StrongSwan PSK RSA

Four virtual machines A, B, C and D, and three Host-Only virtual networks vmnet2, vmnet3 and vmnet4, with DHCP disabled on all of them.

A
vmnet2: 10.1.0.10/24 gw 10.1.0.2
B
vmnet2: 10.1.0.2/24
vmnet3: 192.168.0.2/24
C
vmnet3: 192.168.0.3/24
vmnet4: 10.2.0.2/24
D
vmnet4: 10.2.0.10/24 gw 10.2.0.2

Download, build and install strongswan 5.4.0 on both B and C; the version can be identified in config.h.

wget http://download.strongswan.org/strongswan-5.4.0.tar.bz2
apt-get install libgmp-dev
apt-get install libssl-dev
tar -jxvf strongswan-5.4.0.tar.bz2
cd strongswan-5.4.0
./configure --sysconfdir=/etc --enable-openssl --enable-gmp --prefix=`pwd`/installed
make && make install

Both B and C mount the same shared folder, share.
Generate the certificates on B:

mkdir cert && cd cert
ipsec pki --gen --outform pem > ca.pem
ipsec pki --self --in ca.pem --dn "C=CN, O=NetworkLab, CN=NetworkLab CA" --ca --outform pem > ca.cert.pem
 
ipsec pki --gen --outform pem > sun.server.pem
ipsec pki --pub --in sun.server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=CN, O=NetworkLab, CN=sun.com" --san="sun.com" --flag serverAuth --flag ikeIntermediate --outform pem > sun.server.cert.pem
ipsec pki --gen --outform pem > moon.server.pem
ipsec pki --pub --in moon.server.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=CN, O=NetworkLab, CN=moon.com" --san="moon.com" --flag serverAuth --flag ikeIntermediate --outform pem > moon.server.cert.pem
 
ipsec pki --gen --outform pem > sun.client.pem
ipsec pki --pub --in sun.client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=CN, O=NetworkLab, CN=client" --outform pem > sun.client.cert.pem
ipsec pki --gen --outform pem > moon.client.pem
ipsec pki --pub --in moon.client.pem | ipsec pki --issue --cacert ca.cert.pem --cakey ca.pem --dn "C=CN, O=NetworkLab, CN=client" --outform pem > moon.client.cert.pem
cd .. && mv cert /mnt/hgfs/share/

Install the certificates on B:

cp -r /mnt/hgfs/share/cert/ca.cert.pem /etc/ipsec.d/cacerts/
cp -r /mnt/hgfs/share/cert/moon.server.cert.pem /etc/ipsec.d/certs/
cp -r /mnt/hgfs/share/cert/moon.server.pem /etc/ipsec.d/private/
cp -r /mnt/hgfs/share/cert/sun.client.cert.pem /etc/ipsec.d/certs/
cp -r /mnt/hgfs/share/cert/sun.client.pem /etc/ipsec.d/private/

Install the certificates on C:

cp -r /mnt/hgfs/share/cert/ca.cert.pem /etc/ipsec.d/cacerts/
cp -r /mnt/hgfs/share/cert/sun.server.cert.pem /etc/ipsec.d/certs/
cp -r /mnt/hgfs/share/cert/sun.server.pem /etc/ipsec.d/private/
cp -r /mnt/hgfs/share/cert/moon.client.cert.pem /etc/ipsec.d/certs/
cp -r /mnt/hgfs/share/cert/moon.client.pem /etc/ipsec.d/private/

Configuration on B
/etc/ipsec.conf

config setup
	# strictcrlpolicy=yes
	# uniqueids = no
conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2
	mobike=no
conn net-net-rsa
	left=192.168.0.2
	leftcert=moon.server.cert.pem
	leftsubnet=10.1.0.0/24
	leftid=@moon.com
	leftfirewall=yes
	right=192.168.0.3
	rightsubnet=10.2.0.0/24
	rightid=@sun.com
	auto=add
conn net-net-psk
	keyexchange=ikev1
	authby=secret
	left=192.168.0.2
	leftsubnet=10.1.0.0/16
	leftid=@xxx.server.com
	leftfirewall=yes
	right=192.168.0.3
	rightsubnet=10.2.0.0/16
	rightid=@yyy.server.com
	ike=aes-sha1-modp1024
	esp=aes-sha1-modp1024
	auto=route
	type=tunnel

/etc/ipsec.secrets

@xxx.server.com @yyy.server.com : PSK hello
: RSA moon.server.pem

/etc/strongswan.conf

charon {
	load_modular = yes
	plugins {
		include strongswan.d/charon/*.conf
	}
}
include strongswan.d/*.conf

Configuration on C
/etc/ipsec.conf

config setup
	# strictcrlpolicy=yes
	# uniqueids = no
conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2
	mobike=no
conn net-net-rsa
	left=192.168.0.3
	leftcert=sun.server.cert.pem
	leftsubnet=10.2.0.0/24
	leftid=@sun.com
	leftfirewall=yes
	right=192.168.0.2
	rightsubnet=10.1.0.0/24
	rightid=@moon.com
	auto=add
conn net-net-psk
	keyexchange=ikev1
	authby=secret
	left=192.168.0.3
	leftsubnet=10.2.0.0/16
	leftid=@yyy.server.com
	leftfirewall=yes
	right=192.168.0.2
	rightsubnet=10.1.0.0/16
	rightid=@xxx.server.com
	ike=aes-sha1-modp1024
	esp=aes-sha1-modp1024
	auto=route
	type=tunnel

/etc/ipsec.secrets

@xxx.server.com @yyy.server.com : PSK hello
: RSA sun.server.pem

/etc/strongswan.conf

charon {
	load_modular = yes
	plugins {
		include strongswan.d/charon/*.conf
	}
}
include strongswan.d/*.conf
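
A lint pass over the ipsec.conf and ipsec.secrets shown above, as an added example that is not part of the original post: it merges conn %default into each conn, then reports IKEv1, 1024-bit DH groups, legacy algorithms and short PSKs without echoing the secret. The WEAK table and MIN_PSK_LEN are assumed local policy values, and parse_conns and audit are hypothetical helper names.

```python
import re
# Constructed sample: B's two conns from this page, trimmed to the relevant keys.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
conn net-net-rsa
    leftcert=moon.server.cert.pem
conn net-net-psk
    keyexchange=ikev1
    ike=aes-sha1-modp1024
    esp=aes-sha1-modp1024
"""
SAMPLE_SECRETS = "@xxx.server.com @yyy.server.com : PSK hello\n: RSA moon.server.pem\n"

# Assumptions: local policy values, not strongSwan defaults.
WEAK = {"modp768": "weak DH group", "modp1024": "weak DH group",
        "md5": "legacy algorithm", "sha1": "legacy algorithm", "3des": "legacy algorithm"}
MIN_PSK_LEN = 20

def parse_conns(text):
    """Return {conn: {key: value}} with conn %default merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():  # section header, e.g. "conn net-net-psk"
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = sections.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def audit(conf_text, secrets_text):
    """Return sorted (location, finding) tuples; the PSK itself is never echoed."""
    findings = []
    for name, opts in parse_conns(conf_text).items():
        if opts.get("keyexchange") == "ikev1":
            findings.append((name, "IKEv1 (deprecated by RFC 9395)"))
        for key in ("ike", "esp"):
            for token in re.split(r"[-,!]", opts.get(key, "")):
                if token in WEAK:
                    findings.append((name, f"{key}: {WEAK[token]} {token}"))
    for line in secrets_text.splitlines():
        m = re.match(r"[^#]*:\s*PSK\s+(.+)", line)
        if m and len(m.group(1).strip().strip('"')) < MIN_PSK_LEN:
            findings.append(("ipsec.secrets", f"PSK under {MIN_PSK_LEN} characters"))
    return sorted(findings)
```

On the sample, audit(SAMPLE_CONF, SAMPLE_SECRETS) returns six findings, all for net-net-psk and ipsec.secrets; net-net-rsa inherits keyexchange=ikev2 from conn %default and produces none.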

At this point, run the following on both B and C:

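echo 1 > /proc/sys/net/ipv4/ip_forward
# --nofork keeps the daemon in the foreground; run the ipsec up commands from a second terminal
ipsec restart --nofork
# to use RSA authentication
ipsec up net-net-rsa
# to use PSK authentication
ipsec up net-net-psk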

Finally, ping machine D from A.

refer to:
https://www.strongswan.org/
https://blog.csdn.net/puppylpg/article/details/64918562
http://www.hqyman.cn/post/543.html
https://www.cnblogs.com/hugetong/p/10150992.html

IPsec memo

Abbreviations

psk: pre-shared key
pki: public key infrastructure
pkcs: the public-key cryptography standards
ah: authentication header
esp: encapsulating security payload
esn: extended sequence number, rfc 4304
spi: security parameter index
ike: internet key exchange
isakmp: internet security association and key management protocol
sa: security association
spd: security policy database
sad: sa database
pad: peer authorization database
dh: diffie-hellman, oakley
gre: generic routing encapsulation
nas: network access server
pap: password authentication protocol
chap: challenge-handshake authentication protocol
eap: extensible authentication protocol
leap: lightweight eap
peap: protected eap
tls: transport layer security
ssl: secure sockets layer
fast: flexible authentication via secure tunneling
pac: protected authentication credential
pptp: point to point tunneling protocol
l2f: layer 2 forwarding
l2tp: layer 2 tunneling protocol
sstp: secure socket tunneling protocol
vrc: vpn remote client
des: data encryption standard
aes: advanced encryption standard
 ecb: electronic codebook
 cbc: cipher block chaining
 ctr: counter
 cfb: cipher feedback
 ofb: output feedback
hmac: hash-based message authentication code
sha1: secure hash algorithm 1
prf: pseudo-random function
aead: authenticated encryption with associated data
icv: integrity check value
ocsp: online certificate status protocol
dpd: dead peer detection

rfc

rfc1994: PPP Challenge Handshake Authentication Protocol (CHAP)
rfc2865: Remote Authentication Dial In User Service (RADIUS)
rfc3579: RADIUS Support For Extensible Authentication Protocol (EAP)
rfc3748: Extensible Authentication Protocol (EAP)
rfc4186: EAP Method for GSM Subscriber Identity Modules (EAP-SIM)
rfc4187: EAP Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)
rfc4301: Security Architecture for the Internet Protocol
rfc4306: Internet Key Exchange (IKEv2) Protocol
rfc4307: Cryptographic Algorithms for Use in IKEv2
rfc4478: Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
rfc4543: The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
rfc4555: IKEv2 Mobility and Multihoming Protocol (MOBIKE)
rfc4718: IKEv2 Clarifications and Implementation Guidelines
rfc4739: Multiple Authentication Exchanges in the Internet Key Exchange (IKEv2) Protocol
rfc4806: Online Certificate Status Protocol (OCSP) Extensions to IKEv2
rfc5996: Internet Key Exchange Protocol Version 2 (IKEv2)
rfc5998: An Extension for EAP-Only Authentication in IKEv2
rfc6479: IPsec Anti-Replay Algorithm without Bit Shifting

ipsec-tools

setkey: sad, spd
racoon: ike sa, ipsec sa

Network layers

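Physical layer, also called layer 1
Link layer, also called layer 2 (MAC)
Network layer, also called layer 3 (IP)
Transport layer (TCP)
Application layer (HTTP)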

TCP terminology

tos: type of service
ecn: explicit congestion notification
dscp: differentiated services codepoint
rtt: round-trip time
ttl: time to live
tso: tcp segmentation offloading
ufo: udp fragmentation offloading
qdisc: queueing discipline
poe: power over ethernet
toe: tcp offload engine

IPS

ids: intrusion detection system
ips: intrusion prevention system

refer to:
https://blog.csdn.net/jiangwlee/article/details/7395903
https://baike.baidu.com/item/PKCS/1042350?fr=aladdin
https://blog.csdn.net/qq_27969037/article/details/95929199
https://wikitech.wikimedia.org/wiki/IPsec
https://datatracker.ietf.org/doc/html/rfc2401
https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf