From: Denis Romanof <denis.romanof@gmail.com.>
Newsgroups: email
Date: Mon, 1 Jun 2008 14:31:37 +0000 (UTC)
Subject: Настройка IPSEC VPN между Linux и Cisco
Настройка IPSEC VPN между linux-2.6.25 (racoon) и Cisco 871 (IOS 12.4)
Для проверки и настройки собрана тестовая среда:
Примечания.
* Права на /etc/racoon/psk.txt - 0600, иначе его racoon не читает.
* Ядро собрано с поддержкой IPV6, иначе racoon не работает.
* На каждом файрволе нужно описать правило: «если пакет отправляется в сеть соседа по IPSEC VPN, то его не натить».
* Далее используются сокращения: ЛИНУКС_ВНЕШ - внешний IP linux машины,
ЦИСКА_ВНЕШ - внешний IP cisco
* Версии: ipsec-tools 0.7, linux-2.6.25, IOS 12.4, gentoo-linux
Конфигурация Cisco
!
! Global settings for the Cisco 871 end of the site-to-site tunnel.
! Lines beginning with "!" are comments and are ignored by IOS.
version 12.4
service nagle
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
! Type-7 "password-encryption" only obfuscates passwords in the config;
! it is trivially reversible and does not cover the ISAKMP key below.
service password-encryption
service sequence-numbers
!
hostname A98
!
boot-start-marker
boot-end-marker
!
logging buffered 1048576 debugging
no logging console
!
aaa new-model
!
!
! Login, PPP and authorization all use the local user database
! ("username ..." below); no TACACS+/RADIUS server appears in this config.
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
!
resource policy
!
clock timezone MST 3
clock summer-time MST recurring last Sun Mar 3:00 last Sun Oct 3:00
ip subnet-zero
ip cef
! Only 192.168.98.101 is left unexcluded; no "ip dhcp pool" appears in this
! listing, so the exclusions presumably belong to a pool defined elsewhere.
ip dhcp excluded-address 192.168.98.1 192.168.98.100
ip dhcp excluded-address 192.168.98.102 192.168.98.255
!
no ip domain lookup
ip domain name kazan-apteki.ru
ip name-server ДНС_ПРОВАЙДЕРА_1
ip name-server ДНС_ПРОВАЙДЕРА_2
!
no spanning-tree vlan 1
! Single privilege-15 account used by console, vty and PPP authentication.
! "secret" stores a hash rather than a type-7 string; see the vty section
! for where this account is reachable from.
username root privilege 15 secret ЭТО_ПАРОЛЬ_РУТА_ЦИСКИ
! --- IKE phase 1 (ISAKMP) ---
! Must match the "remote" proposal in racoon.conf: 3DES, SHA-1 (the IOS
! default hash), pre-shared key, DH group 2.  3DES and group 2 are legacy
! choices kept for compatibility with the Linux side; prefer AES and DH
! group 14 or higher where both peers support them.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
! Pre-shared key for the Linux peer, selected by the peer's address.
! It is kept in clear text in the running config unless AES key encryption
! ("key config-key password-encryption" / "password encryption aes") is
! set up, so treat "show run" output as sensitive.  The value must match
! /etc/ipsec/psk.txt on the Linux side byte for byte.
crypto isakmp key VerYsEcretKey address ЛИНУКС_ВНЕШ
! Dead Peer Detection with a 3600 s interval (on-demand unless "periodic"
! is added -- verify which mode is wanted).
crypto isakmp keepalive 3600
!
!
! --- IPsec phase 2 ---
! ESP with 3DES + HMAC-SHA1; must match the "sainfo" block in racoon.conf.
! No compression transform is present, so racoon's "compression_algorithm
! deflate" is not expected to be negotiated.
crypto ipsec transform-set MyTransformSet esp-3des esp-sha-hmac
!
! Crypto map applied on Dialer1.  "set pfs group2" pairs with racoon's
! "pfs_group 2".  my_lan_acl selects the traffic to encrypt; note its
! destination is "any" (see the ACL section).
crypto map MyMap 10 ipsec-isakmp
set peer ЛИНУКС_ВНЕШ
set transform-set MyTransformSet
set pfs group2
match address my_lan_acl
!
interface FastEthernet0
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
! WAN port running the PPPoE client; the IP address and the crypto map
! live on Dialer1.  The EXT ACL is applied here as well as on Dialer1.
interface FastEthernet4
no ip address
ip access-group EXT in
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
! LAN side (192.168.98.0/24), NAT inside.  adjust-mss 1400 keeps TCP
! segments below the PPPoE MTU (1492) once ESP/tunnel overhead is added.
interface Vlan1
ip address 192.168.98.100 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1400
! PPPoE dialer.  The Linux side hard-codes this router's public address
! (ЦИСКА_ВНЕШ) in setkey and racoon, so the ISP must hand out a fixed
! address even though it is "negotiated" here.
interface Dialer1
ip address negotiated
ip access-group EXT in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
load-interval 30
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
! ISP PPPoE credentials (placeholders in this listing).
ppp chap hostname ЭТО_ЛОГИН
ppp chap password ЭТО_ПАРОЛЬ
ppp pap sent-username ЭТО_ЛОГИН password ЭТО_ПАРОЛЬ
! The IPsec tunnel to the Linux peer terminates on this interface.
crypto map MyMap
!
ip classless
! Default route over the PPPoE session.  The LAN behind the Linux peer
! (192.168.99.0/24) is routed out Dialer1 towards the peer's public address
! so the crypto map on Dialer1 can pick it up and encrypt it.
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.99.0 255.255.255.0 Dialer1 ЛИНУКС_ВНЕШ
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! PAT for the LAN.  The NAT ACL exempts LAN<->remote-LAN traffic so that
! packets for 192.168.99.0/24 keep their private source and still match
! the crypto ACL (on IOS, inside->outside NAT runs before the crypto map).
ip nat inside source list NAT interface Dialer1 overload
!
! Inbound filter on the WAN; implicit "deny ip any any" at the end.
! NOTE(review): "permit udp any eq domain any gt 1023" admits any packet
! with source port 53 to every UDP port above 1023 -- restrict it to the
! two configured name servers if possible.  The last three lines overlap:
! "permit ip host ЛИНУКС_ВНЕШ any" already covers ESP and UDP (IKE on 500)
! from the peer.
ip access-list extended EXT
permit tcp any any established
permit udp any eq domain any gt 1023
permit udp any eq ntp any eq ntp
permit icmp any any
permit ip host ЛИНУКС_ВНЕШ any
permit esp host ЛИНУКС_ВНЕШ any
permit udp host ЛИНУКС_ВНЕШ any
! What gets translated: everything from the LAN except traffic between the
! two VPN LANs.  The first deny (source 192.168.99.0/24) cannot match an
! inside->outside translation from this LAN and is harmless.
ip access-list extended NAT
deny ip 192.168.99.0 0.0.0.255 192.168.98.0 0.0.0.255
deny ip 192.168.98.0 0.0.0.255 192.168.99.0 0.0.0.255
permit ip 192.168.98.0 0.0.0.255 any
! Crypto ACL (what to encrypt).  The "any" destination mirrors the Linux SPD
! ("spdadd 0.0.0.0/0 192.168.98.0/24").  Presumably it works because NAT
! runs first and only un-translated traffic (to 192.168.99.0/24) still has a
! 192.168.98.x source when the map is evaluated; a destination of
! "192.168.99.0 0.0.0.255" would make that intent explicit.
ip access-list extended my_lan_acl
permit ip 192.168.98.0 0.0.0.255 any
!
! access-list 122 is not referenced anywhere in this listing.
access-list 122 permit ip 192.168.98.0 0.0.0.255 any
access-list 122 permit ip 192.168.99.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
! Exec shortcuts used by the author; purely cosmetic.
alias exec sib show ip interface brief
alias exec sir show ip route
alias exec sr show running-config
alias exec srb show running-config | begin
alias exec sl show logging
alias exec c configure terminal
alias exec sia show ip access-list
alias exec cl clear logging
alias exec cc clear counters
alias exec tm terminal monitor
alias exec sp show pppoe session
alias exec si show ip inspect all
alias exec sf show flash
alias exec cac clear access-list counters
!
line con 0
logging synchronous
no modem enable
transport output all
line aux 0
transport output all
! NOTE(review): "access-class 23 in" names a standard ACL that is not
! defined anywhere in this listing; an undefined access-class applies no
! filtering on IOS (verify on the device), and "transport input all" admits
! telnet (plus SSH if keys exist) from any source, with the privilege-15
! "root" account behind it.  Define access-list 23 (e.g. only 192.168.98.0/24
! and the Linux peer) and prefer "transport input ssh".
line vty 0 4
access-class 23 in
exec-timeout 120 0
privilege level 15
logging synchronous
transport input all
transport output all
!
scheduler max-task-time 5000
! "ntp clock-period" is maintained by IOS itself; do not hand-edit it.
ntp clock-period 17175059
! Single unauthenticated upstream NTP server.
ntp server 192.5.41.209
end
Конфигурация Linux
Файл /etc/ipsec/ipsec.conf
#!/usr/sbin/setkey -f
# Flush SAD and SPD
flush;
spdflush;
# Remote Office {192.168.98.0/24} - Main Office VPN {192.168.99.0/24}
# Outbound: anything destined for the remote LAN must go through the ESP
# tunnel to the Cisco ("require" = never send it in clear).  The 0.0.0.0/0
# source mirrors the "any" destination of my_lan_acl on the Cisco.
spdadd 0.0.0.0/0 192.168.98.0/24 any -P out ipsec
esp/tunnel/ЛИНУКС_ВНЕШ-ЦИСКА_ВНЕШ/require;
# Inbound: packets claiming a 192.168.98.x source are accepted only if they
# arrived inside the tunnel, so a cleartext packet spoofing that source is
# dropped.
spdadd 192.168.98.0/24 0.0.0.0/0 any -P in ipsec
esp/tunnel/ЦИСКА_ВНЕШ-ЛИНУКС_ВНЕШ/require;
# Both endpoint addresses are hard-coded here, so ЦИСКА_ВНЕШ must stay fixed
# even though the Cisco obtains it via "ip address negotiated".
Файл /etc/ipsec/racoon.conf
# Search path for "include" and the pre-shared key file.  Per the note at
# the top of the article racoon refuses to read the PSK file unless it is
# mode 0600; the article names /etc/racoon/psk.txt but this config reads
# /etc/ipsec/psk.txt -- the permission requirement applies to the path
# configured here.
path include "/etc/ipsec";
path pre_shared_key "/etc/ipsec/psk.txt";
# Padding behaviour for ISAKMP payloads; nothing here is peer-specific.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
#isakmp ::1 [7000];
# Bind ISAKMP only on the public address, UDP 500.  No "isakmp_natt" line,
# so NAT traversal (UDP 4500) is not offered -- fine while both peers have
# public addresses.
isakmp ЛИНУКС_ВНЕШ [500];
#admin [7002]; # administrative's port by kmpstat.
#strict_address; # required all addresses must be bound.
}
# Specification of default various timer.
# Retransmit and phase-timeout defaults; they apply to every "remote"
# unless overridden there.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
# The log's "give up to get IPsec-SA due to time up to wait" appears 90 s
# after a phase 2 rekey started, i.e. this is the timeout that fired.
phase1 90 sec;
phase2 90 sec;
}
# here begins the configuration of the Remote Office - Main Office VPN
# Phase 1 settings for the Cisco peer; must match "crypto isakmp policy 1"
# (3des / sha1 / pre-share / group 2) on the router.
remote ЦИСКА_ВНЕШ
{
my_identifier address ЛИНУКС_ВНЕШ;
# NOTE(review): aggressive mode is listed first and is what racoon uses
# when it initiates (the log shows "begin Aggressive mode").  With a
# pre-shared key, aggressive mode sends the identity hash unprotected,
# exposing the PSK to offline guessing.  Both peers have fixed addresses
# and the Cisco keys the PSK by address, so "exchange_mode main;" alone
# should suffice -- verify against the router.
exchange_mode aggressive,main;
initial_contact off;
# No peers_identifier/verify_identifier: the peer is matched only by its
# source address.
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
# Phase 2 parameters for any peer ("anonymous"); must match the Cisco
# transform set MyTransformSet (esp-3des esp-sha-hmac) and "set pfs group2".
# The Cisco transform set has no compression, so deflate is proposed but
# presumably not used.
sainfo anonymous
{
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
# 3600 s; the log's "ignore RESPONDER-LIFETIME notification" lines
# presumably relate to the lifetime exchange with the router -- confirm.
lifetime time 3600 sec;
}
Файл /etc/ipsec/psk.txt
# Pre-shared key for the Cisco peer, looked up by the peer's address (the
# racoon log line "couldn't find the proper pskey, try to get one by the
# peer's address" is this lookup).  NOTE(review): this value ("VerYsEcretKe")
# is one character shorter than the router's "crypto isakmp key VerYsEcretKey";
# the two must be identical, and the log shows phase 1 succeeding, so one of
# the two listings has a typo.  Keep this file mode 0600.
ЦИСКА_ВНЕШ VerYsEcretKe
Файл /etc/iptables/access
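#!/bin/sh
# Firewall and routing for the Linux end of the tunnel.  Run after the
# PPPoE session (ppp0) is up.  Placeholders: ЛИНУКС_ВНЕШ = this host's
# public address, ЦИСКА_ВНЕШ = the Cisco's public address.
INET_IFACE="ppp0" #
INET_MASK="255.255.255.128" #
# INET_MASK, LAN_IP, LAN_IP_RANGE, LAN_MASK, LO_IFACE and LO_IP are not used
# by the rules below (LAN_IP_RANGE does not even match the 192.168.99.0/24
# network the SNAT rule applies to); kept for anything that sources this file.
LAN_IP="192.168.0.9"
LAN_IP_RANGE="192.168.0.0/24"
LAN_IFACE="eth2"
LAN_MASK="255.255.255.0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"
# The two LANs joined by the tunnel (local behind this host, remote behind
# the Cisco).
LOCAL_VPN_NET="192.168.99.0/24"
REMOTE_VPN_NET="192.168.98.0/24"

echo 1 > /proc/sys/net/ipv4/ip_forward

# LAN -> Internet: everything out, only replies back in.
# NOTE(review): the FORWARD chain policy is not set in this script.  If it
# is DROP, new connections arriving through the tunnel (source
# 192.168.98.0/24 on ppp0) are blocked and need an explicit ACCEPT, ideally
# restricted with "-m policy --dir in --pol ipsec" so only decrypted
# traffic qualifies.
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -p ALL -j ACCEPT
$IPTABLES -A FORWARD -o $LAN_IFACE -i $INET_IFACE -p ALL -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade LAN traffic to the Internet, but NOT traffic for the remote
# VPN LAN: that must keep its 192.168.99.x source so the SPD and the Cisco
# crypto ACL match it.  The original listing added this rule twice; it is
# added once here.  "! -d" is the supported spelling of the negation
# (the old "-d ! ..." form is deprecated).
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_VPN_NET ! -d $REMOTE_VPN_NET \
    -o $INET_IFACE -p ALL -j SNAT --to-source ЛИНУКС_ВНЕШ

# Reach the Cisco's public address directly over ppp0 and send the remote
# LAN towards it; the SPD then forces that traffic into the ESP tunnel.
route add -host ЦИСКА_ВНЕШ dev $INET_IFACE
ip route add $REMOTE_VPN_NET via ЦИСКА_ВНЕШ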
В логе /var/log/ipsec/racoon
May 23 18:13:26 src@localhost racoon: INFO: IPsec-SA established:
ESP/Tunnel ЦИСКА_ВНЕШ[0]->ЛИНУКС_ВНЕШ[0] spi=48440135(0x2e32347)
May 23 18:13:26 src@localhost racoon: INFO: IPsec-SA established:
ESP/Tunnel ЛИНУКС_ВНЕШ[0]->ЦИСКА_ВНЕШ[0] spi=255324632(0xf37f1d8)
May 23 19:01:26 src@localhost racoon: INFO: IPsec-SA expired: ESP/Tunnel
ЦИСКА_ВНЕШ[0]->ЛИНУКС_ВНЕШ[0] spi=48440135(0x2e32347)
May 23 19:01:26 src@localhost racoon: INFO: initiate new phase 2 negotiation: ЛИНУКС_ВНЕШ[0]<=>ЦИСКА_ВНЕШ[0]
May 23 19:01:26 src@localhost racoon: INFO: IPsec-SA expired: ESP/Tunnel ЛИНУКС_ВНЕШ[0]->ЦИСКА_ВНЕШ[0] spi=255324632(0xf37f1d8)
May 23 19:01:26 src@localhost racoon: WARNING: ignore RESPONDER-LIFETIME notification.
May 23 19:01:26 src@localhost racoon: WARNING: attribute has been modified.
May 23 19:01:56 src@localhost racoon: INFO: purged IPsec-SA proto_id=ESP spi=255324632.
May 23 19:02:56 src@localhost racoon: ERROR: ЦИСКА_ВНЕШ give up to get IPsec-SA due to time up to wait.
May 23 19:13:25 src@localhost racoon: INFO: ISAKMP-SA expired
ЛИНУКС_ВНЕШ[500]-ЦИСКА_ВНЕШ[500] spi:ccd722f0a32dc8ba:197b6c2516eae82f
May 23 19:13:26 src@localhost racoon: INFO: ISAKMP-SA deleted
ЛИНУКС_ВНЕШ[500]-ЦИСКА_ВНЕШ[500] spi:ccd722f0a32dc8ba:197b6c2516eae82f
May 23 19:13:26 src@localhost racoon: INFO: IPsec-SA expired:
ESP/Tunnel ЦИСКА_ВНЕШ[0]->ЛИНУКС_ВНЕШ[0] spi=48440135(0x2e32347)
May 23 19:49:26 src@localhost racoon: INFO: IPsec-SA expired: ESP/Tunnel
ЦИСКА_ВНЕШ[0]->ЛИНУКС_ВНЕШ[0] spi=116441725(0x6f0c27d)
May 23 19:49:26 src@localhost racoon: INFO: IPsec-SA expired: ESP/Tunnel
ЛИНУКС_ВНЕШ[0]->ЦИСКА_ВНЕШ[0] spi=3569744905(0xd4c5fc09)
May 23 23:51:11 src@localhost syslog-ng[4843]: Log statistics;
processed='center(queued)=1037', processed='center(received)=899',
processed='destination(pluto)=0', processed='destination(ipsec)=2',
processed='destination(racoon)=86',
processed='destination(messages)=899',
processed='destination(ssh)=14', processed='destination(d_cisco)=0',
processed='destination(pppd)=36', processed='source(net)=0',
processed='source(src)=899'
May 24 00:01:26 src@localhost racoon: INFO: IPsec-SA expired: ESP/Tunnel ЦИСКА_ВНЕШ[0]->ЛИНУКС_ВНЕШ[0] spi=116441725(0x6f0c27d)
May 24 00:01:26 src@localhost racoon: INFO: IPsec-SA expired: ESP/Tunnel ЛИНУКС_ВНЕШ[0]->ЦИСКА_ВНЕШ[0] spi=3569744905(0xd4c5fc09)
May 24 09:57:54 src@localhost racoon: INFO: IPsec-SA request for ЦИСКА_ВНЕШ queued due to no phase1 found.
May 24 09:57:54 src@localhost racoon: INFO: initiate new phase 1 negotiation: ЛИНУКС_ВНЕШ[500]<=>ЦИСКА_ВНЕШ[500]
May 24 09:57:54 src@localhost racoon: INFO: begin Aggressive mode.
May 24 09:57:54 src@localhost racoon: INFO: received Vendor ID: CISCO-UNITY
May 24 09:57:54 src@localhost racoon: INFO: received Vendor ID: DPD
May 24 09:57:54 src@localhost racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May 24 09:57:54 src@localhost racoon: WARNING: port 62465 expected, but 0
May 24 09:57:54 src@localhost racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
May 24 09:57:54 src@localhost racoon: INFO: ISAKMP-SA established ЛИНУКС_ВНЕШ[500]-ЦИСКА_ВНЕШ[500] spi:69ed509776423590:197b6c25a26ca6fb
May 24 09:57:55 src@localhost racoon: INFO: initiate new phase 2 negotiation: ЛИНУКС_ВНЕШ[500]<=>ЦИСКА_ВНЕШ[500]
May 24 09:57:55 src@localhost racoon: WARNING: ignore RESPONDER-LIFETIME notification.
May 24 09:57:55 src@localhost racoon: WARNING: attribute has been modified.
May 24 09:57:55 src@localhost racoon: INFO: IPsec-SA established: ESP/Tunnel ЦИСКА_ВНЕШ[0]->ЛИНУКС_ВНЕШ[0] spi=267657449(0xff420e9)
May 24 09:57:55 src@localhost racoon: INFO: IPsec-SA established: ESP/Tunnel ЛИНУКС_ВНЕШ[0]->ЦИСКА_ВНЕШ[0] spi=2491516033(0x94818481)