пятница, 1 июля 2016 г.

IPSEC ( GRE tunnel) Cisco + Debian 8 racoon

2.2.2.0/24 ####Cisco#### 10.66.66.1/30 <--------> 10.66.66.2/30####Debina8#####3.3.3.0/24
                                       10.0.0.1<---------GRE--------->10.0.0.2

#########################################################
### Cisco ###
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key test address 10.66.66.2
!
!
crypto ipsec transform-set tunnel esp-3des esp-sha-hmac
!
crypto ipsec profile VPN
 set transform-set tunnel
 set pfs group2
!
!
!
interface Loopback1
 ip address 2.2.2.1 255.255.255.0
!
interface Tunnel1
 ip address 10.0.0.1 255.255.255.0
 tunnel source 10.66.66.1
 tunnel destination 10.66.66.2
 tunnel protection ipsec profile VPN
!
interface FastEthernet0/0
 ip address 10.66.66.1 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
 duplex auto
 speed auto
!
ip route 3.3.3.0 255.255.255.0 10.0.0.2
!
!
!
access-list 100 permit gre host 10.66.66.2 host 10.66.66.1
access-list 100 permit esp host 10.66.66.2 host 10.66.66.1
access-list 100 permit ahp host 10.66.66.2 host 10.66.66.1
access-list 100 permit udp host 10.66.66.2 host 10.66.66.1eq isakmp
access-list 100 deny   ip any any
access-list 101 permit gre host 10.66.66.1host 10.66.66.2 
access-list 101 permit esp host 10.66.66.1host 10.66.66.2 
access-list 101 permit ahp host 10.66.66.1host 10.66.66.2 
access-list 101 permit udp host 10.66.66.1host 10.66.66.2 eq isakmp
access-list 101 deny   ip any any
!




##############################################
### Debian8 ###

modprobe gre
ip tunnel add tun1 mode gre remote 10.66.66.1 local 10.66.66.2
ifconfig tun1 10.0.0.2 pointopoint 10.0.0.1 up

или

auto tun1
iface tun1 inet tunnel
        address 10.0.0.2
        netmask 255.255.255.252
        dstaddr 10.0.0.1
        local 10.66.66.2
        endpoint 10.66.66.1
        mode gre


root@debian:/home/tuhvatov# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:a6:d5:e4 brd ff:ff:ff:ff:ff:ff
    inet 10.66.66.2/24 brd 10.66.66.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fea6:d5e4/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6c:0e:82 brd ff:ff:ff:ff:ff:ff
    inet 192.168.205.230/23 brd 192.168.205.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet 3.3.3.1/24 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe6c:e82/64 scope link
       valid_lft forever preferred_lft forever
4: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default
    link/gre 0.0.0.0 brd 0.0.0.0
5: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: tun1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default
    link/gre 10.66.66.2 peer 10.66.66.1
    inet 10.0.0.2 peer 10.0.0.1/32 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::5efe:a42:4202/64 scope link
       valid_lft forever preferred_lft forever


/etc/racoon/racoon.conf
remote 10.66.66.1 {
        exchange_mode main,aggressive;
        lifetime time 28800 sec;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo address 10.66.66.2/32 47 address 10.66.66.1/32 47 {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}

/etc/ipsec-tools.conf

flush;

spdflush;

spdadd 10.66.66.2/32 10.66.66.1/32 47 -P out ipsec

           esp/tunnel/10.66.66.2-10.66.66.1/require;



spdadd 10.66.66.1/32 10.66.66.2/32 47 -P in ipsec

           esp/tunnel/10.66.66.1-10.66.66.2/require;

iptables -P INPUT     DROP
iptables -P FORWARD   DROP
iptables -P OUTPUT    ACCEPT
iptables -t filter -A INPUT -i tun1 -j ACCEPT
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p gre -j ACCEPT
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p esp -j ACCEPT
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT

https://www.altlinux.org/VPN_c_%D0%B4%D0%B8%D0%BD%D0%B0%D0%BC%D0%B8%D1%87%D0%B5%D1%81%D0%BA%D0%BE%D0%B9_%D0%BC%D0%B0%D1%80%D1%88%D1%80%D1%83%D1%82%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D0%B5%D0%B9_(GRE_Racoon_OSPF)

http://www.rhd.ru/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-ipsec-host2host.html

Комментариев нет:

Отправить комментарий