나는 ikev2 터널을 가지고 있으며, Strongswan이 cisco asa로 가는 우분투 상자의 왼쪽에서 시작되었습니다. ASA를 사용하여 ASA 여러 네트워크가 작동하지만 Strongswan으로는 얻을 수 없습니다.
#config setup
# strictcrlpolicy=yes
# uniqueids = no
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=yes
# Add connections here.
conn host2
left=8.8.8.8 #Changed from real for this example
leftsubnet=172.27.1.0/20
right=8.8.4.4 # changed
rightsubnet=192.168.1.0/24,192.168.2.0/24
ike=aes256-sha512-modp2048s256
esp=aes256-sha512
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
authby=secret
auto=add
keyexchange=ikev2
type=tunnel
연결 후: ip xfm 정책
src 192.168.1.0/24 dst 8.8.8.8/32
dir fwd priority 185664
tmpl src 4.4.4.4 dst 8.8.8.8
proto esp reqid 1 mode tunnel
src 192.168.1.0/24 dst 8.8.8.8/32
dir in priority 185664
tmpl src 4.4.4.4 dst 8.8.8.8
proto esp reqid 1 mode tunnel
src 8.8.8.8/32 dst 192.168.1.0/24
dir out priority 185664
tmpl src 8.8.8.8 dst 4.4.4.4
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
$ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.13.0-37-generic, x86_64):
uptime: 119 seconds, since Mar 23 09:08:33 2018
malloc: sbrk 2297856, mmap 532480, used 1224384, free 1073472
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Listening IP addresses:
8.8.8.8
172.27.1.3
Connections:
host2: 8.8.8.8...4.4.4.4 IKEv2
host2: local: [8.8.8.8] uses pre-shared key authentication
host2: remote: [4.4.4.4] uses pre-shared key authentication
host2: child: 8.8.8.8/32 === 192.168.1.0/24 192.168.2.0/24
TUNNEL
Security Associations (1 up, 0 connecting):
host2[1]: ESTABLISHED 115 seconds ago, 8.8.8.8[8.8.8.8]...4.4.4.4[4.4.4.4]
host2[1]: IKEv2 SPIs: 1f4ce050e3e482ac_i* 35d68fd4c114ef25_r, pre-shared key reauthentication in 2 hours
host2[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048_256
host2{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca77e9b9_i a6993362_o
host2{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
host2{1}: 8.8.8.8/32 === 192.168.2.0/24
성공적인 연결 후 ASA:
asa-fw1# show crypto ipsec sa peer 8.8.4.4 | include ident
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.27.1.0/255.255.240.0/0/0)
그리고 2개의 ASA 사이의 다른 터널:
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.252/0/0)
remote ident (addr/mask/prot/port) : (192.168.10.2/255.255.255.255/0/0)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.2/255.255.255.255/0/0)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.2/255.255.255.255/0/0)
local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.2/255.255.255.255/0/0)
또한 다음과 같이 추가로 올바른 서브넷을 자체적으로 배치해 보았습니다.
conn host2
left=8.8.8.8 #Changed from real for this example
leftsubnet=172.27.1.0/20
right=4.4.4.4 # changed
rightsubnet=192.168.1.0/24
ike=aes256-sha512-modp2048s256
esp=aes256-sha512
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
authby=secret
auto=add
keyexchange=ikev2
type=tunnel
conn host2-2
also=host2
rightsubnet=192.168.2.0/24
연결 후:
$ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.13.0-37-generic, x86_64):
uptime: 52 seconds, since Mar 23 09:02:22 2018
malloc: sbrk 2293760, mmap 532480, used 1203936, free 1089824
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Listening IP addresses:
8.8.8.8
172.27.1.3
Connections:
host2: 8.8.8.8...4.4.4.4 IKEv2
host2: local: [8.8.8.8] uses pre-shared key authentication
host2: remote: [4.4.4.4] uses pre-shared key authentication
host2: child: 8.8.8.8/32 === 192.168.1.0/24 TUNNEL
host2-2: child: 8.8.8.8/32 === 192.168.2.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
host2[1]: ESTABLISHED 50 seconds ago,
8.8.8.8[8.8.8.8]...4.4.4.4[4.4.4.4]
host2[1]: IKEv2 SPIs: 98cf15596219b433_i* 8177dc2c8f0605d8_r, pre-shared key reauthentication in 2 hours
host2[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048_256
host2-2{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ccc8bf25_i 1cec9278_o
host2-2{1}: AES_CBC_256/HMAC_SHA1_96, 336 bytes_i (4 pkts, 40s ago), 336 bytes_o (4 pkts, 40s ago), rekeying in 41 minutes
host2-2{1}: 8.8.8.8/32 === 192.168.2.0/24
그리고 ip xfrm 정책은 다음과 같습니다.
src 192.168.2.0/24 dst 8.8.8.8/32
dir fwd priority 185664
tmpl src 4.4.4.4 dst 8.8.8.8
proto esp reqid 1 mode tunnel
src 192.168.2.0/24 dst 8.8.8.8/32
dir in priority 185664
tmpl src 4.4.4.4 dst 8.8.8.8
proto esp reqid 1 mode tunnel
src 8.8.8.8/32 dst 192.168.2.0/24
dir out priority 185664
tmpl src 8.8.8.8 dst 4.4.4.4
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
위 방법을 사용할 때 192.168.2.0에는 액세스할 수 있지만 더 이상 192.168.1.0에는 액세스할 수 없습니다.
그럼에도 불구하고 xfrm 정책은 동일하며 192.168.2.0/24에만 액세스할 수 있습니다.
성공하지 못한 채 서브넷에 대한 트래픽을 생성하려고 했습니다. 오른쪽에 있는 하나의 원격 서브넷에만 액세스할 수 있는 이유를 아는 사람이 있습니까?
답변1
대답은 간단합니다. Cisco ASACHILD_SA당 여러 트래픽 선택기를 지원하지 않습니다.. 따라서 터널링하려는 로컬 및 원격 서브넷의 각 조합에 대해 개별 CHILD_SA를 협상해야 합니다. 즉, 다음과 같습니다.
conn host2
...
rightsubnet=192.168.1.0/24
...
conn host2-2
also=host2
rightsubnet=192.168.2.0/24
conn host2-3
also=host2
rightsubnet=192.168.3.0/24