IP Utils Esp: Unterschied zwischen den Versionen
Thomas (Diskussion | Beiträge) (→nogger) |
Thomas (Diskussion | Beiträge) |
||
| Zeile 40: | Zeile 40: | ||
==Kontrolle== | ==Kontrolle== | ||
*ip xfrm state | *ip xfrm state | ||
| + | <pre> | ||
src 192.168.244.52 dst 192.168.244.53 | src 192.168.244.52 dst 192.168.244.53 | ||
| − | + | proto esp spi 0x12345678 reqid 305419896 mode tunnel | |
replay-window 0 | replay-window 0 | ||
auth-trunc hmac(sha256) 0x1234567890123456789012345678901234567890123456789012345678901234 96 | auth-trunc hmac(sha256) 0x1234567890123456789012345678901234567890123456789012345678901234 96 | ||
| Zeile 54: | Zeile 55: | ||
anti-replay context: seq 0x0, oseq 0x196, bitmap 0x00000000 | anti-replay context: seq 0x0, oseq 0x196, bitmap 0x00000000 | ||
sel src 0.0.0.0/0 dst 0.0.0.0/0 | sel src 0.0.0.0/0 dst 0.0.0.0/0 | ||
| + | </pre> | ||
| + | *ip xfrm policy | ||
| + | <pre> | ||
| − | |||
src 10.10.52.0/24 dst 10.10.53.0/24 | src 10.10.52.0/24 dst 10.10.53.0/24 | ||
dir in priority 0 | dir in priority 0 | ||
| Zeile 64: | Zeile 67: | ||
tmpl src 192.168.244.53 dst 192.168.244.52 | tmpl src 192.168.244.53 dst 192.168.244.52 | ||
proto esp reqid 305419896 mode tunnel | proto esp reqid 305419896 mode tunnel | ||
| + | </pre> | ||
=Skript= | =Skript= | ||
Version vom 10. Oktober 2016, 11:14 Uhr
Prinzip
tic
# tic: install the manually keyed ESP tunnel towards nogger.
# From the addresses used in this listing, tic is 192.168.244.53 with
# 10.10.53.0/24 behind it and nogger is 192.168.244.52 with 10.10.52.0/24
# (assumed from the listing - confirm against the hosts). SPI, reqid and both
# keys are the page's fixed demo values; an actual deployment needs fresh
# random keys, ideally distinct per direction (see tunnel.sh below).
tic_ip=192.168.244.53
nogger_ip=192.168.244.52
tic_net=10.10.53.0/24
nogger_net=10.10.52.0/24
spi=0x12345678
reqid=0x12345678
auth_key=0x1234567890123456789012345678901234567890123456789012345678901234
enc_key=0x0000123456789012345678901234567890123456789012345678901234567890

# One SA per direction; the page uses the same SPI and keys both ways.
ip xfrm state flush
ip xfrm state add src "$tic_ip" dst "$nogger_ip" proto esp spi "$spi" reqid "$reqid" mode tunnel \
  auth sha256 "$auth_key" enc aes "$enc_key"
ip xfrm state add src "$nogger_ip" dst "$tic_ip" proto esp spi "$spi" reqid "$reqid" mode tunnel \
  auth sha256 "$auth_key" enc aes "$enc_key"

# Policies: tic's own prefix is the source of outbound and the destination of
# inbound traffic; the tmpl reqid ties each policy to the SAs above.
ip xfrm policy flush
ip xfrm policy add src "$tic_net" dst "$nogger_net" dir out \
  tmpl src "$tic_ip" dst "$nogger_ip" proto esp reqid "$reqid" mode tunnel
ip xfrm policy add src "$nogger_net" dst "$tic_net" dir in \
  tmpl src "$nogger_ip" dst "$tic_ip" proto esp reqid "$reqid" mode tunnel
nogger
# nogger: install the same two SAs as on tic, plus nogger's policies.
# Addresses as in the tic listing: tic 192.168.244.53 / 10.10.53.0/24,
# nogger 192.168.244.52 / 10.10.52.0/24 (assumed from the listing - confirm).
# SPI, reqid and keys are the page's fixed demo values, not real secrets.
tic_ip=192.168.244.53
nogger_ip=192.168.244.52
tic_net=10.10.53.0/24
nogger_net=10.10.52.0/24
spi=0x12345678
reqid=0x12345678
auth_key=0x1234567890123456789012345678901234567890123456789012345678901234
enc_key=0x0000123456789012345678901234567890123456789012345678901234567890

# SAs are identical on both hosts: same SPI and keys in both directions.
ip xfrm state flush
ip xfrm state add src "$tic_ip" dst "$nogger_ip" proto esp spi "$spi" reqid "$reqid" mode tunnel \
  auth sha256 "$auth_key" enc aes "$enc_key"
ip xfrm state add src "$nogger_ip" dst "$tic_ip" proto esp spi "$spi" reqid "$reqid" mode tunnel \
  auth sha256 "$auth_key" enc aes "$enc_key"

# NOTE(review): these policies are not the mirror image of tic's. The "dir out"
# selector is src 10.10.53.0/24 dst 10.10.52.0/24 while its tmpl is
# nogger -> tic, and "dir in" is the reverse. tic's listing (and the remote
# side of tunnel.sh below) pair the host's own prefix with "out"; confirm which
# inner prefix nogger actually owns before relying on this. Reproduced as on
# the page.
ip xfrm policy flush
ip xfrm policy add src "$tic_net" dst "$nogger_net" dir out \
  tmpl src "$nogger_ip" dst "$tic_ip" proto esp reqid "$reqid" mode tunnel
ip xfrm policy add src "$nogger_net" dst "$tic_net" dir in \
  tmpl src "$tic_ip" dst "$nogger_ip" proto esp reqid "$reqid" mode tunnel
Kontrolle
- ip xfrm state
src 192.168.244.52 dst 192.168.244.53 proto esp spi 0x12345678 reqid 305419896 mode tunnel replay-window 0 auth-trunc hmac(sha256) 0x1234567890123456789012345678901234567890123456789012345678901234 96 enc cbc(aes) 0x0000123456789012345678901234567890123456789012345678901234567890 anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 sel src 0.0.0.0/0 dst 0.0.0.0/0 src 192.168.244.53 dst 192.168.244.52 proto esp spi 0x12345678 reqid 305419896 mode tunnel replay-window 0 auth-trunc hmac(sha256) 0x1234567890123456789012345678901234567890123456789012345678901234 96 enc cbc(aes) 0x0000123456789012345678901234567890123456789012345678901234567890 anti-replay context: seq 0x0, oseq 0x196, bitmap 0x00000000 sel src 0.0.0.0/0 dst 0.0.0.0/0
- ip xfrm policy
src 10.10.52.0/24 dst 10.10.53.0/24 dir in priority 0 tmpl src 192.168.244.52 dst 192.168.244.53 proto esp reqid 305419896 mode tunnel src 10.10.53.0/24 dst 10.10.52.0/24 dir out priority 0 tmpl src 192.168.244.53 dst 192.168.244.52 proto esp reqid 305419896 mode tunnel
Skript
- /usr/local/sbin/tunnel.sh
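#!/bin/bash
#
# tunnel.sh - bring up a manually keyed ESP tunnel (mode tunnel, hmac(sha256)
# + cbc(aes)) between this host and a peer: the SAs and policies are
# installed locally with `ip xfrm` and on the peer through ssh.
#
# Usage: tunnel.sh <local_ip> <remote_ip> <new_local_ip> <new_remote_ip>
#   local_ip / remote_ip          outer addresses (SA endpoints) of this host
#                                 and of the peer; the peer is reached with
#                                 `ssh remote_ip`
#   new_local_ip / new_remote_ip  inner addresses or prefixes selected into
#                                 the tunnel by the policies
#
# Requires sudo rights for `ip` on both hosts. Every existing xfrm state and
# policy on both hosts is flushed first (as the previous setkey call did).
# SPIs and keys are fresh random values and are printed on stdout so they can
# be used out of band (e.g. to decrypt a capture) - treat that output as
# secret. The `ip` commands are fed in batch mode on stdin rather than on the
# command line so the keys do not appear in the process list.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

usage() {
  printf 'usage: %s <local_ip> <remote_ip> <new_local_ip> <new_remote_ip>\n' "$0" >&2
  printf 'creates an ipsec tunnel between two machines\n' >&2
  exit 1
}

# rand_hex BYTES: print BYTES random bytes as "0x<hex>". Fails (instead of
# silently yielding a short value) when /dev/urandom or od cannot deliver.
rand_hex() {
  local hex
  hex=$(od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n')
  [[ ${#hex} -eq $(( 2 * $1 )) ]] || die "short read from /dev/urandom"
  printf '0x%s' "$hex"
}

# flush_lines: batch lines that drop every policy and SA on the host.
flush_lines() {
  printf 'xfrm policy flush\nxfrm state flush\n'
}

# state_lines: batch lines for the two SAs; identical on both hosts.
state_lines() {
  printf 'xfrm state add src %s dst %s proto esp spi %s reqid %s mode tunnel auth sha256 %s enc aes %s\n' \
    "$SRC" "$DST" "$SPI_OUT" "$REQID" "$AUTH_OUT" "$ENC_OUT"
  printf 'xfrm state add src %s dst %s proto esp spi %s reqid %s mode tunnel auth sha256 %s enc aes %s\n' \
    "$DST" "$SRC" "$SPI_IN" "$REQID" "$AUTH_IN" "$ENC_IN"
}

# policy_lines MY_NET PEER_NET MY_IP PEER_IP: out/in policy batch lines for
# the host whose own side is (MY_NET, MY_IP).
policy_lines() {
  printf 'xfrm policy add src %s dst %s dir out tmpl src %s dst %s proto esp reqid %s mode tunnel\n' \
    "$1" "$2" "$3" "$4" "$REQID"
  printf 'xfrm policy add src %s dst %s dir in tmpl src %s dst %s proto esp reqid %s mode tunnel\n' \
    "$2" "$1" "$4" "$3" "$REQID"
}

(( $# == 4 )) || usage
SRC=$1 DST=$2 LOCAL=$3 REMOTE=$4
[[ -n $SRC && -n $DST && -n $LOCAL && -n $REMOTE ]] || usage
readonly SRC DST LOCAL REMOTE

# One SPI and key set per direction: reusing the same keys both ways would let
# a captured ESP packet be fed back to its sender as valid traffic.
REQID=$(rand_hex 4)
SPI_OUT=$(rand_hex 4)
SPI_IN=$(rand_hex 4)
AUTH_OUT=$(rand_hex 32)   # 256-bit hmac(sha256) key
ENC_OUT=$(rand_hex 32)    # 256-bit aes key
AUTH_IN=$(rand_hex 32)
ENC_IN=$(rand_hex 32)
readonly REQID SPI_OUT SPI_IN AUTH_OUT ENC_OUT AUTH_IN ENC_IN

for v in REQID SPI_OUT AUTH_OUT ENC_OUT SPI_IN AUTH_IN ENC_IN; do
  printf '%s = %s\n' "$v" "${!v}"
done

local_batch=$(flush_lines; state_lines; policy_lines "$LOCAL" "$REMOTE" "$SRC" "$DST")
remote_batch=$(flush_lines; state_lines; policy_lines "$REMOTE" "$LOCAL" "$DST" "$SRC")

# Local side: show what is applied, then apply it in one batch (ip stops at
# the first failing line and returns non-zero, which aborts the script).
printf '%s\n' "$local_batch"
sudo ip -batch - <<<"$local_batch"
# Optional, not enabled:
#   sudo ip addr add "$LOCAL" dev lo
#   sudo ip route add "$REMOTE" dev eth0 src "$LOCAL"

# Peer side: the batch text is expanded here and shipped over ssh as a quoted
# here-document, so the peer applies it verbatim.
ssh -- "$DST" /bin/bash <<EOF
set -e
sudo ip -batch - <<'XFRM'
$remote_batch
XFRM
# Optional, not enabled:
#   sudo ip addr add $REMOTE dev lo
#   sudo ip route add $LOCAL dev eth0 src $REMOTE
EOF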