使用libreswan搭建ipsec点对点隧道 实现两idc内网网段互通
·
使用libreswan搭建ipsec点对点隧道 实现两idc内网网段互通
文章目录
一、libreswan 简介
LibreSwan是IPsec协议的开源实现,它基于FreeSwan项目,可以在RedHat的Linux发行版上使用该软件包。关于LibreSwan的IPsec协议的两个部分的简要信息如下所述。
基于IPsec的***由Internet密钥交换协议和封装安全有效载荷 (ESP)协议组成。
- > IKE
正如名称所示,IKE协议的目的是认证(使用***的预共享密钥,公开密钥加密,自由连接)对等体来动态生成密钥并与***对等体共享密钥。 IPsec第二阶段的加密密钥也取决于IKE。 Libreswan使用项目的pluto程序实现IKE协议。
- > ESP
ESP协议是在Linux内核(NETEY / XFRM)IPsec中实现的对等体约定策略的实际规范。
Libreswan功能
- 支持基于预共享密钥的认证。
- 支持基于公钥的认证。
- 支持IKE v1 / v2版本的密钥交换。
- 支持NSS加密库。
- 还支持Xauth和DNSSec。
本文我们将使用 libreswan 搭建 点对点的ipsec网络,实现两idc内网互通。
二、 环境介绍
环境:
idc-重庆区域:
- 内网网段: 172.16.30.0/24
- 公网ip: 192.191.91.71 (公网ip修改)
- 内网ip: 172.16.30.15
- 主机版本: centos7
idc-香港区域:
- 内网网段: 172.19.0.0/24
- 公网ip: 192.226.50.61(公网ip修改)
- 内网ip: 172.19.0.13
- 主机版本: centos7
架构图:
三、软件安装:
3.1 libreswan下载
centos 系统yum仓库中提供了libreswan的包,但为了安全起见,我们采用最新版本的rpm进行安装
# wget https://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-3.31-1.el7_7.x86_64.rpm
3.2 libreswan 安装
yum localinstall -y libreswan-3.31-1.el7_7.x86_64.rpm
[root@VM_0_13_centos ipsec.d]# yum info libreswan
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Installed Packages
Name : libreswan
Arch : x86_64
Version : 3.31
Release : 1.el7_7
Size : 4.4 M
Repo : installed
From repo : /libreswan-3.31-1.el7_7.x86_64
Summary : Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
URL : https://libreswan.org/
License : GPLv2
Description : Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is
: the Internet Protocol Security and uses strong cryptography to provide
: both authentication and encryption services. These services allow you
: to build secure tunnels through untrusted networks. Everything passing
: through the untrusted net is encrypted by the ipsec gateway machine and
: decrypted by the gateway at the other end of the tunnel. The resulting
: tunnel is a virtual private network or ***.
:
: This package contains the daemons and userland tools for setting up
: Libreswan.
:
: Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
:
: Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
[root@VM_0_13_centos ipsec.d]# rpm -ql libreswan|grep -E -v "share|libe"
/etc/ipsec.conf # 主配文件
/etc/ipsec.d # 配置文件子目录
/etc/ipsec.d/policies # 策略目录
/etc/ipsec.d/policies/block
/etc/ipsec.d/policies/clear
/etc/ipsec.d/policies/clear-or-private
/etc/ipsec.d/policies/portexcludes.conf
/etc/ipsec.d/policies/private
/etc/ipsec.d/policies/private-or-clear
/etc/ipsec.secrets # 秘钥配置文件
/etc/pam.d/pluto # 协议认证模块
/etc/prelink.conf.d
/etc/prelink.conf.d/libreswan-fips.conf
/etc/sysctl.d/50-libreswan.conf # 内置系统内核文件
/run/pluto
/usr/lib/systemd/system/ipsec.service # 服务systemd启动脚本文件
/usr/lib/tmpfiles.d/libreswan.conf
/usr/lib64/fipscheck/pluto.hmac
/usr/sbin/ipsec # ipsec 二进制文件
/var/log/pluto
/var/log/pluto/peer
四、 配置内核参数
在libereswan软件安装中,内置了一下需要修改的内核参数[ /etc/sysctl.d/50-libreswan.conf ]。但这些还不够,ipsec是一个路由协议,需要开启路由转发
echo "## 开启路由转发功能" >> /etc/sysctl.conf
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
关闭源路由验证
echo "## 关闭源路由验证(跟进网卡名称添加如:ens33..)" >> /etc/sysctl.d/50-libreswan.conf
echo "net.ipv4.conf.all.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf
echo "net.ipv4.conf.default.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf
echo "net.ipv4.conf.eth0.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf
关闭icmp重定向
echo "## 关闭icmp重定向"
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}' >> /etc/sysctl.d/50-libreswan.conf
加载生效内核参数
- sysctl -p
# cat /etc/sysctl.d/50-lireswan.conf
# when using 1 interface for two networks when using NETKEY, the kernel
# thinks it can be clever by sending a redirect (cause it cannot tell
# an encrypted packet came in, but a decrypted packet came out),
# so it sends a bogus ICMP redirect
#
# We disable redirects for XFRM/IPsec
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
# sysctl -p
五、启动服务,验证内核配置是否正常
- systemctl start ipsec
[root@VM_0_13_centos ~]# systemctl start ipsec
[root@VM_0_13_centos ~]# systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2020-03-24 09:36:27 CST; 51min ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Process: 2052 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
Process: 2050 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
Process: 2048 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
Process: 2044 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
Process: 2326 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
Process: 2324 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
Process: 2060 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 2059 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
Main PID: 2338 (pluto)
Status: "Startup completed."
CGroup: /system.slice/ipsec.service
└─2338 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
Mar 24 09:36:26 VM_0_13_centos systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Mar 24 09:36:26 VM_0_13_centos systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Mar 24 09:36:27 VM_0_13_centos ipsec[2326]: nflog ipsec capture disabled
Mar 24 09:36:27 VM_0_13_centos systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
- ipsec verify
[root@VM_0_13_centos ~]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.31 (netkey) on 3.10.0-1062.9.1.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
要确保所有检查都为OK,部分内核参数修改 sysctl -p也不能立即生效的,可以手动配置,或重启系统。
六、 防火墙策略开发udp500 和 udp4500端口
针对 Internet Key Exchange (IKE) 协议的 UDP 端口 500
针对 IKE NAT-Traversal的 UDP 端口 4500
针对 Encapsulated Security Payload (ESP) IPsec 数据包的端口 50
针对 Authenticated Header (AH) IPsec 数据包(非常见)的端口 51
[root@VM_0_13_centos ~]# netstat -unlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 127.0.0.1:4500 0.0.0.0:* 2338/pluto
udp 0 0 172.19.0.13:4500 0.0.0.0:* 2338/pluto
udp 0 0 127.0.0.1:500 0.0.0.0:* 2338/pluto
udp 0 0 172.19.0.13:500 0.0.0.0:* 2338/pluto
udp6 0 0 ::1:500 :::* 2338/pluto
6.1 保障防火墙关闭或者开通udp500 和udp4500 策略
[root@VM_0_13_centos ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
6.2 云主机环境,请在安全组中添加相关ip的 4500 和 500策略
6.3 nmap 验证端口连通性
[root@VM_0_15_centos ~]# nmap -sU 192.226.50.61 -p 500,4500 -Pn
Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-24 10:34 CST
Nmap scan report for 192.226.50.61
Host is up.
PORT STATE SERVICE
500/udp open|filtered isakmp
4500/udp open|filtered nat-t-ike
Nmap done: 1 IP address (1 host up) scanned in 9.83 seconds
[root@VM_0_13_centos ~]# nmap -sU 192.226.50.61 -p 500,4500 -Pn
Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-24 10:35 CST
Nmap scan report for 192.226.50.61
Host is up.
PORT STATE SERVICE
500/udp open|filtered isakmp
4500/udp open|filtered nat-t-ike
Nmap done: 1 IP address (1 host up) scanned in 3.26 seconds
七、 配置预共享秘钥
ipsec ike支持 预共享秘钥,证书,x.509 等方式验证,在这里我们使用预共享秘钥
authby=secret
查看 secret 主配文件/etc/ipsec.secrets,创建秘钥
[root@VM_0_13_centos ~]# cat /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
[root@VM_0_13_centos ~]# vim /etc/ipsec.d/test-vm.secrets
## 源ip 目的ip : PSK "key" (0.0.0.0 所有ip)
0.0.0.0 0.0.0.0 : PSK "1234567890"
测试阶段为了方便我们使用 1234567890 作为所有连接的秘钥
八、 配置 ipsec 连接
8.1 主配置:
[root@VM_0_13_centos ~]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/
config setup
# Normally, pluto logs via syslog.
logfile=/var/log/pluto.log
#
# Do not enable debug options to debug configuration issues!
#
# plutodebug="control parsing"
# plutodebug="all crypt"
plutodebug=none
#
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least up to 2015)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf
主配置告诉我们自配置文件的在 /etc/ipsec.d/*.conf 和内网bgp传送信息,为了方便起见我们开启日志,调试。
8.2 创建连接配置:
vim /etc/ipsec.d/test-vm.conf
conn test-vm-test
### phase 1 ###
# 指定认证类型预共享秘钥
authby=secret
# 指定ike算法为3des-sha1
ike=3des-sha1
# 指定ike
keyexchange=ike
### phase 2 ###
phase2=esp
phase2alg=3des-sha1
# 指定是否压缩
compress=no
# 指定是否加密
pfs=yes
# 指定连接添加类型。start 为开机自启,add为添加 不主动连接
auto=start
# 指定模式类型为隧道模式|传输模式
type=tunnel
left=172.30.0.15
leftsubnet=172.30.0.0/24
leftid=192.191.91.71
leftnexthop=%defaultroute
right=192.226.50.61
rightsubnet=172.19.0.0/24
rightid=192.226.50.61
rightnexthop=%defaultroute
Libreswan 不使用术语 “source”(来源) 或 “destination”(目的)。相反,它用术语 “left”(左边) 和 “right”(右边) 来代指终端(主机)。虽然大多数管理员用 “left” 表示本地主机,“right” 表示远程主机,但是这样可以再大多数情况下在两个终端上使用相同的配置。
由于我们的服务器使用的是vpc网络,采用静态nat的形式,在配置left 和right 时,本端的ip需要使用内网ip,或 %defaultroute。left 和 right 是两端的ip地址,而leftid 和 rightid 为代号id。
[root@VM_0_15_centos ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:47:0b:03 brd ff:ff:ff:ff:ff:ff
inet 172.30.0.15/20 brd 172.30.15.255 scope global eth0
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
link/ipip 0.0.0.0 brd 0.0.0.0
跟进实际情况,写对端配置
vim /etc/ipsec.d/test-vm.conf
conn test-vm-test
# 指定认证类型预共享秘钥
authby=secret
# 指定ike算法为3des-sha1
ike=3des-sha1
# 指定ike
keyexchange=ike
### phase 2 ###
phase2=esp
phase2alg=3des-sha1
# 指定是否压缩
compress=no
# 指定是否加密
pfs=yes
# 指定连接添加类型。start 为开机自启,add为添加 不主动连接
auto=start
# 指定模式类型为隧道模式|传输模式
type=tunnel
left=192.191.91.71
leftsubnet=172.30.0.0/24
leftid=192.191.91.71
leftnexthop=%defaultroute
right=172.19.0.13
rightsubnet=172.19.0.0/24
rightid=192.226.50.61
rightnexthop=%defaultroute
九、 重启两端服务,建立ipsec隧道
# 两端都需要重启服务,查看日志
[root@VM_0_15_centos ~]# systemctl restart ipsec && tailf /var/log/pluto.log
Mar 24 11:13:31.653094: RFC 2104: MD5_HMAC test 2
Mar 24 11:13:31.653253: RFC 2104: MD5_HMAC test 3
Mar 24 11:13:31.653454: 1 CPU cores online
Mar 24 11:13:31.653463: starting up 1 crypto helpers
Mar 24 11:13:31.653508: started thread for crypto helper 0
Mar 24 11:13:31.653523: Using Linux XFRM/NETKEY IPsec kernel support code on 3.10.0-514.21.1.el7.x86_64
Mar 24 11:13:31.653842: selinux support is NOT enabled.
Mar 24 11:13:31.653857: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Mar 24 11:13:31.653861: watchdog: sending probes every 100 secs
Mar 24 11:13:31.658117: added connection description "test-vm-test"
Mar 24 11:13:31.663092: listening for IKE messages
Mar 24 11:13:31.663151: Kernel does not support NIC esp-hw-offload (ETHTOOL_GSSET_INFO failed)
Mar 24 11:13:31.663164: adding interface tun0/tun0 (esp-hw-offload not supported by kernel) 10.8.0.1:500
Mar 24 11:13:31.663179: adding interface tun0/tun0 10.8.0.1:4500
Mar 24 11:13:31.663193: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 172.30.0.15:500
Mar 24 11:13:31.663206: adding interface eth0/eth0 172.30.0.15:4500
Mar 24 11:13:31.663220: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
Mar 24 11:13:31.663233: adding interface lo/lo 127.0.0.1:4500
Mar 24 11:13:31.664646: loading secrets from "/etc/ipsec.secrets"
Mar 24 11:13:31.664699: loading secrets from "/etc/ipsec.d/test-vm.secrets"
Mar 24 11:13:31.665433: "test-vm-test" #1: initiating IKEv2 IKE SA
Mar 24 11:13:31.665462: "test-vm-test": local IKE proposals (IKE SA initiator selecting KE):
Mar 24 11:13:31.665475: "test-vm-test": 1:IKE=3DES-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Mar 24 11:13:31.666747: "test-vm-test" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Mar 24 11:13:31.698633: "test-vm-test": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals):
Mar 24 11:13:31.698669: "test-vm-test": 1:ESP=3DES-HMAC_SHA1_96-NONE-DISABLED
Mar 24 11:13:31.698718: "test-vm-test" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=3DES_CBC_192 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
Mar 24 11:13:31.752437: "test-vm-test" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.226.50.61'
Mar 24 11:13:31.752554: "test-vm-test" #2: Authenticated using authby=secret
Mar 24 11:13:31.795116: "test-vm-test" #2: negotiated connection [172.30.0.0-172.30.0.255:0-65535 0] -> [172.19.0.0-172.19.0.255:0-65535 0]
Mar 24 11:13:31.795155: "test-vm-test" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0xead78a70 <0x677c8223 xfrm=3DES_CBC-HMAC_SHA1_96 NATOA=none NATD=192.226.50.61:4500 DPD=passive}
IPsec SA established tunnel mode# 看到日志为建立隧道成功
9.1 查看ipsec建立情况
ipsec auto --status
[root@VM_0_15_centos ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.30.0.15:4500
000 interface eth0/eth0 172.30.0.15:500
000 interface tun0/tun0 10.8.0.1:4500
000 interface tun0/tun0 10.8.0.1:500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.31, pluto_vendorid=OE-Libreswan-3.31, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=no, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "test-vm-test": 172.30.0.0/24===172.30.0.15<172.30.0.15>[192.191.91.71]---172.30.0.1...192.226.50.61<192.226.50.61>===172.19.0.0/24; erouted; eroute owner: #2
000 "test-vm-test": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "test-vm-test": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "test-vm-test": our auth:secret, their auth:secret
000 "test-vm-test": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "test-vm-test": policy_label:unset;
000 "test-vm-test": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "test-vm-test": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "test-vm-test": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "test-vm-test": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "test-vm-test": v2-auth-hash-policy: none;
000 "test-vm-test": conn_prio: 24,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "test-vm-test": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "test-vm-test": our idtype: ID_IPV4_ADDR; our id=192.191.91.71; their idtype: ID_IPV4_ADDR; their id=192.226.50.61
000 "test-vm-test": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "test-vm-test": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "test-vm-test": IKE algorithms: 3DES_CBC-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
000 "test-vm-test": IKEv2 algorithm newest: 3DES_CBC_192-HMAC_SHA1-MODP2048
000 "test-vm-test": ESP algorithms: 3DES_CBC-HMAC_SHA1_96
000 "test-vm-test": ESP algorithm newest: 3DES_CBC_192-HMAC_SHA1_96; pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(2), half-open(1), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #1: "test-vm-test":4500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REKEY in 2444s; newest ISAKMP; idle;
000 #2: "test-vm-test":4500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REKEY in 27885s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "test-vm-test" esp.ead78a70@192.226.50.61 esp.677c8223@172.30.0.15 tun.0@192.226.50.61 tun.0@172.30.0.15 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #3: "test-vm-test":500 STATE_PARENT_R1 (received v2I1, sent v2R1); EVENT_SO_DISCARD in 37s; idle;
000
000 Bare Shunt list:
000
十、 测试网络连通性
分别在两端ping对端ip
[root@VM_0_15_centos ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:47:0b:03 brd ff:ff:ff:ff:ff:ff
inet 172.30.0.15/20 brd 172.30.15.255 scope global eth0
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
4: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
link/ipip 0.0.0.0 brd 0.0.0.0
[root@VM_0_15_centos ~]# ip route
default via 172.30.0.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
169.254.0.0/16 dev eth0 scope link metric 1002
172.30.0.0/20 dev eth0 proto kernel scope link src 172.30.0.15
[root@VM_0_15_centos ~]# ping 172.19.0.13
PING 172.19.0.13 (172.19.0.13) 56(84) bytes of data.
64 bytes from 172.19.0.13: icmp_seq=1 ttl=64 time=40.2 ms
^C
---
[root@VM_0_13_centos ipsec.d]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:16:68:89 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.13/20 brd 172.19.15.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe16:6889/64 scope link
valid_lft forever preferred_lft forever
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
[root@VM_0_13_centos ipsec.d]# ping 172.30.0.15
PING 172.30.0.15 (172.30.0.15) 56(84) bytes of data.
64 bytes from 172.30.0.15: icmp_seq=1 ttl=64 time=40.1 ms
^C
[root@VM_0_13_centos ipsec.d]# ip route
default via 172.19.0.1 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1002
172.19.0.0/20 dev eth0 proto kernel scope link src 172.19.0.13
我们看到网络已经通了,查看路由表 发现已经新增ipsec相关的路由条目了。
十一、坑:
- 预共享秘钥不一致
- vps nat网络模式下,配置文件本段ip写内网ip,对端写公网
- ike=3des-sha1加密算法,dh24 后,ipsec不连接
十二、 排错
12.1 tcpdump
tcpdump -n -i interface esp and udp port 500 and udp port 4500
00:32:32.632165 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1a), length 132
00:32:32.632592 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1a), length 132
00:32:32.632592 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 7, length 64
00:32:33.632221 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1b), length 132
00:32:33.632731 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1b), length 132
00:32:33.632731 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 8, length 64
00:32:34.632183 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1c), length 132
00:32:34.632607 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1c), length 132
00:32:34.632607 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 9, length 64
00:32:35.632233 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1d), length 132
00:32:35.632685 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1d), length 132
00:32:35.632685 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 10, length 64
12.2 查看日志
# tailf /var/log/pluto.log
Mar 24 11:13:31.665433: "test-vm-test" #1: initiating IKEv2 IKE SA
Mar 24 11:13:31.665462: "test-vm-test": local IKE proposals (IKE SA initiator selecting KE):
Mar 24 11:13:31.665475: "test-vm-test": 1:IKE=3DES-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Mar 24 11:13:31.666747: "test-vm-test" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Mar 24 11:13:31.698633: "test-vm-test": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals):
Mar 24 11:13:31.698669: "test-vm-test": 1:ESP=3DES-HMAC_SHA1_96-NONE-DISABLED
Mar 24 11:13:31.698718: "test-vm-test" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=3DES_CBC_192 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
Mar 24 11:13:31.752437: "test-vm-test" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.226.50.61'
Mar 24 11:13:31.752554: "test-vm-test" #2: Authenticated using authby=secret
Mar 24 11:13:31.795116: "test-vm-test" #2: negotiated connection [172.30.0.0-172.30.0.255:0-65535 0] -> [172.19.0.0-172.19.0.255:0-65535 0]
Mar 24 11:13:31.795155: "test-vm-test" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0xead78a70 <0x677c8223 xfrm=3DES_CBC-HMAC_SHA1_96 NATOA=none NATD=192.226.50.61:4500 DPD=passive}
12.3 查看状态
ipsec auto --status
12.4 手动调试链接
ipsec auto --up 连接名
十三、参考:
https://access.redhat.com/documentation/zh-cn/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks
https://www.linuxprobe.com/centos7-install-l2tp.html
https://www.mtyun.com/library/how-to-configure-ipsec-{***}-on-centos6
旨在为数千万中国开发者提供一个无缝且高效的云端环境,以支持学习、使用和贡献开源项目。
更多推荐
5
0- 0
已为社区贡献1条内容
所有评论(0)