How to troubleshoot a domestic IPsec VPN. Part 1


Situation

A day off. I'm drinking coffee. A student set up a VPN connection between two sites and disappeared. I checked: the tunnel really is there, but there is no traffic in it. The student does not answer calls.

I put the kettle on and dive into troubleshooting the S-Terra Gateway. Below I share my experience and my method.

Initial data

Two geographically separated sites are connected by a GRE tunnel: the GRE endpoints are 172.16.0.1 on R1 and 172.17.0.1 on R2, and the tunnel interfaces are addressed 1.1.1.1 (R1) and 1.1.1.2 (R2). The GRE traffic must be encrypted between the S-Terra gateways Gate1 (WAN address 10.10.10.251) and Gate2 (WAN address 10.10.10.252).


I check whether the GRE tunnel works. To do this I ping the GRE interface of R2 from R1. This is the target traffic that is supposed to be encrypted. No reply:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3057ms

I look at the logs on Gate1 and Gate2. The log cheerfully reports that the IPsec tunnel was established successfully, no problems:

root@Gate1:~# cat /var/log/cspvpngate.log
Aug  5 16:14:23 localhost  vpnsvc: 00100119 <4:1> IPSec connection 5 established, traffic selector 172.17.0.1->172.16.0.1, proto 47, peer 10.10.10.251, id "10.10.10.251", Filter 
IPsec:Protect:CMAP:1:LIST, IPsecAction IPsecAction:CMAP:1, IKERule IKERule:CMAP:1

In the IPsec tunnel statistics on Gate1 I see that the tunnel really exists, but the Rcvd counter is zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0

My way of troubleshooting S-Terra is this: I look for the point where the target packets get lost on the way from R1 to R2. Along the way (spoiler) I will find a mistake.

Troubleshooting

Step 1. What Gate1 receives from R1

I use the built-in packet sniffer, tcpdump. I start it on the inside interface (Gi0/1 in Cisco notation, eth1 in Debian notation):

root@Gate1:~# tcpdump -i eth1

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:53:38.879525 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 1, length 64
14:53:39.896869 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 2, length 64
14:53:40.921121 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 3, length 64
14:53:41.944958 IP 172.16.0.1 > 172.17.0.1: GREv0, key=0x1, length 92: IP 1.1.1.1 > 1.1.1.2: ICMP echo request, id 2083, seq 4, length 64

I see that Gate1 receives the GRE packets from R1. Moving on.

Step 2. What Gate1 does with the GRE packets

With the klogview utility I can see what happens to the GRE packets inside the S-Terra VPN driver:

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated

I see that the target GRE traffic (proto 47) 172.16.0.1 -> 172.17.0.1 matches the encryption rule LIST in crypto map CMAP and is encapsulated. The resulting ESP packet (proto 50) is then passed out. There is no return traffic in the klogview output.

I check the access lists on Gate1. I see a single access list, LIST, which only defines the target traffic for encryption, so no firewall rules are configured here:

Gate1#show access-lists
Extended IP access list LIST
    10 permit gre host 172.16.0.1 host 172.17.0.1

Conclusion: the problem is not on Gate1.

More about klogview

The VPN driver handles all network traffic, not only the traffic whose contents need to be encrypted. These are the messages that klogview shows when the VPN driver processes traffic and passes it on unencrypted:

root@R1:~# ping 172.17.0.1 -c 4

root@Gate1:~# klogview -f 0xffffffff

filtration result for out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: chain 4 "IPsecPolicy:CMAP": no match
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered

I see that the ICMP traffic (proto 1) 172.16.0.1 -> 172.17.0.1 did not match any encryption rule of crypto map CMAP (no match). The packet is passed out in clear text.

Step 3. What Gate2 receives from Gate1

I start the sniffer on the WAN interface (eth0) of Gate2:

root@Gate2:~# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:05:45.104195 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x1), length 140
16:05:46.093918 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x2), length 140
16:05:47.117078 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x3), length 140
16:05:48.141785 IP 10.10.10.251 > 10.10.10.252: ESP(spi=0x30088112,seq=0x4), length 140

I see that Gate2 receives the ESP packets from Gate1.

Step 4. What Gate2 does with the ESP packets

I start klogview on Gate2:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: chain 17 "FilterChain:L3VPN", filter 21, status DROP
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall

I see that the ESP packets (proto 50) are dropped (DROP) by a firewall rule (chain L3VPN). I confirm that Gi0/0 really has the access list L3VPN applied inbound:

Gate2#show ip interface gi0/0
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.10.10.252/24
  MTU is 1500 bytes
  Outgoing access list is not set
  Inbound  access list is L3VPN

I have located the problem.
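Steps 2 and 4 both come down to reading klogview verdict lines and asking two questions: is IPsec traffic from the peer being dropped by a firewall chain, and is traffic that should be protected leaving the WAN interface "filtered", i.e. in clear text. The following script is an added example written for this page; it is not part of S-Terra or of the original article. It parses the verdict lines in the exact format shown above (an assumption: other S-Terra releases may word them differently), counts them per flow and verdict, and raises findings for those two conditions. The sample lines are the ones printed on this page plus one constructed "filtered" line for the GRE flow, added to show the clear-text check firing.

```python
import re
from collections import Counter

# Verdict lines as klogview prints them on this page, e.g.
#   dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall
# The "filtration result ..." and "encapsulating with SA ..." lines are informational
# and are skipped by this regex (assumption: format matches the page's output).
VERDICT_RE = re.compile(
    r"^(?P<verdict>passed|dropped) (?P<dir>in|out) packet "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+), proto (?P<proto>\d+), "
    r"len (?P<len>\d+), if (?P<iface>\S+): (?P<reason>\w+)$"
)

IPSEC_PROTOS = {50: "ESP", 51: "AH"}

# Sample input: lines from this page, plus one constructed line at the end
# (GRE leaving unencrypted) that the page itself never showed.
KLOGVIEW_SAMPLE = """\
filtration result for out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 4 "IPsecPolicy:CMAP", filter 8, event id IPsec:Protect:CMAP:1:LIST, status PASS
encapsulating with SA 31: 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0
passed out packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: encapsulated
passed out packet 172.16.0.1->172.17.0.1, proto 1, len 84, if eth0: filtered
dropped in packet 10.10.10.251->10.10.10.252, proto 50, len 160, if eth0: firewall
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated
passed out packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: filtered
""".splitlines()

# Traffic selectors that must never leave in clear text: (src, dst, ip proto).
# Taken from the crypto map on this page (access list LIST: gre host .. host ..).
PROTECTED = {("172.16.0.1", "172.17.0.1", 47)}


def parse_verdicts(lines):
    """Return one dict per verdict line; non-verdict lines are ignored."""
    out = []
    for line in lines:
        m = VERDICT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["proto"] = int(d["proto"])
            d["len"] = int(d["len"])
            out.append(d)
    return out


def summarize(lines):
    """Packet counts keyed by (direction, src, dst, proto, verdict, reason)."""
    counts = Counter()
    for v in parse_verdicts(lines):
        counts[(v["dir"], v["src"], v["dst"], v["proto"], v["verdict"], v["reason"])] += 1
    return counts


def find_problems(lines, protected=PROTECTED):
    """Flag IPsec packets killed by the firewall and protected flows sent in clear."""
    findings = []
    for v in parse_verdicts(lines):
        flow = (v["src"], v["dst"], v["proto"])
        if v["verdict"] == "dropped" and v["reason"] == "firewall" and v["proto"] in IPSEC_PROTOS:
            findings.append(
                f"{IPSEC_PROTOS[v['proto']]} from {v['src']} dropped by firewall on "
                f"{v['iface']}: check the inbound access list on that interface"
            )
        elif v["dir"] == "out" and v["reason"] == "filtered" and flow in protected:
            findings.append(
                f"cleartext leak: {v['src']}->{v['dst']} proto {v['proto']} left "
                f"{v['iface']} unencrypted (crypto map did not match)"
            )
    return findings


if __name__ == "__main__":
    for key, n in sorted(summarize(KLOGVIEW_SAMPLE).items()):
        print(n, key)
    for f in find_problems(KLOGVIEW_SAMPLE):
        print("PROBLEM:", f)
```

In practice you would feed it `klogview -f 0xffffffff` output captured to a file while the test ping runs; the "cleartext leak" check is the one worth keeping on after the incident, because a mismatched selector fails open, not closed.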

Step 5. What is wrong with the access list

I look at what the access list L3VPN contains:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit icmp host 10.10.10.251 any

I see that ISAKMP packets are permitted, which is why the IPsec tunnel came up. But there is no permit entry for ESP. Apparently the student mixed up icmp and esp.

I edit the access list:

Gate2(config)#
ip access-list extended L3VPN
no 30
30 permit esp host 10.10.10.251 any

Step 6. Verifying that it works

First I make sure the access list L3VPN is now correct:

Gate2#show access-list L3VPN
Extended IP access list L3VPN
    10 permit udp host 10.10.10.251 any eq isakmp
    20 permit udp host 10.10.10.251 any eq non500-isakmp
    30 permit esp host 10.10.10.251 any

Now I send the target traffic from R1 again:

root@R1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=35.3 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=3.01 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=2.87 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 2.650/10.970/35.338/14.069 ms

Victory. The GRE tunnel is up. The received-traffic counter in the IPsec statistics is no longer zero:

root@Gate1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1474 1350

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 4 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 1920 480
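The first clue in this story was the `sa_mgr show` table in the Initial data section (Sent 480, Rcvd 0), and the proof of the fix is the same table here (Sent 1920, Rcvd 480). As an added example for both passages, written for this page and not part of S-Terra, here is a parser for the "IPsec connections:" table in the column layout shown above (an assumption: other releases may print other columns) that flags one-way connections, the ones that send but never receive. The two sample tables are copied from this page.

```python
import re

# One row of the "IPsec connections:" table printed by `sa_mgr show` on this page:
#   Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
#   1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0
# Assumption: the column order matches this page's output.
ROW_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<conn>\d+)\s+"
    r"\((?P<lsrc>[^,]+),(?P<lport>[^)]+)\)-\((?P<rsrc>[^,]+),(?P<rport>[^)]+)\)\s+"
    r"(?P<proto>\d+)\s+(?P<action>\w+)\s+(?P<mode>\w+)\s+"
    r"(?P<sent>\d+)\s+(?P<rcvd>\d+)\s*$"
)

# Sample input: the `sa_mgr show` output from this page, before and after the fix.
BEFORE_FIX = """\
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1070 1014

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 3 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 480 0
"""
AFTER_FIX = """\
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) State Sent Rcvd
1 3 (10.10.10.251,500)-(10.10.10.252,500) active 1474 1350

IPsec connections:
Num Conn-id (Local Addr,Port)-(Remote Addr,Port) Protocol Action Type Sent Rcvd
1 4 (172.16.0.1,*)-(172.17.0.1,*) 47 ESP tunn 1920 480
"""


def parse_ipsec_connections(text):
    """Rows below the 'IPsec connections:' header, with numeric fields as ints."""
    rows, in_section = [], False
    for line in text.splitlines():
        if line.startswith("IPsec connections:"):
            in_section = True
            continue
        if not in_section:
            continue          # the ISAKMP table above has a different layout
        m = ROW_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("num", "conn", "proto", "sent", "rcvd"):
                d[k] = int(d[k])
            rows.append(d)
    return rows


def one_way_connections(text):
    """Connections that have sent traffic but received nothing back."""
    return [r for r in parse_ipsec_connections(text)
            if r["sent"] > 0 and r["rcvd"] == 0]


def describe(row):
    return (f"conn {row['conn']} {row['lsrc']}->{row['rsrc']} proto {row['proto']} "
            f"{row['action']}/{row['mode']}: sent {row['sent']} rcvd {row['rcvd']}")


if __name__ == "__main__":
    for label, text in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        bad = one_way_connections(text)
        print(label, "one-way connections:", [describe(r) for r in bad] or "none")
```

A Sent counter that grows while Rcvd stays at zero tells you the local gateway is doing its job and the loss is downstream: on the path, on the remote gateway's inbound filter (as here), or in the return route on the far side. That is exactly what narrows the search to Gate2 before any sniffing starts.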

On gateway Gate2, klogview now shows that the target traffic 172.16.0.1->172.17.0.1 is successfully decrypted (PASS) by rule LIST of crypto map CMAP:

root@Gate2:~# klogview -f 0xffffffff
filtration result for in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: chain 18 "IPsecPolicy:CMAP", filter 25, event id IPsec:Protect:CMAP:1:LIST, status PASS
passed in packet 172.16.0.1->172.17.0.1, proto 47, len 112, if eth0: decapsulated

Conclusions

A student ruined my day off.
Be careful with firewall rules.

Anonymous engineer
t.me/anonymous_engineer


Source: www.habr.com
