AbcLinuxu portal, 12 May 2025 03:03
conn pokus
    authby=secret
    left=xxx.xxx.xxx.xxx
    right=yyy.yyy.yyy.yyy
    rightsubnet=zzz.zzz.zzz.zzz/24
    ikelifetime=120m
    keylife=3600s
    pfs=no
    keyingtries=0
    disablearrivalcheck=yes
    auth=esp
    esp=3des-sha1
    rekey=yes
    compress=no
    auto=start

Firewall rule on the left machine:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to xxx.xxx.xxx.xxx
tcpdump of a ping to a host in the rightsubnet network, zzz.zzz.zzz.zzz

1) ping directly from left - everything OK

# ping zzz.zzz.zzz.zzz
64 bytes from zzz.zzz.zzz.zzz: icmp_seq=1 ttl=254 time=15.1 ms

# tcpdump -i eth1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:55:17.621575 IP xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy: ESP(spi=0x618b2837,seq=0x1f)
13:55:17.628497 IP yyy.yyy.yyy.yyy > xxx.xxx.xxx.xxx: ESP(spi=0xd688505a,seq=0x1f)
13:55:17.628497 IP zzz.zzz.zzz.zzz > xxx.xxx.xxx.xxx: icmp 64: echo reply seq 1
13:55:18.621786 IP xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy: ESP(spi=0x618b2837,seq=0x20)
13:55:18.627393 IP yyy.yyy.yyy.yyy > xxx.xxx.xxx.xxx: ESP(spi=0xd688505a,seq=0x20)
13:55:18.627393 IP zzz.zzz.zzz.zzz > xxx.xxx.xxx.xxx: icmp 64: echo reply seq 2

2) ping from a computer behind left - the packets do not go through the tunnel

# ping zzz.zzz.zzz.zzz
From aaa.aaa.aaa.aaa icmp_seq=1 Packet filtered
From aaa.aaa.aaa.aaa icmp_seq=2 Packet filtered

aaa.aaa.aaa.aaa - some IP unrelated to the tunnel

# tcpdump -i eth1 -n
13:56:45.989568 IP xxx.xxx.xxx.xxx > zzz.zzz.zzz.zzz: icmp 64: echo request seq 1
13:56:46.026350 IP aaa.aaa.aaa.aaa > xxx.xxx.xxx.xxx: icmp 36: host zzz.zzz.zzz.zzz unreachable - admin prohibited filter
13:56:46.994649 IP xxx.xxx.xxx.xxx > zzz.zzz.zzz.zzz: icmp 64: echo request seq 2
13:56:47.000502 IP aaa.aaa.aaa.aaa > xxx.xxx.xxx.xxx: icmp 36: host zzz.zzz.zzz.zzz unreachable - admin prohibited filter
Unfortunately, nobody has answered the question yet.
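The two captures in the question differ in one observable way: when the gateway itself pings, its echo request leaves eth1 only as ESP to the peer (the plaintext lines are the peer's decrypted replies), whereas the echo request from the LAN host, already SNATed to the gateway's address, leaves eth1 as plain ICMP addressed straight to the rightsubnet host and never enters the tunnel, which is why an unrelated router on the path answers "admin prohibited". The script below is an added example, not code from the post or from any IPsec project, that turns that observation into an automated check over tcpdump output: it parses `tcpdump -n` lines and flags any outbound non-ESP packet whose destination lies inside the protected remote subnet as a plaintext leak. The sample capture is constructed to mirror the post's two runs; RFC 5737 documentation addresses stand in for the placeholders (192.0.2.1 for left, 198.51.100.1 for right, 203.0.113.0/24 for rightsubnet, 192.0.2.254 for the unrelated router), and the protected-subnet and peer parameters are assumptions the caller supplies.

```python
"""Audit a tcpdump capture of an IPsec gateway's external interface.

Rule checked: every outbound packet bound for the protected remote subnet
must leave as ESP to the peer.  A plaintext packet to that subnet means the
traffic bypassed the security association (what the post's second run shows).
Added example, not part of the original post.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample captures modelled on the post's two tcpdump runs.
# Documentation addresses replace the post's xxx/yyy/zzz/aaa placeholders.
CAPTURE_FROM_GATEWAY = """\
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:55:17.621575 IP 192.0.2.1 > 198.51.100.1: ESP(spi=0x618b2837,seq=0x1f)
13:55:17.628497 IP 198.51.100.1 > 192.0.2.1: ESP(spi=0xd688505a,seq=0x1f)
13:55:17.628497 IP 203.0.113.10 > 192.0.2.1: icmp 64: echo reply seq 1
"""

CAPTURE_FROM_LAN_HOST = """\
13:56:45.989568 IP 192.0.2.1 > 203.0.113.10: icmp 64: echo request seq 1
13:56:46.026350 IP 192.0.2.254 > 192.0.2.1: icmp 36: host 203.0.113.10 unreachable - admin prohibited filter
"""

# "<timestamp> IP <src> > <dst>: <rest>" as printed by tcpdump -n for IPv4.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<payload>.*)$"
)


@dataclass
class Packet:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    payload: str

    @property
    def is_esp(self) -> bool:
        return self.payload.startswith("ESP(")


def parse_capture(text: str) -> list:
    """Turn tcpdump output into Packet objects, skipping banner lines."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # "listening on eth1, ..." and similar non-packet lines
            continue
        pkts.append(Packet(m["ts"], ipaddress.ip_address(m["src"]),
                           ipaddress.ip_address(m["dst"]), m["payload"]))
    return pkts


def audit_capture(text: str, local: str, peer: str, protected: str) -> dict:
    """Classify packets seen on the external interface.

    local     - the gateway's own external address (left)
    peer      - the remote IPsec endpoint (right)
    protected - the remote subnet that must only be reached via ESP (rightsubnet)
    """
    local_ip = ipaddress.ip_address(local)
    peer_ip = ipaddress.ip_address(peer)
    net = ipaddress.ip_network(protected)
    report = {"esp_out": 0, "esp_in": 0, "plain_leak": 0,
              "leaked_dsts": [], "unreachable": 0}
    for p in parse_capture(text):
        outbound = p.src == local_ip
        if p.is_esp:
            if outbound and p.dst == peer_ip:
                report["esp_out"] += 1
            elif p.src == peer_ip and p.dst == local_ip:
                report["esp_in"] += 1
            continue
        # Inbound plaintext from the protected subnet is normal here: with the
        # kernel's native IPsec stack tcpdump also shows the decrypted copy of
        # each inbound ESP packet.  Only *outbound* plaintext proves a bypass.
        if outbound and p.dst in net:
            report["plain_leak"] += 1
            report["leaked_dsts"].append(str(p.dst))
        elif "unreachable - admin prohibited" in p.payload:
            # Symptom seen in the post: a third party filtered the leaked packet.
            report["unreachable"] += 1
    return report


def tunnel_ok(report: dict) -> bool:
    """True when traffic to the protected subnet went out only as ESP."""
    return report["plain_leak"] == 0 and report["esp_out"] > 0


if __name__ == "__main__":
    for name, cap in (("ping from gateway", CAPTURE_FROM_GATEWAY),
                      ("ping from LAN host", CAPTURE_FROM_LAN_HOST)):
        r = audit_capture(cap, "192.0.2.1", "198.51.100.1", "203.0.113.0/24")
        print(f"{name}: {'OK' if tunnel_ok(r) else 'LEAK'} {r}")
```

Run it against a real capture by feeding the output of `tcpdump -i eth1 -n` to `audit_capture` with your own left, right and rightsubnet values; a non-zero `plain_leak` count together with `esp_out == 0` reproduces exactly the failure pattern of the post's second run.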
ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.