Ubuntu StrongSwan IPSEC

Часто возникает необходимость шифровать трафик между точкой А и точкой Б — в данной статье рассмотрим настройку IPsec-туннеля между StrongSwan (Ubuntu) и Cisco ASA.

Есть ряд моментов, которые я бы хотел отметить и с которыми в той или иной мере придётся столкнуться. Обратите внимание: в примере используется Ubuntu 14.04 (trusty), срок стандартной поддержки которой давно истёк, и настройка через ipsec.conf; на актуальных релизах StrongSwan новее, а рекомендуемым способом конфигурации стал swanctl.conf, хотя описанные здесь параметры переносятся практически один в один.

 

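# Write the apt sources list (this is the content the Ansible template
# sources.list.j2 renders). The original listing had no heredoc delimiter, so
# it could not be pasted as-is; the delimiter is quoted so nothing inside is
# expanded by the shell.
# NOTE: trusty (14.04) standard support ended in 2019; on a current release keep
# the distribution's own sources and skip this step.
# apt verifies package signatures, so plain-http mirrors are acceptable, but an
# https mirror (where available) also hides what you install from the path.
cat > /etc/apt/sources.list <<'EOF'
# Ansible managed: /data/jenkins/workspace/STEP_N2_main_role/ansible_main/roles/Default/REPO/apt/templates/sources.list.j2 on ansible
#



deb http://ru.archive.ubuntu.com/ubuntu/ trusty main restricted
deb-src http://ru.archive.ubuntu.com/ubuntu/ trusty main restricted
deb http://ru.archive.ubuntu.com/ubuntu/ trusty-updates main restricted
deb-src http://ru.archive.ubuntu.com/ubuntu/ trusty-updates main restricted
deb http://ru.archive.ubuntu.com/ubuntu/ trusty universe
deb-src http://ru.archive.ubuntu.com/ubuntu/ trusty universe
deb http://ru.archive.ubuntu.com/ubuntu/ trusty-updates universe
deb-src http://ru.archive.ubuntu.com/ubuntu/ trusty-updates universe
deb http://ru.archive.ubuntu.com/ubuntu/ trusty multiverse
deb-src http://ru.archive.ubuntu.com/ubuntu/ trusty multiverse
deb http://ru.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
deb-src http://ru.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
deb http://ru.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
deb-src http://ru.archive.ubuntu.com/ubuntu/ trusty-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu trusty-security main restricted
deb-src http://security.ubuntu.com/ubuntu trusty-security main restricted
deb http://security.ubuntu.com/ubuntu trusty-security universe
deb-src http://security.ubuntu.com/ubuntu trusty-security universe
deb http://security.ubuntu.com/ubuntu trusty-security multiverse
deb-src http://security.ubuntu.com/ubuntu trusty-security multiverse
EOF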

 

# The commands below are run as root (the leading "#" is the root prompt).
# Refresh the package index from the sources written above.
# apt-get update

# Install strongSwan from the distribution repository. Check the version you
# actually get with `apt-cache policy strongswan`: an old release's package
# lags upstream fixes, so keep the host patched via trusty-security.
# apt-get install strongswan

 

Конфигурация IPsec на Cisco ASA (сначала глобальные параметры IKEv2, затем объекты/NAT/ACL и варианты crypto map для IKEv1 и IKEv2):

 

 

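! Enable IKEv2 on the outside interface. In this setup strongSwan initiates
! and the ASA responds (see "READY RESPONDER" in the session output below).
crypto ikev2 enable outside

! Child (ESP) SA proposal: AES-256 with HMAC-SHA1-96, which is what the
! strongSwan side proposes (esp = aes256-sha1-modp2048).
! "md5" has been dropped from the integrity list: HMAC-MD5 is deprecated for
! IPsec (RFC 8221) and there is no reason to offer it when the peer does SHA-1.
! Prefer sha-256 once both sides are changed together.
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1

! IKE SA policy. Only DH group 14 (2048-bit MODP) is offered: groups 2 and 5
! (1024/1536-bit MODP) are too small by current guidance (RFC 8247) and the
! strongSwan side uses modp2048 anyway (the session output shows "DH Grp:14").
! Lifetime 86400s matches ikelifetime = 1440m in ipsec.conf.
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400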

 

! Remote end of the tunnel: the single strongSwan host (matches
! leftsubnet = 172.16.254.254/32 in ipsec.conf).
object-group network OG_OPENSTACK_TEST
 network-object 172.16.254.254 255.255.255.255

 
! OG_4LES-BRANCH (presumably the 192.168.80.0/21 side, i.e. rightsubnet) is
! not defined in this listing - it must exist elsewhere in the running config.
! Identity NAT (source and destination map to themselves) so tunnel traffic is
! not translated before it is matched by the crypto ACL.
nat (inside,outside) source static OG_4LES-BRANCH OG_4LES-BRANCH destination static OG_OPENSTACK_TEST OG_OPENSTACK_TEST no-proxy-arp route-lookup
! Crypto ACL ("interesting traffic"). It only takes effect once it is bound to
! the crypto map entry with "crypto map CMAP 130 match address <this ACL>";
! make sure the crypto map entry has that line.
access-list ACL_4LES-BRANCH<>OPENSTACK_TEST extended permit ip object-group OG_4LES-BRANCH object-group OG_OPENSTACK_TEST


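! IKEv1 variant of the crypto map entry.
! The original referenced a transform set ESP-3DES-MD5 that is not defined in
! this listing; 3DES (64-bit block, SWEET32) and HMAC-MD5 are both deprecated
! for IPsec (RFC 8221). Define and use AES-256/SHA-1 instead, which also
! matches the strongSwan "esp = aes256-sha1-modp2048" line.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Bind the crypto ACL; without "match address" the entry is incomplete.
crypto map CMAP 130 match address ACL_4LES-BRANCH<>OPENSTACK_TEST
! PFS group stated explicitly: a bare "set pfs" uses a version-dependent
! default, while the strongSwan esp= line asks for modp2048 (group 14).
crypto map CMAP 130 set pfs group14
crypto map CMAP 130 set peer 23.111.X.X
crypto map CMAP 130 set ikev1 transform-set ESP-AES256-SHA
crypto map CMAP 130 set security-association lifetime seconds 86400
! The crypto map must also be applied to the interface
! ("crypto map CMAP interface outside"), which this listing does not show.

tunnel-group 23.111.X.X type ipsec-l2l
tunnel-group 23.111.X.X ipsec-attributes
 ! "1234567890X" is a placeholder: use one long random secret (e.g. the output
 ! of `openssl rand -base64 32`) and the very same string in ipsec.secrets.
 ikev1 pre-shared-key 1234567890X
 ! DPD: pairs with dpddelay = 10s on the strongSwan side.
 isakmp keepalive threshold 10 retry 2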


Или вариант для IKEv2 (предпочтительный):

 

 

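! IKEv2 variant of the same crypto map entry (uses ipsec-proposal AES256 and
! ikev2 policy 1 defined above).
! Bind the crypto ACL; without "match address" the entry is incomplete.
crypto map CMAP 130 match address ACL_4LES-BRANCH<>OPENSTACK_TEST
! PFS group stated explicitly: a bare "set pfs" uses a version-dependent
! default, while the strongSwan esp= line asks for modp2048 (group 14).
crypto map CMAP 130 set pfs group14
crypto map CMAP 130 set peer 23.111.X.X
crypto map CMAP 130 set ikev2 ipsec-proposal AES256
crypto map CMAP 130 set security-association lifetime seconds 86400
! The crypto map must also be applied to the interface
! ("crypto map CMAP interface outside"), which this listing does not show.

! Peer address written consistently (the original mixed "x.X"/"x.x" in the
! anonymised placeholder).
tunnel-group 23.111.X.X type ipsec-l2l
tunnel-group 23.111.X.X ipsec-attributes
 ! DPD: pairs with dpddelay = 10s on the strongSwan side.
 isakmp keepalive threshold 10 retry 2
 ! "1234567890X" is a placeholder: use one long random secret (e.g. the output
 ! of `openssl rand -base64 32`) and the very same string in ipsec.secrets.
 ! Both directions are usually the same PSK, but IKEv2 lets them differ.
 ikev2 remote-authentication pre-shared-key 1234567890X
 ikev2 local-authentication pre-shared-key 1234567890X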
Конфигурация StrongSwan. Важно: PSK в ipsec.secrets должен побайтно совпадать с pre-shared-key в tunnel-group на ASA (в листингах выше и ниже стоят разные плейсхолдеры — подставьте одно и то же длинное случайное значение), а сам файл ipsec.secrets должен быть доступен только root (права 0600).


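# cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
#
# It must be readable by root only (the strongSwan package installs it with
# mode 0600); verify with `ls -l /etc/ipsec.secrets`.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# <local-id> <remote-id> : PSK "<secret>"
# The IDs are the IKE identities, which default to the left/right addresses
# of the conn in ipsec.conf; this entry is the one selected for conn asa5515,
# so the remote address here must be the same as right= there (the listing
# below anonymises it as 77.238.X.X).
# The secret must be the very same string as the ASA's
# "ikev2 remote-/local-authentication pre-shared-key" (the ASA listing above
# uses a different placeholder). A PSK is only as strong as its entropy:
# generate one with `openssl rand -base64 32` and use it on both sides.
23.111.X.X 77.238.102.X : PSK "8564ed8cc86cc79025209d254f201g30l"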

 

 

# cat /etc/ipsec.conf

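# Defaults inherited by every conn below.
conn %default
 # Dead Peer Detection: probe every 10s, declare the peer dead after 20s
 # without an answer, then re-initiate. Pairs with the ASA's
 # "isakmp keepalive threshold 10 retry 2".
 dpdaction = restart
 dpddelay = 10s
 dpdtimeout = 20s
 # Re-establish the tunnel if the peer deletes it.
 closeaction = restart
 # IKE SA lifetime 1440m = 86400s, the same as the ASA ikev2 policy. Child
 # SAs are rekeyed every 60m (3m before expiry), well inside the ASA's
 # 86400s security-association lifetime, so strongSwan always rekeys first.
 ikelifetime = 1440m
 keylife = 60m
 rekeymargin = 3m
 # Keep retrying forever; inherited by asa5515 (it was repeated there).
 keyingtries = %forever



# Site-to-site tunnel to the ASA: this single host (172.16.254.254) to the
# 192.168.80.0/21 network behind the ASA.
conn asa5515
 # Bring the tunnel up at startup; we are the initiator, the ASA responds.
 auto = start
 # PSK authentication; with no leftid/rightid the IKE identities are the
 # left/right addresses, which is how the ipsec.secrets entry is looked up.
 authby = secret
 type = tunnel
 # ike= / esp= are given per peer below. Without them strongSwan offers its
 # default proposal list; a trailing "!" restricts the offer to the listed
 # proposals only.
 #esp = aes256-sha-modp2048!
 left = 23.111.X.X
 leftsubnet = 172.16.254.254/32
 right = 77.238.X.X
 rightsubnet = 192.168.80.0/21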

 

 

По умолчанию, если в конфиге не указать параметры ike и esp, strongSwan предложит свой список proposals по умолчанию (в старых версиях он включает и устаревшие алгоритмы), а выбор останется за ответчиком. Поэтому лучше указать их явно для пира (знак «!» в конце строки ограничивает предложение только перечисленными proposals):

 

# IKE SA: AES-256-CBC, HMAC-SHA1-96 integrity (PRF follows the integrity hash
# unless given explicitly), DH group 14 (2048-bit MODP). Matches the ASA
# "crypto ikev2 policy 1" (encryption aes-256 / integrity sha / group 14 /
# prf sha) and the "Encr: AES-CBC ... Hash: SHA96, DH Grp:14" in the output.
ike = aes256-sha1-modp2048
# Child (ESP) SA: AES-256-CBC, HMAC-SHA1-96, PFS with group 14. Matches the
# ASA ipsec-proposal AES256 plus "set pfs". Without a trailing "!" strongSwan
# also appends its default proposals after this one; add "!" to offer only
# this suite. Move both sides to sha256 together when the ASA policy and
# proposal are changed accordingly.
esp = aes256-sha1-modp2048

 

После этого туннель должен подняться. Проверка на стороне ASA:

# sh isakmp sa

Session-id:12, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
212057783 77.238.X.X/4500 23.111.X.X/4500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/755 sec
Child sa: local selector 192.168.80.0/0 — 192.168.87.255/65535
remote selector 172.16.254.254/0 — 172.16.254.254/65535
ESP spi in/out: 0x5e674691/0xcecce627

 

 

Полезные команды на стороне StrongSwan:

#service ipsec restart
#ipsec status

Security Associations (1 up, 0 connecting):
asa5515[1]: ESTABLISHED 15 minutes ago, 23.111.X.X[23.111.X.X]…77.238.X.X[77.238.X.X]
asa5515{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cecce627_i 5e674691_o
asa5515{1}: 172.16.254.254/32 === 192.168.80.0/21

 

#ip xfrm monitor # так можно в реальном времени смотреть события IPsec (XFRM) в ядре: создание/удаление SA и политик, обновления replay-окна — но не сам трафик:
Async event (0x10) replay update
src 77.238.X.X dst 23.111.X.X reqid 0x1 protocol esp SPI 0xcecce627
Async event (0x10) replay update

 

#ip xfrm policy

src 192.168.80.0/21 dst 172.16.254.254/32
dir fwd priority 2863
tmpl src 77.238.X.X dst 23.111.X.X
proto esp reqid 1 mode tunnel
src 192.168.80.0/21 dst 172.16.254.254/32
dir in priority 2863
tmpl src 77.238.X.X dst 23.111.X.X
proto esp reqid 1 mode tunnel
src 172.16.254.254/32 dst 192.168.80.0/21
dir out priority 2863
tmpl src 23.111.X.X dst 77.238.X.X
proto esp reqid 1 mode tunnel

 

 

# ip route list table 220
192.168.80.0/21 via 23.111.X.X dev ens7 proto static src 172.16.254.254