IPSEC ( GRE tunnel) Cisco + Debian 8 racoon

2.2.2.0/24 ####Cisco#### 10.66.66.1/30 <--------> 10.66.66.2/30####Debina8#####3.3.3.0/24
                                       10.0.0.1<---------GRE--------->10.0.0.2

#########################################################
### Cisco ###
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key test address 10.66.66.2
!
!
crypto ipsec transform-set tunnel esp-3des esp-sha-hmac
!
crypto ipsec profile VPN
 set transform-set tunnel
 set pfs group2
!
!
!
interface Loopback1
 ip address 2.2.2.1 255.255.255.0
!
interface Tunnel1
 ip address 10.0.0.1 255.255.255.0
 tunnel source 10.66.66.1
 tunnel destination 10.66.66.2
 tunnel protection ipsec profile VPN
!
interface FastEthernet0/0
 ip address 10.66.66.1 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
 duplex auto
 speed auto
!
ip route 3.3.3.0 255.255.255.0 10.0.0.2
!
!
!
access-list 100 permit gre host 10.66.66.2 host 10.66.66.1
access-list 100 permit esp host 10.66.66.2 host 10.66.66.1
access-list 100 permit ahp host 10.66.66.2 host 10.66.66.1
access-list 100 permit udp host 10.66.66.2 host 10.66.66.1eq isakmp
access-list 100 deny   ip any any
access-list 101 permit gre host 10.66.66.1host 10.66.66.2 
access-list 101 permit esp host 10.66.66.1host 10.66.66.2 
access-list 101 permit ahp host 10.66.66.1host 10.66.66.2 
access-list 101 permit udp host 10.66.66.1host 10.66.66.2 eq isakmp
access-list 101 deny   ip any any

!

##############################################

### Debian8 ###

modprobe gre

ip tunnel add tun1 mode gre remote 10.66.66.1 local 10.66.66.2

ifconfig tun1 10.0.0.2 pointopoint 10.0.0.1 up

или

auto tun1

iface tun1 inet tunnel
        address 10.0.0.2
        netmask 255.255.255.252
        dstaddr 10.0.0.1
        local 10.66.66.2
        endpoint 10.66.66.1
        mode gre

root@debian:/home/tuhvatov# ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

    inet6 ::1/128 scope host

       valid_lft forever preferred_lft forever

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

    link/ether 08:00:27:a6:d5:e4 brd ff:ff:ff:ff:ff:ff

    inet 10.66.66.2/24 brd 10.66.66.255 scope global eth0

       valid_lft forever preferred_lft forever

    inet6 fe80::a00:27ff:fea6:d5e4/64 scope link

       valid_lft forever preferred_lft forever

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

    link/ether 08:00:27:6c:0e:82 brd ff:ff:ff:ff:ff:ff

    inet 192.168.205.230/23 brd 192.168.205.255 scope global eth1

       valid_lft forever preferred_lft forever

    inet 3.3.3.1/24 scope global eth1

       valid_lft forever preferred_lft forever

    inet6 fe80::a00:27ff:fe6c:e82/64 scope link

       valid_lft forever preferred_lft forever

4: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default

    link/gre 0.0.0.0 brd 0.0.0.0

5: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000

    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

6: tun1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default

    link/gre 10.66.66.2 peer 10.66.66.1

    inet 10.0.0.2 peer 10.0.0.1/32 scope global tun1

       valid_lft forever preferred_lft forever

    inet6 fe80::5efe:a42:4202/64 scope link

       valid_lft forever preferred_lft forever

/etc/racoon/racoon.conf

remote 10.66.66.1 {

        exchange_mode main,aggressive;

        lifetime time 28800 sec;

        proposal {

                encryption_algorithm 3des;

                hash_algorithm sha1;

                authentication_method pre_shared_key;

                dh_group 2;

        }

}

sainfo address 10.66.66.2/32 47 address 10.66.66.1/32 47 {

        pfs_group 2;

        lifetime time 3600 sec;

        encryption_algorithm 3des;

        authentication_algorithm hmac_sha1;

        compression_algorithm deflate ;

}

/etc/ipsec-tools.conf

flush;

spdflush;

spdadd 10.66.66.2/32 10.66.66.1/32 47 -P out ipsec

           esp/tunnel/10.66.66.2-10.66.66.1/require;

spdadd 10.66.66.1/32 10.66.66.2/32 47 -P in ipsec

           esp/tunnel/10.66.66.1-10.66.66.2/require;

iptables -P INPUT     DROP

iptables -P FORWARD   DROP
iptables -P OUTPUT    ACCEPT
iptables -t filter -A INPUT -i tun1 -j ACCEPT
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p gre -j ACCEPT
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p esp -j ACCEPT
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT

https://www.altlinux.org/VPN_c_%D0%B4%D0%B8%D0%BD%D0%B0%D0%BC%D0%B8%D1%87%D0%B5%D1%81%D0%BA%D0%BE%D0%B9_%D0%BC%D0%B0%D1%80%D1%88%D1%80%D1%83%D1%82%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D0%B5%D0%B9_(GRE_Racoon_OSPF)

http://www.rhd.ru/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-ipsec-host2host.html

IPSEC (mode tunnel) Cisco + Debian 8 racoon

2.2.2.0/24 ####Cisco#### 10.66.66.1/30 <--------> 10.66.66.2/30####Debina8#####3.3.3.0/24

##########################################################3
### Cisco ###

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key test address 10.66.66.2
!
!
crypto ipsec transform-set tunnel esp-3des esp-sha-hmac
!
crypto map TEST 1 ipsec-isakmp
 set peer 10.66.66.2
 set transform-set tunnel
 set pfs group2
 match address MY-ACL
!
!
!
!
!
interface Loopback1
 ip address 2.2.2.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.66.66.1 255.255.255.0
 duplex auto
 speed auto
 crypto map TEST
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 3.3.3.0 255.255.255.0 10.66.66.2
no ip http server
no ip http secure-server
!
!
!
ip access-list extended MY-ACL
 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
 deny   ip any any
!

##############################################

### Debian8 ###

root@debian:/etc/init.d# ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

    inet 127.0.0.1/8 scope host lo

       valid_lft forever preferred_lft forever

    inet6 ::1/128 scope host

       valid_lft forever preferred_lft forever

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

    link/ether 08:00:27:a6:d5:e4 brd ff:ff:ff:ff:ff:ff

    inet 10.66.66.2/24 brd 10.66.66.255 scope global eth0

       valid_lft forever preferred_lft forever

    inet6 fe80::a00:27ff:fea6:d5e4/64 scope link

       valid_lft forever preferred_lft forever

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

    link/ether 08:00:27:6c:0e:82 brd ff:ff:ff:ff:ff:ff

    inet 192.168.205.230/23 brd 192.168.205.255 scope global eth1

       valid_lft forever preferred_lft forever

    inet 3.3.3.1/24 scope global eth1

       valid_lft forever preferred_lft forever

    inet6 fe80::a00:27ff:fe6c:e82/64 scope link

       valid_lft forever preferred_lft forever

root@debian:/etc/racoon# cat /etc/racoon/psk.txt

# IPv4/v6 addresses

10.66.66.1      test

root@debian:/etc/racoon# cat /etc/racoon/racoon.conf

log notify;

path pre_shared_key "/etc/racoon/psk.txt";

path certificate "/etc/racoon/certs";

remote 10.66.66.1 {

        exchange_mode main,aggressive;

        lifetime time 28800 sec;

        proposal {

                encryption_algorithm 3des;

                hash_algorithm sha1;

                authentication_method pre_shared_key;

                dh_group 2;

        }

}

sainfo address 3.3.3.0/24 any address 2.2.2.0/24 any {

        pfs_group 2;

        lifetime time 3600 sec;

        encryption_algorithm 3des;

        authentication_algorithm hmac_sha1;

        compression_algorithm deflate ;

}

root@debian:/etc# cat /etc/ipsec-tools.conf

#!/usr/sbin/setkey -f

flush;

spdflush;

spdadd 3.3.3.0/24 2.2.2.0/24 any -P out ipsec

           esp/tunnel/10.66.66.2-10.66.66.1/require;

spdadd 2.2.2.0/24 3.3.3.0/24 any -P in ipsec

           esp/tunnel/10.66.66.1-10.66.66.2/require;

######################################
######## Мониторинг
root@debian:/etc# racoonctl -ll ss isakmp
Source                                        Destination                                   Cookies                           ST S  V E Created             Phase2
10.66.66.2.500                                10.66.66.1.500                                2f884599e608cee3:69f1cc4a2e88d065  9 I 10 M 2016-07-01 09:12:30      1

root@debian:/etc# tail -f /var/log/syslog | grep racoon
Jul  1 09:06:56 debian racoon: [10.66.66.1] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Jul  1 09:12:29 debian racoon: WARNING: attribute has been modified.
Jul  1 09:12:29 debian racoon: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
Jul  1 09:12:29 debian racoon: INFO: @(#)This product linked OpenSSL 1.0.1k 8 Jan 2015 (http://www.openssl.org/)
Jul  1 09:12:29 debian racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Jul  1 09:12:31 debian racoon: WARNING: attribute has been modified.

cisco+freeradius (на Debian squeezy)

настройки Cisco 871 (192.168.4.176)

aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default
 action-type start-stop
 group radius
!
aaa accounting network default
 action-type start-stop
 group radius
!
radius-server host 192.168.4.212 auth-port 1812 acct-port 1813 key $$$$$

настройки freeradius (192.168.4.212)

root@aaa-serv:/etc/freeradius# egrep -v "#" clients.conf
client localhost {
        ipaddr = 127.0.0.1
        secret          = testing123
        require_message_authenticator = no
}

client 192.168.4.176 {
        secret          = $$$$$
        nastype         = cisco
}

root@aaa-serv:/etc/freeradius# egrep -v "#" users

user_cisco        NAS-IP-Address == 192.168.4.176
                cisco-avpair = "shell:priv-lvl=15"

• http://wiki.freeradius.org/Cisco
• http://ru.gentoo-wiki.com/wiki/%D0%9C%D0%B8%D0%BD%D0%B8%D0%BC%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B9_RADIUS_%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80_%D0%BD%D0%B0_freeradius
• http://www.opennet.ru/base/cisco/cisco_logging.txt.html

cisco

http://sites.google.com/site/amitsciscozone/home

ip sla, ipsec и event manager

Заметку делаю для себя, чтоб не забыть.
Итак, столкнулся с тем, что track отбивает маршрут, но сессия ipsec висит. Соответственно, пока её не прибить, трафик не ходит по новому маршруту с новым тунелем.
Проблему решил с помощью event manager. Настраивалось все на 2811.

track timer interface 5
track timer ip route 5
!
track 1 ip sla 10 reachability
!

канала для сети 192.168.125.0/24 два, оба через ipsec, основной канал по радиолинку через 10.11.12.13, и второй через инет по дефолтному маршруту.

ip route 192.168.125.0 255.255.255.0 10.11.12.13 track 1
ip route 0.0.0.0 0.0.0.0 10.9.8.7

когда линк по радио-каналу есть, работает основной маршрут для этой сети, в отсутствие линка, работает маршрут через инет.

ip sla 10
icmp-echo 10.11.12.13 source-interface FastEthernet0/1
timeout 2000
threshold 2
frequency 10
ip sla schedule 10 life forever start-time now

теперь собственно нужно отбить сессию ipsec, что проделывается следующим образом

event manager applet app-sla-10
description #crypto down if radio channel unav#
event track 1 state down
action 1.0 cli command "enable"
action 1.1 cli command "clear crypto session remote 10.11.12.13"
event manager applet app-sla-11
description #crypto down if radio channel av#
event track 1 state up
action 1.0 cli command "enable"
action 1.1 cli command "clear crypto session remote 10.9.8.6"

Вот таким образом всё работает. При пропадании линка через радио-модем, маршрут через него пропадает и ipsec сессия прибивается, соответственно, поднимается новая сессия ipsec по каналу через инет и работает основной маршрут. При появлении радио-линка все возвращается на круги своя.
Удачи в настройках.
© shadow_alone