IPSec
stobbi
stobbi at netmont.sk
Thu Mar 22 16:14:29 CET 2007
Zdravim,
mam nakonfigurovany funkcny IPSec tunel (lan-lan) Cisco router <-> FreeBSD
5.5p2. Problem nastal, ked bolo nutne na strane FreeBSD pridat dalsie dve
logicke IP siete (IP aliasing; 192.168.1.0/24, 192.168.2.0/24) a tie tiez
tunelovat. Po nakonfigurovani sa mi to sprava tak, ze tunel, ktory sa nahodi
ako prvy zafunguje, ostatne sa uz nenahodia, tzn. kto prvy pride, prvy melie
:)
CISCO je zrejme nakonfigurovane spravne, takze chyba je na mojej strane,
nakopnite spravnym smerom. Dik. Pali
###############################
FreeBSD:
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::211:85ff:fec2:f80c%bge1 prefixlen 64 scopeid 0x2
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
ether 00:11:85:c2:f8:0c
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
cat /etc/ipsec.conf
# Security-policy database (setkey syntax). One "out"/"in" pair per local
# subnet, all using the same ESP tunnel endpoints <FreeBSD> <-> <CISCO>
# (the angle-bracket names are the poster's placeholders for the public
# addresses). "require" means a matching packet is only passed once an SA
# for that selector exists; until racoon negotiates one, it is dropped.
#
# Pair 1: 192.168.0.0/24 <-> 172.16.0.0/24 (the original, working tunnel).
spdadd 192.168.0.0/24 172.16.0.0/24 any -P out ipsec
esp/tunnel/<FreeBSD>-<CISCO>/require;
spdadd 172.16.0.0/24 192.168.0.0/24 any -P in ipsec
esp/tunnel/<CISCO>-<FreeBSD>/require;
# Pair 2: 192.168.1.0/24 (first added alias subnet). Same endpoints as pair 1,
# so it needs its own phase-2 SA; only the subnet selector differs.
spdadd 192.168.1.0/24 172.16.0.0/24 any -P out ipsec
esp/tunnel/<FreeBSD>-<CISCO>/require;
spdadd 172.16.0.0/24 192.168.1.0/24 any -P in ipsec
esp/tunnel/<CISCO>-<FreeBSD>/require;
# Pair 3: 192.168.2.0/24 (second added alias subnet).
# NOTE(review): these three pairs must line up one-to-one with the three
# "sainfo address" blocks in racoon.conf and the three ACEs of access-list 130
# on the router; when only the first negotiated tunnel works, comparing which
# sainfo each phase-2 actually matched (racoon debug log) is the place to start.
spdadd 192.168.2.0/24 172.16.0.0/24 any -P out ipsec
esp/tunnel/<FreeBSD>-<CISCO>/require;
spdadd 172.16.0.0/24 192.168.2.0/24 any -P in ipsec
esp/tunnel/<CISCO>-<FreeBSD>/require;
cat /usr/local/etc/racoon/racoon.conf
# Phase 1 (ISAKMP) settings for the Cisco peer; <CISCO> is the poster's
# placeholder for the router's public address. A more specific "remote"
# entry like this one is expected to take precedence over "remote anonymous"
# below for that peer.
remote <CISCO>
{
# Identity-protecting main mode.
exchange_mode main;
doi ipsec_doi;
# Phase 1 SA lifetime.
lifetime time 24 hour ; # sec,min,hour
# Mirrors "crypto isakmp policy 1" on the router: encr 3des / hash md5 /
# authentication pre-share / group 2. Both ends must offer the same set.
# NOTE(review): 3DES and MD5 are legacy algorithms kept here only because
# the router policy uses them; the PSK itself lives in racoon's psk file,
# which is not shown in the post.
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key ;
dh_group 2 ;
}
# "obey": when racoon is the responder it accepts the initiator's proposal
# (e.g. lifetime) rather than insisting on the local values.
proposal_check obey;
}
# Phase 2 (IPsec SA) parameters for the 172.16.0.0/24 <-> 192.168.0.0/24 pair.
# The remote subnet is listed first here; racoon's sainfo lookup uses the
# negotiated ID payloads, and the order it expects has differed between the
# initiator and responder roles in older racoon versions. If a phase-2 does
# not match one of these per-subnet blocks it falls through to
# "sainfo anonymous" (hmac_sha1 instead of hmac_md5) — TODO confirm in the
# racoon debug log which sainfo each of the three tunnels actually matches.
sainfo address 172.16.0.0/24 any address 192.168.0.0/24 any
{
# PFS with DH group 2 on every phase-2 (re)key.
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
# IPComp (deflate) is also proposed. IOS's IPComp transform is comp-lzs, not
# deflate, so this is unlikely to be negotiated with the router; presumably
# harmless if the router simply does not offer compression — verify.
compression_algorithm deflate;
}
# Phase 2 parameters for the 172.16.0.0/24 <-> 192.168.1.0/24 pair (first
# alias subnet). Same transforms as the 192.168.0.0/24 block; only the
# selector differs, so it must match the corresponding spdadd pair in
# /etc/ipsec.conf and the second ACE of access-list 130 on the router.
sainfo address 172.16.0.0/24 any address 192.168.1.0/24 any
{
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
# IPComp proposal; see the note on the first sainfo block — likely not
# matched by the router (TODO confirm).
compression_algorithm deflate;
}
# Phase 2 parameters for the 172.16.0.0/24 <-> 192.168.2.0/24 pair (second
# alias subnet). Same transforms as the other two per-subnet blocks; must
# match the third spdadd pair in /etc/ipsec.conf and the third ACE of
# access-list 130 on the router.
sainfo address 172.16.0.0/24 any address 192.168.2.0/24 any
{
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
# IPComp proposal; likely not matched by the router (TODO confirm).
compression_algorithm deflate;
}
# Catch-all phase 1 entry for any peer not covered by a specific "remote"
# block. NOTE(review): with pre_shared_key authentication this lets any
# address that presents a key from racoon's psk file complete phase 1; if the
# Cisco router is the only intended peer this block is unnecessary exposure
# and could be dropped. It also uses sha1 where the <CISCO> entry uses md5,
# so a negotiation landing here instead of in the specific block would fail
# against the router's policy 1.
remote anonymous
{
exchange_mode main;
doi ipsec_doi;
lifetime time 24 hour ; # sec,min,hour
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
# Catch-all phase 2 entry used when no "sainfo address" block matches the
# negotiated IDs. NOTE(review): it offers hmac_sha1, while the three
# per-subnet blocks offer hmac_md5 — a phase-2 for one of the alias subnets
# that falls through to here proposes a different transform than the first
# tunnel did, which is one thing to check when only the first tunnel comes up.
sainfo anonymous
{
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
###############################
CISCO:
! Phase 1 policy; the same parameter set racoon offers in "remote <CISCO>"
! (3des / md5 / pre-share / group 2). Legacy algorithms, kept in step with
! the FreeBSD side.
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
! PSK bound to the FreeBSD peer address; <pre-shared-key> and <FreeBSD> are
! the poster's placeholders.
crypto isakmp key <pre-shared-key> address <FreeBSD>
! Single crypto-map entry covering all three subnet pairs through ACL 130.
! Whether CM-MAP is applied to an interface is not shown in the post.
crypto map CM-MAP 40 ipsec-isakmp
set peer <FreeBSD>
! NOTE(review): transform-set BA is not shown. It has to agree with the
! sainfo blocks on the FreeBSD side (ESP 3DES + MD5 HMAC, and IPComp only if
! racoon's deflate proposal is expected to match) — TODO confirm its contents.
set transform-set BA
match address 130
!
! Crypto ACL: one ACE per LAN pair. IOS normally negotiates a separate
! IPsec SA pair per ACE, so these three lines correspond one-to-one to the
! three spdadd pairs and three "sainfo address" blocks on the FreeBSD side.
access-list 130 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 permit ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 172.16.0.0 0.0.0.255 192.168.2.0 0.0.0.255