VPP/IPSec Configuration Notes
Official documentation: https://wiki.fd.io/view/VPP/IPSec_and_IKEv2
Feature summary:
Payload Types: Security Association (SA)
Encryption Algorithm: AES-CBC (128/192/256)
Integrity Algorithm: HMAC-SHA1-96
Pseudo-random Function: HMAC-SHA1
Diffie-Hellman Group: 2048-bit MODP
ID Types: IPv4 address
Authentication Method: shared-key-mic (pre-shared key), rsa-sig (RSA signature)
Traffic Selector Types: IPv4 address range
Security Protocol Identifiers: ESP
Configuration
Profile creation
# Create an IKEv2 profile
# ikev2 profile [add|del] <id>
ikev2 profile add profile1
Authentication:
# Set the authentication method (pre-shared key or RSA signature)
# ikev2 profile set <id> auth [rsa-sig|shared-key-mic] [cert-file|string|hex] <data>
ikev2 profile set profile1 auth shared-key-mic string Vpp123
# or
ikev2 profile set profile1 auth shared-key-mic hex abcd1234
# or (RSA signature: the peer's certificate, plus the local private key loaded below)
ikev2 profile set profile1 auth rsa-sig cert-file /home/localadmin/certs/server-cert.pem
set ikev2 local key /home/localadmin/certs/client-key.pem
ID:
# Set the IKE identities (local and remote); the peer's configured remote id must equal this side's local id.
# ikev2 profile set <id> id <local|remote> <type> <data>
ikev2 profile set profile1 id remote ip4-addr 192.168.123.20
# or
ikev2 profile set profile1 id local fqdn vpp.home
# or
ikev2 profile set profile1 id local key-id 0xabcd
# or
ikev2 profile set profile1 id local rfc822 vpp@vvp.home
Traffic Selector:
# Set the local and remote traffic selectors (address range, port range, IP protocol number; protocol 0 = any)
# ikev2 profile set <id> traffic-selector <local|remote> ip-range <start-addr> - <end-addr> port-range <start-port> - <end-port> protocol <protocol-number>
ikev2 profile set profile1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
ikev2 profile set profile1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
Use case 1
IKEv2 negotiation between a VPP responder and a strongSwan initiator, using the pre-shared key authentication method.
The strongSwan client reaches the HTTP server through the VPP gateway; traffic between the strongSwan initiator and the VPP responder is encrypted.
 --------------                   -------------                   -------------
 |            | 192.168.4.0/24    |           | 192.168.5.0/24    |           |
 192.168.3.1 X  strongSwan  X================X     VPP     X=================X    HTTP    |
 |  Initiator |.1              .2|  Responder |.2              .1|   Server   |
 --------------                   -------------                   -------------
HTTP Server configuration
ip link set dev enp5s0f0 up
ip address add 192.168.5.1/24 dev enp5s0f0
ip route add 192.168.3.0/24 via 192.168.5.2
strongSwan initiator configuration
Global settings
ip link add name loop1 type dummy
ip link set dev loop1 up
ip address add 192.168.3.1/24 dev loop1
ip link set dev enp5s0f0 up
ip address add 192.168.4.1/24 dev enp5s0f0
ip route add 192.168.5.0/24 via 192.168.4.2
Setting up strongSwan
$ vi /etc/ipsec.conf
config setup
    strictcrlpolicy=no

conn %default
    ike=aes256-sha1-modp2048!
    esp=aes192-sha1-esn!
    mobike=no
    keyexchange=ikev2
    ikelifetime=24h
    lifetime=24h

conn net-net
    right=192.168.4.2
    rightsubnet=192.168.5.0/24
    rightauth=psk
    rightid=@vpp.home
    left=192.168.4.1
    leftsubnet=192.168.3.0/24
    leftauth=psk
    leftid=@roadwarrior.vpn.example.com
    auto=start
$ vi /etc/ipsec.secrets
: PSK "Vpp123"
Setting up the VPP responder
set interface state TenGigabitEthernet4/0/0 up
set interface ip address TenGigabitEthernet4/0/0 192.168.4.2/24
set interface state TenGigabitEthernet5/0/0 up
set interface ip address TenGigabitEthernet5/0/0 192.168.5.2/24
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home
ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
vpp# show ikev2 profile
profile pr1
auth-method shared-key-mic auth data Vpp123
local id-type fqdn data vpp.home
remote id-type fqdn data roadwarrior.vpn.example.com
local traffic-selector addr 192.168.5.0 - 192.168.5.255 port 0 - 65535 protocol 0
remote traffic-selector addr 192.168.3.0 - 192.168.3.255 port 0 - 65535 protocol 0
Launch the IKEv2 negotiation
vpp# ipsec restart
vpp# show interface
              Name               Idx       State          Counter          Count
TenGigabitEthernet4/0/0           1         up       rx packets                     5
                                                     rx bytes                    1426
                                                     tx packets                     4
                                                     tx bytes                     766
                                                     drops                          2
                                                     ip4                            3
TenGigabitEthernet5/0/0           5         up
ipsec0                            9        down
local0                            0        down
vpp# show ikev2 sa
iip 192.168.4.1 ispi f40329997e6563dd rip 192.168.4.2 rspi 984e52c554274bc6
 encr:aes-cbc-256 prf:hmac-sha1 integ:sha1-96 dh-group:modp-2048
 nonce i:255224a51f9466c127a38dbc8a02d26aef126b761cffd226ce50e913fc924401
       r:5b753c202b6e3ea60f0bfe10bf0bee86fb882c4fd686934de4e19053b9c17e57
 SK_d  bee5291d974f8119af474620f9ec70a51704a422
 SK_a  i:54cee37b588e7a91c3ddac4b28eae7cd02ca3592
       r:e236ab21a5403cbb381d0f33431600ad1fe1cc6e
 SK_e  i:dca8461456b9b02050d5fa5d73ec57d5159e6f3dade91aac57c2a4c2a6c95b48
       r:d477f31b2d7befc557b8b14aea7101aedd43eb90cc028ab540f03dce762fda42
 SK_p  i:1f169c5abc7fef5e863bbc8f9aa2d973548ead8f
       r:07fb9076ad5a47bd715677c60e1dadf7831c5af0
 identifier (i) fqdn roadwarrior.vpn.example.com
 identifier (r) fqdn vpp.home
 child sa 0:
   encr:aes-cbc-192 integ:sha1-96 esn:yes
   spi(i) c0b24047 spi(r) 63199535
   SK_e  i:7ee71f3b1168b19b656e39575e985466fa86a71f802d55e6
         r:2e43283551a2408a1b8ebf16769d748118e439f2591ab562
   SK_a  i:ab331c5718cc21811e8bd35313a17c6149d0a7f4
         r:6111429868ff314520d43c12523b23f06e6f9e7d
   traffic selectors (i):
     0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535
   traffic selectors (r):
     0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
iip 192.168.4.1 ispi f40329997e6563dd rip 192.168.4.2 rspi 984e52c554274bc6
After the negotiation succeeds, VPP creates a logical interface, ipsec0.
vpp# show ipsec
tunnel interfaces
ipsec0 seq
seq 0 seq-hi 0 esn 1 anti-replay 1
local-spi 3232907335 local-ip 192.168.4.2
local-crypto aes-cbc-192 2e43283551a2408a1b8ebf16769d748118e439f2591ab562
local-integrity sha1-96 6111429868ff314520d43c12523b23f06e6f9e7d
last-seq 0 last-seq-hi 0 esn 1 anti-replay 1 window 0000000000000000000000000000000000000000000000000000000000000000
remote-spi 1662620981 remote-ip 192.168.4.1
remote-crypto aes-cbc-192 7ee71f3b1168b19b656e39575e985466fa86a71f802d55e6
remote-integrity sha1-96 ab331c5718cc21811e8bd35313a17c6149d0a7f4
Routing traffic through the ipsec0 interface on the VPP responder
Traffic that must be IPsec-encrypted is routed through the logical interface ipsec0. Either of the two options below works.
# Option 1: give ipsec0 a dummy IP address and route via that address.
set interface state ipsec0 up
set interface ip address ipsec0 11.11.11.11/32
ip route add 192.168.3.0/24 via 11.11.11.11 ipsec0
# Option 2: route directly via ipsec0 and bind the logical interface to the physical one (unnumbered, borrowing its address).
ip route add 192.168.3.0/24 via ipsec0
set interface state ipsec0 up
set interface unnumbered ipsec0 use TenGigabitEthernet4/0/0
Verify connectivity and encryption
Fetch a page from the client through to the HTTP server while capturing with tcpdump on the IPsec endpoints; on the 192.168.4.0/24 link between the two endpoints the packets should appear as ESP rather than plaintext HTTP.
wget --bind-address=192.168.3.1 192.168.5.1/index.html
Use case 2
VPP initiator, strongSwan responder
strongSwan responder
Configuration
$ vi /etc/strongswan/ipsec.conf
config setup
    strictcrlpolicy=no

conn %default
    mobike=no
    keyexchange=ikev2
    ikelifetime=24h
    lifetime=24h

conn net-net
    left=192.168.1.1
    leftsubnet=172.18.22.0/24
    leftauth=psk
    leftid=@sun.home
    right=192.168.1.24
    rightsubnet=172.20.231.0/24
    rightauth=psk
    rightid=@moon.home
    auto=add
$ vi /etc/strongswan/ipsec.secrets
: PSK "Vpp123"
Start strongSwan
$ systemctl restart strongswan
$ strongswan status
Security Associations (0 up, 0 connecting):
none
VPP initiator
Configuration
set int state VirtualFunctionEthernet0/8/0 up
set int ip address VirtualFunctionEthernet0/8/0 192.168.1.24/24
ikev2 profile add pr1
# The shared key must be identical to the PSK in the responder's ipsec.secrets
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn moon.home
ikev2 profile set pr1 id remote fqdn sun.home
ikev2 profile set pr1 traffic-selector local ip-range 172.20.231.0 - 172.20.231.254 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 172.18.22.0 - 172.18.22.254 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder VirtualFunctionEthernet0/8/0 192.168.1.1
ikev2 profile set pr1 ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-2048
# sa-lifetime <seconds> <jitter> <handover> <max bytes>.
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
Initiate the SA
vpp# show ikev2 profile
vpp# ikev2 initiate sa-init pr1
Check the VPP SA state
vpp# show ikev2 sa
iip 192.168.1.24 ispi 71bc27df5bb8f6e9 rip 192.168.1.1 rspi 2a61bce4398c804
 encr:aes-cbc-128 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
 nonce i:a440a2cdcbfe83871b8f450caa27f53f6524ce501f34dac17bc7d6c86beb804f
       r:bfb27a66e624983caaabf32ba8863d2597ec5b7e6cb8e8ec3cb32101d72d209b
 SK_d  aca25855a1b95b833be862f831f2755f6d510d084cc9e920e376ff5eeabd0726
 SK_a  i:24b5a188c57c5e7eb5caddceeb678866d24afe27
       r:e6feca2ac5e629665eef41971f5aa6f0dbb52989
 SK_e  i:6b3ee75566695ae7fde1cbc985c02b56
       r:cab1913cb6c890a39e473abf2702a1e5
 SK_p  i:c4e14ff2884a1141f63c995c7ea0038a2657d99be1edb78b0ab6232df1e4d532
       r:587d9827951ff4e0c9ae694cd6bc10cc1d2e8a48720d56daf85ecea1c3fe8021
 identifier (i) fqdn moon.home
 identifier (r) fqdn sun.home
 child sa 0:
   encr:aes-cbc-128 integ:sha1-96 esn:no
   spi(i) cee0127 spi(r) c59959c0
   SK_e  i:a79f06470868e9893a270719fe19362d
         r:429b0b22e060663afd1450207ee7efa7
   SK_a  i:f0980c73941f9e5e066bf8b5f127951b24296822
         r:10b8eeb52f1c8dc74666982c75ac0f5def558943
   traffic selectors (i):
     0 type 7 protocol_id 0 addr 172.20.231.0 - 172.20.231.254 port 0 - 65535
   traffic selectors (r):
     0 type 7 protocol_id 0 addr 172.18.22.0 - 172.18.22.254 port 0 - 65535
iip 192.168.1.24 ispi 71bc27df5bb8f6e9 rip 192.168.1.1 rspi 2a61bce4398c804
Check the strongSwan SA state
$ strongswan status
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 5 minutes ago, 192.168.1.1[sun.home]...192.168.1.24[moon.home]
net-net{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c59959c0_i 0cee0127_o
net-net{1}: 172.18.22.0..172.18.22.254 === 172.20.231.0..172.20.231.254
Route traffic through the tunnel interface (ipip0 here)
set int state ipip0 up
set interface ip address ipip0 11.11.11.11/32
ip route add 172.18.22.0/24 via 11.11.11.11 ipip0
set int unnumbered ipip0 use VirtualFunctionEthernet0/8/0
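The profile commands in the Configuration section and the strongSwan/VPP pairs in use cases 1 and 2 only work when the two sides are mirror images of each other: VPP's local id must equal strongSwan's rightid (and remote id its leftid), VPP's local traffic selector must cover what strongSwan calls rightsubnet, and the shared-key-mic string must be byte-identical to the PSK in ipsec.secrets. The Python script below is an added example, not part of these notes, of VPP or of strongSwan: it parses both configurations and reports mismatches before a negotiation is attempted. The parsers, check_mirror() and audit() are my own; the sample texts are constructed from use case 2, with the VPP-side PSK deliberately set to a different value so the check fires, and the /24 subnets against the .0-.254 ranges show the narrowing that the strongSwan status output above reports.

```python
import ipaddress
import re
import shlex

# Constructed sample input modelled on use case 2 (embedded text, not read from a live system).
IPSEC_CONF = """\
config setup
    strictcrlpolicy=no
conn %default
    keyexchange=ikev2
conn net-net
    left=192.168.1.1
    leftsubnet=172.18.22.0/24
    leftauth=psk
    leftid=@sun.home
    right=192.168.1.24
    rightsubnet=172.20.231.0/24
    rightauth=psk
    rightid=@moon.home
    auto=add
"""
IPSEC_SECRETS = ': PSK "Vpp123"'
VPP_PROFILE = """\
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string upf123
ikev2 profile set pr1 id local fqdn moon.home
ikev2 profile set pr1 id remote fqdn sun.home
ikev2 profile set pr1 traffic-selector local ip-range 172.20.231.0 - 172.20.231.254 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 172.18.22.0 - 172.18.22.254 port-range 0 - 65535 protocol 0
"""


def parse_ipsec_conf(text):
    """Return the settings of the first named 'conn' section (skipping %default)."""
    conn, active = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            active = line.split()[1] != "%default"
        elif active and "=" in line:
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn


def parse_psk(secrets):
    """Extract the PSK from an ipsec.secrets line such as ': PSK "Vpp123"'."""
    match = re.search(r'PSK\s+"([^"]*)"', secrets)
    return match.group(1) if match else None


def parse_vpp_profile(text):
    """Collect auth, identities and traffic selectors from 'ikev2 profile set' lines."""
    prof = {"auth": None, "id": {}, "ts": {}}
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:3] != ["ikev2", "profile", "set"]:
            continue
        args = tok[4:]  # everything after the profile name
        if args[0] == "auth":
            prof["auth"] = (args[1], args[3])  # (method, data)
        elif args[0] == "id":
            prof["id"][args[1]] = (args[2], args[3])  # side -> (type, data)
        elif args[0] == "traffic-selector":
            i = args.index("ip-range")
            prof["ts"][args[1]] = (args[i + 1], args[i + 3])  # side -> (start, end)
    return prof


def check_mirror(conn, psk, prof):
    """Compare both sides; return a list of (severity, message) findings."""
    findings = []
    # strongSwan's 'left' is its own side, so leftid must equal VPP's remote id, and rightid its local id.
    for vpp_side, sw_key in (("remote", "leftid"), ("local", "rightid")):
        expected = conn[sw_key].lstrip("@")
        got = prof["id"].get(vpp_side, (None, None))[1]
        if got != expected:
            findings.append(("error", f"VPP {vpp_side} id {got!r} != strongSwan {sw_key} {expected!r}"))
    # VPP's local selector protects what strongSwan calls rightsubnet; its remote selector, leftsubnet.
    for vpp_side, sw_key in (("local", "rightsubnet"), ("remote", "leftsubnet")):
        net = ipaddress.ip_network(conn[sw_key], strict=False)
        start, end = (ipaddress.ip_address(a) for a in prof["ts"][vpp_side])
        lo, hi = max(start, net[0]), min(end, net[-1])
        if lo > hi:
            findings.append(("error", f"VPP {vpp_side} selector {start}-{end} is disjoint from {sw_key} {net}"))
        elif (start, end) != (net[0], net[-1]):
            findings.append(("warning", f"VPP {vpp_side} selector {start}-{end} != {sw_key} {net}; "
                                        f"the responder will narrow the CHILD_SA to {lo}-{hi}"))
    # The shared secret must be identical on both peers.
    if prof["auth"] and prof["auth"][0] == "shared-key-mic" and prof["auth"][1] != psk:
        findings.append(("error", f"VPP PSK {prof['auth'][1]!r} != strongSwan PSK {psk!r}"))
    return findings


def audit(ipsec_conf=IPSEC_CONF, secrets=IPSEC_SECRETS, vpp_profile=VPP_PROFILE):
    """Run all checks on the given configuration texts."""
    return check_mirror(parse_ipsec_conf(ipsec_conf), parse_psk(secrets), parse_vpp_profile(vpp_profile))


if __name__ == "__main__":
    for severity, message in audit():
        print(f"{severity.upper()}: {message}")
```

A selector that is a strict subset of the peer's subnet is reported as a warning rather than an error because the IKEv2 responder narrows the CHILD_SA to the intersection; a disjoint selector or a differing PSK is reported as an error because the negotiation will fail.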
Use case 3
Example: VPP1 actively initiates the IKEv2 negotiation (VPP/IPSec currently supports only IKEv2) and sets up the IPsec tunnel; VPP2 passively establishes the tunnel with VPP1. PC1 can then ping PC2, and a packet capture shows the packets being encapsulated before they are sent.
VPP Responder (passive)
Interface configuration
set int state GigabitEthernet2/2/0 up
set int ip address GigabitEthernet2/2/0 11.0.0.1/24
set int state GigabitEthernet2/3/0 up
set int ip address GigabitEthernet2/3/0 10.66.0.2/24
IKEv2 configuration
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp2.home
ikev2 profile set pr1 id remote fqdn vpp1.home
ikev2 profile set pr1 traffic-selector local ip-range 11.0.0.0 - 11.0.0.254 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 10.0.0.0 - 10.0.0.254 port-range 0 - 65535 protocol 0
# Show the IKEv2 configuration
show ikev2 profile
# Show the IKEv2 negotiation result
show ikev2 sa
# Bring up the IPsec interface
set int state ipsec0 up
# Route traffic to the IPsec interface
ip route add 10.0.0.0/24 via ipsec0
# Bind the IPsec interface to the physical interface (unnumbered, borrowing its address)
set int unnumbered ipsec0 use GigabitEthernet2/3/0
VPP Initiator (active)
Interface configuration
set int state GigabitEthernet2/1/0 up
set int ip address GigabitEthernet2/1/0 10.66.0.1/24
set int state GigabitEthernet2/4/0 up
set int ip address GigabitEthernet2/4/0 10.0.0.1/24
IKEv2 configuration
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp1.home
ikev2 profile set pr1 id remote fqdn vpp2.home
ikev2 profile set pr1 traffic-selector local ip-range 10.0.0.0 - 10.0.0.254 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 11.0.0.0 - 11.0.0.254 port-range 0 - 65535 protocol 0
# Set the remote responder's address and the interface used for the negotiation
# ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set pr1 responder GigabitEthernet2/1/0 10.66.0.2
# Set the IKE and ESP cipher suites; they only need to be configured on the side that initiates the negotiation.
# Note: modp-1024 is accepted by a VPP peer, but a strongSwan peer with default proposals rejects it (see Troubleshooting).
# ikev2 profile set <id> ike-crypto-alg <crypto alg> <key size> ike-integ-alg <integ alg> ike-dh <dh type>
ikev2 profile set pr1 ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-1024
# ikev2 profile set <id> esp-crypto-alg <crypto alg> <key size> esp-integ-alg <integ alg> esp-dh <dh type>
ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-1024
# Set the IKE SA lifetime: sa-lifetime <seconds> <jitter> <handover> <max bytes>
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
# Start the IPsec negotiation
# ikev2 initiate sa-init <profile id>
ikev2 initiate sa-init pr1
# Show the IKEv2 configuration
show ikev2 profile
# Show the IKEv2 negotiation result
show ikev2 sa
# Bring up the IPsec interface
set int state ipsec0 up
# Route traffic to the IPsec interface
ip route add 11.0.0.0/24 via ipsec0
# Bind the IPsec interface to the physical interface (unnumbered, borrowing its address)
set int unnumbered ipsec0 use GigabitEthernet2/1/0
Troubleshooting
SA establishment fails because strongSwan versions newer than 5.6.1 removed some weak algorithms, so when VPP proposes one of them the SA cannot be established. The strongSwan log shows this: the received proposals and the configured proposals have no intersection.
Apr 20 21:30:47 11[CFG] <1> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/MODP_2048
Apr 20 21:30:47 11[CFG] <1> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/CHACHA20_POLY1305/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Apr 20 21:30:47 11[CFG] <1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/MODP_2048
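The "received proposals" / "configured proposals" pair in the log above is the place to look when an SA fails: the responder accepts the first received proposal that shares at least one algorithm for every transform type (encryption, integrity, PRF, DH group) with one of its configured proposals. The Python script below is an added example, not from these notes or from strongSwan's own code, that parses the two log lines and either reports the selected proposal or names the received algorithms no configured proposal offers. The classification in transform_type() and the matching rule are my own simplification of strongSwan's selection logic; the sample lines are constructed, with the configured list abbreviated from the real one, and the second "received" line shows what a profile configured with ike-dh modp-1024 (as in use case 3) would produce.

```python
# Constructed sample log lines in the strongSwan "[CFG]" format shown above; the
# configured list is abbreviated from the real one, which is much longer.
CONFIGURED = ("Apr 20 21:30:47 11[CFG] <1> configured proposals: "
              "IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA1_96/"
              "PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/CURVE_25519/MODP_3072/MODP_2048, "
              "IKE:AES_GCM_16_128/CHACHA20_POLY1305/PRF_HMAC_SHA2_256/ECP_256/MODP_2048")
RECEIVED_OK = ("Apr 20 21:30:47 11[CFG] <1> received proposals: "
               "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/MODP_2048")
# What a VPP profile configured with "ike-dh modp-1024" would send (constructed).
RECEIVED_WEAK = ("Apr 20 21:31:02 11[CFG] <2> received proposals: "
                 "IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/MODP_1024")


def transform_type(alg):
    """Map a strongSwan algorithm name to its IKEv2 transform type (own simplification)."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "encr"  # AES_CBC/CTR/GCM/CCM, CAMELLIA, 3DES, CHACHA20_POLY1305


def parse_proposals(line):
    """Return [(protocol, {type: [alg, ...]}), ...] from a 'proposals:' log line."""
    _, _, body = line.partition("proposals: ")
    proposals = []
    for item in body.split(", "):
        proto, _, algs = item.partition(":")
        grouped = {}
        for alg in algs.split("/"):
            grouped.setdefault(transform_type(alg), []).append(alg)
        proposals.append((proto, grouped))
    return proposals


def select_proposal(received, configured):
    """First received proposal sharing one algorithm per transform type with a configured one."""
    for proto, r in received:
        for cproto, c in configured:
            # Transform-type sets must agree: an AEAD proposal (no integ) never matches a non-AEAD one.
            if proto != cproto or r.keys() != c.keys():
                continue
            chosen = {}
            for ttype in r:
                common = [a for a in r[ttype] if a in c[ttype]]
                if not common:
                    break
                chosen[ttype] = common[0]
            else:
                return proto, chosen
    return None


def diagnose(log_lines):
    """Return ('match', (proto, chosen)) or ('no match', {type: [unsupported algs]})."""
    received = configured = None
    for line in log_lines:
        if "received proposals: " in line:
            received = parse_proposals(line)
        elif "configured proposals: " in line:
            configured = parse_proposals(line)
    if received is None or configured is None:
        raise ValueError("need both a 'received proposals' and a 'configured proposals' line")
    selected = select_proposal(received, configured)
    if selected:
        return "match", selected
    # Explain the failure: which received algorithms does no configured proposal offer at all?
    missing = {}
    for _, r in received:
        for ttype, algs in r.items():
            offered = {a for _, c in configured for a in c.get(ttype, [])}
            for alg in algs:
                if alg not in offered:
                    missing.setdefault(ttype, []).append(alg)
    return "no match", missing


if __name__ == "__main__":
    print(diagnose([RECEIVED_OK, CONFIGURED]))
    print(diagnose([RECEIVED_WEAK, CONFIGURED]))
```

When the result is "no match", the algorithms listed under "dh" (or another type) are what the VPP profile must change, via ike-dh / ike-crypto-alg / ike-integ-alg, to something the strongSwan side still configures.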