آموزش IPSEC بر روي Cent OS

**Sohan Roh** · June 10th, 2013, 00:28

IPSec in CentOS 5
This is how I implement a tunnel mode IPSec *** in linux using CentOS 5. No additional
software is needed just do a minimal install.

(PH) Network to (RO) Network IPsec Tunneled Diagram
================================================== =
10.0.10.0/24 10.0.20.0/24
| |
| eth1 eth0 eth0 eth1 |
|--------[GW-PH]--------------[Internet]--------------[GW-RO]--------|
| \ / \ / |
| \ / \ / |
LAN-PH \ / \ / LAN-RO
+------[IPSEC0]------+ +------[IPSEC1]------+

Test Network Lab
================
GW-PH connected to ISP1

eth0: X.X.X.X
eth1: 10.0.10.254/24

GW-RO connected to ISP2

eth0: Y.Y.Y.Y
eth1: 10.0.20.254/24

Configuration GW-PH
===================

/etc/sysconfig/network-scripts/ifcfg-ipsec0
-------------------------------------------
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=10.0.10.254
DSTGW=10.0.20.254
SRCNET=10.0.10.0/24
DSTNET=10.0.20.0/24
DST=Y.Y.Y.Y

/etc/sysconfig/network-scripts/keys-ipsec0 <- (Pre-Shared Key File)
------------------------------------------
IKE_PSK=xM45t1m3

# chmod 600 /etc/sysconfig/network-scripts/keys-ipsec0

Configuration GW-RO
===================

/etc/sysconfig/network-scripts/ifcfg-ipsec1
-------------------------------------------
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=10.0.20.254
DSTGW=10.0.10.254
SRCNET=10.0.20.0/24
DSTNET=10.0.10.0/24
DST=X.X.X.X

/etc/sysconfig/network-scripts/keys-ipsec1 <- (Pre-Shared Key File)
------------------------------------------
IKE_PSK=xM45t1m3

# chmod 600 /etc/sysconfig/network-scripts/keys-ipsec1

Test IPsec connection
=====================

Ping test from 10.0.10.1 (LAN-PH) to 10.0.20.1 (LAN-RO)
================================================== =====

# ping -c 5 10.0.20.1
PING 10.0.20.1 (10.0.20.1) 56(84) bytes of data.
64 bytes from 10.0.20.1: icmp_seq=1 ttl=62 time=323 ms
64 bytes from 10.0.20.1: icmp_seq=2 ttl=62 time=352 ms
64 bytes from 10.0.20.1: icmp_seq=3 ttl=62 time=303 ms
64 bytes from 10.0.20.1: icmp_seq=4 ttl=62 time=303 ms
64 bytes from 10.0.20.1: icmp_seq=5 ttl=62 time=287 ms

--- 10.0.20.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 287.301/314.007/352.577/22.485 ms

Ping test from 10.0.20.1 (LAN-RO) to 10.0.10.1 (LAN-PH)
================================================== =====

# ping -c 5 10.0.10.1
PING 10.0.10.1 (10.0.10.1) 56(84) bytes of data.
64 bytes from 10.0.10.1: icmp_seq=1 ttl=62 time=280 ms
64 bytes from 10.0.10.1: icmp_seq=2 ttl=62 time=281 ms
64 bytes from 10.0.10.1: icmp_seq=3 ttl=62 time=301 ms
64 bytes from 10.0.10.1: icmp_seq=4 ttl=62 time=280 ms
64 bytes from 10.0.10.1: icmp_seq=5 ttl=62 time=301 ms

--- 10.0.10.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 280.531/289.254/301.588/10.074 ms

Tcpdump at GW-PH eth0 external interface
========================================

# tcpdump -ne -i eth0 | grep AH

20:01:34.220270 00:0f:ea:44:32:8f > 00:0c:30:12

ff, ethertype IPv4 (0x0800), length 194: X.X.X.X > Y.Y.Y.Y:
AH(spi=0x0c4fd1d5,seq=0x9e4): X.X.X.X > Y.Y.Y.Y: ESP(spi=0x07c70a90,seq=0x9e4), length 116 (ipip-proto-4)
20:01:34.519944 00:0c:30:12

ff > 00:0f:ea:44:32:8f, ethertype IPv4 (0x0800), length 194: Y.Y.Y.Y > X.X.X.X:
AH(spi=0x0cb22b2f,seq=0x9e5): Y.Y.Y.Y > X.X.X.X: ESP(spi=0x07f9ed8e,seq=0x9e5), length 116 (ipip-proto-4)
20:01:34.520080 00:0f:ea:44:32:8f > 00:0c:30:12

ff, ethertype IPv4 (0x0800), length 194: X.X.X.X > Y.Y.Y.Y:
AH(spi=0x0c4fd1d5,seq=0x9e5): X.X.X.X > Y.Y.Y.Y: ESP(spi=0x07c70a90,seq=0x9e5), length 116 (ipip-proto-4)
20:01:34.529972 00:0c:30:12

ff > 00:0f:ea:44:32:8f, ethertype IPv4 (0x0800), length 194: Y.Y.Y.Y > X.X.X.X:
AH(spi=0x0cb22b2f,seq=0x9e6): Y.Y.Y.Y > X.X.X.X: ESP(spi=0x07f9ed8e,seq=0x9e6), length 116 (ipip-proto-4)

Tcpdump at GW-RO eth0 external interface
========================================

# tcpdump -ne -i eth0 | grep AH

20:00:27.629763 00:14:85

95:1c > 00:18:b9:f4:97:ce, ethertype IPv4 (0x0800), length 194: Y.Y.Y.Y > X.X.X.X:
AH(spi=0x0cb22b2f,seq=0x97d): Y.Y.Y.Y > X.X.X.X: ESP(spi=0x07f9ed8e,seq=0x97d), length 116 (ipip-proto-4)
20:00:27.633652 00:18:b9:f4:97:ce > 00:14:85

95:1c, ethertype IPv4 (0x0800), length 194: X.X.X.X > Y.Y.Y.Y:
AH(spi=0x0c4fd1d5,seq=0x97c): X.X.X.X > Y.Y.Y.Y: ESP(spi=0x07c70a90,seq=0x97c), length 116 (ipip-proto-4)
20:00:27.633777 00:14:85

95:1c > 00:18:b9:f4:97:ce, ethertype IPv4 (0x0800), length 194: Y.Y.Y.Y > X.X.X.X:
AH(spi=0x0cb22b2f,seq=0x97e): Y.Y.Y.Y > X.X.X.X: ESP(spi=0x07f9ed8e,seq=0x97e), length 116 (ipip-proto-4)
20:00:27.908204 00:18:b9:f4:97:ce > 00:14:85

95:1c, ethertype IPv4 (0x0800), length 194: X.X.X.X > Y.Y.Y.Y:
AH(spi=0x0c4fd1d5,seq=0x97d): X.X.X.X > Y.Y.Y.Y: ESP(spi=0x07c70a90,seq=0x97d), length 116 (ipip-proto-4

موضوع: آموزش IPSEC بر روي Cent OS

ابزارهای موضوع

نحوه نمایش موضوع

آموزش IPSEC بر روي Cent OS

تعداد تشکر ها از Sohan Roh به دلیل پست مفید

اطلاعات موضوع

کاربرانی که در حال مشاهده این موضوع هستند

موضوعات مشابه

آموزش ايجاد وي پي اس بر روي سرور اختصاصي

مجوز های ارسال و ویرایش