[linux] IPsec ...

Marek Zima marek.zima at zimas.sk
Sunday August 6 22:53:04 CEST 2006


OK ... 

I'll try to describe it in more detail ....
LAN 1 (10.1.2.0/24) <---> linux box (1.2.3.4) <----> Inet <-----> (5.6.7.8) ZyXEL <---> (172.16.3.0/24) LAN 2
(I inherited those LAN ranges, I didn't design them ;))

The ZyXEL is configured with defaults, except that I use DH 1 and SHA1 (but that
will be clearer from the configs below).

So, the configs on the linux box:
/etc/racoon/psk.txt
5.6.7.8 verryverrysecretpsk
1.2.3.4 verryverrysecretpsk

/etc/racoon/setkey
#!/usr/sbin/setkey -f
flush;
spdflush;
# The tunnel endpoints in a policy are the outer src-dst of the packet the policy
# applies to, so the inbound policy names them remote-local (see the spdadd
# examples in setkey(8)); the outbound policy names them local-remote.
spdadd 172.16.3.0/24 10.1.2.0/24 any -P in ipsec
       esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 10.1.2.0/24 172.16.3.0/24 any -P out ipsec
       esp/tunnel/1.2.3.4-5.6.7.8/require;

/etc/racoon/racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";


log notify;

padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        isakmp 1.2.3.4 [500];
}

timer
{
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        phase1 30 sec;
        phase2 15 sec;
}

remote 5.6.7.8 
{
        exchange_mode main;

        my_identifier address 1.2.3.4; 
        peers_identifier address 5.6.7.8;  
        verify_identifier on;
        nonce_size 16;
        lifetime time 28800 sec;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 1;
        }
}

sainfo address 10.1.2.0/24 any address 172.16.3.0/24 any  
{
        pfs_group 1;
        lifetime time 28800 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

-----
OK ... I run:
setkey -f /etc/racoon/setkey.conf
racoon -f /etc/racoon/racoon.conf (or with -F)

When I ping from 172.16.3.0/24 to 10.1.2.3 (for example), the packets arrive (I see
them in tcpdump on 10.1.2.3) but nothing goes out ;(
When I ping from 10.1.2.0/24 to 172.16.3.10 (for example), the packets don't arrive
(I don't see them in tcpdump on 172.16.3.10).
SO from the ZyXEL side it works ... it doesn't work from the linux box side.

When I look at the logs, racoon reports established, and it's probably right,
because the packets from LAN 2 arrive through the VPN.

I have forwarding enabled, because I can reach the internet from LAN1 ...
To be safe I turned the firewall off ... i.e. INPUT, OUTPUT, FORWARD are ACCEPT,
and NAT PREROUTING, OUTPUT and POSTROUTING are ACCEPT too,
and there are no rules in them (apart from the masquerade).
I adjusted the masquerade:
iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -d ! 172.16.3.0/24 -j SNAT --to-source 1.2.3.4

-----

But it still doesn't work ...
I'll attach this as well:
root@dsl:/etc/racoon# setkey -D
1.2.3.4 5.6.7.8
        esp mode=tunnel spi=26900642(0x019a78a2) reqid=0(0x00000000)
        E: 3des-cbc  da7049d1 01a54034 56f42e56 9fd7e9d8 5ff4f185 47f43cc8
        A: hmac-sha1  c919d41f c7980f82 b38e51d9 70c8d827 f45160e0
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Aug  6 17:20:05 2006   current: Aug  6 17:20:11 2006
        diff: 6(s)      hard: 28800(s)  soft: 23040(s)
        last: Aug  6 17:20:06 2006      hard: 0(s)      soft: 0(s)
        current: 800(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 5    hard: 0 soft: 0
        sadb_seq=1 pid=3534 refcnt=0
5.6.7.8 1.2.3.4
        esp mode=tunnel spi=258926406(0x0f6ee746) reqid=0(0x00000000)
        E: 3des-cbc  c6b58aed cf9814d1 1a6c9f43 1f2fcb26 80210775 b924e0a3
        A: hmac-sha1  e4a21f73 01bd1442 f6a4ee7d 1d1a6714 b353f351
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Aug  6 17:20:05 2006   current: Aug  6 17:20:11 2006
        diff: 6(s)      hard: 28800(s)  soft: 23040(s)
        last: Aug  6 17:20:06 2006      hard: 0(s)      soft: 0(s)
        current: 540(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 5    hard: 0 soft: 0
        sadb_seq=0 pid=3534 refcnt=0

and

root@dsl:/etc/racoon# setkey -DP
172.16.3.0/24[any] 10.1.2.0/24[any] any
        in prio def ipsec
        esp/tunnel/1.2.3.4-5.6.7.8/require
        created: Aug  6 17:17:58 2006  lastused: Aug  6 17:20:44 2006
        lifetime: 0(s) validtime: 0(s)
        spid=144 seq=4 pid=3599
        refcnt=2
10.1.2.0/24[any] 172.16.3.0/24[any] any
        out prio def ipsec
        esp/tunnel/1.2.3.4-5.6.7.8/require
        created: Aug  6 17:17:58 2006  lastused: Aug  6 17:22:19 2006
        lifetime: 0(s) validtime: 0(s)
        spid=137 seq=3 pid=3599
        refcnt=2
172.16.3.0/24[any] 10.1.2.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/1.2.3.4-5.6.7.8/require
        created: Aug  6 17:17:58 2006  lastused: Aug  6 17:22:19 2006
        lifetime: 0(s) validtime: 0(s)
        spid=154 seq=2 pid=3599
        refcnt=2
(per-socket policy)
        in none
        created: Aug  6 17:19:59 2006  lastused: Aug  6 17:22:04 2006
        lifetime: 0(s) validtime: 0(s)
        spid=163 seq=1 pid=3599
        refcnt=1
(per-socket policy)
        out none
        created: Aug  6 17:19:59 2006  lastused: Aug  6 17:22:03 2006
        lifetime: 0(s) validtime: 0(s)
        spid=172 seq=0 pid=3599
        refcnt=1

====================
Right now I'm confused ...
Are setkey and racoon (and taking it out of the masquerade) enough?
Isn't it necessary to create some tunnel or device as well (ipsec0 as in
FreeSWAN)?
What routes the packets in the right direction?
(I've tried all sorts of things, but nothing helped ;( )

Hopefully someone sees the mistake by now :) and I'll be glad if they tell me ;)

Thanks.

Marek

On Sun 6 August 2006 17:44, riki wrote:
> you have to take it out of the masquerade, but since you don't say anything
> more about the configuration I can't tell you whether it will work, but if
> this didn't occur to you then you've surely forgotten something else too :).
>
> Marek Zima wrote:
> > Wait,
> >
> > 	since I dial PPPoE on linux and have a masquerade on ppp0 (where the
> > external IP is) for the LAN network, ... so this is the mistake?
> > 	So it's enough to just exclude from the masquerade the packets destined for the LAN on the other side
> > (in my case behind the ZyXEL) .... and then it will work?
> >
> > Marek
> >
> > On Sun 6 August 2006 14:20, riki wrote:
> >> iptables -t nat -A POSTROUTING -s your-lan/mask -d !
> >> lan-behind-zyxel/mask -j SNAT --to-source linux-external-interface-ip
> >>
> >> so it's possible that the packets routed from the LAN behind the linux box
> >> get NATed to the public address and don't leave through ipsec but go to the
> >> internet, or they don't match the ipsec policy you defined.
> >>
> >> I assume the zyxel does this automatically.
> >>
> >> Marek Zima wrote:
> >>> What tunnel, and how do I create it ...
> >>>
> >>> What I have managed so far is that Racoon works correctly and the VPN is
> >>> established ...
> >>>
> >>> Right now I don't know what to do next ... what tunnel, and how to create it ... :(
> >>>
> >>> Marek
> >>>
> >>>> try not NATing the packets you want to go into the tunnel, and route
> >>>> them in the right direction :)
> >>>>
> >>>> r.
> >>>>
> >>>> Marek Zima wrote:
> >>>>> Hello all ...
> >>>>>
> >>>>> 	I set up IPsec (ipsec-tools) on a linux machine and I'm trying to
> >>>>> communicate with a ZyXEL device.
> >>>>>
> >>>>> 	IPsec is running, because when I ping the LAN behind the linux box from
> >>>>> the LAN (behind the ZyXEL), the packets arrive, but the replies go off somewhere into the Internet.
> >>>>>
> >>>>> 	Can you advise me what else I need to do on linux so that the packets for
> >>>>> the LAN behind the ZyXEL don't go to the internet but directly to the ZyXEL ...?
> >>>>> 	I tried adding various routes and creating a tunnel ... but evidently
> >>>>> incorrectly ...
> >>>>>
> >>>>> Thanks for any advice ...
> >>>>>
> >>>>> Marek
> >>>>>
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> https://lists.linux.sk/mailman/listinfo/linux
> >>>>> Archive search: http://search.lists.linux.sk
> >>>>> Meta FAQ: http://www.sklug.sk/lists/linux/metafaq.html
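The two dumps at the end of the message above are what one reads to tell a tunnel that has merely been negotiated from one that is carrying traffic. What follows is an added example, not code from the thread or from ipsec-tools: it parses `setkey -D` and `setkey -DP` output (the thread's own dumps, embedded as constructed sample input with key material and timestamps trimmed) and reports whether a mature ESP tunnel SA exists in each direction, whether each SA has carried bytes, and whether each policy's tunnel template names the SA of its own direction. The endpoint convention it checks (local-remote for `out`, remote-local for `in` and `fwd`) is the one used in the spdadd examples of setkey(8); the addresses 1.2.3.4 and 5.6.7.8 are the thread's.

```python
"""Check a racoon/setkey tunnel from setkey -D / -DP dumps (added example, not thread code)."""
import re
from dataclasses import dataclass
# Constructed input: the `setkey -D` dump from the thread, key material dropped.
SAD_SAMPLE = """\
1.2.3.4 5.6.7.8
        esp mode=tunnel spi=26900642(0x019a78a2) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Aug  6 17:20:05 2006   current: Aug  6 17:20:11 2006
        current: 800(bytes)     hard: 0(bytes)  soft: 0(bytes)
5.6.7.8 1.2.3.4
        esp mode=tunnel spi=258926406(0x0f6ee746) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        current: 540(bytes)     hard: 0(bytes)  soft: 0(bytes)
"""
# Constructed input: the `setkey -DP` dump from the thread, timestamps dropped.
SPD_SAMPLE = """\
172.16.3.0/24[any] 10.1.2.0/24[any] any
        in prio def ipsec
        esp/tunnel/1.2.3.4-5.6.7.8/require
10.1.2.0/24[any] 172.16.3.0/24[any] any
        out prio def ipsec
        esp/tunnel/1.2.3.4-5.6.7.8/require
172.16.3.0/24[any] 10.1.2.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/1.2.3.4-5.6.7.8/require
(per-socket policy)
        in none
(per-socket policy)
        out none
"""

@dataclass
class SA:
    src: str      # outer source address
    dst: str      # outer destination address
    mode: str     # tunnel / transport
    state: str    # larval / mature / dying / dead
    nbytes: int   # bytes the kernel has pushed through this SA so far

@dataclass
class Policy:
    src: str                # inner selector, e.g. 10.1.2.0/24
    dst: str
    direction: str          # in / out / fwd
    tunnel: "tuple | None"  # (outer src, outer dst) from esp/tunnel/A-B, if any

def _grab(pattern: str, body: str, default: str = "") -> str:
    m = re.search(pattern, body)
    return m.group(1) if m else default

def _entries(text: str) -> list:  # one (head, _, body) triple per unindented line
    return [b.partition("\n") for b in re.split(r"\n(?=\S)", text.strip())]

def parse_sad(text: str) -> list:
    """Parse `setkey -D` into SA records, one per 'src dst' block."""
    sas = []
    for head, _, body in _entries(text):
        src, dst = head.split()
        sas.append(SA(src, dst, _grab(r"mode=(\w+)", body), _grab(r"state=(\w+)", body),
                      # the other 'current:' line is a timestamp, so anchor on '(bytes)'
                      int(_grab(r"current: (\d+)\(bytes\)", body, "0"))))
    return sas

def parse_spd(text: str) -> list:
    """Parse `setkey -DP`; per-socket entries carry no selector and are skipped."""
    pols = []
    for head, _, body in _entries(text):
        sel = re.match(r"(\S+)\[\S+\] (\S+)\[\S+\]", head)
        if not sel:
            continue
        tmpl = re.search(r"esp/tunnel/([^-]+)-([^/]+)/", body)
        pols.append(Policy(sel.group(1), sel.group(2), _grab(r"^\s*(in|out|fwd) ", body),
                           (tmpl.group(1), tmpl.group(2)) if tmpl else None))
    return pols

def check_tunnel(sas: list, pols: list, local: str, remote: str) -> list:
    """Return findings as strings; an empty list means SAs and policies line up."""
    findings = []
    by_ends = {(sa.src, sa.dst): sa for sa in sas if sa.mode == "tunnel"}
    for name, ends in (("outbound", (local, remote)), ("inbound", (remote, local))):
        sa = by_ends.get(ends)
        if sa is None:
            findings.append(f"no {name} tunnel SA {ends[0]} -> {ends[1]}")
        elif sa.state != "mature":
            findings.append(f"{name} SA {ends[0]} -> {ends[1]} is {sa.state}, not mature")
        elif sa.nbytes == 0:
            findings.append(f"{name} SA {ends[0]} -> {ends[1]} has carried no bytes")
    for p in pols:
        # A template names the outer header of the packet the policy applies to: local-remote
        # for out, remote-local for in and fwd (the order in the spdadd examples of setkey(8)).
        want = (local, remote) if p.direction == "out" else (remote, local)
        if p.tunnel is not None and p.tunnel != want:
            findings.append(f"{p.direction} policy {p.src} -> {p.dst}: template "
                            f"{p.tunnel[0]}-{p.tunnel[1]}, but that direction's SA is "
                            f"{want[0]} -> {want[1]}")
    return findings

if __name__ == "__main__":
    print(*check_tunnel(parse_sad(SAD_SAMPLE), parse_spd(SPD_SAMPLE), "1.2.3.4", "5.6.7.8"), sep="\n")
```

On the thread's own dumps the SA checks pass: both SAs are mature and both counters are non-zero (800 bytes on 1.2.3.4 -> 5.6.7.8, 540 bytes on 5.6.7.8 -> 1.2.3.4). The two findings are the `in` and `fwd` policies, whose template reads 1.2.3.4-5.6.7.8 while the SA that decrypts traffic from the ZyXEL is 5.6.7.8 -> 1.2.3.4. Whether that is what broke this particular tunnel the thread does not say; what the non-zero outbound counter does show is that the kernel is encapsulating LAN1 traffic towards 5.6.7.8, so the next thing to capture is ESP on the external interface, e.g. `tcpdump -ni ppp0 esp` on the linux box and the corresponding view on the ZyXEL.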



More information about the linux mailing list