Re: lug-bg: VPN route problem
- Subject: Re: lug-bg: VPN route problem
- From: "Stanimir Kabaivanov" <stanimir.kabaivanov@xxxxxxxxx>
- Date: Mon, 31 Jul 2006 11:21:26 +0300
- Delivered-to: lug-bg-list@xxxxxxxxxxxxxxxxxx
- Delivered-to: lug-bg@xxxxxxxxxxxxxxxxxx
With pleasure:
/etc/racoon.conf
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

timer {
        counter 5;              # maximum trying count to send.
        interval 30 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        phase1 80 sec;
        phase2 85 sec;
}

#ZyWall
remote q.w.e.r {
        exchange_mode main,aggressive,base;
        lifetime time 24 hour;
        proposal_check obey;    # racoon.conf syntax takes no '=' here
        nat_traversal on;
        esp_frag 552;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 1;
        }
}

#net-to-net
sainfo address 192.168.y.0/24 any address 192.168.x.0/23 any {
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
}

sainfo anonymous {
        lifetime time 1 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
}
and, correspondingly, setkey.sh:
#!/bin/sh
#/sbin/setkey -f

#flush
setkey -FP
setkey -F

#LOCAL_EXT_IP - Internet IP of eth0 - my gateway
LOCAL_EXT_IP=a.b.c.d
#REMOTE_EXT_IP - Internet IP of remote VPN gateway
REMOTE_EXT_IP=q.w.e.r

LOCAL_LAN=192.168.y.0
LOCAL_SUBNET_MASK=24
REMOTE_LAN=192.168.x.0
REMOTE_SUBNET_MASK=23

#Linux-racoon -> MyZwall and MyZwall -> Linux-racoon
setkey -c << END
spdadd $REMOTE_EXT_IP $LOCAL_EXT_IP any -P in ipsec esp/tunnel/$REMOTE_EXT_IP-$LOCAL_EXT_IP/unique;
spdadd $REMOTE_LAN/$REMOTE_SUBNET_MASK $LOCAL_LAN/$LOCAL_SUBNET_MASK any -P in ipsec esp/tunnel/$REMOTE_EXT_IP-$LOCAL_EXT_IP/unique;
spdadd $LOCAL_EXT_IP $REMOTE_EXT_IP any -P out ipsec esp/tunnel/$LOCAL_EXT_IP-$REMOTE_EXT_IP/unique;
spdadd $LOCAL_LAN/$LOCAL_SUBNET_MASK $REMOTE_LAN/$REMOTE_SUBNET_MASK any -P out ipsec esp/tunnel/$LOCAL_EXT_IP-$REMOTE_EXT_IP/unique;
END

#here comes the shitty part with iptables
iptables -A INPUT -p udp -s $REMOTE_EXT_IP -d $LOCAL_EXT_IP --dport 500 -j ACCEPT
iptables -A INPUT -p udp -s $REMOTE_EXT_IP -d $LOCAL_EXT_IP --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -s $REMOTE_EXT_IP -d $LOCAL_EXT_IP -j ACCEPT
iptables -A INPUT -p ah -s $REMOTE_EXT_IP -d $LOCAL_EXT_IP -j ACCEPT
iptables -A INPUT -p udp -s $REMOTE_EXT_IP -d $LOCAL_EXT_IP --dport 50 -j ACCEPT
iptables -A INPUT -p tcp -s $REMOTE_EXT_IP -d $LOCAL_EXT_IP --dport 50 -j ACCEPT
iptables -A INPUT -p tcp -s $REMOTE_EXT_IP -d $LOCAL_EXT_IP --dport 80 -j ACCEPT

#now the same with output
iptables -A OUTPUT -p udp -d $REMOTE_EXT_IP -s $LOCAL_EXT_IP --sport 500 -j ACCEPT
iptables -A OUTPUT -p udp -d $REMOTE_EXT_IP -s $LOCAL_EXT_IP --sport 4500 -j ACCEPT
iptables -A OUTPUT -p esp -d $REMOTE_EXT_IP -s $LOCAL_EXT_IP -j ACCEPT
iptables -A OUTPUT -p ah -d $REMOTE_EXT_IP -s $LOCAL_EXT_IP -j ACCEPT
iptables -A OUTPUT -p udp -d $REMOTE_EXT_IP -s $LOCAL_EXT_IP --sport 50 -j ACCEPT
iptables -A OUTPUT -p tcp -d $REMOTE_EXT_IP -s $LOCAL_EXT_IP --sport 50 -j ACCEPT
iptables -A OUTPUT -p tcp -d $REMOTE_EXT_IP -s $LOCAL_EXT_IP --sport 80 -j ACCEPT

#if we use masquerade
iptables -t nat -I POSTROUTING 1 -p 50 -j ACCEPT

ip route add 192.168.x.0/23 via $LOCAL_EXT_IP src 192.168.y.1
For now I run this last script by hand (I am still in a testing phase, after all) before starting racoon itself with "racoon -F -v".
I.e. the full sequence for bringing up the tunnel is:
$ /etc/racoon/setkey.sh
$ racoon -F -v
On 7/31/06, Kamen Medarski <kamedarski@xxxxxxxxx> wrote:
Why don't you also send the contents of the policies, just in case?
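A sanity check for the setkey policies posted above, added here as an example (it is not from the post, nor from racoon or ipsec-tools): it parses the four spdadd lines, verifies that every out policy has a mirrored in policy with the tunnel endpoints swapped, flags overlapping selectors, and reports which tunnel an outbound LAN packet would enter. The gateway and LAN addresses are constructed placeholders (RFC 5737 documentation addresses and assumed private subnets), not the poster's real values.

```python
import ipaddress
import re

# Constructed sample input (not the poster's): the four spdadd lines above with
# a.b.c.d / q.w.e.r replaced by RFC 5737 addresses (192.0.2.1 = local gateway,
# 198.51.100.1 = remote ZyWALL) and LANs assumed as 192.168.10.0/24 / 192.168.20.0/23.
SETKEY_SPD = """
spdadd 198.51.100.1 192.0.2.1 any -P in ipsec esp/tunnel/198.51.100.1-192.0.2.1/unique;
spdadd 192.168.20.0/23 192.168.10.0/24 any -P in ipsec esp/tunnel/198.51.100.1-192.0.2.1/unique;
spdadd 192.0.2.1 198.51.100.1 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/unique;
spdadd 192.168.10.0/24 192.168.20.0/23 any -P out ipsec esp/tunnel/192.0.2.1-198.51.100.1/unique;
"""

SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+esp/tunnel/([^-]+)-([^/]+)/\w+;")


def parse_spd(text):
    """Parse spdadd lines into selector networks, direction and tunnel endpoints."""
    policies = []
    for src, dst, direction, t_src, t_dst in SPD_RE.findall(text):
        policies.append({
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "dir": direction,
            "tunnel": (str(ipaddress.ip_address(t_src)), str(ipaddress.ip_address(t_dst))),
        })
    return policies


def check_spd(policies):
    """Return human-readable problems; an empty list means the SPD is self-consistent."""
    problems = []
    for p in policies:
        # A policy needs a mirror in the other direction (selectors and tunnel swapped),
        # otherwise one side's traffic bypasses the tunnel or is dropped by the kernel.
        if not any(q["dir"] != p["dir"] and q["src"] == p["dst"] and q["dst"] == p["src"]
                   and q["tunnel"] == p["tunnel"][::-1] for q in policies):
            problems.append(f"{p['dir']} policy {p['src']} -> {p['dst']} has no matching mirror")
        # Overlapping selectors (e.g. a remote /23 that also covers the local /24) are a
        # classic cause of "the route is there but traffic never enters the tunnel".
        if p["src"].overlaps(p["dst"]):
            problems.append(f"selectors {p['src']} and {p['dst']} overlap")
    return problems


def tunnel_for(policies, src, dst):
    """Return the (local, remote) tunnel endpoints an outbound src->dst packet uses, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == "out" and src in p["src"] and dst in p["dst"]:
            return p["tunnel"]
    return None
```

Feeding it the output of `setkey -DP` instead of the script text shows what the kernel actually loaded, which is the more useful comparison when racoon negotiates but LAN traffic still goes out in the clear.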