Linux从2.6内核开始自带IPsec模块,配合IPsec-Tools,可以实现Linux的IPsec功能。
IPsec-Tools包含4个模块
- libipsec:PF_KEY实现库
- setkey:用于配置SAD(安全关联数据库)和SPD(安全策略数据库)
- racoon:IKE守护程序,用于自动建立IPsec连接
- racoonctl:操作racoon的shell工具
安装步骤
- 下载压缩包ipsec-tools-0.8.0.tar.bz2。
- 解压
tar -jxvf ipsec-tools-0.8.0.tar.bz2
- 进入解压目录,configure
cd ipsec-tools-0.8.0
export CFLAGS="-fno-strict-aliasing"
这一步不执行make阶段会报错。./configure --with-kernel-headers=/lib/modules/2.6.*/build/include
此处必须指定kernel header,系统内核版本必须为2.6 - make
make
- make install
make install
配置文件
- setkey.conf:SAD和SPD配置信息
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec
esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec
esp/tunnel/2.2.2.2-1.1.1.1/require;
- psk.txt 预共享密钥,用于进行IPsec连接
1.1.1.1 testkey
2.2.2.2 testkey
注:psk.txt文件的权限应该为400,可使用dd if=/dev/random count=16 bs=1| xxd -ps
命令生成密钥。
- racoon.conf:自动建立IPsec连接的配置文件
#!/usr/local/bin/racoon
path include "/root";
path pre_shared_key "/root/psk.txt";
remote 10.114.30.21 {
exchange_mode aggressive;
lifetime time 15 min;
proposal {
encryption_algorithm rijndael 128;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 14;
}
}
sainfo address 10.114.30.1/32 any address 10.114.30.21/32 any
{
pfs_group 14;
lifetime time 15 mins;
encryption_algorithm rijndael 128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
sainfo address 10.114.30.21/32 any address 10.114.30.1/32 any
{
pfs_group 14;
lifetime time 15 mins;
encryption_algorithm rijndael 128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
建立IPsec隧道
1、 加载setkey.cof配置文件 setkey -f setkey.conf
此时使用setkey -DP
命令可以看到SPD数据
1.1.1.1[any] 2.2.2.2[any] any
in prio def ipsec
esp/tunnel/10.114.30.21-10.114.30.1/require
created: Apr 18 09:45:58 2018 lastused:
lifetime: 0(s) validtime: 0(s)
spid=600 seq=2 pid=97144
refcnt=1
2.2.2.2[any] 1.1.1.1[any] any
out prio def ipsec
esp/tunnel/10.114.30.1-10.114.30.21/require
created: Apr 18 09:45:58 2018 lastused:
lifetime: 0(s) validtime: 0(s)
spid=593 seq=3 pid=97144
refcnt=1
使用setkey -D
显示无SAD Entry
No SAD entries.
2、启动racoon进程 /usr/local/sbin/racoon -f -ddddddd /root/racoon.conf -l /tmp/ipsec-log.txt -v
此时在1.1.1.1上ping 2.2.2.2,并在2.2.2.2上使用tcpdump抓esp报文 tcpdump -i eth0 -n src 1.1.1.1 and esp
20:27:46.708527 IP 10.114.30.1 > 10.114.30.21: ESP(spi=0x0cedc045,seq=0x1), length 132
20:27:47.708474 IP 10.114.30.1 > 10.114.30.21: ESP(spi=0x0cedc045,seq=0x2), length 132
可以看到esp报文,说明IPsec隧道已经建立,ping命令发出的的ICMP报文已经被加密。
setkey -FP
刷新SPD setkey -F
刷新SAD
这两个操作会清楚SAD和SPD,关闭ipsec隧道。
- 查看日志
tail -f /tmp/ipsec-log.txt
2018-04-17 19:40:23: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2018-04-17 19:40:23: INFO: @(#)This product linked OpenSSL 1.0.1e-fips 11 Feb 2013 (http://www.openssl.org/)
2018-04-17 19:40:23: INFO: Reading configuration from "/root/racoon.conf"
2018-04-17 19:40:23: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
2018-04-17 19:40:23: INFO: 1.1.1.1[500] used as isakmp port (fd=7)
从日志中可以看到建立隧道的过程,需要开启Debug模式。