lug-bg: Re: lug-bg: Re[2]: lug-bg: Tunnel between two networks
- Subject: lug-bg: Re: lug-bg: Re[2]: lug-bg: Tunnel between two networks
- From: "Petar Markov" <pmarkov@xxxxxxxxxx>
- Date: Wed, 13 Aug 2003 22:20:25 +0200
If to this, to put it mildly, WONDERFUL guide one also added a similarly detailed
description of how to make the tunnel built between the two networks
secure.... I think it would make a really very good guide!
:-)
----- Original Message -----
From: "Todor Lazarov" <todor.lazarov@xxxxxxxxxxxxxxxx>
To: <lug-bg@xxxxxxxxxxxxxxxxxx>
Sent: Sunday, February 09, 2003 6:16 PM
Subject: lug-bg: Re[2]: lug-bg: Tunnel between two networks
>
> Hello Vesselin,
>
> Sunday, February 9, 2003, 3:23:25 PM, you wrote:
>
> Thank you for the exhaustive answer.
> I have never seen a better description than this.
>
> VK> The task is quite interesting. I personally suggest you solve it
> VK> by using a GRE tunnel (so as not to load the routers, we will
> VK> assume that no connection via IPSec will be made).
>
> VK> Before you start building any tunnels, you need to plan the
> VK> network architecture of the tunnel. I will of course work only
> VK> with IP address spaces reserved for private use, but you can very
> VK> easily carry the example over to real networks.
>
> VK> Here is your diagram again:
>
> VK>              PC1       PC2        PC3
> VK> LanA----| |-------| |--------| |--------LanB
>
> VK> Here is a sample description of the routers, in the part concerning
> VK> their network configuration, before we have started the GRE tunnel:
>
>
> VK> ====================================================
> VK> PC1
>
> VK> external interface: eth1
> VK> --> Shares one IP network block with interface eth1 of PC2
> VK> ---> IP address: 192.168.3.1
> VK> ---> Netmask: 255.255.255.0
>
> VK> internal interface: eth0
> VK> --> Member of the network block of LanA
> VK> ---> IP address: 192.168.80.1
> VK> ---> Netmask: 255.255.255.0
> VK> ====================================================
>
> VK> ====================================================
> VK> PC2
>
> VK> interface: eth1
> VK> --> Shares one IP network block with interface eth1 of PC1
> VK> ---> IP address: 192.168.3.2
> VK> ---> Netmask: 255.255.255.0
>
> VK> interface: eth0
> VK> --> Shares one IP network block with interface eth0 of PC3
> VK> ---> IP address: 192.168.6.1
> VK> ---> Netmask: 255.255.255.0
> VK> ====================================================
>
> VK> ====================================================
> VK> PC3
>
> VK> external interface: eth0
> VK> --> Shares one IP network block with interface eth0 of PC2
> VK> ---> IP address: 192.168.6.2
> VK> ---> Netmask: 255.255.255.0
>
> VK> internal interface: eth1
> VK> --> Member of the network block of LanB
> VK> ---> IP address: 192.168.81.1
> VK> ---> Netmask: 255.255.255.0
> VK> ====================================================
>
>
> VK> Attention. The next step is to check whether the routing tables of
> VK> the routers are built so that packets from eth1 of PC1 reach
> VK> eth0 of PC3. In principle, if PC1 has a default route different from
> VK> 192.168.3.2, you will have to specify that the network 192.168.6.0/24
> VK> is routed via 192.168.3.2. You need to make the same check on the
> VK> PC3 side as well. If the default route there is not 192.168.6.1, you
> VK> must specifically declare that network 192.168.3.0/24 is
> VK> reachable via gateway 192.168.6.1.
>
> VK> For example, on PC1 in such a case you can run the following:
>
> VK> ip route add 192.168.6.0/24 via 192.168.3.2 dev eth1 table main
>
> VK> and on PC3
>
> VK> ip route add 192.168.3.0/24 via 192.168.6.1 dev eth0 table main
>
> VK> Make sure these rules take effect again after a reboot of the machine.
> VK> For example, put them in a separate script and call it from the init
> VK> script. Otherwise, after a reboot the old state of things will
> VK> return.
>
> VK> Check whether the routing works by using traceroute and ping. Make
> VK> sure that everything really is in order.
>
> VK> Now we can proceed to building the tunnel.
>
> VK> There is one quite important detail that is often missed, and in
> VK> many postings and explanations at that. It is that for the tunnel you
> VK> need to set aside address space. You will need two IP addresses from one
> VK> and the same network block. Why this is needed will become clear to you
> VK> right after I show you the diagram of the tunnel connection
>
> VK> LanA --PC1--------------------------PC3--LanB
>
> VK> It is as if PC1 and PC3 see each other as though they were
> VK> attached by a direct cable connection. Yes, but for there to be a
> VK> connection there need to be interfaces. These interfaces must have
> VK> IP addresses on them ... otherwise there simply will be no visibility
> VK> between PC1 and PC3. For that purpose I would suggest you use the
> VK> following address space
>
> VK> Network: 192.168.50.0
> VK> Netmask: 255.255.255.252, i.e. a 30-bit mask.
>
> VK> Let 192.168.50.1 be intended for the end of the tunnel on
> VK> PC1, and 192.168.50.2 be intended for the end of the tunnel
> VK> on PC3.
>
> VK> These IP addresses are not placed on the eth0 or eth1 interfaces;
> VK> instead, virtual interfaces are built (this is rather loosely put, but
> VK> more on this terminology another time).
>
> VK> Now it is time to bring up the tunnel. This is done by first loading
> VK> the ip_gre module on both PC1 and PC2
>
> VK> insmod ip_gre
>
> VK> after that the following actions are performed:
>
> VK> --> PC1
> VK> ip tunnel add tun1 mode gre remote 192.168.6.2 local 192.168.3.1 ttl 255
>
> VK> --> PC3
> VK> ip tunnel add tun1 mode gre remote 192.168.3.1 local 192.168.6.2 ttl 255
>
> VK> With this the tunnel is initiated, but not yet established. Note that
> VK> after ip tunnel add the name of the virtual device to which the tunnel
> VK> is attached is declared. To make this device active you need to run
> VK> on each computer:
>
> VK> ip link set tun1 up
>
> VK> With this the tunnel is up. But that does not mean there is traffic
> VK> through it. For that to happen you need to put on the virtual devices
> VK> the IP addresses from the network with the 30-bit mask that I
> VK> described above.
>
> VK> --> PC1
> VK> ip addr add
>
> VK> How do you build the virtual interfaces for the tunnel? It is very easy.
>
>
> VK> Stage 1: Defining the virtual interface:
>
> VK> --> On PC1
> VK> ip addr add 192.168.50.1/30 dev tun1
>
> VK> --> On PC3
> VK> ip addr add 192.168.50.2/30 dev tun1
>
> VK> With this there is now visibility between the virtual interfaces. Bear
> VK> in mind that if everything is in order now, you will be able to ping
> VK> 192.168.50.2 from PC1, and 192.168.50.1 from PC3.
>
> VK> After that it only remains to direct the routing.
>
> VK> --> PC1
>
> VK> ip route add 192.168.81.0/24 via 192.168.50.2 dev tun1 table main
>
> VK> --> PC3
>
> VK> ip route add 192.168.80.0/24 via 192.168.50.1 dev tun1 table main
>
> VK> after you do this, every host from LanA should see every host
> VK> from LanB (well, of course, provided they are connected to the network)..
>
> VK> That is it in broad strokes
>
> VK> Regards
> VK> Vesselin Kolev
>
> VK> ============================================================================
> VK> A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
> VK> http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
> VK> To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
> VK> ============================================================================
>
> --
> Best regards,
> Todor mailto:todor.lazarov@xxxxxxxxxxxxxxxx
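The addressing plan and command sequence quoted above, as an added example that is not part of the thread: both tunnel ends are encoded as data, the plan is sanity-checked (both ends in one /30, no overlap with the LANs) and each router's iproute2 commands are rendered in the order Vesselin applies them. The `TunnelEnd` fields, the assumption that the PC1-PC2 and PC2-PC3 links are /24, and the check rules are my own, not anything from the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TunnelEnd:
    name: str        # router name, e.g. "PC1"
    outer_ip: str    # address used as the GRE local endpoint
    outer_dev: str   # interface that carries the encapsulated packets
    outer_gw: str    # next hop towards the other end's outer address
    tunnel_ip: str   # address placed on tun1, taken from the dedicated /30
    lan: str         # network behind this router

# The two ends exactly as laid out in the thread (PC2 only forwards between them).
PC1 = TunnelEnd("PC1", "192.168.3.1", "eth1", "192.168.3.2", "192.168.50.1/30", "192.168.80.0/24")
PC3 = TunnelEnd("PC3", "192.168.6.2", "eth0", "192.168.6.1", "192.168.50.2/30", "192.168.81.0/24")

def check_plan(a: TunnelEnd, b: TunnelEnd) -> list[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    ta, tb = ipaddress.ip_interface(a.tunnel_ip), ipaddress.ip_interface(b.tunnel_ip)
    if ta.network != tb.network:
        problems.append("tunnel ends are not in the same block")
    if ta.network.prefixlen != 30:
        problems.append("tunnel block should be a /30 (exactly two usable addresses)")
    if ta.ip == tb.ip:
        problems.append("both tunnel ends use the same address")
    # The tunnel block and the two LANs must not overlap, or the routes become ambiguous.
    nets = [ta.network, ipaddress.ip_network(a.lan), ipaddress.ip_network(b.lan)]
    for i, n in enumerate(nets):
        if any(n.overlaps(m) for m in nets[i + 1:]):
            problems.append(f"{n} overlaps another network in the plan")
    return problems

def render_commands(local: TunnelEnd, peer: TunnelEnd, tun: str = "tun1") -> list[str]:
    """iproute2 commands for one router, in the order the thread applies them."""
    peer_outer = ipaddress.ip_interface(f"{peer.outer_ip}/24").network  # /24 links, as in the thread
    via = ipaddress.ip_interface(peer.tunnel_ip).ip  # 'via' takes a bare address, never a /30
    return [
        f"ip route add {peer_outer} via {local.outer_gw} dev {local.outer_dev} table main",
        f"ip tunnel add {tun} mode gre remote {peer.outer_ip} local {local.outer_ip} ttl 255",
        f"ip link set {tun} up",
        f"ip addr add {local.tunnel_ip} dev {tun}",
        f"ip route add {peer.lan} via {via} dev {tun} table main",
    ]

if __name__ == "__main__":
    print("plan problems:", check_plan(PC1, PC3) or "none")
    for local, peer in ((PC1, PC3), (PC3, PC1)):
        print(f"# {local.name}")
        print("\n".join(render_commands(local, peer)))
```

The rendered commands are meant to be reviewed and then run as root on the respective router; the underlying route (first line) is only needed when the default route does not already point at the PC2 side, as the thread notes.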