2010-03-16

Implementation: pre-shared-key authentication, transport mode (ESP + NAT-T)

◆ Topology


 192.168.0.1                       1.1.1.1
   ┌─────┐                         ┌─────┐
   │     │─────────────────────────│ NAT │
   └─────┘                         └──┬──┘
                                      │
                                   ┌──┴──┐
                                   │     │ 10.0.0.1
                                   └─────┘



◆ Configuration on 192.168.0.1


# IKE daemon (racoon) configuration file
#vi /home/racoon/sample1/racoon.conf
-----
path include  "/usr/local/sbin/racoon";
path pre_shared_key "/home/racoon/sample1/psk.txt";
log notify;
listen {
  isakmp 192.168.0.1 [500];
  isakmp_natt 192.168.0.1 [4500];
}
remote anonymous {
  exchange_mode aggressive;
  lifetime time 8 hour;
  nat_traversal force;
  generate_policy on;
  passive on;
  proposal {
    encryption_algorithm aes;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 2;
  }
}
sainfo anonymous {
  pfs_group 2;
  lifetime time 8 hour;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}
-----


# Security policy (SPD) configuration file
#vi /home/racoon/sample1/ipsec.conf
-----
flush;
spdflush;

spdadd 192.168.0.1 1.1.1.1 any -P out ipsec esp/transport//require;
spdadd 1.1.1.1 192.168.0.1 any -P in ipsec esp/transport//require;
-----


# Pre-shared key
#vi /home/racoon/sample1/psk.txt
-----
1.1.1.1 abcdefg1234567890
-----
#chmod 0400 /home/racoon/sample1/psk.txt


# iptables rules
#iptables -A INPUT -s 1.1.1.1 -p esp -j ACCEPT
#iptables -A INPUT -s 1.1.1.1 -p udp -m udp --dport 500 -j ACCEPT
#iptables -A INPUT -s 1.1.1.1 -p udp -m udp --dport 4500 -j ACCEPT
※ Various other rules may be needed as well



◆ Configuration on 10.0.0.1


# IKE daemon (racoon) configuration file
#vi /home/racoon/sample1/racoon.conf
-----
path include  "/usr/local/sbin/racoon";
path pre_shared_key "/home/racoon/sample1/psk.txt";
log notify;
listen {
  isakmp 10.0.0.1 [500];
  isakmp_natt 10.0.0.1 [4500];
}
remote 192.168.0.1 {
  exchange_mode aggressive;
  lifetime time 8 hour;
  nat_traversal force;
  generate_policy on;
  proposal {
    encryption_algorithm aes;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 2;
  }
}
sainfo anonymous {
  pfs_group 2;
  lifetime time 8 hour;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}
-----


# Security policy (SPD) configuration file
#vi /home/racoon/sample1/ipsec.conf
-----
flush;
spdflush;

spdadd 10.0.0.1 192.168.0.1 any -P out ipsec esp/transport//require;
spdadd 192.168.0.1 10.0.0.1 any -P in ipsec esp/transport//require;
-----


# Pre-shared key
#vi /home/racoon/sample1/psk.txt
-----
192.168.0.1 abcdefg1234567890
-----
#chmod 0400 /home/racoon/sample1/psk.txt



◆ Running

/usr/local/sbin/setkey -F
/usr/local/sbin/setkey -FP
/usr/local/sbin/setkey -f /home/racoon/sample1/ipsec.conf
/usr/local/sbin/racoon -f /home/racoon/sample1/racoon.conf
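Before running the setkey and racoon commands above it is worth confirming that the two peers' files actually agree with each other. The following is an added example (my own code, not from the post or from ipsec-tools): it parses copies of the two ipsec.conf and psk.txt files shown above, checks that every SPD entry on one side is mirrored on the other once the address behind the NAT (10.0.0.1) is mapped to the public address 1.1.1.1 that 192.168.0.1 sees, checks that both psk.txt entries hold the same key, and checks that psk.txt is readable only by its owner, which is what the chmod 0400 step intends. NAT_MAP and the function names are assumptions of this example.

```python
"""Cross-check the two peers' SPD and PSK files before starting racoon.

Added example, not part of the original post or of ipsec-tools.  The
file contents below are constructed copies of the files shown above;
NAT_MAP and every function name are this example's own assumptions.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List, NamedTuple

IPSEC_CONF_A = """\
flush;
spdflush;

spdadd 192.168.0.1 1.1.1.1 any -P out ipsec esp/transport//require;
spdadd 1.1.1.1 192.168.0.1 any -P in ipsec esp/transport//require;
"""
IPSEC_CONF_B = """\
flush;
spdflush;

spdadd 10.0.0.1 192.168.0.1 any -P out ipsec esp/transport//require;
spdadd 192.168.0.1 10.0.0.1 any -P in ipsec esp/transport//require;
"""
PSK_A = "1.1.1.1 abcdefg1234567890\n"
PSK_B = "192.168.0.1 abcdefg1234567890\n"
# Private address behind the NAT -> public address that peer A sees (assumed).
NAT_MAP = {"10.0.0.1": "1.1.1.1"}


class SPDEntry(NamedTuple):
    src: str
    dst: str
    upper: str       # upper-layer protocol selector ("any" on this page)
    direction: str   # "in" or "out"
    policy: str      # e.g. "esp/transport//require"


SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(\S+?)\s*;$"
)


def parse_spd(text: str) -> List[SPDEntry]:
    """Return the spdadd entries of a setkey configuration file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in ("flush;", "spdflush;"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised setkey line: {line!r}")
        entries.append(SPDEntry(*m.groups()))
    return entries


def parse_psk(text: str) -> Dict[str, str]:
    """Return {peer identifier: key} from a racoon psk.txt."""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            ident, key = line.split(None, 1)
            keys[ident] = key
    return keys


def mirror_mismatches(spd_a, spd_b, nat_map) -> List[SPDEntry]:
    """Return A's entries that B's SPD does not mirror.

    An "out" policy on A must appear as an "in" policy on B with the same
    src/dst (and vice versa) after private addresses are translated to the
    public ones through nat_map.  An empty map disables the translation.
    """
    def pub(addr):
        return nat_map.get(addr, addr)

    flipped = {"in": "out", "out": "in"}
    b_view = {(pub(e.src), pub(e.dst), e.upper, e.direction, e.policy) for e in spd_b}
    return [e for e in spd_a
            if (pub(e.src), pub(e.dst), e.upper, flipped[e.direction], e.policy) not in b_view]


def psk_agree(psk_a, peer_b_id, psk_b, peer_a_id) -> bool:
    """True when both peers hold the same key for each other."""
    return peer_b_id in psk_a and psk_a[peer_b_id] == psk_b.get(peer_a_id)


def psk_file_is_private(path: str) -> bool:
    """True when group and others have no access bits (what chmod 0400 gives)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def demo_psk_mode():
    """Run the mode check on a throwaway file: (before, after) chmod 0400."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = psk_file_is_private(path)
        os.chmod(path, 0o400)
        after = psk_file_is_private(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    a, b = parse_spd(IPSEC_CONF_A), parse_spd(IPSEC_CONF_B)
    print("mismatches ignoring the NAT:", mirror_mismatches(a, b, {}))
    print("mismatches with NAT_MAP:", mirror_mismatches(a, b, NAT_MAP))
    print("PSK agree:", psk_agree(parse_psk(PSK_A), "1.1.1.1", parse_psk(PSK_B), "192.168.0.1"))
    print("psk.txt private (before, after chmod 0400):", demo_psk_mode())
```

Without the NAT mapping the two SPDs look inconsistent (192.168.0.1 addresses the peer as 1.1.1.1 while 10.0.0.1 addresses itself by its private address); with it they mirror exactly, which is the relationship the log below shows NAT-T reconciling.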



◆ Connecting


# on 10.0.0.1
#ping 192.168.0.1


# log on 192.168.0.1
INFO: respond new phase 1 negotiation: 192.168.0.1[500]<=>1.1.1.1[500]
INFO: begin Aggressive mode.
INFO: received broken Microsoft ID: FRAGMENTATION
INFO: received Vendor ID: RFC 3947
INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
INFO: received Vendor ID: DPD
INFO: Selected NAT-T version: RFC 3947
NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
INFO: Adding remote and local NAT-D payloads.
INFO: Hashing 1.1.1.1[500] with algo #2 (NAT-T forced)
INFO: Hashing 192.168.0.1[500] with algo #2 (NAT-T forced)
INFO: NAT-T: ports changed to: 1.1.1.1[4500]<->192.168.0.1[4500]
INFO: NAT-D payload #0 doesn't match
INFO: NAT-D payload #1 doesn't match
INFO: NAT detected: ME PEER
INFO: ISAKMP-SA established 192.168.0.1[4500]-1.1.1.1[4500] spi:fe0819ec74a31b8d:e84869765f89625a
INFO: respond new phase 2 negotiation: 192.168.0.1[4500]<=>1.1.1.1[4500]
INFO: no policy found, try to generate the policy : 10.0.0.1/32[0] 192.168.0.1/32[0] proto=any dir=in
INFO: Adjusting my encmode UDP-Transport->Transport
INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
INFO: IPsec-SA established: ESP/Transport 1.1.1.1[4500]->192.168.0.1[4500] spi=62640834(0x3bbd2c2)
INFO: IPsec-SA established: ESP/Transport 192.168.0.1[4500]->1.1.1.1[4500] spi=213371505(0xcb7ca71)
ERROR: such policy does not already exist: "10.0.0.1/32[0] 192.168.0.1/32[0] proto=any dir=in"
ERROR: such policy does not already exist: "192.168.0.1/32[0] 10.0.0.1/32[0] proto=any dir=out"
※ ERROR lines appear at the end, but the SPD entries seem to have been auto-generated anyway
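Reading the log by eye is fine once; for a deployment you want the same facts pulled out every time the peer connects. The following is an added example (my own code, not from the post or from racoon): it runs over the log lines above, embedded as a constructed sample, and reports the NAT-T version chosen, which side was detected behind a NAT, both SAs with their SPIs (checking that the decimal and hex SPI agree), and whether the phase 2 policy was found in the SPD or generated at run time, which is the generate_policy behaviour the notes at the end of this post warn about. The function and field names are assumptions of this example.

```python
"""Triage a racoon log for a NAT-T transport-mode negotiation.

Added example, not part of the original post or of racoon.  RACOON_LOG is
a constructed sample built from the log lines shown above; the function
and report field names are this example's own assumptions.
"""
import re
from typing import Dict, List

RACOON_LOG = """\
INFO: respond new phase 1 negotiation: 192.168.0.1[500]<=>1.1.1.1[500]
INFO: begin Aggressive mode.
INFO: received Vendor ID: RFC 3947
INFO: Selected NAT-T version: RFC 3947
NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
INFO: NAT-T: ports changed to: 1.1.1.1[4500]<->192.168.0.1[4500]
INFO: NAT detected: ME PEER
INFO: ISAKMP-SA established 192.168.0.1[4500]-1.1.1.1[4500] spi:fe0819ec74a31b8d:e84869765f89625a
INFO: respond new phase 2 negotiation: 192.168.0.1[4500]<=>1.1.1.1[4500]
INFO: no policy found, try to generate the policy : 10.0.0.1/32[0] 192.168.0.1/32[0] proto=any dir=in
INFO: IPsec-SA established: ESP/Transport 1.1.1.1[4500]->192.168.0.1[4500] spi=62640834(0x3bbd2c2)
INFO: IPsec-SA established: ESP/Transport 192.168.0.1[4500]->1.1.1.1[4500] spi=213371505(0xcb7ca71)
ERROR: such policy does not already exist: "10.0.0.1/32[0] 192.168.0.1/32[0] proto=any dir=in"
ERROR: such policy does not already exist: "192.168.0.1/32[0] 10.0.0.1/32[0] proto=any dir=out"
"""

PATTERNS = {
    "natt_version": re.compile(r"Selected NAT-T version: (.+)$"),
    "nat_detected": re.compile(r"NAT detected: (.+)$"),
    "psk_by_address": re.compile(r"couldn't find the proper pskey"),
    "isakmp_sa": re.compile(r"ISAKMP-SA established (\S+)-(\S+) spi:([0-9a-f]+):([0-9a-f]+)"),
    "ipsec_sa": re.compile(r"IPsec-SA established: (\S+) (\S+)->(\S+) spi=(\d+)\(0x([0-9a-f]+)\)"),
    "generated": re.compile(r"no policy found, try to generate the policy : (.+)$"),
    "policy_error": re.compile(r'such policy does not already exist: "(.+)"'),
}


def triage(log: str) -> Dict:
    """Collect the negotiation facts from one racoon log into a report dict."""
    report = {"natt_version": None, "nat_detected": [], "psk_by_address": False,
              "isakmp_sa": [], "ipsec_sa": [], "generated": [], "policy_errors": []}
    for line in log.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if name == "natt_version":
                report["natt_version"] = m.group(1)
            elif name == "nat_detected":          # "ME", "PEER" or both
                report["nat_detected"] = m.group(1).split()
            elif name == "psk_by_address":        # key was looked up by address, not by ID
                report["psk_by_address"] = True
            elif name == "isakmp_sa":
                local, peer, spi_i, spi_r = m.groups()
                report["isakmp_sa"].append(
                    {"local": local, "peer": peer, "spi_i": spi_i, "spi_r": spi_r})
            elif name == "ipsec_sa":
                mode, src, dst, spi_dec, spi_hex = m.groups()
                report["ipsec_sa"].append(
                    {"mode": mode, "src": src, "dst": dst, "spi": int(spi_dec),
                     "spi_hex": spi_hex, "spi_consistent": int(spi_hex, 16) == int(spi_dec)})
            elif name == "generated":
                report["generated"].append(m.group(1))
            elif name == "policy_error":
                report["policy_errors"].append(m.group(1))
    return report


def policy_was_generated(report: Dict) -> bool:
    """True when an IPsec-SA came up on a policy racoon created at run time."""
    return bool(report["generated"]) and bool(report["ipsec_sa"])


def findings(report: Dict) -> List[str]:
    """Short review points a defender would check after the tunnel comes up."""
    out = []
    if policy_was_generated(report):
        out.append("IPsec-SA installed on a run-time generated policy: "
                   + "; ".join(report["generated"]))
    if report["psk_by_address"]:
        out.append("PSK was selected by peer address after the ID lookup failed")
    if any(not sa["spi_consistent"] for sa in report["ipsec_sa"]):
        out.append("decimal and hex SPI disagree in an IPsec-SA line")
    return out


if __name__ == "__main__":
    r = triage(RACOON_LOG)
    print("NAT-T:", r["natt_version"], "NAT on:", r["nat_detected"])
    for sa in r["ipsec_sa"]:
        print(f"{sa['mode']} {sa['src']} -> {sa['dst']} spi=0x{sa['spi_hex']}")
    for f in findings(r):
        print("finding:", f)
```

A generated policy is exactly the case the notes below describe (a peer connecting without a pre-registered SPD), so the first finding is the one to alert on when generate_policy is left on.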



◇ Environment


CentOS release 5.4 (Final) + kernel 2.6.18
ipsec-tools 0.6.5



◇ Notes


racoon.conf
  • nat_traversal is set to force, but I have a feeling `on` would be enough (the log above is from the run with force set)
  • Setting generate_policy to on lets a connection succeed even for an SPD that has not been registered, so if the IP address behind the NAT is known I would rather add the SPD beforehand
  • Actually, with two or more hosts behind the NAT I don't think generate_policy can handle it