IPsec Manual Keying: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
Thomas (Diskussion | Beiträge) |
|||
| Zeile 28: | Zeile 28: | ||
</pre> | </pre> | ||
*Auf der Gegenseite muss die selbe Datei erstellt werden, lediglich die IP-Addressen müssen vertauscht werden | *Auf der Gegenseite muss die selbe Datei erstellt werden, lediglich die IP-Addressen müssen vertauscht werden | ||
| + | |||
| + | ==Starten== | ||
| + | *chmod + x /usr/local/sbin/tunnel.sh | ||
| + | *./ /usr/local/sbin/tunnel.sh | ||
| + | |||
| + | ==Überprüfung des Tunnels== | ||
| + | *setkey -D | ||
| + | |||
| + | <pre> | ||
| + | 192.168.242.1 192.168.244.2 | ||
| + | esp mode=tunnel spi=24501(0x00005fb5) reqid=0(0x00000000) | ||
| + | E: 3des-cbc 31323334 35363738 39303132 31323334 35363738 39303132 | ||
| + | A: hmac-sha1 74686973 20697320 74686520 74657374 206b6579 | ||
| + | seq=0x00000000 replay=0 flags=0x00000000 state=mature | ||
| + | created: Oct 5 09:31:55 2016 current: Oct 5 09:32:01 2016 | ||
| + | diff: 6(s) hard: 0(s) soft: 0(s) | ||
| + | last: hard: 0(s) soft: 0(s) | ||
| + | current: 0(bytes) hard: 0(bytes) soft: 0(bytes) | ||
| + | allocated: 0 hard: 0 soft: 0 | ||
| + | sadb_seq=1 pid=15756 refcnt=0 | ||
| + | 192.168.244.2 192.168.242.1 | ||
| + | esp mode=tunnel spi=15701(0x00003d55) reqid=0(0x00000000) | ||
| + | E: 3des-cbc 31323334 35363738 39303132 31323334 35363738 39303132 | ||
| + | A: hmac-sha1 74686973 20697320 74686520 74657374 206b6579 | ||
| + | seq=0x00000000 replay=0 flags=0x00000000 state=mature | ||
| + | created: Oct 5 09:31:55 2016 current: Oct 5 09:32:01 2016 | ||
| + | diff: 6(s) hard: 0(s) soft: 0(s) | ||
| + | last: hard: 0(s) soft: 0(s) | ||
| + | current: 0(bytes) hard: 0(bytes) soft: 0(bytes) | ||
| + | allocated: 0 hard: 0 soft: 0 | ||
| + | sadb_seq=0 pid=15756 refcnt=0 | ||
| + | </pre> | ||
=Alternative= | =Alternative= | ||
Version vom 5. Oktober 2016, 07:32 Uhr
Installation/Vorraussetzungen
Für diese Art der Verbindung wird das Programm "setkey" benötigt, dass im Paket "ipsec-tools" vorhanden ist
- apt-get install ipsec-tools
Konfigurationsdatei erstellen
- In einem beliebigen Verzeichnis eine Datei mit folgendem Inhalt erstellen
#!/usr/sbin/setkey -f
flush;
spdflush;
# ESP
add 192.168.244.2 192.168.242.1 esp 15701 -m tunnel
-E 3des-cbc "123456789012123456789012"
-A hmac-sha1 "this is the test key";
add 192.168.242.1 192.168.244.2 esp 24501 -m tunnel
-E 3des-cbc "123456789012123456789012"
-A hmac-sha1 "this is the test key";
spdadd 10.88.88.0/24 10.44.44.0/24 any -P out ipsec
esp/tunnel/192.168.242.1-192.168.244.2/require;
spdadd 10.44.44.0/24 10.88.88.0/24 any -P in ipsec
esp/tunnel/192.168.244.2-192.168.242.1/require;
- Auf der Gegenseite muss die selbe Datei erstellt werden, lediglich die IP-Addressen müssen vertauscht werden
Starten
- chmod + x /usr/local/sbin/tunnel.sh
- ./ /usr/local/sbin/tunnel.sh
Überprüfung des Tunnels
- setkey -D
192.168.242.1 192.168.244.2 esp mode=tunnel spi=24501(0x00005fb5) reqid=0(0x00000000) E: 3des-cbc 31323334 35363738 39303132 31323334 35363738 39303132 A: hmac-sha1 74686973 20697320 74686520 74657374 206b6579 seq=0x00000000 replay=0 flags=0x00000000 state=mature created: Oct 5 09:31:55 2016 current: Oct 5 09:32:01 2016 diff: 6(s) hard: 0(s) soft: 0(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 sadb_seq=1 pid=15756 refcnt=0 192.168.244.2 192.168.242.1 esp mode=tunnel spi=15701(0x00003d55) reqid=0(0x00000000) E: 3des-cbc 31323334 35363738 39303132 31323334 35363738 39303132 A: hmac-sha1 74686973 20697320 74686520 74657374 206b6579 seq=0x00000000 replay=0 flags=0x00000000 state=mature created: Oct 5 09:31:55 2016 current: Oct 5 09:32:01 2016 diff: 6(s) hard: 0(s) soft: 0(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 sadb_seq=0 pid=15756 refcnt=0
Alternative
- /usr/local/sbin/tunnel.sh
#!/bin/bash
if [ "$4" == "" ]; then
echo "usage: $0 <local_ip> <remote_ip> <new_local_ip> <new_remote_ip>"
echo "creates an ipsec tunnel between two machines"
exit 1
fi
SRC="$1"; shift
DST="$1"; shift
LOCAL="$1"; shift
REMOTE="$1"; shift
KEY1=0x`dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64`
KEY2=0x`dd if=/dev/urandom count=32 bs=1 2> /dev/null| xxd -p -c 64`
echo KEY1 = $KEY1
echo KEY2 = $KEY2
ID=0x`dd if=/dev/urandom count=4 bs=1 2> /dev/null| xxd -p -c 8`
echo "spdflush; flush;" | sudo setkey -c
echo ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
sudo ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
echo ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
sudo ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
echo ip xfrm policy add src $LOCAL dst $REMOTE dir out tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel
sudo ip xfrm policy add src $LOCAL dst $REMOTE dir out tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel
echo ip xfrm policy add src $REMOTE dst $LOCAL dir in tmpl src $DST dst $SRC proto esp reqid $ID mode tunnel
sudo ip xfrm policy add src $REMOTE dst $LOCAL dir in tmpl src $DST dst $SRC proto esp reqid $ID mode tunnel
#echo 5
#sudo ip addr add $LOCAL dev lo
#echo 6
#sudo ip route add $REMOTE dev eth0 src $LOCAL
ssh $DST /bin/bash << EOF
echo "spdflush; flush;" | sudo setkey -c
sudo ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
sudo ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode tunnel auth sha256 $KEY1 enc aes $KEY2
sudo ip xfrm policy add src $REMOTE dst $LOCAL dir out tmpl src $DST dst $SRC proto esp reqid $ID mode tunnel
sudo ip xfrm policy add src $LOCAL dst $REMOTE dir in tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel
# sudo ip addr add $REMOTE dev lo
# sudo ip route add $LOCAL dev eth0 src $REMOTE
EOF