[linux] IPsec ...
Marek Zima
marek.zima at zimas.sk
Sunday, August 6, 22:53:04 CEST 2006
OK ...
I'll try to describe it in more detail ....
LAN 1 (10.1.2.0/24) <---> linux box (1.2.3.4) <----> Inet <-----> (5.6.7.8) ZyXEL <---> (172.16.3.0/24) LAN 2
(I inherited those LAN ranges, I didn't design them ;))
The ZyXEL is configured with defaults, except that I use DH 1 and SHA1 (this will be
clearer from the configs below).
So, the configs on the linux box:
/etc/racoon/psk.txt
5.6.7.8 verryverrysecretpsk
1.2.3.4 verryverrysecretpsk
/etc/racoon/setkey
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 172.16.3.0/24 10.1.2.0/24 any -P in ipsec
esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 10.1.2.0/24 172.16.3.0/24 any -P out ipsec
esp/tunnel/1.2.3.4-5.6.7.8/require;
/etc/racoon/racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
log notify;
padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}
listen
{
    isakmp 1.2.3.4 [500];
}
timer
{
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per send.
    phase1 30 sec;
    phase2 15 sec;
}
remote 5.6.7.8
{
    exchange_mode main;
    my_identifier address 1.2.3.4;
    peers_identifier address 5.6.7.8;
    verify_identifier on;
    nonce_size 16;
    lifetime time 28800 sec;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 1;
    }
}
sainfo address 10.1.2.0/24 any address 172.16.3.0/24 any
{
    pfs_group 1;
    lifetime time 28800 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
-----
OK ... I start it with:
setkey -f /etc/racoon/setkey.conf
racoon -f /etc/racoon/racoon.conf (or with -F)
When I ping from 172.16.3.0/24 to 10.1.2.3 (for example), the packets arrive (I see
them in tcpdump on 10.1.2.3), but nothing goes back ;(
When I ping from 10.1.2.0/24 to 172.16.3.10 (for example), the packets don't arrive
(I don't see them in tcpdump on 172.16.3.10).
SO from the ZyXEL side it works ... from the linux box side it doesn't.
When I look at the logs, racoon reports established, and it is probably right,
because the packets from LAN 2 arrive through the VPN.
I have forwarding enabled, because I can reach the internet from LAN1 ...
To be safe I turned the firewall off ... so INPUT, OUTPUT and FORWARD are ACCEPT,
and NAT PREROUTING, OUTPUT and POSTROUTING are ACCEPT too,
with no rules in them (apart from the masquerade).
I changed the masquerade to:
iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -d ! 172.16.3.0/24 -j SNAT --to-source 1.2.3.4
-----
But it still doesn't work ...
I'll also attach this:
root@dsl:/etc/racoon# setkey -D
1.2.3.4 5.6.7.8
    esp mode=tunnel spi=26900642(0x019a78a2) reqid=0(0x00000000)
    E: 3des-cbc  da7049d1 01a54034 56f42e56 9fd7e9d8 5ff4f185 47f43cc8
    A: hmac-sha1  c919d41f c7980f82 b38e51d9 70c8d827 f45160e0
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Aug 6 17:20:05 2006   current: Aug 6 17:20:11 2006
    diff: 6(s)   hard: 28800(s)   soft: 23040(s)
    last: Aug 6 17:20:06 2006   hard: 0(s)   soft: 0(s)
    current: 800(bytes)   hard: 0(bytes)   soft: 0(bytes)
    allocated: 5   hard: 0   soft: 0
    sadb_seq=1 pid=3534 refcnt=0
5.6.7.8 1.2.3.4
    esp mode=tunnel spi=258926406(0x0f6ee746) reqid=0(0x00000000)
    E: 3des-cbc  c6b58aed cf9814d1 1a6c9f43 1f2fcb26 80210775 b924e0a3
    A: hmac-sha1  e4a21f73 01bd1442 f6a4ee7d 1d1a6714 b353f351
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Aug 6 17:20:05 2006   current: Aug 6 17:20:11 2006
    diff: 6(s)   hard: 28800(s)   soft: 23040(s)
    last: Aug 6 17:20:06 2006   hard: 0(s)   soft: 0(s)
    current: 540(bytes)   hard: 0(bytes)   soft: 0(bytes)
    allocated: 5   hard: 0   soft: 0
    sadb_seq=0 pid=3534 refcnt=0
and
root@dsl:/etc/racoon# setkey -DP
172.16.3.0/24[any] 10.1.2.0/24[any] any
    in prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
    created: Aug 6 17:17:58 2006   lastused: Aug 6 17:20:44 2006
    lifetime: 0(s) validtime: 0(s)
    spid=144 seq=4 pid=3599
    refcnt=2
10.1.2.0/24[any] 172.16.3.0/24[any] any
    out prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
    created: Aug 6 17:17:58 2006   lastused: Aug 6 17:22:19 2006
    lifetime: 0(s) validtime: 0(s)
    spid=137 seq=3 pid=3599
    refcnt=2
172.16.3.0/24[any] 10.1.2.0/24[any] any
    fwd prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
    created: Aug 6 17:17:58 2006   lastused: Aug 6 17:22:19 2006
    lifetime: 0(s) validtime: 0(s)
    spid=154 seq=2 pid=3599
    refcnt=2
(per-socket policy)
    in none
    created: Aug 6 17:19:59 2006   lastused: Aug 6 17:22:04 2006
    lifetime: 0(s) validtime: 0(s)
    spid=163 seq=1 pid=3599
    refcnt=1
(per-socket policy)
    out none
    created: Aug 6 17:19:59 2006   lastused: Aug 6 17:22:03 2006
    lifetime: 0(s) validtime: 0(s)
    spid=172 seq=0 pid=3599
    refcnt=1
====================
Right now I'm confused ...
Are setkey and racoon (and removing the masquerade) enough?
Isn't it necessary to create some tunnel or device as well (ipsec0, as in
FreeSWAN)?
What routes the packets in the right direction?
(I've tried all sorts of things, but nothing helped ;( )
Hopefully someone already sees the mistake :) and I'll be glad if they tell me ;)
Thanks.
Marek
On Sunday, 6 August 2006 17:44, riki wrote:
> you have to exempt it from the masquerade, but since you don't say anything
> more about your configuration I can't tell you whether it will work; and if
> this didn't occur to you, you have surely forgotten something else too :).
>
> Marek Zima wrote:
> > Wait,
> >
> > since on linux I dial PPPoE and have the masquerade on ppp0 (where the
> > external IP is) for the LAN network, ... so this is the mistake?
> > So is it enough to just exclude from the masquerade the packets destined for
> > the LAN on the other side (in my case behind the ZyXEL) .... and it will work?
> >
> > Marek
> >
> > On Sunday, 6 August 2006 14:20, riki wrote:
> >> iptables -t nat -A POSTROUTING -s your_lan/mask -d ! lan_behind_zyxel/mask -j SNAT --to-source linux_external_interface
> >>
> >> it may be that packets routed from the LAN behind the linux box get NATed
> >> to the public address and don't leave via ipsec but go out to the internet,
> >> or they don't match the ipsec policy you defined.
> >>
> >> I assume the zyxel does this automatically.
> >>
> >> Marek Zima wrote:
> >>> What tunnel, and how do I create it ...
> >>>
> >>> What I have managed so far is that racoon works correctly and the VPN is
> >>> established ...
> >>>
> >>> Right now I don't know what comes next ... what tunnel and how to create it ... :(
> >>>
> >>> Marek
> >>>
> >>>> try not NATing the packets that you want to go into the tunnel, and
> >>>> route them in the right direction :)
> >>>>
> >>>> r.
> >>>>
> >>>> Marek Zima wrote:
> >>>>> Hello all ...
> >>>>>
> >>>>> I have set up IPsec (ipsec-tools) on a linux machine and I'm trying to
> >>>>> talk to a ZyXEL device.
> >>>>>
> >>>>> IPsec is running, because when I ping the LAN behind the linux box from
> >>>>> the LAN behind the ZyXEL the packets arrive, but the replies go off
> >>>>> somewhere into the Internet.
> >>>>>
> >>>>> Can you tell me what else I need to do on linux so that packets for the
> >>>>> LAN behind the ZyXEL don't go to the internet but straight to the ZyXEL ...?
> >>>>> I tried adding various routes and creating a tunnel ... but evidently
> >>>>> incorrectly ...
> >>>>>
> >>>>> Thanks for any advice ...
> >>>>>
> >>>>> Marek
> >>>>>
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> https://lists.linux.sk/mailman/listinfo/linux
> >>>>> Archive search: http://search.lists.linux.sk
> >>>>> Meta FAQ: http://www.sklug.sk/lists/linux/metafaq.html
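Added example (not code from any of the posts above): a small Python model of the two points this thread turns on. Part 1 walks a packet from 10.1.2.3 through a modelled nat/POSTROUTING chain and then through the SPD, for the plain masquerade, for riki's SNAT rule with -d ! 172.16.3.0/24, and for the other common fix, an ACCEPT exemption inserted ahead of the masquerade: with the plain masquerade the source is rewritten to 1.2.3.4, no out policy matches, and the packet leaves in clear text towards the Internet; with either fix it keeps its 10.1.2.3 source and hits the ipsec policy, while Internet-bound traffic is still NATed. The model assumes the SPD selector sees the post-NAT addresses; that is a simplification of the real netfilter/xfrm ordering, but it is the failure riki describes and the fix is the same. Part 2 parses the posted setkey -DP dump and checks tunnel endpoints: in setkey(8) the endpoints in esp/tunnel/src-dst are the outer source and destination, so the in and fwd policies should read 5.6.7.8-1.2.3.4 rather than 1.2.3.4-5.6.7.8 (the out policy is correct as posted), and the check reports both. Two further notes for anyone reusing this configuration: setkey -D prints the live ESP encryption and authentication keys (the E: and A: lines), so that dump should not be shared, and 3DES with SHA1 and DH group 1 (768-bit MODP) was ordinary for 2006 hardware but is far below current minimums.

```python
"""Added example for the thread above; not code from any of the posts.
1. A model of the netfilter nat/POSTROUTING chain followed by the SPD lookup,
   showing why the masquerade must exempt the remote subnet.
2. A parser for `setkey -DP` output that checks each policy's tunnel
   endpoints against its direction.
Assumption (simplification): the SPD selector is evaluated on the addresses
as they are after the NAT rewrite, which is the failure riki describes."""
import re
from ipaddress import ip_address, ip_network

LOCAL_GW, REMOTE_GW = "1.2.3.4", "5.6.7.8"  # tunnel endpoints from the thread


def postrouting(rules, src, dst):
    """Walk nat/POSTROUTING rules (src_net, dst_net, negate_dst, target, to_source)
    and return the source address the packet carries afterwards.  SNAT and
    MASQUERADE rewrite and stop; ACCEPT stops without rewriting."""
    for src_net, dst_net, negate_dst, target, to_source in rules:
        if ip_address(src) not in ip_network(src_net):
            continue
        if (ip_address(dst) in ip_network(dst_net)) == negate_dst:
            continue  # destination match (or '!' mismatch) failed
        if target == "SNAT":
            return to_source
        if target == "MASQUERADE":
            return LOCAL_GW
        if target == "ACCEPT":
            return src
    return src


def spd_action(spd, src, dst, direction="out"):
    """First matching policy wins; no policy means plaintext via the default route."""
    for p in spd:
        if (p["dir"] == direction and ip_address(src) in ip_network(p["src"])
                and ip_address(dst) in ip_network(p["dst"])):
            return p["action"]
    return "bypass"


def egress(rules, spd, src, dst):
    """(source address on the wire, 'ipsec' or 'bypass') for one forwarded packet."""
    wire_src = postrouting(rules, src, dst)
    return wire_src, spd_action(spd, wire_src, dst)


POLICY_HDR = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")
TUNNEL = re.compile(r"^(esp|ah)/tunnel/(\S+)-(\S+)/(\w+)$")


def parse_spd_dump(text):
    """Parse `setkey -DP` output into policy dicts; per-socket entries are skipped."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(per-socket policy)"):
            cur = None
            continue
        hdr = POLICY_HDR.match(line)
        if hdr:
            cur = {"src": hdr[1], "dst": hdr[3], "dir": None, "action": None, "tunnel": None}
            policies.append(cur)
        elif cur is not None:
            toks, tun = line.split(), TUNNEL.match(line)
            if toks[0] in ("in", "out", "fwd"):
                cur["dir"], cur["action"] = toks[0], toks[-1]
            elif tun:
                cur["tunnel"] = (tun[2], tun[3])
    return policies


def check_tunnel_endpoints(policies, local, remote):
    """setkey tunnel endpoints are the outer src-dst: out = local-remote,
    in and fwd = remote-local.  Return one message per mismatch."""
    want = {"out": (local, remote), "in": (remote, local), "fwd": (remote, local)}
    return [f"{p['dir']} policy {p['src']} -> {p['dst']} has tunnel "
            f"{'-'.join(p['tunnel'])}, expected {'-'.join(want[p['dir']])}"
            for p in policies
            if p["tunnel"] and p["dir"] in want and p["tunnel"] != want[p["dir"]]]


# Constructed sample: the SPD part of the `setkey -DP` dump posted in the thread.
SPD_DUMP = """\
172.16.3.0/24[any] 10.1.2.0/24[any] any
    in prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
10.1.2.0/24[any] 172.16.3.0/24[any] any
    out prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
172.16.3.0/24[any] 10.1.2.0/24[any] any
    fwd prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
(per-socket policy)
    in none
"""
SPD = parse_spd_dump(SPD_DUMP)

# The original plain masquerade, the SNAT rule from the thread, and the other
# common fix: an ACCEPT exemption inserted before the masquerade.
NAT_BROKEN = [("10.1.2.0/24", "0.0.0.0/0", False, "MASQUERADE", None)]
NAT_FIXED = [("10.1.2.0/24", "172.16.3.0/24", True, "SNAT", LOCAL_GW)]
NAT_ACCEPT = [("0.0.0.0/0", "172.16.3.0/24", False, "ACCEPT", None),
              ("10.1.2.0/24", "0.0.0.0/0", False, "MASQUERADE", None)]

if __name__ == "__main__":
    for name, rules in (("masquerade", NAT_BROKEN), ("SNAT -d !", NAT_FIXED), ("ACCEPT", NAT_ACCEPT)):
        print(name, egress(rules, SPD, "10.1.2.3", "172.16.3.10"), egress(rules, SPD, "10.1.2.3", "192.0.2.1"))
    for problem in check_tunnel_endpoints(SPD, LOCAL_GW, REMOTE_GW):
        print("SPD:", problem)
```

Run it as is to see the three NAT variants side by side; to check a live box, feed the real output of setkey -DP to parse_spd_dump instead of the constructed sample.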
More information about the linux mailing list