четверг, 30 июня 2016 г.

IPSEC (mode tunnel) Cisco + Debian 8 racoon

2.2.2.0/24 ####Cisco#### 10.66.66.1/30 <--------> 10.66.66.2/30####Debian8#####3.3.3.0/24

##########################################################
### Cisco ###

! Phase 1 (IKEv1 / ISAKMP) policy. There is no "hash" line, so the IOS default
! (SHA-1) applies. This has to line up with the racoon "remote 10.66.66.1"
! proposal on the Debian side: 3des / sha1 / pre_shared_key / dh_group 2 / 28800 s.
! NOTE(review): 3DES, SHA-1 and DH group 2 are legacy choices kept only to match
! the peer; AES, SHA-2 and DH group 14 or higher are the current baseline.
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
! PSK keyed by the peer's address (main mode identifies the peer by its IP).
! The lab value "test" must be the same string as in /etc/racoon/psk.txt.
crypto isakmp key test address 10.66.66.2
!
!
! Phase 2 (IPsec SA) proposal; racoon's sainfo uses 3des + hmac_sha1.
crypto ipsec transform-set tunnel esp-3des esp-sha-hmac
!
! Static crypto map: peer, transform set, PFS (racoon: pfs_group 2) and the
! crypto ACL that defines the proxy identities (must mirror racoon's sainfo).
crypto map TEST 1 ipsec-isakmp
 set peer 10.66.66.2
 set transform-set tunnel
 set pfs group2
 match address MY-ACL
!
!
!
!
!
! Loopback stands in for the 2.2.2.0/24 LAN behind the Cisco.
interface Loopback1
 ip address 2.2.2.1 255.255.255.0
!
! Peer-facing interface, where the crypto map is applied.
! NOTE: configured as /24 although the diagram above shows /30; the Debian side
! (eth0 10.66.66.2/24 in "ip a") is /24 as well, so /24 is what is in effect.
interface FastEthernet0/0
 ip address 10.66.66.1 255.255.255.0
 duplex auto
 speed auto
 crypto map TEST
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! Route the far LAN toward the peer so the traffic leaves via Fa0/0 and is
! matched by the crypto map.
ip route 3.3.3.0 255.255.255.0 10.66.66.2
no ip http server
no ip http secure-server
!
!
!
! Crypto ACL (proxy IDs): only 2.2.2.0/24 <-> 3.3.3.0/24 is protected.
! The explicit "deny ip any any" just restates the ACL's implicit final deny.
ip access-list extended MY-ACL
 permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
 deny   ip any any
!

##############################################
### Debian8 ###

root@debian:/etc/init.d# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:a6:d5:e4 brd ff:ff:ff:ff:ff:ff
    inet 10.66.66.2/24 brd 10.66.66.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fea6:d5e4/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6c:0e:82 brd ff:ff:ff:ff:ff:ff
    inet 192.168.205.230/23 brd 192.168.205.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet 3.3.3.1/24 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe6c:e82/64 scope link
       valid_lft forever preferred_lft forever


root@debian:/etc/racoon# cat /etc/racoon/psk.txt
# IPv4/v6 addresses
# Format: <peer identity> <key>. The identity is the Cisco's address and the key
# must equal the one in "crypto isakmp key ... address 10.66.66.2" on the Cisco.
# NOTE(review): keep this file mode 0600 — racoon rejects a key file that is
# group- or world-readable.
10.66.66.1      test


root@debian:/etc/racoon# cat /etc/racoon/racoon.conf
# Logging verbosity; "notify" is what produces the syslog lines shown below.
log notify;
# PSK file, one "<peer identity> <key>" line per peer.
# NOTE(review): it must not be group- or world-readable or racoon refuses it.
path pre_shared_key "/etc/racoon/psk.txt";
# Certificate directory; unused here because authentication is pre_shared_key.
path certificate "/etc/racoon/certs";


# Phase 1 parameters for the Cisco peer; mirrors "crypto isakmp policy 5".
remote 10.66.66.1 {
        # Main mode is listed first (it is what the address-keyed PSK on the
        # Cisco is used with); aggressive is accepted as well.
        # NOTE(review): with a PSK, aggressive mode exposes more of the
        # handshake to a passive observer than main mode; "main" alone would
        # be sufficient for this peer.
        exchange_mode main,aggressive;
        # ISAKMP SA lifetime; Cisco policy 5 also uses 28800.
        lifetime time 28800 sec;
        proposal {
                # Cisco: encr 3des
                encryption_algorithm 3des;
                # Cisco: default hash (SHA-1)
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                # Cisco: group 2
                dh_group 2;
        }
}

# Phase 2 (IPsec SA) parameters, selected by the traffic selectors. These must
# match the Cisco crypto ACL MY-ACL (2.2.2.0/24 <-> 3.3.3.0/24) and the SPD
# entries in /etc/ipsec-tools.conf.
sainfo address 3.3.3.0/24 any address 2.2.2.0/24 any {
        # PFS with DH group 2 ("set pfs group2" on the Cisco).
        pfs_group 2;
        # 3600 s is also the IOS default IPsec SA lifetime.
        lifetime time 3600 sec;
        # Cisco transform-set "tunnel": esp-3des esp-sha-hmac.
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        # IPComp offer; the Cisco transform set has no compression, so this is
        # presumably just not negotiated — TODO confirm.
        compression_algorithm deflate ;
}

root@debian:/etc# cat /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# Kernel Security Policy Database, loaded by the ipsec-tools (setkey) init script.
# Clear existing SAs and policies first so a reload starts from a clean state.
flush;
spdflush;
# Outbound: 3.3.3.0/24 -> 2.2.2.0/24 must use the ESP tunnel 10.66.66.2 -> 10.66.66.1.
# "require": without an SA the packet is not sent in the clear; the kernel asks
# racoon (ACQUIRE) to negotiate one.
spdadd 3.3.3.0/24 2.2.2.0/24 any -P out ipsec
           esp/tunnel/10.66.66.2-10.66.66.1/require;
# Inbound mirror image. Both entries must match the racoon sainfo selectors and
# the Cisco crypto ACL; traffic outside them (e.g. the 10.66.66.0/24 link itself)
# is not covered by any policy and passes unprotected.
spdadd 2.2.2.0/24 3.3.3.0/24 any -P in ipsec
           esp/tunnel/10.66.66.1-10.66.66.2/require;

######################################
######## Мониторинг
root@debian:/etc# racoonctl -ll ss isakmp
Source                                        Destination                                   Cookies                           ST S  V E Created             Phase2
10.66.66.2.500                                10.66.66.1.500                                2f884599e608cee3:69f1cc4a2e88d065  9 I 10 M 2016-07-01 09:12:30      1

root@debian:/etc# tail -f /var/log/syslog | grep racoon
Jul  1 09:06:56 debian racoon: [10.66.66.1] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Jul  1 09:12:29 debian racoon: WARNING: attribute has been modified.
Jul  1 09:12:29 debian racoon: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
Jul  1 09:12:29 debian racoon: INFO: @(#)This product linked OpenSSL 1.0.1k 8 Jan 2015 (http://www.openssl.org/)
Jul  1 09:12:29 debian racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Jul  1 09:12:31 debian racoon: WARNING: attribute has been modified.


среда, 15 июня 2016 г.

Ipsec Cisco + Mikrotik

Cisco 2811

!
! Phase 1 policy: AES-256, SHA-1 (IOS default, confirmed by "sh crypto isakmp
! policy" below), PSK, DH group 2, 8 h. The Mikrotik peer entry has to offer a
! matching suite.
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
!
! PSK keyed by the Mikrotik's WAN address; "SeCrEtKeY" is the page's sample value
! and must equal the "secret=" of the Mikrotik peer entry.
crypto isakmp key SeCrEtKeY address 99.251.150.181
!
! Phase 2 proposal: ESP AES-256 with HMAC-MD5 (Mikrotik proposal: md5 / aes-256-cbc).
! NOTE(review): MD5 is deprecated as an HMAC; SHA-1 or SHA-2 would be preferable
! on both ends.
crypto ipsec transform-set PEER1 esp-aes 256 esp-md5-hmac
!
! Crypto map entry 11. The 28800 s IPsec SA lifetime matches the Mikrotik
! "lifetime=8h"; PFS group 2 has to correspond to the Mikrotik proposal's
! (default, unset) pfs-group — TODO confirm.
crypto map OUT 11 ipsec-isakmp
 set peer 99.251.150.181
 set security-association lifetime seconds 28800
 set transform-set PEER1
 set pfs group2
 match address 112
!
! Crypto ACL (proxy IDs): only the single host 192.168.45.254 <-> 192.168.66.0/24.
! NOTE(review): the Mikrotik policy uses dst-address=192.168.45.0/24, which is
! wider than this host entry; IOS as responder rejects proxy IDs that do not fit
! the crypto ACL, so confirm which side initiates and that Phase 2 comes up.
access-list 112 permit ip host 192.168.45.254 192.168.66.0 0.0.0.255

Cisco2811#sh crypto isakmp policy

Global IKE policy
Protection suite of priority 3
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               28800 seconds, no volume limit



Mikrotik RB450G v6.27

# Addressing: LAN on ether2-master-local, WAN (tunnel endpoint) on ether1.
/ip address
add address=192.168.66.1/24 interface=ether2-master-local network=\
    192.168.66.0
add address=99.251.150.181/24 interface=ether1 network=\
    99.251.150.0

# Phase 2 proposal (edits the default one): HMAC-MD5 + AES-256-CBC, 8 h — matches
# the Cisco transform-set PEER1 and its 28800 s SA lifetime. pfs-group is left
# at its default, which has to correspond to the Cisco "set pfs group2" —
# TODO confirm.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=aes-256-cbc  lifetime=8h

# Phase 1 peer = the Cisco's WAN address.
# NOTE(review): this offers DES / MD5 in aggressive mode while Cisco policy 3 is
# AES-256 / SHA-1; unless another IKE policy on the Cisco accepts DES/MD5,
# Phase 1 cannot match — check "/ip ipsec remote-peers print" here and
# "show crypto isakmp sa" on the Cisco. DES and MD5 should be avoided regardless.
# The secret is shown in clear text by an export; use "/export hide-sensitive"
# when sharing a configuration.
/ip ipsec peer
add address=212.66.129.54/32 enc-algorithm=des exchange-mode=aggressive \
    hash-algorithm=md5 lifetime=8h nat-traversal=no secret=SeCrEtKeY
# Policy 0 is the built-in default; it is disabled so only the explicit tunnel
# policy applies. Selectors 192.168.66.0/24 <-> 192.168.45.0/24 between the two
# WAN addresses. NOTE(review): Cisco ACL 112 only permits host 192.168.45.254,
# so the /24 here is wider than what the Cisco expects — TODO confirm Phase 2
# establishes.
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.45.0/24 sa-dst-address=212.66.129.54 sa-src-address=\
    99.251.150.181 src-address=192.168.66.0/24 tunnel=yes