使用libreswan搭建ipsec点对点隧道 实现两idc内网网段互通

使用libreswan搭建ipsec点对点隧道 实现两idc内网网段互通


文章目录

  • 使用libreswan搭建ipsec点对点隧道 实现两idc内网网段互通
    • 一、libreswan 简介
      • - > IKE
      • - > ESP
      • Libreswan功能
    • 二、 环境介绍
      • 环境:
    • 三、软件安装:
      • 3.1 libreswan下载
      • 3.2 libreswan 安装
    • 四、 配置内核参数
      • 加载生效内核参数
    • 五、启动服务,验证内核配置是否正常
    • 六、 防火墙策略开发udp500 和 udp4500端口
      • 6.1 保障防火墙关闭或者开通udp500 和udp4500 策略
      • 6.2 云主机环境,请在安全组中添加相关ip的 4500 和 500策略
      • 6.3 nmap 验证端口连通性
    • 七、 配置预共享秘钥
    • 八、 配置 ipsec 连接
      • 8.1 主配置:
      • 8.2 创建连接配置:
    • 九、 重启两端服务,建立ipsec隧道
      • 9.1 查看ipsec建立情况
    • 十、 测试网络连通性
    • 十一、坑:
    • 十二、 排错
      • 12.1 tcpdump
      • 12.2 查看日志
      • 12.3 查看状态
      • 12.4 手动调试链接
    • 十三、参考:

一、libreswan 简介

LibreSwan是IPsec协议的开源实现,它基于FreeSwan项目,可以在RedHat的Linux发行版上使用该软件包。关于LibreSwan的IPsec协议的两个部分的简要信息如下所述。

基于IPsec的***由Internet密钥交换协议和封装安全有效载荷 (ESP)协议组成。

- > IKE

正如名称所示,IKE协议的目的是认证(使用***的预共享密钥,公开密钥加密,自由连接)对等体来动态生成密钥并与***对等体共享密钥。 IPsec第二阶段的加密密钥也取决于IKE。 Libreswan使用项目的pluto程序实现IKE协议。

- > ESP

ESP协议是在Linux内核(NETEY / XFRM)IPsec中实现的对等体约定策略的实际规范。

Libreswan功能

  • 支持基于预共享密钥的认证。
  • 支持基于公钥的认证。
  • 支持IKE v1 / v2版本的密钥交换。
  • 支持NSS加密库。
  • 还支持Xauth和DNSSec。

本文我们将使用 libreswan 搭建 点对点的ipsec网络,实现两idc内网互通。

二、 环境介绍

环境:

idc-重庆区域:

  • 内网网段: 172.16.30.0/24
  • 公网ip: 192.191.91.71 (公网ip修改)
  • 内网ip: 172.16.30.15
  • 主机版本: centos7

idc-香港区域:

  • 内网网段: 172.19.0.0/24
  • 公网ip: 192.226.50.61(公网ip修改)
  • 内网ip: 172.19.0.13
  • 主机版本: centos7

架构图:
使用libreswan搭建ipsec点对点隧道 实现两idc内网网段互通_第1张图片

三、软件安装:

3.1 libreswan下载

centos 系统yum仓库中提供了libreswan的包,但为了安全起见,我们采用最新版本的rpm进行安装

# wget  https://download.libreswan.org/binaries/rhel/7/x86_64/libreswan-3.31-1.el7_7.x86_64.rpm

3.2 libreswan 安装

yum localinstall -y libreswan-3.31-1.el7_7.x86_64.rpm



[root@VM_0_13_centos ipsec.d]# yum info libreswan
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Installed Packages
Name        : libreswan
Arch        : x86_64
Version     : 3.31
Release     : 1.el7_7
Size        : 4.4 M
Repo        : installed
From repo   : /libreswan-3.31-1.el7_7.x86_64
Summary     : Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
URL         : https://libreswan.org/
License     : GPLv2
Description : Libreswan is a free implementation of IPsec & IKE for Linux.  IPsec is
            : the Internet Protocol Security and uses strong cryptography to provide
            : both authentication and encryption services.  These services allow you
            : to build secure tunnels through untrusted networks.  Everything passing
            : through the untrusted net is encrypted by the ipsec gateway machine and
            : decrypted by the gateway at the other end of the tunnel.  The resulting
            : tunnel is a virtual private network or ***.
            : 
            : This package contains the daemons and userland tools for setting up
            : Libreswan.
            : 
            : Libreswan also supports IKEv2 (RFC7296) and Secure Labeling
            : 
            : Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04


[root@VM_0_13_centos ipsec.d]# rpm -ql libreswan|grep -E -v "share|libe"
/etc/ipsec.conf                                  # 主配文件
/etc/ipsec.d                                     # 配置文件子目录
/etc/ipsec.d/policies                            # 策略目录
/etc/ipsec.d/policies/block
/etc/ipsec.d/policies/clear
/etc/ipsec.d/policies/clear-or-private
/etc/ipsec.d/policies/portexcludes.conf
/etc/ipsec.d/policies/private
/etc/ipsec.d/policies/private-or-clear
/etc/ipsec.secrets                               # 秘钥配置文件
/etc/pam.d/pluto                                 # 协议认证模块
/etc/prelink.conf.d
/etc/prelink.conf.d/libreswan-fips.conf
/etc/sysctl.d/50-libreswan.conf                  # 内置系统内核文件
/run/pluto
/usr/lib/systemd/system/ipsec.service            # 服务systemd启动脚本文件
/usr/lib/tmpfiles.d/libreswan.conf
/usr/lib64/fipscheck/pluto.hmac
/usr/sbin/ipsec                                  # ipsec 二进制文件
/var/log/pluto
/var/log/pluto/peer

四、 配置内核参数

在libereswan软件安装中,内置了一下需要修改的内核参数[ /etc/sysctl.d/50-libreswan.conf ]。但这些还不够,ipsec是一个路由协议,需要开启路由转发

echo "## 开启路由转发功能" >> /etc/sysctl.conf
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

关闭源路由验证

echo "## 关闭源路由验证(跟进网卡名称添加如:ens33..)" >> /etc/sysctl.d/50-libreswan.conf
echo "net.ipv4.conf.all.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf
echo "net.ipv4.conf.default.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf
echo "net.ipv4.conf.eth0.rp_filter = 0" >> /etc/sysctl.d/50-libreswan.conf

关闭icmp重定向

echo "## 关闭icmp重定向"
sysctl -a | egrep "ipv4.*(accept|send)_redirects" | awk -F "=" '{print$1"= 0"}' >> /etc/sysctl.d/50-libreswan.conf

加载生效内核参数

  • sysctl -p
# cat /etc/sysctl.d/50-lireswan.conf
# when using 1 interface for two networks when using NETKEY, the kernel
# thinks it can be clever by sending a redirect (cause it cannot tell
# an encrypted packet came in, but a decrypted packet came out),
# so it sends a bogus ICMP redirect
#
# We disable redirects for XFRM/IPsec
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0

# sysctl -p 

五、启动服务,验证内核配置是否正常

  • systemctl start ipsec
[root@VM_0_13_centos ~]# systemctl start ipsec
[root@VM_0_13_centos ~]# systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-03-24 09:36:27 CST; 51min ago
     Docs: man:ipsec(8)
           man:pluto(8)
           man:ipsec.conf(5)
  Process: 2052 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
  Process: 2050 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
  Process: 2048 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
  Process: 2044 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
  Process: 2326 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
  Process: 2324 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
  Process: 2060 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 2059 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 2338 (pluto)
   Status: "Startup completed."
   CGroup: /system.slice/ipsec.service
           └─2338 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Mar 24 09:36:26 VM_0_13_centos systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Mar 24 09:36:26 VM_0_13_centos systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Mar 24 09:36:27 VM_0_13_centos ipsec[2326]: nflog ipsec capture disabled
Mar 24 09:36:27 VM_0_13_centos systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
  • ipsec verify
[root@VM_0_13_centos ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                   	[OK]
Libreswan 3.31 (netkey) on 3.10.0-1062.9.1.el7.x86_64
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[OK]
         ICMP default/accept_redirects            	[OK]
         XFRM larval drop                         	[OK]
Pluto ipsec.conf syntax                           	[OK]
Checking rp_filter                                	[OK]
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE/NAT-T on udp 4500        	[OK]
 Pluto ipsec.secret syntax                        	[OK]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]
Checking 'prelink' command does not interfere with FIPS	[OK]
Checking for obsolete ipsec.conf options          	[OK]

要确保所有检查都为OK,部分内核参数修改 sysctl -p也不能立即生效的,可以手动配置,或重启系统。

六、 防火墙策略开发udp500 和 udp4500端口

针对 Internet Key Exchange (IKE) 协议的 UDP 端口 500
针对 IKE NAT-Traversal的 UDP 端口 4500
针对 Encapsulated Security Payload (ESP) IPsec 数据包的端口 50
针对 Authenticated Header (AH) IPsec 数据包(非常见)的端口 51

[root@VM_0_13_centos ~]# netstat -unlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name           
udp        0      0 127.0.0.1:4500          0.0.0.0:*                           2338/pluto          
udp        0      0 172.19.0.13:4500        0.0.0.0:*                           2338/pluto          
udp        0      0 127.0.0.1:500           0.0.0.0:*                           2338/pluto          
udp        0      0 172.19.0.13:500         0.0.0.0:*                           2338/pluto                    
udp6       0      0 ::1:500                 :::*                                2338/pluto  

6.1 保障防火墙关闭或者开通udp500 和udp4500 策略

[root@VM_0_13_centos ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

6.2 云主机环境,请在安全组中添加相关ip的 4500 和 500策略

使用libreswan搭建ipsec点对点隧道 实现两idc内网网段互通_第2张图片

6.3 nmap 验证端口连通性

[root@VM_0_15_centos ~]# nmap -sU 192.226.50.61 -p 500,4500 -Pn
Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-24 10:34 CST
Nmap scan report for 192.226.50.61
Host is up.
PORT     STATE         SERVICE
500/udp  open|filtered isakmp
4500/udp open|filtered nat-t-ike
Nmap done: 1 IP address (1 host up) scanned in 9.83 seconds


[root@VM_0_13_centos ~]# nmap -sU 192.226.50.61 -p 500,4500 -Pn
Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-24 10:35 CST
Nmap scan report for 192.226.50.61
Host is up.
PORT     STATE         SERVICE
500/udp  open|filtered isakmp
4500/udp open|filtered nat-t-ike
Nmap done: 1 IP address (1 host up) scanned in 3.26 seconds

七、 配置预共享秘钥

ipsec ike支持 预共享秘钥,证书,x.509 等方式验证,在这里我们使用预共享秘钥

authby=secret

查看 secret 主配文件/etc/ipsec.secrets,创建秘钥

[root@VM_0_13_centos ~]# cat /etc/ipsec.secrets 
include /etc/ipsec.d/*.secrets

[root@VM_0_13_centos ~]# vim /etc/ipsec.d/test-vm.secrets 
## 源ip 目的ip : PSK "key" (0.0.0.0 所有ip)

0.0.0.0  0.0.0.0 : PSK "1234567890"

测试阶段为了方便我们使用 1234567890 作为所有连接的秘钥

八、 配置 ipsec 连接

8.1 主配置:

[root@VM_0_13_centos ~]# cat /etc/ipsec.conf 
# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/

config setup
	# Normally, pluto logs via syslog.
	logfile=/var/log/pluto.log
	#
	# Do not enable debug options to debug configuration issues!
	#
	# plutodebug="control parsing"
	# plutodebug="all crypt"
	plutodebug=none
	#
	# NAT-TRAVERSAL support
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	# It seems that T-Mobile in the US and Rogers/Fido in Canada are
	# using 25/8 as "private" address space on their wireless networks.
	# This range has never been announced via BGP (at least up to 2015)
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config

# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf

主配置告诉我们自配置文件的在 /etc/ipsec.d/*.conf 和内网bgp传送信息,为了方便起见我们开启日志,调试。

8.2 创建连接配置:

vim /etc/ipsec.d/test-vm.conf

conn test-vm-test
        ### phase 1 ###

        # 指定认证类型预共享秘钥
        authby=secret
        # 指定ike算法为3des-sha1
        ike=3des-sha1
        # 指定ike
        keyexchange=ike

        ### phase 2 ###
        phase2=esp
        phase2alg=3des-sha1
        # 指定是否压缩
        compress=no
        # 指定是否加密
        pfs=yes
        # 指定连接添加类型。start 为开机自启,add为添加 不主动连接
        auto=start
        # 指定模式类型为隧道模式|传输模式
        type=tunnel

        left=172.30.0.15
        leftsubnet=172.30.0.0/24
        leftid=192.191.91.71
        leftnexthop=%defaultroute

        right=192.226.50.61
        rightsubnet=172.19.0.0/24
        rightid=192.226.50.61
        rightnexthop=%defaultroute

Libreswan 不使用术语 “source”(来源) 或 “destination”(目的)。相反,它用术语 “left”(左边) 和 “right”(右边) 来代指终端(主机)。虽然大多数管理员用 “left” 表示本地主机,“right” 表示远程主机,但是这样可以再大多数情况下在两个终端上使用相同的配置。
由于我们的服务器使用的是vpc网络,采用静态nat的形式,在配置left 和right 时,本端的ip需要使用内网ip,或 %defaultroute。left 和 right 是两端的ip地址,而leftid 和 rightid 为代号id。

[root@VM_0_15_centos ~]# ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:47:0b:03 brd ff:ff:ff:ff:ff:ff
    inet 172.30.0.15/20 brd 172.30.15.255 scope global eth0
       valid_lft forever preferred_lft forever
3: tun0:  mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none 
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
4: ip_vti0@NONE:  mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0

跟进实际情况,写对端配置

vim /etc/ipsec.d/test-vm.conf

conn test-vm-test
        # 指定认证类型预共享秘钥
        authby=secret
        # 指定ike算法为3des-sha1
        ike=3des-sha1
        # 指定ike
        keyexchange=ike

        ### phase 2 ###
        phase2=esp
        phase2alg=3des-sha1
        # 指定是否压缩
        compress=no
        # 指定是否加密
        pfs=yes
        # 指定连接添加类型。start 为开机自启,add为添加 不主动连接
        auto=start
        # 指定模式类型为隧道模式|传输模式
        type=tunnel

        left=192.191.91.71
        leftsubnet=172.30.0.0/24
        leftid=192.191.91.71
        leftnexthop=%defaultroute

        right=172.19.0.13
        rightsubnet=172.19.0.0/24
        rightid=192.226.50.61
        rightnexthop=%defaultroute

九、 重启两端服务,建立ipsec隧道

# 两端都需要重启服务,查看日志

[root@VM_0_15_centos ~]# systemctl restart ipsec && tailf /var/log/pluto.log 
Mar 24 11:13:31.653094:   RFC 2104: MD5_HMAC test 2
Mar 24 11:13:31.653253:   RFC 2104: MD5_HMAC test 3
Mar 24 11:13:31.653454: 1 CPU cores online
Mar 24 11:13:31.653463: starting up 1 crypto helpers
Mar 24 11:13:31.653508: started thread for crypto helper 0
Mar 24 11:13:31.653523: Using Linux XFRM/NETKEY IPsec kernel support code on 3.10.0-514.21.1.el7.x86_64
Mar 24 11:13:31.653842: selinux support is NOT enabled.
Mar 24 11:13:31.653857: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Mar 24 11:13:31.653861: watchdog: sending probes every 100 secs
Mar 24 11:13:31.658117: added connection description "test-vm-test"
Mar 24 11:13:31.663092: listening for IKE messages
Mar 24 11:13:31.663151: Kernel does not support NIC esp-hw-offload (ETHTOOL_GSSET_INFO failed)
Mar 24 11:13:31.663164: adding interface tun0/tun0 (esp-hw-offload not supported by kernel) 10.8.0.1:500
Mar 24 11:13:31.663179: adding interface tun0/tun0 10.8.0.1:4500
Mar 24 11:13:31.663193: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 172.30.0.15:500
Mar 24 11:13:31.663206: adding interface eth0/eth0 172.30.0.15:4500
Mar 24 11:13:31.663220: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500
Mar 24 11:13:31.663233: adding interface lo/lo 127.0.0.1:4500
Mar 24 11:13:31.664646: loading secrets from "/etc/ipsec.secrets"
Mar 24 11:13:31.664699: loading secrets from "/etc/ipsec.d/test-vm.secrets"
Mar 24 11:13:31.665433: "test-vm-test" #1: initiating IKEv2 IKE SA
Mar 24 11:13:31.665462: "test-vm-test": local IKE proposals (IKE SA initiator selecting KE): 
Mar 24 11:13:31.665475: "test-vm-test":   1:IKE=3DES-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Mar 24 11:13:31.666747: "test-vm-test" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Mar 24 11:13:31.698633: "test-vm-test": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals): 
Mar 24 11:13:31.698669: "test-vm-test":   1:ESP=3DES-HMAC_SHA1_96-NONE-DISABLED
Mar 24 11:13:31.698718: "test-vm-test" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=3DES_CBC_192 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
Mar 24 11:13:31.752437: "test-vm-test" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.226.50.61'
Mar 24 11:13:31.752554: "test-vm-test" #2: Authenticated using authby=secret
Mar 24 11:13:31.795116: "test-vm-test" #2: negotiated connection [172.30.0.0-172.30.0.255:0-65535 0] -> [172.19.0.0-172.19.0.255:0-65535 0]
Mar 24 11:13:31.795155: "test-vm-test"  #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0xead78a70 <0x677c8223 xfrm=3DES_CBC-HMAC_SHA1_96 NATOA=none NATD=192.226.50.61:4500 DPD=passive}

IPsec SA established tunnel mode# 看到日志为建立隧道成功

9.1 查看ipsec建立情况

ipsec auto --status

[root@VM_0_15_centos ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.30.0.15:4500
000 interface eth0/eth0 172.30.0.15:500
000 interface tun0/tun0 10.8.0.1:4500
000 interface tun0/tun0 10.8.0.1:500
000  
000  
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000  
000 config setup options:
000  
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.31, pluto_vendorid=OE-Libreswan-3.31, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=no, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=
000 ocsp-trust-name=
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=
000 secctx-attr-type=32001
000 debug:
000  
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000  
000 Kernel algorithms supported:
000  
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000  
000 IKE algorithms supported:
000  
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 Connection list:
000  
000 "test-vm-test": 172.30.0.0/24===172.30.0.15<172.30.0.15>[192.191.91.71]---172.30.0.1...192.226.50.61<192.226.50.61>===172.19.0.0/24; erouted; eroute owner: #2
000 "test-vm-test":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "test-vm-test":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "test-vm-test":   our auth:secret, their auth:secret
000 "test-vm-test":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "test-vm-test":   policy_label:unset;
000 "test-vm-test":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "test-vm-test":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "test-vm-test":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "test-vm-test":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "test-vm-test":   v2-auth-hash-policy: none;
000 "test-vm-test":   conn_prio: 24,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "test-vm-test":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "test-vm-test":   our idtype: ID_IPV4_ADDR; our id=192.191.91.71; their idtype: ID_IPV4_ADDR; their id=192.226.50.61
000 "test-vm-test":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "test-vm-test":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "test-vm-test":   IKE algorithms: 3DES_CBC-HMAC_SHA1-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
000 "test-vm-test":   IKEv2 algorithm newest: 3DES_CBC_192-HMAC_SHA1-MODP2048
000 "test-vm-test":   ESP algorithms: 3DES_CBC-HMAC_SHA1_96
000 "test-vm-test":   ESP algorithm newest: 3DES_CBC_192-HMAC_SHA1_96; pfsgroup=
000  
000 Total IPsec connections: loaded 1, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(2), half-open(1), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
000 #1: "test-vm-test":4500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REKEY in 2444s; newest ISAKMP; idle;
000 #2: "test-vm-test":4500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REKEY in 27885s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "test-vm-test" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B 
000 #3: "test-vm-test":500 STATE_PARENT_R1 (received v2I1, sent v2R1); EVENT_SO_DISCARD in 37s; idle;
000  
000 Bare Shunt list:
000  

十、 测试网络连通性

分别在两端ping对端ip

[root@VM_0_15_centos ~]# ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:47:0b:03 brd ff:ff:ff:ff:ff:ff
    inet 172.30.0.15/20 brd 172.30.15.255 scope global eth0
       valid_lft forever preferred_lft forever
3: tun0:  mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none 
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
4: ip_vti0@NONE:  mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0


[root@VM_0_15_centos ~]# ip route
default via 172.30.0.1 dev eth0 
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1 
169.254.0.0/16 dev eth0  scope link  metric 1002 
172.30.0.0/20 dev eth0  proto kernel  scope link  src 172.30.0.15 

[root@VM_0_15_centos ~]# ping 172.19.0.13
PING 172.19.0.13 (172.19.0.13) 56(84) bytes of data.
64 bytes from 172.19.0.13: icmp_seq=1 ttl=64 time=40.2 ms
^C


---

[root@VM_0_13_centos ipsec.d]# ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:16:68:89 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.13/20 brd 172.19.15.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe16:6889/64 scope link 
       valid_lft forever preferred_lft forever
3: ip_vti0@NONE:  mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0

[root@VM_0_13_centos ipsec.d]# ping 172.30.0.15
PING 172.30.0.15 (172.30.0.15) 56(84) bytes of data.
64 bytes from 172.30.0.15: icmp_seq=1 ttl=64 time=40.1 ms
^C

[root@VM_0_13_centos ipsec.d]# ip route
default via 172.19.0.1 dev eth0 
169.254.0.0/16 dev eth0 scope link metric 1002 
172.19.0.0/20 dev eth0 proto kernel scope link src 172.19.0.13 

我们看到网络已经通了,查看路由表 发现已经新增ipsec相关的路由条目了。

十一、坑:

  • 预共享秘钥不一致
  • vps nat网络模式下,配置文件本段ip写内网ip,对端写公网
  • ike=3des-sha1加密算法,dh24 后,ipsec不连接

十二、 排错

12.1 tcpdump

tcpdump -n -i interface esp and udp port 500 and udp port 4500
00:32:32.632165 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1a), length 132
00:32:32.632592 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1a), length 132
00:32:32.632592 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 7, length 64
00:32:33.632221 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1b), length 132
00:32:33.632731 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1b), length 132
00:32:33.632731 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 8, length 64
00:32:34.632183 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1c), length 132
00:32:34.632607 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1c), length 132
00:32:34.632607 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 9, length 64
00:32:35.632233 IP 192.1.2.45 > 192.1.2.23: ESP(spi=0x63ad7e17,seq=0x1d), length 132
00:32:35.632685 IP 192.1.2.23 > 192.1.2.45: ESP(spi=0x4841b647,seq=0x1d), length 132
00:32:35.632685 IP 192.0.2.254 > 192.0.1.254: ICMP echo reply, id 2489, seq 10, length 64

12.2 查看日志

# tailf /var/log/pluto.log 

Mar 24 11:13:31.665433: "test-vm-test" #1: initiating IKEv2 IKE SA
Mar 24 11:13:31.665462: "test-vm-test": local IKE proposals (IKE SA initiator selecting KE): 
Mar 24 11:13:31.665475: "test-vm-test":   1:IKE=3DES-HMAC_SHA1-HMAC_SHA1_96-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Mar 24 11:13:31.666747: "test-vm-test" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Mar 24 11:13:31.698633: "test-vm-test": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals): 
Mar 24 11:13:31.698669: "test-vm-test":   1:ESP=3DES-HMAC_SHA1_96-NONE-DISABLED
Mar 24 11:13:31.698718: "test-vm-test" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=3DES_CBC_192 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
Mar 24 11:13:31.752437: "test-vm-test" #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.226.50.61'
Mar 24 11:13:31.752554: "test-vm-test" #2: Authenticated using authby=secret
Mar 24 11:13:31.795116: "test-vm-test" #2: negotiated connection [172.30.0.0-172.30.0.255:0-65535 0] -> [172.19.0.0-172.19.0.255:0-65535 0]
Mar 24 11:13:31.795155: "test-vm-test"  #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0xead78a70 <0x677c8223 xfrm=3DES_CBC-HMAC_SHA1_96 NATOA=none NATD=192.226.50.61:4500 DPD=passive}

12.3 查看状态

ipsec auto --status

12.4 手动调试链接

ipsec auto --up 连接名

十三、参考:

https://access.redhat.com/documentation/zh-cn/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks

https://www.linuxprobe.com/centos7-install-.html

https://www.mtyun.com/library/how-to-configure-ipsec-{***}-on-centos6

你可能感兴趣的:(网络)