Strongswan to strongswan: Difference between revisions

From Xinux Wiki

(13 intermediate revisions by 2 users not shown)

Previous revision (left-hand column of the diff; the right-hand column is the current revision, which is reproduced in full further down):

=net-net-ikev2-x509=

==huey==

;certs
/etc/ipsec.d/certs/huey.xinux.org.crt
/etc/ipsec.d/crls/xinux-ca.crl
/etc/ipsec.d/cacerts/xinux-ca.crt
/etc/ipsec.d/private/huey.xinux.org.key
;/etc/ipsec.conf
conn net-net
     left=%defaultroute
     leftsubnet=10.18.44.0/24
     leftcert=huey.xinux.org.crt
     right=192.168.242.249
     rightsubnet=10.4.3.0/16
     rightid="C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=franz.xinux.org, E=technik@xinux.de"
     auto=start
;/etc/ipsec.secrets
: RSA franz.xinux.org.key ""

==franz==
;certs
/etc/ipsec.d/certs/franz.xinux.org.crt
/etc/ipsec.d/cacerts/xinux-ca.crt
/etc/ipsec.d/private/franz.xinux.org.key
/etc/ipsec.d/crls/xinux-ca.crl
;/etc/ipsec.conf
conn net-net
    left=%defaultroute
    leftsubnet=10.4.3.0/16
    leftcert=franz.xinux.org.crt
    right=192.168.244.151
    rightsubnet=10.18.44.0/24
    rightid="C=de, ST=rlp, L=zweibruecken, O=xinux, OU=edv, CN=huey.xinux.org, E=technik@xinux.de"
    auto=start
;/etc/ipsec.secrets
: RSA franz.xinux.org.key ""

Current revision as of 5 September 2022, 09:00


Config is the same on both sites

ipsec.conf

Explanation

  • ipsec.conf Erklärung (link to the wiki page of that name)
File

conn s2s
     authby=secret
     keyexchange=ikev1
     left=10.82.227.12
     leftid=10.82.227.12
     leftsubnet=10.82.243.0/24
     mobike=no
     right=10.82.227.22
     rightid=10.82.227.22
     rightsubnet=10.82.244.0/24
     ike=aes256-sha256-modp4096!
     esp=aes256-sha256-modp4096!
     auto=start

ipsec.secrets

ID combination with authentication method
10.82.227.12 10.82.227.22  : PSK "suxer"
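Added example (not from the wiki page or the strongSwan project): a small Python lint that parses the conn section and the ipsec.secrets line above and reports what a defender would want flagged: the IKEv1 choice, whether a PSK line actually selects both leftid and rightid, the PSK length (the 20-character threshold is an assumed heuristic), and whether the ike/esp proposals are strict ("!"). The config text is a constructed copy of the page's values.

```python
import re

# Constructed copies of the page's ipsec.conf conn and ipsec.secrets line.
IPSEC_CONF = """conn s2s
     authby=secret
     keyexchange=ikev1
     left=10.82.227.12
     leftid=10.82.227.12
     leftsubnet=10.82.243.0/24
     right=10.82.227.22
     rightid=10.82.227.22
     rightsubnet=10.82.244.0/24
     ike=aes256-sha256-modp4096!
     esp=aes256-sha256-modp4096!
"""
IPSEC_SECRETS = '10.82.227.12 10.82.227.22  : PSK "suxer"\n'

def parse_conf(text):
    """Return {conn_name: {key: value}} for every conn section."""
    conns, cur = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("conn "):
            cur = conns.setdefault(s.split(None, 1)[1], {})
        elif cur is not None and "=" in s:
            k, v = s.split("=", 1)
            cur[k.strip()] = v.strip()
    return conns

def parse_secrets(text):
    """Return [(selector_ids, psk)] for each 'ids : PSK "..."' line."""
    pat = re.compile(r'^\s*(.*?)\s*:\s*PSK\s+"([^"]*)"')
    return [(m.group(1).split(), m.group(2))
            for m in map(pat.match, text.splitlines()) if m]

def review(conn, secrets):
    """Defender-side findings for one conn; empty list means nothing flagged."""
    findings = []
    if conn.get("keyexchange") == "ikev1":
        findings.append("keyexchange=ikev1 (legacy); prefer ikev2")
    if conn.get("authby") == "secret":
        ids = {conn.get("leftid"), conn.get("rightid")}
        psks = [p for sel, p in secrets if ids <= set(sel)]
        if not psks:
            findings.append("no PSK line selects both leftid and rightid")
        elif len(psks[0]) < 20:  # heuristic threshold, assumed here
            findings.append("short PSK; use a long random secret")
    for key in ("ike", "esp"):
        if not conn.get(key, "").endswith("!"):
            findings.append(f"{key} proposal not strict (no trailing '!')")
    return findings
```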

Handling

Up

  • ipsec up s2s
initiating Main Mode IKE_SA s2s[3] to 10.82.227.22
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (180 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (652 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (652 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (108 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA s2s[3] established between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
scheduling reauthentication in 10142s
maximum IKE_SA lifetime 10682s
generating QUICK_MODE request 1581114031 [ HASH SA No KE ID ID ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (716 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (716 bytes)
parsed QUICK_MODE response 1581114031 [ HASH SA No KE ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
CHILD_SA s2s{3} established with SPIs c2c20b47_i c1f461d9_o and TS 10.82.243.0/24 === 10.82.244.0/24
connection 's2s' established successfully
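Added example (not from the wiki page or the strongSwan project): a Python check that reads the `ipsec up` output above and confirms that what was actually negotiated matches the conn section, i.e. that the "selected proposal" lines correspond to the configured ike=/esp= strings, that the traffic selectors equal leftsubnet/rightsubnet, and that the connection came up; it also pulls out the CHILD_SA SPIs for correlation with the tcpdump capture. The algorithm name table covers only the algorithms this page uses; the log excerpt is a constructed copy of the page's lines.

```python
import re

# Constructed excerpt of the page's `ipsec up s2s` output.
UP_LOG = """\
initiating Main Mode IKE_SA s2s[3] to 10.82.227.22
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
IKE_SA s2s[3] established between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
CHILD_SA s2s{3} established with SPIs c2c20b47_i c1f461d9_o and TS 10.82.243.0/24 === 10.82.244.0/24
connection 's2s' established successfully
"""
# Log spelling of the shorthand algorithms this page uses (only these).
ALG = {"aes256": "AES_CBC_256", "sha256": "HMAC_SHA2_256_128", "modp4096": "MODP_4096"}
PRF = {"sha256": "PRF_HMAC_SHA2_256"}

def expected_tokens(proposal, kind):
    """Tokens strongSwan logs for an ike=/esp= string such as aes256-sha256-modp4096!"""
    parts = proposal.rstrip("!").split("-")
    toks = {ALG[p] for p in parts}
    if kind == "IKE":  # IKE proposals also carry a PRF derived from the hash
        toks.add(PRF[parts[1]])
    return toks

def parse_up_log(text):
    """Extract negotiated proposals, CHILD_SA SPIs and traffic selectors."""
    res = {"established": False, "selected": {}, "spis": None, "ts": None}
    for line in text.splitlines():
        m = re.match(r"selected proposal: (IKE|ESP):(\S+)", line)
        if m:
            res["selected"][m.group(1)] = set(m.group(2).split("/"))
        m = re.search(r"SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o and TS (\S+) === (\S+)", line)
        if m:
            res["spis"], res["ts"] = (m.group(1), m.group(2)), (m.group(3), m.group(4))
        res["established"] |= "established successfully" in line
    return res

def verify(log, conn):
    """Mismatches between the log and a conn dict keyed like ipsec.conf."""
    r, problems = parse_up_log(log), []
    if not r["established"]:
        problems.append("connection not established")
    for kind, key in (("IKE", "ike"), ("ESP", "esp")):
        got = r["selected"].get(kind, set()) - {"NO_EXT_SEQ"}
        if got != expected_tokens(conn[key], kind):
            problems.append(f"{kind} proposal mismatch: {sorted(got)}")
    if r["ts"] != (conn["leftsubnet"], conn["rightsubnet"]):
        problems.append(f"traffic selectors {r['ts']} differ from config")
    return problems
```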

Down

  • ipsec down s2s
closing CHILD_SA s2s{3} with SPIs c2c20b47_i (0 bytes) c1f461d9_o (0 bytes) and TS 10.82.243.0/24 === 10.82.244.0/24
sending DELETE for ESP CHILD_SA with SPI c2c20b47
generating INFORMATIONAL_V1 request 2875265242 [ HASH D ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (92 bytes)
deleting IKE_SA s2s[3] between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
sending DELETE for IKE_SA s2s[3]
generating INFORMATIONAL_V1 request 510142709 [ HASH D ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (108 bytes)
IKE_SA [3] closed successfully

Status

  • ipsec status s2s
Security Associations (1 up, 0 connecting):
         s2s[4]: ESTABLISHED 7 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
         s2s{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cef198fc_i c4de821a_o
         s2s{4}:   10.82.243.0/24 === 10.82.244.0/24

tcpdump of the connection

  • tcpdump -ni eth0 port 500 or esp
up
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
08:37:31.702968 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 1 I ident
08:37:31.707296 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 1 R ident
08:37:31.764500 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 1 I ident
08:37:31.888131 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 1 R ident
08:37:31.945758 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 1 I ident[E]
08:37:31.949075 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 1 R ident[E]
08:37:32.018782 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I oakley-quick[E]
08:37:32.128716 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 2/others R oakley-quick[E]
08:37:32.193586 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I oakley-quick[E]

down

08:38:13.527180 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I inf[E]
08:38:13.527950 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I inf[E]