{"id":48,"date":"2014-05-22T09:00:37","date_gmt":"2014-05-22T00:00:37","guid":{"rendered":"https:\/\/fsck.jp\/?p=48"},"modified":"2018-06-22T15:26:09","modified_gmt":"2018-06-22T06:26:09","slug":"linux-%e3%82%b5%e3%83%bc%e3%83%90%e9%96%93-ipsec-%e6%8e%a5%e7%b6%9a-openswan","status":"publish","type":"post","link":"https:\/\/fsck.jp\/?p=48","title":{"rendered":"Linux \u30b5\u30fc\u30d0\u9593 IPsec \u63a5\u7d9a (openswan)"},"content":{"rendered":"

\u203b\u672c\u8a18\u4e8b\u306f\u5185\u5bb9\u304c\u53e4\u304f\u306a\u3063\u3066\u3044\u307e\u3059\u3002Ubuntu 14.04 \u3068 openswan \u3092\u4f7f\u3063\u305f\u8a18\u4e8b\u306b\u306a\u308a\u307e\u3059\u3002\u53ef\u80fd\u306a\u3089\u3070\u6700\u65b0\u306e OS \u3068 strongswan \u307e\u305f\u306f libreswan \u3092\u5229\u7528\u3057\u3066\u304f\u3060\u3055\u3044\u3002\u65b0\u3057\u3044\u8a18\u4e8b\u306f\u3053\u3061\u3089<\/a>\u3002<\/p>\n

Linux\u30b5\u30fc\u30d0\u540c\u58eb\u306e\u9593\u3067\u901a\u5e38\u306eIPsec\u3092\u63a5\u7d9a\u3057\u305f\u3053\u3068\u304c\u7121\u304b\u3063\u305f\u306e\u3067\u3001\u691c\u8a3c\u3057\u3066\u307f\u305f\u3002<\/p>\n

I. \u524d\u63d0<\/h2>\n

\u74b0\u5883\u306f\u4ee5\u4e0b\u306e\u901a\u308a\u3002
\n\"01\"<\/a><\/p>\n

vpn1\u3001vpn2\u3001host1\u3001host2\u3001router1 OS\u306f\u5168\u3066Ubuntu 14.04\u3067\u3042\u308b\u3002<\/p>\n

vpn1\u2190\u2192vpn2\u306e\u9593\u3067\u3001openswan\u3067\u30c8\u30f3\u30cd\u30eb\u30e2\u30fc\u30c9IPsec\u63a5\u7d9a\u3092\u3059\u308b\u300210.0.1.0\/24 \u304b\u3089 10.0.2.0\/24 \u3078\u306e\u30d1\u30b1\u30c3\u30c8\u3001\u307e\u305f\u305d\u306e\u9006\u65b9\u5411\u306e\u30d1\u30b1\u30c3\u30c8\u306f\u30c8\u30f3\u30cd\u30eb\u3078\u5165\u308b\u3088\u3046\u306b\u3059\u308b\u3002\u3064\u307e\u308a\u3001\u4f8b\u3048\u3070host1\u304b\u3089host2\u3078ping\u3092\u6253\u3064\u3068\u30c8\u30f3\u30cd\u30eb\u3092\u901a\u308b\u3053\u3068\u306b\u306a\u308b\u300210.0.1.0\/24\u308410.0.2.0\/24\u3078\u306e\u30b9\u30bf\u30c6\u30a3\u30c3\u30af\u30eb\u30fc\u30c8\u306frouter1\u306b\u8ffd\u52a0\u3057\u306a\u3044\u3088\u3046\u306b\u3057\u3066\u304a\u304f\u306e\u3067\u3001VPN\u30c8\u30f3\u30cd\u30eb\u304c\u51fa\u6765\u306a\u3051\u308c\u3070host1\u304b\u3089host2\u3078\u306eping\u306f\u5230\u9054\u3067\u304d\u306a\u3044\u3002<\/p>\n

vpn2\u5074\u306b\u81ea\u52d5\u63a5\u7d9a\u958b\u59cb\u306e\u8a2d\u5b9a\u3092\u5165\u308c\u308b\u3053\u3068\u3067\u3001VPN\u30c8\u30f3\u30cd\u30eb\u3092\u81ea\u52d5\u7684\u306b\u5f35\u308b\u3053\u3068\u306b\u3059\u308b\u3002<\/p>\n

II. \u8a2d\u5b9a<\/h2>\n

\u4ee5\u4e0b\u3001\u8a2d\u5b9a\u3092\u8a18\u8ff0\u3059\u308b(IP\u30a2\u30c9\u30ec\u30b9\u8a2d\u5b9a\u306a\u3069\u57fa\u672c\u7684\u306a\u3068\u3053\u308d\u306f\u7701\u7565)<\/p>\n

1. router1 \u306e\u8a2d\u5b9a:<\/h3>\n
\r\nrouter1:~$ sudo vi \/etc\/sysctl.conf\r\nnet.ipv4.ip_forward=1  #28\u884c\u76ee\u306e\u30b3\u30e1\u30f3\u30c8\u3092\u5916\u3059\r\nrouter1:~$ sudo sysctl -p \/etc\/sysctl.conf<\/pre>\n
2. vpn1\u306e\u8a2d\u5b9a:<\/h3>\n
\u30c7\u30d5\u30a9\u30eb\u30c8\u30eb\u30fc\u30c8\u306f router1 \u306b\u5411\u3051\u3066\u304a\u304f\u3002\u5411\u3044\u3066\u3044\u306a\u304b\u3063\u305f\u3089 \/etc\/network\/interfaces \u306a\u3069\u3092\u7de8\u96c6\u3057\u3066\u5909\u66f4\u3059\u308b\u3002<\/p>\n
\r\nvpn1$ ip route\r\ndefault via 1.2.3.1 dev eth1\r\n1.2.3.0\/24 dev eth1  proto kernel  scope link  src 1.2.3.4\r\n10.0.1.0\/24 dev eth0  proto kernel  scope link  src 10.0.1.1<\/pre>\n
OpenSWAN\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u3002<\/p>\n
\r\nvpn1:~$ sudo apt-get install openswan<\/pre>\n
\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u8a2d\u5b9a\u3059\u308b\u3002<\/p>\n
\r\nvpn1:~$ sudo vi \/etc\/sysctl.conf\r\nnet.ipv4.ip_forward=1\u3000\u3000#28\u884c\u76ee\u306e\u30b3\u30e1\u30f3\u30c8\u3092\u5916\u3059\r\n# \u4ee5\u4e0b\u3001\u8ffd\u8a18\u3059\u308b\r\nnet.ipv4.conf.default.send_redirects=0\r\nnet.ipv4.conf.all.send_redirects=0\r\nnet.ipv4.conf.eth0.accept_redirects=0\r\nnet.ipv4.conf.eth0.send_redirects=0\r\nnet.ipv4.conf.lo.accept_redirects=0\r\nnet.ipv4.conf.lo.send_redirects=0\r\nnet.ipv6.conf.eth0.accept_redirects=0\r\nnet.ipv6.conf.lo.accept_redirects=0\r\nvpn1:~$ sudo sysctl -p \/etc\/sysctl.conf<\/pre>\n
IPsec\u306e\u4e8b\u524d\u5171\u6709\u9375\u3092\u8a2d\u5b9a\u3059\u308b\u3002<\/p>\n
\r\nvpn1:~$ sudo vi \/etc\/ipsec.secrets\r\n# \u4ee5\u4e0b\u306e\u884c\u3092\u8ffd\u8a18\r\n: PSK \"passwordstring\"<\/pre>\n
IPsec\u306e\u63a5\u7d9a\u8a2d\u5b9a\u3092\u8a18\u8ff0\u3059\u308b\u3002<\/p>\n
\r\nvpn1:~$ sudo vi \/etc\/ipsec.conf\r\nconfig setup\t# protostack\u4ee5\u5916\u306f\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u307e\u307e\r\n\tdumpdir=\/var\/run\/pluto\/\r\n\tnat_traversal=yes\r\n\tvirtual_private=%v4:10.0.0.0\/8,%v4:192.168.0.0\/16,%v4:172.16.0.0\/12,%v4:25.0.0.0\/8,%v6:fd00::\/8,%v6:fe80::\/10\r\n\toe=off\r\n\tprotostack=netkey\t# auto \u304b\u3089\u5909\u66f4\r\n# \u4ee5\u4e0b\u3001\u8ffd\u8a18\r\nconn linux-to-linux\r\n\tauthby=secret\t# \u5171\u6709\u9375\u8a8d\u8a3c\u3068\u3059\u308b\r\n\tleft=1.2.3.4\t# \u81ea\u30db\u30b9\u30c8\u306eIP\u30a2\u30c9\u30ec\u30b9\r\n\tleftsubnet=10.0.1.0\/24\t# \u81ea\u5206\u5074\u306e\u30d7\u30e9\u30a4\u30d9\u30fc\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\r\n\tright=5.6.7.8\t# \u5bfe\u5411\u5074\u30db\u30b9\u30c8\u306eIP\u30a2\u30c9\u30ec\u30b9\r\n\trightsubnet=10.0.2.0\/24\t# \u5bfe\u5411\u5074\u306e\u30d7\u30e9\u30a4\u30d9\u30fc\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\r\n\tauto=add\t# \u3053\u3061\u3089\u5074\u304b\u3089\u306fVPN\u63a5\u7d9a\u3092\u81ea\u52d5\u958b\u59cb\u3057\u306a\u3044<\/pre>\n
\u30c7\u30fc\u30e2\u30f3\u3092\u518d\u8d77\u52d5\u3059\u308b\u3002<\/p>\n
\r\nvpn1:~$ sudo service ipsec restart<\/pre>\n
3. vpn2 \u306e\u8a2d\u5b9a:<\/h3>\n
\u30c7\u30d5\u30a9\u30eb\u30c8\u30eb\u30fc\u30c8\u306f router1 \u306b\u5411\u3051\u3066\u304a\u304f\u3002\u5411\u3044\u3066\u3044\u306a\u304b\u3063\u305f\u3089 \/etc\/network\/interfaces \u306a\u3069\u3092\u7de8\u96c6\u3057\u3066\u5909\u66f4\u3059\u308b\u3002<\/p>\n
\r\nvpn1$ ip route\r\ndefault via 5.6.7.1 dev eth1\r\n5.6.7.0\/24 dev eth1  proto kernel  scope link  src 5.6.7.8\r\n10.0.2.0\/24 dev eth0  proto kernel  scope link  src 10.0.2.1<\/pre>\n
OpenSWAN\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u3002<\/p>\n
\r\nvpn1:~$ sudo apt-get install openswan<\/pre>\n
\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u5909\u66f4\u3059\u308b\u3002<\/p>\n
\r\nvpn2:~$ sudo vi \/etc\/sysctl.conf\t# vpn1\u3068\u540c\u3058\u8a18\u8ff0\u3092\u3059\u308b\u3002\r\nvpn2:~$ sudo sysctl -p \/etc\/sysctl.conf<\/pre>\n
IPsec\u4e8b\u524d\u5171\u6709\u9375\u3092\u8a2d\u5b9a\u3059\u308b\u3002<\/p>\n
\r\nvpn2:~$ sudo vi \/etc\/ipsec.secrets\t# \u3053\u308c\u3082vpn1\u3068\u540c\u3058\u8a18\u8ff0\u3092\u3059\u308b\u3002<\/pre>\n
IPsec\u306e\u8a2d\u5b9a\u3092\u8a18\u8ff0\u3059\u308b\u3002<\/p>\n
\r\nvpn2:~$ sudo vi \/etc\/ipsec.conf\r\nconfig setup\t# protostack\u4ee5\u5916\u306f\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u307e\u307e\r\n\tdumpdir=\/var\/run\/pluto\/\r\n\tnat_traversal=yes\r\n\tvirtual_private=%v4:10.0.0.0\/8,%v4:192.168.0.0\/16,%v4:172.16.0.0\/12,%v4:25.0.0.0\/8,%v6:fd00::\/8,%v6:fe80::\/10\r\n\toe=off\r\n\tprotostack=netkey\t# auto \u304b\u3089\u5909\u66f4\r\n# \u4ee5\u4e0b\u3001\u8ffd\u8a18\u3059\u308b\u3002right\/left\u3092vpn1\u5074\u3068\u306f\u5165\u308c\u63db\u3048\u308b\u3002\r\nconn linux-to-linux\r\n\tauthby=secret\r\n\tleft=5.6.7.8\r\n\tleftsubnet=10.0.2.0\/24\r\n\tright=1.2.3.4\r\n\trightsubnet=10.0.1.0\/24\r\n\tauto=start\t# \u3053\u3061\u3089\u5074\u304b\u3089VPN\u63a5\u7d9a\u3092\u81ea\u52d5\u958b\u59cb\u3059\u308b<\/pre>\n
\u30c7\u30fc\u30e2\u30f3\u3092\u518d\u8d77\u52d5\u3059\u308b\u3002<\/p>\n
\r\nvpn1:~$ sudo service ipsec restart<\/pre>\n
\u3053\u308c\u3067\u5b8c\u6210\u3002<\/p>\n
III. \u78ba\u8a8d<\/h2>\n
ipsec verify \u3092\u5b9f\u884c\u3059\u308b\u3068 FAILED \u304c\u51fa\u308b\u304c\u3001\u6c17\u306b\u3057\u306a\u304f\u3066\u3088\u3044\u3002<\/p>\n
\r\nvpn1:~$ sudo ipsec verify\r\nTwo or more interfaces found, checking IP forwarding        [FAILED]<\/pre>\n
router1\u3067tcpdump\u3092\u4ed5\u639b\u3051\u3066\u304a\u304d\u3001host1\u304b\u3089host2\u3042\u3066\u306bping\u3092\u6253\u3063\u3066\u307f\u308b\u3002<\/p>\n
\r\nhost1:~$ ping 10.0.2.100<\/pre>\n
\r\nrouter1:~$ sudo tcpdump -n -i eth1 not tcp port 22\r\n10:49:22.294046 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0x8f3ac7ea,seq=0x1), length 132\r\n10:49:22.294543 IP 5.6.7.8 > 1.2.3.4: ESP(spi=0x0293d289,seq=0x1), length 132\r\n10:49:23.295411 IP 1.2.3.4 > 5.6.7.8: ESP(spi=0x8f3ac7ea,seq=0x2), length 132\r\n10:49:23.295890 IP 5.6.7.8 > 1.2.3.4: ESP(spi=0x0293d289,seq=0x2), length 132<\/pre>\n
ESP\u306b\u30ab\u30d7\u30bb\u30eb\u5316\u3055\u308c\u3066\u30d1\u30b1\u30c3\u30c8\u304c\u901a\u904e\u3057\u3066\u3044\u308b\u3053\u3068\u304c\u78ba\u8a8d\u3067\u304d\u305f\u3002<\/p>\n
\u203b\u30d1\u30b1\u30c3\u30c8\u304c\u30c8\u30f3\u30cd\u30eb\u306b\u5165\u308b\u304b\u5165\u3089\u306a\u3044\u304b\u306f\u3001IP\u30eb\u30fc\u30c6\u30a3\u30f3\u30b0\u3067\u306f\u306a\u304fxfrm\u30dd\u30ea\u30b7\u30fc\u306b\u3088\u3063\u3066\u6c7a\u307e\u3063\u3066\u3044\u308b\u3002
\nip xfrm state\u3001ip xfrm policy \u30b3\u30de\u30f3\u30c9\u3067\u78ba\u8a8d\u3067\u304d\u308b\u3002<\/p>\n
\r\nvpn1:~$ sudo ip xfrm state\r\nsrc 1.2.3.4 dst 5.6.7.8\r\n\tproto esp spi 0x8f3ac7ea reqid 16385 mode tunnel\r\n\treplay-window 32 flag af-unspec\r\n\tauth-trunc hmac(sha1) 0xdbc2f99d8243e36fc8920c790c0b6b9d85c84a48 96\r\n\tenc cbc(aes) 0x506786cc1fbf21c272ddeab0c4deb739\r\nsrc 5.6.7.8 dst 1.2.3.4\r\n\tproto esp spi 0x0293d289 reqid 16385 mode tunnel\r\n\treplay-window 32 flag af-unspec\r\n\tauth-trunc hmac(sha1) 0x10110db5180fb3773d47cb538b29ae9371137ebd 96\r\n\tenc cbc(aes) 0xb29c28de3d0e40111f6f9720fddf117f<\/pre>\n
\r\nvpn1:~$ sudo ip xfrm policy\r\nsrc 10.0.1.0\/24 dst 10.0.2.0\/24 \r\n\tdir out priority 2344 \r\n\ttmpl src 1.2.3.4 dst 5.6.7.8\r\n\t\tproto esp reqid 16385 mode tunnel\r\nsrc 10.0.2.0\/24 dst 10.0.1.0\/24 \r\n\tdir fwd priority 2344 \r\n\ttmpl src 5.6.7.8 dst 1.2.3.4\r\n\t\tproto esp reqid 16385 mode tunnel\r\nsrc 10.0.2.0\/24 dst 10.0.1.0\/24 \r\n\tdir in priority 2344 \r\n\ttmpl src 5.6.7.8 dst 1.2.3.4\r\n\t\tproto esp reqid 16385 mode tunnel\r\n(snip)<\/pre>\n","protected":false},"excerpt":{"rendered":"
\u203b\u672c\u8a18\u4e8b\u306f\u5185\u5bb9\u304c\u53e4\u304f\u306a\u3063\u3066\u3044\u307e\u3059\u3002Ubuntu 14.04 \u3068 openswan \u3092\u4f7f\u3063\u305f\u8a18\u4e8b\u306b\u306a\u308a\u307e\u3059\u3002\u53ef\u80fd\u306a\u3089\u3070\u6700\u65b0\u306e OS \u3068 strongswan \u307e\u305f\u306f libreswan \u3092\u5229\u7528\u3057\u3066\u304f\u3060\u3055\u3044\u3002\u65b0\u3057\u3044\u8a18\u4e8b\u306f\u3053\u3061 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,9,12,7],"tags":[],"_links":{"self":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts\/48"}],"collection":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=48"}],"version-history":[{"count":0,"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts\/48\/revisions"}],"wp:attachment":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=48"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=48"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=48"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}