IPsec-Tools: setkey

Posted by hqy on 2019-05-07 15:20:00 | 2174 views | 0 comments

The setkey command is provided by the ipsec-tools package, so install that first:

# yum install ipsec-tools

Host A (172.16.113.173) and host B (172.16.113.163) will talk to each other over IPsec (ESP in transport mode, with manually keyed SAs installed by setkey).
I. Host A configuration

1. Create the setkey.conf configuration file

# vim /etc/setkey.conf


==============================setkey.conf================================
#flush SAD entries
flush;

#flush SPD entries
spdflush;

#add SA entries
add 172.16.113.173 172.16.113.163 esp 0x1234 -m transport -E 3des-cbc
    0x84cc855d6892207565811df4edd6bff5cf53af9106b72461 -A hmac-sha1
    0xb48408f4655000f588a1a22cc14697d1a4d259cd;

add 172.16.113.163 172.16.113.173 esp 0x5678 -m transport -E 3des-cbc
    0x6df8e9fc37255c9ba467be460187abc29e20e808f17591aa -A hmac-sha1
    0x760c7721c03cf906c7fd70d0c9b9afd5785a1548;

#add SP entries
spdadd 172.16.113.163 172.16.113.173 any -P in  ipsec esp/transport//require;

spdadd 172.16.113.173 172.16.113.163 any -P out ipsec esp/transport//require;
==============================setkey.conf================================


Notes:

SA
  A->B: encrypt and authenticate with ESP, SPI=0x1234, transport mode, encryption algorithm (3des-cbc) + key, authentication algorithm (hmac-sha1) + key
  B->A: encrypt and authenticate with ESP, SPI=0x5678, transport mode, encryption algorithm (3des-cbc) + key, authentication algorithm (hmac-sha1) + key

Key lengths are fixed by the algorithm: the 3des-cbc key is 24 bytes (48 hex digits) and the hmac-sha1 key is 20 bytes (40 hex digits); setkey rejects other lengths. The keys shown here are example values from a public post, so each deployment needs its own freshly generated ones, installed identically on both peers.

SP
  Each spdadd statement names its policy once. Listing esp/transport//require twice in the same statement (a slip in the original post's file) makes the kernel apply ESP twice to every packet; this is why the capture in section III shows the ESP sequence numbers advancing by 2 per packet and an ESP payload of 132 bytes, rather than the 100 bytes that a single 3des-cbc/hmac-sha1 encapsulation of a 64-byte ICMP echo produces.
2. Activate the setkey.conf configuration

# setkey -f /etc/setkey.conf
II. Host B configuration

1. Create the setkey.conf configuration file

# vim /etc/setkey.conf


==============================setkey.conf================================
#flush SAD entries
flush;

#flush SPD entries
spdflush;

#add SA entries
add 172.16.113.173 172.16.113.163 esp 0x1234 -m transport -E 3des-cbc
    0x84cc855d6892207565811df4edd6bff5cf53af9106b72461 -A hmac-sha1
    0xb48408f4655000f588a1a22cc14697d1a4d259cd;

add 172.16.113.163 172.16.113.173 esp 0x5678 -m transport -E 3des-cbc
    0x6df8e9fc37255c9ba467be460187abc29e20e808f17591aa -A hmac-sha1
    0x760c7721c03cf906c7fd70d0c9b9afd5785a1548;

#add SP entries
spdadd 172.16.113.173 172.16.113.163 any -P in  ipsec esp/transport//require;

spdadd 172.16.113.163 172.16.113.173 any -P out ipsec esp/transport//require;
==============================setkey.conf================================


 


2. Activate the setkey.conf configuration

# setkey -f /etc/setkey.conf
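Added example, not code from the original post: a POSIX shell script that generates keys of the exact length 3des-cbc and hmac-sha1 require, writes the setkey.conf for either host from the addresses and SPIs used above (the SA entries are identical on both peers, only the SPD directions differ), and lints the SPD section for the duplicated-policy mistake discussed in section I. The function names gen_key, key_ok, esp_conf and spd_lint are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: generate keys of the exact
# length each algorithm needs, emit the matching setkey.conf for either host
# (post's addresses and SPIs), and lint the SPD section. Function names
# gen_key, key_ok, esp_conf and spd_lint are this example's own.
set -eu

# N random bytes from /dev/urandom as a lowercase hex string (no 0x prefix).
gen_key() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Succeed only if $1 is a hex key of the byte length algorithm $2 expects:
# 3des-cbc takes 24 bytes (192 bits), hmac-sha1 takes 20 bytes (160 bits).
key_ok() {
    case $2 in
        3des-cbc)  want=48 ;;
        hmac-sha1) want=40 ;;
        *)         return 1 ;;
    esac
    [ "${#1}" -eq "$want" ] || return 1
    printf '%s' "$1" | grep -Eq '^[0-9a-f]+$'
}

# Print setkey.conf for host "A" or "B" ($1). Both peers install the same two
# SAs (A->B SPI 0x1234, B->A SPI 0x5678); only the SPD directions differ.
# EK_AB/AK_AB/EK_BA/AK_BA (ESP and auth key per direction) must be set.
esp_conf() {
    A=172.16.113.173; B=172.16.113.163
    if [ "$1" = A ]; then me=$A; peer=$B; else me=$B; peer=$A; fi
    printf 'flush;\nspdflush;\n'
    printf 'add %s %s esp 0x1234 -m transport -E 3des-cbc 0x%s -A hmac-sha1 0x%s;\n' \
        "$A" "$B" "$EK_AB" "$AK_AB"
    printf 'add %s %s esp 0x5678 -m transport -E 3des-cbc 0x%s -A hmac-sha1 0x%s;\n' \
        "$B" "$A" "$EK_BA" "$AK_BA"
    printf 'spdadd %s %s any -P in  ipsec esp/transport//require;\n' "$peer" "$me"
    printf 'spdadd %s %s any -P out ipsec esp/transport//require;\n' "$me" "$peer"
}

# Lint a setkey.conf on stdin: fail if any spdadd statement carries more than
# one policy. Two esp/transport//require on one statement (the slip in the
# post's original file) make the kernel apply ESP twice to every packet.
spd_lint() {
    sed 's/#.*//' | tr '\n' ' ' | tr ';' '\n' | grep spdadd |
    awk '{ n = 0; for (i = 1; i <= NF; i++) if ($i ~ /\/require$/) n++
           if (n > 1) { print "more than one policy: " $0; bad = 1 } }
         END { exit bad + 0 }'
}
```

Generate the four keys once, export them, then run esp_conf A and esp_conf B to produce the two files, and pipe each through spd_lint before loading it with setkey -f.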


 


III. Testing

1. Ping host A from host B

# ping 172.16.113.173 -c 4
2. The capture on host A looks like this:

# tcpdump -i eth0 host 172.16.113.163 and esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:36:11.163281 IP 172.16.113.163 > 172.16.113.173: ESP(spi=0x00005678,seq=0x16), length 132
09:36:11.524023 IP 172.16.113.173 > 172.16.113.163: ESP(spi=0x00001234,seq=0xa), length 132
09:36:12.972743 IP 172.16.113.163 > 172.16.113.173: ESP(spi=0x00005678,seq=0x18), length 132
09:36:12.972921 IP 172.16.113.173 > 172.16.113.163: ESP(spi=0x00001234,seq=0xc), length 132
09:36:14.784168 IP 172.16.113.163 > 172.16.113.173: ESP(spi=0x00005678,seq=0x1a), length 132
09:36:14.784313 IP 172.16.113.173 > 172.16.113.163: ESP(spi=0x00001234,seq=0xe), length 132
09:36:16.624019 IP 172.16.113.163 > 172.16.113.173: ESP(spi=0x00005678,seq=0x1c), length 132
09:36:16.624154 IP 172.16.113.173 > 172.16.113.163: ESP(spi=0x00001234,seq=0x10), length 132

8 packets captured
8 packets received by filter
0 packets dropped by kernel
IV. Disable SA and SP

1. Disable the SAs (flush the SAD)

# setkey -F

2. Disable the SPs (flush the SPD)

# setkey -FP
---------------------
Author: zhangyang0402
Source: CSDN
Original article: https://blog.csdn.net/zhangyang0402/article/details/5700525
Copyright notice: this is the author's original work; please include a link to the post when reproducing it.


Link to this page: https://www.kinber.cn/post/644.html (reproduction requires permission)
