• 用ip xfrm搭ipsec隧道

    拓扑如下

    基本的IP配置就不说了,直接写重点,在LS上配置

    #配置SA
ip xfrm state add src 194.168.10.4 dst 194.168.10.5 proto esp spi 0x00004005 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b
ip xfrm state add src 194.168.10.5 dst 194.168.10.4 proto esp spi 0x00005004 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b
#配置SP
ip xfrm policy add src 194.168.10.4 dst 194.168.10.5 dir out tmpl src 194.168.10.4 dst 194.168.10.5 proto esp mode tunnel
ip xfrm policy add src 194.168.10.5 dst 194.168.10.4 dir in tmpl src 194.168.10.5 dst 194.168.10.4 proto esp mode tunnel

     在RS上配置

    #配置SA
ip xfrm state add src 194.168.10.4 dst 194.168.10.5 proto esp spi 0x00004005 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71      d9181a67b
ip xfrm state add src 194.168.10.5 dst 194.168.10.4 proto esp spi 0x00005004 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71      d9181a67b
#配置SP
ip xfrm policy add src 194.168.10.4 dst 194.168.10.5 dir in tmpl src 194.168.10.4 dst 194.168.10.5 proto esp mode tunnel
ip xfrm policy add src 194.168.10.5 dst 194.168.10.4 dir out tmpl src 194.168.10.5 dst 194.168.10.4 proto esp mode tunnel

     这就可以了,从RS上ping LS,用tcpdump抓包结果如下

    23:28:21.300088 IP 194.168.10.5 > 194.168.10.4: ESP(spi=0x00005004,seq=0x8), length 116
23:28:21.300354 IP 194.168.10.4 > 194.168.10.5: ESP(spi=0x00004005,seq=0x9), length 116
23:28:21.300354 IP 194.168.10.4 > 194.168.10.5: ICMP echo reply, id 4873, seq 1, length 64
23:28:22.301986 IP 194.168.10.5 > 194.168.10.4: ESP(spi=0x00005004,seq=0x9), length 116
23:28:22.302366 IP 194.168.10.4 > 194.168.10.5: ESP(spi=0x00004005,seq=0xa), length 116
23:28:22.302366 IP 194.168.10.4 > 194.168.10.5: ICMP echo reply, id 4873, seq 2, length 64
23:28:23.302824 IP 194.168.10.5 > 194.168.10.4: ESP(spi=0x00005004,seq=0xa), length 116
23:28:23.303139 IP 194.168.10.4 > 194.168.10.5: ESP(spi=0x00004005,seq=0xb), length 116
23:28:23.303139 IP 194.168.10.4 > 194.168.10.5: ICMP echo reply, id 4873, seq 3, length 64
23:28:24.304512 IP 194.168.10.5 > 194.168.10.4: ESP(spi=0x00005004,seq=0xb), length 116
23:28:24.305172 IP 194.168.10.4 > 194.168.10.5: ESP(spi=0x00004005,seq=0xc), length 116
23:28:24.305172 IP 194.168.10.4 > 194.168.10.5: ICMP echo reply, id 4873, seq 4, length 64

     证明已经走ipsec加密了,这种用法太简陋了,有点徒手玩火的感觉,可以自己做实验玩,不要在实际环境中用,毕竟手工处理密钥不方便,而且隧道的运行情况也不太好监测。还是推荐用openswan。
  • 相关阅读:
    appium for windows 环境搭建
    jenkins+maven+testng参数化执行测试用例
    java追加文本到文件末尾
    jenkins下添加HTML Publisher Plugin及配置
    jenkins配置本机JDK和maven环境
    Linux运维基础入门(三):网络基础知识梳理03
    Linux运维入门(二):网络基础知识梳理02
    Linux运维基础入门(一)网络基础知识梳理01
    Linux实战教学笔记55:开源虚拟化KVM(三)管理虚拟网络
    Linux实战教学笔记54:开源虚拟化KVM(二)管理虚拟存储
  • 原文地址:https://www.cnblogs.com/4a8a08f09d37b73795649038408b5f33/p/11959104.html
Copyright © 2020-2023  润新知