strongSwan to strongSwan IKEv2 site to site
Current version as of 5 September 2022, 09:08

Config is the same on both sites.
=ipsec.conf=
<pre>
conn s2s
    authby=secret
    keyexchange=ikev2
    left=10.82.227.12
    leftid=10.82.227.12
    leftsubnet=10.82.243.0/24
    mobike=no
    right=10.82.227.22
    rightid=10.82.227.22
    rightsubnet=10.82.244.0/24
    ike=aes256-sha256-modp4096!
    esp=aes256-sha256-modp4096!
    auto=start
</pre>
=ipsec.secrets=
*ID combination with authentication method
<pre>
10.82.227.12 10.82.227.22 : PSK "suxer"
</pre>
=Handling=
==Up==
*ipsec up s2s
<pre>
initiating IKE_SA s2s[2] to 10.82.227.22
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (720 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (728 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
authentication of '10.82.227.12' (myself) with pre-shared key
establishing CHILD_SA s2s{2}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (256 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (224 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of '10.82.227.22' with pre-shared key successful
IKE_SA s2s[2] established between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
scheduling reauthentication in 10119s
maximum IKE_SA lifetime 10659s
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA s2s{2} established with SPIs cc16cb02_i c89d755d_o and TS 10.82.243.0/24 === 10.82.244.0/24
connection 's2s' established successfully
</pre>
==Down==
*ipsec down s2s
<pre>
deleting IKE_SA s2s[2] between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
sending DELETE for IKE_SA s2s[2]
generating INFORMATIONAL request 2 [ D ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (80 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (80 bytes)
parsed INFORMATIONAL response 2 [ ]
IKE_SA deleted
IKE_SA [2] closed successfully
</pre>
=Status=
*ipsec status s2s
<pre>
Security Associations (1 up, 0 connecting):
s2s[4]: ESTABLISHED 7 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
s2s{4}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cef198fc_i c4de821a_o
s2s{4}: 10.82.243.0/24 === 10.82.244.0/24
</pre>
=TCPDump of the connection=
*tcpdump -ni eth0 port 500 or esp
*up
<pre>
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:03:46.060570 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: parent_sa ikev2_init[I]
09:03:46.173147 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: parent_sa ikev2_init[R]
09:03:46.230911 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: child_sa ikev2_auth[I]
09:03:46.234449 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: child_sa ikev2_auth[R]
</pre>
*down
<pre>
09:04:02.224802 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: child_sa inf2[I]
09:04:02.228834 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: child_sa inf2[R]
</pre>
=Multiple subnets=
alice and tiazel
*/etc/ipsec.conf
<pre>
conn s2s
    authby=secret
    keyexchange=ikev2
    left=10.82.227.12
    leftid=10.82.227.12
    leftsubnet=10.82.243.0/24,192.168.20.0/24
    mobike=no
    right=10.82.227.22
    rightid=10.82.227.22
    rightsubnet=10.82.244.0/24
    ike=aes256-sha256-modp4096!
    esp=aes256-sha256-modp4096!
    auto=start
</pre>
*ipsec status
<pre>
Security Associations (1 up, 0 connecting):
s2s[2]: ESTABLISHED 5 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
s2s{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cda686f1_i c7f9fce6_o
s2s{2}: 10.82.243.0/24 192.168.20.0/24 === 10.82.244.0/24
</pre>
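Two checks worth running against the output shown in the Up log and in the status output above, as an added example that is not part of this wiki page or of strongSwan: the negotiated IKE/ESP algorithms must be exactly what the strict (`!`) `ike=`/`esp=` lines allow, and the installed traffic selectors must equal the configured subnets. The constants `IPSEC_CONF`, `UP_LOG` and `STATUS` are the page's own config and output pasted in as constructed test input; `LOG_NAME`, `check_proposals` and `check_selectors` are names chosen here, and `LOG_NAME` covers only the algorithms this page uses.

```python
import re
# Constructed test input: the page's multi-subnet ipsec.conf, the two
# "selected proposal" lines of its `ipsec up s2s` log and its `ipsec status`.
IPSEC_CONF = """\
conn s2s
    leftsubnet=10.82.243.0/24,192.168.20.0/24
    rightsubnet=10.82.244.0/24
    ike=aes256-sha256-modp4096!
    esp=aes256-sha256-modp4096!
"""
UP_LOG = """\
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""
STATUS = """\
s2s[2]: ESTABLISHED 5 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
s2s{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cda686f1_i c7f9fce6_o
s2s{2}: 10.82.243.0/24 192.168.20.0/24 === 10.82.244.0/24
"""
# ipsec.conf keyword -> name charon prints in "selected proposal" (this page's algorithms only)
LOG_NAME = {"aes256": "AES_CBC_256", "sha256": "HMAC_SHA2_256_128", "modp4096": "MODP_4096"}

def parse_conn(conf):
    """key=value settings of the conn block as a dict."""
    return dict(re.findall(r"^\s*(\w+)=(\S+)", conf, re.M))

def check_proposals(conf, log):
    """Per protocol: True if the negotiated algorithms are exactly those the strict
    ike=/esp= line allows. PRF_* (derived from the integrity algorithm) and NO_EXT_SEQ
    (ESN off) are implied; the DH group of esp= is only used when the CHILD_SA is
    rekeyed, not in the IKE_AUTH exchange, so it is not expected in the ESP line."""
    conn, ok = parse_conn(conf), {}
    for proto, key in (("IKE", "ike"), ("ESP", "esp")):
        algs = re.search(rf"selected proposal: {proto}:(\S+)", log).group(1)
        got = {t for t in algs.split("/") if not t.startswith("PRF_") and t != "NO_EXT_SEQ"}
        want = {LOG_NAME[a] for a in conn[key].rstrip("!").split("-")}
        if proto == "ESP":
            want = {n for n in want if not n.startswith("MODP_")}
        ok[proto] = got == want
    return ok

def check_selectors(conf, status):
    """True if the installed CHILD_SA traffic selectors equal the configured
    leftsubnet/rightsubnet sets: every subnet reached the kernel policy, nothing extra."""
    conn = parse_conn(conf)
    m = re.search(r"\{\d+\}:\s+([\d./ ]+?)\s+===\s+([\d./ ]+)$", status, re.M)
    left, right = (set(m.group(i).split()) for i in (1, 2))
    return left == set(conn["leftsubnet"].split(",")) and right == set(conn["rightsubnet"].split(","))

if __name__ == "__main__":
    print(check_proposals(IPSEC_CONF, UP_LOG), check_selectors(IPSEC_CONF, STATUS))
```

Feed it the real `ipsec.conf`, the charon log and `ipsec status` from a host instead of the constants to confirm the tunnel came up with the intended algorithms and subnets.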