问题一:第三方对接都配置好了,实时抓包却未见AF-1020发isakmp或esp包。
1,第一阶段里要配线路出口,网络接口要选对接口并指定同样的线路出口。
2,VPN接口设置里要选择另一个网络接口为内网接口。
3,线路出口对应的网络接口与内网对应的网络接口不能相同网段。
问题二:第一阶段过后不进行第二阶段。
有可能在第二阶段设置中,出站策略与入站策略的源IP子网相同了。
问题三:同一个连接中无法生成多个ESP通道。
比如,同一个连接对应的第二阶段设置中,出站策略两个,入站策略两个,在AF-1020主动发起quick mode协商时,会一股脑儿向对端发2X2=4个esp sa isakmp包。
但根据ike协议的要求,每个包取hash需要的iv是放在ike sa的上下文中,这样其中3个esp sa isakmp包会被对端认为hash payload不正确而被抛弃。
而AF-1020 DLAN运行状态中却显示第二个通信连接成功了,其实是个BUG。
但是AF-1020在被动quick mode协商中,可以正确生成多个ESP通道。
ipsec
验证IPSec抗重放攻击
linux内核xfrm参数replay-window用于设定抗重放攻击效果。
replay-window为0表示不启用抗重放攻击,大于0时表示当前esp/ah包活动序列窗口大小,序号太旧的包因赶不上活动窗口而被丢弃或回复失败包。
在基于
StrongSwan PSK RSA
连通的环境下。
在C机器中编辑/etc/strongswan.d/charon.conf,更改replay-window值。
重启strongswan并启动连接后,可能通过命令
1 | ip xfrm state |
查看strongswan有没有将参数值设定到内核中。
在B机器中
1 | apt install tcpreplay |
在B机器中启动两个wireshark进程,分别抓包vmnet2和vmnet3。
当B和C中的strongswan都启动并连通后,在A中ping D的ip。
此时在B中抓vmnet3上的esp包,抓了几个后,点击对应wireshark窗口菜单
1 | File/Export Specified Packet |
将这些esp包保存为文件
1 | /tmp/esp-b2c.pcapng |
在A中停止ping D的ip。
在B的bash中执行
1 | tcpreplay -i enp2s6 /tmp/esp-b2c.pcapng |
其中enp2s6是网卡vmnet3对应的识别名。
可以看到,
当C中的replay-window参数设为0时,B中的vmnet2上会抓到模拟重放的icmp ping包,并且方向是10.2.0.10至10.1.0.10。
当C中的replay-window参数不为0时,B中的vmnet2上抓不到模拟重放的icmp ping包。
一旦重启B或C中的strongswan,使用旧的esp-b2c.pcapng文件重放时,不管C中的replay-window取何值,B中的vmnet2上都不会出现模拟重放包。
IPSec备忘录
名词缩写
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 | psk: pre-shared key pki: public key infrastructure pkcs: the public-key cryptography standards ah: authentication header esp: encapsulating security payload esn: extended sequence number, rfc 4304 spi: security parameter index ike: internet key exchange isakmp: internet security association and key management protocol sa: security association spd: security policy database sad: sa database pad: peer authorization database dh: diffie-hellman, oakley gre: general routing encapsulation nas: network access server pap: password authentication protocol chap: challenge-handshake authentication protocol eap: extensible authentication protocol leap: lightweight eap peap: protected eap tls:transport layer security ssl: secure socket layer fast: flexible authentication via secure tunneling pac: protected authentication credential pptp: point to point tunneling protocol l2f: layer 2 forwarding l2tp: layer 2 tunneling protocol sstp: secure socket tunneling protocol vrc: vpn remote client des: data encryption standard aes: advanced encryption standard ecb: electronic codebook book cbc: cipher block chaining ctr: counter cfb: cipher feedback ofb: output feedback hmac: hash-based message authentication code sha1: secure hash algorithm 1 prf: pseudo-random function aead: authenticated encryption with associated data icv: integrity check value ocsp: online certificate status protocol dpd: dead peer detection |
rfc
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | rfc1994: PPP Challenge Handshake Authentication Protocol (CHAP) rfc2865: Remote Authentication Dial In User Service (RADIUS) rfc3579: RADIUS Support For Extensible Authentication Protocol (EAP) rfc3748: Extensible Authentication Protocol (EAP) rfc4186: EAP Method for GSM Subscriber Identity Modules (EAP-SIM) rfc4187: EAP Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) rfc4301: Security Architecture for the Internet Protocol rfc4306: Internet Key Exchange (IKEv2) Protocol rfc4307: Cryptographic Algorithms for Use in IKEv2 rfc4478: Repeated Authentication in Internet Key Exchange (IKEv2) Protocol rfc4543: The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH rfc4555: IKEv2 Mobility and Multihoming Protocol (MOBIKE) rfc4718: IKEv2 Clarifications and Implementation Guidelines rfc4739: Multiple Authentication Exchanges in the Internet Key Exchange (IKEv2) Protocol rfc4806: Online Certificate Status Protocol (OCSP) Extensions to IKEv2 rfc5996: Internet Key Exchange Protocol Version 2 (IKEv2) rfc5998: An Extension for EAP-Only Authentication in IKEv2 rfc6479: IPsec Anti-Replay Algorithm without Bit Shifting |
ipsec-tools
1 2 | setkey: sad, spd racoon: ike sa, ipsec sa |
网络分层
1 2 3 4 5 | 物理层,也叫第一层 链路层,也叫第二层(MAC) 网络层,也叫第三层(IP) 传输层(TCP) 应用层(HTTP) |
TCP术语
1 2 3 4 5 6 7 8 9 10 | tos: type of service ecn: explicit congestion notification dscp: differentiated services codepoint rtt: round-trip time ttl: time to live tso: tcp segmentation offloading ufo: udp fragmentation offloading qdisc: queueing discipline poe: power over ethernet toe: tcp offload engine |
IPS
1 2 | ids: intrusion detection system ips: intrusion prevention system |
refer to:
https://blog.csdn.net/jiangwlee/article/details/7395903
https://baike.baidu.com/item/PKCS/1042350?fr=aladdin
https://blog.csdn.net/qq_27969037/article/details/95929199
https://wikitech.wikimedia.org/wiki/IPsec
https://datatracker.ietf.org/doc/html/rfc2401
https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
odp禁止ipsec
1 2 3 4 5 6 7 8 9 10 11 12 13 | odp_init_t init_param; odp_init_param_init(&init_param); init_param.not_used.feat.ipsec = 1; init_param.not_used.feat.crypto = 1; init_param.not_used.feat.compress = 1; init_param.not_used.feat.tm = 1; if (0 != odp_init_global(&instance, &init_param, NULL)) { DBG(("init odp global failed.\n")); return 0; } |