Thomas: Die Seite wurde neu angelegt: „=Prinzip= ==tic== ip xfrm state flush ip xfrm state add src 192.168.244.53 dst 192.168.244.52 proto esp spi 0x12345678 \ reqid 0x12345678 mode tunnel aut…“

2017-10-22T06:51:44Z

Die Seite wurde neu angelegt: „=Prinzip= ==tic== ip xfrm state flush ip xfrm state add src 192.168.244.53 dst 192.168.244.52 proto esp spi 0x12345678 \ reqid 0x12345678 mode tunnel aut…“

Neue Seite

=Prinzip=
==tic==
ip xfrm state flush

ip xfrm state add src 192.168.244.53 dst 192.168.244.52 proto esp spi 0x12345678 \
reqid 0x12345678 mode tunnel auth sha256 0x1234567890123456789012345678901234567890123456789012345678901234 \
enc aes 0x0000123456789012345678901234567890123456789012345678901234567890

ip xfrm state add src 192.168.244.52 dst 192.168.244.53 proto esp spi 0x12345678 \
reqid 0x12345678 mode tunnel auth sha256 0x1234567890123456789012345678901234567890123456789012345678901234 \
enc aes 0x0000123456789012345678901234567890123456789012345678901234567890

ip xfrm policy flush

ip xfrm policy add src 10.10.53.0/24 dst 10.10.52.0/24 dir out tmpl src 192.168.244.53 dst 192.168.244.52 \
proto esp reqid 0x12345678 mode tunnel

ip xfrm policy add src 10.10.52.0/24 dst 10.10.53.0/24 dir in tmpl src 192.168.244.52 dst 192.168.244.53 \
proto esp reqid 0x12345678 mode tunnel

==nogger==
ip xfrm state flush

ip xfrm state add src 192.168.244.53 dst 192.168.244.52 proto esp spi 0x12345678 \
reqid 0x12345678 mode tunnel auth sha256 0x1234567890123456789012345678901234567890123456789012345678901234 \
enc aes 0x0000123456789012345678901234567890123456789012345678901234567890

ip xfrm state add src 192.168.244.52 dst 192.168.244.53 proto esp spi 0x12345678 \
reqid 0x12345678 mode tunnel auth sha256 0x1234567890123456789012345678901234567890123456789012345678901234 \
enc aes 0x0000123456789012345678901234567890123456789012345678901234567890

ip xfrm policy flush

ip xfrm policy add src 10.10.52.0/24 dst 10.10.53.0/24 dir out tmpl src 192.168.244.52 dst 192.168.244.53 \
proto esp reqid 0x12345678 mode tunnel

ip xfrm policy add src 10.10.53.0/24 dst 10.10.52.0/24 dir in tmpl src 192.168.244.53 dst 192.168.244.52 \
proto esp reqid 0x12345678 mode tunnel

==Kontrolle==
*ip xfrm state
<pre>
src 192.168.244.52 dst 192.168.244.53
proto esp spi 0x12345678 reqid 305419896 mode tunnel
replay-window 0
auth-trunc hmac(sha256) 0x1234567890123456789012345678901234567890123456789012345678901234 96
enc cbc(aes) 0x0000123456789012345678901234567890123456789012345678901234567890
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.168.244.53 dst 192.168.244.52
proto esp spi 0x12345678 reqid 305419896 mode tunnel
replay-window 0
auth-trunc hmac(sha256) 0x1234567890123456789012345678901234567890123456789012345678901234 96
enc cbc(aes) 0x0000123456789012345678901234567890123456789012345678901234567890
anti-replay context: seq 0x0, oseq 0x196, bitmap 0x00000000
sel src 0.0.0.0/0 dst 0.0.0.0/0
</pre>
*ip xfrm policy
<pre>

src 10.10.52.0/24 dst 10.10.53.0/24
dir in priority 0
tmpl src 192.168.244.52 dst 192.168.244.53
proto esp reqid 305419896 mode tunnel
src 10.10.53.0/24 dst 10.10.52.0/24
dir out priority 0
tmpl src 192.168.244.53 dst 192.168.244.52
proto esp reqid 305419896 mode tunnel
</pre>
*ip xfrm monitor
<pre>
Async event (0x10) replay update
src 192.168.244.53 dst 192.168.244.52 reqid 0x12345678 protocol esp SPI 0x12345678
Async event (0x20) timer expired
src 192.168.244.53 dst 192.168.244.52 reqid 0x12345678 protocol esp SPI 0x12345678
Async event (0x20) timer expired
src 192.168.244.53 dst 192.168.244.52 reqid 0x12345678 protocol esp SPI 0x12345678
Async event (0x20) timer expired
src 192.168.244.53 dst 192.168.244.52 reqid 0x12345678 protocol esp SPI 0x12345678
</pre>

=Skript=

*/usr/local/sbin/tunnel.sh
<pre>
#!/bin/bashWireshark VPN entschlüsseln

if [ "$4" == "" ]; then
echo "usage: $0 <local_ip> <remote_ip> <new_local_ip> <new_remote_ip>"
echo "creates an ipsec tunnel between two machines"
exit 1
fi

SRC="$1"; shift
DST="$1"; shift
LOCAL="$1"; shift
REMOTE="$1"; shift

KEY1=0x`dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64`
KEY2=0x`dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64`
echo KEY1 = $KEY1
echo KEY2 = $KEY2
ID=0x`dd if=/dev/urandom count=4 bs=1 2> /dev/null| xxd -p -c 8`

echo "spdflush; flush;" | sudo setkey -c
echo ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
sudo ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
echo ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
sudo ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
echo ip xfrm policy add src $LOCAL dst $REMOTE dir out tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel
sudo ip xfrm policy add src $LOCAL dst $REMOTE dir out tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel
echo ip xfrm policy add src $REMOTE dst $LOCAL dir in tmpl src $DST dst $SRC proto esp reqid $ID mode tunnel
sudo ip xfrm policy add src $REMOTE dst $LOCAL dir in tmpl src $DST dst $SRC proto esp reqid $ID mode tunnel
#echo 5
#sudo ip addr add $LOCAL dev lo
#echo 6
#sudo ip route add $REMOTE dev eth0 src $LOCAL

ssh $DST /bin/bash << EOF
echo "spdflush; flush;" | sudo setkey -c
sudo ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
sudo ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
sudo ip xfrm policy add src $REMOTE dst $LOCAL dir out tmpl src $DST dst $SRC proto esp reqid $ID mode tunnel
sudo ip xfrm policy add src $LOCAL dst $REMOTE dir in tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel
# sudo ip addr add $REMOTE dev lo
# sudo ip route add $LOCAL dev eth0 src $REMOTE
EOF
</pre>

=Links=
*https://gist.github.com/vishvananda/7094676

Ip xfrm - Versionsgeschichte

Thomas: Die Seite wurde neu angelegt: „=Prinzip= ==tic== ip xfrm state flush ip xfrm state add src 192.168.244.53 dst 192.168.244.52 proto esp spi 0x12345678 \ reqid 0x12345678 mode tunnel aut…“