Linux從2.6內核開始自帶IPsec模塊,配合IPsec-Tools,可以實現Linux的IPsec功能。
IPsec-Tools包含4個模塊
- libipsec:PF_KEY實現庫
- setkey:用於配置SAD(安全關聯數據庫)和SPD(安全策略數據庫)
- racoon:IKE守護程序,用於自動建立IPsec連接
- racoonctl:操作racoon的shell工具
安裝步驟
- 下載壓縮包ipsec-tools-0.8.0.tar.bz2。
- 解壓
tar -jxvf ipsec-tools-0.8.0.tar.bz2 - 進入解壓目錄,configure
cd ipsec-tools-0.8.0
export CFLAGS="-fno-strict-aliasing"這一步不執行make階段會報錯。
./configure --with-kernel-headers=/lib/modules/2.6.*/build/include此處必須指定kernel header,系統內核版本必須為2.6 - make
make - make install
make install
配置文件
- setkey.conf:SAD和SPD配置信息
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec
esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec
esp/tunnel/2.2.2.2-1.1.1.1/require;- psk.txt 預共享密鑰,用於進行IPsec連接
1.1.1.1 testkey
2.2.2.2 testkey
注:psk.txt文件的權限應該為400,可使用dd if=/dev/random count=16 bs=1| xxd -ps命令生成密鑰。
- racoon.conf:自動建立IPsec連接的配置文件
#!/usr/local/bin/racoon
path include "/root";
path pre_shared_key "/root/psk.txt";
remote 10.114.30.21 {
exchange_mode aggressive;
lifetime time 15 min;
proposal {
encryption_algorithm rijndael 128;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 14;
}
}
sainfo address 10.114.30.1/32 any address 10.114.30.21/32 any
{
pfs_group 14;
lifetime time 15 mins;
encryption_algorithm rijndael 128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
sainfo address 10.114.30.21/32 any address 10.114.30.1/32 any
{
pfs_group 14;
lifetime time 15 mins;
encryption_algorithm rijndael 128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
} 建立IPsec隧道
1、 加載setkey.cof配置文件
setkey -f setkey.conf
此時使用setkey -DP命令可以看到SPD數據
1.1.1.1[any] 2.2.2.2[any] any
in prio def ipsec
esp/tunnel/10.114.30.21-10.114.30.1/require
created: Apr 18 09:45:58 2018 lastused:
lifetime: 0(s) validtime: 0(s)
spid=600 seq=2 pid=97144
refcnt=1
2.2.2.2[any] 1.1.1.1[any] any
out prio def ipsec
esp/tunnel/10.114.30.1-10.114.30.21/require
created: Apr 18 09:45:58 2018 lastused:
lifetime: 0(s) validtime: 0(s)
spid=593 seq=3 pid=97144
refcnt=1使用setkey -D顯示無SAD Entry
No SAD entries.
2、啟動racoon進程
/usr/local/sbin/racoon -f -ddddddd /root/racoon.conf -l /tmp/ipsec-log.txt -v
此時在1.1.1.1上ping 2.2.2.2,並在2.2.2.2上使用tcpdump抓esp報文
tcpdump -i eth0 -n src 1.1.1.1 and esp
20:27:46.708527 IP 10.114.30.1 > 10.114.30.21: ESP(spi=0x0cedc045,seq=0x1), length 132
20:27:47.708474 IP 10.114.30.1 > 10.114.30.21: ESP(spi=0x0cedc045,seq=0x2), length 132
可以看到esp報文,說明IPsec隧道已經建立,ping命令發出的的ICMP報文已經被加密。
setkey -FP 刷新SPD
setkey -F 刷新SAD
這兩個操作會清楚SAD和SPD,關閉ipsec隧道。
- 查看日志
tail -f /tmp/ipsec-log.txt2018-04-17 19:40:23: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2018-04-17 19:40:23: INFO: @(#)This product linked OpenSSL 1.0.1e-fips 11 Feb 2013 (http://www.openssl.org/)
2018-04-17 19:40:23: INFO: Reading configuration from "/root/racoon.conf"
2018-04-17 19:40:23: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
2018-04-17 19:40:23: INFO: 1.1.1.1[500] used as isakmp port (fd=7)
從日志中可以看到建立隧道的過程,需要開啟Debug模式。