1. Консоль cisco-like:
!
! NOTE(review): S-Terra "cisco-like" running config of the spoke. The LSP
! listed further down is the converted form of this text, so the two are
! expected to agree line for line (cross-references below).
version 12.4
! Type-0 "password" lines would be stored in the clear. The only credentials
! present in this listing are already "secret 5" hashes (username / enable).
no service password-encryption
!
! Global IKE/IPsec knobs. They surface in the LSP as DFHandling=COPY,
! IKEParameters(FragmentSize, SALifetimeDelta, *SessionsMax) and the
! DPD* values of the IKERule.
crypto ipsec df-bit copy
! IKE identity is the certificate Distinguished Name, i.e. peers are
! authenticated by certificate (see "authentication gost-sig" below).
crypto isakmp identity dn
crypto isakmp fragmentation
crypto isakmp security-association lifetime delta 50
crypto isakmp initiator-sessions-max 100
crypto isakmp responder-sessions-max 100
! keepalive 3 / retry-count 5 -> DPDIdleDuration=3 / DPDRetries=5 in the LSP.
crypto isakmp keepalive 3
crypto isakmp keepalive retry-count 5
! Privilege-15 local admin account; its password hash is embedded in this
! listing. The hash continues on the next line ("MXTl0") - presumably a
! paste/line-wrap artefact rather than a second config statement.
username cscons privilege 15 secret 5 $6$tHtq8SR6$t3CWE6udI6L/ARr9jQowUYR7wEbOWZlx61OvLi7goonOFUYhNSGV49BA.RDGEZ7oKXBA1aTRi20ElR4wt
MXTl0
aaa new-model
!
!
hostname Spoke1
! Enable-mode secret, also stored hashed ("secret 5").
enable secret 5 PC9d7N5HlAyLrzuA3qRJvQ==
!
!
!
!
!
! Single IKE policy, GOST-only suite: GOST cipher, GOST R 34.11-2012 (256)
! hash, signature authentication, VKO group 2. Becomes
! "IKETransform crypto:isakmp:policy:1" in the LSP.
crypto isakmp policy 1
encr gost
hash gost341112-256-tc26
authentication gost-sig
group vko2
!
! ESP transform used by the L2 (EtherIP) map: Kuznyechik in MGM mode.
crypto ipsec transform-set GOST_ENCRYPT_AND_INTEGRITY_MGM esp-gost341215k-mgm
!
! ESP transform used by the L3 (management) map: GOST 28147-89 with imit (MAC).
crypto ipsec transform-set GOST_ENCRYPT_AND_INTEGRITY_IMIT esp-gost28147-4m-imit
!
! Interesting traffic for the L2VPN map: IP protocol 97 (EtherIP, per the
! remark) strictly between the local WAN address and the hub peer.
ip access-list extended IPSEC_ACl_HUB1_AND_SPOKE1
remark EtherIP L2 tunnel
permit 97 host 172.16.1.2 host 172.16.100.2
!
! Interesting traffic for the L3VPN map: the local management /24 to the
! remote management /24 (eth2 on the OS side sits in 192.168.254.0/24).
ip access-list extended IPSEC_ACl_HUB1_AND_SPOKE1_MGMT
remark MGMT Networks
permit ip 192.168.254.0 0.0.0.255 192.168.253.0 0.0.0.255
!
!
! Both maps point at the same peer and therefore share one IKERule in the
! LSP (IKERule:L2VPN:1$L3VPN:1).
! "lifetime kilobytes 4294967295" (2^32-1) means volume-based rekey is
! effectively never triggered; only the time lifetime (LifetimeSeconds=3600
! in the LSP ESPTransform) drives ESP rekeying.
crypto map L2VPN 1 ipsec-isakmp
match address IPSEC_ACl_HUB1_AND_SPOKE1
set transform-set GOST_ENCRYPT_AND_INTEGRITY_MGM
set security-association lifetime kilobytes 4294967295
set peer 172.16.100.2
set dead-connection history off
!
crypto map L3VPN 1 ipsec-isakmp
match address IPSEC_ACl_HUB1_AND_SPOKE1_MGMT
set transform-set GOST_ENCRYPT_AND_INTEGRITY_IMIT
set security-association lifetime kilobytes 4294967295
set peer 172.16.100.2
set dead-connection history off
!
! Data-plane ports DP0..DP35: identical crypto map, distinct stream-id
! 1000+N. The LSP emits one FilterChain IPsecPolicy:L2VPN:<stream-id> per
! port. ipsm_dpdk.cfg has threads = 36 - presumably one stream per
! data-plane thread; confirm against the product documentation.
interface DP0
crypto map L2VPN
crypto ipsec stream-id 1000
!
interface DP1
crypto map L2VPN
crypto ipsec stream-id 1001
!
interface DP2
crypto map L2VPN
crypto ipsec stream-id 1002
!
interface DP3
crypto map L2VPN
crypto ipsec stream-id 1003
!
interface DP4
crypto map L2VPN
crypto ipsec stream-id 1004
!
interface DP5
crypto map L2VPN
crypto ipsec stream-id 1005
!
interface DP6
crypto map L2VPN
crypto ipsec stream-id 1006
!
interface DP7
crypto map L2VPN
crypto ipsec stream-id 1007
!
interface DP8
crypto map L2VPN
crypto ipsec stream-id 1008
!
interface DP9
crypto map L2VPN
crypto ipsec stream-id 1009
!
interface DP10
crypto map L2VPN
crypto ipsec stream-id 1010
!
interface DP11
crypto map L2VPN
crypto ipsec stream-id 1011
!
interface DP12
crypto map L2VPN
crypto ipsec stream-id 1012
!
interface DP13
crypto map L2VPN
crypto ipsec stream-id 1013
!
interface DP14
crypto map L2VPN
crypto ipsec stream-id 1014
!
interface DP15
crypto map L2VPN
crypto ipsec stream-id 1015
!
interface DP16
crypto map L2VPN
crypto ipsec stream-id 1016
!
interface DP17
crypto map L2VPN
crypto ipsec stream-id 1017
!
interface DP18
crypto map L2VPN
crypto ipsec stream-id 1018
!
interface DP19
crypto map L2VPN
crypto ipsec stream-id 1019
!
interface DP20
crypto map L2VPN
crypto ipsec stream-id 1020
!
interface DP21
crypto map L2VPN
crypto ipsec stream-id 1021
!
interface DP22
crypto map L2VPN
crypto ipsec stream-id 1022
!
interface DP23
crypto map L2VPN
crypto ipsec stream-id 1023
!
interface DP24
crypto map L2VPN
crypto ipsec stream-id 1024
!
interface DP25
crypto map L2VPN
crypto ipsec stream-id 1025
!
interface DP26
crypto map L2VPN
crypto ipsec stream-id 1026
!
interface DP27
crypto map L2VPN
crypto ipsec stream-id 1027
!
interface DP28
crypto map L2VPN
crypto ipsec stream-id 1028
!
interface DP29
crypto map L2VPN
crypto ipsec stream-id 1029
!
interface DP30
crypto map L2VPN
crypto ipsec stream-id 1030
!
interface DP31
crypto map L2VPN
crypto ipsec stream-id 1031
!
interface DP32
crypto map L2VPN
crypto ipsec stream-id 1032
!
interface DP33
crypto map L2VPN
crypto ipsec stream-id 1033
!
interface DP34
crypto map L2VPN
crypto ipsec stream-id 1034
!
interface DP35
crypto map L2VPN
crypto ipsec stream-id 1035
!
! WAN side. 172.16.1.2 is the IKE/EtherIP endpoint address used in both
! ACLs and as l3_ip of PORT0 in ipsm_dpdk.cfg. This is the only interface
! carrying the L3VPN (management) map. Jumbo MTU matches the DPDK ports.
interface vEthernet0
description WAN
ip address 172.16.1.2 255.255.255.0
crypto map L3VPN
mtu 9000
!
! Second virtual interface, unaddressed; no policy bound to it.
interface vEthernet1
no ip address
mtu 9000
!
!
! Default route to the WAN gateway (same as gw_ip of PORT0 in ipsm_dpdk.cfg).
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
! Peer certificates are checked against a CRL pulled over plain HTTP from
! 172.16.101.15. A CRL is signed, so the transport is not the trust anchor,
! but the fetch path becomes an availability dependency for IKE; confirm
! what "revocation-check crl" does when the download fails and whether the
! "crl download time 60" interval is in minutes. CRLHandlingMode=ENABLE in
! the LSP is the converted form of this block.
crypto pki trustpoint s-terra_technological_trustpoint
revocation-check crl
crl download group ROOTCA http://172.16.101.15/certcrl.crl
crl download time 60
! Certificate body is elided in this listing ("...").
crypto pki certificate chain s-terra_technological_trustpoint
certificate 58E026BFD6D625BE4582C16C6189C183
...
AD4F8901771632E0A0AF83
quit
!
end
2. Конфигурация LSP:
# This is automatically generated LSP
#
# Conversion Date/Time: Mon Jun 8 19:34:10 2020
#
# NOTE(review): LSP produced by CSP Converter from the cisco-like text above.
# Hand edits here are overwritten on the next conversion; change the console
# config instead. The Title records the converting user (cscons).
# CRLHandlingMode=ENABLE mirrors "revocation-check crl"; PreserveIPsecSA=FALSE
# presumably drops existing IPsec SAs when the policy is reloaded - confirm.
GlobalParameters(
Title = "This LSP was automatically generated by CSP Converter at Mon Jun 8 19:34:10 2020 (user: cscons)"
Version = LSP_4_3
CRLHandlingMode = ENABLE
PreserveIPsecSA = FALSE
)
# Converted from "ip route 0.0.0.0 0.0.0.0 172.16.1.1".
RoutingTable(
Routes =
Route(
Destination = 0.0.0.0/0
Gateway = 172.16.1.1
)
)
# Stateful-firewall TCP state timeouts (presumably seconds) and half-open /
# session-rate low/high watermarks. None of these has a counterpart in the
# console listing, so they are converter defaults; check them against the
# expected management traffic profile before relying on them as SYN-flood
# protection.
FirewallParameters(
TCPSynSentTimeout = 30
TCPFinTimeout = 5
TCPClosedTimeout = 30
TCPSynRcvdTimeout = 30
TCPEstablishedTimeout = 3600
TCPHalfOpenLow = 400
TCPHalfOpenMax = 500
TCPSessionRateLow = 400
TCPSessionRateMax = 500
)
# "crypto isakmp policy 1": GOST cipher/hash, VKO2 group, signature auth.
# LifetimeSeconds=86400 is not set in the console text (default IKE SA life).
IKETransform crypto:isakmp:policy:1
(
CipherAlg = "G2814789CPRO1-K256-CBC-65534"
HashAlg = "GR341112_256TC26-65128"
GroupID = VKO2_1B
RestrictAuthenticationTo = GOST_SIGN
LifetimeSeconds = 86400
)
# Transform-set for the L2 tunnel. LifetimeKilobytes=4294967295 comes from the
# crypto map; with it at 2^32-1 the 3600 s time lifetime is the effective
# rekey trigger.
ESPProposal GOST_ENCRYPT_AND_INTEGRITY_MGM:ESP
(
Transform* = ESPTransform
(
CipherAlg* = "GR341215K-K352-MGM-251"
LifetimeSeconds = 3600
LifetimeKilobytes = 4294967295
)
)
# Transform-set for the management tunnel; same lifetime remarks as above.
ESPProposal GOST_ENCRYPT_AND_INTEGRITY_IMIT:ESP
(
Transform* = ESPTransform
(
CipherAlg* = "G2814789CPRO2-K288-CNTMAC-253"
LifetimeSeconds = 3600
LifetimeKilobytes = 4294967295
)
)
# "crypto isakmp fragmentation" / "security-association lifetime delta 50" /
# "initiator|responder-sessions-max 100". FragmentSize=576 is the converter's
# value; the console line carries no size.
IKEParameters(
FragmentSize = 576
SALifetimeDelta = 50
InitiatorSessionsMax = 100
ResponderSessionsMax = 100
)
# "crypto isakmp identity dn": local IKE identity is the DN taken from the
# device certificate (USER_SPECIFIC_DATA). Certificate request and
# certificate are always sent.
AuthMethodGOSTSign GOST:Sign
(
LocalID = IdentityEntry( DistinguishedName* = USER_SPECIFIC_DATA )
SendRequestMode = ALWAYS
SendCertMode = ALWAYS
)
# One IKE rule for both crypto maps because they share the peer 172.16.100.2.
# DPDIdleDuration/DPDRetries come from "crypto isakmp keepalive 3" /
# "retry-count 5"; DPDResponseDuration=2 has no console counterpart
# (presumably a default).
IKERule IKERule:L2VPN:1$L3VPN:1
(
IKEPeerIPFilter = 172.16.100.2
Transform = crypto:isakmp:policy:1
AggrModeAuthMethod = GOST:Sign
MainModeAuthMethod = GOST:Sign
DPDIdleDuration = 3
DPDResponseDuration = 2
DPDRetries = 5
Priority = 10
)
# "crypto map L2VPN 1": tunnel to the hub, DF bit copied (crypto ipsec df-bit
# copy), reassembly enabled, dead-connection history off.
IPsecAction IPsecAction:L2VPN:1
(
TunnelingParameters = TunnelEntry(
PeerAddress = 172.16.100.2
DFHandling=COPY
Assemble=TRUE
)
ContainedProposals = ( GOST_ENCRYPT_AND_INTEGRITY_MGM:ESP )
NoDeadConnectionHistory = TRUE
IKERule = IKERule:L2VPN:1$L3VPN:1
)
# "crypto map L3VPN 1": same tunnel parameters, IMIT proposal.
IPsecAction IPsecAction:L3VPN:1
(
TunnelingParameters = TunnelEntry(
PeerAddress = 172.16.100.2
DFHandling=COPY
Assemble=TRUE
)
ContainedProposals = ( GOST_ENCRYPT_AND_INTEGRITY_IMIT:ESP )
NoDeadConnectionHistory = TRUE
IKERule = IKERule:L2VPN:1$L3VPN:1
)
# Shared body of the per-stream L2 policy (included below via
# "+IPsecPolicy:L2VPN"). Filter 1 lets locally sourced UDP 500/4500 (IKE and
# NAT-T) through in the clear; filter 2 is "permit 97 host 172.16.1.2 host
# 172.16.100.2" with the IPsec action attached. Only PASS filters are listed,
# so what happens to traffic matching neither depends on the chain's implicit
# default, which this file does not show - verify it is a drop.
const IPsecPolicy:L2VPN = FilterChain (
Filters = Filter (
ProtocolID = 17
SourcePort = 500, 4500
Action = PASS
PacketType = LOCAL_UNICAST, LOCAL_MISDIRECTED
),
Filter (
SourceIP = 172.16.1.2
DestinationIP = 172.16.100.2
ProtocolID = 97
Action = PASS
ExtendedAction = ipsec< sa = IPsecAction:L2VPN:1 >
LogEventID = "IPsec:Protect:L2VPN:1:IPSEC_ACl_HUB1_AND_SPOKE1"
)
)
# One chain per "crypto ipsec stream-id" (1000..1035); each just includes the
# shared policy and tags it with its StreamID.
FilterChain IPsecPolicy:L2VPN:1000 (
+IPsecPolicy:L2VPN
StreamID = 1000
)
FilterChain IPsecPolicy:L2VPN:1001 (
+IPsecPolicy:L2VPN
StreamID = 1001
)
FilterChain IPsecPolicy:L2VPN:1002 (
+IPsecPolicy:L2VPN
StreamID = 1002
)
FilterChain IPsecPolicy:L2VPN:1003 (
+IPsecPolicy:L2VPN
StreamID = 1003
)
FilterChain IPsecPolicy:L2VPN:1004 (
+IPsecPolicy:L2VPN
StreamID = 1004
)
FilterChain IPsecPolicy:L2VPN:1005 (
+IPsecPolicy:L2VPN
StreamID = 1005
)
FilterChain IPsecPolicy:L2VPN:1006 (
+IPsecPolicy:L2VPN
StreamID = 1006
)
FilterChain IPsecPolicy:L2VPN:1007 (
+IPsecPolicy:L2VPN
StreamID = 1007
)
FilterChain IPsecPolicy:L2VPN:1008 (
+IPsecPolicy:L2VPN
StreamID = 1008
)
FilterChain IPsecPolicy:L2VPN:1009 (
+IPsecPolicy:L2VPN
StreamID = 1009
)
FilterChain IPsecPolicy:L2VPN:1010 (
+IPsecPolicy:L2VPN
StreamID = 1010
)
FilterChain IPsecPolicy:L2VPN:1011 (
+IPsecPolicy:L2VPN
StreamID = 1011
)
FilterChain IPsecPolicy:L2VPN:1012 (
+IPsecPolicy:L2VPN
StreamID = 1012
)
FilterChain IPsecPolicy:L2VPN:1013 (
+IPsecPolicy:L2VPN
StreamID = 1013
)
FilterChain IPsecPolicy:L2VPN:1014 (
+IPsecPolicy:L2VPN
StreamID = 1014
)
FilterChain IPsecPolicy:L2VPN:1015 (
+IPsecPolicy:L2VPN
StreamID = 1015
)
FilterChain IPsecPolicy:L2VPN:1016 (
+IPsecPolicy:L2VPN
StreamID = 1016
)
FilterChain IPsecPolicy:L2VPN:1017 (
+IPsecPolicy:L2VPN
StreamID = 1017
)
FilterChain IPsecPolicy:L2VPN:1018 (
+IPsecPolicy:L2VPN
StreamID = 1018
)
FilterChain IPsecPolicy:L2VPN:1019 (
+IPsecPolicy:L2VPN
StreamID = 1019
)
FilterChain IPsecPolicy:L2VPN:1020 (
+IPsecPolicy:L2VPN
StreamID = 1020
)
FilterChain IPsecPolicy:L2VPN:1021 (
+IPsecPolicy:L2VPN
StreamID = 1021
)
FilterChain IPsecPolicy:L2VPN:1022 (
+IPsecPolicy:L2VPN
StreamID = 1022
)
FilterChain IPsecPolicy:L2VPN:1023 (
+IPsecPolicy:L2VPN
StreamID = 1023
)
FilterChain IPsecPolicy:L2VPN:1024 (
+IPsecPolicy:L2VPN
StreamID = 1024
)
FilterChain IPsecPolicy:L2VPN:1025 (
+IPsecPolicy:L2VPN
StreamID = 1025
)
FilterChain IPsecPolicy:L2VPN:1026 (
+IPsecPolicy:L2VPN
StreamID = 1026
)
FilterChain IPsecPolicy:L2VPN:1027 (
+IPsecPolicy:L2VPN
StreamID = 1027
)
FilterChain IPsecPolicy:L2VPN:1028 (
+IPsecPolicy:L2VPN
StreamID = 1028
)
FilterChain IPsecPolicy:L2VPN:1029 (
+IPsecPolicy:L2VPN
StreamID = 1029
)
FilterChain IPsecPolicy:L2VPN:1030 (
+IPsecPolicy:L2VPN
StreamID = 1030
)
FilterChain IPsecPolicy:L2VPN:1031 (
+IPsecPolicy:L2VPN
StreamID = 1031
)
FilterChain IPsecPolicy:L2VPN:1032 (
+IPsecPolicy:L2VPN
StreamID = 1032
)
FilterChain IPsecPolicy:L2VPN:1033 (
+IPsecPolicy:L2VPN
StreamID = 1033
)
FilterChain IPsecPolicy:L2VPN:1034 (
+IPsecPolicy:L2VPN
StreamID = 1034
)
FilterChain IPsecPolicy:L2VPN:1035 (
+IPsecPolicy:L2VPN
StreamID = 1035
)
# Management policy bound to vEthernet0 (the WAN address lives there, so this
# is also where the IKE/NAT-T pass-through filter matters). Filter 2 is the
# "permit ip 192.168.254.0/24 192.168.253.0/24" ACL with the L3VPN action.
# Same remark as above about the implicit default for unmatched traffic.
FilterChain IPsecPolicy:L3VPN (
Filters = Filter (
ProtocolID = 17
SourcePort = 500, 4500
Action = PASS
PacketType = LOCAL_UNICAST, LOCAL_MISDIRECTED
),
Filter (
SourceIP = 192.168.254.0/24
DestinationIP = 192.168.253.0/24
Action = PASS
ExtendedAction = ipsec< sa = IPsecAction:L3VPN:1 >
LogEventID = "IPsec:Protect:L3VPN:1:IPSEC_ACl_HUB1_AND_SPOKE1_MGMT"
)
)
# Interface -> policy bindings: DP<N> gets the chain for stream 1000+N,
# vEthernet0 gets the management chain. vEthernet1 has no binding (it has no
# crypto map in the console config either).
NetworkInterface (
LogicalName = "DP0"
IPsecPolicy = IPsecPolicy:L2VPN:1000
)
NetworkInterface (
LogicalName = "DP1"
IPsecPolicy = IPsecPolicy:L2VPN:1001
)
NetworkInterface (
LogicalName = "DP2"
IPsecPolicy = IPsecPolicy:L2VPN:1002
)
NetworkInterface (
LogicalName = "DP3"
IPsecPolicy = IPsecPolicy:L2VPN:1003
)
NetworkInterface (
LogicalName = "DP4"
IPsecPolicy = IPsecPolicy:L2VPN:1004
)
NetworkInterface (
LogicalName = "DP5"
IPsecPolicy = IPsecPolicy:L2VPN:1005
)
NetworkInterface (
LogicalName = "DP6"
IPsecPolicy = IPsecPolicy:L2VPN:1006
)
NetworkInterface (
LogicalName = "DP7"
IPsecPolicy = IPsecPolicy:L2VPN:1007
)
NetworkInterface (
LogicalName = "DP8"
IPsecPolicy = IPsecPolicy:L2VPN:1008
)
NetworkInterface (
LogicalName = "DP9"
IPsecPolicy = IPsecPolicy:L2VPN:1009
)
NetworkInterface (
LogicalName = "DP10"
IPsecPolicy = IPsecPolicy:L2VPN:1010
)
NetworkInterface (
LogicalName = "DP11"
IPsecPolicy = IPsecPolicy:L2VPN:1011
)
NetworkInterface (
LogicalName = "DP12"
IPsecPolicy = IPsecPolicy:L2VPN:1012
)
NetworkInterface (
LogicalName = "DP13"
IPsecPolicy = IPsecPolicy:L2VPN:1013
)
NetworkInterface (
LogicalName = "DP14"
IPsecPolicy = IPsecPolicy:L2VPN:1014
)
NetworkInterface (
LogicalName = "DP15"
IPsecPolicy = IPsecPolicy:L2VPN:1015
)
NetworkInterface (
LogicalName = "DP16"
IPsecPolicy = IPsecPolicy:L2VPN:1016
)
NetworkInterface (
LogicalName = "DP17"
IPsecPolicy = IPsecPolicy:L2VPN:1017
)
NetworkInterface (
LogicalName = "DP18"
IPsecPolicy = IPsecPolicy:L2VPN:1018
)
NetworkInterface (
LogicalName = "DP19"
IPsecPolicy = IPsecPolicy:L2VPN:1019
)
NetworkInterface (
LogicalName = "DP20"
IPsecPolicy = IPsecPolicy:L2VPN:1020
)
NetworkInterface (
LogicalName = "DP21"
IPsecPolicy = IPsecPolicy:L2VPN:1021
)
NetworkInterface (
LogicalName = "DP22"
IPsecPolicy = IPsecPolicy:L2VPN:1022
)
NetworkInterface (
LogicalName = "DP23"
IPsecPolicy = IPsecPolicy:L2VPN:1023
)
NetworkInterface (
LogicalName = "DP24"
IPsecPolicy = IPsecPolicy:L2VPN:1024
)
NetworkInterface (
LogicalName = "DP25"
IPsecPolicy = IPsecPolicy:L2VPN:1025
)
NetworkInterface (
LogicalName = "DP26"
IPsecPolicy = IPsecPolicy:L2VPN:1026
)
NetworkInterface (
LogicalName = "DP27"
IPsecPolicy = IPsecPolicy:L2VPN:1027
)
NetworkInterface (
LogicalName = "DP28"
IPsecPolicy = IPsecPolicy:L2VPN:1028
)
NetworkInterface (
LogicalName = "DP29"
IPsecPolicy = IPsecPolicy:L2VPN:1029
)
NetworkInterface (
LogicalName = "DP30"
IPsecPolicy = IPsecPolicy:L2VPN:1030
)
NetworkInterface (
LogicalName = "DP31"
IPsecPolicy = IPsecPolicy:L2VPN:1031
)
NetworkInterface (
LogicalName = "DP32"
IPsecPolicy = IPsecPolicy:L2VPN:1032
)
NetworkInterface (
LogicalName = "DP33"
IPsecPolicy = IPsecPolicy:L2VPN:1033
)
NetworkInterface (
LogicalName = "DP34"
IPsecPolicy = IPsecPolicy:L2VPN:1034
)
NetworkInterface (
LogicalName = "DP35"
IPsecPolicy = IPsecPolicy:L2VPN:1035
)
NetworkInterface (
LogicalName = "vEthernet0"
IPsecPolicy = IPsecPolicy:L3VPN
)
3. Конфигурация сетевых интерфейсов ОС.
3.1. Файл /etc/network/interfaces:
############################################################
# CAUTION: lines under special marker: ###netifcfg-*###
# contains autogenerated information. You can add/modify
# lines outside of those markers
############################################################
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
# loopback configuration
auto lo
iface lo inet loopback
# Mgmt interface.
# NOTE(review): 192.168.254.1/24 lies inside the 192.168.254.0/24 source
# range of the IPSEC_ACl_HUB1_AND_SPOKE1_MGMT ACL, so management traffic
# from this host toward 192.168.253.0/24 is what the L3VPN map protects.
# No gateway is configured here; reachability to the remote side presumably
# relies on the gateway's own default route (0.0.0.0/0 via 172.16.1.1).
auto eth2
iface eth2 inet static
address 192.168.254.1
netmask 255.255.255.0
# Autogenerated region (currently empty) - do not edit between the markers.
###netifcfg-begin###
###netifcfg-end###
4. Конфигурация L2 (data plane).
4.1. Файл (закомментированные параметры не приведены) /opt/VPNagent/etc/ipsm_dpdk.cfg:
# NOTE(review): DPDK data-plane settings. Only the active (uncommented)
# parameters are reproduced in this listing.
[PERFORMANCE]
# 36 worker threads - the same count as the DP0..DP35 interfaces / stream-ids
# 1000..1035 in the console config; presumably one stream per thread.
threads = 36
no_max_freq = yes
[EAL]
# Core affinity mask for the EAL; confirm it matches the host's core layout.
coremask = 0xfffffffffff
[MISC]
# Packet statistics and the RTE log are written under /tmp, which is
# normally world-readable and cleared on reboot; consider a dedicated log
# directory if these outputs must persist or stay private.
print_stats = yes
stats_file = /tmp/pkt_stats.txt
rte_log_file = /tmp/rte_log.txt
# Outer (WAN-facing) port: its address/mask/gateway mirror vEthernet0 and
# the default route in the console config. dp_frag_ip is the IPsec peer;
# dp_frag_natt=yes presumably enables NAT-T-aware fragmentation toward it.
[PORT0]
pci_id = 03:00.0
outer = yes
l3_ip = 172.16.1.2
l3_mask = 24
gw_ip = 172.16.1.1
pair_port = 1
mtu = 9000
dp_frag_ip = 172.16.100.2
dp_frag_natt = yes
# Inner (L2) port paired with PORT0; l2_src_ip/l2_dst_ip are the EtherIP
# tunnel endpoints from the IPSEC_ACl_HUB1_AND_SPOKE1 ACL. pmtud/mssfix are
# below the 9000 MTU to leave room for the tunnel overhead - presumably
# path-MTU discovery value and TCP MSS clamp; confirm units and semantics.
[PORT1]
pci_id = 0b:00.0
l2_src_ip = 172.16.1.2
l2_dst_ip = 172.16.100.2
pair_port = 0
mtu = 9000
pmtud = 8900
mssfix = 8860