Difference between revisions of the page "IPSec kasutamine Debianiga" (Using IPSec with Debian)
(→IPSec over a NAT gateway, two Debians, with pre-shared keys) |
(→IPSec over a NAT gateway, two Debians, with pre-shared keys) |
||
(5 intermediate revisions by the same user not shown) | |||
Line 6: | Line 6: | ||
* transport režiim - suhtlevad kaks otspunkti kusjuures ip paketi päised jäävad puutumatuks, tegeldakse paketi sees sisalduva tcp, udp, icmp vmt osaga | * transport režiim - suhtlevad kaks otspunkti kusjuures ip paketi päised jäävad puutumatuks, tegeldakse paketi sees sisalduva tcp, udp, icmp vmt osaga | ||
− | * tunnel režiim - suhtlevad kahe lüüsi taga alamvõrkudes asuvad arvutid; tegeldakse kogu ip | + | * tunnel režiim - suhtlevad kahe lüüsi taga alamvõrkudes asuvad arvutid; tegeldakse kogu ip paketiga kapseldades ta uude, IPSec lüüsis moodustatud ip paketti |
===Tööpõhimõte=== | ===Tööpõhimõte=== | ||
Line 279: | Line 279: | ||
# cp ca.crt /etc/isakmpd/ca | # cp ca.crt /etc/isakmpd/ca | ||
− | # 192.168.10.241.crt 192.168.10.144.crt /etc/isakmpd/certs | + | # cp 192.168.10.241.crt 192.168.10.144.crt /etc/isakmpd/certs |
− | # cp 192.168.10.241.key /etc/isakmpd/private | + | # cp 192.168.10.241.key /etc/isakmpd/private/local.key |
# chown 0600 /etc/isakmpd/private/192.168.10.241.key | # chown 0600 /etc/isakmpd/private/192.168.10.241.key | ||
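Review bot: the unchanged line right after the edited `cp` still reads `# chown 0600 /etc/isakmpd/private/192.168.10.241.key`, but the key is now copied to /etc/isakmpd/private/local.key, so that path does not exist on the target, and chown takes an owner, not a mode. Suggest `# chmod 0600 /etc/isakmpd/private/local.key` so that isakmpd's private key is not readable by other users.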
Line 391: | Line 391: | ||
2008-07-20 15:52:16: INFO: IPsec-SA established: ESP/Transport 192.168.10.241[0]->192.168.10.144[0] spi=153552890(0x92707fa) | 2008-07-20 15:52:16: INFO: IPsec-SA established: ESP/Transport 192.168.10.241[0]->192.168.10.144[0] spi=153552890(0x92707fa) | ||
2008-07-20 15:52:16: INFO: IPsec-SA established: ESP/Transport 192.168.10.144[500]->192.168.10.241[500] spi=3129349703(0xba861647) | 2008-07-20 15:52:16: INFO: IPsec-SA established: ESP/Transport 192.168.10.144[500]->192.168.10.241[500] spi=3129349703(0xba861647) | ||
+ | |||
+ | ===OpenBSD isakmpd ja Debiani Racoon tarkvara kasutamine tunnel-režiimis sertifikaatidega=== | ||
+ | |||
+ | Sertifikaatide moodustamine ja kasutamine on sarnane eelmises punktis esitatule, muudatused esinevad vaid kahes failis. | ||
+ | |||
+ | OpenBSD poolel faili /etc/ipsec.conf sisu on selline | ||
+ | |||
+ | ike esp tunnel from 192.168.51.0/24 to 192.168.40.0/24 peer 192.168.50.144 \ | ||
+ | main auth hmac-sha1 enc blowfish group modp1024 \ | ||
+ | quick auth hmac-sha2-256 enc blowfish group modp1024 | ||
+ | |||
+ | Debiani poolel faili /etc/ipsec-tools sisu on selline | ||
+ | |||
+ | #!/usr/sbin/setkey -f | ||
+ | |||
+ | flush; | ||
+ | spdflush; | ||
+ | |||
+ | spdadd 192.168.40.0/24 192.168.51.0/24 any -P in ipsec | ||
+ | esp/tunnel/10.0.10.251-192.168.50.144/require; | ||
+ | |||
+ | spdadd 192.168.51.0/24 192.168.40.0/24 any -P out ipsec | ||
+ | esp/tunnel/192.168.50.144-10.0.10.251/require; | ||
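Review bot: the Debian file in the new section is named /etc/ipsec-tools, while every other section (and the command that executes it) uses /etc/ipsec-tools.conf; the name should be made consistent. Also worth a sentence on direction: in ipsec.conf(5) `from` is the local network, and the Debian policy in the same hunk treats 192.168.51.0/24 as the network behind the Debian gateway 192.168.50.144 (`esp/tunnel/192.168.50.144-10.0.10.251` for out), so the OpenBSD line `from 192.168.51.0/24 to 192.168.40.0/24 peer 192.168.50.144` should be checked against `ipsecctl -sa` output before a reader copies it.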
===IPSec üle NAT lüüsi, kaks Debiani, eeljaotatud võtmetega=== | ===IPSec üle NAT lüüsi, kaks Debiani, eeljaotatud võtmetega=== | ||
Line 484: | Line 507: | ||
spdadd 192.168.41.0/24 192.168.51.0/24 any -P out ipsec | spdadd 192.168.41.0/24 192.168.51.0/24 any -P out ipsec | ||
esp/tunnel/192.168.40.145-10.0.10.250/require; | esp/tunnel/192.168.40.145-10.0.10.250/require; | ||
− | |||
* /etc/racoon/racoon.conf | * /etc/racoon/racoon.conf | ||
Line 601: | Line 623: | ||
1216674943.507159 0800 174: 10.0.10.250.64752 > 192.168.40.145.4500:udpencap: esp 10.0.10.250 > 192.168.40.145 spi 0x08017C8F seq 5 len 132 (DF) | 1216674943.507159 0800 174: 10.0.10.250.64752 > 192.168.40.145.4500:udpencap: esp 10.0.10.250 > 192.168.40.145 spi 0x08017C8F seq 5 len 132 (DF) | ||
1216674943.507948 0800 174: 192.168.40.145.4500 > 10.0.10.250.64752:udpencap: esp 192.168.40.145 > 10.0.10.250 spi 0x02D8D385 seq 5 len 132 | 1216674943.507948 0800 174: 192.168.40.145.4500 > 10.0.10.250.64752:udpencap: esp 192.168.40.145 > 10.0.10.250 spi 0x02D8D385 seq 5 len 132 | ||
+ | |||
+ | ===IPSec Debian pöördub üle NAT lüüsi OpenBSD poole=== | ||
+ | |||
+ | Debiani pool on vaja seadistada ülalkirjeldatud moel NAT võimeliseks, OpenBSD isakmpd avastab automaatselt üle NAT toimuva suhtlemise ning andmevahetus töötab. | ||
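Review bot: the new section only states that the Debian side must be "NAT capable as described above" and that isakmpd detects the NAT automatically; unlike the neighbouring sections it shows neither the racoon.conf settings that were used (at least `nat_traversal` and the `isakmp_natt` listen line) nor a log line from isakmpd or racoon confirming NAT-T, so a reader cannot verify the claim. Suggest adding the relevant config excerpt and one log line from each side.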
===Kasulikud lisamaterjalid=== | ===Kasulikud lisamaterjalid=== |
Last revision: 22 July 2008, 20:52
Introduction
Using IPSec seems to be one of those topics where, depending on the use case, one, another or yet another solution is the best fit. This text documents a few concrete set-ups that are known to work.
IPSec (Internet Protocol Security) is used in two modes
- transport mode: two end hosts communicate directly; the IP header stays intact and only the payload inside the packet (TCP, UDP, ICMP, ...) is protected
- tunnel mode: hosts in the subnets behind two gateways communicate; the whole original IP packet is protected by encapsulating it in a new IP packet built by the IPSec gateway
Principle of operation
With IPSec the cryptographic processing happens at the IP layer; by adding the relevant headers one obtains
- AH (Authentication Header): integrity and origin authentication of the packet, covering the payload and the immutable parts of the IP header, but no encryption
- ESP (Encapsulating Security Payload): confidentiality of the payload and, when an authentication algorithm is configured, its integrity as well
IPSec works with two kinds of rules
- SA (Security Association): rules that say how a given processing step is done, i.e. which algorithms and keys provide authentication, integrity and confidentiality for one direction of traffic
- SP (Security Policy): rules that say which traffic the SAs are applied to
They are kept in the corresponding databases
- SAD: Security Association Database
- SPD: Security Policy Database
To use IPSec, the SA and SP databases have to be described consistently on both parties; essentially the kernel has to be told the rules, which can be done e.g. with the program setkey. Since keeping the parties in step by hand is impractical and also insecure (the keys never change and have to be distributed out of band), the IKE (Internet Key Exchange) protocol was devised. On Debian IKE is implemented e.g. by the isakmpd and Racoon software.
Software
Debian's package management offers several IPSec solutions
- KAME: a solution originally written for IPv6 and backported to IPv4
- FreeS/WAN: an independent solution
- isakmpd: the OpenBSD IPSec implementation, ported to Debian
This text describes using the KAME project's software; two packages have to be installed
- ipsec-tools: managing the contents of the kernel SA and SP databases
# apt-get install ipsec-tools
- racoon: the IKE key exchange daemon
# apt-get install racoon
Since IPSec is a protocol with several different implementations, in principle, and in certain cases also in practice, different systems can be used together, e.g. OpenBSD isakmpd and Debian Racoon, which is demonstrated below.
IPSec also needs the corresponding kernel modules; the kernel from Debian's package management has them.
Transport mode with manual key management
Clumsy for practical use, but suitable for illustrating how IPSec works: keys and SPIs are typed in by hand on both sides, nothing is negotiated, and the keys never change.
One host needs a setkey script of this kind
192.168.10.144# cat /root/ipsec-static.sh
#!/usr/sbin/setkey -f
flush;
spdflush;
add 192.168.10.144 192.168.10.145 ah 123456 -A hmac-sha1 "AH SA configuration!";
add 192.168.10.145 192.168.10.144 ah 123457 -A hmac-sha1 "AH SA configuration!";
add 192.168.10.144 192.168.10.145 esp 0x10001 -E des-cbc 0x3ffe05014819ffff;
add 192.168.10.145 192.168.10.144 esp 0x10002 -E des-cbc 0x3ffe05014819ffff;
spdadd 192.168.10.144 192.168.10.145 any -P out ipsec
    esp/transport//require
    ah/transport//require;
spdadd 192.168.10.145 192.168.10.144 any -P in ipsec
    esp/transport//require
    ah/transport//require;
and the other host
192.168.10.145# cat /root/ipsec-static.sh
#!/usr/sbin/setkey -f
flush;
spdflush;
add 192.168.10.144 192.168.10.145 ah 123456 -A hmac-sha1 "AH SA configuration!";
add 192.168.10.145 192.168.10.144 ah 123457 -A hmac-sha1 "AH SA configuration!";
add 192.168.10.144 192.168.10.145 esp 0x10001 -E des-cbc 0x3ffe05014819ffff;
add 192.168.10.145 192.168.10.144 esp 0x10002 -E des-cbc 0x3ffe05014819ffff;
spdadd 192.168.10.145 192.168.10.144 any -P out ipsec
    esp/transport//require
    ah/transport//require;
spdadd 192.168.10.144 192.168.10.145 any -P in ipsec
    esp/transport//require
    ah/transport//require;
The two SADs are identical (an SA is identified by source, destination, protocol and SPI); only the policy direction is mirrored. des-cbc with a fixed 64-bit key and an ASCII HMAC key are enough to show the mechanism but are not adequate protection: DES is broken, the same key is used in both directions, and manually keyed SAs are never rekeyed. For anything real use e.g. aes-cbc with a random 128-bit key and a random 160-bit key for hmac-sha1, different for each direction (setkey(8) lists the key length each algorithm takes).
To enable IPSec, the following kernel modules have to be loaded (the list is generous; for the scripts above esp4, ah4, xfrm_user and the des and sha1 cipher modules are the ones that matter, and current kernels load them on demand)
# cat /root/ipsec.modules
xfrm6_tunnel
tunnel6
esp6
ah6
ipcomp
esp4
ah4
xfrm_user
cast5
khazad
arc4
tgr192
tea
crc32c
libcrc32c
michael_mic
sha512
anubis
cast6
md4
wp512
# for i in `cat /root/ipsec.modules`; do modprobe $i; done
and run once on both hosts
# chmod +x /root/ipsec-static.sh
and from then on
# /root/ipsec-static.sh
To check that the traffic is really protected, ping the other host while listening with tcpdump
# tcpdump -nettti eth0 host 192.168.10.145
000000 00:16:3e:6a:0d:4d > 00:16:3e:6a:0d:4e, ethertype IPv4 (0x0800), length 146: \
    192.168.10.144 > 192.168.10.145: AH(spi=0x0001e240,seq=0x1e): ESP(spi=0x00010001,seq=0x1e), length 88
000452 00:16:3e:6a:0d:4e > 00:16:3e:6a:0d:4d, ethertype IPv4 (0x0800), length 146: \
    192.168.10.145 > 192.168.10.144: AH(spi=0x0001e241,seq=0x1e): ESP(spi=0x00010002,seq=0x1e), length 88
The AH and ESP SPIs on the wire (0x1e240 = 123456 and 0x10001) are the ones from the script; only the headers are visible, the ICMP payload is not. If plain ICMP between the two hosts shows up instead, the policy is not being applied (check the SPD with setkey -DP, below).
To view the loaded SAD (Security Association Database), run
# setkey -D
and to view the SPD (Security Policy Database), run
# setkey -DP
To delete the contents of these databases, run respectively
# setkey -F
and
# setkey -FP
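The manual-keying procedure above is easy to get subtly wrong: keys of the wrong length, the same key reused in both directions, or the in/out policies not mirrored between the two hosts. The following is an added example (not from the original article) that generates the pair of setkey scripts with fresh random keys of the length each algorithm requires, using aes-cbc and hmac-sha1 instead of the page's des-cbc and ASCII key. The host names, addresses and SPI base are assumptions for the illustration; the key lengths are those documented in setkey(8).

```python
"""Generate a matching pair of setkey(8) scripts for manually keyed
IPSec transport mode between two hosts.

Added example for this page, not part of the original article. It
replaces the fixed DES key and ASCII HMAC key shown on the page with
fresh random keys of the right length (AES-128-CBC, HMAC-SHA1) and
writes the same SAs to both hosts with only the policy direction
mirrored. Addresses and the SPI base are assumptions for the example.
"""
import secrets

# Key lengths in bits for the algorithms setkey accepts (setkey(8)).
ALGO_BITS = {"aes-cbc": 128, "des-cbc": 64, "3des-cbc": 192,
             "hmac-sha1": 160, "hmac-sha256": 256, "hmac-md5": 128}


def hexkey(algo):
    """Return a fresh random key for algo as a 0x... hex string."""
    return "0x" + secrets.token_hex(ALGO_BITS[algo] // 8)


def key_bits(hexstr):
    """Bit length of a 0x... key, so a caller can check it before loading."""
    return (len(hexstr) - 2) * 4


def setkey_scripts(a, b, esp_algo="aes-cbc", ah_algo="hmac-sha1",
                   spi_base=0x10001):
    """Return {host: script_text} for hosts a and b.

    Both SADs are identical (an SA is identified by src, dst, protocol
    and SPI); only the SPD differs: traffic a->b is 'out' on a and 'in'
    on b. Each direction gets its own key.
    """
    esp_ab, esp_ba = hexkey(esp_algo), hexkey(esp_algo)
    ah_ab, ah_ba = hexkey(ah_algo), hexkey(ah_algo)
    sad = "\n".join([
        f"add {a} {b} ah {spi_base + 2} -A {ah_algo} {ah_ab};",
        f"add {b} {a} ah {spi_base + 3} -A {ah_algo} {ah_ba};",
        f"add {a} {b} esp {spi_base} -E {esp_algo} {esp_ab};",
        f"add {b} {a} esp {spi_base + 1} -E {esp_algo} {esp_ba};",
    ])

    def spd(local, remote):
        # Policy as seen from 'local': its own traffic is out, the peer's is in.
        return (f"spdadd {local} {remote} any -P out ipsec "
                f"esp/transport//require ah/transport//require;\n"
                f"spdadd {remote} {local} any -P in ipsec "
                f"esp/transport//require ah/transport//require;")

    header = "#!/usr/sbin/setkey -f\nflush;\nspdflush;\n"
    return {a: header + sad + "\n" + spd(a, b) + "\n",
            b: header + sad + "\n" + spd(b, a) + "\n"}


if __name__ == "__main__":
    for host, text in setkey_scripts("192.168.10.144", "192.168.10.145").items():
        print(f"# ---- /root/ipsec-static.sh on {host}")
        print(text)
```

Run it once, copy each script to its host over an already protected channel (the scripts contain the keys in the clear), and load them exactly as the page does; `setkey -D` on both hosts should then show four SAs with the same SPIs and keys.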
Using Racoon with pre-shared keys in transport mode
Both hosts need the file /etc/racoon/psk.txt; on one host with the content
192.168.10.144# cat /etc/racoon/psk.txt
192.168.10.145 saladus123
and on the other
192.168.10.145# cat /etc/racoon/psk.txt
192.168.10.144 saladus123
The first column is the peer's identifier (here its address, see peers_identifier below), the rest of the line is the secret. racoon refuses a psk.txt that is readable by group or others ("has weak file permission"), so keep it mode 0600 and owned by root, and use a long random secret rather than a word.
In addition, one host needs the configuration file /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";

remote 192.168.10.145 {
    exchange_mode main;
    peers_identifier address;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo address 192.168.10.144 any address 192.168.10.145 any {
    pfs_group modp1024;
    encryption_algorithm aes,3des;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}
and the other host
path pre_shared_key "/etc/racoon/psk.txt";

remote 192.168.10.144 {
    exchange_mode main;
    peers_identifier address;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo address 192.168.10.145 any address 192.168.10.144 any {
    pfs_group modp1024;
    encryption_algorithm aes,3des;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}
Without a listen block racoon binds to every address it finds, including loopback and IPv6 link-local ones, as the log below shows; a listen block as in the later sections restricts it to the address that should speak IKE.
Further, /etc/ipsec-tools.conf has to exist on both hosts with the following content, with in and out swapped on the other host; as in the later sections the file starts with #!/usr/sbin/setkey -f followed by flush; and spdflush;, and it must be executable because it is run as a script below
spdadd 192.168.10.145 192.168.10.144 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 192.168.10.144 192.168.10.145 any -P in ipsec esp/transport//require ah/transport//require;
To start, run on each host, first to load the security policies (the SAs themselves are negotiated by racoon when the policy first needs them)
# /etc/ipsec-tools.conf
and then
# racoon -Fv
Foreground mode.
2008-07-20 12:44:00: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
2008-07-20 12:44:00: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
2008-07-20 12:44:00: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2008-07-20 12:44:01: INFO: Resize address pool from 0 to 255
2008-07-20 12:44:01: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
2008-07-20 12:44:01: INFO: 127.0.0.1[500] used for NAT-T
2008-07-20 12:44:01: INFO: 192.168.10.145[500] used as isakmp port (fd=7)
2008-07-20 12:44:01: INFO: 192.168.10.145[500] used for NAT-T
2008-07-20 12:44:01: INFO: 192.168.11.145[500] used as isakmp port (fd=8)
2008-07-20 12:44:01: INFO: 192.168.11.145[500] used for NAT-T
2008-07-20 12:44:01: INFO: ::1[500] used as isakmp port (fd=9)
2008-07-20 12:44:01: INFO: fe80::216:3eff:fe6a:d4e%eth0[500] used as isakmp port (fd=10)
2008-07-20 12:44:01: INFO: fe80::c499:d5ff:fe29:e6b2%dummy0[500] used as isakmp port (fd=11)
2008-07-20 12:44:12: INFO: respond new phase 1 negotiation: 192.168.10.145[500]<=>192.168.10.144[500]
2008-07-20 12:44:12: INFO: begin Identity Protection mode.
2008-07-20 12:44:12: INFO: received Vendor ID: DPD
2008-07-20 12:44:12: INFO: ISAKMP-SA established 192.168.10.145[500]-192.168.10.144[500] spi:cdd44e43a7303585:63ef33d8d8446163
2008-07-20 12:44:13: INFO: respond new phase 2 negotiation: 192.168.10.145[500]<=>192.168.10.144[500]
2008-07-20 12:44:13: INFO: IPsec-SA established: AH/Transport 192.168.10.144[0]->192.168.10.145[0] spi=8119090(0x7be332)
2008-07-20 12:44:13: INFO: IPsec-SA established: ESP/Transport 192.168.10.144[0]->192.168.10.145[0] spi=117850401(0x7064121)
2008-07-20 12:44:13: INFO: IPsec-SA established: AH/Transport 192.168.10.145[500]->192.168.10.144[500] spi=155051761(0x93de6f1)
2008-07-20 12:44:13: INFO: IPsec-SA established: ESP/Transport 192.168.10.145[500]->192.168.10.144[500] spi=31436875(0x1dfb04b)
The log is from 192.168.10.145: it answers the phase 1 (ISAKMP SA) negotiation started by the other side and then sets up an AH and an ESP SA in each direction, because the policy requires both.
Using OpenBSD isakmpd and Debian Racoon in transport mode with certificates
First generate certificates for both parties; we do this on OpenBSD. (rsa:1024 and 365 days are the 2008 values used here; today use at least rsa:2048.)
- Creating the CA certificate
# mkdir /root/ipsec-certs
# cd /root/ipsec-certs
# openssl req -x509 -days 365 -newkey rsa:1024 -keyout ca.key -out ca.crt
- Creating the certificate for the 192.168.10.144 (Debian) host
# openssl genrsa -out 192.168.10.144.key 1024
# openssl req -new -key 192.168.10.144.key -out 192.168.10.144.csr
# env CERTIP=192.168.10.144 openssl x509 -req -days 365 -in 192.168.10.144.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
    -extensions x509v3_IPAddr -out 192.168.10.144.crt
- Creating the certificate for the 192.168.10.241 (OpenBSD) host
# openssl genrsa -out 192.168.10.241.key 1024
# openssl req -new -key 192.168.10.241.key -out 192.168.10.241.csr
# env CERTIP=192.168.10.241 openssl x509 -req -days 365 -in 192.168.10.241.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
    -extensions x509v3_IPAddr -out 192.168.10.241.crt
OpenBSD's /etc/ssl/x509v3.cnf takes the address from the CERTIP environment variable and puts it into the certificate's subjectAltName as an IP address; that is the identity isakmpd matches the peer against, so it must be the address the peer actually uses.
- Copy the needed certificates into place on the OpenBSD host
# cp ca.crt /etc/isakmpd/ca
# cp 192.168.10.241.crt 192.168.10.144.crt /etc/isakmpd/certs
# cp 192.168.10.241.key /etc/isakmpd/private/local.key
# chmod 0600 /etc/isakmpd/private/local.key
isakmpd reads its own private key from /etc/isakmpd/private/local.key, CA certificates from /etc/isakmpd/ca and peer certificates from /etc/isakmpd/certs; the private key must be readable by root only, hence the chmod.
- Copy the needed certificates into place on the Debian host
# scp 192.168.10.241.crt 192.168.10.144.crt ca.crt 192.168.10.144.key root@192.168.10.144:/etc/racoon/certs
192.168.10.144.key is the Debian host's private key and should be mode 0600 on arrival; the OpenBSD key 192.168.10.241.key stays on OpenBSD and is not copied anywhere.
- Add to OpenBSD's /etc/ipsec.conf
ike esp transport from 192.168.10.241 to 192.168.10.144 \
    main auth hmac-sha1 enc blowfish group modp1024 \
    quick auth hmac-sha2-256 enc blowfish group modp1024
- Debian's /etc/ipsec-tools.conf must be executable and contain
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.10.144 192.168.10.241 any -P out ipsec esp/transport//require;
spdadd 192.168.10.241 192.168.10.144 any -P in ipsec esp/transport//require;
- Debian's /etc/racoon/racoon.conf must contain
path certificate "/etc/racoon/certs";

# "padding" defines some padding parameters.
# You should not touch these.
padding {
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen {
    isakmp 192.168.10.144;
}

remote anonymous {
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier asn1dn;
    certificate_type x509 "192.168.10.144.crt" "192.168.10.144.key";
    peers_certfile x509 "192.168.10.241.crt";
    nonce_size 16;
    initial_contact on;
    proposal_check obey;
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1024;
    }
}

sainfo anonymous {
    pfs_group modp1024;
    encryption_algorithm blowfish;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
remote anonymous means racoon answers any peer, but peers_certfile pins the certificate the peer must present and authentication_method rsasig requires it to prove possession of the matching private key.
- To enable IPSec on the OpenBSD side, run
# isakmpd -Kdv
194552.887107 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
194552.887646 Default message_negotiate_sa: no compatible proposal found
194552.887974 Default dropped message from 10.0.10.250 port 500 due to notification type NO_PROPOSAL_CHOSEN
194610.737219 Default isakmpd: phase 1 done: initiator id c0a80af1: 192.168.10.241, responder id \
    /C=EE/ST=Tartu/L=Tartu/CN=sid1.auul, src: 192.168.10.241 dst: 192.168.10.144
194610.806354 Default isakmpd: quick mode done: src: 192.168.10.241 dst: 192.168.10.144
and
# ipsecctl -f /etc/ipsec.conf
-K turns off isakmpd's KeyNote policy checking, the usual choice when ipsecctl(8) manages the flows. The first three log lines are an unrelated proposal mismatch from 10.0.10.250 and can be ignored; the "phase 1 done" and "quick mode done" lines are the ones that matter, and the responder id shows the Debian certificate's subject.
- To enable IPSec on the Debian side, run
# setkey -F && setkey -FP
# /etc/ipsec-tools.conf
# racoon -Fv
Foreground mode.
2008-07-20 15:52:14: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
2008-07-20 15:52:14: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
2008-07-20 15:52:14: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2008-07-20 15:52:14: INFO: Resize address pool from 0 to 255
2008-07-20 15:52:14: INFO: 192.168.10.144[500] used as isakmp port (fd=6)
2008-07-20 15:52:14: INFO: 192.168.10.144[500] used for NAT-T
2008-07-20 15:52:16: INFO: respond new phase 1 negotiation: 192.168.10.144[500]<=>192.168.10.241[500]
2008-07-20 15:52:16: INFO: begin Identity Protection mode.
2008-07-20 15:52:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2008-07-20 15:52:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2008-07-20 15:52:16: INFO: received Vendor ID: RFC 3947
2008-07-20 15:52:16: INFO: received Vendor ID: DPD
2008-07-20 15:52:16: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
2008-07-20 15:52:16: INFO: ISAKMP-SA established 192.168.10.144[500]-192.168.10.241[500] spi:078680685f34034b:3537ef1b297d0a21
2008-07-20 15:52:16: INFO: respond new phase 2 negotiation: 192.168.10.144[500]<=>192.168.10.241[500]
2008-07-20 15:52:16: INFO: IPsec-SA established: ESP/Transport 192.168.10.241[0]->192.168.10.144[0] spi=153552890(0x92707fa)
2008-07-20 15:52:16: INFO: IPsec-SA established: ESP/Transport 192.168.10.144[500]->192.168.10.241[500] spi=3129349703(0xba861647)
Using OpenBSD isakmpd and Debian Racoon in tunnel mode with certificates
Creating and using the certificates is the same as in the previous section; only two files change.
On the OpenBSD side /etc/ipsec.conf looks like this
ike esp tunnel from 192.168.51.0/24 to 192.168.40.0/24 peer 192.168.50.144 \
    main auth hmac-sha1 enc blowfish group modp1024 \
    quick auth hmac-sha2-256 enc blowfish group modp1024
In ipsec.conf(5) from is the local network and to the remote one, and the Debian policy below treats 192.168.51.0/24 as the network behind the Debian gateway 192.168.50.144, so check the direction against your own topology, e.g. with ipsecctl -sa after loading.
On the Debian side /etc/ipsec-tools.conf looks like this
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.40.0/24 192.168.51.0/24 any -P in ipsec
    esp/tunnel/10.0.10.251-192.168.50.144/require;
spdadd 192.168.51.0/24 192.168.40.0/24 any -P out ipsec
    esp/tunnel/192.168.50.144-10.0.10.251/require;
IPSec across a NAT gateway, two Debians, with pre-shared keys
The host behind the NAT uses tunnel mode here. Because the NAT rewrites addresses and ESP carries no ports for it to track, racoon switches to NAT-T (RFC 3947/3948): IKE moves to UDP port 4500 and the ESP packets cross the NAT UDP-encapsulated, as the logs and the capture below show.
------|----------------------|--------
      |                      |
      | 10.0.10.250          | 10.0.10.251
     _|_                    _|_
    |   | Ruuter1          |   | Ruuter2
    |___|        NAT       |___|
      | 192.168.50.250       | 192.168.40.251
      |                      |
      | 192.168.50.144       | 192.168.40.145
     _|_                    _|_
    |   | VPN1             |   | VPN2
    |___|                  |___|
      | 192.168.51.254       | 192.168.41.254
      |                      |
     _|_                    _|_
    |   | kalake           |   | tuvike
    |___|                  |___|
        192.168.51.144         192.168.41.145
Ruuter1 does the NAT: in the logs below VPN2 sees VPN1 as 10.0.10.250, while VPN1 reaches VPN2 at its real address 192.168.40.145.
For kalake to be able to contact tuvike over IPSec, VPN1 needs three files with the following content
- /etc/racoon/psk.txt
10.0.10.250 saladus
racoon looks the key up by the peer's address or identifier; if it logs "couldn't find the pskey for ...", the address in that message is the one the entry must carry.
- /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.41.0/24 192.168.51.0/24 any -P in ipsec
    esp/tunnel/192.168.40.145-192.168.50.144/require;
spdadd 192.168.51.0/24 192.168.41.0/24 any -P out ipsec
    esp/tunnel/192.168.50.144-192.168.40.145/require;
- /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";

timer {
    natt_keepalive 10 sec;
}

listen {
    isakmp 192.168.50.144 [500];
    isakmp_natt 192.168.50.144 [4500];
}

remote 192.168.40.145 {
    exchange_mode main;
    peers_identifier address;
    nat_traversal on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo address 192.168.51.0/24[any] any address 192.168.41.0/24[any] any {
    pfs_group modp1024;
    encryption_algorithm aes,3des;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}
and VPN2 the files
- /etc/racoon/psk.txt
10.0.10.250 saladus
- /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.51.0/24 192.168.41.0/24 any -P in ipsec
    esp/tunnel/10.0.10.250-192.168.40.145/require;
spdadd 192.168.41.0/24 192.168.51.0/24 any -P out ipsec
    esp/tunnel/192.168.40.145-10.0.10.250/require;
- /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";

timer {
    natt_keepalive 10 sec;
}

listen {
    isakmp 192.168.40.145 [500];
    isakmp_natt 192.168.40.145 [4500];
}

remote 10.0.10.250 {
    exchange_mode main;
    peers_identifier address;
    nat_traversal force;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo address 192.168.41.0/24[any] any address 192.168.51.0/24[any] any {
    pfs_group modp1024;
    encryption_algorithm aes,3des;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}
VPN2 uses nat_traversal force and addresses VPN1 as 10.0.10.250 throughout (psk.txt, the remote block and the tunnel endpoint in the policy), because that is the only address of VPN1 it ever sees; VPN1 uses nat_traversal on and the real address of VPN2. natt_keepalive keeps the NAT mapping for UDP 4500 alive while there is no user traffic.
To start, run on VPN1
vpn1# /etc/ipsec-tools.conf
vpn1# racoon -Fv
Foreground mode.
2008-07-21 20:17:42: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
2008-07-21 20:17:42: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
2008-07-21 20:17:42: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2008-07-21 20:17:42: INFO: Resize address pool from 0 to 255
2008-07-21 20:17:42: INFO: 192.168.50.144[4500] used as isakmp port (fd=6)
2008-07-21 20:17:42: INFO: 192.168.50.144[4500] used for NAT-T
2008-07-21 20:17:42: INFO: 192.168.50.144[500] used as isakmp port (fd=7)
2008-07-21 20:17:42: INFO: 192.168.50.144[500] used for NAT-T
2008-07-21 20:17:52: INFO: IPsec-SA request for 192.168.40.145 queued due to no phase1 found.
2008-07-21 20:17:52: INFO: initiate new phase 1 negotiation: 192.168.50.144[500]<=>192.168.40.145[500]
2008-07-21 20:17:52: INFO: begin Identity Protection mode.
2008-07-21 20:17:52: INFO: received Vendor ID: RFC 3947
2008-07-21 20:17:52: INFO: received Vendor ID: DPD
2008-07-21 20:17:52: INFO: Selected NAT-T version: RFC 3947
2008-07-21 20:17:52: INFO: Hashing 192.168.40.145[500] with algo #2
2008-07-21 20:17:52: INFO: Hashing 192.168.50.144[500] with algo #2
2008-07-21 20:17:52: INFO: Adding remote and local NAT-D payloads.
2008-07-21 20:17:52: INFO: Hashing 192.168.50.144[500] with algo #2
2008-07-21 20:17:52: INFO: NAT-D payload #0 doesn't match
2008-07-21 20:17:52: INFO: Hashing 192.168.40.145[500] with algo #2
2008-07-21 20:17:52: INFO: NAT-D payload #1 doesn't match
2008-07-21 20:17:52: INFO: NAT detected: ME PEER
2008-07-21 20:17:52: INFO: KA list add: 192.168.50.144[4500]->192.168.40.145[4500]
2008-07-21 20:17:52: INFO: ISAKMP-SA established 192.168.50.144[4500]-192.168.40.145[4500] spi:02394245f17370b6:6b9410cb66b2bae5
2008-07-21 20:17:53: INFO: initiate new phase 2 negotiation: 192.168.50.144[4500]<=>192.168.40.145[4500]
2008-07-21 20:17:53: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
2008-07-21 20:17:53: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
2008-07-21 20:17:53: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
2008-07-21 20:17:53: INFO: IPsec-SA established: ESP/Tunnel 192.168.40.145[0]->192.168.50.144[0] spi=47764357(0x2d8d385)
2008-07-21 20:17:53: INFO: IPsec-SA established: ESP/Tunnel 192.168.50.144[4500]->192.168.40.145[4500] spi=134315151(0x8017c8f)
and likewise on VPN2
vpn2# /etc/ipsec-tools.conf
vpn2# racoon -Fv
Foreground mode.
2008-07-21 20:17:46: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
2008-07-21 20:17:46: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
2008-07-21 20:17:46: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2008-07-21 20:17:46: INFO: Resize address pool from 0 to 255
2008-07-21 20:17:46: INFO: 192.168.40.145[4500] used as isakmp port (fd=6)
2008-07-21 20:17:46: INFO: 192.168.40.145[4500] used for NAT-T
2008-07-21 20:17:46: INFO: 192.168.40.145[500] used as isakmp port (fd=7)
2008-07-21 20:17:46: INFO: 192.168.40.145[500] used for NAT-T
2008-07-21 20:17:52: INFO: respond new phase 1 negotiation: 192.168.40.145[500]<=>10.0.10.250[52723]
2008-07-21 20:17:52: INFO: begin Identity Protection mode.
2008-07-21 20:17:52: INFO: received Vendor ID: RFC 3947
2008-07-21 20:17:52: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2008-07-21 20:17:52: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2008-07-21 20:17:52: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2008-07-21 20:17:52: INFO: received Vendor ID: DPD
2008-07-21 20:17:52: INFO: Selected NAT-T version: RFC 3947
2008-07-21 20:17:52: INFO: NAT-D payload #0 doesn't match
2008-07-21 20:17:52: INFO: NAT-D payload #1 doesn't match
2008-07-21 20:17:52: INFO: NAT detected: ME PEER
2008-07-21 20:17:52: INFO: Hashing 10.0.10.250[52723] with algo #2 (NAT-T forced)
2008-07-21 20:17:52: INFO: Hashing 192.168.40.145[500] with algo #2 (NAT-T forced)
2008-07-21 20:17:52: INFO: Adding remote and local NAT-D payloads.
2008-07-21 20:17:52: INFO: NAT-T: ports changed to: 10.0.10.250[64752]<->192.168.40.145[4500]
2008-07-21 20:17:52: INFO: KA list add: 192.168.40.145[4500]->10.0.10.250[64752]
2008-07-21 20:17:52: INFO: ISAKMP-SA established 192.168.40.145[4500]-10.0.10.250[64752] spi:02394245f17370b6:6b9410cb66b2bae5
2008-07-21 20:17:53: INFO: respond new phase 2 negotiation: 192.168.40.145[4500]<=>10.0.10.250[64752]
2008-07-21 20:17:53: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
2008-07-21 20:17:53: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
2008-07-21 20:17:53: INFO: IPsec-SA established: ESP/Tunnel 10.0.10.250[64752]->192.168.40.145[4500] spi=134315151(0x8017c8f)
2008-07-21 20:17:53: INFO: IPsec-SA established: ESP/Tunnel 192.168.40.145[4500]->10.0.10.250[64752] spi=47764357(0x2d8d385)
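The "Hashing ... with algo #2", "NAT-D payload #0 doesn't match" and "NAT detected" lines in the two logs are racoon running the NAT discovery of RFC 3947 section 4. The following is an added example, not racoon's code and not from the original article, that works the computation through for this page's topology: each side sends HASH(CKY-I | CKY-R | IP | Port) for the address it is sending to and then for its own; the receiver recomputes both from the addresses it actually sees on the packet, and whichever hash fails to match tells it which address was rewritten in transit. The cookies are the ones racoon printed as the ISAKMP SA identifier (spi:02394245f17370b6:6b9410cb66b2bae5) and the NATed source port 52723 is the one VPN2 logged; that both sides use SHA1 ("algo #2", the phase 1 hash_algorithm) is read off the configuration. The "(NAT-T forced)" behaviour of nat_traversal force is not modelled.

```python
"""NAT-D payloads of RFC 3947 section 4, worked through for this page's
topology: VPN1 192.168.50.144 behind Ruuter1 (seen by VPN2 as
10.0.10.250), VPN2 192.168.40.145 reachable directly.

Added example for this page; not racoon's code. The cookies are the
ISAKMP SA identifier from the racoon logs above, the NATed source port
is the one VPN2 logged, everything else is derived from those.
"""
import hashlib
import socket
import struct

# ISAKMP cookies as printed by racoon: spi:<CKY-I>:<CKY-R>
CKY_I = bytes.fromhex("02394245f17370b6")
CKY_R = bytes.fromhex("6b9410cb66b2bae5")


def nat_d(cky_i, cky_r, ip, port, hash_name="sha1"):
    """One NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), address and
    port in network byte order. The hash is the phase 1 hash algorithm;
    with hash_algorithm sha1 racoon logs it as 'algo #2'."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """Payloads a sender puts in its phase 1 message: first the address it
    is sending TO, then the address it is sending FROM. This is the order
    of the two 'Hashing ...' lines before 'Adding remote and local NAT-D
    payloads' in the VPN1 log."""
    return [nat_d(cky_i, cky_r, peer_ip, peer_port),
            nat_d(cky_i, cky_r, my_ip, my_port)]


def check_nat_d(cky_i, cky_r, received, my_ip, my_port, src_ip, src_port):
    """Receiver side. received[0] must hash to my own address and
    received[1] to the source address the packet arrived with; a
    mismatch means that address was rewritten on the way, which is what
    racoon reports as 'NAT detected: ME' / 'PEER'."""
    me = received[0] != nat_d(cky_i, cky_r, my_ip, my_port)
    peer = received[1] != nat_d(cky_i, cky_r, src_ip, src_port)
    return {"me": me, "peer": peer}


def vpn2_checks_vpn1(nat_ip="10.0.10.250", nat_port=52723):
    """VPN1 hashes its private address; Ruuter1 rewrites the source to
    nat_ip:nat_port; VPN2 finds the second payload does not match and
    concludes the peer is behind a NAT."""
    sent = build_nat_d(CKY_I, CKY_R, "192.168.50.144", 500, "192.168.40.145", 500)
    return check_nat_d(CKY_I, CKY_R, sent, "192.168.40.145", 500, nat_ip, nat_port)


def vpn1_checks_vpn2_reply(nat_ip="10.0.10.250", nat_port=52723):
    """VPN2 answers to the address it saw (the NAT's); Ruuter1 translates
    it back, so VPN1 receives it at its private address and finds the
    hash of its own address does not match: it is the one behind the NAT."""
    sent = build_nat_d(CKY_I, CKY_R, "192.168.40.145", 500, nat_ip, nat_port)
    return check_nat_d(CKY_I, CKY_R, sent, "192.168.50.144", 500, "192.168.40.145", 500)


if __name__ == "__main__":
    print("VPN2's view of VPN1:", vpn2_checks_vpn1())
    print("VPN1's view of VPN2's reply:", vpn1_checks_vpn2_reply())
```

Once either side has detected a NAT, both move IKE to UDP 4500 and negotiate UDP-encapsulated ESP, which is why the VPN2 log continues with "NAT-T: ports changed to: 10.0.10.250[64752]<->192.168.40.145[4500]".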
Meanwhile, listening to the traffic on the router, i.e. from a device outside both hosts, it looks like this
ruuter1# tcpdump -ntti rl0
tcpdump: listening on rl0, link-type EN10MB
1216674942.146178 0800 60: 192.168.40.145.4500 > 10.0.10.250.64752:NAT-T Keepalive (DF)
1216674942.507406 0800 174: 10.0.10.250.64752 > 192.168.40.145.4500:udpencap: esp 10.0.10.250 > 192.168.40.145 spi 0x08017C8F seq 4 len 132 (DF)
1216674942.511139 0800 174: 192.168.40.145.4500 > 10.0.10.250.64752:udpencap: esp 192.168.40.145 > 10.0.10.250 spi 0x02D8D385 seq 4 len 132
1216674943.507159 0800 174: 10.0.10.250.64752 > 192.168.40.145.4500:udpencap: esp 10.0.10.250 > 192.168.40.145 spi 0x08017C8F seq 5 len 132 (DF)
1216674943.507948 0800 174: 192.168.40.145.4500 > 10.0.10.250.64752:udpencap: esp 192.168.40.145 > 10.0.10.250 spi 0x02D8D385 seq 5 len 132
Only UDP 4500 with ESP inside and the NAT-T keepalives are visible; the SPIs 0x08017C8F and 0x02D8D385 are the ones racoon reported on both hosts, and the inner addresses 192.168.51.x and 192.168.41.x never appear on the wire.
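Both this capture and the tcpdump check in the manual-keying section rely on eyeballing SPIs. The following is an added example (not from the original article, not racoon's or tcpdump's code) that does the cross-check mech­anically: it parses the "IPsec-SA established" lines of racoon -Fv and the ESP lines of tcpdump, in both the OpenBSD "udpencap: esp A > B spi 0x..." form seen here and the Linux "A > B: AH(spi=..): ESP(spi=..)" form seen earlier, and reports packets whose SPI racoon negotiated, packets carrying an SPI racoon never reported, and packets between the two peers that are neither ESP nor IKE, i.e. traffic the policy let through in the clear. The racoon and tcpdump lines embedded below are taken from the excerpts on this page; the final ICMP line is constructed to show the failure case.

```python
"""Cross-check the SAs racoon negotiated against what tcpdump saw.

Added example for this page; not part of the original article. Racoon
and tcpdump sample lines are copied from the page's own excerpts, the
last ICMP line is constructed to show an unprotected packet.
"""
import re

RACOON_SA = re.compile(
    r"IPsec-SA established: (?P<proto>AH|ESP)/(?P<mode>Transport|Tunnel) "
    r"(?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\] spi=\d+\((?P<spi>0x[0-9a-f]+)\)")

# OpenBSD tcpdump: '... udpencap: esp 10.0.10.250 > 192.168.40.145 spi 0x08017C8F seq 4 ...'
TCPDUMP_ESP_BSD = re.compile(
    r"esp (?P<src>[\d.]+) > (?P<dst>[\d.]+) spi (?P<spi>0x[0-9A-Fa-f]+)")
# Linux tcpdump: '192.168.10.144 > 192.168.10.145: AH(spi=0x0001e240,seq=0x1e): ESP(spi=0x00010001,...'
TCPDUMP_ESP_LINUX = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"(?:AH\(spi=0x[0-9a-f]+,seq=0x[0-9a-f]+\): )?ESP\(spi=(?P<spi>0x[0-9a-f]+)")


def negotiated_sas(racoon_log):
    """Map (src, dst, spi) -> 'ESP/Tunnel' etc. from racoon -Fv output."""
    sas = {}
    for line in racoon_log.splitlines():
        m = RACOON_SA.search(line)
        if m:
            sas[(m["src"], m["dst"], int(m["spi"], 16))] = f"{m['proto']}/{m['mode']}"
    return sas


def audit_capture(tcpdump_out, sas, peers):
    """Classify every captured line that concerns the two peers.

    matched     - ESP packet whose (src, dst, spi) racoon reported
    unknown_spi - ESP packet with an SPI racoon never reported (a stale
                  SA, another daemon, or someone injecting ESP)
    plaintext   - packet between the peers that is neither ESP nor IKE
                  control traffic (isakmp / NAT-T keepalive)
    """
    result = {"matched": [], "unknown_spi": [], "plaintext": []}
    for line in tcpdump_out.splitlines():
        if not line.strip():
            continue
        m = TCPDUMP_ESP_BSD.search(line) or TCPDUMP_ESP_LINUX.search(line)
        if m:
            key = (m["src"], m["dst"], int(m["spi"], 16))
            bucket = "matched" if key in sas else "unknown_spi"
            result[bucket].append(key)
        elif "isakmp" in line or "NAT-T Keepalive" in line:
            continue  # IKE control traffic is expected in the clear
        elif all(p in line for p in peers):
            result["plaintext"].append(line.strip())
    return result


# VPN2's racoon log from this page (the SA lines are all the audit needs).
RACOON_LOG = """\
2008-07-21 20:17:53: INFO: IPsec-SA established: ESP/Tunnel 10.0.10.250[64752]->192.168.40.145[4500] spi=134315151(0x8017c8f)
2008-07-21 20:17:53: INFO: IPsec-SA established: ESP/Tunnel 192.168.40.145[4500]->10.0.10.250[64752] spi=47764357(0x2d8d385)
"""

# ruuter1's tcpdump from this page plus one constructed plaintext ICMP line.
TCPDUMP_OUT = """\
1216674942.146178 0800 60: 192.168.40.145.4500 > 10.0.10.250.64752:NAT-T Keepalive (DF)
1216674942.507406 0800 174: 10.0.10.250.64752 > 192.168.40.145.4500:udpencap: esp 10.0.10.250 > 192.168.40.145 spi 0x08017C8F seq 4 len 132 (DF)
1216674942.511139 0800 174: 192.168.40.145.4500 > 10.0.10.250.64752:udpencap: esp 192.168.40.145 > 10.0.10.250 spi 0x02D8D385 seq 4 len 132
1216674943.507159 0800 174: 10.0.10.250.64752 > 192.168.40.145.4500:udpencap: esp 10.0.10.250 > 192.168.40.145 spi 0x08017C8F seq 5 len 132 (DF)
1216674943.507948 0800 174: 192.168.40.145.4500 > 10.0.10.250.64752:udpencap: esp 192.168.40.145 > 10.0.10.250 spi 0x02D8D385 seq 5 len 132
1216674944.000000 0800 98: 10.0.10.250 > 192.168.40.145: icmp: echo request
"""

PEERS = ("10.0.10.250", "192.168.40.145")

if __name__ == "__main__":
    report = audit_capture(TCPDUMP_OUT, negotiated_sas(RACOON_LOG), PEERS)
    for bucket, items in report.items():
        print(bucket, len(items))
        for item in items:
            print("   ", item)
```

With the page's data the four ESP packets match the two SAs, nothing carries an unknown SPI, and the one constructed ICMP line lands in plaintext; on a live system feed it `racoon -Fv` output and a `tcpdump -n` capture taken on the router, and treat anything in plaintext or unknown_spi as a policy or SA problem to chase down.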
IPSec: Debian contacts OpenBSD across a NAT gateway
The Debian side needs to be configured NAT-capable in the way described above; OpenBSD's isakmpd detects communication across the NAT automatically and the exchange works.