Strongswan to strongswan IKEv2 site-to-site
Current version as of 5 September 2022, 09:08


The config is the same on both sites: strongSwan decides which of left/right is the local side by matching the addresses against its own interfaces, so the identical ipsec.conf can be deployed on both gateways.

ipsec.conf

Explanation

  • ipsec.conf Erklärung (separate wiki page)

File

conn s2s
     authby=secret
     keyexchange=ikev2
     left=10.82.227.12
     leftid=10.82.227.12
     leftsubnet=10.82.243.0/24
     mobike=no
     right=10.82.227.22
     rightid=10.82.227.22
     rightsubnet=10.82.244.0/24
     ike=aes256-sha256-modp4096!
     esp=aes256-sha256-modp4096!
     auto=start

The trailing "!" makes the ike= and esp= proposals strict: strongSwan offers and accepts only this exact suite, so a peer proposing a weaker one (SHA1 integrity, MODP-1536) is rejected instead of being accepted. The DH group in esp= provides PFS when the CHILD_SA is rekeyed; the first CHILD_SA is derived from the IKE_SA key exchange, which is why the ESP proposal in the log below carries no DH group. leftid/rightid are the gateway addresses, so the entries in ipsec.secrets must use the same IDs. mobike=no disables MOBIKE, which fixed-address gateways do not need.

ipsec.secrets

ID combination with authentication method
10.82.227.12 10.82.227.22  : PSK "suxer"

A PSK as short as "suxer" is only acceptable in a lab: anyone who knows it can impersonate either gateway, so use a long random secret and keep ipsec.secrets readable by root only.
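PSK hygiene for ipsec.secrets, as an added example that is not from the wiki page: it generates a random PSK, extracts and length-checks the PSK of a secrets line, and checks a whole secrets file for root-only permissions and weak entries. The 32-character minimum, the hex encoding and the use of stat for the file mode are assumptions of this example, not anything the page specifies.

```shell
#!/bin/sh
# Added example (not from the wiki page): PSK hygiene checks for /etc/ipsec.secrets.
# Assumptions: hex-encoded PSKs, a minimum length of 32 characters, GNU or BSD stat.

MIN_PSK_LEN=32

# Generate a random PSK of N bytes from /dev/urandom, hex-encoded (2*N characters).
gen_psk() {
    n=${1:-32}
    od -An -tx1 -N"$n" /dev/urandom | tr -d ' \n'
}

# Print the quoted PSK of one ipsec.secrets line, e.g.
#   10.82.227.12 10.82.227.22 : PSK "..."
# Prints nothing if the line is not a PSK entry.
psk_value() {
    printf '%s\n' "$1" | sed -n 's/^.*: *PSK *"\([^"]*\)".*$/\1/p'
}

# Return 0 if the PSK in the given line is at least MIN_PSK_LEN characters long.
psk_ok() {
    v=$(psk_value "$1")
    [ -n "$v" ] && [ "${#v}" -ge "$MIN_PSK_LEN" ]
}

# Check a secrets file: it must be mode 0600 (strongSwan reads it as root, nobody
# else needs it) and every PSK entry must pass psk_ok. Returns 1 on any finding.
check_secrets_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "600" ] || { echo "bad mode $mode on $f (want 600)"; return 1; }
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *': PSK '*|*':PSK '*) ;;   # only PSK entries are checked here
            *) continue ;;
        esac
        if ! psk_ok "$line"; then
            echo "weak PSK for IDs: ${line%%:*}"
            rc=1
        fi
    done < "$f"
    return $rc
}

# Usage: print a fresh PSK line for the two gateways on the page.
printf '10.82.227.12 10.82.227.22 : PSK "%s"\n' "$(gen_psk 32)"
```

Run check_secrets_file /etc/ipsec.secrets on both gateways after editing; a non-zero exit means the file is world-readable or still carries a short PSK.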

Handling

Up

  • ipsec up s2s
initiating IKE_SA s2s[2] to 10.82.227.22
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (720 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (728 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
authentication of '10.82.227.12' (myself) with pre-shared key
establishing CHILD_SA s2s{2}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (256 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (224 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of '10.82.227.22' with pre-shared key successful
IKE_SA s2s[2] established between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
scheduling reauthentication in 10119s
maximum IKE_SA lifetime 10659s
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA s2s{2} established with SPIs cc16cb02_i c89d755d_o and TS 10.82.243.0/24 === 10.82.244.0/24
connection 's2s' established successfully
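Checking the proposals reported in the ipsec up log against an allowlist, as an added example (not code from the page or from strongSwan): a strict proposal should make a downgrade impossible, but verifying what was actually negotiated is cheap. The sample log lines are constructed from the output above; the allowlists encode the page's ike=/esp= suite. MODP_4096 is allowed for ESP because the DH group only appears in the ESP proposal when the CHILD_SA is rekeyed.

```shell
#!/bin/sh
# Added example (not from the wiki page): check the "selected proposal" lines of an
# `ipsec up` log against an allowlist, so a weaker negotiated suite is caught.
# Assumed policy: the page's aes256-sha256-modp4096 for both IKE and ESP.

# Log lines constructed from the page's `ipsec up s2s` output.
UP_LOG="selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
establishing CHILD_SA s2s{2}
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
connection 's2s' established successfully"

IKE_ALLOW="AES_CBC_256 HMAC_SHA2_256_128 PRF_HMAC_SHA2_256 MODP_4096"
# MODP_4096 shows up in ESP only on rekey (PFS); NO_EXT_SEQ is a flag, not an algorithm.
ESP_ALLOW="AES_CBC_256 HMAC_SHA2_256_128 NO_EXT_SEQ MODP_4096"

# Print the last selected proposal for protocol $2 (IKE or ESP) found in log text $1.
selected_proposal() {
    printf '%s\n' "$1" | sed -n "s/^.*selected proposal: $2:\(.*\)$/\1/p" | tail -n 1
}

# Return 0 if every "/"-separated algorithm in proposal $1 is in allowlist $2.
proposal_allowed() {
    prop=$1
    allow=$2
    for alg in $(printf '%s\n' "$prop" | tr '/' ' '); do
        case " $allow " in
            *" $alg "*) ;;
            *) echo "not allowed: $alg"; return 1 ;;
        esac
    done
    return 0
}

# Return 0 only if the log contains both proposals and both are allowed.
check_up_log() {
    ike=$(selected_proposal "$1" IKE)
    esp=$(selected_proposal "$1" ESP)
    [ -n "$ike" ] && [ -n "$esp" ] || { echo "no proposals found in log"; return 1; }
    proposal_allowed "$ike" "$IKE_ALLOW" && proposal_allowed "$esp" "$ESP_ALLOW"
}

# Usage: feed the real log, e.g.  check_up_log "$(ipsec up s2s)"
check_up_log "$UP_LOG" && echo "proposals OK"
```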

Down

  • ipsec down s2s
deleting IKE_SA s2s[2] between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
sending DELETE for IKE_SA s2s[2]
generating INFORMATIONAL request 2 [ D ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (80 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (80 bytes)
parsed INFORMATIONAL response 2 [ ]
IKE_SA deleted
IKE_SA [2] closed successfully

Status

  • ipsec status s2s
Security Associations (1 up, 0 connecting):
         s2s[4]: ESTABLISHED 7 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
         s2s{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cef198fc_i c4de821a_o
         s2s{4}:   10.82.243.0/24 === 10.82.244.0/24

tcpdump of the connection

  • tcpdump -ni eth0 port 500 or esp
If a NAT is detected between the gateways, IKE moves to UDP 4500 and ESP is UDP-encapsulated on the same port; capture with "port 500 or port 4500 or esp" in that case.
up
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:03:46.060570 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: parent_sa ikev2_init[I]
09:03:46.173147 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: parent_sa ikev2_init[R]
09:03:46.230911 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: child_sa  ikev2_auth[I]
09:03:46.234449 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: child_sa  ikev2_auth[R]

down (the INFORMATIONAL exchange carrying the DELETE)

09:04:02.224802 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: child_sa  inf2[I]
09:04:02.228834 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: child_sa  inf2[R]

Multiple subnets

alice and tiazel

  • /etc/ipsec.conf
conn s2s
     authby=secret
     keyexchange=ikev2
     left=10.82.227.12
     leftid=10.82.227.12
     leftsubnet=10.82.243.0/24,192.168.20.0/24
     mobike=no
     right=10.82.227.22
     rightid=10.82.227.22
     rightsubnet=10.82.244.0/24
     ike=aes256-sha256-modp4096!
     esp=aes256-sha256-modp4096!
     auto=start
  • ipsec status
Security Associations (1 up, 0 connecting):
         s2s[2]: ESTABLISHED 5 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
         s2s{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cda686f1_i c7f9fce6_o
         s2s{2}:   10.82.243.0/24 192.168.20.0/24 === 10.82.244.0/24
With IKEv2 both local subnets are carried as traffic selectors of the single CHILD_SA (the TS line above); IKEv1 would need one SA per subnet pair. Since the same config is used on both sites, the peer lists the two subnets in its rightsubnet automatically.
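Checking ipsec status output for both the single-subnet status in the Status section and the multiple-subnet status above, as an added example (not code from the page): it confirms that the IKE_SA is ESTABLISHED, that a TUNNEL-mode CHILD_SA is INSTALLED and that the traffic selectors are exactly the expected subnets. The sample status texts are constructed from the page's listings; the connection name and subnets are the page's, and tunnel_up is an assumed wrapper that runs the real command.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify from `ipsec status <conn>` output that
# the tunnel is up with the expected traffic selectors. Assumed: connection name s2s.

# Constructed from the page's `ipsec status s2s` listing.
SAMPLE_UP='Security Associations (1 up, 0 connecting):
         s2s[4]: ESTABLISHED 7 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
         s2s{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cef198fc_i c4de821a_o
         s2s{4}:   10.82.243.0/24 === 10.82.244.0/24'

# Constructed from the page's multiple-subnet listing.
SAMPLE_MULTI='Security Associations (1 up, 0 connecting):
         s2s[2]: ESTABLISHED 5 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
         s2s{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cda686f1_i c7f9fce6_o
         s2s{2}:   10.82.243.0/24 192.168.20.0/24 === 10.82.244.0/24'

# Constructed: what the same command prints after `ipsec down s2s`.
SAMPLE_DOWN='Security Associations (0 up, 0 connecting):'

# Escape the dots of an address list so it can be used literally in a grep pattern.
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print the "N up" counter from the Security Associations header line.
sa_up_count() {
    printf '%s\n' "$1" | sed -n 's/^Security Associations (\([0-9]*\) up.*/\1/p'
}

# check_status STATUS_TEXT CONN LOCAL_NETS REMOTE_NETS
# Returns 0 only if CONN has an ESTABLISHED IKE_SA, an INSTALLED TUNNEL-mode CHILD_SA
# and a traffic-selector line reading exactly "LOCAL_NETS === REMOTE_NETS".
check_status() {
    status=$1
    conn=$2
    lnets=$(re_escape "$3")
    rnets=$(re_escape "$4")
    printf '%s\n' "$status" | grep -q "^ *${conn}\[[0-9]*\]: ESTABLISHED" || return 1
    printf '%s\n' "$status" | grep -q "^ *${conn}[{][0-9]*[}]: *INSTALLED, TUNNEL" || return 1
    printf '%s\n' "$status" | grep -q "^ *${conn}[{][0-9]*[}]: *${lnets} === ${rnets} *\$" || return 1
    return 0
}

# Assumed wrapper for live use: tunnel_up s2s "10.82.243.0/24" "10.82.244.0/24"
tunnel_up() {
    check_status "$(ipsec status "$1")" "$1" "$2" "$3"
}

# Usage on the constructed sample.
check_status "$SAMPLE_UP" s2s "10.82.243.0/24" "10.82.244.0/24" && echo "s2s is up"
```

A monitoring job can call tunnel_up from cron and alert on a non-zero exit; because the traffic selectors are compared exactly, a CHILD_SA that came up with a narrowed subnet set is reported as down rather than silently accepted.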

Links

  • https://www.heise.de/security/artikel/Einfacher-VPN-Tunnelbau-dank-IKEv2-270056.html