strongSwan IKEv2 host2host-transport-connmark configuration test

In this test, the two hosts alice and venus behind the NAT gateway moon initiate secure connections to the external gateway sun, using transport mode. The sun gateway uses the connmark plugin and Netfilter marks (mark) to distinguish the two connections, so that it can communicate with both hosts behind the NAT gateway. The test topology is as follows:
(Figure: test topology; the image is not included here)

Test configuration

alice's configuration file ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf is shown below; the type field is set to transport, selecting transport mode. The configuration of host venus is essentially the same as alice's.

conn nat-t
        leftcert=aliceCert.pem
        leftid=alice@strongswan.org
        right=192.168.0.2
        rightid=@sun.strongswan.org
        type=transport
        auto=add

The sun gateway's configuration file ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf is shown below. In the definition of connection nat-t, type selects transport mode, and mark=%unique assigns a unique firewall mark (fwmark) to the traffic of each connection.

conn %default
        left=192.168.0.2
        leftcert=sunCert.pem
        leftid=@sun.strongswan.org

conn nat-t
        right=%any
        type=transport
        mark=%unique
        auto=add

The sun gateway's configuration file ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf is shown below; it loads the connmark plugin used in this test.

charon {
  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default connmark
}

Test preparation phase

The file ikev2/host2host-transport-connmark/pretest.dat, besides the usual statements that start the IPsec connections, also configures the intermediate NAT gateway moon, which sits between the remote clients alice/venus and the VPN gateway sun. It enables masquerading NAT for traffic with source addresses in 10.1.0.0/16, and accepts packets of the 10.1.0.0/16 network in the FORWARD chain.

moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16  -j ACCEPT
moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16  -j ACCEPT

Test phase

The contents of ikev2/host2host-transport-connmark/evaltest.dat are shown below. After confirming that the connection (nat-t) between hosts alice and venus and gateway sun is established, an ssh command is run on alice and on venus to connect to the sun gateway (192.168.0.2), run an echo command, and check the result.

alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
alice::ssh 192.168.0.2 'echo alice-echo && exit'::alice-echo::YES
venus::ssh 192.168.0.2 'echo venus-echo && exit'::venus-echo::YES

Because alice and venus are behind the NAT gateway moon, after NAT both of their source addresses are rewritten to the address of moon's eth0 interface, 192.168.0.1, and the layer-4 source port is also rewritten to tell them apart. With mark=%unique in sun's ipsec.conf above, the two clients are assigned different marks. In order of establishment, alice connects first and uses mark value 1; venus uses mark value 2. On the sun gateway the mark value and the source port are used to distinguish the two connections; see the rules in the PREROUTING chain of the mangle table below, which set the Netfilter mark.

In addition, the rules in the INPUT and OUTPUT chains of the mangle table operate on the conntrack mark, which is different from the Netfilter mark above: the Netfilter mark is per packet, while the conntrack mark is per connection. The purpose of the INPUT and OUTPUT rules is to ensure that packets sent by the sun host reach the correct destination (alice or venus). First, the INPUT chain uses the IPsec policy match extension: inbound traffic with SPI 0xae4086cb or 0x3c83fac5 gets connection mark 2 or 1 respectively, distinguishing the two flows. Note in particular that the SPI values here are in host byte order, and therefore differ from the output of the ip xfrm state command.

In the OUTPUT chain, the conntrack mark is restored into the Netfilter mark, so that this mark value is used when matching the IPsec SA.

=== mangle table ===
Chain PREROUTING (policy ACCEPT 186 packets, 25684 bytes)
 pkts bytes target     prot opt in     out     source               destination
   25  4788 MARK       udp  --  *      *       192.168.0.1          192.168.0.2          udp spt:62409 dpt:4500 MARK set 0x2
   25  4788 MARK       udp  --  *      *       192.168.0.1          192.168.0.2          udp spt:4500 dpt:4500 MARK set 0x1

Chain INPUT (policy ACCEPT 186 packets, 25684 bytes)
 pkts bytes target     prot opt in     out     source               destination
   25  3256 CONNMARK   all  --  *      *       192.168.0.1          192.168.0.2          policy match dir in pol ipsec spi 0xae4086cb CONNMARK set 0x2
   25  3256 CONNMARK   all  --  *      *       192.168.0.1          192.168.0.2          policy match dir in pol ipsec spi 0x3c83fac5 CONNMARK set 0x1

Chain OUTPUT (policy ACCEPT 208 packets, 58674 bytes)
 pkts bytes target     prot opt in     out     source               destination
   49  8962 CONNMARK   all  --  *      *       192.168.0.2          192.168.0.1          mark match 0x0 CONNMARK restore
    5  4285 CONNMARK   all  --  *      *       192.168.0.2          192.168.0.1          mark match 0x0 CONNMARK restore

Below is the output of ip -s xfrm state on the sun gateway. For packets sent from sun (192.168.0.2) to 192.168.0.1, the mark value (2/1) selects the security association (SA) to use: mark 1 corresponds to the SA towards alice, and mark 2 to the SA towards venus.

src 192.168.0.2 dst 192.168.0.1
        proto esp spi 0xc818ea39(3357076025) reqid 2(0x00000002) mode transport
        mark 0x2/0xffffffff
        auth-trunc hmac(sha256) 0x65c2fcdef2fc9f815ee026041afcced175a1c916b2b7408b3fcbb5dfe4c3adb7 (256 bits) 128
        enc cbc(aes) 0x2d2b46d5451aa067a442d65eda69cda6 (128 bits)
        encap type espinudp sport 4500 dport 62409 addr 0.0.0.0
        sel src 192.168.0.2/32 dst 192.168.0.1/32 uid 0
src 192.168.0.2 dst 192.168.0.1
        proto esp spi 0xc9ceb8f4(3385768180) reqid 1(0x00000001) mode transport
        mark 0x1/0xffffffff
        auth-trunc hmac(sha256) 0x61ef57a82516bd8890ab158cb1371186e85b073767070135afa315c9ee639f1b (256 bits) 128
        enc cbc(aes) 0x770c38b9a13a054045ffea81fa276c94 (128 bits)
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        sel src 192.168.0.2/32 dst 192.168.0.1/32 uid 0

Furthermore, the two SAs for traffic from alice and venus to the sun gateway have SPIs 0xc5fa833c and 0xcb8640ae; note that these SPIs are in network byte order. They correspond respectively to the SPI values in the INPUT chain match rules above, 0x3c83fac5 and 0xae4086cb.

src 192.168.0.1 dst 192.168.0.2
        proto esp spi 0xcb8640ae(3414573230) reqid 2(0x00000002) mode transport
        auth-trunc hmac(sha256) 0x7c257ac3ae0b0347fe026ab2cbc87ebe0d919b9d1d03aaf36467544a11319d11 (256 bits) 128
        enc cbc(aes) 0x65ac5c4e2b5240b842056065fb4185fc (128 bits)
        encap type espinudp sport 62409 dport 4500 addr 0.0.0.0
        sel src 192.168.0.1/32 dst 192.168.0.2/32 uid 0
src 192.168.0.1 dst 192.168.0.2
        proto esp spi 0xc5fa833c(3321529148) reqid 1(0x00000001) mode transport
        auth-trunc hmac(sha256) 0xeabc76045042ce78b2b68a525f50b4b62d55e6e7d4237e762f149f2d54122816 (256 bits) 128
        enc cbc(aes) 0xe781366beb6d940ed83e77bd8ac91d6d (128 bits)
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        sel src 192.168.0.1/32 dst 192.168.0.2/32 uid 0
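The byte-order caveat above (policy match shows the SPI in host order, ip xfrm shows it in network order) and the mark/reqid/port relationships between the mangle rules and the SA table are easy to check mechanically. The following script is an added example, not code from the original post or from strongSwan: it parses constructed copies of the post's ip -s xfrm state and mangle-table listings (key material trimmed) and verifies that each PREROUTING MARK rule names the mark of the outbound SA whose ESP-in-UDP encapsulation targets that source port, and that each INPUT CONNMARK rule names an inbound SA once the SPI is byte-swapped and sets the mark carried by the outbound SA with the same reqid. It assumes a little-endian host (x86), where the host-order SPI is the byte-swapped wire value; on a big-endian host the two listings would agree.

```python
"""Cross-check connmark mangle rules against ``ip -s xfrm state`` (added example)."""
import re
import struct

GATEWAY = "192.168.0.2"  # sun's address in the post

# Constructed sample: the SA table from the post, key lines removed.
XFRM_STATE = """\
src 192.168.0.2 dst 192.168.0.1
        proto esp spi 0xc818ea39(3357076025) reqid 2(0x00000002) mode transport
        mark 0x2/0xffffffff
        encap type espinudp sport 4500 dport 62409 addr 0.0.0.0
src 192.168.0.2 dst 192.168.0.1
        proto esp spi 0xc9ceb8f4(3385768180) reqid 1(0x00000001) mode transport
        mark 0x1/0xffffffff
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.0.1 dst 192.168.0.2
        proto esp spi 0xcb8640ae(3414573230) reqid 2(0x00000002) mode transport
        encap type espinudp sport 62409 dport 4500 addr 0.0.0.0
src 192.168.0.1 dst 192.168.0.2
        proto esp spi 0xc5fa833c(3321529148) reqid 1(0x00000001) mode transport
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""

# Constructed sample: PREROUTING and INPUT rules of the mangle table (iptables -t mangle -L -v -n).
MANGLE = """\
   25  4788 MARK       udp  --  *      *       192.168.0.1          192.168.0.2          udp spt:62409 dpt:4500 MARK set 0x2
   25  4788 MARK       udp  --  *      *       192.168.0.1          192.168.0.2          udp spt:4500 dpt:4500 MARK set 0x1
   25  3256 CONNMARK   all  --  *      *       192.168.0.1          192.168.0.2          policy match dir in pol ipsec spi 0xae4086cb CONNMARK set 0x2
   25  3256 CONNMARK   all  --  *      *       192.168.0.1          192.168.0.2          policy match dir in pol ipsec spi 0x3c83fac5 CONNMARK set 0x1
"""

SPI_RE = re.compile(r"proto esp spi (0x[0-9a-f]+)\(\d+\) reqid (\d+)")
MARK_RE = re.compile(r"^\s*mark (0x[0-9a-f]+)/")
ENCAP_RE = re.compile(r"encap type espinudp sport (\d+) dport (\d+)")
PORT_RULE_RE = re.compile(r"udp spt:(\d+) dpt:\d+ MARK set (0x[0-9a-f]+)")
SPI_RULE_RE = re.compile(r"pol ipsec spi (0x[0-9a-f]+) CONNMARK set (0x[0-9a-f]+)")


def spi_to_host_order(spi_wire: int) -> int:
    """Reinterpret the four SPI bytes as a little-endian integer.

    ``ip xfrm`` prints the SPI as it appears on the wire (big endian); the
    xt_policy match prints the same four bytes read as a host integer, which on
    a little-endian machine is the byte-swapped value (assumption: x86 host).
    The function is its own inverse.
    """
    return struct.unpack("<I", struct.pack(">I", spi_wire))[0]


def parse_xfrm_state(text: str) -> list:
    """Return one dict per SA: src, dst, spi, reqid, mark (None if absent), dport."""
    sas, cur = [], None
    for line in text.splitlines():
        if line.startswith("src "):
            f = line.split()
            cur = {"src": f[1], "dst": f[3], "mark": None, "dport": None}
            sas.append(cur)
        elif cur is not None:
            if m := SPI_RE.search(line):
                cur["spi"], cur["reqid"] = int(m[1], 16), int(m[2])
            elif m := MARK_RE.search(line):
                cur["mark"] = int(m[1], 16)
            elif m := ENCAP_RE.search(line):
                cur["dport"] = int(m[2])
    return sas


def check_connmark_rules(xfrm_text: str, mangle_text: str, gateway: str) -> dict:
    """Validate every MARK/CONNMARK rule in the listing against the SA table.

    Returns {"port_to_mark": {udp_sport: mark}, "spi_to_mark": {host_order_spi: mark}}
    and raises ValueError on the first inconsistency.
    """
    sas = parse_xfrm_state(xfrm_text)
    outbound_by_mark = {sa["mark"]: sa for sa in sas if sa["src"] == gateway}
    outbound_by_reqid = {sa["reqid"]: sa for sa in sas if sa["src"] == gateway}
    inbound_by_spi = {spi_to_host_order(sa["spi"]): sa for sa in sas if sa["dst"] == gateway}
    port_to_mark, spi_to_mark = {}, {}
    for line in mangle_text.splitlines():
        if m := PORT_RULE_RE.search(line):
            # PREROUTING: packet mark chosen by the NAT'd UDP source port.
            sport, mark = int(m[1]), int(m[2], 16)
            sa = outbound_by_mark.get(mark)
            if sa is None or sa["dport"] != sport:
                raise ValueError(f"PREROUTING rule spt:{sport} -> mark {mark:#x} has no outbound SA encapsulating to that port")
            port_to_mark[sport] = mark
        elif m := SPI_RULE_RE.search(line):
            # INPUT: connection mark chosen by the inbound SA's SPI (host order).
            spi, mark = int(m[1], 16), int(m[2], 16)
            sa = inbound_by_spi.get(spi)
            if sa is None:
                raise ValueError(f"INPUT rule spi {spi:#010x} matches no inbound SA (check byte order)")
            out = outbound_by_reqid.get(sa["reqid"])
            expected = out["mark"] if out else None
            if expected != mark:
                raise ValueError(f"INPUT rule spi {spi:#010x} sets mark {mark:#x}, outbound SA with reqid {sa['reqid']} has mark {expected}")
            spi_to_mark[spi] = mark
    return {"port_to_mark": port_to_mark, "spi_to_mark": spi_to_mark}


if __name__ == "__main__":
    print(check_connmark_rules(XFRM_STATE, MANGLE, GATEWAY))
```

Run against live output, feed it `ip -s xfrm state` and `iptables -t mangle -L -v -n` captured on the gateway; a ValueError mentioning byte order is the symptom of comparing the two listings without the swap.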

Below is the output of ip -s xfrm policy on the sun gateway; the policies are distinguished by mark value.

src 192.168.0.2/32 dst 192.168.0.1/32 uid 0
        dir out action allow index 425 priority 367231 ptype main share any flag  (0x00000000)
        mark 0x2/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp spi 0xc818ea39(3357076025) reqid 2(0x00000002) mode transport
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

src 192.168.0.2/32 dst 192.168.0.1/32 uid 0
        dir out action allow index 409 priority 367231 ptype main share any flag  (0x00000000)
        mark 0x1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp spi 0xc9ceb8f4(3385768180) reqid 1(0x00000001) mode transport
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

Inbound policies:

src 192.168.0.1/32 dst 192.168.0.2/32 uid 0
        dir in action allow index 416 priority 367231 ptype main share any flag  (0x00000000)
        mark 0x2/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp spi 0x00000000(0) reqid 2(0x00000002) mode transport
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.0.1/32 dst 192.168.0.2/32 uid 0
        dir in action allow index 400 priority 367231 ptype main share any flag  (0x00000000)
        mark 0x1/0xffffffff
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode transport
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

The conntrack command shows the connection entries on the sun gateway with their mark values.

sun# conntrack -L | grep '' []
tcp      6 119 TIME_WAIT src=192.168.0.1 dst=192.168.0.2 sport=46790 dport=22 src=192.168.0.2 dst=192.168.0.1 sport=22 dport=46790 [ASSURED] mark=2 use=1
tcp      6 119 TIME_WAIT src=192.168.0.1 dst=192.168.0.2 sport=53278 dport=22 src=192.168.0.2 dst=192.168.0.1 sport=22 dport=53278 [ASSURED] mark=1 use=1

strongSwan version tested: 5.8.1

END
