Strongswan zu strongswan psk ikev1 site to site: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
(Die Seite wurde geleert.)
Markierung: Geleert
 
Zeile 1: Zeile 1:
  
 +
 +
=Config is the same on both sites=
 +
==ipsec.conf==
 +
===Erklärung===
 +
*[[ipsec.conf Erklärung]]
 +
===Datei===
 +
<pre>
 +
conn s2s
 +
    authby=secret
 +
    keyexchange=ikev1
 +
    left=10.82.227.12
 +
    leftid=10.82.227.12
 +
    leftsubnet=10.82.243.0/24
 +
    mobike=no
 +
    right=10.82.227.22
 +
    rightid=10.82.227.22
 +
    rightsubnet=10.82.244.0/24
 +
    ike=aes256-sha256-modp4096!
 +
    esp=aes256-sha256-modp4096!
 +
    auto=start
 +
</pre>
 +
 +
==ipsec.secrets==
 +
;ID Kombination mit Authentifizierungsmethodes
 +
10.82.227.12 10.82.227.22  : PSK "suxer"
 +
 +
=Handling=
 +
=Up=
 +
*ipsec up  s2s
 +
<pre>
 +
initiating Main Mode IKE_SA s2s[3] to 10.82.227.22
 +
generating ID_PROT request 0 [ SA V V V V V ]
 +
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (180 bytes)
 +
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (160 bytes)
 +
parsed ID_PROT response 0 [ SA V V V V ]
 +
received XAuth vendor ID
 +
received DPD vendor ID
 +
received FRAGMENTATION vendor ID
 +
received NAT-T (RFC 3947) vendor ID
 +
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
 +
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
 +
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (652 bytes)
 +
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (652 bytes)
 +
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
 +
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
 +
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (108 bytes)
 +
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (92 bytes)
 +
parsed ID_PROT response 0 [ ID HASH ]
 +
IKE_SA s2s[3] established between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
 +
scheduling reauthentication in 10142s
 +
maximum IKE_SA lifetime 10682s
 +
generating QUICK_MODE request 1581114031 [ HASH SA No KE ID ID ]
 +
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (716 bytes)
 +
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (716 bytes)
 +
parsed QUICK_MODE response 1581114031 [ HASH SA No KE ID ID ]
 +
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
 +
CHILD_SA s2s{3} established with SPIs c2c20b47_i c1f461d9_o and TS 10.82.243.0/24 === 10.82.244.0/24
 +
connection 's2s' established successfully
 +
</pre>
 +
 +
=Down=
 +
*ipsec down s2s
 +
<pre>
 +
closing CHILD_SA s2s{3} with SPIs c2c20b47_i (0 bytes) c1f461d9_o (0 bytes) and TS 10.82.243.0/24 === 10.82.244.0/24
 +
sending DELETE for ESP CHILD_SA with SPI c2c20b47
 +
generating INFORMATIONAL_V1 request 2875265242 [ HASH D ]
 +
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (92 bytes)
 +
deleting IKE_SA s2s[3] between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
 +
sending DELETE for IKE_SA s2s[3]
 +
generating INFORMATIONAL_V1 request 510142709 [ HASH D ]
 +
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (108 bytes)
 +
IKE_SA [3] closed successfully
 +
</pre>
 +
=Status=
 +
*ipsec status  s2s
 +
Security Associations (1 up, 0 connecting):
 +
          s2s[4]: ESTABLISHED 7 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
 +
          s2s{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cef198fc_i c4de821a_o
 +
          s2s{4}:  10.82.243.0/24 === 10.82.244.0/24
 +
=TCPDump der Verbindung=
 +
*tcpdump -ni eth0 port 500 or  esp
 +
;up
 +
<pre>
 +
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
 +
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
 +
08:37:31.702968 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 1 I ident
 +
08:37:31.707296 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 1 R ident
 +
08:37:31.764500 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 1 I ident
 +
08:37:31.888131 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 1 R ident
 +
08:37:31.945758 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 1 I ident[E]
 +
08:37:31.949075 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 1 R ident[E]
 +
08:37:32.018782 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I oakley-quick[E]
 +
08:37:32.128716 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 2/others R oakley-quick[E]
 +
08:37:32.193586 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I oakley-quick[E]
 +
</pre>
 +
down
 +
<pre>
 +
08:38:13.527180 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I inf[E]
 +
08:38:13.527950 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I inf[E]
 +
</pre>

Aktuelle Version vom 5. September 2022, 09:13 Uhr


Config is the same on both sites

ipsec.conf

Erklärung

Datei

conn s2s
     authby=secret
     keyexchange=ikev1
     left=10.82.227.12
     leftid=10.82.227.12
     leftsubnet=10.82.243.0/24
     mobike=no
     right=10.82.227.22
     rightid=10.82.227.22
     rightsubnet=10.82.244.0/24
     ike=aes256-sha256-modp4096!
     esp=aes256-sha256-modp4096!
     auto=start

ipsec.secrets

ID Kombination mit Authentifizierungsmethodes
10.82.227.12 10.82.227.22  : PSK "suxer"

Handling

Up

  • ipsec up s2s
initiating Main Mode IKE_SA s2s[3] to 10.82.227.22
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (180 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (652 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (652 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (108 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA s2s[3] established between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
scheduling reauthentication in 10142s
maximum IKE_SA lifetime 10682s
generating QUICK_MODE request 1581114031 [ HASH SA No KE ID ID ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (716 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (716 bytes)
parsed QUICK_MODE response 1581114031 [ HASH SA No KE ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ
CHILD_SA s2s{3} established with SPIs c2c20b47_i c1f461d9_o and TS 10.82.243.0/24 === 10.82.244.0/24
connection 's2s' established successfully

Down

  • ipsec down s2s
closing CHILD_SA s2s{3} with SPIs c2c20b47_i (0 bytes) c1f461d9_o (0 bytes) and TS 10.82.243.0/24 === 10.82.244.0/24
sending DELETE for ESP CHILD_SA with SPI c2c20b47
generating INFORMATIONAL_V1 request 2875265242 [ HASH D ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (92 bytes)
deleting IKE_SA s2s[3] between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
sending DELETE for IKE_SA s2s[3]
generating INFORMATIONAL_V1 request 510142709 [ HASH D ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (108 bytes)
IKE_SA [3] closed successfully

Status

  • ipsec status s2s
Security Associations (1 up, 0 connecting):
         s2s[4]: ESTABLISHED 7 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
         s2s{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cef198fc_i c4de821a_o
         s2s{4}:   10.82.243.0/24 === 10.82.244.0/24

TCPDump der Verbindung

  • tcpdump -ni eth0 port 500 or esp
up
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
08:37:31.702968 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 1 I ident
08:37:31.707296 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 1 R ident
08:37:31.764500 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 1 I ident
08:37:31.888131 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 1 R ident
08:37:31.945758 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 1 I ident[E]
08:37:31.949075 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 1 R ident[E]
08:37:32.018782 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I oakley-quick[E]
08:37:32.128716 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 2/others R oakley-quick[E]
08:37:32.193586 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I oakley-quick[E]

down 

08:38:13.527180 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I inf[E]
08:38:13.527950 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I inf[E]
Abgerufen von „http://wiki.ixheim.de/index.php?title=Strongswan_zu_strongswan_psk_ikev1_site_to_site&oldid=34535