1.5 schemes on domestic IPsec VPN. Testing the demo versions


Situation

I received a demo version of S-Terra VPN, version 4.3, for three months. I want to find out whether my engineering life gets easier after switching to the new version.

Today's task is not hard; one sachet of 3-in-1 instant coffee should be enough. I will describe how to get the demo versions, and I will try to assemble GRE-over-IPsec and IPsec-over-GRE setups.

How to get a demo


From the picture it follows that to get a demo version you need to:

  • Write a letter to presale@s-terra.ru from your corporate address;
  • State your organization's TIN in the letter;
  • List the products and their quantities.

Demo versions are valid for three months. The vendor does not restrict their functionality.

Launching the image

The demo version of the Security Gateway is a virtual machine image. I am using VMware Workstation. The full list of supported hypervisors and virtualization environments is on the vendor's website.

Before starting, note that the default virtual machine image has no network interfaces:


The logic is clear: the user must add as many interfaces as they need. I will add four at once:


Now I start the virtual machine. Immediately after booting, the gateway asks for a login and password.

S-Terra Gateway has several consoles with different accounts. I will count them in a separate article. For now:
Login as: administrator
Password: s-terra

I initialize the gateway. Initialization is a sequence of actions: entering the license, seeding the random number generator (keyboard roulette; my record is 27 seconds) and creating the network interface map.

Network interface map. It got easier

Version 4.2 greeted the active user with the messages:

Starting IPsec daemon….. failed
ERROR: Could not establish connection with daemon

An active user (as defined by the anonymous engineer) is a user who configures anything quickly and without reading the documentation.

Something went wrong even before any attempt to configure an IP address on an interface. It was all about the network interface map. You had to run:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
service networking restart

As a result, a network interface map is created. It holds the mapping between the names of the physical interfaces (0000:02:03.0), their logical designations in the operating system (eth0) and their names in the Cisco-like console (FastEthernet0/0):

#Unique ID    iface type  OS name  Cisco-like name
0000:02:03.0  phye        eth0     FastEthernet0/0

Awọn apẹrẹ wiwo ti o mọgbọnwa ni a pe ni aliases. Awọn inagijẹ ti wa ni ipamọ sinu faili /etc/ifaliases.cf.
Ninu ẹya 4.3, nigbati o kọkọ bẹrẹ ẹrọ foju kan, maapu wiwo yoo ṣẹda laifọwọyi. Ti o ba yipada nọmba awọn atọkun nẹtiwọọki ninu ẹrọ foju, lẹhinna jọwọ ṣẹda maapu wiwo lẹẹkansi:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
systemctl restart networking

Scheme 1: GRE-over-IPsec

I deploy two virtual gateways and connect them as shown in the figure:


Igbesẹ 1. Tunto awọn adirẹsi IP ati awọn ipa-ọna

VG1(config) #
interface fa0/0
ip address 172.16.1.253 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.1.253 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254

VG2(config)#
interface fa0/0
ip address 172.16.1.254 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.2.254 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.253

Mo ṣayẹwo IP Asopọmọra:

root@VG1:~# ping 172.16.1.254 -c 4
PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.545 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=0.657 ms
64 bytes from 172.16.1.254: icmp_seq=3 ttl=64 time=0.687 ms
64 bytes from 172.16.1.254: icmp_seq=4 ttl=64 time=0.273 ms

--- 172.16.1.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.273/0.540/0.687/0.164 ms

Igbesẹ 2. Ṣiṣeto GRE

Mo gba apẹẹrẹ ti eto GRE lati awọn iwe afọwọkọ osise. Mo ṣẹda faili gre1 ninu itọsọna /etc/network/interfaces.d pẹlu awọn akoonu.

Fun VG1:

auto gre1
iface gre1 inet static
address 1.1.1.1
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.254 local 172.16.1.253 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

For VG2:

auto gre1
iface gre1 inet static
address 1.1.1.2
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.253 local 172.16.1.254 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

I bring the interface up in the operating system:

root@VG1:~# ifup gre1
root@VG2:~# ifup gre1

Mo ṣayẹwo:

root@VG1:~# ip address show
8: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1
    link/gre 172.16.1.253 peer 172.16.1.254
    inet 1.1.1.1/30 brd 1.1.1.3 scope global gre1
       valid_lft forever preferred_lft forever

root@VG1:~# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.16.1.254 local 172.16.1.253 ttl 64 tos inherit key 1

S-Terra Gateway has a built-in packet sniffer, tcpdump. I write a traffic dump to a pcap file:

root@VG2:~# tcpdump -i eth0 -w /home/dump.pcap

I run ping between the GRE interfaces:

root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.850 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=0.974 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.850/0.915/0.974/0.043 ms

Eefin GRE nṣiṣẹ lọwọ ati nṣiṣẹ:

Awọn ero 1.5 lori IPsec VPN ile. Idanwo demo awọn ẹya

Igbesẹ 3. Encrypt pẹlu GOST GRE

I set the identity type to address. Authentication uses a pre-shared key (according to the Terms of Use, digital certificates must be used):

VG1(config)#
crypto isakmp identity address
crypto isakmp key KEY address 172.16.1.254

I set the IPsec Phase I parameters:

VG1(config)#
crypto isakmp policy 1
encr gost
hash gost3411-256-tc26
auth pre-share
group vko2

I set the IPsec Phase II parameters:

VG1(config)#
crypto ipsec transform-set TSET esp-gost28147-4m-imit
mode tunnel

I create the access list that selects traffic for encryption. The target traffic is GRE:

VG1(config)#
ip access-list extended LIST
permit gre host 172.16.1.253 host 172.16.1.254

I create a crypto map and bind it to the WAN interface (the peer is the other gateway's WAN address):

VG1(config)#
crypto map CMAP 1 ipsec-isakmp
  match address LIST
  set transform-set TSET
  set peer 172.16.1.254
interface fa0/0
  crypto map CMAP

For VG2 the configuration is mirrored; the differences are:

VG2(config)#
crypto isakmp key KEY address 172.16.1.253
ip access-list extended LIST
  permit gre host 172.16.1.254 host 172.16.1.253
crypto map CMAP 1 ipsec-isakmp
  set peer 172.16.1.253

Mo ṣayẹwo:

root@VG2:~# tcpdump -i eth0 -w /home/dump2.pcap
root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1128 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=126 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=1.07 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=1.12 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.077/314.271/1128.419/472.826 ms, pipe 2

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 1 (172.16.1.253,500)-(172.16.1.254,500) active 1086 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 1 (172.16.1.253,*)-(172.16.1.254,*) 47 ESP tunn 480 480

There are no GRE packets in the traffic dump, only ESP:

Conclusion: the GRE-over-IPsec scheme works correctly.

Scheme 1.5: IPsec-over-GRE

I do not plan to use IPsec-over-GRE on the network. I assembled it because I wanted to.


To turn the GRE-over-IPsec scheme inside out, you need to:

  • Change the encryption access list: the target traffic is now from LAN1 to LAN2 and back;
  • Configure routing through the GRE tunnel;
  • Bind the crypto map to the GRE interface.

By default, the gateway's Cisco-like console has no GRE interface. It exists only in the operating system.

I add the GRE interface to the Cisco-like console. To do this, I edit the file /etc/ifaliases.cf:

interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="FastEthernet0/2" pattern="eth2")
interface (name="FastEthernet0/3" pattern="eth3")
interface (name="Tunnel0" pattern="gre1")
interface (name="default" pattern="*")

where gre1 is the interface name in the operating system and Tunnel0 is the interface name in the Cisco-like console.
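As an added example (not S-Terra's tooling or the author's code), the script below ties the two steps together: it parses the interface map format shown in the "Network interface map" section, renders it into the ifaliases.cf syntax above, appends the Tunnel0/gre1 alias, and sanity-checks the result (unique names and patterns, catch-all entry last) before the file is handed to integr_mgr. The map contents are constructed; the file paths and the netifcfg/integr_mgr commands are those quoted in the article.

```python
"""Generate and check /etc/ifaliases.cf from an S-Terra interface map.

Added example, not vendor code. The map format is that of
`/bin/netifcfg enum > /home/map`; the alias syntax is that of
/etc/ifaliases.cf as shown in the article. SAMPLE_MAP is constructed.
"""
import re

SAMPLE_MAP = """\
#Unique ID iface type OS name Cisco-like name
0000:02:03.0 phye eth0 FastEthernet0/0
0000:02:04.0 phye eth1 FastEthernet0/1
0000:02:05.0 phye eth2 FastEthernet0/2
0000:02:06.0 phye eth3 FastEthernet0/3
"""

ALIAS_RE = re.compile(r'interface \(name="([^"]+)" pattern="([^"]+)"\)')


def parse_map(text):
    """Return [(cisco_name, os_name), ...] from netifcfg enum output."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                      # skip the header/comment line
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"unexpected map line: {line!r}")
        _unique_id, _iface_type, os_name, cisco_name = fields
        pairs.append((cisco_name, os_name))
    return pairs


def render_ifaliases(pairs, tunnels=()):
    """Render ifaliases.cf: physical aliases, then tunnel aliases, then the
    catch-all 'default' entry kept last, as in the article's file."""
    lines = [f'interface (name="{c}" pattern="{o}")' for c, o in pairs]
    lines += [f'interface (name="{c}" pattern="{o}")' for c, o in tunnels]
    lines.append('interface (name="default" pattern="*")')
    return "\n".join(lines) + "\n"


def check_ifaliases(text):
    """Reject duplicate names/patterns and a misplaced catch-all before
    the file is written and its hash recalculated with integr_mgr."""
    entries = ALIAS_RE.findall(text)
    names = [n for n, _ in entries]
    patterns = [p for _, p in entries]
    unique = len(set(names)) == len(names) and len(set(patterns)) == len(patterns)
    return bool(entries) and unique and entries[-1] == ("default", "*")
```

Run it against the real /home/map, then write the rendered text to /etc/ifaliases.cf and rerun `integr_mgr calc -f /etc/ifaliases.cf` as the article does.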

I recalculate the file's integrity hash:

root@VG1:~# integr_mgr calc -f /etc/ifaliases.cf

SUCCESS:  Operation was successful.

Now the Tunnel0 interface is visible in the Cisco-like console:

VG1# show run
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
mtu 1400

I change the encryption access list to select LAN1-to-LAN2 traffic:

VG1(config)#
ip access-list extended LIST
  permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

I configure the route to LAN2 through the GRE tunnel:

VG1(config)#
no ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 192.168.2.0 255.255.255.0 1.1.1.2

I remove the crypto map from Fa0/0 and bind it to the GRE interface:

VG1(config)#
interface fa0/0
  no crypto map CMAP
interface Tunnel0
  crypto map CMAP

For VG2 it is the same, mirrored.

I check:

root@VG2:~# tcpdump -i eth0 -w /home/dump3.pcap

root@VG1:~# ping 192.168.2.254 -I 192.168.1.253 -c 4
PING 192.168.2.254 (192.168.2.254) from 192.168.1.253 : 56(84) bytes of data.
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=492 ms
64 bytes from 192.168.2.254: icmp_seq=2 ttl=64 time=1.08 ms
64 bytes from 192.168.2.254: icmp_seq=3 ttl=64 time=1.06 ms
64 bytes from 192.168.2.254: icmp_seq=4 ttl=64 time=1.07 ms

--- 192.168.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.064/124.048/492.972/212.998 ms

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 2 (172.16.1.253,500)-(172.16.1.254,500) active 1094 1022

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 2 (192.168.1.0-192.168.1.255,*)-(192.168.2.0-192.168.2.255,*) * ESP tunn 352 352

In the traffic dump there are ESP packets encapsulated in GRE:

Conclusion: IPsec-over-GRE works correctly.
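The two conclusions above rest on reading the pcap by eye. As an added example (not part of the original post or of S-Terra), the script below does that check programmatically: it parses raw IPv4, GRE (with the 32-bit key field the `key 1` tunnel option adds) and ESP headers and reports the encapsulation order seen on the WAN side, so a defender can confirm that no cleartext GRE payload leaves the gateway. The three packets are constructed to mirror the article's dumps (plain GRE ping from step 2, GRE-over-IPsec from scheme 1, IPsec-over-GRE from scheme 1.5); checksums and inner addresses are placeholders.

```python
"""Classify the encapsulation order in a WAN capture (GRE-over-IPsec vs
IPsec-over-GRE). Added example, not vendor code; packets are constructed."""
import struct

GRE, ESP, ICMP = 47, 50, 1                       # IPv4 protocol numbers
NAMES = {GRE: "GRE", ESP: "ESP", ICMP: "ICMP"}


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header; checksum left zero (the parser ignores it)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload


def gre(payload, key=1):
    """GRE header with the K flag set and protocol 0x0800 (IPv4 inside)."""
    return struct.pack("!HHI", 0x2000, 0x0800, key) + payload


def esp(spi, seq, ciphertext):
    """ESP header (SPI, sequence) followed by opaque encrypted bytes."""
    return struct.pack("!II", spi, seq) + ciphertext


def encapsulation_chain(pkt):
    """Protocol names from the outermost header inward. Stops at ESP,
    since everything after it is ciphertext, or at any non-GRE payload."""
    chain = []
    while len(pkt) >= 20 and pkt[0] >> 4 == 4:
        proto, pkt = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
        chain.append(NAMES.get(proto, str(proto)))
        if proto != GRE:
            break
        flags = struct.unpack("!H", pkt[:2])[0]
        # Optional GRE fields: C (checksum+reserved), K (key), S (sequence).
        optional = sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
        pkt = pkt[4 + optional:]
    return chain


def leaks_cleartext(pkt):
    """True when a GRE tunnel carries payload that was never wrapped in ESP."""
    chain = encapsulation_chain(pkt)
    return "GRE" in chain and "ESP" not in chain


WAN, TUN = ("172.16.1.253", "172.16.1.254"), ("1.1.1.1", "1.1.1.2")
PING = b"\x08\x00" + b"\x00" * 6                 # ICMP echo request stub
PLAIN_GRE = ipv4(*WAN, GRE, gre(ipv4(*TUN, ICMP, PING)))                 # step 2
GRE_OVER_IPSEC = ipv4(*WAN, ESP, esp(0x1001, 1, b"\xaa" * 48))           # scheme 1
IPSEC_OVER_GRE = ipv4(*WAN, GRE, gre(ipv4(*TUN, ESP, esp(0x1002, 1, b"\xbb" * 48))))  # scheme 1.5
```

For a real capture, feed each packet's IP payload (after the Ethernet header) to encapsulation_chain; a GRE-over-IPsec WAN dump should show only ["ESP"].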

Results

One cup of coffee was enough. I wrote down the procedure for getting a demo, configured GRE-over-IPsec and then turned it inside out.

The network interface map in version 4.3 is automatic! I am continuing the tests.

Anonymous ẹlẹrọ
t.me/anonymous_engineer


Source: www.habr.com