I want to create a tunnel between two Solaris 10 nodes using IPsec encryption. The setup is simple: 2 Solaris 10 nodes, the LAN is not encrypted, the tunnel is encrypted.
The LAN is e1000g0, the tunnel is ip.tun0.
Node 1's "clear" IP is 192.168.0.21
Node 2's "clear" IP is 192.168.0.199
I followed this procedure:
a) Enable IPv4 routing and forwarding on both nodes
routeadm -u -e ipv4-routing
routeadm -u -e ipv4-forwarding
b) Edit /etc/inet/ike/config on both nodes
p1_xform
{ auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2
c) Edit /etc/inet/secret/ike.preshared on both nodes, of course with local/remote reversed
{ localidtype IP
localid 192.168.0.21
remoteidtype IP
remoteid 192.168.0.119
}
d) Enable IKE on both nodes; svcs confirms it is running
svcadm enable ike
svcs ike
e) Edit the file /etc/inet/ipsecinit.conf
# LAN traffic to and from this host can bypass IPsec.
{laddr 192.168.0.0 dir both} bypass {}
# WAN traffic uses ESP with AES and SHA-1.
{tunnel ip.tun0 negotiate tunnel} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}
f) Refresh...
svcadm refresh ipsec/policy
g) Everything looks fine, so I create the tunnel
svcs -a|grep -i ipsec
disabled 9:35:34 svc:/network/ipsec/manual-key:default
online 9:35:53 svc:/network/ipsec/ipsecalgs:default
online 9:35:53 svc:/network/ipsec/ike:default
online 9:54:38 svc:/network/ipsec/policy:default
On host A
ifconfig ip.tun0 plumb
ifconfig ip.tun0 192.168.192.24 192.168.192.40 tsrc 192.168.0.21 tdst 192.168.0.199 router up
On host B
ifconfig ip.tun0 plumb
ifconfig ip.tun0 192.168.192.40 192.168.192.24 tsrc 192.168.0.199 tdst 192.168.0.21 router up
Everything looks fine, but... it doesn't work.
HostA can ping HostB
ping 192.168.0.199
192.168.0.199 is alive
HostB can ping HostA
ping 192.168.0.2
192.168.0.2 is alive
But if I ping across the tunnel...
From host A to host B
ping -s 192.168.192.40
PING 192.168.192.40: 56 data bytes
----192.168.192.40 PING Statistics----
25 packets transmitted, 0 packets received, 100% packet loss
From host B to host A
ping -s 192.168.192.24
PING 192.168.192.24: 56 data bytes
----192.168.192.24 PING Statistics----
25 packets transmitted, 0 packets received, 100% packet loss
On hostA netstat -rn says
netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              192.168.0.1          UG       1      1
192.168.0.0          192.168.0.21         U        1      3 e1000g0
192.168.192.40       192.168.192.24       UH       1      0 ip.tun0
224.0.0.0            192.168.0.21         U        1      0 e1000g0
127.0.0.1            127.0.0.1            UH       1     48 lo0
On HostB netstat -rn says
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              192.168.0.1          UG       1      2 e1000g0
192.168.0.0          192.168.0.199        U        1      7 e1000g0
192.168.192.24       192.168.192.40       UH       1      1 ip.tun0
127.0.0.1            127.0.0.1            UH       3    122 lo0
What am I missing? The firewall is disabled on both nodes.
Answer 1
Solution found. The error was in the syntax of several conf files. First, the file
/etc/inet/ike.preshared
must look like this, and the IPs used must be those of the tunnel, not of the "main" interface.
# ike.preshared on hostA
#…
{ localidtype IP
localid 10.4.0.1
remoteidtype IP
remoteid 10.4.0.2
key keyinhexformat
# The preshared key can also be represented in hex
# as in 0xf47cb0f432e14480951095f82b
# key "This is an ASCII Cqret phrAz, use str0ng p@ssword tekniques"
}
To generate the hex key use this command (od's offset column, the trailing newline and the 16-byte limit of head are stripped so only the hex digits of the phrase remain):
printf '%s' "mypassword" | od -An -v -t x1 | tr -d ' \n'
The file
/etc/inet/ike/config
must be similar to this; here too the tunnel IPs are used, not those of the main interface.
p1_xform
{ auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }
p2_pfs 2
{ label "test1-test2" local_addr 10.4.0.1 remote_addr 10.4.0.2 p1_xform { auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes } p2_pfs 5 }
Of course, on hostB both files must have 10.4.0.1 and 10.4.0.2 reversed.
Finally, edit the file /etc/inet/ipsecinit.conf
{laddr 192.168.0.21 dir both} bypass {}
{laddr 10.4.0.1 raddr 10.4.0.2} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}
Of course, on hostB 10.4.0.1 and 10.4.0.2 must be reversed, and 192.168.0.21 must be changed to hostB's main IP.
Now run this script on hostA
ifconfig ip.tun0 unplumb
ifconfig ip.tun0 plumb
ifconfig ip.tun0 10.4.0.1 10.4.0.2 netmask 255.255.255.0 tsrc 192.168.0.21 tdst 192.168.0.199 router up
for i in ike ipsec/policy;do svcadm refresh $i; done
Now run this script on hostB
ifconfig ip.tun0 unplumb
ifconfig ip.tun0 plumb
ifconfig ip.tun0 10.4.0.2 10.4.0.1 netmask 255.255.255.0 tsrc 192.168.0.199 tdst 192.168.0.21 router up
for i in ike ipsec/policy;do svcadm refresh $i; done
Everything works; tested with ping and snoop.
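The answer's procedure has two parts that are easy to get wrong by hand: deriving the preshared key (a key typed from a password and run through od is both weak and, with the offset column and head -1, not even the intended bytes) and keeping the two hosts' files exact mirrors of each other (the question's ike.preshared had remoteid 192.168.0.119 while the peer was 192.168.0.199). The script below is an added example and not part of the original question or answer: it draws a random key from /dev/urandom, checks that the local/remote ids of the two endpoints mirror each other, and prints the ike.preshared, ike/config and ipsecinit.conf entries plus the ifconfig line for each host using the answer's addresses. The function names (gen_psk_hex, mirror_ok, render_host and the others) are mine; nothing is written to /etc.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Renders mirrored IKE/IPsec configuration for two Solaris 10 tunnel
# endpoints with the addresses used in the answer above. Output is
# printed for review rather than installed.

# Random hex key: BYTES random bytes from /dev/urandom rendered by od with
# no offset column (-An), every byte shown (-v), spaces and newlines removed.
gen_psk_hex() {
    n=${1:-32}
    dd if=/dev/urandom bs=1 count="$n" 2>/dev/null | od -An -v -t x1 | tr -d ' \n'
}

# A usable key is non-empty, lowercase hex digits only and at least 128 bits.
is_hex_key() {
    case "$1" in
        '' | *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -ge 32 ]
}

# The two ike.preshared files must mirror each other exactly:
# A's localid == B's remoteid and A's remoteid == B's localid.
# Arguments: localA remoteA localB remoteB
mirror_ok() {
    [ "$1" = "$4" ] && [ "$2" = "$3" ]
}

# ike.preshared entry: local remote key
preshared_entry() {
    printf '{ localidtype IP\nlocalid %s\nremoteidtype IP\nremoteid %s\nkey %s\n}\n' "$1" "$2" "$3"
}

# ike/config rule: label local remote (same transforms as the answer)
ike_config_entry() {
    printf '{ label "%s" local_addr %s remote_addr %s p1_xform { auth_method preshared oakley_group 5 auth_alg sha256 encr_alg aes } p2_pfs 5 }\n' "$1" "$2" "$3"
}

# ipsecinit.conf policy: clear_local tun_local tun_remote
ipsecinit_entry() {
    printf '{laddr %s dir both} bypass {}\n' "$1"
    printf '{laddr %s raddr %s} ipsec {encr_algs aes encr_auth_algs sha256 sa shared}\n' "$2" "$3"
}

# ifconfig line for the tunnel: tun_local tun_remote clear_local clear_remote
tunnel_cmd() {
    printf 'ifconfig ip.tun0 %s %s netmask 255.255.255.0 tsrc %s tdst %s router up\n' "$1" "$2" "$3" "$4"
}

# Everything for one host: name clear_local clear_remote tun_local tun_remote key
render_host() {
    echo "### $1: /etc/inet/secret/ike.preshared (keep mode 0600, owner root)"
    preshared_entry "$4" "$5" "$6"
    echo "### $1: /etc/inet/ike/config"
    ike_config_entry "test1-test2" "$4" "$5"
    echo "### $1: /etc/inet/ipsecinit.conf"
    ipsecinit_entry "$2" "$4" "$5"
    echo "### $1: tunnel"
    tunnel_cmd "$4" "$5" "$2" "$3"
}

demo() {
    key=$(gen_psk_hex 32)
    is_hex_key "$key" || { echo "bad key" >&2; return 1; }
    mirror_ok 10.4.0.1 10.4.0.2 10.4.0.2 10.4.0.1 || { echo "ids do not mirror" >&2; return 1; }
    render_host hostA 192.168.0.21 192.168.0.199 10.4.0.1 10.4.0.2 "$key"
    render_host hostB 192.168.0.199 192.168.0.21 10.4.0.2 10.4.0.1 "$key"
}

demo
```

The same key string is emitted for both hosts, which is what IKE preshared authentication requires; after installing the files, `svcadm refresh ike` and `svcadm refresh ipsec/policy` as in the answer, and `ipseckey dump` / `snoop` on the clear interface confirm that ESP rather than plain ICMP crosses the LAN.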