IPsec VPN data transmission process
The following shows how a packet (an ICMP packet, for example) travels through an IPsec VPN tunnel when a PC in the subnet protected by the left VPN sends data to a PC in the subnet protected by the right VPN. The data sent by the left PC is received on the left VPN's inner port eth1. When the VPN finds that the data must go through the tunnel, it hands the packet to the left ipsec0 port for encryption (tunnel mode, ESP or AH). After encryption, the packet is sent out of the left outer port eth0 to the outer port eth0 of the right VPN. The right eth0 outer port receives the data, which is decrypted by the right ipsec0 port and then forwarded out of the right eth1 port, or delivered to the local machine.
                  encryption ========================>
host: eth1 === ipsec0 <=> eth0 =============== eth0 <=> ipsec0 === eth1 :host
                                 <======================== decryption
eth0 is the outer port (negotiation port) and eth1 is the inner port.
Now that the IPsec VPN tunnel has been established, we can capture packets and analyse them. In tunnel mode the original source and destination IP addresses are encrypted inside ESP, so we cannot see where a specific IP address actually goes; in transport mode the source and destination IP addresses are not encrypted. A transport-mode tunnel is therefore used as the example.
Environment topology:
PC1 ----------- VPN1 ===================== VPN2 ----------- PC2
184.0.0.2   184.0.0.1 (eth1) / 192.168.95.164 (eth0)   192.168.95.195 (eth0) / 185.0.0.1 (eth1)   185.0.0.2
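To make concrete why transport mode keeps the end-host addresses visible on the wire while tunnel mode hides them, here is an added example (not code from the original page or from the VPN product it describes) that builds the PC1 -> PC2 ping from the topology above and wraps it in ESP both ways. To stay standard-library only it uses the ESP-NULL cipher (RFC 2410) with an HMAC-SHA256-128 ICV, so the payload is authenticated but not encrypted; the framing (SPI, sequence number, padding, trailer, next header) is the RFC 4303 layout either way. The authentication key is a placeholder; the SPI and sequence number are the values from the page's capture.

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_ESP = 1, 4, 50
ICV_LEN = 16  # HMAC-SHA256 truncated to 128 bits (HMAC-SHA-256-128)


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum, used for both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", checksum(fields)) + fields[12:]


def icmp_echo_request(ident: int, seq: int, data: bytes = b"\x00" * 32) -> bytes:
    """ICMP echo request: 8-byte header + 32 bytes of data = 40 bytes, as in the capture."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return hdr[:2] + struct.pack("!H", checksum(hdr)) + hdr[4:]


def esp_encapsulate(inner: bytes, next_header: int, spi: int, seq: int, key: bytes) -> bytes:
    """ESP-NULL framing (RFC 4303 section 2): SPI | seq | payload | padding |
    pad length | next header | ICV. Padding aligns payload + 2 trailer bytes
    to 4 octets; with the NULL cipher the payload is authenticated, not encrypted."""
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default pad pattern 1,2,3,...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_verify(esp: bytes, key: bytes) -> bool:
    """Check the ICV; a receiver drops the packet when this fails, before decrypting."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def protect(plain: bytes, mode: str, gw_src: str, gw_dst: str,
            spi: int, seq: int, key: bytes) -> bytes:
    """Return the packet as it leaves the gateway's outer port (eth0) after ESP."""
    if mode == "transport":
        # The original IP header is kept: ESP protects only the upper-layer
        # payload, so the end-host addresses stay visible on the wire.
        src = str(ipaddress.IPv4Address(plain[12:16]))
        dst = str(ipaddress.IPv4Address(plain[16:20]))
        esp = esp_encapsulate(plain[20:], plain[9], spi, seq, key)
        return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp
    if mode == "tunnel":
        # The whole original packet becomes the ESP payload (next header =
        # IP-in-IP); a new outer header carries only the two gateway addresses.
        esp = esp_encapsulate(plain, IPPROTO_IPIP, spi, seq, key)
        return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp
    raise ValueError(f"unknown mode {mode!r}")


def wire_view(pkt: bytes) -> dict:
    """What a sniffer on eth0 can read without the key: outer addresses,
    protocol, SPI, sequence number and ESP length (tcpdump's summary line)."""
    spi, seq = struct.unpack("!II", pkt[20:28])
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "spi": spi, "seq": seq, "esp_len": len(pkt) - 20}


def demo(key: bytes = b"placeholder-auth-key", spi: int = 0x30F18C51, seq: int = 0xC38) -> dict:
    """PC1 -> PC2 ping from the topology above, protected in both modes."""
    plain = ipv4_header("184.0.0.2", "185.0.0.2", IPPROTO_ICMP, 40) + icmp_echo_request(512, 12039)
    gw_left, gw_right = "192.168.95.164", "192.168.95.195"
    return {mode: wire_view(protect(plain, mode, gw_left, gw_right, spi, seq, key))
            for mode in ("transport", "tunnel")}


if __name__ == "__main__":
    for mode, view in demo().items():
        print(mode, view)
```

In transport mode the outer header still reads 184.0.0.2 > 185.0.0.2, which is what the capture below shows; in tunnel mode it would read 192.168.95.164 > 192.168.95.195 and the host addresses would sit inside the ESP payload. The ESP length differs from the page's "length 76" only because of the cipher suite: 8 bytes of SPI/seq plus a 40-byte ICMP payload padded and trailed to 48 bytes for an 8-byte block cipher, an 8-byte IV and a 12-byte ICV add up to 76, which is the arithmetic of a CBC cipher with an 8-byte block such as 3DES with a 96-bit ICV (an inference from the numbers, not something the page states).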
An ICMP ping packet is sent from PC1 to PC2. The tcpdump capture is shown below; explanatory notes have been added in parentheses to make it easier to follow.
/Tos/bin/ipsec-cmds # tcpdump -ni any host 184.0.0.2
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
11:26:39.649389 R @ eth1 IP 184.0.0.2 > 185.0.0.2: ICMP echo request, id 512, seq 12039, length 40
(the left VPN's inner port eth1 receives the plaintext ICMP packet from PC1)
11:26:39.649411 X @ ipsec0 IP 184.0.0.2 > 185.0.0.2: ICMP echo request, id 512, seq 12039, length 40
(after the route lookup, the packet is encrypted by ipsec0)
11:26:39.649485 X @ eth0 IP 184.0.0.2 > 185.0.0.2: ESP(spi=0x30f18c51,seq=0xc38), length 76
(the encrypted ESP packet is sent out of the outer port eth0)
11:26:39.656606 R @ eth0 IP 185.0.0.2 > 184.0.0.2: ESP(spi=0xa6e0f4f2,seq=0xb36), length 76
(the right VPN's outer port eth0 receives the ESP-encrypted packet)
11:26:39.656606 R @ ipsec0 IP 185.0.0.2 > 184.0.0.2: ICMP echo reply, id 512, seq 12039, length 40
(decrypted by the right ipsec0)
11:26:39.656672 X @ eth1 IP 185.0.0.2 > 184.0.0.2: ICMP echo reply, id 512, seq 12039, length 40
(the decrypted plaintext is sent out of the inner port eth1 to PC2; at this point an ICMP packet has been transmitted completely in one direction)
11:26:40.649357 R @ eth1 IP 184.0.0.2 > 185.0.0.2: ICMP echo request, id 512, seq 12295, length 40
(PC2's ICMP response to PC1 follows a process similar to the one analysed above)
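The capture above is the healthy pattern: plaintext ICMP only on eth1 and ipsec0, ESP only on eth0, and ESP sequence numbers climbing per SPI. The added example below (not part of the original page) turns that into an automated check over tcpdump text in the same "R @ iface" / "X @ iface" format, which is assumed to be the format of the page's tcpdump build. It flags any non-IPsec IP packet on the outer port (a selector or policy gap that lets traffic bypass the tunnel) and any ESP packet whose sequence number does not increase for its SPI, the condition a receiver's anti-replay window rejects. The sample lines are constructed: the first seven follow the page's exchange, the last two are added anomalies.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the capture above, from one gateway's
# "any" interface. Lines 8 and 9 are deliberate anomalies: a cleartext ICMP
# packet leaving the outer port, and an ESP packet repeating sequence 0xb36.
SAMPLE = """\
11:26:39.649389 R @ eth1 IP 184.0.0.2 > 185.0.0.2: ICMP echo request, id 512, seq 12039, length 40
11:26:39.649411 X @ ipsec0 IP 184.0.0.2 > 185.0.0.2: ICMP echo request, id 512, seq 12039, length 40
11:26:39.649485 X @ eth0 IP 184.0.0.2 > 185.0.0.2: ESP(spi=0x30f18c51,seq=0xc38), length 76
11:26:39.656606 R @ eth0 IP 185.0.0.2 > 184.0.0.2: ESP(spi=0xa6e0f4f2,seq=0xb36), length 76
11:26:39.656606 R @ ipsec0 IP 185.0.0.2 > 184.0.0.2: ICMP echo reply, id 512, seq 12039, length 40
11:26:39.656672 X @ eth1 IP 185.0.0.2 > 184.0.0.2: ICMP echo reply, id 512, seq 12039, length 40
11:26:40.649357 R @ eth1 IP 184.0.0.2 > 185.0.0.2: ICMP echo request, id 512, seq 12295, length 40
11:26:40.649390 X @ eth0 IP 184.0.0.2 > 185.0.0.2: ICMP echo request, id 512, seq 12295, length 40
11:26:40.656000 R @ eth0 IP 185.0.0.2 > 184.0.0.2: ESP(spi=0xa6e0f4f2,seq=0xb36), length 76
"""

# Timestamp, direction (R = received, X = transmitted), interface, IPv4 src/dst, summary.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>[RX])\s*@\s*(?P<iface>\S+)\s+IP\s+"
    r"(?P<src>[\d.]+)\s*>\s*(?P<dst>[\d.]+):\s*(?P<summary>.*)$")
ESP_RE = re.compile(r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),\s*seq=0x(?P<seq>[0-9a-fA-F]+)\)")


def parse_line(line: str):
    """Return a dict for one capture line, or None for banner/noise lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    esp = ESP_RE.search(rec["summary"])
    rec["proto"] = "ESP" if esp else rec["summary"].split()[0]
    rec["spi"] = int(esp["spi"], 16) if esp else None
    rec["seq"] = int(esp["seq"], 16) if esp else None
    return rec


def audit(capture: str, outer_ifaces=("eth0",), allowed_outer=("ESP", "AH", "isakmp")) -> list:
    """Flag cleartext on the outer port and ESP sequence numbers that fail to
    increase per (interface, direction, SPI). tcpdump labels IKE on UDP/500 as
    'isakmp', which legitimately lives on the outer port; NAT-T on UDP/4500
    would need adding to allowed_outer if it is in use."""
    findings = []
    last_seq = {}
    for n, line in enumerate(capture.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["iface"] in outer_ifaces and rec["proto"] not in allowed_outer:
            findings.append({"line": n, "kind": "cleartext_on_outer", "iface": rec["iface"],
                             "proto": rec["proto"], "flow": f'{rec["src"]}>{rec["dst"]}'})
        if rec["proto"] == "ESP":
            key = (rec["iface"], rec["dir"], rec["spi"])
            prev = last_seq.get(key)
            if prev is not None and rec["seq"] <= prev:
                findings.append({"line": n, "kind": "esp_seq_not_increasing",
                                 "spi": rec["spi"], "seq": rec["seq"], "prev": prev})
            else:
                last_seq[key] = rec["seq"]
    return findings


def flow_summary(capture: str) -> dict:
    """Per-interface protocol counts; plaintext should appear only on eth1 and ipsec0."""
    counts = defaultdict(Counter)
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec["iface"]][rec["proto"]] += 1
    return {iface: dict(c) for iface, c in counts.items()}


if __name__ == "__main__":
    print(flow_summary(SAMPLE))
    for f in audit(SAMPLE):
        print(f)
```

Run it over a real capture with `tcpdump -ni any host 184.0.0.2 > cap.txt` and `audit(open("cap.txt").read())`; on a correctly working gateway the findings list is empty and the summary shows no ICMP (or other plaintext protocol) under eth0.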