How to troubleshoot an IPsec VPN at home. Part 1


Situation

A day off. I'm drinking coffee. A student had set up a VPN connection between two sites and vanished. I check: the tunnel is really there, but there is no traffic in it. The student isn't answering calls.

I put the kettle on and dived into the S-Terra Gateway to troubleshoot. I'm sharing my experience and method.

Initial data

Two geographically separate sites are connected by a GRE tunnel. The GRE traffic must be encrypted:

[Diagram of the setup: the GRE tunnel between the two sites]

I check whether the GRE tunnel works. To do this, I run a ping from device R1 to the GRE interface of device R2. This is the target traffic that should be encrypted. No reply:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms

I look at the logs on Gate1 and Gate2. The log cheerfully reports that the IPsec tunnel was established successfully, no problems:

root@Gate1:~# cat /var/log/cspvpngate.log
Aug  5 16:14:23 localhost  vpnsvc: 00100119 <4:1> IPSec connection 5 established, traffic selector 172.17.0.1->172.16.0.1, proto 47, peer 10.10.10.251, id "10.10.10.251", Filter IPsec:Protect:CMAP:1:LIST, IPsecAction IPsecAction:CMAP:1, IKERule IKERule:CMAP:1

In the IPsec tunnel statistics on Gate1 I see that the tunnel really exists, but the Rcvd counter is stuck at zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0

I troubleshoot S-Terra like this: I look for where the target packets get lost on the way from R1 to R2. In the process (spoiler) I will find a mistake.

Troubleshooting

Step 1. What Gate1 receives from R1

I use the built-in packet sniffer, tcpdump. I start the sniffer on the internal interface (Gi0/1 in Cisco-like notation, or eth1 in Debian OS notation):

root@Gate1:~# tcpdump -i eth1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:53:38.879525 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 1, length 64
14:53:39.896869 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 2, length 64
14:53:40.921121 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 3, length 64
14:53:41.944958 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 4, length 64

I see that Gate1 receives the GRE packets from R1. Moving on.

Step 2. What Gate1 does with the GRE packets

Using the klogview utility, I see what happens to the GRE packets inside the S-Terra VPN driver:

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated

I see that the target GRE traffic (proto 47) 172.16.0.1 -> 172.17.0.1 matched the LIST encryption rule in the CMAP crypto map and was encapsulated. The packet was then sent (passed). There is no return traffic in the klogview output.

I check the access lists on the Gate1 device. I see a single access list, LIST, which describes the target traffic for encryption; that means no firewall rules are configured:

Gate1#show access-lists
Extended IP access list LIST
    10 permit gre host 172.16.0.1 host 172.17.0.1

Conclusion: the problem is not on the Gate1 device.

More about klogview

The VPN driver handles all network traffic, not only the traffic that needs to be encrypted. These are the messages klogview shows when the VPN driver has processed network traffic and passed it through unencrypted:

root@R1:~# ping 172.17.0.1 -c 4

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered

I see that the ICMP traffic (proto 1) 172.16.0.1 -> 172.17.0.1 did not match (no match) the encryption rules of the CMAP crypto map. The packet was sent (passed) in clear text.
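Reading klogview by eye works for four packets, but on a busy gateway it helps to pair each "passed"/"dropped" line with the "filtration result" line that decided its fate and then pull out only the firewall drops. The following parser is an added example, not part of the original post and not S-Terra's own tooling; it assumes the line format is exactly the one shown in the klogview excerpts from Gate1 (Step 2 and this section) and Gate2 (Step 4), which are embedded below as the constructed sample input. The message formats are taken from this page only; other klogview verbosity levels may print differently.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Protocol numbers that appear in the klogview output on this page.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}

# "filtration result ..." lines carry the policy decision (chain, filter, status).
FILTRATION_RE = re.compile(
    r'^filtration result for (?P<dir>in|out) packet '
    r'(?P<src>[\d.]+)->(?P<dst>[\d.]+), proto (?P<proto>\d+), len (?P<len>\d+), '
    r'if (?P<iface>\S+): chain (?P<chain>\d+) "(?P<chain_name>[^"]+)"'
    r'(?:, filter (?P<filter>\d+))?'
    r'(?:, event id (?P<event>\S+))?'
    r'(?:, status (?P<status>\w+)|: (?P<nomatch>no match))\s*$'
)
# "passed ..." / "dropped ..." lines carry the final verdict and its reason.
VERDICT_RE = re.compile(
    r'^(?P<verdict>passed|dropped) (?P<dir>in|out) packet '
    r'(?P<src>[\d.]+)->(?P<dst>[\d.]+), proto (?P<proto>\d+), len (?P<len>\d+), '
    r'if (?P<iface>\S+): (?P<reason>\S+)\s*$'
)


@dataclass
class PacketEvent:
    direction: str
    src: str
    dst: str
    proto: int
    length: int
    iface: str
    verdict: str                    # "passed" or "dropped"
    reason: str                     # encapsulated / decapsulated / filtered / firewall
    chain_name: Optional[str] = None
    filter_id: Optional[str] = None
    status: Optional[str] = None    # PASS / DROP / "no match"

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, str(self.proto))


def parse_klogview(text: str) -> list[PacketEvent]:
    """Pair each passed/dropped line with the filtration result that preceded it
    for the same (direction, src, dst, proto, len) tuple. A packet that was
    re-encapsulated (new outer addresses) keeps no chain info, by design."""
    pending: dict[tuple, dict] = {}
    events: list[PacketEvent] = []
    for line in text.splitlines():
        line = line.strip()
        m = FILTRATION_RE.match(line)
        if m:
            key = (m["dir"], m["src"], m["dst"], m["proto"], m["len"])
            pending[key] = {
                "chain_name": m["chain_name"],
                "filter_id": m["filter"],
                "status": m["status"] or m["nomatch"],
            }
            continue
        m = VERDICT_RE.match(line)
        if m:
            key = (m["dir"], m["src"], m["dst"], m["proto"], m["len"])
            decision = pending.pop(key, {})
            events.append(PacketEvent(
                direction=m["dir"], src=m["src"], dst=m["dst"],
                proto=int(m["proto"]), length=int(m["len"]), iface=m["iface"],
                verdict=m["verdict"], reason=m["reason"], **decision,
            ))
    return events


def firewall_drops(events: list[PacketEvent]) -> list[PacketEvent]:
    """Packets the VPN driver dropped because a firewall (filter) chain said DROP."""
    return [e for e in events if e.verdict == "dropped" and e.reason == "firewall"]


def describe(e: PacketEvent) -> str:
    where = f"chain {e.chain_name!r} filter {e.filter_id}" if e.chain_name else "no chain recorded"
    return (f"{e.verdict} {e.direction} {e.proto_name} {e.src}->{e.dst} on {e.iface}: "
            f"{e.reason} ({where}, status {e.status})")


# Constructed sample input: the klogview lines quoted from Gate1 and Gate2 on this page.
SAMPLE = """\
filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated
filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall
"""

if __name__ == "__main__":
    evs = parse_klogview(SAMPLE)
    for e in evs:
        print(describe(e))
    for e in firewall_drops(evs):
        print("FIREWALL DROP:", describe(e))
```

On the sample this reports three verdicts and exactly one firewall drop: inbound ESP from 10.10.10.251, decided by chain "FilterChain:L3VPN", filter 21, which is the finding Step 4 below reaches by hand. To use it on a live gateway, pipe `klogview -f 0xffffffff` output into `parse_klogview` instead of the embedded sample.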

Step 3. What Gate2 receives from Gate1

I start the sniffer on the WAN (eth0) interface of Gate2:

root@Gate2:~# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:45.104195 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x1), length 140
16:05:46.093918 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x2), length 140
16:05:47.117078 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x3), length 140
16:05:48.141785 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x4), length 140

I see that Gate2 receives the ESP packets from Gate1.

Step 4. What Gate2 does with the ESP packets

I start the klogview utility on Gate2:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall

I see that the ESP packets (proto 50) were dropped (DROP) by a firewall rule (L3VPN). I verify that Gi0/0 really does have the L3VPN access list attached to it:

Gate2#show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.10.10.252/24
  MTU is 1500 bytes
  Outgoing access list is not set
  Inbound  access list is L3VPN

The problem is found.

Step 5. What is wrong with the access list

I look at what the L3VPN access list contains:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any

I see that ISAKMP packets are permitted, which is why the IPsec tunnel was established. But there is no rule that permits ESP. Apparently the student mixed up icmp and esp.

I edit the access list:

Gate2(config)#
ip access-list extended L3VPN
no 30
30 permit esp host 10.10.10.251 any
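The mistake in Step 5 is easy to make and easy to miss, because IKE still works and the log says "established". A mechanical check of the inbound ACL on the VPN interface catches it: for the peer address, the list must permit UDP 500 (isakmp), UDP 4500 (non500-isakmp, needed when NAT-T is in play) and IP protocol 50 (esp). The script below is an added example, not part of the original post and not an S-Terra or Cisco tool; it parses the `show access-list` format used on this page (sequence number, permit/deny, protocol, `host`/`any`/address-wildcard source and destination, optional `eq` port), evaluates entries first-match with the implicit deny at the end, and reports which IPsec requirements are missing. The peer 10.10.10.251 and local address 10.10.10.252 come from the page; both the broken and the corrected L3VPN lists are embedded as constructed sample input.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Named ports that the ACL output prints instead of numbers (only those used here).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

# What an IPsec peer must be allowed to send to the gateway's outside interface.
IPSEC_REQUIREMENTS = (
    ("IKE", "udp", 500),
    ("IKE NAT-T", "udp", 4500),
    ("ESP", "esp", None),
)


@dataclass
class Ace:
    seq: int
    action: str          # permit / deny
    proto: str           # udp, tcp, esp, icmp, gre, ip ...
    src: str             # CIDR network ("0.0.0.0/0" for any)
    dst: str
    dst_port: Optional[int]


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _take_addr(tokens: list[str], i: int) -> tuple[str, int]:
    tok = tokens[i]
    if tok == "any":
        return "0.0.0.0/0", i + 1
    if tok == "host":
        return f"{tokens[i + 1]}/32", i + 2
    # "A.B.C.D W.X.Y.Z" address plus wildcard; ipaddress accepts a hostmask here.
    net = ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)
    return str(net), i + 2


def _take_port(tokens: list[str], i: int) -> tuple[Optional[int], int]:
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_acl(show_output: str) -> list[Ace]:
    """Parse 'show access-list' lines; header lines and unmodelled syntax are skipped."""
    aces: list[Ace] = []
    for raw in show_output.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or not tokens[0].isdigit() or tokens[1] not in ("permit", "deny"):
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _take_addr(tokens, 3)
        _, i = _take_port(tokens, i)          # source port qualifier, not needed here
        dst, i = _take_addr(tokens, i)
        dst_port, i = _take_port(tokens, i)
        aces.append(Ace(seq, action, proto, src, dst, dst_port))
    return aces


def first_match(aces: list[Ace], proto: str, src_ip: str, dst_ip: str,
                dst_port: Optional[int]) -> Optional[Ace]:
    """First-match semantics; None means the implicit deny at the end of the list."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if src not in ipaddress.ip_network(ace.src) or dst not in ipaddress.ip_network(ace.dst):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace
    return None


def check_ipsec_peer(show_output: str, peer_ip: str, local_ip: str) -> dict[str, tuple[bool, Optional[int]]]:
    """Map each requirement to (permitted?, sequence number of the deciding entry)."""
    aces = parse_acl(show_output)
    report = {}
    for name, proto, port in IPSEC_REQUIREMENTS:
        ace = first_match(aces, proto, peer_ip, local_ip, port)
        report[name] = (ace is not None and ace.action == "permit", ace.seq if ace else None)
    return report


def missing(report: dict[str, tuple[bool, Optional[int]]]) -> list[str]:
    return [name for name, (ok, _) in report.items() if not ok]


# Constructed sample input: the L3VPN list before and after the fix, as shown on this page.
BROKEN_ACL = """\
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any
"""
FIXED_ACL = BROKEN_ACL.replace("30 permit icmp", "30 permit esp")

if __name__ == "__main__":
    for label, acl in (("before", BROKEN_ACL), ("after", FIXED_ACL)):
        report = check_ipsec_peer(acl, "10.10.10.251", "10.10.10.252")
        print(label, report, "missing:", missing(report))
```

Against the list from Step 5 the report shows IKE and NAT-T permitted by entries 10 and 20 and ESP falling through to the implicit deny, so `missing()` returns `["ESP"]`; against the corrected list it returns an empty list. Run the same check on any gateway whose IPsec peer negotiates fine but shows a zero Rcvd counter, before reaching for a sniffer.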

Step 6. Checking that it works

First, I make sure the L3VPN access list is correct:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any

Now I generate the target traffic from device R1:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=35.3 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=3.01 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=2.87 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 2.650/10.970/35.338/14.069 ms

Victory. The GRE tunnel is up. The incoming traffic counter in the IPsec statistics is no longer zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1474 1350

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 4 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 1920 480

On Gate2, in the klogview output, messages appeared showing that the target traffic 172.16.0.1->172.17.0.1 was successfully decrypted (PASS) by the LIST rule in the CMAP crypto map:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated

Results

The student ruined his day off.
Be careful with firewall rules.

Anonymous engineer
t.me/anonymous_engineer


source: www.habr.com
