IPSec

stobbi stobbi at netmont.sk
Thu Mar 22 16:14:29 CET 2007


Zdravim,
mam nakonfigurovany funkcny IPSec tunel (lan-lan) Cisco router <-> FreeBSD
5.5p2. Problem nastal, ked bolo nutne na strane FreeBSD pridat dalsie dve
logicke IP siete (IP aliasing; 192.168.1.0/24, 192.168.2.0/24) a tie tiez
tunelovat. Po nakonfigurovani sa mi to sprava tak, ze tunel, ktory sa nahodi
ako prvy zafunguje, ostatne sa uz nenahodia, tzn. kto prvy pride, prvy melie
:)

CISCO je zrejme nakonfigurovane spravne, takze chyba je na mojej strane,
nakopnite spravnym smerom. Dik. Pali

###############################
FreeBSD:

bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::211:85ff:fec2:f80c%bge1 prefixlen 64 scopeid 0x2
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        ether 00:11:85:c2:f8:0c
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active

cat /etc/ipsec.conf
# SPD (policy) entries only: one outbound/inbound pair per local network,
# each requiring ESP in tunnel mode between the FreeBSD host and the Cisco
# peer.  The SAs themselves are negotiated by racoon (racoon.conf below),
# so a policy listed here without a matching sainfo there never gets keys.
#
# 192.168.0.0/24 <-> 172.16.0.0/24 (primary address on bge1)
spdadd 192.168.0.0/24 172.16.0.0/24  any -P out ipsec
esp/tunnel/<FreeBSD>-<CISCO>/require;
spdadd 172.16.0.0/24  192.168.0.0/24 any -P in  ipsec
esp/tunnel/<CISCO>-<FreeBSD>/require;
# 192.168.1.0/24 <-> 172.16.0.0/24 (first alias on bge1)
spdadd 192.168.1.0/24 172.16.0.0/24  any -P out ipsec
esp/tunnel/<FreeBSD>-<CISCO>/require;
spdadd 172.16.0.0/24  192.168.1.0/24 any -P in  ipsec
esp/tunnel/<CISCO>-<FreeBSD>/require;
# 192.168.2.0/24 <-> 172.16.0.0/24 (second alias on bge1)
spdadd 192.168.2.0/24 172.16.0.0/24  any -P out ipsec
esp/tunnel/<FreeBSD>-<CISCO>/require;
spdadd 172.16.0.0/24  192.168.2.0/24 any -P in  ipsec
esp/tunnel/<CISCO>-<FreeBSD>/require;
# NOTE(review): when only the first tunnel works, `setkey -DP` shows which
# of these policies has an SA bound to it and `setkey -D` lists the SAs
# actually installed — confirm all six policies are loaded before looking
# at racoon.

cat /usr/local/etc/racoon/racoon.conf
# Phase 1 (ISAKMP) parameters for the Cisco peer.  Phase 1 is shared by all
# three tunnels, so a "first tunnel up, the rest fail" symptom is more likely
# a phase 2 (sainfo / proxy-ID) problem than a problem in this block.
remote <CISCO>
{
        exchange_mode main;
        doi ipsec_doi;
        lifetime time 24 hour ; # sec,min,hour
        # Must mirror the Cisco "crypto isakmp policy 1": 3des / md5 /
        # pre-share / group 2.
        # NOTE(review): 3DES with MD5 is a weak pairing by current standards;
        # if both ends support it, prefer AES and a SHA-family hash, changing
        # both sides together.
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
        # obey: as responder, accept the initiator's phase 2 lifetime/PFS
        # values even when they differ from the sainfo settings below.
        # Handy for interop, but this file then no longer fully describes
        # what gets negotiated; "claim" or "strict" are tighter alternatives.
        proposal_check obey;
}

# Phase 2 (IPsec SA) parameters, one sainfo per tunnelled network pair.
# The identifiers are written Cisco-side (172.16.0.0/24) first.
# NOTE(review): whether these match when the FreeBSD side initiates quick
# mode (rather than the Cisco side) depends on how racoon orders the IDs
# it looks up — run `racoon -F -d` when the second tunnel fails and compare
# the IDci/IDcr pair it logs against these entries.
# NOTE(review): pfs_group 2 requires the peer to do PFS as well; the Cisco
# crypto map shown below has no `set pfs group2` line — confirm it exists
# in the full running-config.
sainfo address 172.16.0.0/24 any address 192.168.0.0/24 any
{
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

sainfo address 172.16.0.0/24 any address 192.168.1.0/24 any
{
       pfs_group 2;
       encryption_algorithm 3des;
       authentication_algorithm hmac_md5;
       compression_algorithm deflate;
}

sainfo address 172.16.0.0/24 any address 192.168.2.0/24 any
{
       pfs_group 2;
       encryption_algorithm 3des;
       authentication_algorithm hmac_md5;
       compression_algorithm deflate;
}

# Catch-all for any peer not matched by the specific "remote" above.
# NOTE(review): the Cisco peer is already matched explicitly, so this block
# only widens the set of peers racoon will negotiate with; confirm it is
# still needed.  It also uses sha1 where the Cisco-specific block uses md5,
# so a peer landing here negotiates different parameters.
remote anonymous
{
        exchange_mode main;
        doi ipsec_doi;

        lifetime time 24 hour ; # sec,min,hour

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

# Catch-all phase 2 parameters; only reached when none of the address-
# specific sainfo entries above matches the negotiated identifiers.
sainfo anonymous
{
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

###############################
CISCO:

! Phase 1 policy; mirrors the proposal in racoon's "remote <CISCO>" block
! (3des / md5 / pre-share / group 2).
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2

! Pre-shared key bound to the FreeBSD peer address; racoon must hold the
! same key for the Cisco address in its pre_shared_key file.
crypto isakmp key <pre-shared-key> address <FreeBSD>

! Single crypto map entry serving all three networks via ACL 130.
! NOTE(review): transform-set BA is not shown; it must agree with the
! FreeBSD sainfo entries (esp-3des / esp-md5-hmac), and racoon's
! pfs_group 2 expects a "set pfs group2" line in this map entry — confirm
! both in the full running-config.
crypto map CM-MAP 40 ipsec-isakmp
 set peer <FreeBSD>
 set transform-set BA
 match address 130
!

! One permit line per tunnelled network pair.  Each line is negotiated as
! its own IPsec SA pair with proxy IDs 172.16.0.0/24 <-> 192.168.x.0/24,
! which is what the racoon sainfo entries have to match.
access-list 130 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 permit ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 172.16.0.0 0.0.0.255 192.168.2.0 0.0.0.255 



