{"id":972,"date":"2018-07-04T15:32:20","date_gmt":"2018-07-04T06:32:20","guid":{"rendered":"https:\/\/fsck.jp\/?p=972"},"modified":"2019-10-21T14:51:59","modified_gmt":"2019-10-21T05:51:59","slug":"linux-%e3%82%b5%e3%83%bc%e3%83%90%e9%96%93-ipsec-%e6%8e%a5%e7%b6%9a-libreswan","status":"publish","type":"post","link":"https:\/\/fsck.jp\/?p=972","title":{"rendered":"Linux \u30b5\u30fc\u30d0\u9593 IPsec \u63a5\u7d9a (libreswan)"},"content":{"rendered":"\n

Linux \u30b5\u30fc\u30d0\u540c\u58eb\u306e\u9593\u3067 libreswan \u3092\u4f7f\u3063\u3066 IPsec \u3092\u63a5\u7d9a\u3057\u3066\u307f\u308b\u3002strongswan \u3092\u4f7f\u3063\u305f\u3084\u308a\u65b9\u306f\u5225\u8a18\u4e8b<\/a>\u306b\u3066\u3002<\/p>\n\n\n\n

I. \u524d\u63d0<\/h2>\n\n\n\n

\u74b0\u5883\u306f\u4ee5\u4e0b\u306e\u901a\u308a\u3002<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

vpn1\u3001vpn2\u3001host1\u3001host2\u3001router1 OS\u306f\u5168\u3066Ubuntu 18.04\u3067\u3042\u308b\u3002<\/p>\n\n\n\n

vpn1\u2190\u2192vpn2\u306e\u9593\u3067\u3001libreswan\u3067\u30c8\u30f3\u30cd\u30eb\u30e2\u30fc\u30c9IPsec\u63a5\u7d9a\u3092\u3059\u308b\u300210.0.1.0\/24 \u304b\u3089 10.0.2.0\/24 \u3078\u306e\u30d1\u30b1\u30c3\u30c8\u3001\u307e\u305f\u305d\u306e\u9006\u65b9\u5411\u306e\u30d1\u30b1\u30c3\u30c8\u306f\u30c8\u30f3\u30cd\u30eb\u3078\u5165\u308b\u3088\u3046\u306b\u3059\u308b\u3002\u3064\u307e\u308a\u3001\u4f8b\u3048\u3070host1\u304b\u3089host2\u3078ping\u3092\u6253\u3064\u3068\u30c8\u30f3\u30cd\u30eb\u3092\u901a\u308b\u3053\u3068\u306b\u306a\u308b\u300210.0.1.0\/24\u308410.0.2.0\/24\u3078\u306e\u30b9\u30bf\u30c6\u30a3\u30c3\u30af\u30eb\u30fc\u30c8\u306frouter1\u306b\u8ffd\u52a0\u3057\u306a\u3044\u3088\u3046\u306b\u3057\u3066\u304a\u304f\u306e\u3067\u3001VPN\u30c8\u30f3\u30cd\u30eb\u304c\u51fa\u6765\u306a\u3051\u308c\u3070host1\u304b\u3089host2\u3078\u306eping\u306f\u5230\u9054\u3067\u304d\u306a\u3044\u3002<\/p>\n\n\n\n

vpn2\u5074\u306b\u81ea\u52d5\u63a5\u7d9a\u958b\u59cb\u306e\u8a2d\u5b9a\u3092\u5165\u308c\u308b\u3053\u3068\u3067\u3001VPN\u30c8\u30f3\u30cd\u30eb\u3092\u81ea\u52d5\u7684\u306b\u5f35\u308b\u3053\u3068\u306b\u3059\u308b\u3002<\/p>\n\n\n\n

II. \u8a2d\u5b9a<\/h2>\n\n\n\n

\u4ee5\u4e0b\u3001\u8a2d\u5b9a\u3092\u8a18\u8ff0\u3059\u308b(IP\u30a2\u30c9\u30ec\u30b9\u8a2d\u5b9a\u306a\u3069\u57fa\u672c\u7684\u306a\u3068\u3053\u308d\u306f\u7701\u7565)<\/p>\n\n\n\n

1. router1 \u306e\u8a2d\u5b9a:<\/h3>\n\n\n\n

\u901a\u904e\u30d1\u30b1\u30c3\u30c8\u3092\u8ee2\u9001\u3067\u304d\u308b\u3088\u3046\u306b\u3001\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u5909\u66f4\u3059\u308b\u3002
user@router1:~$ sudo vi \/etc\/sysctl.conf<\/code><\/p>\n\n\n\n

net.ipv4.ip_forward=1  #28\u884c\u76ee\u306e\u30b3\u30e1\u30f3\u30c8\u3092\u5916\u3059<\/pre>\n\n\n\n
\u4e0a\u8a18\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u6709\u52b9\u5316\u3059\u308b\u3002
user@router1:~$ sudo sysctl -p \/etc\/sysctl.conf<\/code><\/p>\n\n\n\n
2. vpn1\u306e\u8a2d\u5b9a:<\/h3>\n\n\n\n
libreswan \u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u3002\u3053\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u69cb\u6210\u3067\u306f\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u304b\u3089\u306e apt install \u4e0d\u53ef\u306a\u306e\u3067\u3001\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u63a5\u7d9a\u53ef\u80fd\u306a\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306b\u4e00\u6642\u7684\u306b\u63a5\u7d9a\u3057\u3066\u304a\u304f\u3002
user@vpn1:~$ sudo apt install libreswan<\/code><\/p>\n\n\n\n
\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u304c\u7d42\u308f\u3063\u305f\u3089\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u69cb\u6210\u3092\u691c\u8a3c\u7528\u306e\u69cb\u6210\u306b\u623b\u3059\u3002\u4ee5\u4e0b\u306e\u3088\u3046\u306b netplan \u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u3092\u7de8\u96c6\u3059\u308b\u3002
user@vpn1:~$ vi \/etc\/netplan\/50-cloud-init.yaml<\/code><\/p>\n\n\n\n
network:\n    version: 2\n    ethernets:\n        ens160:\n            addresses: [198.51.100.100\/24]\n            gateway4: 198.51.100.1\n        ens192:\n            addresses: [10.0.1.1\/24]<\/pre>\n\n\n\n
\u7de8\u96c6\u3057\u305f\u3089\u9069\u7528\u3059\u308b\u3002
user@vpn1:~$ sudo netplan apply<\/code><\/p>\n\n\n\n
\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u8a2d\u5b9a\u3059\u308b\u3002
user@vpn1:~$ sudo vi \/etc\/sysctl.conf<\/code><\/p>\n\n\n\n
net.ipv4.ip_forward=1\u3000\u3000#28\u884c\u76ee\u306e\u30b3\u30e1\u30f3\u30c8\u3092\u5916\u3059<\/pre>\n\n\n\n
\u4e0a\u8a18\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u6709\u52b9\u5316\u3059\u308b\u3002
user@vpn1:~$ sudo sysctl -p \/etc\/sysctl.conf<\/code><\/p>\n\n\n\n
IPsec\u306e\u4e8b\u524d\u5171\u6709\u9375\u3092\u8a2d\u5b9a\u3059\u308b\u3002
user@vpn1:~$ sudo vi \/etc\/ipsec.d\/linux-to-linux.secrets<\/code><\/p>\n\n\n\n
: PSK \"mypresharedkey\"<\/pre>\n\n\n\n
\u4e00\u822c\u30e6\u30fc\u30b6\u3067\u8aad\u3081\u306a\u3044\u3088\u3046\u30d1\u30fc\u30df\u30c3\u30b7\u30e7\u30f3\u3092\u5909\u3048\u3066\u304a\u304f\u3002
user@vpn1:~$ sudo chmod 600 \/etc\/ipsec.d\/linux-to-linux.secrets<\/code><\/p>\n\n\n\n
IPsec\u306e\u63a5\u7d9a\u8a2d\u5b9a\u3092\u8a18\u8ff0\u3059\u308b\u3002
user@vpn1:~$ sudo vi \/etc\/ipsec.d\/linux-to-linux.conf<\/code><\/p>\n\n\n\n
conn linux-to-linux\n        authby=secret\t\t# \u5171\u6709\u9375\u8a8d\u8a3c\u3068\u3059\u308b\n        auto=add\t\t# \u3053\u3061\u3089\u5074\u304b\u3089\u306fVPN\u63a5\u7d9a\u3092\u81ea\u52d5\u958b\u59cb\u3057\u306a\u3044\n        dpdaction=clear\n        left=198.51.100.100\t# \u81ea\u30db\u30b9\u30c8\u306eIP\u30a2\u30c9\u30ec\u30b9\n        leftsubnet=10.0.1.0\/24\t# \u81ea\u5206\u5074\u306e\u30d7\u30e9\u30a4\u30d9\u30fc\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\n        right=203.0.113.100\t# \u5bfe\u5411\u5074\u30db\u30b9\u30c8\u306eIP\u30a2\u30c9\u30ec\u30b9\n        rightsubnet=10.0.2.0\/24\t# \u5bfe\u5411\u5074\u306e\u30d7\u30e9\u30a4\u30d9\u30fc\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af<\/pre>\n\n\n\n
\u30c7\u30fc\u30e2\u30f3\u3092\u8d77\u52d5\u3059\u308b\u3002
user@vpn1:~$ sudo systemctl enable ipsec
\nuser@vpn1:~$ sudo systemctl start ipsec<\/code><\/p>\n\n\n\n
3. vpn2 \u306e\u8a2d\u5b9a:<\/h3>\n\n\n\n
vpn1 \u3068\u540c\u69d8\u306b\u3001libreswan \u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u3002\u691c\u8a3c\u69cb\u6210\u3067\u306f\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u304b\u3089\u306e apt install \u4e0d\u53ef\u306a\u306e\u3082 vpn1 \u3068\u540c\u69d8\u3067\u3042\u308b\u3002\u4e00\u6642\u7684\u306b\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u63a5\u7d9a\u53ef\u80fd\u306a\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306b\u63a5\u7d9a\u3057\u3066\u304a\u304f\u3002
user@vpn2:~$ sudo apt install libreswan<\/code><\/p>\n\n\n\n
\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u304c\u7d42\u308f\u3063\u305f\u3089\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u69cb\u6210\u3092\u691c\u8a3c\u7528\u306e\u69cb\u6210\u306b\u623b\u3059\u3002
user@vpn2:~$ vi \/etc\/netplan\/50-cloud-init.yaml<\/code><\/p>\n\n\n\n
network:\n    version: 2\n    ethernets:\n        ens160:\n            addresses: [203.0.113.100\/24]\n            gateway4: 203.0.113.1\n        ens192:\n            addresses: [10.0.2.1\/24]<\/pre>\n\n\n\n
\u7de8\u96c6\u3057\u305f\u3089\u9069\u7528\u3059\u308b\u3002
user@vpn2:~$ sudo netplan apply<\/code><\/p>\n\n\n\n
\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u8a2d\u5b9a\u3059\u308b\u3002
user@vpn2:~$ sudo vi \/etc\/sysctl.conf<\/code><\/p>\n\n\n\n
net.ipv4.ip_forward=1\u3000\u3000#28\u884c\u76ee\u306e\u30b3\u30e1\u30f3\u30c8\u3092\u5916\u3059<\/pre>\n\n\n\n
\u4e0a\u8a18\u30ab\u30fc\u30cd\u30eb\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u6709\u52b9\u5316\u3059\u308b\u3002
user@vpn2:~$ sudo sysctl -p \/etc\/sysctl.conf<\/code><\/p>\n\n\n\n
IPsec \u4e8b\u524d\u5171\u6709\u9375\u3092\u8a2d\u5b9a\u3059\u308b\u3002
user@vpn2:~$ sudo vi \/etc\/ipsec.d\/linux-to-linux.secrets<\/code><\/p>\n\n\n\n
: PSK \"mypresharedkey\"<\/pre>\n\n\n\n
\u4e00\u822c\u30e6\u30fc\u30b6\u3067\u8aad\u3081\u306a\u3044\u3088\u3046\u30d1\u30fc\u30df\u30c3\u30b7\u30e7\u30f3\u3092\u5909\u3048\u3066\u304a\u304f\u3002
user@vpn2:~$ sudo chmod 600 \/etc\/ipsec.d\/linux-to-linux.secrets<\/code><\/p>\n\n\n\n
IPsec \u306e\u8a2d\u5b9a\u3092\u8a18\u8ff0\u3059\u308b\u3002right\/left \u3092 vpn1 \u5074\u3068\u306f\u5165\u308c\u63db\u3048\u308b\u3002
user@vpn2:~$ sudo vi \/etc\/ipsec.d\/linux-to-linux.conf<\/code><\/p>\n\n\n\n
conn linux-to-linux\n        authby=secret\n        auto=start\t\t# \u3053\u3061\u3089\u5074\u304b\u3089 VPN \u63a5\u7d9a\u3092\u81ea\u52d5\u958b\u59cb\u3059\u308b\n        dpdaction=restart\n        left=203.0.113.100\n        leftsubnet=10.0.2.0\/24\n        right=198.51.100.100\n        rightsubnet=10.0.1.0\/24<\/pre>\n\n\n\n
\u30c7\u30fc\u30e2\u30f3\u3092\u8d77\u52d5\u3059\u308b\u3002
user@vpn2:~$ sudo systemctl enable ipsec
\nuser@vpn2:~$ sudo systemctl start ipsec<\/code><\/p>\n\n\n\n
\u3053\u308c\u3067\u5b8c\u6210\u3002<\/p>\n\n\n\n
III. \u78ba\u8a8d<\/h2>\n\n\n\n
ipsec status \u30b3\u30de\u30f3\u30c9\u3067\u3001\u63a5\u7d9a\u72b6\u6cc1\u3092\u78ba\u8a8d\u3067\u304d\u308b\u3002<\/p>\n\n\n\n
user@vpn1:~$ sudo ipsec status
\n(snip)
\n000 #3: \"linux-to-linux\":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3326s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
\n000 #4: \"linux-to-linux\":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28526s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
\n000 #4: \"linux-to-linux\" esp.a61da06f@203.0.113.100 esp.53ec235d@198.51.100.100 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B<\/code><\/p>\n\n\n\n
router1 \u3067 tcpdump \u3092\u4ed5\u639b\u3051\u3066\u304a\u304d\u3001host1 \u304b\u3089 host2 \u3042\u3066\u306b ping \u3092\u6253\u3063\u3066\u307f\u308b\u3002
user@host1:~$ ping 10.0.2.100<\/code>
user@router1:~$ sudo tcpdump -n -i ens192 not tcp port 22
\n15:27:34.103230 IP 198.51.100.100 > 203.0.113.100: ESP(spi=0xa61da06f,seq=0x1), length 132
\n15:27:34.103475 IP 203.0.113.100 > 198.51.100.100: ESP(spi=0x53ec235d,seq=0x1), length 132
\n15:27:35.131026 IP 198.51.100.100 > 203.0.113.100: ESP(spi=0xa61da06f,seq=0x2), length 132
\n15:27:35.131271 IP 203.0.113.100 > 198.51.100.100: ESP(spi=0x53ec235d,seq=0x2), length 132<\/code>
ESP\u306b\u30ab\u30d7\u30bb\u30eb\u5316\u3055\u308c\u3066\u30d1\u30b1\u30c3\u30c8\u304c\u901a\u904e\u3057\u3066\u3044\u308b\u3053\u3068\u304c\u78ba\u8a8d\u3067\u304d\u305f\u3002<\/p>\n\n\n\n
\u203b\u30d1\u30b1\u30c3\u30c8\u304c\u30c8\u30f3\u30cd\u30eb\u306b\u5165\u308b\u304b\u5165\u3089\u306a\u3044\u304b\u306f\u3001IP \u30eb\u30fc\u30c6\u30a3\u30f3\u30b0\u3067\u306f\u306a\u304f xfrm \u30dd\u30ea\u30b7\u30fc\u306b\u3088\u3063\u3066\u6c7a\u307e\u3063\u3066\u3044\u308b\u3002
ip xfrm policy \u30b3\u30de\u30f3\u30c9\u3067\u78ba\u8a8d\u3067\u304d\u308b\u3002<\/p>\n\n\n\n
user@vpn1:~$ sudo ip xfrm policy\nsrc 10.0.1.0\/24 dst 10.0.2.0\/24\n        dir out priority 2344\n        tmpl src 198.51.100.100 dst 203.0.113.100\n                proto esp reqid 16389 mode tunnel\nsrc 10.0.2.0\/24 dst 10.0.1.0\/24\n        dir fwd priority 2344\n        tmpl src 203.0.113.100 dst 198.51.100.100\n                proto esp reqid 16389 mode tunnel\nsrc 10.0.2.0\/24 dst 10.0.1.0\/24\n        dir in priority 2344\n        tmpl src 203.0.113.100 dst 198.51.100.100\n                proto esp reqid 16389 mode tunnel\n(snip)<\/pre>\n","protected":false},"excerpt":{"rendered":"
Linux \u30b5\u30fc\u30d0\u540c\u58eb\u306e\u9593\u3067 libreswan \u3092\u4f7f\u3063\u3066 IPsec \u3092\u63a5\u7d9a\u3057\u3066\u307f\u308b\u3002strongswan \u3092\u4f7f\u3063\u305f\u3084\u308a\u65b9\u306f\u5225\u8a18\u4e8b\u306b\u3066\u3002 I. \u524d\u63d0 \u74b0\u5883\u306f\u4ee5\u4e0b\u306e\u901a\u308a\u3002 vpn1\u3001vpn2\u3001host1\u3001host2\u3001ro […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,9,15,12,7],"tags":[],"_links":{"self":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts\/972"}],"collection":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=972"}],"version-history":[{"count":0,"href":"https:\/\/fsck.jp\/index.php?rest_route=\/wp\/v2\/posts\/972\/revisions"}],"wp:attachment":[{"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fsck.jp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}