IPsec Manual Keying: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
Zeile 31: Zeile 31:
 
=Alternative=
 
=Alternative=
 
*https://gist.github.com/vishvananda/7094676
 
*https://gist.github.com/vishvananda/7094676
 +
 +
*/usr/local/sbin/tunnel.sh
 +
<pre>
 +
#!/bin/bash
 +
 +
if [ "$4" == "" ]; then
 +
    echo "usage: $0 <local_ip> <remote_ip> <new_local_ip> <new_remote_ip>"
 +
    echo "creates an ipsec tunnel between two machines"
 +
    exit 1
 +
fi
 +
 +
SRC="$1"; shift
 +
DST="$1"; shift
 +
LOCAL="$1"; shift
 +
REMOTE="$1"; shift
 +
 +
KEY1=0x`dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64`
 +
KEY2=0x`dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64`
 +
echo KEY1 = $KEY1
 +
echo KEY2 = $KEY2
 +
ID=0x`dd if=/dev/urandom count=4 bs=1 2> /dev/null| xxd -p -c 8`
 +
 +
echo "spdflush; flush;" | sudo setkey -c
 +
echo ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
 +
sudo ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
 +
echo ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
 +
sudo ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
 +
echo ip xfrm policy add src $LOCAL dst $REMOTE dir out tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel
 +
sudo ip xfrm policy add src $LOCAL dst $REMOTE dir out tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel
 +
echo ip xfrm policy add src $REMOTE dst $LOCAL dir in tmpl src $DST dst $SRC proto esp reqid $ID mode tunnel
 +
sudo ip xfrm policy add src $REMOTE dst $LOCAL dir in tmpl src $DST dst $SRC proto esp reqid $ID mode tunnel
 +
#echo 5
 +
#sudo ip addr add $LOCAL dev lo
 +
#echo 6
 +
#sudo ip route add $REMOTE dev eth0 src $LOCAL
 +
 +
 +
ssh $DST /bin/bash << EOF
 +
    echo "spdflush; flush;" | sudo setkey -c
 +
    sudo ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
 +
    sudo ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
 +
    sudo ip xfrm policy add src $REMOTE dst $LOCAL dir out tmpl src $DST dst $SRC proto esp reqid $ID mode tunnel
 +
    sudo ip xfrm policy add src $LOCAL dst $REMOTE dir in tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel
 +
#    sudo ip addr add $REMOTE dev lo
 +
#    sudo ip route add $LOCAL dev eth0 src $REMOTE
 +
EOF
 +
</pre>

Version vom 4. Oktober 2016, 20:07 Uhr

Installation/Vorraussetzungen

Für diese Art der Verbindung wird das Programm "setkey" benötigt, dass im Paket "ipsec-tools" vorhanden ist

  • apt-get install ipsec-tools

Konfigurationsdatei erstellen

  • In einem beliebigen Verzeichnis eine Datei mit folgendem Inhalt erstellen
#!/usr/sbin/setkey -f
flush;
spdflush;


# ESP
add 192.168.244.2 192.168.242.1 esp 15701 -m tunnel
                        -E 3des-cbc "123456789012123456789012"
                        -A hmac-sha1 "this is the test key";

add 192.168.242.1 192.168.244.2 esp 24501 -m tunnel
                        -E 3des-cbc "123456789012123456789012"
                        -A hmac-sha1 "this is the test key";


spdadd 10.88.88.0/24 10.44.44.0/24 any -P out ipsec
           esp/tunnel/192.168.242.1-192.168.244.2/require;

spdadd 10.44.44.0/24 10.88.88.0/24 any -P in ipsec
           esp/tunnel/192.168.244.2-192.168.242.1/require;
  • Auf der Gegenseite muss die selbe Datei erstellt werden, lediglich die IP-Addressen müssen vertauscht werden

Alternative

  • /usr/local/sbin/tunnel.sh
#!/bin/bash

if [ "$4" == "" ]; then
    echo "usage: $0 <local_ip> <remote_ip> <new_local_ip> <new_remote_ip>"
    echo "creates an ipsec tunnel between two machines"
    exit 1
fi

SRC="$1"; shift
DST="$1"; shift
LOCAL="$1"; shift
REMOTE="$1"; shift

KEY1=0x`dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64`
KEY2=0x`dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64`
echo KEY1 = $KEY1
echo KEY2 = $KEY2
ID=0x`dd if=/dev/urandom count=4 bs=1 2> /dev/null| xxd -p -c 8`

echo "spdflush; flush;" | sudo setkey -c
echo ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
sudo ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
echo ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
sudo ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
echo ip xfrm policy add src $LOCAL dst $REMOTE dir out tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel
sudo ip xfrm policy add src $LOCAL dst $REMOTE dir out tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel
echo ip xfrm policy add src $REMOTE dst $LOCAL dir in tmpl src $DST dst $SRC proto esp reqid $ID mode tunnel
sudo ip xfrm policy add src $REMOTE dst $LOCAL dir in tmpl src $DST dst $SRC proto esp reqid $ID mode tunnel
#echo 5
#sudo ip addr add $LOCAL dev lo
#echo 6
#sudo ip route add $REMOTE dev eth0 src $LOCAL


ssh $DST /bin/bash << EOF
    echo "spdflush; flush;" | sudo setkey -c
    sudo ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
    sudo ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
    sudo ip xfrm policy add src $REMOTE dst $LOCAL dir out tmpl src $DST dst $SRC proto esp reqid $ID mode tunnel
    sudo ip xfrm policy add src $LOCAL dst $REMOTE dir in tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel
#    sudo ip addr add $REMOTE dev lo
#    sudo ip route add $LOCAL dev eth0 src $REMOTE
EOF
Abgerufen von „http://wiki.ixheim.de/index.php?title=IPsec_Manual_Keying&oldid=11417