IPsec without a gif tunnel
Petr Rehor
prehor at gmail.com
Wed Apr 20 22:15:29 CEST 2005
The discussion about IPsec using a gif tunnel caught my attention, and I am
not sure whether I am missing something. I would like to know what advantage
it has over packing the packets directly into an ESP tunnel:
Side A:
- A.A.A.A/24 - internal network
- X.X.X.X - public IP address
Side B:
- B.B.B.B/24 - internal network
- Y.Y.Y.Y - public IP address
Side A: /etc/ipsec.conf
spdadd A.A.A.A/24 B.B.B.B/24 any -P out ipsec
esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
spdadd B.B.B.B/24 A.A.A.A/24 any -P in ipsec
esp/tunnel/Y.Y.Y.Y-X.X.X.X/require;
Side B: /etc/ipsec.conf (only in and out swapped)
spdadd A.A.A.A/24 B.B.B.B/24 any -P in ipsec
esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
spdadd B.B.B.B/24 A.A.A.A/24 any -P out ipsec
esp/tunnel/Y.Y.Y.Y-X.X.X.X/require;
On both sides racoon with the sections
- remote <remote public IP>
- sainfo address <my internal network> any address <remote internal network> any
and the keys configured in psk.txt.
Both routers have only a default route to the Internet; no special
contortions were needed in the IPFW rules for this traffic: ESP packets with
public IP addresses arrive on the external interface and, once unwrapped,
leave through the internal interface with internal IP addresses.
P.
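To make the selector logic of the two spdadd lines above concrete, here is an added example (not part of the original message or of setkey/racoon) that parses side A's policies, derives side B's by swapping in and out, and looks up which policy an inner packet hits. The addresses are RFC 5737 documentation prefixes standing in for A.A.A.A/24, B.B.B.B/24, X.X.X.X and Y.Y.Y.Y; the "first match" lookup is a simplification of the kernel's SPD search. It also shows the check a practitioner would want: traffic sourced from the router's own public address toward the remote LAN is not covered by the /24 selectors and therefore matches no policy.

```python
"""Model of the tunnel-mode SPD from the post.

Added example, not code from the original message. Addresses are RFC 5737
documentation prefixes chosen here as stand-ins (an assumption).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholders for the post's A.A.A.A/24, B.B.B.B/24, X.X.X.X, Y.Y.Y.Y.
NET_A = "192.0.2.0/24"      # A.A.A.A/24, internal network behind side A
NET_B = "198.51.100.0/24"   # B.B.B.B/24, internal network behind side B
GW_A = "203.0.113.1"        # X.X.X.X, public address of side A
GW_B = "203.0.113.2"        # Y.Y.Y.Y, public address of side B

# Side A's /etc/ipsec.conf exactly as in the post, with placeholders filled in.
SIDE_A_CONF = f"""
spdadd {NET_A} {NET_B} any -P out ipsec
    esp/tunnel/{GW_A}-{GW_B}/require;
spdadd {NET_B} {NET_A} any -P in ipsec
    esp/tunnel/{GW_B}-{GW_A}/require;
"""


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network   # inner (selector) source prefix
    dst: ipaddress.IPv4Network   # inner (selector) destination prefix
    direction: str               # "in" or "out"
    tunnel_src: str              # outer (public) source address
    tunnel_dst: str              # outer (public) destination address
    level: str                   # "require", "use", ...


def parse_spd(conf: str) -> List[Policy]:
    """Parse setkey(8) 'spdadd' statements of the shape used in the post.
    Statements end at ';' and may span several lines."""
    policies = []
    for stmt in conf.replace("\n", " ").split(";"):
        tok = stmt.split()
        if not tok or tok[0] != "spdadd":
            continue
        # spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/OUTER_SRC-OUTER_DST/LEVEL
        src, dst, direction, spec = tok[1], tok[2], tok[5], tok[7]
        proto, mode, endpoints, level = spec.split("/")
        if proto != "esp" or mode != "tunnel":
            raise ValueError(f"unsupported policy in this model: {spec}")
        t_src, t_dst = endpoints.split("-")
        policies.append(Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                               direction, t_src, t_dst, level))
    return policies


def mirror(policies: List[Policy]) -> List[Policy]:
    """Side B's SPD is side A's with 'in' and 'out' swapped, as the post states."""
    swap = {"in": "out", "out": "in"}
    return [Policy(p.src, p.dst, swap[p.direction], p.tunnel_src, p.tunnel_dst, p.level)
            for p in policies]


def lookup(policies: List[Policy], src_ip: str, dst_ip: str,
           direction: str) -> Optional[Policy]:
    """First policy whose selectors cover the inner packet, or None.
    None means no IPsec policy applies and the packet is forwarded in the clear."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None


def describe(policies: List[Policy], src_ip: str, dst_ip: str, direction: str) -> str:
    p = lookup(policies, src_ip, dst_ip, direction)
    if p is None:
        return "no policy: forwarded in the clear"
    return f"ESP tunnel {p.tunnel_src} -> {p.tunnel_dst} ({p.level})"


if __name__ == "__main__":
    spd_a = parse_spd(SIDE_A_CONF)
    spd_b = mirror(spd_a)
    # Host in A's LAN talking to a host in B's LAN, seen by both routers.
    print("A LAN -> B LAN on side A:", describe(spd_a, "192.0.2.10", "198.51.100.20", "out"))
    print("A LAN -> B LAN on side B:", describe(spd_b, "192.0.2.10", "198.51.100.20", "in"))
    # The router's own public address is not inside A.A.A.A/24, so no policy matches.
    print("gateway A -> B LAN       :", describe(spd_a, GW_A, "198.51.100.20", "out"))
```

The last line of output is the caveat worth keeping in mind with this setup: only traffic whose inner addresses fall inside the two /24 selectors is protected, so anything the router itself originates from X.X.X.X toward B.B.B.B/24 would need its own spdadd line (or a separate route/source-address choice) to be tunnelled.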