时间戳

首页 > 技术文章 > openswan一条隧道多保护子网配置

openswan一条隧道多保护子网配置

s2603898260 2021-01-22 23:32 原文

  • Author       :
  • Email         : vip_13031075266@163.com
  • Date          : 2021.01.22
  • Copyright : 未经同意不得转载!!!
  • Version    : openswan-2.6.51.5
  • Referencehttps://download.openswan.org/openswan/

在学习IKE协商过程中,一般都知道IKE支持这种配置:“一个IKE SA可以保护多个Ipsec SA”。这种场景在实际ipsec环境部署过程中也是相当常见,但是对于openswan是否支持此功能,以及如何进行配置一直不太清楚,直到前几天才得到确定,因此特意记录下来。

我是在两台虚拟机中搭建的测试环境,并通过配置文件进行IPsec隧道配置。

我的网络拓扑如下:

 

我配置了一条隧道test,协商地址为:192.168.1.10 VS 192.168.1.13,他们中间是我家的路由器(木办法,我电脑通过无线网卡上网,普通的那个网卡没用,无法桥接使用,因此将虚拟机网卡桥接到了我的无线网卡上,这样虚拟机便可以直接通讯了);

第二阶段保护子网有三个,分别为 :

左端保护子网

右端保护子网

224.0.0.0/24

224.0.0.0/24

192.168.105.0/24

224.0.0.0/24

10.1.2.0/24

224.0.0.0/24

具体配置信息如下(兩端配置文件相同):

  
conn test

        auto=start
        pfs=no                  # PFS(Perfect Forward Secrecy)
        compress=no             # IP Compression
        type=tunnel
        keyingtries=0
        disablearrivalcheck=no

        ## phase 1 ##
        ike=aes128-sha1;modp1024  # 第一阶段参数
        ikelifetime=86400s        # 第一阶段的生存时间
        keyexchange=ike
        ## phase 2 ##
        phase2alg=aes128-sha1     # 第二阶段参数
        salifetime=3600s          # 第二阶段参数
        phase2=esp

        left=192.168.1.10
        leftid=ToneySun@papa.com.cn
        leftsubnets={224.0.0.0/24 10.1.2.0/24 192.168.105.0/24}
        leftsourceip=192.168.1.10
        leftnexthop=%defaultroute

        right=192.168.1.13
        rightid=@right
        rightsubnet=224.0.0.0/24
        rightsourceip=192.168.1.13
        rightnexthop=%defaultroute

        # rsakey AQPGLAfkE
        leftrsasigkey=0sAQPGLAfkEfGISg4FfXZqRe47LMX5sGyG+0ec1b5FWDriEpy4tiOvjusVzx2eyP3PTM+J9uKW93GxRugxpqa82O/aegGpnUpWGHBnEBBIvjpiMawrv3RhtCYeXodMKKqI6jhdEYzU69AYHkbPI3jOtk8TVYhaoSEkDRoBkbUzasAXOCrxL6a61G8C8XwOaW0qz+yEaoYwh/Nhc0fz1li/vQWofwXuR7ZQ5FlfDUY+JCgqbIhpmUfA9mRtawqIupYxQO3j55lhX4yUT9mBcRl9dlUNZnNEXL3hvoIABm/O+xMTwM695JBF0lVM5MJ/zizy7TsbHFJlNEPuGMI/An4FseHK0pQwe4BUZ08A8izIiI9ZT4Lp
        # rsakey AQOzIeXfR
        rightrsasigkey=0sAQOzIeXfRPL5ODGw97Y6wwotc9LExdihgdfxprYLKukKSpe3oH9G6smILqqkU+8INImuHwpL7mDPqKxDWb/YiYxRgRciXAMkuhq8c/IjcVIbK9EXSmWyPkC1Rn5+cD+2FDUd85FtQWMlEObwLJDC0UxqN5ZoFr7sR0Kur9LqZFS1FlD72E/x3RckY1R/LiR27R83Zv2EXEi1lhYf/ZstKPsGuzlEAzSnyV6jRz9Urz/SFrnyL8vGapiq5p6q+PkBEqsw97Wp8taj8tzK+lH1oxMB4+ArUKhGNk/w+tKPgKrLI8AR2nh2892P6cN0dta83t67k8Mf0ZrOCpxWLcZUnjLkFBvs9fJca3ONXH2RA+jMjn1l

当时为了测试保护子网是否可以配置组播,因此我将保护子网设置成了224.0.0.0组播网段。结果是隧道可以协商成功,但感兴趣流是否真的可以走此流量,仍是不清楚,但从结果和常理推测来看,应该是可以封装组播报文了,因为openswan开源代码和Linux内核实现时,如果说保护子网不支持组播报文,那么应该不会让配置组播地址,这相当于一个重大bug。但是两个都没有进行限制,因此我个人认为它是可以封装组播报文的。

 

隧道添加完毕后,通过whack命令查看隧道配置情况:

000 "test/1x0": 224.0.0.0/24===192.168.1.10[ToneySun@papa.com.cn]---192.168.1.1...192.168.1.1---192.168.1.13[@right]===224.0.0.0/24; erouted; eroute owner: #12

000 "test/1x0":     myip=192.168.1.10; hisip=192.168.1.13;

000 "test/1x0":   keys: 1:8F4C 47D1 466A 6F7C C469 B04C 9525 1F9B E69A E022 2:none...

000 "test/1x0":        ....1:AD25 3E8F B131 F1DB 5926 B2C9 CCF1 2D3E A9D7 858D 2:none

000 "test/1x0":   ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0

000 "test/1x0":   policy: RSASIG+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: ens33; kind=CK_PERMANENT

000 "test/1x0":   newest ISAKMP SA: #3; newest IPsec SA: #12; eroute owner: #12;

000 "test/1x0":   aliases: test

000 "test/1x0":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict

000 "test/1x0":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)

000 "test/1x0":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024

000 "test/1x0":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict

000 "test/1x0":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160

000 "test/1x0":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<N/A>

 

 

000 "test/2x0": 10.1.2.0/24===192.168.1.10[ToneySun@papa.com.cn]---192.168.1.1...192.168.1.1---192.168.1.13[@right]===224.0.0.0/24; erouted; eroute owner: #11

000 "test/2x0":     myip=192.168.1.10; hisip=192.168.1.13;

000 "test/2x0":   keys: 1:8F4C 47D1 466A 6F7C C469 B04C 9525 1F9B E69A E022 2:none...

000 "test/2x0":        ....1:AD25 3E8F B131 F1DB 5926 B2C9 CCF1 2D3E A9D7 858D 2:none

000 "test/2x0":   ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0

000 "test/2x0":   policy: RSASIG+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: ens33; kind=CK_PERMANENT

000 "test/2x0":   newest ISAKMP SA: #2; newest IPsec SA: #11; eroute owner: #11;

000 "test/2x0":   aliases: test

000 "test/2x0":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict

000 "test/2x0":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)

000 "test/2x0":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024

000 "test/2x0":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict

000 "test/2x0":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160

000 "test/2x0":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<N/A>

 

 

000 "test/3x0": 192.168.105.0/24===192.168.1.10[ToneySun@papa.com.cn]---192.168.1.1...192.168.1.1---192.168.1.13[@right]===224.0.0.0/24; erouted; eroute owner: #10

000 "test/3x0":     myip=192.168.1.10; hisip=192.168.1.13;

000 "test/3x0":   keys: 1:8F4C 47D1 466A 6F7C C469 B04C 9525 1F9B E69A E022 2:none...

000 "test/3x0":        ....1:AD25 3E8F B131 F1DB 5926 B2C9 CCF1 2D3E A9D7 858D 2:none

000 "test/3x0":   ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0

000 "test/3x0":   policy: RSASIG+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK; prio: 24,24; interface: ens33; kind=CK_PERMANENT

000 "test/3x0":   newest ISAKMP SA: #1; newest IPsec SA: #10; eroute owner: #10;

000 "test/3x0":   aliases: test

000 "test/3x0":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict

000 "test/3x0":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)

000 "test/3x0":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024

000 "test/3x0":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict

000 "test/3x0":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160

000 "test/3x0":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<N/A>

000

隧道协商成功后,通过whack命令查看隧道协商情况:

 

000 #14: "test/1x0":500 IKEv1.0 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 24s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

000 #12: "test/1x0":500 IKEv1.0 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 675s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate

000 #12: "test/1x0" esp.da8cbccf@192.168.1.13 esp.d360f4f8@192.168.1.10 tun.0@192.168.1.13 tun.0@192.168.1.10 ref=0 refhim=4294901761

000 #3: "test/1x0":500 IKEv1.0 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 82667s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

000 #4: "test/1x0":500 IKEv1.0 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 83181s; lastdpd=-1s(seq in:0 out:0); idle; import:not set

000 #9: "test/1x0":500 IKEv1.0 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 390s; isakmp#6; idle; import:not set

000 #9: "test/1x0" esp.43aae72@192.168.1.13 esp.5b469df8@192.168.1.10 tun.0@192.168.1.13 tun.0@192.168.1.10 ref=0 refhim=4294901761

000 #6: "test/1x0":500 IKEv1.0 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 83190s; lastdpd=-1s(seq in:0 out:0); idle; import:not set

000 #5: "test/1x0":500 IKEv1.0 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 83181s; lastdpd=-1s(seq in:0 out:0); idle; import:not set

 

 

000 #15: "test/2x0":500 IKEv1.0 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 37s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

000 #11: "test/2x0":500 IKEv1.0 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 665s; newest IPSEC; eroute owner; isakmp#2; idle; import:admin initiate

000 #11: "test/2x0" esp.ab81cf5e@192.168.1.13 esp.dfb5ea09@192.168.1.10 tun.0@192.168.1.13 tun.0@192.168.1.10 ref=0 refhim=4294901761

000 #2: "test/2x0":500 IKEv1.0 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 82615s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

000 #8: "test/2x0":500 IKEv1.0 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 381s; isakmp#5; idle; import:not set

000 #8: "test/2x0" esp.a232fdce@192.168.1.13 esp.b66703a8@192.168.1.10 tun.0@192.168.1.13 tun.0@192.168.1.10 ref=0 refhim=4294901761

 

 

000 #7: "test/3x0":500 IKEv1.0 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 381s; isakmp#4; idle; import:not set

000 #7: "test/3x0" esp.d288020b@192.168.1.13 esp.205dd4b1@192.168.1.10 tun.0@192.168.1.13 tun.0@192.168.1.10 ref=0 refhim=4294901761

000 #10: "test/3x0":500 IKEv1.0 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 107s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate

000 #10: "test/3x0" esp.6084c13a@192.168.1.13 esp.43d65919@192.168.1.10 tun.0@192.168.1.13 tun.0@192.168.1.10 ref=0 refhim=4294901761

000 #1: "test/3x0":500 IKEv1.0 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 82845s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

000

 

可以看出3个保护子网全部协商成功。

推荐阅读