# VPP/IPsec configuration notes

**Official documentation**: https://wiki.fd.io/view/VPP/IPSec_and_IKEv2

**Feature summary** (what the VPP IKEv2 implementation negotiates):

- Payload Types: Security Association (SA)
- Encryption Algorithm: AES-CBC (128/192/256)
- Integrity Algorithm: HMAC-SHA1-96
- Pseudo-random Function: HMAC-SHA1 (newer builds propose HMAC-SHA2-256, as the `prf:hmac-sha2-256` line in Use case 2 and the strongSwan log at the end show)
- Diffie-Hellman Group: 2048-bit MODP
- ID Types: IPv4 address (the CLI also accepts FQDN, RFC822 and key-id identities, see below)
- Authentication Methods: shared key message integrity code (`shared-key-mic`, i.e. pre-shared key) and RSA signature (`rsa-sig`)
- Traffic Selector Types: IPv4 address range
- Security Protocol Identifiers: ESP

## Configuration

- **Profile creation**

```bash
# Create an IKEv2 profile
# ikev2 profile [add|del] <id>
ikev2 profile add profile1
```

- **Authentication**:

```bash
# Set the authentication method: pre-shared key (shared-key-mic) or RSA signature (rsa-sig)
# ikev2 profile set <id> auth [rsa-sig|shared-key-mic] [cert-file|string|hex] <data>
ikev2 profile set profile1 auth shared-key-mic string Vpp123
# or
ikev2 profile set profile1 auth shared-key-mic hex abcd1234
# or certificate based: the peer's certificate goes on the profile, our own private key is set globally
ikev2 profile set profile1 auth rsa-sig cert-file /home/localadmin/certs/server-cert.pem
set ikev2 local key /home/localadmin/certs/client-key.pem
```

Note that a PSK given as `string` is stored and later printed in cleartext by `show ikev2 profile` (see Use case 1), so treat VPP CLI access and CLI transcripts as sensitive.

- **ID**:

```bash
# Set the IKE identities. The "remote" identity must be exactly what the peer sends as its own ID,
# otherwise IKE_AUTH fails even with the correct PSK.
# ikev2 profile set <id> id <local|remote> <id-type> <data>
ikev2 profile set profile1 id remote ip4-addr 192.168.123.20
# or
ikev2 profile set profile1 id local fqdn vpp.home
# or
ikev2 profile set profile1 id local key-id 0xabcd
# or
ikev2 profile set profile1 id local rfc822 vpp@vvp.home
```

- **Traffic Selector**:

```bash
# Set the local and remote traffic selectors (the address ranges the child SA protects).
# port-range 0 - 65535 with protocol 0 means any port and any IP protocol.
# ikev2 profile set <id> traffic-selector <local|remote> ip-range <start> - <end> port-range <start> - <end> protocol <number>
ikev2 profile set profile1 traffic-selector local ip-range 192.168.124.0 - 192.168.124.255 port-range 0 - 65535 protocol 0
ikev2 profile set profile1 traffic-selector remote ip-range 192.168.125.0 - 192.168.125.255 port-range 0 - 65535 protocol 0
```

## Use case 1

- IKEv2 negotiation between a VPP responder and a strongSwan initiator, using pre-shared key authentication.
- The strongSwan client reaches the HTTP server through the VPP gateway.
- Traffic between the strongSwan initiator and the VPP responder is encrypted (ESP); the hop from VPP to the HTTP server on 192.168.5.0/24 is plaintext.
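Before wiring up Use case 1 (and the later ones) it pays to check mechanically that the two peers are configured as mirror images: IKE_AUTH fails when the PSKs or the identities differ, and child SA setup fails when the traffic selectors do not overlap. The following Python is an added example, not part of the VPP documentation or of either project. It parses the VPP profile and the strongSwan `conn`/`ipsec.secrets` fragments from Use case 1 below (embedded here as constructed strings), reports PSK, identity and traffic-selector mismatches, and computes the RFC 7296 section 2.9 narrowing of overlapping selectors; the selector tuple layout and the `ts_from_*`/`check` helpers are this example's own.

```python
"""Mirror-check between a VPP IKEv2 profile and the strongSwan conn it must
match. Added example, not VPP or strongSwan code. The two configs must be
mirror images: VPP 'local' is the side strongSwan calls 'right' when
strongSwan is the other peer, the VPP 'remote' id is strongSwan's leftid, etc.
Inputs are constructed copies of the Use case 1 fragments on this page."""
import ipaddress
import re

VPP_PROFILE = """\
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home
ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0
"""
STRONGSWAN_CONN = """\
conn net-net
    right=192.168.4.2
    rightsubnet=192.168.5.0/24
    rightauth=psk
    rightid=@vpp.home
    left=192.168.4.1
    leftsubnet=192.168.3.0/24
    leftauth=psk
    leftid=@roadwarrior.vpn.example.com
    auto=start
"""
STRONGSWAN_SECRETS = ': PSK "Vpp123"\n'


# A selector is (ip_lo, ip_hi, port_lo, port_hi, protocol); protocol 0 means any.
def ts_from_range(lo, hi, port_lo=0, port_hi=65535, proto=0):
    return (int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)),
            port_lo, port_hi, proto)


def ts_from_cidr(cidr):
    net = ipaddress.ip_network(cidr)
    return ts_from_range(str(net[0]), str(net[-1]))


def fmt_ts(ts):
    return "%s - %s port %d - %d protocol %d" % (
        ipaddress.ip_address(ts[0]), ipaddress.ip_address(ts[1]), ts[2], ts[3], ts[4])


def parse_vpp_profile(text):
    """Pull the PSK, IDs and traffic selectors out of 'ikev2 profile set' lines."""
    cfg = {"ts": {}}
    for line in text.splitlines():
        m = re.match(r"ikev2 profile set \S+ auth shared-key-mic string (\S+)", line)
        if m:
            cfg["psk"] = m.group(1)
        m = re.match(r"ikev2 profile set \S+ id (local|remote) \S+ (\S+)", line)
        if m:
            cfg["id_" + m.group(1)] = m.group(2)
        m = re.match(r"ikev2 profile set \S+ traffic-selector (local|remote) ip-range "
                     r"(\S+) - (\S+) port-range (\d+) - (\d+) protocol (\d+)", line)
        if m:
            cfg["ts"][m.group(1)] = ts_from_range(
                m.group(2), m.group(3), int(m.group(4)), int(m.group(5)), int(m.group(6)))
    return cfg


def parse_strongswan(conn_text, secrets_text):
    """strongSwan's 'left' is its own side; '@name' is an FQDN identity."""
    kv = dict(re.findall(r"^\s*(\w+)=(\S+)$", conn_text, re.M))
    return {
        "psk": re.search(r'PSK\s+"([^"]*)"', secrets_text).group(1),
        "id_local": kv["leftid"].lstrip("@"),
        "id_remote": kv["rightid"].lstrip("@"),
        "ts": {"local": ts_from_cidr(kv["leftsubnet"]),
               "remote": ts_from_cidr(kv["rightsubnet"])},
    }


def narrow(a, b):
    """Intersect two selectors the way a responder narrows the initiator's
    proposal (RFC 7296 section 2.9); None means no overlap (TS_UNACCEPTABLE)."""
    ip_lo, ip_hi = max(a[0], b[0]), min(a[1], b[1])
    p_lo, p_hi = max(a[2], b[2]), min(a[3], b[3])
    if ip_lo > ip_hi or p_lo > p_hi or (a[4] and b[4] and a[4] != b[4]):
        return None
    return (ip_lo, ip_hi, p_lo, p_hi, a[4] or b[4])


def check(vpp, peer):
    """Return the list of mismatches; an empty list means the peers agree."""
    problems = []
    if vpp["psk"] != peer["psk"]:
        problems.append("PSK differs: VPP %r, strongSwan %r" % (vpp["psk"], peer["psk"]))
    if vpp["id_local"] != peer["id_remote"]:
        problems.append("VPP local id %s is not strongSwan rightid %s" % (vpp["id_local"], peer["id_remote"]))
    if vpp["id_remote"] != peer["id_local"]:
        problems.append("VPP remote id %s is not strongSwan leftid %s" % (vpp["id_remote"], peer["id_local"]))
    # VPP 'local' protects the VPP side, which strongSwan sees as its remote (right) subnet.
    for vside, pside in (("local", "remote"), ("remote", "local")):
        if narrow(vpp["ts"][vside], peer["ts"][pside]) is None:
            problems.append("no overlap: VPP %s TS %s vs strongSwan %s" % (
                vside, fmt_ts(vpp["ts"][vside]), fmt_ts(peer["ts"][pside])))
    return problems


if __name__ == "__main__":
    vpp = parse_vpp_profile(VPP_PROFILE)
    peer = parse_strongswan(STRONGSWAN_CONN, STRONGSWAN_SECRETS)
    print(check(vpp, peer) or "configs agree")
    print(check(dict(vpp, psk="upf123"), peer))  # constructed typo: fires the PSK check
    # Use case 2 style ranges: VPP's .0-.254 against strongSwan's /24 narrows to .0-.254
    print(fmt_ts(narrow(ts_from_range("172.20.231.0", "172.20.231.254"), ts_from_cidr("172.20.231.0/24"))))
```

The narrowing result is what strongSwan later reports in `strongswan status` for Use case 2 (`172.18.22.0..172.18.22.254`), because VPP's ranges stop at .254 while strongSwan's subnets are full /24s; that is harmless, but a range that does not overlap at all is a hard failure at CREATE_CHILD_SA.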
```text
 --------------                  -------------                  -------------
|              |  192.168.4.0/24 |           |  192.168.5.0/24 |           |
|  strongSwan  X=================X    VPP    X=================X   HTTP    |
|  Initiator   |.1             .2| Responder |.2             .1|  Server   |
| 192.168.3.1  |                 |           |                 |           |
 --------------                  -------------                  -------------
```

### HTTP server configuration

```bash
ip link set dev enp5s0f0 up
ip address add 192.168.5.1/24 dev enp5s0f0
# return route for the initiator's protected network points at the VPP gateway
ip route add 192.168.3.0/24 via 192.168.5.2
```

### strongSwan initiator configuration

- Global settings

```bash
# 192.168.3.1 on a dummy interface is the "client" address that the tunnel protects
ip link add name loop1 type dummy
ip link set dev loop1 up
ip address add 192.168.3.1/24 dev loop1
ip link set dev enp5s0f0 up
ip address add 192.168.4.1/24 dev enp5s0f0
ip route add 192.168.5.0/24 via 192.168.4.2
```

- Setting up strongSwan

```bash
$ vi /etc/ipsec.conf
config setup
    strictcrlpolicy=no

conn %default
    # the trailing '!' makes the proposal strict; these match VPP's default IKE proposal
    ike=aes256-sha1-modp2048!
    esp=aes192-sha1-esn!
    mobike=no
    keyexchange=ikev2
    ikelifetime=24h
    lifetime=24h

conn net-net
    right=192.168.4.2
    rightsubnet=192.168.5.0/24
    rightauth=psk
    rightid=@vpp.home
    left=192.168.4.1
    leftsubnet=192.168.3.0/24
    leftauth=psk
    leftid=@roadwarrior.vpn.example.com
    auto=start

$ vi /etc/ipsec.secrets
: PSK "Vpp123"
```

`rightid`, `rightsubnet` and the PSK must mirror the VPP profile below: `rightid` is VPP's local ID, `leftid` is VPP's remote ID, and `rightsubnet`/`leftsubnet` are VPP's local/remote traffic selectors.

### Setting up the VPP responder

```bash
set interface state TenGigabitEthernet4/0/0 up
set interface ip address TenGigabitEthernet4/0/0 192.168.4.2/24
set interface state TenGigabitEthernet5/0/0 up
set interface ip address TenGigabitEthernet5/0/0 192.168.5.2/24

ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp.home
ikev2 profile set pr1 id remote fqdn roadwarrior.vpn.example.com
ikev2 profile set pr1 traffic-selector local ip-range 192.168.5.0 - 192.168.5.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.3.0 - 192.168.3.255 port-range 0 - 65535 protocol 0

vpp# show ikev2 profile
profile pr1
  auth-method shared-key-mic auth data Vpp123
  local id-type fqdn data vpp.home
  remote id-type fqdn data roadwarrior.vpn.example.com
  local traffic-selector addr 192.168.5.0 - 192.168.5.255 port 0 - 65535 protocol 0
  remote traffic-selector addr 192.168.3.0 - 192.168.3.255 port 0 - 65535 protocol 0
```

### Launch the IKEv2 negotiation

`ipsec restart` is a strongSwan command, not a VPP one: it is run on the initiator, which starts the exchange immediately because of `auto=start`. The result is then inspected on VPP.

```bash
# on the strongSwan initiator
$ ipsec restart

# on the VPP responder
vpp# show interface
              Name               Idx    State   Counter          Count
TenGigabitEthernet4/0/0           1      up     rx packets       5
                                                rx bytes         1426
                                                tx packets       4
                                                tx bytes         766
                                                drops            2
                                                ip4              3
TenGigabitEthernet5/0/0           5      up
ipsec0                            9     down
local0                            0     down

vpp# show ikev2 sa
iip 192.168.4.1 ispi f40329997e6563dd rip 192.168.4.2 rspi 984e52c554274bc6
 encr:aes-cbc-256 prf:hmac-sha1 integ:sha1-96 dh-group:modp-2048
 nonce i:255224a51f9466c127a38dbc8a02d26aef126b761cffd226ce50e913fc924401
       r:5b753c202b6e3ea60f0bfe10bf0bee86fb882c4fd686934de4e19053b9c17e57
 SK_d bee5291d974f8119af474620f9ec70a51704a422
 SK_a i:54cee37b588e7a91c3ddac4b28eae7cd02ca3592 r:e236ab21a5403cbb381d0f33431600ad1fe1cc6e
 SK_e i:dca8461456b9b02050d5fa5d73ec57d5159e6f3dade91aac57c2a4c2a6c95b48
      r:d477f31b2d7befc557b8b14aea7101aedd43eb90cc028ab540f03dce762fda42
 SK_p i:1f169c5abc7fef5e863bbc8f9aa2d973548ead8f r:07fb9076ad5a47bd715677c60e1dadf7831c5af0
 identifier (i) fqdn roadwarrior.vpn.example.com
 identifier (r) fqdn vpp.home
 child sa 0:
  encr:aes-cbc-192 integ:sha1-96 esn:yes
  spi(i) c0b24047 spi(r) 63199535
  SK_e i:7ee71f3b1168b19b656e39575e985466fa86a71f802d55e6 r:2e43283551a2408a1b8ebf16769d748118e439f2591ab562
  SK_a i:ab331c5718cc21811e8bd35313a17c6149d0a7f4 r:6111429868ff314520d43c12523b23f06e6f9e7d
  traffic selectors (i):
   0 type 7 protocol_id 0 addr 192.168.3.0 - 192.168.3.255 port 0 - 65535
  traffic selectors (r):
   0 type 7 protocol_id 0 addr 192.168.5.0 - 192.168.5.255 port 0 - 65535
iip 192.168.4.1 ispi f40329997e6563dd rip 192.168.4.2 rspi 984e52c554274bc6
```

The negotiated IKE SA matches the strict strongSwan proposal (aes256, sha1-96, modp-2048) and the child SA matches `esp=aes192-sha1-esn!`. Be aware that `show ikev2 sa` dumps every derived key (SK_d, SK_a, SK_e, SK_p and the child SA keys) in cleartext; anyone who can read this output can decrypt the tunnel, so do not paste it into tickets or logs.

After a successful negotiation a logical interface, ipsec0, is created (it already shows up as `down` in `show interface` above) and the child SA is installed on it:

```bash
vpp# show ipsec
tunnel interfaces
 ipsec0
   seq 0 seq-hi 0 esn 1 anti-replay 1
   local-spi 3232907335 local-ip 192.168.4.2
   local-crypto aes-cbc-192 2e43283551a2408a1b8ebf16769d748118e439f2591ab562
   local-integrity sha1-96 6111429868ff314520d43c12523b23f06e6f9e7d
   last-seq 0 last-seq-hi 0 esn 1 anti-replay 1 window 0000000000000000000000000000000000000000000000000000000000000000
   remote-spi 1662620981 remote-ip 192.168.4.1
   remote-crypto aes-cbc-192 7ee71f3b1168b19b656e39575e985466fa86a71f802d55e6
   remote-integrity sha1-96 ab331c5718cc21811e8bd35313a17c6149d0a7f4
```

The decimal SPIs here are the hex SPIs from `show ikev2 sa`: local-spi 3232907335 is 0xc0b24047, i.e. spi(i), and remote-spi 1662620981 is 0x63199535, i.e. spi(r). In IKEv2 each peer chooses the SPI for the SA it will receive on, so VPP's outbound ("local") SA carries the initiator's SPI and is keyed with the responder's SK_e/SK_a (2e4328…, 611142…), while the inbound ("remote") SA carries spi(r) and uses the initiator's keys (7ee71f…, ab331c…). Matching these up confirms that the installed SA is the negotiated child SA, and the SPIs are also what identifies the tunnel's ESP packets in a capture.

### Routing traffic through the ipsec0 interface on the VPP responder

Traffic that must be encrypted is routed into the logical ipsec0 interface. There are two ways to give the route a usable next hop: put a dummy /32 on ipsec0 and route via that address, or leave ipsec0 unnumbered and let it borrow the physical interface's address.

```bash
# Option A: dummy address on ipsec0
set interface state ipsec0 up
set interface ip address ipsec0 11.11.11.11/32
ip route add 192.168.3.0/24 via 11.11.11.11 ipsec0

# Option B: unnumbered ipsec0, bound to the physical interface
ip route add 192.168.3.0/24 via ipsec0
set interface state ipsec0 up
set interface unnumbered ipsec0 use TenGigabitEthernet4/0/0
```

### Verify connectivity and encryption

Fetch a page from the HTTP server using the protected client address, while running tcpdump on the IPsec endpoints. On the 192.168.4.0/24 link only IKE (UDP port 500) and ESP should be visible, with the ESP SPIs equal to the ones above; the HTTP request must appear in clear only on the 192.168.5.0/24 link behind VPP.

```bash
wget --bind-address=192.168.3.1 192.168.5.1/index.html
```

## Use case 2

- VPP initiator, strongSwan responder.

### strongSwan responder

- Configuration (`auto=add` loads the conn and waits for the peer to initiate)

```bash
$ vi /etc/strongswan/ipsec.conf
config setup
    strictcrlpolicy=no

conn %default
    mobike=no
    keyexchange=ikev2
    ikelifetime=24h
    lifetime=24h

conn net-net
    left=192.168.1.1
    leftsubnet=172.18.22.0/24
    leftauth=psk
    leftid=@sun.home
    right=192.168.1.24
    rightsubnet=172.20.231.0/24
    rightauth=psk
    rightid=@moon.home
    auto=add

$ vi /etc/strongswan/ipsec.secrets
: PSK "Vpp123"
```

- Start

```bash
$ systemctl restart strongswan
$ strongswan status
Security Associations (0 up, 0 connecting):
  none
```

### VPP initiator

- Configuration

```bash
set int state VirtualFunctionEthernet0/8/0 up
set int ip address VirtualFunctionEthernet0/8/0 192.168.1.24/24

ikev2 profile add pr1
# must be identical to the PSK in ipsec.secrets on the responder, or IKE_AUTH fails
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn moon.home
ikev2 profile set pr1 id remote fqdn sun.home
ikev2 profile set pr1 traffic-selector local ip-range 172.20.231.0 - 172.20.231.254 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 172.18.22.0 - 172.18.22.254 port-range 0 - 65535 protocol 0
# responder address and the interface used to reach it
# ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set pr1 responder VirtualFunctionEthernet0/8/0 192.168.1.1
# IKE and ESP cipher suites
ikev2 profile set pr1 ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-2048
ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-2048
# IKE SA lifetime
# ikev2 profile set <id> sa-lifetime <seconds> <jitter> <handover> <max-bytes>
ikev2 profile set pr1 sa-lifetime 3600 10 5 0
```

- Initiate the SA

```bash
vpp# show ikev2 profile
vpp# ikev2 initiate sa-init pr1
```

- Check the SA state on VPP

```bash
vpp# show ikev2 sa
iip 192.168.1.24 ispi 71bc27df5bb8f6e9 rip 192.168.1.1 rspi 2a61bce4398c804
 encr:aes-cbc-128 prf:hmac-sha2-256 integ:sha1-96 dh-group:modp-2048
 nonce i:a440a2cdcbfe83871b8f450caa27f53f6524ce501f34dac17bc7d6c86beb804f
       r:bfb27a66e624983caaabf32ba8863d2597ec5b7e6cb8e8ec3cb32101d72d209b
 SK_d aca25855a1b95b833be862f831f2755f6d510d084cc9e920e376ff5eeabd0726
 SK_a i:24b5a188c57c5e7eb5caddceeb678866d24afe27 r:e6feca2ac5e629665eef41971f5aa6f0dbb52989
 SK_e i:6b3ee75566695ae7fde1cbc985c02b56 r:cab1913cb6c890a39e473abf2702a1e5
 SK_p i:c4e14ff2884a1141f63c995c7ea0038a2657d99be1edb78b0ab6232df1e4d532
      r:587d9827951ff4e0c9ae694cd6bc10cc1d2e8a48720d56daf85ecea1c3fe8021
 identifier (i) fqdn moon.home
 identifier (r) fqdn sun.home
 child sa 0:
  encr:aes-cbc-128 integ:sha1-96 esn:no
  spi(i) cee0127 spi(r) c59959c0
  SK_e i:a79f06470868e9893a270719fe19362d r:429b0b22e060663afd1450207ee7efa7
  SK_a i:f0980c73941f9e5e066bf8b5f127951b24296822 r:10b8eeb52f1c8dc74666982c75ac0f5def558943
  traffic selectors (i):
   0 type 7 protocol_id 0 addr 172.20.231.0 - 172.20.231.254 port 0 - 65535
  traffic selectors (r):
   0 type 7 protocol_id 0 addr 172.18.22.0 - 172.18.22.254 port 0 - 65535
iip 192.168.1.24 ispi 71bc27df5bb8f6e9 rip 192.168.1.1 rspi 2a61bce4398c804
```

Note `prf:hmac-sha2-256`: this VPP build proposes PRF_HMAC_SHA2_256 even though the profile only sets `sha1-96` for integrity, which is exactly the proposal seen in the strongSwan log in the Troubleshooting section.

- Check the SA state on strongSwan

```bash
$ strongswan status
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 5 minutes ago, 192.168.1.1[sun.home]...192.168.1.24[moon.home]
     net-net{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c59959c0_i 0cee0127_o
     net-net{1}:   172.18.22.0..172.18.22.254 === 172.20.231.0..172.20.231.254
```

strongSwan's inbound SPI c59959c0 is spi(r) and its outbound 0cee0127 is spi(i) from the VPP output (each side chooses its own inbound SPI). Its /24 subnets have been narrowed to .0-.254, because the VPP ranges stop at .254 and the responder narrows to the intersection.

- Route traffic into the tunnel

In this VPP build the negotiated child SA is attached to an `ipip0` interface rather than `ipsec0`; the routing set-up is otherwise the same as in Use case 1.

```bash
set int state ipip0 up
set interface ip address ipip0 11.11.11.11/32
ip route add 172.18.22.0/24 via 11.11.11.11 ipip0
set int unnumbered ipip0 use VirtualFunctionEthernet0/8/0
```

## Use case 3

![Use case 3 topology](https://img-blog.csdnimg.cn/20210417160720522.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0ptaWxr,size_16,color_FFFFFF,t_70)

Example: VPP1 actively initiates the IKEv2 negotiation (VPP/IPsec currently supports IKEv2 only) and sets up the IPsec tunnel; VPP2 is the passive side. PC1 can then ping PC2, and a capture on the 10.66.0.0/24 link between the two VPPs shows the packets ESP-encapsulated.

### VPP responder (passive)

#### Interface configuration

```bash
set int state GigabitEthernet2/2/0 up
set int ip address GigabitEthernet2/2/0 11.0.0.1/24
set int state GigabitEthernet2/3/0 up
set int ip address GigabitEthernet2/3/0 10.66.0.2/24
```

#### IKEv2 configuration

```bash
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp2.home
ikev2 profile set pr1 id remote fqdn vpp1.home
ikev2 profile set pr1 traffic-selector local ip-range 11.0.0.0 - 11.0.0.254 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 10.0.0.0 - 10.0.0.254 port-range 0 - 65535 protocol 0

# show the IKEv2 configuration
show ikev2 profile
# show the negotiation result (after the initiator has started it)
show ikev2 sa

# enable the IPsec interface
set int state ipsec0 up
# route the peer network into the IPsec interface
ip route add 10.0.0.0/24 via ipsec0
# bind the IPsec interface to the physical interface
set int unnumbered ipsec0 use GigabitEthernet2/3/0
```

### VPP initiator (active)

#### Interface configuration

```bash
set int state GigabitEthernet2/1/0 up
set int ip address GigabitEthernet2/1/0 10.66.0.1/24
set int state GigabitEthernet2/4/0 up
set int ip address GigabitEthernet2/4/0 10.0.0.1/24
```

#### IKEv2 configuration

```bash
ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string Vpp123
ikev2 profile set pr1 id local fqdn vpp1.home
ikev2 profile set pr1 id remote fqdn vpp2.home
ikev2 profile set pr1 traffic-selector local ip-range 10.0.0.0 - 10.0.0.254 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector remote ip-range 11.0.0.0 - 11.0.0.254 port-range 0 - 65535 protocol 0

# remote responder address and the interface the negotiation goes out of
# ikev2 profile set <id> responder <interface> <addr>
ikev2 profile set pr1 responder GigabitEthernet2/1/0 10.66.0.2

# IKE and ESP cipher suites; it is enough to set them on the side that initiates the negotiation.
# ikev2 profile set <id> ike-crypto-alg <alg> <key-size> ike-integ-alg <alg> ike-dh <group>
ikev2 profile set pr1 ike-crypto-alg aes-cbc 128 ike-integ-alg sha1-96 ike-dh modp-1024
# ikev2 profile set <id> esp-crypto-alg <alg> <key-size> esp-integ-alg <alg> esp-dh <group>
ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh modp-1024

# IKE SA lifetime
ikev2 profile set pr1 sa-lifetime 3600 10 5 0

# start the IPsec negotiation
# ikev2 initiate sa-init <profile-id>
ikev2 initiate sa-init pr1

# show the IKEv2 configuration
show ikev2 profile
# show the negotiation result
show ikev2 sa

# enable the IPsec interface
set int state ipsec0 up
# route the peer network into the IPsec interface
ip route add 11.0.0.0/24 via ipsec0
# bind the IPsec interface to the physical interface
set int unnumbered ipsec0 use GigabitEthernet2/1/0
```

`modp-1024` works between two VPPs, but it is a 1024-bit group that current strongSwan releases have dropped from their defaults (see Troubleshooting below), and Use case 2 shows that VPP negotiates `modp-2048` fine; prefer modp-2048 for both `ike-dh` and `esp-dh` unless the peer cannot do it.

## Troubleshooting (TS)

IKE SA setup fails against strongSwan newer than 5.6.1 because those releases removed weak algorithms such as MODP_1024 from the default proposals (3DES and SHA-1 are still there, as the configured list below shows), so a VPP profile that still uses `ike-dh modp-1024` offers a proposal the responder cannot accept. The strongSwan log makes this visible: it prints the received proposals next to the configured ones, and when there is no transform of every type in common there is no `selected proposal` line and the initiator receives a NO_PROPOSAL_CHOSEN notify instead.

The excerpt below is from the working configuration (`ike-dh modp-2048`): the received proposal has a member of every transform type in the first configured proposal, so it is selected. With MODP_1024 in the received proposal the DH type has no common member, and changing the DH group on the VPP side (as in Use case 2) is the fix; re-enabling MODP_1024 in strongSwan's `ike=`/`esp=` lines would also work but reintroduces the weak group.

```text
Apr 20 21:30:47 11[CFG] <1> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/MODP_2048
Apr 20 21:30:47 11[CFG] <1> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/CHACHA20_POLY1305/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Apr 20 21:30:47 11[CFG] <1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/MODP_2048
```
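To make the proposal comparison in that log mechanical, the following Python replays strongSwan's selection rule on the `received proposals` / `configured proposals` lines. It is an added example, not strongSwan or VPP code: it classifies transform names by prefix (an assumption that holds for the names in the excerpt; strongSwan itself compares numeric transform IDs) and uses a shortened, constructed copy of the configured list. It reproduces the `selected proposal` line for the modp-2048 case and returns no match for the modp-1024 case from Use case 3.

```python
"""Replay strongSwan's proposal selection from its 'received proposals' and
'configured proposals' log lines. Added example, not strongSwan or VPP code.

A proposal is one list of transforms per type (ENCR, INTEG, PRF, DH). The
responder takes the first configured proposal that covers the same transform
types as the received one and shares at least one transform of each type.
Transform names are classified by prefix here (an assumption that holds for
the names in the log excerpt above; strongSwan matches numeric transform IDs).
The configured list below is a shortened copy of the one in the log."""
import re

LOG_OK = """\
Apr 20 21:30:47 11[CFG] <1> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/MODP_2048
Apr 20 21:30:47 11[CFG] <1> configured proposals: IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/CURVE_25519/MODP_3072/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_256/CHACHA20_POLY1305/PRF_HMAC_SHA2_256/CURVE_25519/MODP_2048
"""
# Same responder, but the initiator offers VPP's modp-1024 (Use case 3): no configured proposal lists MODP_1024.
LOG_FAIL = LOG_OK.replace("PRF_HMAC_SHA2_256/MODP_2048\n", "PRF_HMAC_SHA2_256/MODP_1024\n", 1)

TYPE_ORDER = ("ENCR", "INTEG", "PRF", "DH")


def transform_type(name):
    """Map a strongSwan transform name to its IKEv2 transform type."""
    if name.startswith("PRF_"):
        return "PRF"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DH"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEG"
    return "ENCR"  # AES_CBC/CTR/GCM/CCM, CAMELLIA_*, CHACHA20_POLY1305, 3DES_CBC


def parse_proposals(field):
    """'IKE:A/B/C, IKE:D/E' -> [(proto, {type: [names in order]}), ...]."""
    out = []
    for prop in field.split(", "):
        proto, _, transforms = prop.partition(":")
        by_type = {}
        for name in transforms.split("/"):
            by_type.setdefault(transform_type(name), []).append(name)
        out.append((proto, by_type))
    return out


def select(received, configured):
    """First configured proposal sharing a transform of every type; None if no match."""
    for rproto, rcv in received:
        for cproto, cfg in configured:
            if cproto != rproto or set(cfg) != set(rcv):
                continue  # e.g. an AEAD proposal has no INTEG transform at all
            chosen = {}
            for ttype, names in cfg.items():
                common = [n for n in names if n in rcv[ttype]]
                if not common:
                    break
                chosen[ttype] = common[0]
            else:
                return rproto + ":" + "/".join(chosen[t] for t in TYPE_ORDER if t in chosen)
    return None


def select_from_log(log):
    """Run the selection on the two proposal lines of a strongSwan log excerpt."""
    rcv = re.search(r"received proposals: (.*)$", log, re.M).group(1)
    cfg = re.search(r"configured proposals: (.*)$", log, re.M).group(1)
    return select(parse_proposals(rcv), parse_proposals(cfg))


if __name__ == "__main__":
    print(select_from_log(LOG_OK))    # matches the log's 'selected proposal' line
    print(select_from_log(LOG_FAIL))  # None: the responder answers NO_PROPOSAL_CHOSEN
```

Feed it the two lines from a real failure and it tells you which transform type has no common member, which is faster than reading a 40-entry list by eye; in the modp-1024 case only the DH column is empty, which is why changing `ike-dh` alone is enough.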