Encrypting network communication: configuring IPSec (part 2)


# kldload ipsec.ko
Then run, in order, the two commands that host one ran earlier:
# setkey -f /usr/local/etc/racoon/setkey.conf
# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log
Foreground mode.
2022-06-15 09:51:49: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
2022-06-15 09:51:49: INFO: @(#)This product linked OpenSSL 1.1.1o-freebsd 3 May 2022 (http://www.openssl.org/)
2022-06-15 09:51:49: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2022-06-15 09:51:49: INFO: 10.10.10.74[4500] used for NAT-T
2022-06-15 09:51:49: INFO: 10.10.10.74[4500] used as isakmp port (fd=5)
2022-06-15 09:51:49: INFO: 10.10.10.74[500] used as isakmp port (fd=6)
Pinging host two from host one now shows this:

[Article illustration: ping output from host one to host two]
The first ping loses two packets; once the encrypted connection is established, the rest go through normally. The lost packets are the ones sent while racoon is still negotiating: the kernel asks for an SA, racoon queues the request until phase 1 completes (see "queued due to no phase1 found" below), and only after phase 2 installs the IPsec SAs can traffic be sent.
Host one's output:
2022-06-15 09:51:49: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
2022-06-15 09:51:49: INFO: @(#)This product linked OpenSSL 1.1.1o-freebsd 3 May 2022 (http://www.openssl.org/)
2022-06-15 09:51:49: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2022-06-15 09:51:49: INFO: 10.10.10.74[4500] used for NAT-T
2022-06-15 09:51:49: INFO: 10.10.10.74[4500] used as isakmp port (fd=5)
2022-06-15 09:51:49: INFO: 10.10.10.74[500] used as isakmp port (fd=6)
2022-06-15 09:52:28: INFO: IPsec-SA request for 10.10.10.92 queued due to no phase1 found.
2022-06-15 09:52:28: INFO: initiate new phase 1 negotiation: 10.10.10.74[500]<=>10.10.10.92[500]
2022-06-15 09:52:28: INFO: begin Identity Protection mode.
2022-06-15 09:52:28: INFO: received Vendor ID: DPD
2022-06-15 09:52:28: INFO: ISAKMP-SA established 10.10.10.74[500]-10.10.10.92[500] spi:9c05e88e55dd0ead:3be77ea323c63ae8
2022-06-15 09:52:28: [10.10.10.92] INFO: received INITIAL-CONTACT
2022-06-15 09:52:29: INFO: initiate new phase 2 negotiation: 10.10.10.74[500]<=>10.10.10.92[500]
2022-06-15 09:52:29: INFO: IPsec-SA established: AH/Transport 10.10.10.74[500]->10.10.10.92[500] spi=187131851(0xb2767cb)
2022-06-15 09:52:29: INFO: IPsec-SA established: ESP/Transport 10.10.10.74[500]->10.10.10.92[500] spi=196520647(0xbb6aac7)
2022-06-15 09:52:29: INFO: IPsec-SA established: AH/Transport 10.10.10.74[500]->10.10.10.92[500] spi=56908505(0x3645ad9)
2022-06-15 09:52:29: INFO: IPsec-SA established: ESP/Transport 10.10.10.74[500]->10.10.10.92[500] spi=170687013(0xa2c7a25)
Phase 1 (the ISAKMP-SA, identified by the cookie pair 9c05e88e55dd0ead:3be77ea323c63ae8) completes first; phase 2 then installs four IPsec SAs, an AH and an ESP SA for each direction. Host two's output shows the same cookies and the same four SPIs from the responder's side:
Foreground mode.
2022-06-15 17:52:11: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
2022-06-15 17:52:11: INFO: @(#)This product linked OpenSSL 1.1.1o-freebsd 3 May 2022 (http://www.openssl.org/)
2022-06-15 17:52:11: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2022-06-15 17:52:11: INFO: 10.10.10.92[4500] used for NAT-T
2022-06-15 17:52:11: INFO: 10.10.10.92[4500] used as isakmp port (fd=5)
2022-06-15 17:52:11: INFO: 10.10.10.92[500] used as isakmp port (fd=6)
2022-06-15 17:52:27: INFO: respond new phase 1 negotiation: 10.10.10.92[500]<=>10.10.10.74[500]
2022-06-15 17:52:27: INFO: begin Identity Protection mode.
2022-06-15 17:52:27: INFO: received Vendor ID: DPD
2022-06-15 17:52:27: INFO: ISAKMP-SA established 10.10.10.92[500]-10.10.10.74[500] spi:9c05e88e55dd0ead:3be77ea323c63ae8
2022-06-15 17:52:27: [10.10.10.74] INFO: received INITIAL-CONTACT
2022-06-15 17:52:28: INFO: respond new phase 2 negotiation: 10.10.10.92[500]<=>10.10.10.74[500]
2022-06-15 17:52:28: INFO: IPsec-SA established: AH/Transport 10.10.10.92[500]->10.10.10.74[500] spi=56908505(0x3645ad9)
2022-06-15 17:52:28: INFO: IPsec-SA established: ESP/Transport 10.10.10.92[500]->10.10.10.74[500] spi=170687013(0xa2c7a25)
2022-06-15 17:52:28: INFO: IPsec-SA established: AH/Transport 10.10.10.92[500]->10.10.10.74[500] spi=187131851(0xb2767cb)
2022-06-15 17:52:28: INFO: IPsec-SA established: ESP/Transport 10.10.10.92[500]->10.10.10.74[500] spi=196520647(0xbb6aac7)
On the router, use tcpdump to look at the traffic in transit:
# tcpdump -i em0 host 10.10.10.92 and dst 10.10.10.74
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:56:29.252361 IP 10.10.10.92 > 10.10.10.74: AH(spi=0x0b2767cb,seq=0x5): ESP(spi=0x0bb6aac7,seq=0x5), length 84
09:56:29.254597 IP 10.10.10.92 > 10.10.10.74: AH(spi=0x0b2767cb,seq=0x6): ESP(spi=0x0bb6aac7,seq=0x6), length 372
09:56:29.254961 IP 10.10.10.92 > 10.10.10.74: AH(spi=0x0b2767cb,seq=0x7): ESP(spi=0x0bb6aac7,seq=0x7), length 84
09:56:29.255449 IP 10.10.10.92 > 10.10.10.74: AH(spi=0x0b2767cb,seq=0x8): ESP(spi=0x0bb6aac7,seq=0x8), length 84
Every packet from 10.10.10.92 to 10.10.10.74 is now an AH header wrapping an ESP header, and the ESP SPI 0x0bb6aac7 is the one racoon logged as 196520647(0xbb6aac7). The actual payload sits inside ESP and is no longer readable, so the data is encrypted on the wire (AH contributes integrity and origin authentication; ESP is what hides the content). Note that tcpdump only proves an SA is in use; which cipher protects the payload is decided by the phase 2 proposal in racoon.conf, not visible here. Quit racoon and run tcpdump again, and it shows this instead:
# tcpdump -i em0 host 10.10.10.92 and dst 10.10.10.74
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:59:01.746824 IP 10.10.10.92.http > 10.10.10.74.54689: Flags [S.], seq 4062076932, ack 3510823228, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3952843041 ecr 1536066686], length 0
09:59:01.748276 IP 10.10.10.92.http > 10.10.10.74.54689: Flags [P.], seq 1:303, ack 266, win 1027, options [nop,nop,TS val 3952843041 ecr 1536066687], length 302: HTTP: HTTP/1.1 200 OK
09:59:01.748480 IP 10.10.10.92.http > 10.10.10.74.54689: Flags [F.], seq 303, ack 266, win 1027, options [nop,nop,TS val 3952843041 ecr 1536066687], length 0
09:59:01.748796 IP 10.10.10.92.http > 10.10.10.74.54689: Flags [.], ack 267, win 1026, options [nop,nop,TS val 3952843041 ecr 1536066688], length 0
With racoon gone, the same HTTP exchange crosses the wire in cleartext: TCP flags, sequence numbers and the "HTTP/1.1 200 OK" response are all readable on the router. Whether traffic is allowed to fall through like this when no SA exists depends on the policy level in setkey.conf: a "use" policy lets packets pass unprotected, while "require" would drop them instead of sending them in the clear.
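The two captures above are the kind of evidence worth checking automatically rather than by eye. The script below is an added example, not part of the original article or of ipsec-tools: it cross-checks a racoon log against tcpdump output, confirming that every packet in the capture carries an ESP header and that the ESP SPIs seen on the wire are ones racoon reported as established. The function names are hypothetical, and the sample log and capture files are constructed from the lines shown in this article.

```sh
#!/bin/sh
# Added example (not from the original article): verify from a racoon log and a
# tcpdump capture that traffic between two hosts is really carried inside ESP SAs
# negotiated by racoon. Function names are hypothetical; sample data is constructed
# from the log and tcpdump lines shown in the article.

# ESP SPIs racoon logged as established, as lowercase hex without the 0x prefix or
# leading zeros (racoon prints 0xbb6aac7, tcpdump prints 0x0bb6aac7).
racoon_esp_spis() {
    sed -n 's/.*IPsec-SA established: ESP\/Transport .*spi=[0-9]*(0x\([0-9a-f]*\)).*/\1/p' "$1" |
        sed 's/^0*//' | sort -u
}

# Exit 0 only if every timestamped packet line in the capture carries an ESP header.
# A single cleartext line (e.g. TCP/HTTP) means that packet was not covered by an SA.
capture_all_esp() {
    awk '
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./ { pkts++; if ($0 ~ /ESP\(spi=/) esp++ }
        END { exit !(pkts > 0 && pkts == esp) }' "$1"
}

# Exit 0 only if every ESP SPI seen on the wire is one racoon negotiated.
capture_spis_match_log() {
    log=$1; cap=$2
    wire=$(sed -n 's/.*ESP(spi=0x\([0-9a-f]*\),.*/\1/p' "$cap" | sed 's/^0*//' | sort -u)
    [ -n "$wire" ] || return 1
    known=$(racoon_esp_spis "$log")
    for spi in $wire; do
        printf '%s\n' "$known" | grep -qx "$spi" || return 1
    done
    return 0
}

# Run both checks on one capture and report the verdict.
verify_capture() {
    if capture_all_esp "$1" && capture_spis_match_log "$RACOON_LOG" "$1"; then
        echo "$1: all packets ESP-protected, SPIs match racoon's log"
        return 0
    fi
    echo "$1: cleartext or unknown SPI seen, traffic is NOT covered by an IPsec SA"
    return 1
}

# --- constructed sample data, copied from the article's output ---
WORK=$(mktemp -d)
RACOON_LOG=$WORK/racoon.log
CAP_ESP=$WORK/capture-esp.txt
CAP_CLEAR=$WORK/capture-clear.txt

cat >"$RACOON_LOG" <<'EOF'
2022-06-15 09:52:28: INFO: ISAKMP-SA established 10.10.10.74[500]-10.10.10.92[500] spi:9c05e88e55dd0ead:3be77ea323c63ae8
2022-06-15 09:52:29: INFO: IPsec-SA established: AH/Transport 10.10.10.74[500]->10.10.10.92[500] spi=187131851(0xb2767cb)
2022-06-15 09:52:29: INFO: IPsec-SA established: ESP/Transport 10.10.10.74[500]->10.10.10.92[500] spi=196520647(0xbb6aac7)
2022-06-15 09:52:29: INFO: IPsec-SA established: AH/Transport 10.10.10.74[500]->10.10.10.92[500] spi=56908505(0x3645ad9)
2022-06-15 09:52:29: INFO: IPsec-SA established: ESP/Transport 10.10.10.74[500]->10.10.10.92[500] spi=170687013(0xa2c7a25)
EOF

cat >"$CAP_ESP" <<'EOF'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:56:29.252361 IP 10.10.10.92 > 10.10.10.74: AH(spi=0x0b2767cb,seq=0x5): ESP(spi=0x0bb6aac7,seq=0x5), length 84
09:56:29.254597 IP 10.10.10.92 > 10.10.10.74: AH(spi=0x0b2767cb,seq=0x6): ESP(spi=0x0bb6aac7,seq=0x6), length 372
EOF

cat >"$CAP_CLEAR" <<'EOF'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:59:01.746824 IP 10.10.10.92.http > 10.10.10.74.54689: Flags [S.], seq 4062076932, ack 3510823228, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3952843041 ecr 1536066686], length 0
09:59:01.748276 IP 10.10.10.92.http > 10.10.10.74.54689: Flags [P.], seq 1:303, ack 266, win 1027, options [nop,nop,TS val 3952843041 ecr 1536066687], length 302: HTTP: HTTP/1.1 200 OK
EOF

verify_capture "$CAP_ESP"
verify_capture "$CAP_CLEAR" || true   # expected to fail: this capture is cleartext HTTP
```

Against live data, feed it the log written by "racoon -l /var/log/racoon.log" and a saved "tcpdump -i em0 host ... > capture.txt". The check tells you that an SA negotiated by racoon covers every packet; it cannot tell a null-cipher ESP from a real one, so the cipher still has to be confirmed in the phase 2 proposal of racoon.conf.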

