{"id":4029,"date":"2013-12-26T14:42:08","date_gmt":"2013-12-26T12:42:08","guid":{"rendered":"http:\/\/skeletor.org.ua\/?p=4029"},"modified":"2017-12-18T13:26:04","modified_gmt":"2017-12-18T11:26:04","slug":"ipsec-openbsd-linux","status":"publish","type":"post","link":"https:\/\/skeletor.org.ua\/?p=4029","title":{"rendered":"IPSec: OpenBSD <--> Linux"},"content":{"rendered":"

\u0422\u0435\u0441\u0442\u043e\u0432\u044b\u0439 \u0441\u0442\u0435\u043d\u0434:<\/span><\/strong><\/em>\u00a0OpenBSD 5.4, Debian Linux 6 (kernel 3.2), ipsec transport mode with preshared keys<\/strong><\/p>\n

\u041d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430\u00a0IPSec<\/strong>\u00a0\u0441\u043e\u0441\u0442\u043e\u0438\u0442 \u0438\u0437 2-\u0445 \u0447\u0430\u0441\u0442\u0435\u0439: \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430\u00a0IPSec\u2019a<\/strong>\u00a0\u0438 \u043d\u0435\u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0435\u043d\u043d\u043e \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430 \u043e\u0431\u043c\u0435\u043d\u0430 \u043a\u043b\u044e\u0447\u0430\u043c\u0438 (ike<\/strong>).<\/p>\n

\u0418\u043c\u0435\u0435\u043c \u0441\u0430\u043c\u0443\u044e \u043e\u0431\u044b\u0447\u043d\u0443\u044e \u0441\u0445\u0435\u043c\u0443\u00a0OpenBSD (10.5.5.76) <\u2014> (10.5.5.78) Linux<\/strong><\/p>\n

\u0412 \u0434\u0430\u043d\u043d\u043e\u0439 \u0441\u0442\u0430\u0442\u044c\u0435 \u043f\u043e\u0434\u0440\u0430\u0437\u0443\u043c\u0435\u0432\u0430\u0435\u0442\u0441\u044f \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430 \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u0441 \u043d\u0443\u043b\u044f.<\/p>\n

<\/p>\n

OpenBSD<\/span><\/strong><\/h1>\n

\u0422\u0443\u0442 \u043d\u0435\u043c\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0449\u0435, \u0447\u0435\u043c \u0432 Linux\/Solaris<\/strong>.<\/p>\n

\u041d\u0430\u0441\u0442\u0440\u0430\u0438\u0432\u0430\u0435\u043c ike<\/strong>. \u0414\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u043f\u0438\u0448\u0435\u043c \u0432 \u0444\u0430\u0439\u043b \/etc\/ipsec.conf<\/strong> \u0442\u0430\u043a\u0438\u0435 \u0441\u0442\u0440\u043e\u043a\u0438:<\/p>\n

ike active esp transport from 10.5.5.76 to 10.5.5.78 \\\r\n\u00a0 \u00a0 \u00a0 \u00a0 peer 10.5.5.78 \\\r\n\u00a0 \u00a0 \u00a0 \u00a0 main auth hmac-md5 enc 3des \\\r\n\u00a0 \u00a0 \u00a0 \u00a0 quick auth hmac-md5 enc 3des \\\r\n\u00a0 \u00a0 \u00a0 \u00a0 psk \"Very-Very-Secret-Key-1234567890\"\r\n\r\nike active esp transport from 10.5.5.78 to 10.5.5.76 \\\r\n\u00a0 \u00a0 \u00a0 \u00a0 peer 10.5.5.78 \\\r\n\u00a0 \u00a0 \u00a0 \u00a0 main auth hmac-md5 enc 3des \\\r\n\u00a0 \u00a0 \u00a0 \u00a0 quick auth hmac-md5 enc 3des \\\r\n\u00a0 \u00a0 \u00a0 \u00a0 psk \"Very-Very-Secret-Key-1234567890\"<\/pre>\n
\u0412 \u043e\u0431\u0449\u0435\u043c \u0441\u043b\u0443\u0447\u0430\u0435, \u0444\u043e\u0440\u043c\u0430\u0442 \u0434\u043e\u0431\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0437\u0430\u043f\u0438\u0441\u0435\u0439 \u0432 \/etc\/ipsec.conf<\/strong> \u0442\u0430\u043a\u043e\u0439:<\/p>\n
ike [mode] [encap] [tmode] \\\r\n from src to dst \\\r\n local localip peer remoteip \\\r\n main auth algorithm enc algorithm \\\r\n quick auth algorithm enc algorithm \\\r\n psk key<\/pre>\n
\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u043f\u0446\u0438\u0439:<\/p>\n
– mode<\/span><\/em><\/strong><\/p>\n
Defines whether isakmpd will attempt to initiate the IPsec connection or whether it will wait for a connection request from the remote peer. Possible values are:<\/p>\n
    \n
  • active \u2013 Tells isakmpd to initiate the IPsec connection. This is the default.<\/li>\n
  • passive \u2013 Tells isakmpd to wait for a connection request.<\/li>\n
  • dynamic \u2013 Tells isakmpd to initiate the IPsec connection and to enable Dead Peer Detection. This mode should be used when the remote peer has a dynamic IP address.<\/li>\n<\/ul>\n
    – encap<\/span><\/strong><\/em><\/p>\n
    The transport protocol to use, either \u201cesp\u201d or \u201cah\u201c.<\/p>\n
    – tmode<\/span><\/strong><\/em><\/p>\n
    Either \u201ctunnel\u201d or \u201ctransport\u201d and indicates whether to enable tunnel mode or transport mode. The default is \u201ctunnel\u201c.<\/p>\n
    – src<\/span><\/strong><\/em><\/p>\n
    The IP address or subnet where the traffic to be protected is coming from. For a transport mode connection this will be the IP address of the local host. For a tunnel mode connection this will be the subnet and mask of the local network that should have its traffic sent through the IPsec tunnel.<\/p>\n
    – dest<\/span><\/strong><\/em><\/p>\n
    The IP address or subnet where the protected traffic is being sent to. For a transport mode connection this will be the IP address of the remote host. For a tunnel mode connection this will be the subnet and mask of the remote network that will be reachable through the IPsec tunnel.<\/p>\n
    – localip<\/span><\/strong><\/em><\/p>\n
    The IP address on the local machine where isakmpd should source the connection from. This option is generally not needed since isakmpd will choose the correct IP address automatically.<\/p>\n
    – remoteip<\/span><\/strong><\/em><\/p>\n
    The IP address of the remote IPsec gateway.<\/p>\n
    – algorithm<\/span><\/strong><\/em><\/p>\n
    The authentication or encryption algorithm to use during main mode and quick mode. The possible algorithms are documented in the ipsec.conf(5) man page under the \u201cCRYPTO TRANSFORMS\u201d section.<\/p>\n
    – key<\/span><\/strong><\/em><\/p>\n
    The pre-shared key.<\/p>\n
    \u0414\u043b\u044f \u0430\u0432\u0442\u043e\u0437\u0430\u043f\u0443\u0441\u043a\u0430 \u043f\u0440\u0438 \u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0435, \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u043c \u0442\u0430\u043a\u0438\u0435 \u0441\u0442\u0440\u043e\u043a\u0438 \u0432 \/etc\/rc.conf.local<\/strong>:<\/p>\n
    isakmpd_flags=\"-K\" # Avoid keynote(4) policy checking
    \nipsec=YES<\/code><\/p>\n
    \u0422\u0430\u043a \u0436\u0435 \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u0438\u0437\u043c\u0435\u043d\u0438\u0442\u044c \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445 sysctl<\/strong>:<\/p>\n
    net.inet.esp.enable=1 # Enable the ESP IPsec protocol<\/i>
    \nnet.inet.ah.enable=1 # Enable the AH IPsec protocol<\/i>
    \nnet.inet.ip.forwarding=1 # Enable IP forwarding for the host. Set it to '2' to<\/i>\u00a0forward only IPsec traffic<\/i>
    \nnet.inet.ipcomp.enable=1 # Optional: compress IP datagrams<\/i><\/code><\/p>\n
    \u0417\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c \u0441 \u043a\u043e\u043d\u0441\u043e\u043b\u0438:<\/p>\n
    # isakmpd -K
    \n#\u00a0ipsecctl -f \/etc\/ipsec.conf<\/code><\/p>\n
    \u041d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0438 \u043e\u0447\u0435\u043d\u044c \u043f\u0440\u043e\u0441\u0442\u044b\u0435. \u0414\u043b\u044f \u043f\u0440\u043e\u0434\u0432\u0438\u043d\u0443\u0442\u044b\u0445 \u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043a (\u0432\u0440\u0435\u043c\u044f \u043e\u0431\u043c\u0435\u043d\u0430 \u043a\u043b\u044e\u0447\u0430\u043c\u0438 \u0438 \u043f\u0440\u043e\u0447\u0438\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u044b) \u043c\u043e\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0444\u0430\u0439\u043b\u00a0\/etc\/isakmpd\/isakmpd.policy<\/strong><\/p>\n
    Linux<\/span><\/strong><\/h1>\n
    \u0421\u0442\u0430\u0432\u0438\u043c racoon<\/strong>:<\/p>\n
    # apt-get install racoon<\/code><\/p>\n
    \u041f\u043e\u0441\u043b\u0435 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0438 \u0431\u0443\u0434\u0435\u0442 \u0437\u0430\u0434\u0430\u043d \u0432\u043e\u043f\u0440\u043e\u0441 \u043e \u0442\u043e\u043c, \u0447\u0442\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c: direct<\/strong> \u0438\u043b\u0438 ipsec-tools<\/strong>:<\/p>\n
    Configuration mode for racoon IKE daemon.<\/code><\/p>\n
    \u0412\u044b\u0431\u0438\u0440\u0430\u0435\u043c direct<\/strong><\/p>\n
    \u041f\u043e\u0441\u043b\u0435 \u044d\u0442\u043e \u043c\u043e\u0436\u043d\u043e \u043f\u0435\u0440\u0435\u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0432 \u043a\u043e\u043c\u0430\u043d\u0434\u0443:<\/p>\n
    # dpkg-reconfigure racoon<\/code><\/p>\n
    \u041f\u043e\u0441\u043b\u0435 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0438 \u043f\u0440\u0438\u0432\u043e\u0434\u0438\u043c \u0444\u0430\u0439\u043b\u00a0\/etc\/ipsec-tools.conf<\/strong> \u043a \u0442\u0430\u043a\u043e\u043c\u0443 \u0432\u0438\u0434\u0443 (\u044d\u0442\u043e \u0438\u0441\u043f\u043e\u043b\u043d\u044f\u0435\u043c\u044b\u0439 \u0441\u043a\u0440\u0438\u043f\u0442)<\/p>\n
    #!\/usr\/sbin\/setkey -f
    \nflush;
    \nspdflush;
    \nspdadd 10.5.5.78 10.5.5.76 any -P out ipsec esp\/transport\/\/require;
    \nspdadd 10.5.5.76 10.5.5.78 any -P in ipsec esp\/transport\/\/require;
    \n<\/code>
    \n\u0412\u043f\u0438\u0441\u044b\u0432\u0430\u0435\u043c \u043f\u0430\u0440\u043e\u043b\u044c\u043d\u0443\u044e \u0444\u0440\u0430\u0437\u0443 \u0432 \u0444\u0430\u0439\u043b\u00a0\/etc\/racoon\/psk.txt<\/strong>:<\/p>\n
    10.5.5.76 Very-Very-Secret-Key-1234567890<\/code><\/p>\n
    \u041e\u0431\u044f\u0437\u0430\u0442\u0435\u043b\u044c\u043d\u043e \u0441\u0442\u0430\u0432\u0438\u043c \u043f\u0440\u0430\u0432\u0430 \u043d\u0430 \u0444\u0430\u0439\u043b psk.txt 0600 \u0438 \u0432\u043b\u0430\u0434\u0435\u043b\u044c\u0446\u0430 root. \u0411\u0435\u0437 \u044d\u0442\u043e\u0433\u043e \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0435 \u043d\u0435 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c\u0441\u044f, \u0430 racoon \u0431\u0443\u0434\u0435\u0442 \u0440\u0443\u0433\u0430\u0442\u044c\u0441\u044f.<\/span><\/em><\/p>\n
    \u041f\u0440\u0438\u0432\u043e\u0434\u0438\u043c \u0433\u043b\u0430\u0432\u043d\u044b\u0439 \u0444\u0430\u0439\u043b\u00a0\/etc\/raccon.conf<\/strong> \u043a \u0442\u0430\u043a\u043e\u043c\u0443 \u0432\u0438\u0434\u0443:<\/p>\n
    path include \"\/etc\/racoon\";\r\npath pre_shared_key \"\/etc\/racoon\/psk.txt\";\r\nlog debug;\r\n\r\nremote 10.5.5.76 {\r\n        exchange_mode main;\r\n        proposal {\r\n                encryption_algorithm 3des;\r\n                hash_algorithm md5;\r\n                authentication_method pre_shared_key;\r\n                dh_group 2;\r\n                lifetime time 8 hour;\r\n        }\r\n}\r\n\r\nsainfo anonymous{\r\n        pfs_group 5;\r\n        lifetime time 8 hour;\r\n        encryption_algorithm 3des;\r\n        authentication_algorithm hmac_md5;\r\n        compression_algorithm deflate;\r\n}<\/pre>\n
    \u041f\u043e\u0447\u0435\u043c\u0443-\u0442\u043e \u0443 \u043c\u0435\u043d\u044f \u043d\u0435 \u0441\u0442\u0430\u0440\u0442\u043e\u0432\u0430\u043b racoon<\/strong> \u0447\u0435\u0440\u0435\u0437 \u0441\u0442\u0430\u0440\u0442\u043e\u0432\u044b\u0435 \u0441\u043a\u0440\u0438\u043f\u0442\u044b, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u043f\u0440\u0438\u0448\u043b\u043e\u0441\u044c \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0442\u044c \u0432 \/etc\/rc.local<\/strong> \u0442\u0430\u043a\u0438\u0435 \u0441\u0442\u0440\u043e\u043a\u0438.<\/p>\n
    \/etc\/init.d\/setkey start
    \n\/etc\/init.d\/racoon start<\/code><\/p>\n
    \u041f\u043e\u0441\u043b\u0435 \u0443\u0441\u043f\u0435\u0448\u043d\u043e\u0433\u043e \u043f\u043e\u0434\u043d\u044f\u0442\u0438\u044f IPSec’a<\/strong> \u043f\u043e\u0441\u043c\u043e\u0442\u0440\u0438\u043c \u0441\u0442\u0430\u0442\u0438\u0441\u0442\u0438\u043a\u0443 \u043e\u0431\u043c\u0435\u043d\u0430:<\/p>\n
    # setkey -D\r\n10.5.5.78 10.5.5.76 \r\n        esp mode=transport spi=1830646201(0x6d1d71b9) reqid=0(0x00000000)\r\n        E: 3des-cbc  2be2465b 17de93fc 36a4bbd7 80701c3d 014a708f d7fa83b4\r\n        A: hmac-md5  20ad897e 2a9fd760 f194405f 5a7b5b5f\r\n        seq=0x00000000 replay=4 flags=0x00000000 state=mature \r\n        created: Dec 16 10:49:30 2013   current: Dec 16 10:54:35 2013\r\n        diff: 305(s)    hard: 28800(s)  soft: 23040(s)\r\n        last: Dec 16 10:49:30 2013      hard: 0(s)      soft: 0(s)\r\n        current: 38912(bytes)   hard: 0(bytes)  soft: 0(bytes)\r\n        allocated: 608  hard: 0 soft: 0\r\n        sadb_seq=1 pid=2337 refcnt=0\r\n10.5.5.76 10.5.5.78 \r\n        esp mode=transport spi=1123026(0x001122d2) reqid=0(0x00000000)\r\n        E: 3des-cbc  8033551c 2a437bca a7f49840 6b4c9297 3599ec3f 66c3a897\r\n        A: hmac-md5  54f4f442 de9b2a0d ede65369 9657885d\r\n        seq=0x00000000 replay=4 flags=0x00000000 state=mature \r\n        created: Dec 16 10:49:30 2013   current: Dec 16 10:54:35 2013\r\n        diff: 305(s)    hard: 28800(s)  soft: 23040(s)\r\n        last: Dec 16 10:49:30 2013      hard: 0(s)      soft: 0(s)\r\n        current: 38912(bytes)   hard: 0(bytes)  soft: 0(bytes)\r\n        allocated: 608  hard: 0 soft: 0\r\n        sadb_seq=2 pid=2337 refcnt=0<\/pre>\n
    \u0418 \u0442\u0440\u0430\u0434\u0438\u0446\u0438\u043e\u043d\u043d\u043e \u043f\u0440\u043e\u0432\u0435\u0440\u0438\u0442\u044c \u0447\u0435\u0440\u0435\u0437 tcpdump<\/strong>, \u0447\u0442\u043e \u0432\u0441\u0451 \u0448\u0438\u0444\u0440\u0443\u0435\u0442\u0441\u044f:<\/p>\n
    # tcpdump -i eth0 host 10.5.5.76\r\n10:49:30.763461 IP 10.5.5.76 > 10.5.5.78: ESP(spi=0x001122d2,seq=0x2), length 100\r\n10:49:30.763594 IP 10.5.5.78 > 10.5.5.76: ESP(spi=0x6d1d71b9,seq=0x1), length 100\r\n10:49:31.025071 IP 10.5.5.78 > 10.5.5.76: ESP(spi=0x6d1d71b9,seq=0x2), length 100\r\n10:49:31.025586 IP 10.5.5.76 > 10.5.5.78: ESP(spi=0x001122d2,seq=0x3), length 100<\/pre>\n","protected":false},"excerpt":{"rendered":"
    \u0422\u0435\u0441\u0442\u043e\u0432\u044b\u0439 \u0441\u0442\u0435\u043d\u0434:\u00a0OpenBSD 5.4, Debian Linux 6 (kernel 3.2), ipsec transport mode with preshared keys \u041d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430\u00a0IPSec\u00a0\u0441\u043e\u0441\u0442\u043e\u0438\u0442 \u0438\u0437 2-\u0445 \u0447\u0430\u0441\u0442\u0435\u0439: \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430\u00a0IPSec\u2019a\u00a0\u0438 \u043d\u0435\u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0435\u043d\u043d\u043e \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430 \u043e\u0431\u043c\u0435\u043d\u0430 \u043a\u043b\u044e\u0447\u0430\u043c\u0438 (ike). \u0418\u043c\u0435\u0435\u043c \u0441\u0430\u043c\u0443\u044e \u043e\u0431\u044b\u0447\u043d\u0443\u044e \u0441\u0445\u0435\u043c\u0443\u00a0OpenBSD (10.5.5.76) <\u2014> (10.5.5.78) Linux \u0412 \u0434\u0430\u043d\u043d\u043e\u0439 \u0441\u0442\u0430\u0442\u044c\u0435 \u043f\u043e\u0434\u0440\u0430\u0437\u0443\u043c\u0435\u0432\u0430\u0435\u0442\u0441\u044f \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430 \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u0441 \u043d\u0443\u043b\u044f.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,25],"tags":[],"class_list":["post-4029","post","type-post","status-publish","format-standard","hentry","category-linux","category-openbsd"],"_links":{"self":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/4029","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4029"}],"version-history":[{"count":5,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/4029\/revisions"}],"predecessor-version":[{"id":5385,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=\/wp\/v2\/posts\/4029\/revisions\/5385"}],"wp:attachment":[{"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4029"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4029"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/skeletor.org.ua\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4029"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}