1.5 schemes on a home IPsec VPN. Testing the demos


Situation

I received a demo version of C-Terra VPN 4.3 for three months. I want to find out whether my life as an engineer will get easier after switching to the new version.

Today is not hard: one sachet of 3-in-1 instant coffee should be enough. I'll tell you how to get the demos, and I'll try to build the GRE-over-IPsec and IPsec-over-GRE schemes.

How to get the demo

[screenshot]

From the picture it follows that to get a demo you need to:

  • Write a letter to [email protected] from a corporate address;
  • In the letter, give your organization's TIN;
  • List the products and their quantity.

The demos work for three months. The vendor does not limit their functionality.

Deploying the image

The Security Gateway demo is a virtual machine image. I use VMWare Workstation. The full list of supported hypervisors and virtualization environments is available on the vendor's website.

Before you start, note that the default virtual machine image has no network interfaces at all:

[screenshot]

The logic is clear: the user adds as many interfaces as they need. I'll add four at once:

[screenshot]

Now I start the virtual machine. Right after boot, the gateway asks for a username and password.

The S-Terra Gateway has several consoles with different accounts. I'll count them in a separate article. For now:
Login as: administrator
Password: s-terra

I initialize the gateway. Initialization is a sequence of actions: entering the license, seeding the biological random number generator (a keyboard simulator; my record is 27 seconds) and creating the network interface map.

Network interface map. It got easier

Version 4.2 greeted the active user with these messages:

Starting IPsec daemon….. failed
ERROR: Could not establish connection with daemon

An active user (as the anonymous engineer defines it) is one who can configure anything quickly and without reading the documentation.

Something went wrong before I even tried to set an IP address on an interface. It was all about the network interface map, which had to be created first:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
service networking restart

As a result, a network interface map is created that records the hardware identifier of each interface (0000:02:03.0) together with its logical name in the operating system (eth0) and in the Cisco-like console (FastEthernet0/0):

#Unique ID     iface type   OS name   Cisco-like name
0000:02:03.0   phye         eth0      FastEthernet0/0

The logical interface names are called aliases. Aliases are stored in the file /etc/ifaliases.cf.
In version 4.3 the interface map is built automatically when the virtual machine starts. If you change the number of network interfaces in the virtual machine, recreate the interface map:

/bin/netifcfg enum > /home/map
/bin/netifcfg map /home/map
systemctl restart networking

Scheme 1: GRE-over-IPsec

I use two virtual gateways, connected as shown in the picture:

[screenshot]

Step 1. Set IP addresses and routes

VG1(config)#
interface fa0/0
ip address 172.16.1.253 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.1.253 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254

VG2(config)#
interface fa0/0
ip address 172.16.1.254 255.255.255.0
no shutdown
interface fa0/1
ip address 192.168.2.254 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.253

Checking IP connectivity:

root@VG1:~# ping 172.16.1.254 -c 4
PING 172.16.1.254 (172.16.1.254) 56(84) bytes of data.
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=0.545 ms
64 bytes from 172.16.1.254: icmp_seq=2 ttl=64 time=0.657 ms
64 bytes from 172.16.1.254: icmp_seq=3 ttl=64 time=0.687 ms
64 bytes from 172.16.1.254: icmp_seq=4 ttl=64 time=0.273 ms

--- 172.16.1.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 0.273/0.540/0.687/0.164 ms

Step 2. Set up GRE

I take the GRE setup example from the official documentation: I create a file gre1 in the /etc/network/interfaces.d directory with the following contents.

For VG1:

auto gre1
iface gre1 inet static
address 1.1.1.1
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.254 local 172.16.1.253 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

For VG2:

auto gre1
iface gre1 inet static
address 1.1.1.2
netmask 255.255.255.252
pre-up ip tunnel add gre1 mode gre remote 172.16.1.253 local 172.16.1.254 key 1 ttl 64 tos inherit
pre-up ethtool -K gre1 tx off > /dev/null
pre-up ip link set gre1 mtu 1400
post-down ip link del gre1

I bring the interface up in the operating system:

root@VG1:~# ifup gre1
root@VG2:~# ifup gre1

Checking:

root@VG1:~# ip address show
8: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1
    link/gre 172.16.1.253 peer 172.16.1.254
    inet 1.1.1.1/30 brd 1.1.1.3 scope global gre1
       valid_lft forever preferred_lft forever

root@VG1:~# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.16.1.254 local 172.16.1.253 ttl 64 tos inherit key 1

The C-Terra Gateway has a built-in packet sniffer, tcpdump. I'll write a traffic dump to a pcap file:

root@VG2:~# tcpdump -i eth0 -w /home/dump.pcap

I start a ping between the GRE interfaces:

root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.850 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=0.918 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=0.974 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.850/0.915/0.974/0.043 ms

The GRE tunnel works:

[screenshot]

Step 3. Encrypt GRE with GOST

I set the identity type to address. Authentication is by pre-shared key (according to the Terms of Use, digital certificates should be used):

VG1(config)#
crypto isakmp identity address
crypto isakmp key KEY address 172.16.1.254

I set the IPsec Phase I parameters:

VG1(config)#
crypto isakmp policy 1
encr gost
hash gost3411-256-tc26
auth pre-share
group vko2

I set the IPsec Phase II parameters:

VG1(config)#
crypto ipsec transform-set TSET esp-gost28147-4m-imit
mode tunnel

I create the access list for encryption. The target traffic is GRE:

VG1(config)#
ip access-list extended LIST
permit gre host 172.16.1.253 host 172.16.1.254

I create a crypto map and bind it to the WAN interface:

VG1(config)#
crypto map CMAP 1 ipsec-isakmp
match address LIST
set transform-set TSET
! the peer is the remote gateway (VG2), matching the pre-shared key address above
set peer 172.16.1.254
interface fa0/0
  crypto map CMAP

On VG2 the configuration is mirrored; the only differences are:

VG2(config)#
crypto isakmp key KEY address 172.16.1.253
ip access-list extended LIST
permit gre host 172.16.1.254 host 172.16.1.253
crypto map CMAP 1 ipsec-isakmp
! the peer is the remote gateway (VG1)
set peer 172.16.1.253

Checking:

root@VG2:~# tcpdump -i eth0 -w /home/dump2.pcap
root@VG1:~# ping 1.1.1.2 -c 4
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=1128 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=126 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=64 time=1.07 ms
64 bytes from 1.1.1.2: icmp_seq=4 ttl=64 time=1.12 ms

--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.077/314.271/1128.419/472.826 ms, pipe 2

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num  Conn-id  (Local Addr,Port)-(Remote Addr,Port)    State   Sent  Rcvd
1    1        (172.16.1.253,500)-(172.16.1.254,500)   active  1086  1014

IPsec connections:
Num  Conn-id  (Local Addr,Port)-(Remote Addr,Port)    Protocol  Action  Type  Sent  Rcvd
1    1        (172.16.1.253,*)-(172.16.1.254,*)       47        ESP     tunn  480   480

There are no GRE packets in the traffic dump:

[screenshot]

Conclusion: the GRE-over-IPsec scheme works fine.

Scheme 1.5: IPsec-over-GRE

I don't plan to use IPsec-over-GRE in a real network. I'm setting it up because I want to.

[screenshot]

To turn the GRE-over-IPsec scheme inside out:

  • Fix the encryption access list: the target traffic is from LAN1 to LAN2 and vice versa;
  • Configure routing via GRE;
  • Hang the crypto map on the GRE interface.

By default, the GRE interface does not exist in the Cisco-like gateway console. It exists only in the operating system.

I add the GRE interface to the Cisco-like console. To do this, I edit the file /etc/ifaliases.cf:

interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="FastEthernet0/2" pattern="eth2")
interface (name="FastEthernet0/3" pattern="eth3")
interface (name="Tunnel0" pattern="gre1")
interface (name="default" pattern="*")

where gre1 is the interface name in the operating system and Tunnel0 is the interface name in the Cisco-like console.

I recalculate the file's integrity hash:

root@VG1:~# integr_mgr calc -f /etc/ifaliases.cf

SUCCESS:  Operation was successful.

Now the Tunnel0 interface shows up in the Cisco-like console:

VG1# show run
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
mtu 1400
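The alias file is applied pattern by pattern, and an OS interface that only matches the trailing default entry stays invisible in the Cisco-like console, which is exactly why Tunnel0 had to be added by hand. The following is an added example, not S-Terra's own code: it parses an ifaliases.cf in the format shown above and reports which OS interfaces would get no Cisco-like name. The first-match-in-file-order semantics is an assumption suggested by the catch-all "default" entry being last; the sample file and interface list are constructed.

```python
"""Resolve Cisco-like names from an /etc/ifaliases.cf-style file (added example)."""
import fnmatch
import re

# Constructed copy of the alias file from the text above.
IFALIASES_CF = """\
interface (name="FastEthernet0/0" pattern="eth0")
interface (name="FastEthernet0/1" pattern="eth1")
interface (name="FastEthernet0/2" pattern="eth2")
interface (name="FastEthernet0/3" pattern="eth3")
interface (name="Tunnel0" pattern="gre1")
interface (name="default" pattern="*")
"""

ALIAS_RE = re.compile(r'interface\s*\(\s*name="([^"]+)"\s+pattern="([^"]+)"\s*\)')


def parse_ifaliases(text):
    """Return [(cisco_name, os_pattern), ...] in file order."""
    return [(m.group(1), m.group(2)) for m in ALIAS_RE.finditer(text)]


def cisco_name(os_iface, aliases):
    """First matching pattern wins (assumption); None if only 'default' matches."""
    for name, pattern in aliases:
        if fnmatch.fnmatchcase(os_iface, pattern):
            return None if name == "default" else name
    return None


def unaliased(os_ifaces, aliases):
    """OS interfaces that would not appear in the Cisco-like console."""
    return [i for i in os_ifaces if cisco_name(i, aliases) is None]


if __name__ == "__main__":
    aliases = parse_ifaliases(IFALIASES_CF)
    # Constructed list of OS interfaces, e.g. from 'ip link'.
    os_ifaces = ["eth0", "eth1", "eth2", "eth3", "gre0", "gre1", "lo"]
    for iface in os_ifaces:
        print(f"{iface:6} -> {cisco_name(iface, aliases)}")
    print("hidden from the Cisco-like console:", unaliased(os_ifaces, aliases))
```

Run it after editing ifaliases.cf and before recalculating the hash with integr_mgr: anything listed as hidden needs its own alias line, placed above the default entry.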

I fix the encryption access list:

VG1(config)#
ip access-list extended LIST
! LAN1 (192.168.1.0/24, fa0/1 on VG1) to LAN2 (192.168.2.0/24, fa0/1 on VG2)
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

I configure routing via GRE:

VG1(config)#
no ip route 0.0.0.0 0.0.0.0 172.16.1.254
! LAN2 is reached through the GRE peer address 1.1.1.2
ip route 192.168.2.0 255.255.255.0 1.1.1.2

I remove the crypto map from fa0/0 and bind it to the GRE interface:

VG1(config)#
interface fa0/0
no crypto map CMAP
interface Tunnel0
crypto map CMAP

On VG2 it's the same.

Checking:

root@VG2:~# tcpdump -i eth0 -w /home/dump3.pcap

root@VG1:~# ping 192.168.2.254 -I 192.168.1.253 -c 4
PING 192.168.2.254 (192.168.2.254) from 192.168.1.253 : 56(84) bytes of data.
64 bytes from 192.168.2.254: icmp_seq=1 ttl=64 time=492 ms
64 bytes from 192.168.2.254: icmp_seq=2 ttl=64 time=1.08 ms
64 bytes from 192.168.2.254: icmp_seq=3 ttl=64 time=1.06 ms
64 bytes from 192.168.2.254: icmp_seq=4 ttl=64 time=1.07 ms

--- 192.168.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 1.064/124.048/492.972/212.998 ms

ISAKMP/IPsec statistics:

root@VG1:~# sa_mgr show
ISAKMP sessions: 0 initiated, 0 responded

ISAKMP connections:
Num  Conn-id  (Local Addr,Port)-(Remote Addr,Port)                        State   Sent  Rcvd
1    2        (172.16.1.253,500)-(172.16.1.254,500)                       active  1094  1022

IPsec connections:
Num  Conn-id  (Local Addr,Port)-(Remote Addr,Port)                        Protocol  Action  Type  Sent  Rcvd
1    2        (192.168.1.0-192.168.1.255,*)-(192.168.2.0-192.168.2.255,*)  *         ESP     tunn  352   352

In the traffic dump the ESP packets are encapsulated in GRE:

[screenshot]

Conclusion: IPsec-over-GRE works fine.
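Both dump checks above (no GRE on the wire for scheme 1, GRE carrying ESP for scheme 1.5) come down to looking at the outer IP protocol and, for GRE, the inner one. The script below is an added example, not part of the article or of the C-Terra product: it parses the classic libpcap format that tcpdump -w produces, walks Ethernet/IPv4/GRE headers and classifies each frame as ESP, GRE/ESP, or GRE carrying plaintext (the state after step 2, before encryption). The sample frames and the pcap buffer are constructed inline; on a real gateway you would feed it /home/dump.pcap.

```python
"""Classify the encapsulation of each IPv4 frame in a tcpdump -w (libpcap) dump (added example)."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
IPPROTO_ICMP, IPPROTO_GRE, IPPROTO_ESP = 1, 47, 50
PROTO_NAMES = {IPPROTO_ICMP: "ICMP", IPPROTO_GRE: "GRE", IPPROTO_ESP: "ESP"}


def parse_pcap(data):
    """Yield raw frames from a classic libpcap buffer (either byte order)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in (PCAP_MAGIC, 0xD4C3B2A1):
        raise ValueError("not a libpcap file")
    order = "<" if magic == PCAP_MAGIC else ">"
    linktype, = struct.unpack_from(order + "I", data, 20)
    if linktype != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(order + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def ipv4_proto_and_len(buf):
    """Return (protocol number, header length) of the IPv4 header at buf[0]."""
    return buf[9], (buf[0] & 0x0F) * 4


def gre_payload(buf):
    """Strip a GRE header (RFC 2784/2890) and return (inner ethertype, payload)."""
    flags, ethertype = struct.unpack_from("!HH", buf, 0)
    hdr = 4
    for bit in (0x8000, 0x2000, 0x1000):  # checksum, key, sequence: 4 bytes each
        if flags & bit:
            hdr += 4
    return ethertype, buf[hdr:]


def classify(frame):
    """'ESP', 'GRE/ESP', 'GRE/ICMP', ... as seen on the WAN interface."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return "non-IPv4"
    proto, ihl = ipv4_proto_and_len(frame[14:])
    if proto != IPPROTO_GRE:
        return PROTO_NAMES.get(proto, str(proto))
    ethertype, inner = gre_payload(frame[14 + ihl:])
    if ethertype != 0x0800 or len(inner) < 20:
        return "GRE/non-IPv4"
    inner_proto = ipv4_proto_and_len(inner)[0]
    return "GRE/" + PROTO_NAMES.get(inner_proto, str(inner_proto))


def summarize(pcap_bytes):
    """Counter of packet classes in the dump."""
    return Counter(classify(f) for f in parse_pcap(pcap_bytes))


def plaintext_gre_leak(pcap_bytes):
    """True if any GRE packet carries something other than ESP, i.e. unencrypted tunnel traffic."""
    return any(k.startswith("GRE/") and k != "GRE/ESP" for k in summarize(pcap_bytes))


# --- constructed sample frames, not taken from the article's dump files ---
def _ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def _frame(ip_packet):  # zeroed MACs, ethertype IPv4
    return b"\x00" * 12 + b"\x08\x00" + ip_packet


def build_pcap(frames):
    """Write frames into a little-endian libpcap buffer with the Ethernet link type."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


WAN1, WAN2 = "172.16.1.253", "172.16.1.254"
GRE_KEY1 = struct.pack("!HHI", 0x2000, 0x0800, 1)  # key flag set, key 1, inner IPv4
ESP_BLOB = b"\x00\x00\x00\x01\x00\x00\x00\x07" + b"\xaa" * 64  # SPI, sequence, opaque body
ICMP_ECHO = b"\x08\x00\x00\x00" + b"\x00" * 12
STEP2_PLAIN = _frame(_ipv4(IPPROTO_GRE, WAN1, WAN2, GRE_KEY1 + _ipv4(IPPROTO_ICMP, "1.1.1.1", "1.1.1.2", ICMP_ECHO)))
SCHEME1_ESP = _frame(_ipv4(IPPROTO_ESP, WAN1, WAN2, ESP_BLOB))
SCHEME15_GRE_ESP = _frame(_ipv4(IPPROTO_GRE, WAN1, WAN2, GRE_KEY1 + _ipv4(IPPROTO_ESP, "1.1.1.1", "1.1.1.2", ESP_BLOB)))

if __name__ == "__main__":
    for label, frames in (("step 2, no IPsec", [STEP2_PLAIN]), ("scheme 1", [SCHEME1_ESP]), ("scheme 1.5", [SCHEME15_GRE_ESP])):
        dump = build_pcap(frames)
        print(label, dict(summarize(dump)), "LEAK" if plaintext_gre_leak(dump) else "ok")
```

The useful invariant is plaintext_gre_leak: for scheme 1 the WAN dump must contain ESP only, and for scheme 1.5 every GRE packet must carry ESP. Any GRE/ICMP or GRE/other entry after the crypto map is bound means the access list or the crypto map binding is not catching the traffic, which is the condition the ping results alone cannot reveal.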

Results

One cup of coffee was enough. I sketched out the instructions for obtaining the demo version, configured GRE-over-IPsec and then used it the other way round.

The network interface map in version 4.3 is automatic! I'm testing further.

Anonymous engineer
t.me/anonymous_engineer


Source: www.habr.com
