2010-03-15

Implementation: pre-shared key authentication, transport mode (ipcomp + esp)

◆ Topology


 192.168.0.1 ┌──────────────────┐ 192.168.0.2
            ┌┴┐                ┌┴┐
            │ │                │ │
            └─┘                └─┘



◆ Configuration on 192.168.0.1


# IKE daemon (racoon) configuration file
#vi /home/racoon/sample1/racoon.conf
-----
path include  "/usr/local/sbin/racoon";
path pre_shared_key "/home/racoon/sample1/psk.txt";
log notify;
listen {
  isakmp 192.168.0.1 [500];
}
remote anonymous {
  exchange_mode aggressive;
  lifetime time 8 hour;
  passive on;
  proposal {
    encryption_algorithm aes;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 2;
  }
}
sainfo anonymous {
  pfs_group 2;
  lifetime time 8 hour;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}
-----


# Security policy (SPD) configuration file
#vi /home/racoon/sample1/ipsec.conf
-----
flush;
spdflush;

spdadd 192.168.0.1 192.168.0.2 any -P out ipsec ipcomp/transport//use esp/transport//require;
spdadd 192.168.0.2 192.168.0.1 any -P in ipsec ipcomp/transport//use esp/transport//require;
-----


# Pre-shared key file
#vi /home/racoon/sample1/psk.txt
-----
192.168.0.2 abcdefg1234567890
-----
#chmod 0400 /home/racoon/sample1/psk.txt


# iptables rules
#iptables -A INPUT -s 192.168.0.2 -p esp -j ACCEPT
#iptables -A INPUT -s 192.168.0.2 -p udp -m udp --dport 500 -j ACCEPT
Note: various other rules may be needed as well.



◆ Configuration on 192.168.0.2


# IKE daemon (racoon) configuration file
#vi /home/racoon/sample1/racoon.conf
-----
path include  "/usr/local/sbin/racoon";
path pre_shared_key "/home/racoon/sample1/psk.txt";
log notify;
listen {
  isakmp 192.168.0.2 [500];
}
remote 192.168.0.1 {
  exchange_mode aggressive;
  lifetime time 8 hour;
  proposal {
    encryption_algorithm aes;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 2;
  }
}
sainfo anonymous {
  pfs_group 2;
  lifetime time 8 hour;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}
-----


# Security policy (SPD) configuration file
#vi /home/racoon/sample1/ipsec.conf
-----
flush;
spdflush;

spdadd 192.168.0.2 192.168.0.1 any -P out ipsec ipcomp/transport//use esp/transport//require;
spdadd 192.168.0.1 192.168.0.2 any -P in ipsec ipcomp/transport//use esp/transport//require;
-----


# Pre-shared key file
#vi /home/racoon/sample1/psk.txt
-----
192.168.0.1 abcdefg1234567890
-----
#chmod 0400 /home/racoon/sample1/psk.txt
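The script below is an added example, not code from the original post. Given the two hosts' ipsec.conf and psk.txt contents (constructed copies of the files above), it checks that the SPD entries of the two hosts mirror each other (each out policy has an identical in policy on the peer), that the ESP rule is at level require rather than use (with use, setkey still passes traffic in the clear when no SA exists), and that both psk.txt files carry the same secret for the other peer. The host labels, the sample contents and the helper names are assumptions made for the example.

```python
"""Consistency check for a pair of ipsec-tools peers (added example, not
the post's own code).  Parses setkey 'spdadd' lines and psk.txt contents
and reports anything that would make the two hosts disagree."""
import stat

HOST_A = "192.168.0.1"
HOST_B = "192.168.0.2"

# Constructed copies of the post's ipsec.conf files.
SPD_A = """\
flush;
spdflush;

spdadd 192.168.0.1 192.168.0.2 any -P out ipsec ipcomp/transport//use esp/transport//require;
spdadd 192.168.0.2 192.168.0.1 any -P in ipsec ipcomp/transport//use esp/transport//require;
"""
SPD_B = """\
flush;
spdflush;

spdadd 192.168.0.2 192.168.0.1 any -P out ipsec ipcomp/transport//use esp/transport//require;
spdadd 192.168.0.1 192.168.0.2 any -P in ipsec ipcomp/transport//use esp/transport//require;
"""
# Constructed copies of the post's psk.txt files (sample secret, not a real one).
PSK_A = "192.168.0.2 abcdefg1234567890\n"
PSK_B = "192.168.0.1 abcdefg1234567890\n"


def parse_spd(text):
    """Turn 'spdadd SRC DST UPPER -P DIR ipsec RULE...' lines into dicts.

    Each RULE is protocol/mode/src-dst/level; in transport mode the src-dst
    field is empty, which is why the post's rules contain '//'.
    """
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("spdadd"):      # skip flush;, spdflush; and blanks
            continue
        parts = line.rstrip(";").split()
        if len(parts) < 8 or parts[4] != "-P" or parts[6] != "ipsec":
            raise ValueError(f"unrecognised spdadd line: {raw!r}")
        rules = []
        for rule in parts[7:]:
            proto, mode, _endpoints, level = rule.split("/")
            rules.append((proto, mode, level))
        policies.append({"src": parts[1], "dst": parts[2], "upper": parts[3],
                         "dir": parts[5], "rules": tuple(rules)})
    return policies


def check_mirror(policies_a, policies_b):
    """Every 'out' policy on one host needs an identical 'in' policy on the peer."""
    problems = []
    for mine, theirs, label in ((policies_a, policies_b, "A"), (policies_b, policies_a, "B")):
        for p in mine:
            if p["dir"] != "out":
                continue
            if not any(q["dir"] == "in" and q["src"] == p["src"] and q["dst"] == p["dst"]
                       and q["upper"] == p["upper"] and q["rules"] == p["rules"]
                       for q in theirs):
                problems.append(f"{label}: out {p['src']}->{p['dst']} has no matching in policy on peer")
    return problems


def check_esp_required(policies):
    """The ESP rule must carry level 'require'; 'use' would tolerate cleartext."""
    problems = []
    for p in policies:
        esp_levels = [level for proto, _mode, level in p["rules"] if proto == "esp"]
        if not esp_levels:
            problems.append(f"{p['src']}->{p['dst']} {p['dir']}: no esp rule")
        elif any(level != "require" for level in esp_levels):
            problems.append(f"{p['src']}->{p['dst']} {p['dir']}: esp level is not 'require'")
    return problems


def parse_psk(text):
    """psk.txt: one 'identifier key' pair per line; '#' lines are comments."""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            ident, key = line.split(None, 1)
            keys[ident] = key
    return keys


def check_psk(psk_a, psk_b, host_a, host_b):
    """Each side must have an entry for the other, and the secrets must be equal."""
    problems = []
    if host_b not in psk_a:
        problems.append(f"{host_a} has no key for {host_b}")
    if host_a not in psk_b:
        problems.append(f"{host_b} has no key for {host_a}")
    if not problems and psk_a[host_b] != psk_b[host_a]:
        problems.append("pre-shared keys differ between the peers")
    return problems


def psk_mode_ok(mode):
    """True when the permission bits grant no group/other access (what chmod 0400 gives)."""
    return stat.S_IMODE(mode) & 0o077 == 0


def run_checks():
    """Run every check over the sample configs; an empty list means they are consistent."""
    pa, pb = parse_spd(SPD_A), parse_spd(SPD_B)
    problems = check_mirror(pa, pb) + check_esp_required(pa) + check_esp_required(pb)
    problems += check_psk(parse_psk(PSK_A), parse_psk(PSK_B), HOST_A, HOST_B)
    return problems


if __name__ == "__main__":
    print("\n".join(run_checks()) or "configs are consistent")
```

To check real files, read each host's ipsec.conf and psk.txt into the SPD_* and PSK_* strings and pass the psk file's st_mode from os.stat to psk_mode_ok.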



◆ Running


/usr/local/sbin/setkey -F
/usr/local/sbin/setkey -FP
/usr/local/sbin/setkey -f /home/racoon/sample1/ipsec.conf
/usr/local/sbin/racoon -f /home/racoon/sample1/racoon.conf



◆ Connecting


# On 192.168.0.2
#ping 192.168.0.1


# Log on 192.168.0.1
INFO: respond new phase 1 negotiation: 192.168.0.1[500]<=>192.168.0.2[500]
INFO: begin Aggressive mode.
INFO: received Vendor ID: RFC 3947
INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
INFO: received Vendor ID: DPD
INFO: Selected NAT-T version: RFC 3947
NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
INFO: Adding remote and local NAT-D payloads.
INFO: Hashing 192.168.0.2[500] with algo #2
INFO: Hashing 192.168.0.1[500] with algo #2
INFO: Hashing 192.168.0.1[500] with algo #2
INFO: NAT-D payload #0 verified
INFO: Hashing 192.168.0.2[500] with algo #2
INFO: NAT-D payload #1 verified
INFO: NAT not detected
INFO: ISAKMP-SA established 192.168.0.1[500]-192.168.0.2[500] spi:174237a9a3178169:c4ebac56f9847803
INFO: respond new phase 2 negotiation: 192.168.0.1[500]<=>192.168.0.2[500]
INFO: Update the generated policy : 192.168.0.2/32[500] 192.168.0.1/32[500] proto=any dir=in
INFO: IPsec-SA established: ESP/Transport 192.168.0.2[500]->192.168.0.1[500] spi=58330792(0x37a0ea8)
INFO: IPsec-SA established: IPCOMP/Transport 192.168.0.2[500]->192.168.0.1[500] spi=63472(0xf7f0)
INFO: IPsec-SA established: ESP/Transport 192.168.0.1[500]->192.168.0.2[500] spi=25991933(0x18c9afd)
INFO: IPsec-SA established: IPCOMP/Transport 192.168.0.1[500]->192.168.0.2[500] spi=18948(0x4a04)
ERROR: pfkey X_SPDUPDATE failed: Invalid argument
ERROR: pfkey X_SPDUPDATE failed: Invalid argument

Note: maybe this is because I had NAT-Traversal : on set, or something along those lines.
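The following is an added example, not the post's own code: a small parser for the racoon log above that extracts the phase 1 result, the NAT-T outcome, the pre-shared key lookup fallback (the NOTIFY line says the key was not found by the peer's identity and was looked up by its address instead), the IPsec SAs per direction and the ERROR lines, then compares the SAs with what the SPD above asks for (ESP and IPCOMP in transport mode in both directions). RACOON_LOG is a constructed copy of the post's log lines; the wording assumed for a positive "NAT detected" message and the helper names are assumptions for the example.

```python
"""Summarise a racoon log and check that the negotiation reached the state
the SPD asks for (added example, not the post's own code)."""
import re
from collections import defaultdict

# Constructed copy of the lines the post shows on 192.168.0.1.
RACOON_LOG = """\
INFO: respond new phase 1 negotiation: 192.168.0.1[500]<=>192.168.0.2[500]
INFO: begin Aggressive mode.
INFO: received Vendor ID: RFC 3947
INFO: Selected NAT-T version: RFC 3947
NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
INFO: NAT-D payload #0 verified
INFO: NAT not detected
INFO: ISAKMP-SA established 192.168.0.1[500]-192.168.0.2[500] spi:174237a9a3178169:c4ebac56f9847803
INFO: respond new phase 2 negotiation: 192.168.0.1[500]<=>192.168.0.2[500]
INFO: IPsec-SA established: ESP/Transport 192.168.0.2[500]->192.168.0.1[500] spi=58330792(0x37a0ea8)
INFO: IPsec-SA established: IPCOMP/Transport 192.168.0.2[500]->192.168.0.1[500] spi=63472(0xf7f0)
INFO: IPsec-SA established: ESP/Transport 192.168.0.1[500]->192.168.0.2[500] spi=25991933(0x18c9afd)
INFO: IPsec-SA established: IPCOMP/Transport 192.168.0.1[500]->192.168.0.2[500] spi=18948(0x4a04)
ERROR: pfkey X_SPDUPDATE failed: Invalid argument
ERROR: pfkey X_SPDUPDATE failed: Invalid argument
"""

ISAKMP_RE = re.compile(
    r"ISAKMP-SA established (\S+?)\[\d+\]-(\S+?)\[\d+\] spi:([0-9a-f]+):([0-9a-f]+)")
IPSEC_RE = re.compile(
    r"IPsec-SA established: (\w+)/(\w+) (\S+?)\[\d+\]->(\S+?)\[\d+\] spi=(\d+)\((0x[0-9a-f]+)\)")


def parse_racoon_log(text):
    """Extract phase 1 / phase 2 results, NAT-T outcome, PSK lookup fallback and errors."""
    state = {"mode": None, "phase1": None, "nat_detected": None,
             "psk_by_address": False, "sas": defaultdict(dict), "errors": []}
    for line in text.splitlines():
        level, _, msg = line.partition(": ")
        if level == "ERROR":
            state["errors"].append(msg)
        elif msg.startswith("begin ") and msg.endswith(" mode."):
            state["mode"] = msg[len("begin "):-len(" mode.")]      # e.g. "Aggressive"
        elif msg == "NAT not detected":
            state["nat_detected"] = False
        elif msg.startswith("NAT detected"):      # assumed wording of the positive case
            state["nat_detected"] = True
        elif msg.startswith("couldn't find the proper pskey"):
            state["psk_by_address"] = True        # key found by peer address, not by identity
        elif m := ISAKMP_RE.search(msg):
            state["phase1"] = {"local": m.group(1), "peer": m.group(2),
                               "cookies": (m.group(3), m.group(4))}
        elif m := IPSEC_RE.search(msg):
            proto, mode, src, dst, spi_dec, spi_hex = m.groups()
            if int(spi_dec) != int(spi_hex, 16):  # both renderings of the SPI must agree
                state["errors"].append(f"SPI mismatch in line: {msg}")
            state["sas"][(src, dst)][proto] = {"mode": mode, "spi": int(spi_dec)}
    return state


def verify(state, local, peer, want=("ESP", "IPCOMP")):
    """Compare the observed SAs with the intended policy; an empty list means all is as intended."""
    findings = []
    if state["phase1"] is None:
        findings.append("no ISAKMP-SA established")
    if state["nat_detected"]:
        findings.append("NAT detected between the peers, although the topology has none")
    for src, dst in ((local, peer), (peer, local)):
        have = state["sas"].get((src, dst), {})
        for proto in want:
            if proto not in have:
                findings.append(f"{src}->{dst}: no {proto} SA")
            elif have[proto]["mode"] != "Transport":
                findings.append(f"{src}->{dst}: {proto} SA is {have[proto]['mode']}, not Transport")
    findings.extend(f"racoon error: {e}" for e in state["errors"])
    return findings


if __name__ == "__main__":
    st = parse_racoon_log(RACOON_LOG)
    print(f"phase 1: {st['mode']} mode, NAT detected: {st['nat_detected']}, "
          f"PSK looked up by address: {st['psk_by_address']}")
    for (src, dst), protos in sorted(st["sas"].items()):
        print(f"{src}->{dst}: " + ", ".join(f"{p} spi={v['spi']:#x}" for p, v in protos.items()))
    print("\n".join(verify(st, "192.168.0.1", "192.168.0.2")) or "negotiation matched the policy")
```

Run against the post's log, the only findings are the two X_SPDUPDATE errors; all four SAs (ESP and IPCOMP in each direction) are present in transport mode and no NAT was detected.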



◇ Environment


CentOS release 5.4 (Final) + kernel 2.6.18
ipsec-tools 0.6.5
