{"id":64,"date":"2014-05-22T10:50:43","date_gmt":"2014-05-22T01:50:43","guid":{"rendered":"http:\/\/fsck.jp\/?p=64"},"modified":"2018-07-12T10:03:39","modified_gmt":"2018-07-12T01:03:39","slug":"linux%e3%82%b5%e3%83%bc%e3%83%90%e9%96%93ipsec%e6%8e%a5%e7%b6%9a","status":"publish","type":"post","link":"https:\/\/fsck.jp\/?p=64","title":{"rendered":"Linux \u30b5\u30fc\u30d0\u9593 IPsec \u63a5\u7d9a (strongswan)"},"content":{"rendered":"

Linux \u30b5\u30fc\u30d0\u540c\u58eb\u306e\u9593\u3067\u901a\u5e38\u306e IPsec \u3092\u63a5\u7d9a\u3057\u3066\u307f\u308b\u3002IPsec \u5b9f\u88c5\u3068\u3057\u3066 strongswan \u3068 libreswan \u306e\u3069\u3061\u3089\u3092\u4f7f\u3046\u304b\u306f\u597d\u307f\u306b\u3088\u308b\u304c\u3001\u3053\u306e\u9805\u3067\u306f strongswan \u3092\u5229\u7528\u3059\u308b\u3002libreswan<\/a>\u3001\u53e4\u3044 openswan \u3092\u4f7f\u3063\u305f\u3084\u308a\u65b9<\/a>\u306f\u5225\u8a18\u4e8b\u306b\u3066\u3002<\/p>\n

I. \u524d\u63d0<\/h2>\n

\u74b0\u5883\u306f\u4ee5\u4e0b\u306e\u901a\u308a\u3002
\n\"\"<\/a><\/p>\n

vpn1\u3001vpn2\u3001host1\u3001host2\u3001router1 OS\u306f\u5168\u3066Ubuntu 18.04\u3067\u3042\u308b\u3002<\/p>\n

vpn1\u2190\u2192vpn2\u306e\u9593\u3067\u3001strongswan\u3067\u30c8\u30f3\u30cd\u30eb\u30e2\u30fc\u30c9IPsec\u63a5\u7d9a\u3092\u3059\u308b\u300210.0.1.0\/24 \u304b\u3089 10.0.2.0\/24 \u3078\u306e\u30d1\u30b1\u30c3\u30c8\u3001\u307e\u305f\u305d\u306e\u9006\u65b9\u5411\u306e\u30d1\u30b1\u30c3\u30c8\u306f\u30c8\u30f3\u30cd\u30eb\u3078\u5165\u308b\u3088\u3046\u306b\u3059\u308b\u3002\u3064\u307e\u308a\u3001\u4f8b\u3048\u3070host1\u304b\u3089host2\u3078ping\u3092\u6253\u3064\u3068\u30c8\u30f3\u30cd\u30eb\u3092\u901a\u308b\u3053\u3068\u306b\u306a\u308b\u300210.0.1.0\/24\u308410.0.2.0\/24\u3078\u306e\u30b9\u30bf\u30c6\u30a3\u30c3\u30af\u30eb\u30fc\u30c8\u306frouter1\u306b\u8ffd\u52a0\u3057\u306a\u3044\u3088\u3046\u306b\u3057\u3066\u304a\u304f\u306e\u3067\u3001VPN\u30c8\u30f3\u30cd\u30eb\u304c\u51fa\u6765\u306a\u3051\u308c\u3070host1\u304b\u3089host2\u3078\u306eping\u306f\u5230\u9054\u3067\u304d\u306a\u3044\u3002<\/p>\n

vpn2\u5074\u306b\u81ea\u52d5\u63a5\u7d9a\u958b\u59cb\u306e\u8a2d\u5b9a\u3092\u5165\u308c\u308b\u3053\u3068\u3067\u3001VPN\u30c8\u30f3\u30cd\u30eb\u3092\u81ea\u52d5\u7684\u306b\u5f35\u308b\u3053\u3068\u306b\u3059\u308b\u3002<\/p>\n

II. \u8a2d\u5b9a<\/h2>\n

\u4ee5\u4e0b\u3001\u8a2d\u5b9a\u3092\u8a18\u8ff0\u3059\u308b(IP\u30a2\u30c9\u30ec\u30b9\u8a2d\u5b9a\u306a\u3069\u57fa\u672c\u7684\u306a\u3068\u3053\u308d\u306f\u7701\u7565)<\/p>\n

1. router1 \u306e\u8a2d\u5b9a:<\/h3>\n

\u901a\u904e\u30d1\u30b1\u30c3\u30c8\u3092\u8ee2\u9001\u3067\u304d\u308b\u3088\u3046\u306b\u3001\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u5909\u66f4\u3059\u308b\u3002
\nuser@router1:~$ sudo vi \/etc\/sysctl.conf<\/code><\/p>\n

net.ipv4.ip_forward=1  #28\u884c\u76ee\u306e\u30b3\u30e1\u30f3\u30c8\u3092\u5916\u3059<\/pre>\n
\u4e0a\u8a18\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u6709\u52b9\u5316\u3059\u308b\u3002
\nuser@router1:~$ sudo sysctl -p \/etc\/sysctl.conf<\/code><\/p>\n
2. vpn1\u306e\u8a2d\u5b9a:<\/h3>\n
strongswan \u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u3002\u3053\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u69cb\u6210\u3067\u306f\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u304b\u3089\u306e apt install \u4e0d\u53ef\u306a\u306e\u3067\u3001\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u63a5\u7d9a\u53ef\u80fd\u306a\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306b\u4e00\u6642\u7684\u306b\u63a5\u7d9a\u3057\u3066\u304a\u304f\u3002
\nuser@vpn1:~$ sudo apt install strongswan<\/code><\/p>\n
\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u304c\u7d42\u308f\u3063\u305f\u3089\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u69cb\u6210\u3092\u691c\u8a3c\u7528\u306e\u69cb\u6210\u306b\u623b\u3059\u3002\u4ee5\u4e0b\u306e\u3088\u3046\u306b netplan \u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u3092\u7de8\u96c6\u3059\u308b\u3002
\nuser@vpn1:~$ vi \/etc\/netplan\/50-cloud-init.yaml<\/code><\/p>\n
\r\nnetwork:\r\n    version: 2\r\n    ethernets:\r\n        ens160:\r\n            addresses: [198.51.100.100\/24]\r\n            gateway4: 198.51.100.1\r\n        ens192:\r\n            addresses: [10.0.1.1\/24]<\/pre>\n
\u7de8\u96c6\u3057\u305f\u3089\u9069\u7528\u3059\u308b\u3002
\nuser@vpn1:~$ sudo netplan apply<\/code><\/p>\n
\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u8a2d\u5b9a\u3059\u308b\u3002
\nuser@vpn1:~$ sudo vi \/etc\/sysctl.conf<\/code><\/p>\n
net.ipv4.ip_forward=1\u3000\u3000#28\u884c\u76ee\u306e\u30b3\u30e1\u30f3\u30c8\u3092\u5916\u3059<\/pre>\n
\u4e0a\u8a18\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u6709\u52b9\u5316\u3059\u308b\u3002
\nuser@vpn1:~$ sudo sysctl -p \/etc\/sysctl.conf<\/code><\/p>\n
IPsec\u306e\u4e8b\u524d\u5171\u6709\u9375\u3092\u8a2d\u5b9a\u3059\u308b\u3002
\nuser@vpn1:~$ sudo vi \/etc\/ipsec.secrets<\/code><\/p>\n
# \u4ee5\u4e0b\u306e\u884c\u3092\u8ffd\u8a18\r\n: PSK \"mypresharedkey\"<\/pre>\n
IPsec\u306e\u63a5\u7d9a\u8a2d\u5b9a\u3092\u8a18\u8ff0\u3059\u308b\u3002\u30d5\u30a1\u30a4\u30eb\u306e\u6700\u5f8c\u3042\u305f\u308a\u306b\u8ffd\u8a18\u3059\u308b\u5f62\u306b\u3059\u308b\u3002
\nuser@vpn1:~$ sudo vi \/etc\/ipsec.conf<\/code><\/p>\n
conn linux-to-linux\r\n        authby=secret\t\t# \u5171\u6709\u9375\u8a8d\u8a3c\u3068\u3059\u308b\r\n        auto=add\t\t# \u3053\u3061\u3089\u5074\u304b\u3089\u306fVPN\u63a5\u7d9a\u3092\u81ea\u52d5\u958b\u59cb\u3057\u306a\u3044\r\n        closeaction=clear\r\n        dpdaction=clear\r\n        left=198.51.100.100\t# \u81ea\u30db\u30b9\u30c8\u306eIP\u30a2\u30c9\u30ec\u30b9\r\n        leftsubnet=10.0.1.0\/24\t# \u81ea\u5206\u5074\u306e\u30d7\u30e9\u30a4\u30d9\u30fc\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\r\n        right=203.0.113.100\t# \u5bfe\u5411\u5074\u30db\u30b9\u30c8\u306eIP\u30a2\u30c9\u30ec\u30b9\r\n        rightsubnet=10.0.2.0\/24\t# \u5bfe\u5411\u5074\u306e\u30d7\u30e9\u30a4\u30d9\u30fc\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af<\/pre>\n
\u30c7\u30fc\u30e2\u30f3\u3092\u518d\u8d77\u52d5\u3059\u308b\u3002
\nuser@vpn1:~$ sudo systemctl restart strongswan<\/code><\/p>\n
3. vpn2 \u306e\u8a2d\u5b9a:<\/h3>\n
vpn1 \u3068\u540c\u69d8\u306b\u3001strongswan \u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u3002\u691c\u8a3c\u69cb\u6210\u3067\u306f\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u304b\u3089\u306e apt install \u4e0d\u53ef\u306a\u306e\u3082 vpn1 \u3068\u540c\u69d8\u3067\u3042\u308b\u3002\u4e00\u6642\u7684\u306b\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u63a5\u7d9a\u53ef\u80fd\u306a\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306b\u63a5\u7d9a\u3057\u3066\u304a\u304f\u3002
\nuser@vpn2:~$ sudo apt install strongswan<\/code><\/p>\n
\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u304c\u7d42\u308f\u3063\u305f\u3089\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u69cb\u6210\u3092\u691c\u8a3c\u7528\u306e\u69cb\u6210\u306b\u623b\u3059\u3002
\nuser@vpn2:~$ vi \/etc\/netplan\/50-cloud-init.yaml<\/code><\/p>\n
network:\r\n    version: 2\r\n    ethernets:\r\n        ens160:\r\n            addresses: [203.0.113.100\/24]\r\n            gateway4: 203.0.113.1\r\n        ens192:\r\n            addresses: [10.0.2.1\/24]<\/pre>\n
\u7de8\u96c6\u3057\u305f\u3089\u9069\u7528\u3059\u308b\u3002
\nuser@vpn2:~$ sudo netplan apply<\/code><\/p>\n
\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u8a2d\u5b9a\u3059\u308b\u3002
\nuser@vpn2:~$ sudo vi \/etc\/sysctl.conf<\/code><\/p>\n
net.ipv4.ip_forward=1\u3000\u3000#28\u884c\u76ee\u306e\u30b3\u30e1\u30f3\u30c8\u3092\u5916\u3059<\/pre>\n
\u4e0a\u8a18\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u6709\u52b9\u5316\u3059\u308b\u3002
\nuser@vpn2:~$ sudo sysctl -p \/etc\/sysctl.conf<\/code><\/p>\n
IPsec \u4e8b\u524d\u5171\u6709\u9375\u3092\u8a2d\u5b9a\u3059\u308b\u3002
\nuser@vpn2:~$ sudo vi \/etc\/ipsec.secrets<\/code><\/p>\n
# \u4ee5\u4e0b\u306e\u884c\u3092\u8ffd\u8a18\r\n: PSK \"mypresharedkey\"<\/pre>\n
IPsec\u306e\u8a2d\u5b9a\u3092\u8a18\u8ff0\u3059\u308b\u3002right\/left\u3092vpn1\u5074\u3068\u306f\u5165\u308c\u63db\u3048\u308b\u3002
\nuser@vpn2:~$ sudo vi \/etc\/ipsec.conf<\/code><\/p>\n
conn linux-to-linux\r\n        authby=secret\r\n        auto=start\t\t# \u3053\u3061\u3089\u5074\u304b\u3089VPN\u63a5\u7d9a\u3092\u81ea\u52d5\u958b\u59cb\u3059\u308b\r\n        closeaction=restart\r\n        dpdaction=restart\r\n        left=203.0.113.100\r\n        leftsubnet=10.0.2.0\/24\r\n        right=198.51.100.100\r\n        rightsubnet=10.0.1.0\/24<\/pre>\n
\u30c7\u30fc\u30e2\u30f3\u3092\u518d\u8d77\u52d5\u3059\u308b\u3002
\nuser@vpn2:~$ sudo systemctl restart strongswan<\/code><\/p>\n
\u3053\u308c\u3067\u5b8c\u6210\u3002<\/p>\n
III. \u78ba\u8a8d<\/h2>\n
ipsec status\u30b3\u30de\u30f3\u30c9\u3067\u3001\u63a5\u7d9a\u72b6\u6cc1\u3092\u78ba\u8a8d\u3067\u304d\u308b\u3002<\/p>\n
user@vpn1:~$ sudo ipsec status
\nSecurity Associations (1 up, 0 connecting):
\nlinux-to-linux[1]: ESTABLISHED 7 minutes ago, 198.51.100.100[198.51.100.100]...203.0.113.100[203.0.113.100]
\nlinux-to-linux{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c90fad30_i c17db9d8_o
\nlinux-to-linux{1}:   10.0.1.0\/24 === 10.0.2.0\/24<\/code><\/p>\n
router1\u3067tcpdump\u3092\u4ed5\u639b\u3051\u3066\u304a\u304d\u3001host1\u304b\u3089host2\u3042\u3066\u306bping\u3092\u6253\u3063\u3066\u307f\u308b\u3002
\nuser@host1:~$ ping 10.0.2.100<\/code>
\nuser@router1:~$ sudo tcpdump -n -i ens192 not tcp port 22
\n15:15:46.146244 IP 198.51.100.100 > 203.0.113.100: ESP(spi=0xc17db9d8,seq=0x1d), length 136
\n15:15:46.146569 IP 203.0.113.100 > 198.51.100.100: ESP(spi=0xc90fad30,seq=0xd), length 136
\n15:15:47.169558 IP 198.51.100.100 > 203.0.113.100: ESP(spi=0xc17db9d8,seq=0x1e), length 136
\n15:15:47.170081 IP 203.0.113.100 > 198.51.100.100: ESP(spi=0xc90fad30,seq=0xe), length 136<\/code>
\nESP\u306b\u30ab\u30d7\u30bb\u30eb\u5316\u3055\u308c\u3066\u30d1\u30b1\u30c3\u30c8\u304c\u901a\u904e\u3057\u3066\u3044\u308b\u3053\u3068\u304c\u78ba\u8a8d\u3067\u304d\u305f\u3002<\/p>\n
\u203b\u30d1\u30b1\u30c3\u30c8\u304c\u30c8\u30f3\u30cd\u30eb\u306b\u5165\u308b\u304b\u5165\u3089\u306a\u3044\u304b\u306f\u3001IP \u30eb\u30fc\u30c6\u30a3\u30f3\u30b0\u3067\u306f\u306a\u304f xfrm \u30dd\u30ea\u30b7\u30fc\u306b\u3088\u3063\u3066\u6c7a\u307e\u3063\u3066\u3044\u308b\u3002
\nip xfrm policy \u30b3\u30de\u30f3\u30c9\u3067\u78ba\u8a8d\u3067\u304d\u308b\u3002<\/p>\n
user@vpn1:~$ sudo ip xfrm policy\r\nsrc 10.0.1.0\/24 dst 10.0.2.0\/24\r\n        dir out priority 375423\r\n        tmpl src 198.51.100.100 dst 203.0.113.100\r\n                proto esp spi 0xc17db9d8 reqid 1 mode tunnel\r\nsrc 10.0.2.0\/24 dst 10.0.1.0\/24\r\n        dir fwd priority 375423\r\n        tmpl src 203.0.113.100 dst 198.51.100.100\r\n                proto esp reqid 1 mode tunnel\r\nsrc 10.0.2.0\/24 dst 10.0.1.0\/24\r\n        dir in priority 375423\r\n        tmpl src 203.0.113.100 dst 198.51.100.100\r\n                proto esp reqid 1 mode tunnel\r\n(snip)<\/pre>\n","protected":false},"excerpt":{"rendered":"
Linux \u30b5\u30fc\u30d0\u540c\u58eb\u306e\u9593\u3067\u901a\u5e38\u306e IPsec \u3092\u63a5\u7d9a\u3057\u3066\u307f\u308b\u3002IPsec \u5b9f\u88c5\u3068\u3057\u3066 strongswan \u3068 libreswan \u306e\u3069\u3061\u3089\u3092\u4f7f\u3046\u304b\u306f\u597d\u307f\u306b\u3088\u308b\u304c\u3001\u3053\u306e\u9805\u3067\u306f strongswan \u3092\u5229\u7528\u3059\u308b\u3002libr […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,9,12,7],"tags":[],"_links":{"self":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts\/64"}],"collection":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=64"}],"version-history":[{"count":0,"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts\/64\/revisions"}],"wp:attachment":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=64"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=64"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=64"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}