The setkey command is provided by the ipsec-tools package, which must be installed first:
yum install ipsec-tools
Host A (172.16.113.173) and host B (172.16.113.163) will communicate over IPsec (ESP in transport mode, manually keyed).
I. Host A configuration
1. Create the setkey.conf configuration file
# vim /etc/setkey.conf
==============================setkey.conf================================
#flush SAD entries
flush;
#flush SPD entries
spdflush;
#add SA entries
add 172.16.113.173 172.16.113.163 esp 0x1234 -m transport -E 3des-cbc 0x84cc855d6892207565811df4edd6bff5cf53af9106b72461 -A hmac-sha1 0xb48408f4655000f588a1a22cc14697d1a4d259cd;
add 172.16.113.163 172.16.113.173 esp 0x5678 -m transport -E 3des-cbc 0x6df8e9fc37255c9ba467be460187abc29e20e808f17591aa -A hmac-sha1 0x760c7721c03cf906c7fd70d0c9b9afd5785a1548;
#add SP entries
spdadd 172.16.113.163 172.16.113.173 any -P in ipsec esp/transport//require esp/transport//require;
spdadd 172.16.113.173 172.16.113.163 any -P out ipsec esp/transport//require esp/transport//require;
==============================setkey.conf================================
Notes:
SA
A->B
ESP provides both encryption and authentication; SPI=0x1234; transport mode; encryption algorithm 3des-cbc plus its key (24 bytes, i.e. 48 hex digits); authentication algorithm hmac-sha1 plus its key (20 bytes, i.e. 40 hex digits).
B->A
ESP provides both encryption and authentication; SPI=0x5678; transport mode; encryption algorithm 3des-cbc plus its key; authentication algorithm hmac-sha1 plus its key.
SP
The first spdadd line requires traffic arriving from B to be protected by ESP (-P in ... require); the second requires traffic sent to B to be protected by ESP (-P out ... require). Host B loads the same two SAs and simply swaps the in/out directions. Note that each spdadd above lists esp/transport//require twice, which makes the kernel apply ESP twice to every packet; a single esp/transport//require is sufficient. The capture in section III reflects the doubled entry: the packets are 132 bytes long instead of the 100 bytes a single 3des-cbc/hmac-sha1 ESP layer produces for a 64-byte ping, and the ESP sequence number advances by 2 per ping.
Because the SAs are keyed by hand, they are never rekeyed and, without the -r option, have no anti-replay window; setkey also accepts stronger algorithms than the legacy 3des-cbc/hmac-sha1 pair, such as aes-cbc (16, 24 or 32-byte key) and hmac-sha256 (32-byte key).
2. Load the setkey.conf configuration (afterwards, setkey -D shows the SAD and setkey -DP the SPD that were installed)
# setkey -f /etc/setkey.conf
II. Host B configuration
1. Create the setkey.conf configuration file
# vim /etc/setkey.conf
==============================setkey.conf================================
#flush SAD entries
flush;
#flush SPD entries
spdflush;
#add SA entries
add 172.16.113.173 172.16.113.163 esp 0x1234 -m transport -E 3des-cbc 0x84cc855d6892207565811df4edd6bff5cf53af9106b72461 -A hmac-sha1 0xb48408f4655000f588a1a22cc14697d1a4d259cd;
add 172.16.113.163 172.16.113.173 esp 0x5678 -m transport -E 3des-cbc 0x6df8e9fc37255c9ba467be460187abc29e20e808f17591aa -A hmac-sha1 0x760c7721c03cf906c7fd70d0c9b9afd5785a1548;
#add SP entries
spdadd 172.16.113.173 172.16.113.163 any -P in ipsec esp/transport//require esp/transport//require;
spdadd 172.16.113.163 172.16.113.173 any -P out ipsec esp/transport//require esp/transport//require;
==============================setkey.conf================================
2. Load the setkey.conf configuration
# setkey -f /etc/setkey.conf
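The two files above differ only in the direction of the SP entries, and the keys must be exactly 24 bytes (3des-cbc) and 20 bytes (hmac-sha1). The following script is an added example, not part of the original post: it generates both files with fresh random keys and checks key lengths before anything is loaded. The key sizes are those documented in setkey(8); the function names (rand_hex, gen_setkey_conf, check_setkey_conf) and the output file names are chosen here, and the addresses and SPIs are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: generate the two mirrored
# setkey.conf files with freshly generated random keys instead of
# hand-typed ones. Assumed (not on the page): key sizes from setkey(8);
# the function and output file names are chosen here.
set -eu

HOST_A=172.16.113.173   # addresses and SPIs as on the page
HOST_B=172.16.113.163
SPI_AB=0x1234           # SA for A -> B
SPI_BA=0x5678           # SA for B -> A

# Key sizes in bytes required by setkey(8):
#   3des-cbc 24 (192 bits), hmac-sha1 20 (160 bits)
ENC_ALG=3des-cbc;   ENC_KEY_BYTES=24
AUTH_ALG=hmac-sha1; AUTH_KEY_BYTES=20

# Print N random bytes as the 0x-prefixed hex string setkey expects.
rand_hex() {
    printf '0x'
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write one setkey.conf. The SA lines are identical on both hosts; only
# the SP direction flips. $1=this host $2=peer $3/$4=A->B enc/auth keys
# $5/$6=B->A enc/auth keys $7=output path
gen_setkey_conf() {
    me=$1; peer=$2; k_e_ab=$3; k_a_ab=$4; k_e_ba=$5; k_a_ba=$6; out=$7
    {
        echo '#flush SAD entries'
        echo 'flush;'
        echo '#flush SPD entries'
        echo 'spdflush;'
        echo '#add SA entries (the same on both hosts)'
        echo "add $HOST_A $HOST_B esp $SPI_AB -m transport -E $ENC_ALG $k_e_ab -A $AUTH_ALG $k_a_ab;"
        echo "add $HOST_B $HOST_A esp $SPI_BA -m transport -E $ENC_ALG $k_e_ba -A $AUTH_ALG $k_a_ba;"
        echo '#add SP entries: require ESP inbound from the peer and outbound to it'
        echo "spdadd $peer $me any -P in ipsec esp/transport//require;"
        echo "spdadd $me $peer any -P out ipsec esp/transport//require;"
    } > "$out"
}

# Sanity-check a file before loading it: exactly two SAs and two SPs, and
# every key is a 0x hex string of the length its algorithm requires.
check_setkey_conf() {
    awk -v ek=$((ENC_KEY_BYTES * 2)) -v ak=$((AUTH_KEY_BYTES * 2)) '
        # add src dst esp spi -m transport -E enc KEY -A auth KEY;
        /^add / {
            sa++; sub(/;$/, "", $13)
            if (substr($10, 1, 2) != "0x" || length($10) != ek + 2) bad++
            if (substr($13, 1, 2) != "0x" || length($13) != ak + 2) bad++
        }
        /^spdadd / { sp++ }
        END { exit !(sa == 2 && sp == 2 && bad == 0) }
    ' "$1"
}

main() {
    dir=${1:-.}
    e_ab=$(rand_hex "$ENC_KEY_BYTES"); a_ab=$(rand_hex "$AUTH_KEY_BYTES")
    e_ba=$(rand_hex "$ENC_KEY_BYTES"); a_ba=$(rand_hex "$AUTH_KEY_BYTES")
    gen_setkey_conf "$HOST_A" "$HOST_B" "$e_ab" "$a_ab" "$e_ba" "$a_ba" "$dir/setkey-hostA.conf"
    gen_setkey_conf "$HOST_B" "$HOST_A" "$e_ab" "$a_ab" "$e_ba" "$a_ba" "$dir/setkey-hostB.conf"
    check_setkey_conf "$dir/setkey-hostA.conf"
    check_setkey_conf "$dir/setkey-hostB.conf"
    echo "wrote $dir/setkey-hostA.conf and $dir/setkey-hostB.conf"
}
main "$@"
```

Copy setkey-hostA.conf to /etc/setkey.conf on host A and setkey-hostB.conf to host B, then run setkey -f /etc/setkey.conf on each; the files must be transferred over a channel that already protects them, since they contain the raw keys.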
III. Test
1. Ping host A from host B
# ping 172.16.113.173 -c 4
2. Packet capture on host A:
# tcpdump -i eth0 host 172.16.113.163 and esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:36:11.163281 IP 172.16.113.163 > 172.16.113.173: ESP(spi=0x00005678,seq=0x16), length 132
09:36:11.524023 IP 172.16.113.173 > 172.16.113.163: ESP(spi=0x00001234,seq=0xa), length 132
09:36:12.972743 IP 172.16.113.163 > 172.16.113.173: ESP(spi=0x00005678,seq=0x18), length 132
09:36:12.972921 IP 172.16.113.173 > 172.16.113.163: ESP(spi=0x00001234,seq=0xc), length 132
09:36:14.784168 IP 172.16.113.163 > 172.16.113.173: ESP(spi=0x00005678,seq=0x1a), length 132
09:36:14.784313 IP 172.16.113.173 > 172.16.113.163: ESP(spi=0x00001234,seq=0xe), length 132
09:36:16.624019 IP 172.16.113.163 > 172.16.113.173: ESP(spi=0x00005678,seq=0x1c), length 132
09:36:16.624154 IP 172.16.113.173 > 172.16.113.163: ESP(spi=0x00001234,seq=0x10), length 132
8 packets captured
8 packets received by filter
0 packets dropped by kernel
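Seeing ESP instead of plaintext ICMP is only half of the check: each direction should carry the SPI of its own SA, and sequence numbers should strictly increase. The script below is an added example, not part of the original post; it reads tcpdump output such as the capture above and reports per-direction SPI mismatches, repeated or decreasing sequence numbers, and the seq-advances-by-2 pattern that the duplicated esp/transport//require entry produces. The function names (check_esp_capture, sample_capture) are chosen here; the addresses, SPIs and sample lines come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: check an ESP capture against
# the SAD that was loaded. Each direction must use its own SPI and the
# sequence number must only go up; a fixed step of 2 with one SA per
# direction is the symptom of ESP being applied twice. Function names are
# chosen here; addresses and SPIs are the ones from the post.
set -eu

HOST_A=172.16.113.173; SPI_A_TO_B=0x1234   # from the setkey.conf above
HOST_B=172.16.113.163; SPI_B_TO_A=0x5678

# Reads tcpdump output on stdin, prints one summary line per direction and
# returns 0 only if every ESP packet carried the expected SPI and no
# sequence number repeated or went backwards.
check_esp_capture() {
    awk -v a="$HOST_A" -v b="$HOST_B" -v spi_ab="$SPI_A_TO_B" -v spi_ba="$SPI_B_TO_A" '
    function hex(s,   i, v) {            # parse lowercase hex digits
        v = 0
        for (i = 1; i <= length(s); i++)
            v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return v
    }
    # <time> IP <src> > <dst>: ESP(spi=0x...,seq=0x...), length N
    /ESP[(]spi=/ {
        src = $3; dst = $5; sub(/:$/, "", dst); dir = src "->" dst
        match($0, /spi=0x[0-9a-f]+/); spi = hex(substr($0, RSTART + 6, RLENGTH - 6))
        match($0, /seq=0x[0-9a-f]+/); seq = hex(substr($0, RSTART + 6, RLENGTH - 6))
        want = (src == a && dst == b) ? spi_ab : ((src == b && dst == a) ? spi_ba : "")
        if (want == "" || spi != hex(substr(want, 3))) bad[dir]++
        if (dir in last) { if (seq <= last[dir]) replay[dir]++; step[dir] = seq - last[dir] }
        last[dir] = seq; n[dir]++
    }
    END {
        rc = 0
        for (d in n) {
            printf "%s: %d ESP packets, spi mismatches %d, non-increasing seq %d, last step %d\n", d, n[d], bad[d] + 0, replay[d] + 0, step[d] + 0
            if (bad[d] + 0 > 0 || replay[d] + 0 > 0) rc = 1
            if (step[d] + 0 == 2)
                printf "%s: seq advances by 2 per packet: consistent with ESP applied twice (duplicated esp/transport//require in spdadd)\n", d
        }
        exit rc
    }'
}

# The eight ESP lines captured on host A in the post (pasted from the page).
sample_capture() {
    cat <<'EOF'
09:36:11.163281 IP 172.16.113.163 > 172.16.113.173: ESP(spi=0x00005678,seq=0x16), length 132
09:36:11.524023 IP 172.16.113.173 > 172.16.113.163: ESP(spi=0x00001234,seq=0xa), length 132
09:36:12.972743 IP 172.16.113.163 > 172.16.113.173: ESP(spi=0x00005678,seq=0x18), length 132
09:36:12.972921 IP 172.16.113.173 > 172.16.113.163: ESP(spi=0x00001234,seq=0xc), length 132
09:36:14.784168 IP 172.16.113.163 > 172.16.113.173: ESP(spi=0x00005678,seq=0x1a), length 132
09:36:14.784313 IP 172.16.113.173 > 172.16.113.163: ESP(spi=0x00001234,seq=0xe), length 132
09:36:16.624019 IP 172.16.113.163 > 172.16.113.173: ESP(spi=0x00005678,seq=0x1c), length 132
09:36:16.624154 IP 172.16.113.173 > 172.16.113.163: ESP(spi=0x00001234,seq=0x10), length 132
EOF
}

# Run against the sample; on a live host use: tcpdump -l -i eth0 esp | check_esp_capture
sample_capture | check_esp_capture
```

On the sample both directions pass the SPI and sequence checks and both report the step of 2, which matches the doubled policy entry in the setkey.conf files above.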
IV. Disable SA and SP
1. Disable SA (flush the SAD)
# setkey -F
2. Disable SP (flush the SPD)
# setkey -FP
---------------------
Author: zhangyang0402
Source: CSDN
Original: https://blog.csdn.net/zhangyang0402/article/details/5700525
Copyright notice: this is the blogger's original article; when reposting, include a link to the original post.
This post: https://www.kinber.cn/post/644.html (authorization required to repost)