IPSec tunnel
Network connections
- guest1: MN (mobile node), guest2: MAG/CN (mobile access gateway / correspondent node)
- two point-to-point links: guest1:eth0 - guest2:eth0, guest1:eth1 - guest2:eth1
- eth0: plain text; eth1: IPSec
- guest1: 192.168.0.1 -- main IP (kept across the switch, so it is also aliased onto eth1:0), 192.168.5.1 -- assigned to eth1
- guest2: 192.168.6.2 -- sample correspondent node IP (aliased onto both eth0:0 and eth1:0), 192.168.5.2 -- assigned to eth1
guest1 configuration
interfaces:
bash-4.0# ifconfig
eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:01
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::200:ff:fe00:1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:887 errors:0 dropped:0 overruns:0 frame:0
TX packets:1468 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:63594 (62.1 KiB) TX bytes:2075964 (1.9 MiB)
eth1 Link encap:Ethernet HWaddr 00:00:00:00:00:02
inet addr:192.168.5.1 Bcast:192.168.5.255 Mask:255.255.255.0
inet6 addr: fe80::200:ff:fe00:2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:822 errors:0 dropped:0 overruns:0 frame:0
TX packets:1190 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:94728 (92.5 KiB) TX bytes:1359792 (1.2 MiB)
eth1:0 Link encap:Ethernet HWaddr 00:00:00:00:00:02
inet addr:192.168.0.1 Bcast:192.168.5.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
routing (eth0 active):
bash-4.0# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.2     0.0.0.0         UG    0      0        0 eth0
routing (eth1 active):
bash-4.0# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.5.2     0.0.0.0         UG    0      0        0 eth1
/etc/setkey.conf:
#!/usr/sbin/setkey -f
# Configuration for 192.168.5.1
# Flush the SAD and SPD
flush;
spdflush;
# Attention: use these keys only for testing purposes!
# Generate your own keys! These SAs are manually keyed, so nothing ever
# rekeys them, and hmac-md5 / 3des-cbc are legacy algorithms. Outside a
# test bed use an IKE daemon (e.g. racoon) with hmac-sha256 / aes-cbc.
# AH SAs using 128 bit long keys
add 192.168.5.1 192.168.5.2 ah 0x200 -m tunnel -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.5.2 192.168.5.1 ah 0x300 -m tunnel -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.5.1 192.168.5.2 esp 0x201 -m tunnel -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.5.2 192.168.5.1 esp 0x301 -m tunnel -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
# Security policies ('out' and 'in' are relative to this host: 192.168.0.1
# is local, so its traffic must leave tunnelled to 192.168.5.2 and must
# arrive tunnelled from there; anything else for 192.168.0.1 is dropped)
spdadd 192.168.0.1 0.0.0.0/0 any -P out ipsec
esp/tunnel/192.168.5.1-192.168.5.2/require
ah/tunnel/192.168.5.1-192.168.5.2/require;
spdadd 0.0.0.0/0 192.168.0.1 any -P in ipsec
esp/tunnel/192.168.5.2-192.168.5.1/require
ah/tunnel/192.168.5.2-192.168.5.1/require;
guest2 configuration
interfaces:
bash-4.0# ifconfig
eth0 Link encap:Ethernet HWaddr 00:00:00:00:01:01
inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::200:ff:fe00:101/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1142 errors:0 dropped:0 overruns:0 frame:0
TX packets:885 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1394536 (1.3 MiB) TX bytes:63666 (62.1 KiB)
eth0:0 Link encap:Ethernet HWaddr 00:00:00:00:01:01
inet addr:192.168.6.2 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth1 Link encap:Ethernet HWaddr 00:00:00:00:01:02
inet addr:192.168.5.2 Bcast:192.168.5.255 Mask:255.255.255.0
inet6 addr: fe80::200:ff:fe00:102/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:960 errors:0 dropped:0 overruns:0 frame:0
TX packets:824 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:966608 (943.9 KiB) TX bytes:95004 (92.7 KiB)
eth1:0 Link encap:Ethernet HWaddr 00:00:00:00:01:02
inet addr:192.168.6.2 Bcast:192.168.5.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
routing (eth0 active):
bash-4.0# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
routing (eth1 active):
bash-4.0# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.1     192.168.5.1     255.255.255.255 UGH   0      0        0 eth1
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
/etc/setkey.conf:
#!/usr/sbin/setkey -f
# Configuration for 192.168.5.2
# Flush the SAD and SPD
flush;
spdflush;
# Attention: use these keys only for testing purposes!
# Generate your own keys! Manually keyed SAs are never rekeyed, and
# hmac-md5 / 3des-cbc are legacy algorithms.
# AH SAs using 128 bit long keys (identical to guest1: both hosts carry
# the same four SAs)
add 192.168.5.1 192.168.5.2 ah 0x200 -m tunnel -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.5.2 192.168.5.1 ah 0x300 -m tunnel -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.5.1 192.168.5.2 esp 0x201 -m tunnel -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.5.2 192.168.5.1 esp 0x301 -m tunnel -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
# Security policies: the mirror image of guest1's. 'out' and 'in' are
# relative to this host, and here 192.168.0.1 is the remote end: packets
# for it leave guest2 through the 192.168.5.2->192.168.5.1 tunnel, and
# packets from it must arrive through the 192.168.5.1->192.168.5.2 tunnel.
# Copying guest1's policies unchanged would send guest2's replies in the
# clear, and guest1's 'in' policy would then drop them.
spdadd 0.0.0.0/0 192.168.0.1 any -P out ipsec
esp/tunnel/192.168.5.2-192.168.5.1/require
ah/tunnel/192.168.5.2-192.168.5.1/require;
spdadd 192.168.0.1 0.0.0.0/0 any -P in ipsec
esp/tunnel/192.168.5.1-192.168.5.2/require
ah/tunnel/192.168.5.1-192.168.5.2/require;
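Both hosts load the same four SAs and differ only in their SPD directions, and the keys shown are the page's published test keys. The generator below is an added example (not part of the original page) that emits the pair of files with fresh keys from the OS CSPRNG: 16 bytes for hmac-md5 and 24 bytes with DES odd parity for 3des-cbc (the "168 + 24 parity" layout the page mentions), and derives each host's policies from its role so that 'out' and 'in' come out right on both sides. The addresses, SPIs and algorithms are the page's; the role labels `mn`/`cn`, the parity helper and the function names are this example's own.

```python
"""Generate matching setkey.conf files for guest1 (MN) and guest2 (CN) with
fresh manual keys. Added example, not part of the original page: addresses,
SPIs and algorithms are the page's; role labels and function names are ours."""
import secrets

# Key sizes (bytes) for the page's algorithms.
HMAC_MD5_KEY_LEN = 16   # 128-bit key
DES3_KEY_LEN = 24       # 3 x 64-bit DES keys: 168 key bits + 24 parity bits

# SPIs as used on the page: "mn" = guest1 -> guest2, "cn" = the reverse.
SPI = {"ah_mn": 0x200, "ah_cn": 0x300, "esp_mn": 0x201, "esp_cn": 0x301}


def des_set_odd_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has an odd number of 1 bits.
    The kernel does not check DES parity, but a well-formed key avoids
    mismatches with peers that do."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 else 1))
    return bytes(out)


def new_keys() -> dict:
    """Four independent keys from the OS CSPRNG, one per SA, in setkey hex form."""
    ah = lambda: "0x" + secrets.token_hex(HMAC_MD5_KEY_LEN)
    esp = lambda: "0x" + des_set_odd_parity(secrets.token_bytes(DES3_KEY_LEN)).hex()
    return {"ah_mn": ah(), "ah_cn": ah(), "esp_mn": esp(), "esp_cn": esp()}


def sad_section(mn_outer: str, cn_outer: str, keys: dict) -> str:
    """SAD entries are the same on both hosts: both directions, AH and ESP."""
    return "\n".join([
        f"add {mn_outer} {cn_outer} ah {SPI['ah_mn']:#x} -m tunnel -A hmac-md5 {keys['ah_mn']};",
        f"add {cn_outer} {mn_outer} ah {SPI['ah_cn']:#x} -m tunnel -A hmac-md5 {keys['ah_cn']};",
        f"add {mn_outer} {cn_outer} esp {SPI['esp_mn']:#x} -m tunnel -E 3des-cbc {keys['esp_mn']};",
        f"add {cn_outer} {mn_outer} esp {SPI['esp_cn']:#x} -m tunnel -E 3des-cbc {keys['esp_cn']};",
    ])


def spd_section(mn_outer: str, cn_outer: str, mn_inner: str, role: str) -> str:
    """SPD entries differ per host: 'out' and 'in' are relative to the host
    loading the file, so the CN side is the mirror image of the MN side."""
    to_cn = f"esp/tunnel/{mn_outer}-{cn_outer}/require ah/tunnel/{mn_outer}-{cn_outer}/require"
    to_mn = f"esp/tunnel/{cn_outer}-{mn_outer}/require ah/tunnel/{cn_outer}-{mn_outer}/require"
    if role == "mn":      # this host owns mn_inner
        out_sel, out_sa, in_sel, in_sa = f"{mn_inner} 0.0.0.0/0", to_cn, f"0.0.0.0/0 {mn_inner}", to_mn
    elif role == "cn":    # the peer owns mn_inner
        out_sel, out_sa, in_sel, in_sa = f"0.0.0.0/0 {mn_inner}", to_mn, f"{mn_inner} 0.0.0.0/0", to_cn
    else:
        raise ValueError(f"unknown role {role!r}")
    return (f"spdadd {out_sel} any -P out ipsec {out_sa};\n"
            f"spdadd {in_sel} any -P in ipsec {in_sa};")


def render_setkey_conf(role: str, keys: dict, mn_outer="192.168.5.1",
                       cn_outer="192.168.5.2", mn_inner="192.168.0.1") -> str:
    """Complete setkey.conf for one host; load it with `setkey -f <file>`."""
    host = mn_outer if role == "mn" else cn_outer
    return "\n".join([
        "#!/usr/sbin/setkey -f",
        f"# Configuration for {host} ({role}); generated keys, do not reuse",
        "flush;",
        "spdflush;",
        sad_section(mn_outer, cn_outer, keys),
        spd_section(mn_outer, cn_outer, mn_inner, role),
        "",
    ])


if __name__ == "__main__":
    shared = new_keys()          # the same key set must be loaded on both hosts
    print(render_setkey_conf("mn", shared))
    print(render_setkey_conf("cn", shared))
```

Run it once, copy the first file to guest1 and the second to guest2; the keys are only as secret as the channel you copy them over, which is the usual argument for letting IKE negotiate them instead.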
Switching
- guest1:
  - eth0 -> eth1: ifconfig eth0 down ; setkey -f /etc/setkey.conf ; ifconfig eth1 up ; route add default gw 192.168.5.2
  - eth1 -> eth0: ifconfig eth1 down ; setkey -PF ; ifconfig eth0 up ; route add default gw 192.168.0.2
- guest2:
  - eth0 -> eth1: ifconfig eth0 down ; setkey -f /etc/setkey.conf ; ifconfig eth1 up ; route add 192.168.0.1 gw 192.168.5.1
  - eth1 -> eth0: ifconfig eth1 down ; setkey -PF ; ifconfig eth0 up
- Notes: the SPD is loaded before eth1 comes up so that no packet for 192.168.0.1 can leave eth1 unprotected. setkey -PF flushes only the SPD; the manual SAs stay in the SAD until the next setkey -f /etc/setkey.conf runs its flush;. Add setkey -F to the eth1 -> eth0 step to drop them at once.
Test
- guest1:
  - iperf -c 192.168.6.2 -B 192.168.0.1 -t 15 -i 2
  - sleep 5 ; eth0 -> eth1 ; sleep 5 ; eth1 -> eth0
- guest2:
  - iperf -s -B 192.168.6.2
  - sleep 5 ; eth0 -> eth1 ; sleep 5 ; eth1 -> eth0
- eth0 -> eth1 and eth1 -> eth0 stand for the command sequences of the Switching section. -B binds iperf to 192.168.0.1 and 192.168.6.2, which are configured on both interfaces of their host, so the TCP session is meant to survive both switches and the same flow can be compared in the clear on eth0 and tunnelled on eth1.
Pcaps from eth0 and eth1 are attached.
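The captures are what shows whether the switch actually protected the traffic, so here is a checker for them, added as an example and not taken from the page. It walks a classic pcap file, counts frames by outer IP protocol, and lists every frame on the IPsec leg that carries 192.168.0.1 as source or destination outside AH (51) or ESP (50); with the page's policies the outer header is AH, so a clean eth1 capture shows only protocol 51 between 192.168.5.1 and 192.168.5.2. The two captures it runs on are constructed inline to mimic the page's traffic (one clean, one where guest2's reply comes back as plain TCP, which is what a missing 'out' policy on guest2 looks like); the MACs and addresses are the page's, the function names are this example's own.

```python
"""Check eth1 captures: every frame touching 192.168.0.1 must be AH or ESP.
Added example, not from the page; the pcap bytes are constructed below."""
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
IPSEC_PROTOS = {IPPROTO_ESP, IPPROTO_AH}
ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1


def iter_frames(pcap: bytes):
    """Yield the raw link-layer frames of a classic (non-pcapng) pcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian, usec / nsec stamps
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian
        end = ">"
    else:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"expected an Ethernet capture, got link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _frac, incl_len, _orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_ipv4(frame: bytes):
    """(src, dst, proto) of an IPv4-over-Ethernet frame, None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, ip[9]


def protocol_census(pcap: bytes) -> dict:
    """Frame count per outer IP protocol number (AH-wrapped ESP shows as 51)."""
    counts = {}
    for frame in iter_frames(pcap):
        parsed = parse_ipv4(frame)
        key = parsed[2] if parsed else "non-ipv4"
        counts[key] = counts.get(key, 0) + 1
    return counts


def plaintext_leaks(pcap: bytes, inner_ip: str) -> list:
    """Frames carrying inner_ip as src or dst outside AH/ESP. On the IPsec leg
    each one is a policy gap, e.g. the peer's SPD lacking its 'out' rule."""
    return [p for p in map(parse_ipv4, iter_frames(pcap))
            if p and inner_ip in p[:2] and p[2] not in IPSEC_PROTOS]


# --- constructed sample captures (not the page's attached pcaps) ---
def _ipv4(src, dst, proto, payload=b""):
    s, d = (bytes(int(x) for x in a.split(".")) for a in (src, dst))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, s, d) + payload


def _frame(src_mac, dst_mac, ip):
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out


MN_MAC, CN_MAC = "00:00:00:00:00:02", "00:00:00:00:01:02"   # eth1 MACs from the page
# eth1 as it should look: only AH-wrapped tunnel packets between the outer addresses
ETH1_GOOD = build_pcap([
    _frame(MN_MAC, CN_MAC, _ipv4("192.168.5.1", "192.168.5.2", IPPROTO_AH, b"\x00" * 40)),
    _frame(CN_MAC, MN_MAC, _ipv4("192.168.5.2", "192.168.5.1", IPPROTO_AH, b"\x00" * 40)),
])
# eth1 when guest2 has no 'out' policy for 192.168.0.1: the reply is plain TCP
ETH1_LEAK = build_pcap([
    _frame(MN_MAC, CN_MAC, _ipv4("192.168.5.1", "192.168.5.2", IPPROTO_AH, b"\x00" * 40)),
    _frame(CN_MAC, MN_MAC, _ipv4("192.168.6.2", "192.168.0.1", IPPROTO_TCP, b"\x00" * 20)),
])

if __name__ == "__main__":
    for name, cap in (("good", ETH1_GOOD), ("leak", ETH1_LEAK)):
        print(name, protocol_census(cap), plaintext_leaks(cap, "192.168.0.1"))
```

To run it on the attached files, pass the bytes of the eth1 capture: plaintext_leaks(open("eth1.pcap", "rb").read(), "192.168.0.1") should come back empty, while the same call on the eth0 capture is expected to list the plain TCP flow, since that leg is deliberately unprotected. tcpdump writes the classic format this parser reads; a pcapng file (the Wireshark default) needs converting first.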