Original article: http://lvsheat.blog.51cto.com/431185/135706
Goal: IPsec-protected communication between the two nodes 192.168.1.146 and 192.168.1.145.
Below is the file that has to be configured on each of the two machines. It is usually called setkey.conf and has no fixed location.
=====================================================================
Configure /etc/setkey.conf on host 192.168.1.146
=====================================================================
# cat /etc/setkey.conf
#!/usr/sbin/setkey -f
# Configuration for 192.168.1.146
# Flush the SAD and SPD
flush;
spdflush;
# Attention: Use these keys only for testing purposes!
# Generate your own keys!
# AH SAs using 128 bit long keys
add 192.168.1.146 192.168.1.145 ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.1.145 192.168.1.146 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.1.146 192.168.1.145 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.1.145 192.168.1.146 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
# Security policies
spdadd 192.168.1.146 192.168.1.145 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.1.145 192.168.1.146 any -P in ipsec
esp/transport//require
ah/transport//require;
=====================================================================
Configure /etc/setkey.conf on host 192.168.1.145
=====================================================================
# cat /etc/setkey.conf
#!/usr/sbin/setkey -f
# Configuration for 192.168.1.145
# Flush the SAD and SPD
flush;
spdflush;
# Attention: Use these keys only for testing purposes!
# Generate your own keys!
# AH SAs using 128 bit long keys
add 192.168.1.146 192.168.1.145 ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.1.145 192.168.1.146 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 192.168.1.146 192.168.1.145 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 192.168.1.145 192.168.1.146 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;
# Security policies
spdadd 192.168.1.146 192.168.1.145 any -P in ipsec
esp/transport//require
ah/transport//require;
spdadd 192.168.1.145 192.168.1.146 any -P out ipsec
esp/transport//require
ah/transport//require;
=====================================================================
Loading and verification
=====================================================================
Run the following commands on both 192.168.1.146 and 192.168.1.145:
# setkey -f /etc/setkey.conf    (use the actual path of your setkey.conf)
# setkey -D      (dump the SAD: the SAs that were just added)
# setkey -DP     (dump the SPD: the policies that were just added)
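The two files above are identical except that `-P out` and `-P in` are swapped, while every `add` line (SPI and key per direction) is the same on both hosts. The config comments also say to generate your own keys instead of the published test keys. The following shell script is an added example, not part of the original post: it generates random key material from /dev/urandom and renders the per-host setkey.conf from one shared key set, so both machines get identical SAD entries and only the policy direction differs. It assumes setkey(8) syntax as shown above and, as a swap from the post's hmac-md5/3des-cbc, a kernel that supports hmac-sha256 and aes-cbc (both are listed in setkey(8), but support is an assumption about your kernel).

```shell
#!/bin/sh
# Added example (not from the original post): generate fresh keys and render a
# per-host setkey.conf. Assumes setkey(8) syntax as above, a /dev/urandom
# device, and kernel support for hmac-sha256 / aes-cbc (an assumption; the post
# itself uses hmac-md5 and 3des-cbc).

# gen_key BYTES: print BYTES random bytes as a 0x-prefixed hex string,
# which is the form setkey expects after -A and -E.
gen_key() {
    printf '0x%s' "$(od -An -v -tx1 -N "$1" /dev/urandom | tr -d ' \n')"
}

# hex_len KEY: number of hex digits after the 0x prefix (2 per key byte).
# hmac-sha256 needs 64 hex digits (256 bits); aes-cbc accepts 32, 48 or 64.
hex_len() {
    k=${1#0x}
    printf '%s' "${#k}"
}

# render_conf A B LOCAL K_AH_AB K_AH_BA K_ESP_AB K_ESP_BA
# Prints the setkey.conf for host LOCAL (which must be A or B).
# The SAD entries are identical on both hosts: an SA is named by
# (src, dst, protocol, SPI), so A->B keeps SPI 0x200/0x201 and B->A keeps
# 0x300/0x301 regardless of which machine loads the file. Only the SPD
# direction (-P out / -P in) flips, exactly as in the two files above.
render_conf() {
    a=$1; b=$2; me=$3
    k_ah_ab=$4; k_ah_ba=$5; k_esp_ab=$6; k_esp_ba=$7
    if [ "$me" = "$a" ]; then peer=$b; else peer=$a; fi
    cat <<EOF
#!/usr/sbin/setkey -f
# Configuration for $me (generated; keys are unique to this host pair)
flush;
spdflush;
# AH SAs, 256-bit keys for hmac-sha256
add $a $b ah 0x200 -A hmac-sha256 $k_ah_ab;
add $b $a ah 0x300 -A hmac-sha256 $k_ah_ba;
# ESP SAs, 256-bit keys for aes-cbc
add $a $b esp 0x201 -E aes-cbc $k_esp_ab;
add $b $a esp 0x301 -E aes-cbc $k_esp_ba;
# Security policies: outbound from $me, inbound from $peer
spdadd $me $peer any -P out ipsec esp/transport//require ah/transport//require;
spdadd $peer $me any -P in ipsec esp/transport//require ah/transport//require;
EOF
}

# Stand-alone usage: one key set, both hosts' files. The same four keys have
# to reach both machines over a channel that is already trusted.
K1=$(gen_key 32); K2=$(gen_key 32); K3=$(gen_key 32); K4=$(gen_key 32)
for host in 192.168.1.146 192.168.1.145; do
    echo "===== setkey.conf for $host ====="
    render_conf 192.168.1.146 192.168.1.145 "$host" "$K1" "$K2" "$K3" "$K4"
done
```

Load the rendered file with `setkey -f` as in the commands above; `setkey -D` should then list four SAs with the same SPIs on both hosts, and `setkey -DP` should show the policy directions reversed between them.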
=====================================================================
Testing
=====================================================================
On host 192.168.1.146, capture the packets exchanged with 192.168.1.145:
# tcpdump host 192.168.1.145
11:37:38.428225 IP 192.168.1.146 > 192.168.1.145: AH(spi=0x00000200,seq=0x90): ESP(spi=0x00000201,seq=0x90), length 72
11:37:38.428481 IP 192.168.1.145 > 192.168.1.146: AH(spi=0x00000300,seq=0x94): ESP(spi=0x00000301,seq=0x94), length 56
11:37:38.428501 IP 192.168.1.145 > 192.168.1.146: AH(spi=0x00000300,seq=0x95): ESP(spi=0x00000301,seq=0x95), length 64
11:37:38.428529 IP 192.168.1.146 > 192.168.1.145: AH(spi=0x00000200,seq=0x91): ESP(spi=0x00000201,seq=0x91), length 56
11:37:38.428572 IP 192.168.1.146 > 192.168.1.145: AH(spi=0x00000200,seq=0x92): ESP(spi=0x00000201,seq=0x92), length 88
11:37:38.428782 IP 192.168.1.145 > 192.168.1.146: AH(spi=0x00000300,seq=0x96): ESP(spi=0x00000301,seq=0x96), length 72
Can you see the AH headers?!
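Eyeballing the capture works for six lines, but a policy mistake (a missing `require`, a typo in one address) shows up as a single cleartext packet in a long capture. The following script is an added example, not part of the original post: it reads tcpdump output like the lines above and fails if any packet between the two hosts lacks AH or ESP, or carries an SPI that does not belong to its direction (0x200/0x201 for 192.168.1.146 -> 192.168.1.145, 0x300/0x301 the other way, as configured above). The sample lines embedded in the script are constructed from the capture above plus one made-up cleartext ICMP line; the host addresses and SPIs are passed as parameters.

```shell
#!/bin/sh
# Added example (not from the original post): check a tcpdump capture of the
# 192.168.1.146 <-> 192.168.1.145 traffic against the SPIs configured above.
# Every packet between the two hosts must carry AH and ESP with the SPI that
# belongs to its direction; anything else is reported and the check fails.

# check_capture A B AH_AB ESP_AB AH_BA ESP_BA  < tcpdump-output
# Exit status 0 if all A<->B packets are protected with the expected SPIs.
check_capture() {
    awk -v a="$1" -v b="$2" -v ah_ab="$3" -v esp_ab="$4" -v ah_ba="$5" -v esp_ba="$6" '
    # spi(tag): SPI printed after "tag(spi=", with 0x and leading zeros stripped
    function spi(tag,    s) {
        if (!match($0, tag "\\(spi=0x[0-9a-fA-F]+")) return ""
        s = substr($0, RSTART + length(tag) + 5, RLENGTH - length(tag) - 5)
        sub(/^0x0*/, "", s)
        return s
    }
    BEGIN {
        sub(/^0x0*/, "", ah_ab); sub(/^0x0*/, "", esp_ab)
        sub(/^0x0*/, "", ah_ba); sub(/^0x0*/, "", esp_ba)
    }
    # tcpdump line shape: "<time> IP <src> > <dst>: ..."
    $2 == "IP" && ($3 == a || $3 == b) {
        dst = $5; sub(/:$/, "", dst)
        if ((dst != a && dst != b) || dst == $3) next   # not traffic of this pair
        total++
        ah = spi("AH"); esp = spi("ESP")
        if (ah == "" || esp == "") { bad++; print "NOT PROTECTED: " $0; next }
        want_ah  = ($3 == a) ? ah_ab  : ah_ba
        want_esp = ($3 == a) ? esp_ab : esp_ba
        if (ah != want_ah || esp != want_esp) { bad++; print "UNEXPECTED SPI: " $0 }
    }
    END { printf "%d packets checked, %d problems\n", total, bad; exit (bad > 0) }'
}

# Constructed sample: the first two lines of the capture above, plus one
# cleartext ICMP line that a correct "require" policy would never let through.
SAMPLE_OK='11:37:38.428225 IP 192.168.1.146 > 192.168.1.145: AH(spi=0x00000200,seq=0x90): ESP(spi=0x00000201,seq=0x90), length 72
11:37:38.428481 IP 192.168.1.145 > 192.168.1.146: AH(spi=0x00000300,seq=0x94): ESP(spi=0x00000301,seq=0x94), length 56'
SAMPLE_LEAK='11:40:00.000000 IP 192.168.1.146 > 192.168.1.145: ICMP echo request, id 1, seq 1, length 64'

# Stand-alone usage: feed a live capture with
#   tcpdump -l host 192.168.1.145 | check_capture 192.168.1.146 192.168.1.145 0x200 0x201 0x300 0x301
printf '%s\n' "$SAMPLE_OK" | check_capture 192.168.1.146 192.168.1.145 0x200 0x201 0x300 0x301
```

The AH-outside-ESP order in the capture is what `esp/transport//require ah/transport//require` produces: ESP is applied first, then AH covers the result, so an ESP-only or AH-only packet is as much a policy failure as a cleartext one, and the check treats it that way.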