IPsec VPN data transmission process

IPsec VPN data transmission process

The following is a packet transmission process (such as ICMP packet) through the IPsecVPN tunnel. When the PC in the subnet is protected by the VPN on the left, if the data sent from the left PC is received by the Left VPN eth1 port and needs to pass through the tunnel, the data is sent to the left ipsec0 port for encryption (tunnel, ESP or AH ), after the password is added, the left eth0 outer port is sent to the eth0 outer port of the right VPN, and the right eth0 outer port receives the data to be decrypted, after the password is decrypted by the ipsec0 port, it is forwarded to the right eth1 port or received by the local machine.
Www.2cto.com
Encryption ====================================

Host: eth1 === ipsec0 <=> eth0 =============== eth0 <====> ipsec0 === eth1: host

Decrypt the ciphertext
Eth0 indicates the external port (negotiation port) and eth1 indicates the internal port.
Next, we can perform packet capture analysis after an Ipsec VPN tunnel has been established. Because the tunnel mode has encrypted the original source IP address and destination IP address, we cannot see the actual trend of the specific IP address ESP, the source and destination IP addresses in the transmission mode are not encrypted. Therefore, the transmission mode tunnel is used as an example.
Environment topology:
PC1 VPN1 =========== VPN2 PC2
184.0.0.2 184.0.0.1 (eth1)/192.168.95.164 (eth0) 192.168.95.195 (eth0)/185.0.0.1 (eth1) 185.0.0.2
 
The ICMP ping packet is sent from PC1 to PC2. The tcpdump packet capture on VPN1 is as follows.
/Tos/bin/ipsec-cmds # tcpdump-ni any host 184.0.0.2
Tcpdump: WARNING: Promiscuous mode not supported on the "any" device
Tcpdump: verbose output suppressed, use-v or-vv for full protocol decode
Listeningon any, link-type LINUX_SLL (Linux cooked), capture size 68 bytes
11:26:39. 649389R @ eth1 IP 184.0.0.2> 185.0.0.2: ICMP echo request, id 512, seq 12039, length 40 (eth1 in the left VPN port receives PC1 ICMP plaintext packet)
11:26:39. 649411X @ ipsec0 IP 184.0.0.2> 185.0.0.2: ICMP echorequest, id 512, seq 12039, length 40)
11:26:39. 649485X @ eth0 IP 184.0.0.2> 185.0.0.2: ESP (spi = 0x30f18c51, seq = 0xc38), length 76
(The ESP package after encryption is sent by the external port eth0)
11:26:39. 656606R @ eth0 IP 185.0.0.2> 184.0.0.2: ESP (spi = 0xa6e0f4f2, seq = 0xb36), length 76
(Eth0 on the right vpn port receives the ESP encryption package)
11:26:39. 656606R @ ipsec0 IP 185.0.0.2> 184.0.0.2: ICMP echo reply, id 512, seq 12039, length 40 (decrypted by right ipsec0)
11:26:39. 656672X @ eth1 IP 185.0.0.2> 184.0.0.2: ICMP echo reply, id512, seq 12039, length 40
(The decrypted plaintext is sent to the Inner Port eth0 to PC2. At this time, the ICMP packet in one direction is transmitted completely)
11:26:40. 649357R @ eth1 IP 184.0.0.2> 185.0.0.2: ICMP echo request, id 512, seq 12295, length 40 (PC2 responds to ICMP to PC1, which is similar to the above analysis process .)


Source http://blog.csdn.net/rosetta