IP Utils Esp: Unterschied zwischen den Versionen

(Die Seite wurde geleert.)
 
(Eine dazwischenliegende Version desselben Benutzers wird nicht angezeigt)
Zeile 1: Zeile 1:
=Prinzip=
 
==tic==
 
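# --- tic (192.168.244.53): manually keyed ESP tunnel towards nogger (192.168.244.52) ---
# Outer addresses are the tunnel endpoints; the inner /24s are what travels inside the tunnel.
TIC_OUTER=192.168.244.53
NOGGER_OUTER=192.168.244.52
TIC_NET=10.10.53.0/24
NOGGER_NET=10.10.52.0/24

# Demo SPI and keys (64 hex digits = 256-bit HMAC-SHA-256 key / 256-bit AES key).
# The same SPI and keys are used in both directions here, which is acceptable for a
# lab but not for real deployments: use a distinct SPI and key set per direction.
SPI=0x12345678
AUTH_KEY=0x1234567890123456789012345678901234567890123456789012345678901234
ENC_KEY=0x0000123456789012345678901234567890123456789012345678901234567890

# Start from an empty SAD. Note this removes *every* SA on the host, not only this tunnel's.
ip xfrm state flush

# Outbound SA (tic -> nogger) and inbound SA (nogger -> tic).
# replay-window 32 turns anti-replay on; a manually added SA otherwise ends up with
# "replay-window 0" (see the `ip xfrm state` output under Kontrolle), i.e. replayed ESP
# packets are accepted. Linux truncates plain `auth sha256` to a 96-bit ICV.
ip xfrm state add src "$TIC_OUTER" dst "$NOGGER_OUTER" proto esp spi "$SPI" \
  reqid "$SPI" mode tunnel replay-window 32 \
  auth sha256 "$AUTH_KEY" enc aes "$ENC_KEY"

ip xfrm state add src "$NOGGER_OUTER" dst "$TIC_OUTER" proto esp spi "$SPI" \
  reqid "$SPI" mode tunnel replay-window 32 \
  auth sha256 "$AUTH_KEY" enc aes "$ENC_KEY"

# Start from an empty SPD (again: flushes all policies on the host).
ip xfrm policy flush

# Policies select the inner traffic and bind it (via reqid) to the SAs above.
ip xfrm policy add src "$TIC_NET" dst "$NOGGER_NET" dir out \
  tmpl src "$TIC_OUTER" dst "$NOGGER_OUTER" proto esp reqid "$SPI" mode tunnel

ip xfrm policy add src "$NOGGER_NET" dst "$TIC_NET" dir in \
  tmpl src "$NOGGER_OUTER" dst "$TIC_OUTER" proto esp reqid "$SPI" mode tunnel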
 
  
==nogger==
 
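# --- nogger (192.168.244.52): mirror image of the tic configuration ---
# Both hosts install the same two SAs; only the policy directions are swapped.
NOGGER_OUTER=192.168.244.52
TIC_OUTER=192.168.244.53
NOGGER_NET=10.10.52.0/24
TIC_NET=10.10.53.0/24

# Demo SPI and keys, identical to the tic side (they must agree per SA).
# Same caveat as on tic: one SPI/key set for both directions is lab-only practice.
SPI=0x12345678
AUTH_KEY=0x1234567890123456789012345678901234567890123456789012345678901234
ENC_KEY=0x0000123456789012345678901234567890123456789012345678901234567890

# Empty the SAD first (drops every SA on this host).
ip xfrm state flush

# SA tic -> nogger (inbound here) and SA nogger -> tic (outbound here).
# replay-window 32 enables anti-replay; without it the kernel keeps
# "replay-window 0" and performs no replay check on received ESP packets.
ip xfrm state add src "$TIC_OUTER" dst "$NOGGER_OUTER" proto esp spi "$SPI" \
  reqid "$SPI" mode tunnel replay-window 32 \
  auth sha256 "$AUTH_KEY" enc aes "$ENC_KEY"

ip xfrm state add src "$NOGGER_OUTER" dst "$TIC_OUTER" proto esp spi "$SPI" \
  reqid "$SPI" mode tunnel replay-window 32 \
  auth sha256 "$AUTH_KEY" enc aes "$ENC_KEY"

# Empty the SPD (drops every policy on this host).
ip xfrm policy flush

# Outbound: nogger's net -> tic's net through the nogger -> tic SA.
ip xfrm policy add src "$NOGGER_NET" dst "$TIC_NET" dir out \
  tmpl src "$NOGGER_OUTER" dst "$TIC_OUTER" proto esp reqid "$SPI" mode tunnel

# Inbound: tic's net -> nogger's net must arrive through the tic -> nogger SA.
ip xfrm policy add src "$TIC_NET" dst "$NOGGER_NET" dir in \
  tmpl src "$TIC_OUTER" dst "$NOGGER_OUTER" proto esp reqid "$SPI" mode tunnel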
 
 
==Kontrolle==
 
*ip xfrm state
 
<pre>
 
src 192.168.244.52 dst 192.168.244.53
 
proto esp spi 0x12345678 reqid 305419896 mode tunnel
 
replay-window 0
 
auth-trunc hmac(sha256) 0x1234567890123456789012345678901234567890123456789012345678901234 96
 
enc cbc(aes) 0x0000123456789012345678901234567890123456789012345678901234567890
 
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
 
sel src 0.0.0.0/0 dst 0.0.0.0/0
 
src 192.168.244.53 dst 192.168.244.52
 
proto esp spi 0x12345678 reqid 305419896 mode tunnel
 
replay-window 0
 
auth-trunc hmac(sha256) 0x1234567890123456789012345678901234567890123456789012345678901234 96
 
enc cbc(aes) 0x0000123456789012345678901234567890123456789012345678901234567890
 
anti-replay context: seq 0x0, oseq 0x196, bitmap 0x00000000
 
sel src 0.0.0.0/0 dst 0.0.0.0/0
 
</pre>
 
*ip xfrm policy
 
<pre>
 
 
src 10.10.52.0/24 dst 10.10.53.0/24
 
dir in priority 0
 
tmpl src 192.168.244.52 dst 192.168.244.53
 
proto esp reqid 305419896 mode tunnel
 
src 10.10.53.0/24 dst 10.10.52.0/24
 
dir out priority 0
 
tmpl src 192.168.244.53 dst 192.168.244.52
 
proto esp reqid 305419896 mode tunnel
 
</pre>
 
 
=Skript=
 
 
 
 
*/usr/local/sbin/tunnel.sh
 
<pre>
 
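#!/bin/bash
# tunnel.sh - set up a manually keyed ESP tunnel (Linux xfrm) between this host
# and a remote host. The local end is configured directly, the remote end over
# ssh with the mirror-image SAs and policies.
#
# Usage: tunnel.sh <local_ip> <remote_ip> <new_local_ip> <new_remote_ip>
#   local_ip / remote_ip          outer (tunnel endpoint) addresses
#   new_local_ip / new_remote_ip  inner addresses or prefixes carried in the tunnel
# Requires iproute2 (ip with xfrm), xxd and sudo on both hosts, plus ssh access
# to <remote_ip>. Exits 1 on missing arguments; otherwise with the status of
# the first failing command (set -e).
#
# NOTE(review): the wiki export fused the heading "Wireshark VPN entschlüsseln"
# ("decrypting the VPN in Wireshark") into the shebang line. The keys are
# printed below presumably so they can be entered into Wireshark's ESP SA
# table - confirm against the original page.
#
# Caveat: SPIs and keys are printed to stdout and handed to ip(8) on the
# command line, so they are readable by anyone who can see the terminal or
# the process list on either host while the commands run.
set -eu -o pipefail

if (( $# < 4 )); then
    echo "usage: $0 <local_ip> <remote_ip> <new_local_ip> <new_remote_ip>" >&2
    echo "creates an ipsec tunnel between two machines" >&2
    exit 1
fi

SRC=$1      # outer address of this host
DST=$2      # outer address of the remote host (also the ssh target)
LOCAL=$3    # inner address/prefix on this side
REMOTE=$4   # inner address/prefix on the remote side

# rand_hex BYTES: print BYTES bytes of /dev/urandom as one 0x-prefixed hex string.
rand_hex() {
    printf '0x%s\n' "$(head -c "$1" /dev/urandom | xxd -p -c "$1")"
}

# run_ip ARGS...: echo the ip(8) invocation (keys included, for Wireshark) and
# then execute it as root.
run_ip() {
    echo "ip $*"
    sudo ip "$@"
}

# One SPI and one key set per direction. Sharing a single SPI and key pair in
# both directions (as the original did) lets a packet reflected back to its
# sender be accepted as genuine; distinct SPIs/keys rule that out.
# SA "out": SRC -> DST; SA "in": DST -> SRC.
SPI_OUT=$(rand_hex 4)
SPI_IN=$(rand_hex 4)
AUTH_OUT=$(rand_hex 32)   # 256-bit HMAC-SHA-256 key
ENC_OUT=$(rand_hex 32)    # 256-bit AES-CBC key
AUTH_IN=$(rand_hex 32)
ENC_IN=$(rand_hex 32)
echo "SA out: spi=$SPI_OUT auth=$AUTH_OUT enc=$ENC_OUT"
echo "SA in:  spi=$SPI_IN auth=$AUTH_IN enc=$ENC_IN"

# Start from an empty SAD/SPD. This drops every SA and policy on the host -
# the same effect as the original's `setkey -c` "spdflush; flush;", without
# needing ipsec-tools.
run_ip xfrm state flush
run_ip xfrm policy flush

# replay-window 32 enables anti-replay (a manually added SA defaults to 0 =
# off). auth-trunc ... 128 uses the RFC 4868 ICV length instead of the 96 bits
# Linux applies to plain `auth sha256`; both ends are set by this script, so
# they agree.
run_ip xfrm state add src "$SRC" dst "$DST" proto esp spi "$SPI_OUT" reqid "$SPI_OUT" mode tunnel \
    replay-window 32 auth-trunc sha256 "$AUTH_OUT" 128 enc aes "$ENC_OUT"
run_ip xfrm state add src "$DST" dst "$SRC" proto esp spi "$SPI_IN" reqid "$SPI_IN" mode tunnel \
    replay-window 32 auth-trunc sha256 "$AUTH_IN" 128 enc aes "$ENC_IN"
run_ip xfrm policy add src "$LOCAL" dst "$REMOTE" dir out \
    tmpl src "$SRC" dst "$DST" proto esp reqid "$SPI_OUT" mode tunnel
run_ip xfrm policy add src "$REMOTE" dst "$LOCAL" dir in \
    tmpl src "$DST" dst "$SRC" proto esp reqid "$SPI_IN" mode tunnel

# Optional inner-address plumbing, left disabled as in the original:
#echo 5
#sudo ip addr add $LOCAL dev lo
#echo 6
#sudo ip route add $REMOTE dev eth0 src $LOCAL

# Mirror image on the remote host. The heredoc is deliberately unquoted so the
# addresses, SPIs and keys are expanded here and reach the remote shell as
# literals. Remote "out" is DST -> SRC, i.e. our "in" SA.
ssh "$DST" /bin/bash <<EOF
    set -e
    sudo ip xfrm state flush
    sudo ip xfrm policy flush
    sudo ip xfrm state add src $SRC dst $DST proto esp spi $SPI_OUT reqid $SPI_OUT mode tunnel replay-window 32 auth-trunc sha256 $AUTH_OUT 128 enc aes $ENC_OUT
    sudo ip xfrm state add src $DST dst $SRC proto esp spi $SPI_IN reqid $SPI_IN mode tunnel replay-window 32 auth-trunc sha256 $AUTH_IN 128 enc aes $ENC_IN
    sudo ip xfrm policy add src $REMOTE dst $LOCAL dir out tmpl src $DST dst $SRC proto esp reqid $SPI_IN mode tunnel
    sudo ip xfrm policy add src $LOCAL dst $REMOTE dir in tmpl src $SRC dst $DST proto esp reqid $SPI_OUT mode tunnel
#    sudo ip addr add $REMOTE dev lo
#    sudo ip route add $LOCAL dev eth0 src $REMOTE
EOF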
 
</pre>
 
 
=Links=
 
*https://gist.github.com/vishvananda/7094676
 
