Using IPsec with Debian

Source: Kuutõrvaja

Introduction

Using IPsec seems to be one of those topics where, depending on the use case, one solution or another is the most suitable. This text documents a few specific use cases that are known to work.

IPsec (Internet Protocol Security) comes in two forms

  • transport mode - two endpoints communicate directly; the IP packet headers stay untouched and only the TCP, UDP, ICMP etc. payload inside the packet is processed
  • tunnel mode - computers in subnets behind two gateways communicate; the whole IP packet is processed by encapsulating it into a new IP packet formed at the IPsec gateway

How it works

With IPsec, data is encrypted at the IP layer; by adding the appropriate headers one can achieve

  • AH (Authentication Header) - authenticity of the communicating parties
  • ESP (Encapsulating Security Payload) - confidentiality and integrity of the data

IPsec works with two kinds of rules

  • SA (Security Association) - rules that say how a given operation on the data is carried out, i.e. ensuring authenticity and integrity, encryption
  • SP (Security Policy) - rules that say which traffic the rules described by an SA are applied to

These rules are kept in corresponding databases

  • SAD - Security Association Database
  • SPD - Security Policy Database

To use IPsec, the SA and SP databases must be described consistently on both participants; in principle the corresponding rules must be given to the kernel, which can be done e.g. with the setkey program. Since in practice it is inconvenient and also insecure to keep the parties in step by hand, the IKE (Internet Key Exchange) protocol was devised. On Debian IKE is implemented e.g. by the isakmpd and Racoon software.

Software

Several IPsec solutions are available in Debian package management

  • KAME - a solution originally written for the IPv6 protocol and backported to IPv4
  • FreeS/WAN - an independent solution
  • isakmpd - the OpenBSD IPsec implementation, ported to Debian

This text describes the use of the KAME project's software; two packages must be installed

  • ipsec-tools - managing the contents of the kernel's SA and SP databases
 # apt-get install ipsec-tools
  • racoon - the IKE key exchange daemon
 # apt-get install racoon

Since IPsec is a protocol with several different implementations, in principle, and in certain cases also in practice, different systems can be used together, e.g. OpenBSD isakmpd and Debian Racoon, which is also demonstrated below.

IPsec also needs the corresponding kernel modules; the kernel shipped by Debian package management has them.

Transport mode with manual key management

Clumsy for practical use, but suitable for illustrating how IPsec works.

One computer must have a setkey script like this

 192.168.10.144# cat /root/ipsec-static.sh
 #!/usr/sbin/setkey -f
 
 flush;
 spdflush;
 
 add 192.168.10.144 192.168.10.145 ah 123456 -A hmac-sha1 "AH SA configuration!";
 add 192.168.10.145 192.168.10.144 ah 123457 -A hmac-sha1 "AH SA configuration!";
 
 add 192.168.10.144 192.168.10.145 esp 0x10001 -E des-cbc 0x3ffe05014819ffff;
 add 192.168.10.145 192.168.10.144 esp 0x10002 -E des-cbc 0x3ffe05014819ffff;
 
 spdadd 192.168.10.144 192.168.10.145 any -P out ipsec
    esp/transport//require
    ah/transport//require;
 
 spdadd 192.168.10.145 192.168.10.144 any -P in ipsec
    esp/transport//require
    ah/transport//require;

and the other computer

 192.168.10.145# cat /root/ipsec-static.sh
 #!/usr/sbin/setkey -f
 
 flush;
 spdflush;
 
 add 192.168.10.144 192.168.10.145 ah 123456 -A hmac-sha1 "AH SA configuration!";
 add 192.168.10.145 192.168.10.144 ah 123457 -A hmac-sha1 "AH SA configuration!";
 
 add 192.168.10.144 192.168.10.145 esp 0x10001 -E des-cbc 0x3ffe05014819ffff;
 add 192.168.10.145 192.168.10.144 esp 0x10002 -E des-cbc 0x3ffe05014819ffff;
 
 spdadd 192.168.10.145 192.168.10.144 any -P out ipsec
    esp/transport//require
    ah/transport//require;
 
 spdadd 192.168.10.144 192.168.10.145 any -P in ipsec
    esp/transport//require
    ah/transport//require;

To enable IPsec, the following kernel modules must be loaded

 # cat /root/ipsec.modules
 xfrm6_tunnel
 tunnel6
 esp6
 ah6
 ipcomp
 esp4
 ah4
 xfrm_user
 cast5
 khazad
 arc4
 tgr192
 tea
 crc32c
 libcrc32c
 michael_mic
 sha512
 anubis
 cast6
 md4
 wp512
 # for i in `cat /root/ipsec.modules`; do modprobe $i; done

and run once on both computers

 # chmod +x /root/ipsec-static.sh

and from then on

 # /root/ipsec-static.sh
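The two scripts above differ only in the -P out / -P in directions and share one fixed des-cbc key, which is easy to get wrong when editing by hand. As an added example that is not part of the original page, the following shell script generates both peers' setkey scripts in one run, with a fresh random key per SA and aes-cbc / hmac-sha256 in place of des-cbc / hmac-sha1; the output directory and file names are the example's own choice.

```shell
#!/bin/sh
# Added example (not from the original page): generate matching static-key setkey
# scripts for two peers. The SAs are identical on both hosts; only the policy
# direction (-P out / -P in) is mirrored. Unlike the page's scripts, every SA gets
# its own random key and the page's des-cbc/hmac-sha1 is replaced by aes-cbc
# (128-bit key) and hmac-sha256 (256-bit key), both accepted by setkey(8).

# random_hex NBYTES: NBYTES random bytes as hex digits, without 0x prefix.
random_hex() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# gen_setkey_script A B ROLE AH_AB AH_BA ESP_AB ESP_BA
#   A, B       the two peer addresses
#   ROLE       "A" or "B": the peer this script is written for
#   AH_*/ESP_* hex keys for the A->B and B->A SAs (32 resp. 16 bytes)
gen_setkey_script() {
    a=$1 b=$2 role=$3 ah_ab=$4 ah_ba=$5 esp_ab=$6 esp_ba=$7
    if [ "$role" = A ]; then me=$a peer=$b; else me=$b peer=$a; fi
    cat <<EOF
#!/usr/sbin/setkey -f
flush;
spdflush;

# SAs: one per direction and protocol. The SPI must be unique per destination
# and protocol and at least 256 (0-255 are reserved).
add $a $b ah 0x1000 -A hmac-sha256 0x$ah_ab;
add $b $a ah 0x1001 -A hmac-sha256 0x$ah_ba;
add $a $b esp 0x2000 -E aes-cbc 0x$esp_ab;
add $b $a esp 0x2001 -E aes-cbc 0x$esp_ba;

# Policies: outbound from this host to the peer, inbound from the peer.
spdadd $me $peer any -P out ipsec
    esp/transport//require
    ah/transport//require;
spdadd $peer $me any -P in ipsec
    esp/transport//require
    ah/transport//require;
EOF
}

# gen_pair A B DIR: write DIR/A.sh and DIR/B.sh with freshly generated keys.
gen_pair() {
    ah_ab=$(random_hex 32) ah_ba=$(random_hex 32)
    esp_ab=$(random_hex 16) esp_ba=$(random_hex 16)
    (
        umask 077   # the files contain the keys: owner-only access
        gen_setkey_script "$1" "$2" A "$ah_ab" "$ah_ba" "$esp_ab" "$esp_ba" > "$3/$1.sh"
        gen_setkey_script "$1" "$2" B "$ah_ab" "$ah_ba" "$esp_ab" "$esp_ba" > "$3/$2.sh"
        chmod 700 "$3/$1.sh" "$3/$2.sh"
    )
}

# Usage: sh gen-ipsec-static.sh 192.168.10.144 192.168.10.145 /root/ipsec-static
# Copy B's script to the other host over an already secured channel (e.g. scp).
if [ $# -eq 3 ]; then
    gen_pair "$1" "$2" "$3"
fi
```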

To check that the data exchange is really secured, it is worth pinging one computer from the other while listening to the traffic with tcpdump

 # tcpdump -nettti eth0 host 192.168.10.145
 000000 00:16:3e:6a:0d:4d > 00:16:3e:6a:0d:4e, ethertype IPv4 (0x0800), length 146: \
 192.168.10.144 > 192.168.10.145:   AH(spi=0x0001e240,seq=0x1e): ESP(spi=0x00010001,seq=0x1e), length 88
 000452 00:16:3e:6a:0d:4e > 00:16:3e:6a:0d:4d, ethertype IPv4 (0x0800), length 146: \
 192.168.10.145 > 192.168.10.144: AH(spi=0x0001e241,seq=0x1e): ESP(spi=0x00010002,seq=0x1e), length 88

To view the loaded SAD (Security Association Database), run

 # setkey -D

and to view the SPD (Security Policy Database), run

 # setkey -DP

To clear the contents of these databases, run respectively

 # setkey -F

and

 # setkey -FP

Using Racoon with pre-shared keys in transport mode

Both computers must have the file /etc/racoon/psk.txt, on one with the content

 192.168.10.144# cat /etc/racoon/psk.txt 
 192.168.10.145  saladus123

and on the other

 192.168.10.145# cat /etc/racoon/psk.txt 
 192.168.10.144  saladus123

In addition, one computer must have the configuration file /etc/racoon/racoon.conf

 path pre_shared_key "/etc/racoon/psk.txt";
 remote 192.168.10.145 {
       exchange_mode main;
       peers_identifier address;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
 }
 sainfo address 192.168.10.144 any address 192.168.10.145 any {
       pfs_group modp1024;
       encryption_algorithm aes,3des;
       authentication_algorithm hmac_sha1,hmac_md5;
       compression_algorithm deflate;
 }

and the other computer

 path pre_shared_key "/etc/racoon/psk.txt";
 remote 192.168.10.144 {
       exchange_mode main;
       peers_identifier address;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group modp1024;
       }
 }
 
 sainfo address 192.168.10.145 any address 192.168.10.144 any {
       pfs_group modp1024;
       encryption_algorithm aes,3des;
       authentication_algorithm hmac_sha1,hmac_md5;
       compression_algorithm deflate;
 }

Additionally both computers must have an executable /etc/ipsec-tools.conf with the following content, with in and out reversed on the other side

 #!/usr/sbin/setkey -f
 flush;
 spdflush;
 
 spdadd 192.168.10.145 192.168.10.144 any -P out ipsec
       esp/transport//require
       ah/transport//require;
 spdadd 192.168.10.144 192.168.10.145 any -P in ipsec
       esp/transport//require
       ah/transport//require;

To start, run on each computer, first to load the setkey configuration

 # /etc/ipsec-tools.conf

and then

 # racoon -Fv
 Foreground mode.
 2008-07-20 12:44:00: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
 2008-07-20 12:44:00: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
 2008-07-20 12:44:00: INFO: Reading configuration from "/etc/racoon/racoon.conf"
 2008-07-20 12:44:01: INFO: Resize address pool from 0 to 255
 2008-07-20 12:44:01: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
 2008-07-20 12:44:01: INFO: 127.0.0.1[500] used for NAT-T
 2008-07-20 12:44:01: INFO: 192.168.10.145[500] used as isakmp port (fd=7)
 2008-07-20 12:44:01: INFO: 192.168.10.145[500] used for NAT-T
 2008-07-20 12:44:01: INFO: 192.168.11.145[500] used as isakmp port (fd=8)
 2008-07-20 12:44:01: INFO: 192.168.11.145[500] used for NAT-T
 2008-07-20 12:44:01: INFO: ::1[500] used as isakmp port (fd=9)
 2008-07-20 12:44:01: INFO: fe80::216:3eff:fe6a:d4e%eth0[500] used as isakmp port (fd=10)
 2008-07-20 12:44:01: INFO: fe80::c499:d5ff:fe29:e6b2%dummy0[500] used as isakmp port (fd=11)
 2008-07-20 12:44:12: INFO: respond new phase 1 negotiation: 192.168.10.145[500]<=>192.168.10.144[500]
 2008-07-20 12:44:12: INFO: begin Identity Protection mode.
 2008-07-20 12:44:12: INFO: received Vendor ID: DPD
 2008-07-20 12:44:12: INFO: ISAKMP-SA established 192.168.10.145[500]-192.168.10.144[500]   spi:cdd44e43a7303585:63ef33d8d8446163
 2008-07-20 12:44:13: INFO: respond new phase 2 negotiation: 192.168.10.145[500]<=>192.168.10.144[500]
 2008-07-20 12:44:13: INFO: IPsec-SA established: AH/Transport 192.168.10.144[0]->192.168.10.145[0] spi=8119090(0x7be332)
 2008-07-20 12:44:13: INFO: IPsec-SA established: ESP/Transport 192.168.10.144[0]->192.168.10.145[0] spi=117850401(0x7064121)
 2008-07-20 12:44:13: INFO: IPsec-SA established: AH/Transport 192.168.10.145[500]->192.168.10.144[500] spi=155051761(0x93de6f1)
 2008-07-20 12:44:13: INFO: IPsec-SA established: ESP/Transport 192.168.10.145[500]->192.168.10.144[500] spi=31436875(0x1dfb04b)

Using OpenBSD isakmpd and Debian Racoon in transport mode with certificates

First, certificates must be generated for both participants; we do this on OpenBSD

  • Creating the CA certificate
 # mkdir /root/ipsec-certs
 # cd /root/ipsec-certs
 # openssl req -x509 -days 365 -newkey rsa:1024 -keyout ca.key -out ca.crt
  • Creating the certificate for the 192.168.10.144 (Debian) computer
 # openssl genrsa -out 192.168.10.144.key 1024
 # openssl req -new -key 192.168.10.144.key -out 192.168.10.144.csr
 # env CERTIP=192.168.10.144 openssl x509 -req -days 365 -in 192.168.10.144.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
  -extensions x509v3_IPAddr -out 192.168.10.144.crt
  • Creating the certificate for the 192.168.10.241 (OpenBSD) computer
 # openssl genrsa -out 192.168.10.241.key 1024
 # openssl req -new -key 192.168.10.241.key -out 192.168.10.241.csr
 # env CERTIP=192.168.10.241 openssl x509 -req -days 365 -in 192.168.10.241.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf \
  -extensions x509v3_IPAddr -out 192.168.10.241.crt
  • Copy the required certificates into place on the OpenBSD computer
 # cp ca.crt /etc/isakmpd/ca
 # cp 192.168.10.241.crt 192.168.10.144.crt /etc/isakmpd/certs
 # cp 192.168.10.241.key /etc/isakmpd/private/local.key
 # chmod 0600 /etc/isakmpd/private/local.key
  • Copy the required certificates into place on the Debian computer
 # scp 192.168.10.241.crt 192.168.10.144.crt ca.crt 192.168.10.144.key root@192.168.10.144:/etc/racoon/certs
  • Add to the OpenBSD /etc/ipsec.conf file
 ike esp transport from 192.168.10.241 to 192.168.10.144 \
 main auth hmac-sha1 enc blowfish group modp1024 \
 quick auth hmac-sha2-256 enc blowfish group modp1024
  • The Debian /etc/ipsec-tools.conf file must be executable and contain
 #!/usr/sbin/setkey -f
 flush;
 spdflush;
 
 spdadd 192.168.10.144 192.168.10.241 any -P out ipsec
       esp/transport//require;
 
 spdadd 192.168.10.241 192.168.10.144 any -P in ipsec
       esp/transport//require;
  • The Debian /etc/racoon/racoon.conf must contain
 path certificate "/etc/racoon/certs";
 
 # "padding" defines some padding parameters.
 # You should not touch these.
 padding
 {
       maximum_length 20;      # maximum padding length.
       randomize off;          # enable randomize length.
       strict_check off;       # enable strict check.
       exclusive_tail off;     # extract last one octet.
 }
 
 listen
 {
       isakmp 192.168.10.144;
 }
 
 remote anonymous
 {
       exchange_mode main;
       doi ipsec_doi;
       situation identity_only;
 
       my_identifier asn1dn;
       certificate_type x509 "192.168.10.144.crt" "192.168.10.144.key";
       peers_certfile x509 "192.168.10.241.crt";
 
       nonce_size 16;
       initial_contact on;
       proposal_check obey;
 
       proposal {
               encryption_algorithm blowfish;
               hash_algorithm sha1;
               authentication_method rsasig;
               dh_group modp1024;
       }
 }
 
 sainfo anonymous
 {
       pfs_group modp1024;
       encryption_algorithm blowfish;
       authentication_algorithm hmac_sha256;
       compression_algorithm deflate;
 }
  • To enable IPsec on the OpenBSD side, run
 # isakmpd -Kdv
 194552.887107 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
 194552.887646 Default message_negotiate_sa: no compatible proposal found
 194552.887974 Default dropped message from 10.0.10.250 port 500 due to notification type NO_PROPOSAL_CHOSEN
 194610.737219 Default isakmpd: phase 1 done: initiator id c0a80af1: 192.168.10.241, responder id \
   /C=EE/ST=Tartu/L=Tartu/CN=sid1.auul, src:   192.168.10.241 dst: 192.168.10.144
 194610.806354 Default isakmpd: quick mode done: src: 192.168.10.241 dst: 192.168.10.144

and

 # ipsecctl -f /etc/ipsec.conf
  • To enable IPsec on the Debian side, run
 # setkey -F && setkey -FP
 # /etc/ipsec-tools.conf
 # racoon -Fv
 Foreground mode.
 2008-07-20 15:52:14: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
 2008-07-20 15:52:14: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
 2008-07-20 15:52:14: INFO: Reading configuration from "/etc/racoon/racoon.conf"
 2008-07-20 15:52:14: INFO: Resize address pool from 0 to 255
 2008-07-20 15:52:14: INFO: 192.168.10.144[500] used as isakmp port (fd=6)
 2008-07-20 15:52:14: INFO: 192.168.10.144[500] used for NAT-T
 2008-07-20 15:52:16: INFO: respond new phase 1 negotiation: 192.168.10.144[500]<=>192.168.10.241[500]
 2008-07-20 15:52:16: INFO: begin Identity Protection mode.
 2008-07-20 15:52:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
 2008-07-20 15:52:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
 2008-07-20 15:52:16: INFO: received Vendor ID: RFC 3947
 2008-07-20 15:52:16: INFO: received Vendor ID: DPD
 2008-07-20 15:52:16: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
 2008-07-20 15:52:16: INFO: ISAKMP-SA established 192.168.10.144[500]-192.168.10.241[500] spi:078680685f34034b:3537ef1b297d0a21
 2008-07-20 15:52:16: INFO: respond new phase 2 negotiation: 192.168.10.144[500]<=>192.168.10.241[500]
 2008-07-20 15:52:16: INFO: IPsec-SA established: ESP/Transport 192.168.10.241[0]->192.168.10.144[0] spi=153552890(0x92707fa)
 2008-07-20 15:52:16: INFO: IPsec-SA established: ESP/Transport 192.168.10.144[500]->192.168.10.241[500] spi=3129349703(0xba861647)

Using OpenBSD isakmpd and Debian Racoon in tunnel mode with certificates

Creating and using the certificates is the same as in the previous section; only two files change.

On the OpenBSD side the content of /etc/ipsec.conf is

 ike esp tunnel from 192.168.51.0/24 to 192.168.40.0/24 peer 192.168.50.144 \
 main auth hmac-sha1 enc blowfish group modp1024 \
 quick auth hmac-sha2-256 enc blowfish group modp1024

On the Debian side the content of /etc/ipsec-tools.conf is

 #!/usr/sbin/setkey -f
 
 flush;
 spdflush;
 
 spdadd 192.168.40.0/24 192.168.51.0/24 any -P in ipsec
       esp/tunnel/10.0.10.251-192.168.50.144/require;
 
 spdadd 192.168.51.0/24 192.168.40.0/24 any -P out ipsec
       esp/tunnel/192.168.50.144-10.0.10.251/require;

IPsec across a NAT gateway, two Debian hosts, with pre-shared keys

IPsec from a computer behind NAT is only possible in tunnel mode.

             ------|----------------------|-------- 
                   |                      |  
     10.0.10.250  _|_                    _|_  10.0.10.251
         Ruuter1 |   |                  |   | Ruuter2
                 |___| NAT              |___|
  192.168.50.250   |                      |   192.168.40.251
                   |                      |
                   |                      |
                   |                      |
  192.168.50.144  _|_                    _|_  192.168.40.145
            VPN1 |   |                  |   | VPN2
  192.168.51.254 |___|                  |___| 192.168.41.254
                   |                      |
                   |                      |
                  _|_                    _|_
         kalake  |   |                  |   | tuvike
  192.168.51.144 |___|                  |___| 192.168.41.145

For kalake to be able to connect to tuvike over IPsec, the VPN1 computer must have three files with the following content

  • /etc/racoon/psk.txt
 10.0.10.250 saladus
  • /etc/ipsec-tools.conf
 #!/usr/sbin/setkey -f
 flush;
 spdflush;
 
 spdadd 192.168.41.0/24 192.168.51.0/24 any -P in ipsec 
       esp/tunnel/192.168.40.145-192.168.50.144/require;
 
 spdadd 192.168.51.0/24 192.168.41.0/24 any -P out ipsec 
       esp/tunnel/192.168.50.144-192.168.40.145/require;
  • /etc/racoon/racoon.conf
 path pre_shared_key "/etc/racoon/psk.txt";
 
 timer
 {
        natt_keepalive 10 sec;
 }
 
 listen 
 {
         isakmp 192.168.50.144 [500];
         isakmp_natt 192.168.50.144 [4500];
 }
   
 remote 192.168.40.145 {
      exchange_mode main;
      peers_identifier address;
      nat_traversal on;
 
      proposal {
              encryption_algorithm 3des;
              hash_algorithm sha1;
              authentication_method pre_shared_key;
              dh_group modp1024;
      }
 }
 
 sainfo address 192.168.51.0/24[any] any address 192.168.41.0/24[any] any {
      pfs_group modp1024;
      encryption_algorithm aes,3des;
      authentication_algorithm hmac_sha1,hmac_md5;
      compression_algorithm deflate;
  }

and the VPN2 computer the files

  • /etc/racoon/psk.txt
 10.0.10.250 saladus
  • /etc/ipsec-tools.conf
 #!/usr/sbin/setkey -f
 flush;
 spdflush;
 
 spdadd 192.168.51.0/24 192.168.41.0/24 any -P in ipsec
       esp/tunnel/10.0.10.250-192.168.40.145/require;
 
 spdadd 192.168.41.0/24 192.168.51.0/24 any -P out ipsec
       esp/tunnel/192.168.40.145-10.0.10.250/require;
  • /etc/racoon/racoon.conf
 path pre_shared_key "/etc/racoon/psk.txt";
 
 timer
 { 
       natt_keepalive 10 sec;
 }
 
 listen
 {
      isakmp 192.168.40.145 [500];
      isakmp_natt 192.168.40.145 [4500];
 }
 
 remote 10.0.10.250 {
     exchange_mode main;
     peers_identifier address;
     nat_traversal force;
     proposal {
              encryption_algorithm 3des;
              hash_algorithm sha1;
              authentication_method pre_shared_key;
              dh_group modp1024;
      }
 } 
 
 sainfo address 192.168.41.0/24[any] any address 192.168.51.0/24[any] any {
      pfs_group modp1024;
      encryption_algorithm aes,3des;
      authentication_algorithm hmac_sha1,hmac_md5;
      compression_algorithm deflate;
 }

To start, run on the VPN1 computer

 vpn1# /etc/ipsec-tools.conf
 vpn1# racoon -Fv
 Foreground mode.
 2008-07-21 20:17:42: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
 2008-07-21 20:17:42: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
 2008-07-21 20:17:42: INFO: Reading configuration from "/etc/racoon/racoon.conf"
 2008-07-21 20:17:42: INFO: Resize address pool from 0 to 255
 2008-07-21 20:17:42: INFO: 192.168.50.144[4500] used as isakmp port (fd=6)
 2008-07-21 20:17:42: INFO: 192.168.50.144[4500] used for NAT-T
 2008-07-21 20:17:42: INFO: 192.168.50.144[500] used as isakmp port (fd=7)
 2008-07-21 20:17:42: INFO: 192.168.50.144[500] used for NAT-T
 2008-07-21 20:17:52: INFO: IPsec-SA request for 192.168.40.145 queued due to no phase1 found.
 2008-07-21 20:17:52: INFO: initiate new phase 1 negotiation: 192.168.50.144[500]<=>192.168.40.145[500]
 2008-07-21 20:17:52: INFO: begin Identity Protection mode.
 2008-07-21 20:17:52: INFO: received Vendor ID: RFC 3947
 2008-07-21 20:17:52: INFO: received Vendor ID: DPD
 2008-07-21 20:17:52: INFO: Selected NAT-T version: RFC 3947
 2008-07-21 20:17:52: INFO: Hashing 192.168.40.145[500] with algo #2 
 2008-07-21 20:17:52: INFO: Hashing 192.168.50.144[500] with algo #2 
 2008-07-21 20:17:52: INFO: Adding remote and local NAT-D payloads.
 2008-07-21 20:17:52: INFO: Hashing 192.168.50.144[500] with algo #2 
 2008-07-21 20:17:52: INFO: NAT-D payload #0 doesn't match
 2008-07-21 20:17:52: INFO: Hashing 192.168.40.145[500] with algo #2 
 2008-07-21 20:17:52: INFO: NAT-D payload #1 doesn't match
 2008-07-21 20:17:52: INFO: NAT detected: ME PEER
 2008-07-21 20:17:52: INFO: KA list add: 192.168.50.144[4500]->192.168.40.145[4500]
 2008-07-21 20:17:52: INFO: ISAKMP-SA established 192.168.50.144[4500]-192.168.40.145[4500] spi:02394245f17370b6:6b9410cb66b2bae5
 2008-07-21 20:17:53: INFO: initiate new phase 2 negotiation: 192.168.50.144[4500]<=>192.168.40.145[4500]
 2008-07-21 20:17:53: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
 2008-07-21 20:17:53: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
 2008-07-21 20:17:53: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
 2008-07-21 20:17:53: INFO: IPsec-SA established: ESP/Tunnel 192.168.40.145[0]->192.168.50.144[0] spi=47764357(0x2d8d385)
 2008-07-21 20:17:53: INFO: IPsec-SA established: ESP/Tunnel 192.168.50.144[4500]->192.168.40.145[4500] spi=134315151(0x8017c8f)

and likewise on the VPN2 computer

 vpn2# /etc/ipsec-tools.conf
 vpn2# racoon -Fv
 Foreground mode.
 2008-07-21 20:17:46: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
 2008-07-21 20:17:46: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
 2008-07-21 20:17:46: INFO: Reading configuration from "/etc/racoon/racoon.conf"
 2008-07-21 20:17:46: INFO: Resize address pool from 0 to 255
 2008-07-21 20:17:46: INFO: 192.168.40.145[4500] used as isakmp port (fd=6)
 2008-07-21 20:17:46: INFO: 192.168.40.145[4500] used for NAT-T
 2008-07-21 20:17:46: INFO: 192.168.40.145[500] used as isakmp port (fd=7)
 2008-07-21 20:17:46: INFO: 192.168.40.145[500] used for NAT-T
 2008-07-21 20:17:52: INFO: respond new phase 1 negotiation: 192.168.40.145[500]<=>10.0.10.250[52723]
 2008-07-21 20:17:52: INFO: begin Identity Protection mode.
 2008-07-21 20:17:52: INFO: received Vendor ID: RFC 3947
 2008-07-21 20:17:52: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
 2008-07-21 20:17:52: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
 2008-07-21 20:17:52: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
 2008-07-21 20:17:52: INFO: received Vendor ID: DPD
 2008-07-21 20:17:52: INFO: Selected NAT-T version: RFC 3947
 2008-07-21 20:17:52: INFO: NAT-D payload #0 doesn't match
 2008-07-21 20:17:52: INFO: NAT-D payload #1 doesn't match
 2008-07-21 20:17:52: INFO: NAT detected: ME PEER
 2008-07-21 20:17:52: INFO: Hashing 10.0.10.250[52723] with algo #2 (NAT-T forced)
 2008-07-21 20:17:52: INFO: Hashing 192.168.40.145[500] with algo #2 (NAT-T forced)
 2008-07-21 20:17:52: INFO: Adding remote and local NAT-D payloads.
 2008-07-21 20:17:52: INFO: NAT-T: ports changed to: 10.0.10.250[64752]<->192.168.40.145[4500]
 2008-07-21 20:17:52: INFO: KA list add: 192.168.40.145[4500]->10.0.10.250[64752]
 2008-07-21 20:17:52: INFO: ISAKMP-SA established 192.168.40.145[4500]-10.0.10.250[64752] spi:02394245f17370b6:6b9410cb66b2bae5
 2008-07-21 20:17:53: INFO: respond new phase 2 negotiation: 192.168.40.145[4500]<=>10.0.10.250[64752]
 2008-07-21 20:17:53: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
 2008-07-21 20:17:53: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
 2008-07-21 20:17:53: INFO: IPsec-SA established: ESP/Tunnel 10.0.10.250[64752]->192.168.40.145[4500] spi=134315151(0x8017c8f)
 2008-07-21 20:17:53: INFO: IPsec-SA established: ESP/Tunnel 192.168.40.145[4500]->10.0.10.250[64752] spi=47764357(0x2d8d385)

Incidentally, when the traffic is sniffed on the router, on its external side, it looks like this

 ruuter1# tcpdump -ntti rl0
 tcpdump: listening on rl0, link-type EN10MB
 1216674942.146178 0800 60: 192.168.40.145.4500 > 10.0.10.250.64752:NAT-T Keepalive (DF)
 1216674942.507406 0800 174: 10.0.10.250.64752 > 192.168.40.145.4500:udpencap: esp 10.0.10.250 > 192.168.40.145 spi 0x08017C8F seq 4 len 132 (DF)
 1216674942.511139 0800 174: 192.168.40.145.4500 > 10.0.10.250.64752:udpencap: esp 192.168.40.145 > 10.0.10.250 spi 0x02D8D385 seq 4 len 132
 1216674943.507159 0800 174: 10.0.10.250.64752 > 192.168.40.145.4500:udpencap: esp 10.0.10.250 > 192.168.40.145 spi 0x08017C8F seq 5 len 132 (DF)
 1216674943.507948 0800 174: 192.168.40.145.4500 > 10.0.10.250.64752:udpencap: esp 192.168.40.145 > 10.0.10.250 spi 0x02D8D385 seq 5 len 132
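Both captures on this page (the ping test in the transport-mode section and the router capture above) are read by eye. As an added example that is not from the original page, the following shell script does the same check mechanically: it counts packets between two peers that are neither AH/ESP nor IKE/NAT-T, which is what a policy gap or an unloaded SPD looks like on the wire. The sample capture lines embedded in it are constructed in the tcpdump formats shown on this page, and audit_live is a hypothetical wrapper for a live interface.

```shell
#!/bin/sh
# Added example (not from the original page): audit a tcpdump capture between two
# IPsec peers and count packets that are neither AH/ESP nor IKE/NAT-T (udp 500/4500).
# Any such packet left the host in the clear, i.e. the policy does not cover it or
# was not loaded. Recognises the Linux tcpdump format used on this page ("AH(",
# "ESP(", "isakmp") and OpenBSD's ("udpencap", "NAT-T Keepalive").

# count_unprotected H1 H2 < capture: number of lines that mention both addresses
# but carry none of the IPsec/IKE markers. Addresses are matched as substrings,
# so pass full addresses, not prefixes.
count_unprotected() {
    awk -v h1="$1" -v h2="$2" '
        index($0, h1) && index($0, h2) {
            if ($0 ~ /AH\(|ESP\(|udpencap|NAT-T|isakmp/) next
            n++
        }
        END { print n + 0 }'
}

# check_capture H1 H2 < capture: exit 0 when the capture is clean, 1 otherwise.
check_capture() {
    leaks=$(count_unprotected "$1" "$2")
    if [ "$leaks" -eq 0 ]; then
        echo "ok: no cleartext packets between $1 and $2"
    else
        echo "WARNING: $leaks cleartext packet(s) between $1 and $2"
        return 1
    fi
}

# audit_live IFACE H1 H2 SECONDS: capture for a while, then audit (root + tcpdump).
# Hypothetical wrapper; -l keeps tcpdump line-buffered so the pipe sees every line.
audit_live() {
    timeout "$4" tcpdump -l -nn -i "$1" host "$2" and host "$3" 2>/dev/null \
        | check_capture "$2" "$3"
}

# Constructed sample: two protected pings (as on this page), one ISAKMP packet,
# two echo packets that went out without IPsec, unrelated SSH traffic, and two
# NAT-T packets in OpenBSD's format.
sample_capture() {
    cat <<'EOF'
IP 192.168.10.144 > 192.168.10.145: AH(spi=0x0001e240,seq=0x1e): ESP(spi=0x00010001,seq=0x1e), length 88
IP 192.168.10.145 > 192.168.10.144: AH(spi=0x0001e241,seq=0x1e): ESP(spi=0x00010002,seq=0x1e), length 88
IP 192.168.10.144.500 > 192.168.10.145.500: isakmp: phase 1 I ident
IP 192.168.10.144 > 192.168.10.145: ICMP echo request, id 1, seq 1, length 64
IP 192.168.10.145 > 192.168.10.144: ICMP echo reply, id 1, seq 1, length 64
IP 192.168.10.144.22 > 192.168.10.200.51234: Flags [P.], length 52
192.168.40.145.4500 > 10.0.10.250.64752:NAT-T Keepalive (DF)
10.0.10.250.64752 > 192.168.40.145.4500:udpencap: esp 10.0.10.250 > 192.168.40.145 spi 0x08017C8F seq 4 len 132 (DF)
EOF
}
```

On the constructed sample the transport-mode pair shows two cleartext packets (the unprotected echo request and reply), while the NAT-T pair is clean.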

IPsec: Debian connects to OpenBSD across a NAT gateway

The Debian side must be configured for NAT traversal as described above; OpenBSD isakmpd detects that the communication passes through NAT automatically, and the data exchange works.

Useful further reading