ESP tunn 480 480

There is no GRE traffic in the dump; between the WAN addresses only ESP is visible:


Conclusion: the GRE-over-IPsec scheme works correctly.

Scheme 1.5: IPsec-over-GRE

I don't plan to use IPsec-over-GRE in my network. I'm building it because I want to.


To turn the GRE-over-IPsec scheme inside out, I need to:

  • fix the encryption access list: the target traffic is LAN1 to LAN2 and back;
  • configure routing over GRE;
  • hang the crypto map on the GRE interface.

By default the GRE interface does not exist in the gateway's Cisco-like console; it exists only in the operating system.

I add the GRE interface to the Cisco-like console by editing /etc/ifaliases.cf:

interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="FastEthernet0/2" pattern="eth2")
interface (name="FastEthernet0/3" pattern="eth3")
interface (name="Tunnel0" pattern="gre1")
interface (name="default" pattern="*")

Here gre1 is the interface name in the operating system and Tunnel0 is the name it gets in the Cisco-like console.

I recalculate the file's integrity hash:

root@VG1:~# integr_mgr calc -f /etc/ifaliases.cf

SUCCESS:  Operation was successful.

Now the Tunnel0 interface shows up in the Cisco-like console:

VG1# show run
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
mtu 1400

I fix the encryption access list (the LAN behind VG2 is 192.168.2.0/24, as set up in step 1):

VG1(config)#
ip access-list extended LIST
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

I configure routing over GRE:

VG1(config)#
no ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 192.168.2.0 255.255.255.0 1.1.1.2

I remove the crypto map from fa0/0 and bind it to the GRE interface:

VG1(config)#
interface fa0/0
  no crypto map CMAP
interface Tunnel0
  crypto map CMAP

The same, mirrored, for VG2.

Checking:

root@VG2:~# tcpdump -i eth0 -w /home/dump3.pcap

root@VG1:~# ping 192.168.2.254 -I 192.168.1.253 -c 4
PING 192.168.2.254 (192.168.2.254) from 192.168.1.253 : 56(84) bytes of data.
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=492 ms
64 bytes from 192.168.2.254: icmp_seq=2 ttl=64 time=1.08 ms
64 bytes from 192.168.2.254: icmp_seq=3 ttl=64 time=1.06 ms
64 bytes from 192.168.2.254: icmp_seq=4 ttl=64 time=1.07 ms

--- 192.168.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.064/124.048/492.972/212.998 ms

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 2 (172.16.1.253,500)-(172.16.1.254,500) active 1094 1022

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 2 (192.168.1.0-192.168.1.255,*)-(192.168.2.0-192.168.2.255,*) * ESP tunn 352 352

In the traffic dump the ESP packets are wrapped in GRE:


Conclusion: IPsec-over-GRE works correctly.
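Both checks in this article, "no GRE in the dump" for scheme 1 and "ESP wrapped in GRE" for scheme 1.5, can be scripted instead of eyeballed in a packet viewer. The script below is an added example; it is not code from the article or from S-Terra. It assumes a classic libpcap file (what tcpdump -w writes by default; pcapng is not handled) with Ethernet framing and IPv4, and the capture it runs on is constructed inline from the article's addresses rather than taken from the lab. A frame whose outer protocol is ESP is what scheme 1 should show on eth0; GRE carrying ESP is what scheme 1.5 should show; GRE carrying anything else means tunnel traffic crossed the WAN unprotected, as in the step 2 dump before the crypto map existed.

```python
# Added example: classify what is on the WAN (eth0) side of the gateway by outer
# encapsulation. Not from the article or from S-Terra. Handles classic libpcap
# (what tcpdump -w writes) with Ethernet + IPv4; the sample capture is constructed.
import socket
import struct
from collections import Counter

ETH_IPV4 = 0x0800
PROTO_ICMP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 1, 17, 47, 50
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000


def iter_frames(pcap):
    """Yield the captured bytes of every record in a classic pcap file."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected an Ethernet capture")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def gre_payload(gre):
    """Skip the GRE header, including the optional checksum/key/sequence words."""
    flags, ptype = struct.unpack("!HH", gre[:4])
    off = 4 + sum(4 for f in (GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ) if flags & f)
    return ptype, gre[off:]


def classify_frame(frame):
    """Label: esp | ike | gre:esp | gre:cleartext | ip<proto> | other."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return "other"
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto == PROTO_ESP:
        return "esp"                      # scheme 1: GRE is inside ESP, nothing visible
    if proto == PROTO_UDP and len(ip) >= ihl + 8:
        if set(struct.unpack("!HH", ip[ihl:ihl + 4])) & {500, 4500}:
            return "ike"                  # ISAKMP negotiation, expected in the clear
    if proto != PROTO_GRE:
        return f"ip{proto}"
    ptype, inner = gre_payload(ip[ihl:])
    if ptype == ETH_IPV4 and len(inner) >= 20 and inner[9] == PROTO_ESP:
        return "gre:esp"                  # scheme 1.5: ESP carried over GRE
    return "gre:cleartext"                # GRE carrying an unprotected payload: a leak


def audit(pcap):
    """Count frames per class; compare with what the chosen scheme should produce."""
    return Counter(classify_frame(f) for f in iter_frames(pcap))


def cleartext_leaks(counts):
    """Tunnel traffic that crossed the WAN without ESP around it."""
    return counts["gre:cleartext"]


# --- constructed sample capture, using the article's addresses ---------------
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:] + payload


def _frame(ip_packet):
    return bytes.fromhex("000c29000002000c29000001") + struct.pack("!H", ETH_IPV4) + ip_packet


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


WAN1, WAN2, TUN1, TUN2 = "172.16.1.253", "172.16.1.254", "1.1.1.1", "1.1.1.2"
_gre = struct.pack("!HHI", GRE_FLAG_KEY, ETH_IPV4, 1)        # key 1, as in gre1
_esp = struct.pack("!II", 0x1234ABCD, 1) + bytes(48)        # SPI, seq, opaque body
_icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping" * 4  # echo request, checksum 0
_ike = struct.pack("!HHHH", 500, 500, 8 + 28, 0) + bytes(28)
SAMPLE_PCAP = _pcap([
    _frame(_ipv4(WAN1, WAN2, PROTO_UDP, _ike)),                                        # IKE
    _frame(_ipv4(WAN1, WAN2, PROTO_ESP, _esp)),                                        # scheme 1
    _frame(_ipv4(WAN1, WAN2, PROTO_GRE, _gre + _ipv4(TUN1, TUN2, PROTO_ESP, _esp))),   # scheme 1.5
    _frame(_ipv4(WAN1, WAN2, PROTO_GRE, _gre + _ipv4(TUN1, TUN2, PROTO_ICMP, _icmp))), # step 2 ping
])

if __name__ == "__main__":
    counts = audit(SAMPLE_PCAP)
    print(dict(counts), "leaks:", cleartext_leaks(counts))
```

On the gateway, audit(open("/home/dump2.pcap", "rb").read()) is the scheme 1 check: anything other than esp and ike in the result, and in particular a non-zero cleartext_leaks(), means the crypto ACL did not match the GRE traffic. For the scheme 1.5 dump the expected classes are gre:esp and ike.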

Results

One cup of coffee was enough. I wrote out how to get the demo version, and set up GRE-over-IPsec and its inverse.

In version 4.3 the network interface map is built automatically! I'll keep testing.

Anonim muhandis
t.me/anonymous_engineer


Source: www.habr.com
