problem with ipsec vpn

Theo Vassiliadis cosmostation at gmail.com
Fri Jul 22 14:28:39 EEST 2005


I have a PC (hermes) running F.C.1 with 2.4.22-1.2199.nptl and FreeS/WAN IPsec
2.06, with the following network cards:
eth0 : x.x.x.x (external)
eth1: 10.35.2.102 (internal)
My LAN is 10.35.2.0/24 and I share the internet connection with forwarding/iptables.

On the other side they have some Cisco VPN concentrator.
The settings they asked me for are these:

VPN Type: Net-to-Net
Encryption,Authentication: 3des-md5-96
IP at our side: y.y.y.y
Network at our side: 192.168.88.26/32
IP at your side: x.x.x.x
Network at your side: 10.11.31.0/24
Preshared key

Because the other side expects data from 10.11.31.0/24, I added one more
IP on the GW: eth0:1 with IP 10.11.31.100, and to the machine on the LAN
that will talk to the other side (uranus) I gave the IP 10.11.31.1
with default gateway 10.11.31.100.

The connection appears to come up normally.

During ipsec auto --up AG:

104 "AG" #1: STATE_MAIN_I1: initiate
106 "AG" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "AG" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "AG" #1: STATE_MAIN_I4: ISAKMP SA established
112 "AG" #2: STATE_QUICK_I1: initiate
004 "AG" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x5f675b38 <0x9790dd09}

From ipsec auto --status:

000 "AG": 10.11.31.0/24===x.x.x.x---x.x.x.y...y.y.y.y===192.168.88.26/32;
erouted; eroute owner: #2


192.168.88.26/32 appears in the routing table normally (via ipsec0).

The problem is that I get no reply to ping on the other network
(maybe they block it), but neither to telnet on the open ports that
supposedly work for sure. With iptraf on the gw-box I see that
10.11.31.1 requests a connection (SYN) from 192.168.88.26, and the UDP
packets from my ext. IP to theirs, but nothing comes back.

I want to know whether something in my own setup is at fault, before I
phone them and complain that the whole thing does not work. Any help
is welcome.

The rules of hermes (internet gateway) follow:

# Generated by iptables-save v1.2.9 on Thu Jul 21 21:59:12 2005
*nat
:PREROUTING ACCEPT [1467:113615]
:POSTROUTING ACCEPT [1349:73839]
:OUTPUT ACCEPT [671:44345]
-A POSTROUTING -s 10.35.2.106 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.35.2.104 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.35.2.103 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jul 21 21:59:12 2005
# Generated by iptables-save v1.2.9 on Thu Jul 21 21:59:12 2005
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [15695:4142969]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -s a.b.c.d -p tcp -m tcp --dport 15555 -j ACCEPT
-A INPUT -s a.c.d.e -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s w.x.y.z/255.255.255.240 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -s 192.168.88.26 -d 10.11.31.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 10.11.31.0/255.255.255.0 -d 192.168.88.26 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i ipsec0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jul 21 21:59:12 2005



And this is the ipsec.conf:

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        # plutodebug=dns
# Add connections here.
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn AG
    left=x.x.x.x
    leftsubnet=10.11.31.0/24
    leftnexthop=%defaultroute
    right=y.y.y.y
    rightsubnet=192.168.88.26/32
    pfs=no
    auto=add
    authby=secret
    esp=3des-md5-96
    auth=esp

-- 
Labor and Joy
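As an added example, not part of the original post, here is a small Python check that reads a FreeS/WAN conn block and an iptables-save dump and confirms that IKE (udp/500) and ESP are accepted on INPUT, that both tunnel subnets are forwarded in both directions, and that no POSTROUTING source-NAT rule would rewrite traffic from the local tunnel subnet. The inputs are constructed from the post's own AG connection and rules; the parser assumes every iptables option takes exactly one argument.

```python
import re
import shlex
from ipaddress import ip_network

# Constructed inputs, modelled on the post's "conn AG" and its iptables-save dump.
IPSEC_CONF = """\
conn AG
    leftsubnet=10.11.31.0/24
    rightsubnet=192.168.88.26/32
"""
IPTABLES_SAVE = """\
*nat
-A POSTROUTING -s 10.35.2.106 -o eth0 -j MASQUERADE
*filter
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A FORWARD -s 192.168.88.26 -d 10.11.31.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 10.11.31.0/255.255.255.0 -d 192.168.88.26 -j ACCEPT
"""

def parse_conn(conf, name):
    # key=value settings of one indented "conn <name>" block
    m = re.search(rf"^conn {re.escape(name)}\n((?:[ \t]+\S+\n?)*)", conf, re.M)
    return dict(re.findall(r"(\w+)=(\S+)", m.group(1))) if m else {}

def parse_rules(save):
    # (table, chain, {option: value}) per "-A" line; assumes every option takes one argument
    table = None
    for line in save.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tok = shlex.split(line)
            yield table, tok[1], {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1, 2)}

def covers(rule_addr, net):
    # a missing -s/-d matches anything; iptables-save may print masks as 255.255.255.0
    return rule_addr is None or net.subnet_of(ip_network(rule_addr, strict=False))

def check_vpn(conf, save, name):
    c = parse_conn(conf, name)
    left, right = ip_network(c["leftsubnet"]), ip_network(c["rightsubnet"])
    rules = list(parse_rules(save))
    acc = [(ch, o) for t, ch, o in rules if t == "filter" and o.get("-j") == "ACCEPT"]
    fwd = lambda s, d: any(ch == "FORWARD" and covers(o.get("-s"), s) and covers(o.get("-d"), d) for ch, o in acc)
    return {
        "ike_in": any(ch == "INPUT" and o.get("-p") == "udp" and o.get("--dport") == "500" for ch, o in acc),
        "esp_in": any(ch == "INPUT" and o.get("-p") == "esp" for ch, o in acc),
        "forward_both_ways": fwd(left, right) and fwd(right, left),
        # warning only: a source-NAT rule whose -s covers the tunnel subnet and has no -d exclusion
        "tunnel_natted": any(t == "nat" and ch == "POSTROUTING" and o.get("-j") in ("MASQUERADE", "SNAT")
                             and covers(o.get("-s"), left) and "-d" not in o for t, ch, o in rules),
    }
```

For the post's rules all three positive checks pass and no NAT warning is raised; a blanket `-A POSTROUTING -o eth0 -j MASQUERADE` with no `-s` would trip the warning.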




More information about the Linux-greek-users mailing list