Getting ipsec-tools working between Ubuntu Lucid hosts

I have two hosts: Charity, with IP 67.207.128.184, and Hope, with IP 67.207.130.204. I have the ipsec-tools package installed on each host. Neither host has racoon installed. Charity has IPTables configured; Hope does not. Here is a report of the IPTables configuration on each host (irrelevant sensitive information removed):

Charity# iptables -L -v

Chain INPUT (policy ACCEPT 63 packets, 6072 bytes)
 pkts bytes target     prot opt in     out     source               destination 
   49  3160 ACCEPT     all  --  lo     any     anywhere             anywhere    
 6012  989K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
  208 12536 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:www
   13   824 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
    6   364 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     esp  --  any    any     anywhere             anywhere    
    0     0 ACCEPT     ah   --  any    any     anywhere             anywhere    
    3   245 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp echo-request
   31  1759 LOG        all  --  any    any     anywhere             anywhere            LOG level debug prefix `iptables debug: '
   31  1759 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     esp  --  any    any     anywhere             anywhere    
    0     0 ACCEPT     ah   --  any    any     anywhere             anywhere    
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 47 packets, 4920 bytes)
 pkts bytes target     prot opt in     out     source               destination 
 5121 3650K ACCEPT     all  --  any    any     anywhere             anywhere    

Hope# iptables -L -v

Chain INPUT (policy ACCEPT 1194 packets, 195K bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 1035 packets, 452K bytes)
 pkts bytes target     prot opt in     out     source               destination 

I have configured Charity (67.207.128.184) with the /etc/ipsec-tools.conf file shown below:

#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

# AH SAs using 128 bit long keys
add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5
    0x18caf1d5d58297471cd63a21fd02adb6;
add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5
    0xde8ba4d945acbe6e85db0978b0c30184;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc
    0xa3f3baeaff7ad1cc3c00df7ad4b2bd26e4af4a703308431b;
add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc
    0xf51e36bb6640072612366e134b5919f60f5a0af22fefa7fb;

# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec
    esp/transport//require
    ah/transport//require;

spdadd 67.207.130.204 67.207.128.184 any -P in ipsec
    esp/transport//require
    ah/transport//require;

I have configured Hope (67.207.130.204) with the /etc/ipsec-tools.conf file shown below:

#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

# AH SAs using 128 bit long keys
add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5
    0x18caf1d5d58297471cd63a21fd02adb6;
add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5
    0xde8ba4d945acbe6e85db0978b0c30184;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc
    0xa3f3baeaff7ad1cc3c00df7ad4b2bd26e4af4a703308431b;
add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc
    0xf51e36bb6640072612366e134b5919f60f5a0af22fefa7fb;

# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
    esp/transport//require
    ah/transport//require;

spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
    esp/transport//require
    ah/transport//require;

After modifying these files I restarted /etc/init.d/setkey. I ran tcpdump on Hope, then SSHed from Charity to Hope, and saw the following in the tcpdump log:

18:46:11.218238 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x40): ESP(spi=0x00000201,seq=0x40), length 64
18:46:11.218361 IP hope > charity.progclub.org: AH(spi=0x00000300,seq=0x22): ESP(spi=0x00000301,seq=0x22), length 64
18:46:11.218822 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x41): ESP(spi=0x00000201,seq=0x41), length 56
18:46:11.232615 IP hope > charity.progclub.org: AH(spi=0x00000300,seq=0x23): ESP(spi=0x00000301,seq=0x23), length 96
18:46:11.233099 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x42): ESP(spi=0x00000201,seq=0x42), length 56
18:46:11.233205 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x43): ESP(spi=0x00000201,seq=0x43), length 96

However, the SSH session just hangs there and "nothing happens". I have to press Ctrl+C to cancel the attempted SSH connection.

So I have IPsec configured on each host, and according to tcpdump IPsec is in use, but the test connection hangs. I'm not sure what to do next. How do I debug this? What am I missing in my configuration? Thanks in advance for any advice.

P.S. I will be changing these keys, since I have now published them.
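As an added example (not from the original question and not part of ipsec-tools), the script below parses two manual-keying setkey configurations of the kind shown above and reports where they disagree: an SA that is missing or differs on one host, a key whose length does not match its algorithm, and an out policy on one host with no matching in policy (same addresses, same transforms) on the other. The CHARITY string is a constructed copy of Charity's file with each entry on one line; peer_config derives Hope's side by flipping every policy direction, which is exactly how the two files on the page differ.

```python
import re

# Manual-key lengths in bytes for the algorithms the two configs use.
KEY_BYTES = {"hmac-md5": 16, "3des-cbc": 24}
SA_RE = re.compile(r"^add\s+(\S+)\s+(\S+)\s+(ah|esp)\s+(0x[0-9a-f]+)\s+-[AE]\s+(\S+)\s+(0x[0-9a-f]+)\s*;", re.M | re.S)
SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+(.*?);", re.S)

# Constructed sample: the Charity side of the page's configuration, one entry per
# line (the keys are the ones the poster published and says will be rotated).
CHARITY = """
add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5 0x18caf1d5d58297471cd63a21fd02adb6;
add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5 0xde8ba4d945acbe6e85db0978b0c30184;
add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc 0xa3f3baeaff7ad1cc3c00df7ad4b2bd26e4af4a703308431b;
add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc 0xf51e36bb6640072612366e134b5919f60f5a0af22fefa7fb;
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec esp/transport//require ah/transport//require;
"""

def parse(conf):
    """Return ({(src, dst, proto, spi): (alg, key)}, {(src, dst, direction): transforms})."""
    sas = {(s, d, p, spi): (alg, key) for s, d, p, spi, alg, key in SA_RE.findall(conf)}
    spd = {(s, d, dirn): tuple(pol.split()) for s, d, dirn, pol in SPD_RE.findall(conf)}
    return sas, spd

def peer_config(conf):
    """Derive the peer host's config: identical SAs, every policy direction flipped."""
    return re.sub(r"-P (in|out) ", lambda m: "-P %s " % ("out" if m.group(1) == "in" else "in"), conf)

def check(conf_a, conf_b):
    """List the inconsistencies between two hosts' configs; an empty list means they agree."""
    problems = []
    sas_a, spd_a = parse(conf_a)
    sas_b, spd_b = parse(conf_b)
    # SAD: both hosts must carry exactly the same SAs with the same algorithm and key.
    for sa in sorted(set(sas_a) | set(sas_b)):
        if sas_a.get(sa) != sas_b.get(sa):
            problems.append("SA %s is missing on one host or its algorithm/key differs" % (sa,))
    for sa, (alg, key) in sorted(sas_a.items()):
        have, want = (len(key) - 2) // 2, KEY_BYTES.get(alg)
        if want is not None and have != want:
            problems.append("SA %s: %s key is %d bytes, expected %d" % (sa, alg, have, want))
    # SPD: each 'out' policy on one host needs the matching 'in' policy on the other, and vice versa.
    for spd_x, spd_y, other in ((spd_a, spd_b, "B"), (spd_b, spd_a, "A")):
        for (s, d, dirn), pol in spd_x.items():
            mirror = "out" if dirn == "in" else "in"
            if spd_y.get((s, d, mirror)) != pol:
                problems.append("policy %s -> %s %s has no matching %s policy on host %s" % (s, d, dirn, mirror, other))
    return problems
```

Running check(CHARITY, peer_config(CHARITY)) returns an empty list for the configuration on the page, while check(CHARITY, CHARITY) reports the unmirrored policies, so a mismatch of this kind can be ruled in or out before looking elsewhere (firewall, MTU, kernel modules).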
