Let's set up an IPsec tunnel between a vShield Edge gateway and a CentOS 7.2-based router; the resulting topology looks like this:
How to set up the office side on Windows Server 2012 R2 instead is covered in a separate post.
An important note: all endpoint IP addresses in this example are public, so there is no NAT on either side.
Let's start with the VPN on the Edge gateway side.
Log in to vCloud Director, open your virtual datacenter and select the Edge Gateways tab.
Right-click your Edge and choose "Edge Gateway Services ...".
Then switch to the VPN tab.
Tick "Enable VPN" and click "Add".
In the dialog that opens, fill in the fields carefully:
1. Name - the connection name;
2. Description - a description, worth filling in, especially if you have many connections;
3. Check that "Enable this VPN configuration" is ticked;
4. Establish VPN to - select "a remote network";
5. Local Networks - select our virtual network, here 172.16.0.0/24 (more than one network can be selected);
6. Peer Networks - our office network, 192.168.100.0/24;
7. Local Endpoint - select our external IP pool;
8. Local ID - I put the external IP here, 185.32.226.177;
9. Peer ID - the external IP of our Linux router in the office (this must match exactly what libreswan will send as its leftid, otherwise phase 1 fails on an ID mismatch);
That is not all; scroll down and continue ...
10. Peer IP - the external IP of our Linux router in the office;
11. Encryption protocol - choose AES-256;
The Diffie-Hellman group cannot be selected in this interface (it can in vShield); just remember that it will be DH2, i.e. 1024-bit MODP. That group is considered too weak for new deployments, so pick DH5 or better wherever the interface lets you.
12. MTU - leave it at 1500;
13. Tick "Show key" and copy the pre-shared key somewhere safe (it is a shared secret, so treat it like a password rather than pasting it into a scratch file); you may also supply your own key if you prefer.
Click OK.
If everything is filled in correctly, the previous window will show a line with the settings, although Status will be red for now because the peer has not connected yet. Click OK.
Now let's configure the gateway on CentOS 7.2.
Set up the network interfaces as follows.
The external interface:
[root@localhost sysconfig]# cat /etc/sysconfig/network-scripts/ifcfg-eno16777984
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=eno16777984
UUID=685c04f9-4023-4528-bf51-59171d6a6b2d
DEVICE=eno16777984
ONBOOT=yes
IPADDR=185.65.136.140
NETMASK=255.255.255.0
GATEWAY=185.65.136.1
Again, this is a public IP address; this example covers the no-NAT case.
The interface facing the office LAN:
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eno33557248
TYPE=Ethernet
BOOTPROTO=static
IPV4_FAILURE_FATAL=no
NAME=eno33557248
DEVICE=eno33557248
ONBOOT=yes
IPADDR=192.168.100.1
NETMASK=255.255.255.0
Since this is a test bench, firewalld and SELinux are disabled on it. On a real gateway keep both: libreswan ships with an SELinux policy, and the firewall only needs to admit UDP 500, UDP 4500 and ESP from the peer. Note that disable alone only removes the unit from autostart, so stop it as well:
[root@localhost etc]# systemctl stop firewalld
[root@localhost etc]# systemctl disable firewalld
[root@localhost etc]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
(The SELINUX= change takes effect only after a reboot.)
Also enable IP forwarding (apply it to the running kernel with sysctl -p; otherwise it takes effect only after a reboot):
[root@localhost etc]# cat /etc/sysctl.conf
net.ipv4.ip_forward = 1
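The test bench above simply turns firewalld off. A real gateway needs IKE and ESP admitted from the peer and, more importantly, must forward traffic from the cloud subnet only when it actually arrived inside ESP: without an IPsec policy match, anyone on the Internet could send cleartext packets with a 172.16.0.0/24 source to the external interface and have the router forward them into the office LAN. The following is an added example, not part of the original post: it renders an iptables-restore ruleset from the addresses and interface names used in this post; the default-DROP policy and the SSH/ICMP allowance from the LAN are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): render an iptables-restore
# ruleset for the CentOS IPsec gateway. Review it, then load it with:
#     render_ipsec_rules | iptables-restore
# Interfaces and addresses come from the post; the default-DROP policy and
# the management rules from the LAN are assumptions made for this example.

WAN_IF=eno16777984
LAN_IF=eno33557248
WAN_IP=185.65.136.140
PEER_IP=185.32.226.177        # vShield Edge public endpoint
LAN_NET=192.168.100.0/24      # office network (leftsubnet)
PEER_NET=172.16.0.0/24        # cloud network (rightsubnet)

render_ipsec_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IKE (500/udp), NAT-T (4500/udp) and ESP, only from the configured peer
-A INPUT -i $WAN_IF -s $PEER_IP -d $WAN_IP -p udp --dport 500 -j ACCEPT
-A INPUT -i $WAN_IF -s $PEER_IP -d $WAN_IP -p udp --dport 4500 -j ACCEPT
-A INPUT -i $WAN_IF -s $PEER_IP -d $WAN_IP -p esp -j ACCEPT
# Management from the office LAN (assumption for this example)
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp -j ACCEPT
# Cloud -> office: accept only packets that were just decrypted from ESP.
# With XFRM the decapsulated packet still enters with -i $WAN_IF, so the
# policy match is the only thing distinguishing it from spoofed cleartext.
-A FORWARD -i $WAN_IF -o $LAN_IF -s $PEER_NET -d $LAN_NET -m policy --dir in --pol ipsec --proto esp --mode tunnel -j ACCEPT
# Office -> cloud: forward only what the kernel is going to encrypt
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $PEER_NET -m policy --dir out --pol ipsec --proto esp --mode tunnel -j ACCEPT
COMMIT
EOF
}

# How many rules rely on the IPsec policy match: a ruleset that forwards
# between the two subnets without any is open to source-address spoofing.
count_policy_rules() {
    render_ipsec_rules | grep -c -- '--pol ipsec'
}
```

On CentOS 7 the port side of this can also be expressed with firewalld (firewall-cmd --permanent --add-service=ipsec opens 500/udp, 4500/udp, AH and ESP), but firewalld's rich-rule language has no equivalent of the policy match, so the forwarding rules would have to go in as direct rules anyway; a plain ruleset like the one above is easier to review.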
Install the libreswan package:
[root@localhost etc]# yum install libreswan
and configure it as follows.
Create a file with the key we saved earlier. The format is simple: our IP address, then the remote (cloud) one, then the key. The file holds a plaintext secret, so it should be owned by root with mode 0600.
[root@localhost etc]# cat /etc/ipsec.d/bc.secrets
185.65.136.140 185.32.226.177 : PSK "xE8HJ3J5fdi54hxDbcviQCUsYwF5FgtJchu9JNBjyPhI4i4dDu5Midn8z898zhK3"
And here is the connection itself (note that in ipsec.conf the parameter lines must be indented; only the conn header starts at column 0):
[root@localhost etc]# cat /etc/ipsec.d/bc.conf
conn BC
    authby=secret
    auto=start
    left=185.65.136.140
    leftid=185.65.136.140
    leftsubnet=192.168.100.0/24
    right=185.32.226.177
    rightid=185.32.226.177
    rightsubnet=172.16.0.0/24
    ike=aes256-sha1-modp1024
    ikelifetime=28800
    keyexchange=ike
    lifetime=8h
    type=tunnel
    #ikelifetime=60m
    rekeymargin=3m
    keyingtries=1
    pfs=yes
If the Edge is configured from the vShield web interface instead, DH5 can be selected there; in that case change the IKE proposal here to ike=aes256-sha1-modp1536. Note also that this file pins only the phase 1 (IKE) proposal: the ESP algorithms are left to libreswan's defaults, which is why the SA libreswan initiates comes up with AES-128 in the log below while the one the Edge initiates uses AES-256. Add esp=aes256-sha1 to pin phase 2 as well.
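The connection above pins only the IKE proposal, leaves the IKE version open, has no dead-peer detection and gives up after a single keying attempt. Below is an added example, not the post's own file, of the same conn BC with phase 2 pinned to AES-256, the IKE version pinned to the v1 that was actually negotiated (Main Mode in the log below), DPD enabled (the Edge advertises it in the log) and unlimited retries, together with a secrets file created with root-only permissions. The addresses are the ones from the post; the prefix argument and the PSK environment variable are conventions of this example so the files can be rendered into a scratch directory and inspected before they are written under /etc.

```shell
#!/bin/sh
# Added example (not the post's own configuration): write a pinned
# libreswan connection plus a 0600 secrets file. Usage on the gateway:
#     PSK='<key from the Edge>' write_libreswan_config /
# or, for a dry run you can inspect first:
#     PSK='<key>' write_libreswan_config /tmp/review
# Addresses are from the post; the prefix and the PSK variable are this
# example's conventions (in production read the key from a root-only file
# rather than leaving it in the shell history or the environment).

LOCAL_IP=185.65.136.140
PEER_IP=185.32.226.177
LOCAL_NET=192.168.100.0/24
PEER_NET=172.16.0.0/24

write_libreswan_config() {
    prefix=${1:-/}
    [ -n "$PSK" ] || { echo "PSK is not set" >&2; return 1; }
    mkdir -p "$prefix/etc/ipsec.d"
    # /etc/ipsec.conf on CentOS includes /etc/ipsec.d/*.conf and
    # /etc/ipsec.secrets includes /etc/ipsec.d/*.secrets (see the journal).
    cat >"$prefix/etc/ipsec.d/bc.conf" <<EOF
conn BC
    authby=secret
    auto=start
    type=tunnel
    left=$LOCAL_IP
    leftid=$LOCAL_IP
    leftsubnet=$LOCAL_NET
    right=$PEER_IP
    rightid=$PEER_IP
    rightsubnet=$PEER_NET
    # DH group 2 is all the Edge UI in the post offers; when the peer is
    # configured through vShield and can take DH5, use modp1536 instead.
    ike=aes256-sha1-modp1024
    # Pin phase 2 too: with esp= unset libreswan offered AES-128 first for
    # the SA it initiated, even though the Edge was set to AES-256.
    esp=aes256-sha1
    pfs=yes
    # Pin the IKE version that was tested; the default (permit) accepts either.
    ikev2=never
    ikelifetime=8h
    lifetime=8h
    rekeymargin=3m
    # Keep retrying a site-to-site tunnel instead of giving up after one try.
    keyingtries=%forever
    # The Edge advertises Dead Peer Detection; tear down and re-establish
    # the tunnel when the peer stops answering.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
EOF
    # ipsec.secrets syntax: <local id> <remote id> : PSK "<key>"
    ( umask 077; printf '%s %s : PSK "%s"\n' "$LOCAL_IP" "$PEER_IP" "$PSK" \
        >"$prefix/etc/ipsec.d/bc.secrets" )
    chmod 600 "$prefix/etc/ipsec.d/bc.secrets"
}
```

After writing to the real prefix, check the syntax with ipsec addconn --checkconfig and then restart the ipsec service; the journal should then show the Quick Mode SA come up with AES_256 in both directions.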
Start ipsec and enable it at boot:
[root@localhost etc]# systemctl start ipsec
[root@localhost etc]# systemctl enable ipsec
The journal will show the following (the month abbreviation is in the system's ru_RU locale):
[root@localhost ~]# journalctl -af
дек 15 06:07:19 localhost.localdomain systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
дек 15 06:07:19 localhost.localdomain kernel: sha512_ssse3: Using AVX2 optimized SHA-512 implementation
дек 15 06:07:19 localhost.localdomain kernel: NET: Registered protocol family 15
дек 15 06:07:19 localhost.localdomain kernel: IPv4 over IPsec tunneling driver
дек 15 06:07:19 localhost.localdomain NetworkManager[615]: <info> (ip_vti0): new Generic device (carrier: UNKNOWN, driver: 'vti', ifindex: 4)
дек 15 06:07:19 localhost.localdomain ipsec[2628]: nflog ipsec capture disabled
дек 15 06:07:19 localhost.localdomain polkitd[642]: Unregistered Authentication Agent for unix-process:2208:383917 (system bus name :1.31, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ru_RU.utf8) (disconnected from bus)
дек 15 06:07:19 localhost.localdomain systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
дек 15 06:07:19 localhost.localdomain pluto[2642]: pluto: warning: chdir("/var/run/pluto/") to dumpdir failed (2: No such file or directory)
дек 15 06:07:19 localhost.localdomain pluto[2642]: NSS DB directory: sql:/etc/ipsec.d
дек 15 06:07:19 localhost.localdomain pluto[2642]: Dec 15 06:07:19: pluto: warning: chdir("/var/run/pluto/") to dumpdir failed (2: No such file or directory)
дек 15 06:07:19 localhost.localdomain pluto[2642]: NSS initialized
дек 15 06:07:19 localhost.localdomain pluto[2642]: libcap-ng support [enabled]
дек 15 06:07:19 localhost.localdomain pluto[2642]: FIPS HMAC integrity verification test passed
дек 15 06:07:19 localhost.localdomain pluto[2642]: FIPS: pluto daemon NOT running in FIPS mode
дек 15 06:07:19 localhost.localdomain pluto[2642]: Linux audit support [enabled]
дек 15 06:07:19 localhost.localdomain pluto[2642]: Linux audit activated
дек 15 06:07:19 localhost.localdomain pluto[2642]: Starting Pluto (Libreswan Version 3.15 XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:2642
дек 15 06:07:19 localhost.localdomain pluto[2642]: core dump dir: /var/run/pluto/
дек 15 06:07:19 localhost.localdomain pluto[2642]: secrets file: /etc/ipsec.secrets
дек 15 06:07:19 localhost.localdomain pluto[2642]: leak-detective disabled
дек 15 06:07:19 localhost.localdomain pluto[2642]: NSS crypto [enabled]
дек 15 06:07:19 localhost.localdomain pluto[2642]: XAUTH PAM support [enabled]
дек 15 06:07:19 localhost.localdomain pluto[2642]: NAT-Traversal support [enabled]
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: starting up 1 crypto helpers
дек 15 06:07:19 localhost.localdomain pluto[2642]: started thread for crypto helper 0 (master fd 10)
дек 15 06:07:19 localhost.localdomain pluto[2642]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-327.el7.x86_64
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
дек 15 06:07:19 localhost.localdomain pluto[2642]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
дек 15 06:07:19 localhost.localdomain kernel: alg: No test for fips(ansi_cprng) (fips_ansi_cprng)
дек 15 06:07:20 localhost.localdomain pluto[2642]: | selinux support is NOT enabled.
дек 15 06:07:21 localhost.localdomain pluto[2642]: | certificate not loaded for this end
дек 15 06:07:21 localhost.localdomain pluto[2642]: | certificate not loaded for this end
дек 15 06:07:21 localhost.localdomain pluto[2642]: added connection description "BC"
дек 15 06:07:21 localhost.localdomain pluto[2642]: listening for IKE messages
дек 15 06:07:21 localhost.localdomain pluto[2642]: adding interface eno33557248/eno33557248 192.168.100.1:500
дек 15 06:07:21 localhost.localdomain pluto[2642]: adding interface eno33557248/eno33557248 192.168.100.1:4500
дек 15 06:07:21 localhost.localdomain pluto[2642]: adding interface eno16777984/eno16777984 185.65.136.140:500
дек 15 06:07:21 localhost.localdomain pluto[2642]: adding interface eno16777984/eno16777984 185.65.136.140:4500
дек 15 06:07:21 localhost.localdomain pluto[2642]: adding interface lo/lo 127.0.0.1:500
дек 15 06:07:21 localhost.localdomain pluto[2642]: adding interface lo/lo 127.0.0.1:4500
дек 15 06:07:21 localhost.localdomain pluto[2642]: adding interface lo/lo ::1:500
дек 15 06:07:21 localhost.localdomain pluto[2642]: | setup callback for interface lo:500 fd 24
дек 15 06:07:21 localhost.localdomain pluto[2642]: | setup callback for interface lo:4500 fd 23
дек 15 06:07:21 localhost.localdomain pluto[2642]: | setup callback for interface lo:500 fd 22
дек 15 06:07:21 localhost.localdomain pluto[2642]: | setup callback for interface eno16777984:4500 fd 21
дек 15 06:07:21 localhost.localdomain pluto[2642]: | setup callback for interface eno16777984:500 fd 20
дек 15 06:07:21 localhost.localdomain pluto[2642]: | setup callback for interface eno33557248:4500 fd 19
дек 15 06:07:21 localhost.localdomain pluto[2642]: | setup callback for interface eno33557248:500 fd 18
дек 15 06:07:21 localhost.localdomain pluto[2642]: loading secrets from "/etc/ipsec.secrets"
дек 15 06:07:21 localhost.localdomain pluto[2642]: loading secrets from "/etc/ipsec.d/bc.secrets"
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: initiating Main Mode
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: ignoring Vendor ID payload [Openswan(project)]
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: received Vendor ID payload [Dead Peer Detection]
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: received Vendor ID payload [RFC 3947]
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: STATE_MAIN_I2: sent MI2, expecting MR2
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: STATE_MAIN_I3: sent MI3, expecting MR3
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: received Vendor ID payload [CAN-IKEv2]
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: Main mode peer ID is ID_IPV4_ADDR: '185.32.226.177'
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:61c45d16 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
дек 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x9ad60306 <0xcf8cbdca xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
The status can be viewed as follows. Note the last lines of the connection block: the newest ESP algorithm, from the SA the Edge initiated (#4), is AES_256-HMAC_SHA1, whereas the SA libreswan initiated (#2) came up with AES_128 in the journal above:
[root@localhost ~]# ipsec status
000 using kernel interface: netkey
000 interface lo/lo ::1@500
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eno16777984/eno16777984 185.65.136.140@4500
000 interface eno16777984/eno16777984 185.65.136.140@500
000 interface eno33557248/eno33557248 192.168.100.1@4500
000 interface eno33557248/eno33557248 192.168.100.1@500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.15, pluto_vendorid=OE-Libreswan-3.15
000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 secctx-attr-type=32001
000 myid = (none)
000 debug none
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "BC": 192.168.100.0/24===185.65.136.140<185.65.136.140>...185.32.226.177<185.32.226.177>===172.16.0.0/24; erouted; eroute owner: #4
000 "BC": oriented; my_ip=unset; their_ip=unset
000 "BC": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "BC": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "BC": labeled_ipsec:no;
000 "BC": policy_label:unset;
000 "BC": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1;
000 "BC": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "BC": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "BC": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "BC": conn_prio: 24,24; interface: eno16777984; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "BC": newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "BC": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1024(2)
000 "BC": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "BC": IKE algorithm newest: AES_CBC_256-SHA1-MODP1024
000 "BC": ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(2), half-open(0), open(0), authenticated(2), anonymous(0)
000 IPsec SAs: total(2), authenticated(2), anonymous(0)
000
000 #4: "BC":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1456s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "BC" esp.5e809174@185.32.226.177 esp.35f74378@185.65.136.140 tun.0@185.32.226.177 tun.0@185.65.136.140 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #3: "BC":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 26656s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #2: "BC":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26483s; isakmp#1; idle; import:admin initiate
000 #2: "BC" esp.9ad60306@185.32.226.177 esp.cf8cbdca@185.65.136.140 tun.0@185.32.226.177 tun.0@185.65.136.140 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #1: "BC":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26402s; lastdpd=22s(seq in:0 out:0); idle; import:admin initiate
000
000 Bare Shunt list:
000
On the vCloud Director side we will see that the status has changed.
Check the tunnel state on the Linux router. Each SA appears twice (one per direction), and three generations are present here because of rekeys; the two states whose AES key is only 32 hex digits long (128 bits, SPIs 0xcf8cbdca and 0x9ad60306) are SA #2 from the journal, the one negotiated with AES_128:
[root@localhost etc]# ip xfrm state show
src 185.65.136.140 dst 185.32.226.177
proto esp spi 0x43bc799b reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xb896577b1f8229d4905c1fa3ab8af28c062b68a2 96
enc cbc(aes) 0x59310f66425810f99690a4ed79806496d63d4f00c4d286d149139baa5a4f8cce
src 185.32.226.177 dst 185.65.136.140
proto esp spi 0xe394338f reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x2d9cfbc450908e02586273c88eb10457b5b3e89a 96
enc cbc(aes) 0x5c986eb51cc842eda519b56c2423bb9c008e4537e4e914cbe6a6c1b4c875f541
src 185.65.136.140 dst 185.32.226.177
proto esp spi 0x5e809174 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x39d9a1729c9be447feecd5b9c2d7142152225e6c 96
enc cbc(aes) 0x6e1434ac77f83198937628b4a6df3dc32da7f962a87a2899aa85c8bea52ed839
src 185.32.226.177 dst 185.65.136.140
proto esp spi 0x35f74378 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xb706845a6f34bb72446f369435dbf81d0aa84662 96
enc cbc(aes) 0xb30d4d06a84ad8f14d5aec2baa8b94be34fe4aec17eb4e31079cebcf0e5d85ff
src 185.32.226.177 dst 185.65.136.140
proto esp spi 0xcf8cbdca reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x7196fde610bccfe82164f1135f3006cf933083b3 96
enc cbc(aes) 0xc53eedebc1bdbe830d930da3fab991a1
src 185.65.136.140 dst 185.32.226.177
proto esp spi 0x9ad60306 reqid 16389 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x353028026f29e8d0d03a20924eaa7e72693ca23f 96
enc cbc(aes) 0xacbeb7b6e5d49e1dd4af043cc14e6ddf
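The journal above says the SA libreswan initiated came up with xfrm=AES_128-HMAC_SHA1 while the IKE SA used group=MODP1024, and the xfrm state above shows the same thing in raw form: two SAs whose AES key is 32 hex digits (128 bits) next to four with 64 (256 bits). Reading key lengths by eye does not scale, so here is an added example, not part of the original post, that audits both outputs: an awk filter over ip xfrm state show reporting each SA's cipher and real key size, and a second one over the pluto log reporting the negotiated DH group. The sample inputs are constructed after the post's output with dummy key material (the real key bytes are secret, and in any case expired), so the block runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit what the kernel actually
# installed after negotiation. Usage on the gateway:
#     ip xfrm state show | audit_xfrm_state
#     journalctl -u ipsec --no-pager | audit_ike_group
# Only "enc" SAs (CBC/CTR ciphers) are handled; AEAD SAs (AES-GCM) show up
# as "aead" with a salt appended to the key and are out of scope here.

# One line per SA: direction, SPI, cipher, key bits, integrity; keys
# shorter than 256 bits are flagged. Key size is derived from the hex
# key the kernel holds, not from what the daemon claims it negotiated.
audit_xfrm_state() {
    awk '
        /^src /                    { src = $2; dst = $4; auth = "none" }
        /proto esp spi/            { spi = $4 }
        /^[[:space:]]*auth-trunc/  { auth = $2 " " $4 "-bit" }
        /^[[:space:]]*enc / {
            bits = (length($3) - 2) * 4          # strip "0x", 4 bits per digit
            flag = (bits < 256) ? " WEAK" : ""
            printf "%s -> %s spi=%s %s %d-bit %s%s\n", src, dst, spi, $2, bits, auth, flag
        }'
}

# Number of installed SAs with a key below 256 bits.
count_weak_sas() {
    audit_xfrm_state | grep -c ' WEAK$'
}

# pluto (IKEv1) logs "ISAKMP SA established {... group=MODPnnnn}" for the
# phase 1 SA; report the group and flag the 1024-bit and 768-bit ones.
audit_ike_group() {
    awk '
        /ISAKMP SA established/ {
            match($0, /group=[A-Z0-9]+/)
            g = substr($0, RSTART + 6, RLENGTH - 6)
            weak = (g == "MODP1024" || g == "MODP768") ? " WEAK (upgrade to DH5/modp1536 or better where the peer allows)" : ""
            printf "IKE DH group %s%s\n", g, weak
        }'
}

# Constructed sample modelled on the outputs above, with dummy key material:
# a rekeyed SA with a 256-bit key and the first SA (#2) with a 128-bit key.
sample_xfrm_state() {
    cat <<'EOF'
src 185.65.136.140 dst 185.32.226.177
        proto esp spi 0x43bc799b reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x0123456789abcdef0123456789abcdef01234567 96
        enc cbc(aes) 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
src 185.65.136.140 dst 185.32.226.177
        proto esp spi 0x9ad60306 reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x0123456789abcdef0123456789abcdef01234567 96
        enc cbc(aes) 0x0123456789abcdef0123456789abcdef
EOF
}

# Constructed sample of the phase 1 line pluto logged above.
sample_pluto_log() {
    cat <<'EOF'
Dec 15 06:07:21 localhost.localdomain pluto[2642]: "BC" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
EOF
}
```

Run the two audits after every rekey cycle (or from cron) rather than once: the post's own output shows that what the first SA negotiated and what later SAs negotiated were not the same.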
The policy output shows the three selectors libreswan installed for the pair of subnets (out, fwd and in); the 0.0.0.0/0 and ::/0 socket entries with priority 0 are bypass policies pluto attaches to its own IKE sockets so that IKE itself is never sent through the tunnel:
[root@localhost etc]# ip xfrm policy show
src 192.168.100.0/24 dst 172.16.0.0/24
dir out priority 2344 ptype main
tmpl src 185.65.136.140 dst 185.32.226.177
proto esp reqid 16389 mode tunnel
src 172.16.0.0/24 dst 192.168.100.0/24
dir fwd priority 2344 ptype main
tmpl src 185.32.226.177 dst 185.65.136.140
proto esp reqid 16389 mode tunnel
src 172.16.0.0/24 dst 192.168.100.0/24
dir in priority 2344 ptype main
tmpl src 185.32.226.177 dst 185.65.136.140
proto esp reqid 16389 mode tunnel
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
Let's try to ping a virtual machine in the cloud from the Linux gateway:
[root@localhost etc]# ping 172.16.0.20 -I 192.168.100.1
PING 172.16.0.20 (172.16.0.20) from 192.168.100.1 : 56(84) bytes of data.
64 bytes from 172.16.0.20: icmp_seq=1 ttl=63 time=42.6 ms
64 bytes from 172.16.0.20: icmp_seq=2 ttl=63 time=41.8 ms
64 bytes from 172.16.0.20: icmp_seq=3 ttl=63 time=41.5 ms
^C
--- 172.16.0.20 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 41.586/42.024/42.651/0.454 ms
Note that I explicitly choose the source address for ping. Without -I the echo request would be sourced from the external interface, 185.65.136.140, which is not within leftsubnet 192.168.100.0/24; it would not match the xfrm policy and would leave via the default route in cleartext instead of through the tunnel.
Now from an office machine behind the Linux gateway:
[root@localhost ~]# ping 172.16.0.20 -c 3
PING 172.16.0.20 (172.16.0.20) 56(84) bytes of data.
64 bytes from 172.16.0.20: icmp_seq=1 ttl=62 time=42.1 ms
64 bytes from 172.16.0.20: icmp_seq=2 ttl=62 time=42.1 ms
64 bytes from 172.16.0.20: icmp_seq=3 ttl=62 time=42.2 ms
--- 172.16.0.20 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 42.148/42.193/42.245/0.039 ms
Meanwhile, on the Linux router you can watch the SA events:
[root@localhost ~]# ip xfrm monitor
Async event (0x10) replay update
src 185.65.136.140 dst 185.32.226.177 reqid 0x4005 protocol esp SPI 0xab882f2f
Async event (0x10) replay update
src 185.32.226.177 dst 185.65.136.140 reqid 0x4005 protocol esp SPI 0x1f5e3329
Async event (0x20) timer expired
src 185.65.136.140 dst 185.32.226.177 reqid 0x4005 protocol esp SPI 0xab882f2f
Async event (0x20) timer expired
src 185.32.226.177 dst 185.65.136.140 reqid 0x4005 protocol esp SPI 0x1f5e3329
Async event (0x20) timer expired
src 185.65.136.140 dst 185.32.226.177 reqid 0x4005 protocol esp SPI 0xab882f2f
Async event (0x20) timer expired
src 185.32.226.177 dst 185.65.136.140 reqid 0x4005 protocol esp SPI 0x1f5e3329
Now a ping from the virtual machine towards the office:
As we can see, everything works: the cloud infrastructure is reachable from the office.