AbcLinuxu portal, 23 April 2024 21:24
    spdadd 172.16.0.0/24 172.16.2.0/24 any -P in ipsec
        esp/transport/[ip-2]-[ip-1]/require
        ah/transport/[ip-2]-[ip-1]/require;
    spdadd 172.16.2.0/24 172.16.0.0/24 any -P out ipsec
        esp/transport/[ip-1]-[ip-2]/require
        ah/transport/[ip-1]-[ip-2]/require;

On the second gateway the configuration is analogous, but with in swapped for out and vice versa. And racoon is configured like this:

    ...
    remote 217.11.242.73 {
        exchange_mode main;
        my_identifier address [ip-1];
        peers_identifier address [ip-2];
        generate_policy on;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 5;
        }
    }
    ...

After starting racoon in debug mode and trying to ping the IP address 172.16.0.1 from gateway 1, however, the request is routed not encrypted over the VPN but out to the internet. The racoon output looks like this:

    2007-09-13 12:16:24: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
    2007-09-13 12:16:24: INFO: @(#)This product linked OpenSSL 0.9.8e 23 Feb 2007 (http://www.openssl.org/)
    2007-09-13 12:16:24: DEBUG: call pfkey_send_register for AH
    2007-09-13 12:16:24: DEBUG: call pfkey_send_register for ESP
    2007-09-13 12:16:24: DEBUG: call pfkey_send_register for IPCOMP
    2007-09-13 12:16:24: DEBUG: reading config file /etc/racoon.conf
    2007-09-13 12:16:24: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
    2007-09-13 12:16:24: DEBUG: filename: /etc/racoon/belgicka-omnicon-vpn.conf
    2007-09-13 12:16:24: DEBUG: reading config file /etc/racoon/belgicka-omnicon-vpn.conf
    2007-09-13 12:16:24: INFO: 10.0.0.2[4500] used as isakmp port (fd=5)
    2007-09-13 12:16:24: INFO: 10.0.0.2[4500] used for NAT-T
    2007-09-13 12:16:24: INFO: 10.0.0.2[500] used as isakmp port (fd=7)
    2007-09-13 12:16:24: INFO: 10.0.0.2[500] used for NAT-T
    2007-09-13 12:16:24: DEBUG: get pfkey X_SPDDUMP message
    2007-09-13 12:16:24: DEBUG: get pfkey X_SPDDUMP message
    2007-09-13 12:16:24: DEBUG: sub:0x7fa2da70: 172.16.2.0/24[0] 172.16.0.0/24[0] proto=any dir=out
    2007-09-13 12:16:24: DEBUG: db :0x4b1210: 172.16.0.0/24[0] 172.16.2.0/24[0] proto=any dir=in
    2007-09-13 12:16:24: DEBUG: get pfkey X_SPDDUMP message
    2007-09-13 12:16:24: DEBUG: sub:0x7fa2da70: 172.16.0.0/24[0] 172.16.2.0/24[0] proto=any dir=fwd
    2007-09-13 12:16:24: DEBUG: db :0x4b1210: 172.16.0.0/24[0] 172.16.2.0/24[0] proto=any dir=in
    2007-09-13 12:16:24: DEBUG: sub:0x7fa2da70: 172.16.0.0/24[0] 172.16.2.0/24[0] proto=any dir=fwd
    2007-09-13 12:16:24: DEBUG: db :0x4b1a78: 172.16.2.0/24[0] 172.16.0.0/24[0] proto=any dir=out

So the problem could be in the routing setup or in the setkey / racoon configuration. I would be very grateful for any advice and thank you in advance! Regards, Marek Siller
1. In transport mode the gateway addresses are not specified. But if you want to connect networks, you need tunnel mode.
2. I don't see authentication handled in your configuration, and I'm not sure what the default is.
3. What does the sainfo section look like?
    sainfo address 172.16.2.0/24 any address 172.16.0.0/24 any {
        pfs_group 5;
        lifetime time 1 hour;
        encryption_algorithm 3des, blowfish;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
    }
An example that should work. setkey.conf:

    flush;
    spdflush;
    spdadd MY_IP PEER_IP any -P out ipsec esp/transport//require;
    spdadd PEER_IP MY_IP any -P in ipsec esp/transport//require;
    spdadd MY_NET PEER_NET any -P out ipsec esp/tunnel/MY_IP-PEER_IP/require;
    spdadd PEER_NET MY_NET any -P in ipsec esp/tunnel/PEER_IP-MY_IP/require;
racoon.conf:
    path certificate "/etc/certs";
    remote PEER_IP {
        exchange_mode main;
        my_identifier asn1dn;
        certificate_type x509 "MY_NAME.cert" "MY_NAME.key";
        peers_certfile x509 "PEER_NAME.cert";
        proposal {
            encryption_algorithm aes;
            hash_algorithm sha1;
            authentication_method rsasig;
            dh_group 2;
        }
    }
    sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }
You can generate the certificates e.g. like this:

    #!/bin/bash
    host=`hostname -s`
    # new files are readable by the owner only
    umask 077
    mkdir -p /etc/certs
    cd /etc/certs || exit 1
    rm -f ${host}.*
    # private key plus certificate request for this host
    openssl req -new -nodes -days 365 -newkey rsa:1024 \
        -config /mnt/demo/lnx03/crypto/mkcert.conf \
        -keyform PEM -keyout ${host}.key \
        -outform PEM -out ${host}.req
    # self-sign the request with the key just generated
    openssl x509 -req -days 365 -in ${host}.req \
        -signkey ${host}.key -out ${host}.cert
    rm -f ${host}.req
    chmod 400 ${host}.key ${host}.cert
(then you exchange /etc/certs/*.cert)
ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.