2.2.2.0/24 ####Cisco#### 10.66.66.1/30 <--------> 10.66.66.2/30####Debian8#####3.3.3.0/24
##########################################################
### Cisco ###
! Phase 1 (IKEv1 / ISAKMP). 3DES and DH group 2 are legacy choices, and no
! "hash" is set so the IOS default (presumably SHA-1 - confirm with
! "show crypto isakmp policy") applies. The racoon "remote 10.66.66.1"
! proposal on the Debian side is written to match this exactly, so change
! both ends together.
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
! 28800 s matches racoon's "lifetime time 28800 sec"; the IOS default is longer.
lifetime 28800
! Pre-shared key for the racoon peer, stored here in clear text; anyone who
! can read the running config (or a backup of it) can read the key.
crypto isakmp key test address 10.66.66.2
!
!
! Phase 2 transform: ESP with 3DES + HMAC-SHA1, tunnel mode (the default).
! Counterpart of the racoon "sainfo" block.
crypto ipsec transform-set tunnel esp-3des esp-sha-hmac
!
! Static crypto map: single peer, PFS group 2 (racoon: "pfs_group 2") and
! the interesting-traffic ACL MY-ACL defined at the end of this config.
crypto map TEST 1 ipsec-isakmp
set peer 10.66.66.2
set transform-set tunnel
set pfs group2
match address MY-ACL
!
!
!
!
!
! Simulated local LAN 2.2.2.0/24 behind the router.
interface Loopback1
ip address 2.2.2.1 255.255.255.0
!
! Outside interface. NOTE(review): the diagram at the top shows a /30 link,
! but this side and the Debian eth0 are both configured /24 - consistent
! with each other, not with the picture. The crypto map must be applied
! here, on the interface the tunnel traffic leaves through.
interface FastEthernet0/0
ip address 10.66.66.1 255.255.255.0
duplex auto
speed auto
crypto map TEST
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
! Route to the remote LAN via the peer so packets for 3.3.3.0/24 leave via
! Fa0/0, where the crypto map can match them against MY-ACL.
ip route 3.3.3.0 255.255.255.0 10.66.66.2
! Management web UI disabled on both the plaintext and the TLS port.
no ip http server
no ip http secure-server
!
!
!
! Interesting traffic (wildcard masks): local 2.2.2.0/24 to remote
! 3.3.3.0/24, the mirror image of the racoon sainfo / setkey SPD entries.
! The explicit "deny ip any any" only restates the implicit deny.
ip access-list extended MY-ACL
permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
deny ip any any
!
######################################
######## Мониторинг
root@debian:/etc# racoonctl -ll ss isakmp
Source Destination Cookies ST S V E Created Phase2
10.66.66.2.500 10.66.66.1.500 2f884599e608cee3:69f1cc4a2e88d065 9 I 10 M 2016-07-01 09:12:30 1
root@debian:/etc# tail -f /var/log/syslog | grep racoon
Jul 1 09:06:56 debian racoon: [10.66.66.1] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Jul 1 09:12:29 debian racoon: WARNING: attribute has been modified.
Jul 1 09:12:29 debian racoon: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
Jul 1 09:12:29 debian racoon: INFO: @(#)This product linked OpenSSL 1.0.1k 8 Jan 2015 (http://www.openssl.org/)
Jul 1 09:12:29 debian racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Jul 1 09:12:31 debian racoon: WARNING: attribute has been modified.
##########################################################
### Cisco ###
! Phase 1 (IKEv1 / ISAKMP). 3DES and DH group 2 are legacy choices, and no
! "hash" is set so the IOS default (presumably SHA-1 - confirm with
! "show crypto isakmp policy") applies. The racoon "remote 10.66.66.1"
! proposal on the Debian side is written to match this exactly, so change
! both ends together.
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
! 28800 s matches racoon's "lifetime time 28800 sec"; the IOS default is longer.
lifetime 28800
! Pre-shared key for the racoon peer, stored here in clear text; anyone who
! can read the running config (or a backup of it) can read the key.
crypto isakmp key test address 10.66.66.2
!
!
! Phase 2 transform: ESP with 3DES + HMAC-SHA1, tunnel mode (the default).
! Counterpart of the racoon "sainfo" block.
crypto ipsec transform-set tunnel esp-3des esp-sha-hmac
!
! Static crypto map: single peer, PFS group 2 (racoon: "pfs_group 2") and
! the interesting-traffic ACL MY-ACL defined at the end of this config.
crypto map TEST 1 ipsec-isakmp
set peer 10.66.66.2
set transform-set tunnel
set pfs group2
match address MY-ACL
!
!
!
!
!
! Simulated local LAN 2.2.2.0/24 behind the router.
interface Loopback1
ip address 2.2.2.1 255.255.255.0
!
! Outside interface. NOTE(review): the diagram at the top shows a /30 link,
! but this side and the Debian eth0 are both configured /24 - consistent
! with each other, not with the picture. The crypto map must be applied
! here, on the interface the tunnel traffic leaves through.
interface FastEthernet0/0
ip address 10.66.66.1 255.255.255.0
duplex auto
speed auto
crypto map TEST
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
! Route to the remote LAN via the peer so packets for 3.3.3.0/24 leave via
! Fa0/0, where the crypto map can match them against MY-ACL.
ip route 3.3.3.0 255.255.255.0 10.66.66.2
! Management web UI disabled on both the plaintext and the TLS port.
no ip http server
no ip http secure-server
!
!
!
! Interesting traffic (wildcard masks): local 2.2.2.0/24 to remote
! 3.3.3.0/24, the mirror image of the racoon sainfo / setkey SPD entries.
! The explicit "deny ip any any" only restates the implicit deny.
ip access-list extended MY-ACL
permit ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
deny ip any any
!
##############################################
### Debian8 ###
root@debian:/etc/init.d# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:a6:d5:e4 brd ff:ff:ff:ff:ff:ff
inet 10.66.66.2/24 brd 10.66.66.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fea6:d5e4/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:6c:0e:82 brd ff:ff:ff:ff:ff:ff
inet 192.168.205.230/23 brd 192.168.205.255 scope global eth1
valid_lft forever preferred_lft forever
inet 3.3.3.1/24 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe6c:e82/64 scope link
valid_lft forever preferred_lft forever
root@debian:/etc/racoon# cat /etc/racoon/psk.txt
# IPv4/v6 addresses
# One "<peer address> <key>" pair per line; the key is the same literal the
# Cisco "crypto isakmp key" line carries. NOTE(review): racoon is expected to
# refuse a key file that is group- or world-readable ("weak file permission"),
# so keep this root-owned and mode 0600 - verify with ls -l on the host.
10.66.66.1 test
root@debian:/etc/racoon# cat /etc/racoon/racoon.conf
# Log level at which the syslog excerpt further down was captured; raise it
# only while troubleshooting, the phase 1/2 parameters are logged verbosely.
log notify;
# Pre-shared keys are kept out of this file so it can be shared freely;
# the key file itself must stay root-only readable.
path pre_shared_key "/etc/racoon/psk.txt";
# Not used by this setup (authentication is pre_shared_key below).
path certificate "/etc/racoon/certs";
# Phase 1 with the Cisco peer; mirrors "crypto isakmp policy 5" on the
# router (3DES, SHA-1, PSK, DH group 2, 28800 s).
remote 10.66.66.1 {
# NOTE(review): accepting aggressive mode alongside main mode is wider than
# needed - the IOS policy above negotiates main mode, and with a PSK,
# aggressive mode exposes the key-derived hash to offline guessing. Unless
# the peer requires it, "exchange_mode main;" is the tighter setting.
exchange_mode main,aggressive;
# Same value as the router's "lifetime 28800".
lifetime time 28800 sec;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
# Phase 2 for the 3.3.3.0/24 <-> 2.2.2.0/24 pair; must agree with the
# router's transform set (esp-3des esp-sha-hmac) and "set pfs group2".
sainfo address 3.3.3.0/24 any address 2.2.2.0/24 any {
pfs_group 2;
# The router sets no IPsec SA lifetime, so it uses its default; if the two
# sides disagree on a lifetime attribute racoon logs "WARNING: attribute
# has been modified" - possibly what the syslog excerpt below shows, worth
# confirming with "show crypto ipsec sa" on the router.
lifetime time 3600 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
# IPComp is only negotiated when the SPD asks for it; the setkey policy
# below requests esp only, so this line is presumably inert - confirm.
compression_algorithm deflate ;
}
root@debian:/etc# cat /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# Security policy loaded by the ipsec-tools init script. The SPD only tells
# the kernel which traffic must be ESP-tunnelled; racoon negotiates the
# actual SAs with 10.66.66.1 on demand.
# Clear all existing SAs and policies first - reloading this file tears
# down any live tunnel.
flush;
spdflush;
# Outbound LAN-to-LAN traffic must ("require") leave in an ESP tunnel
# 10.66.66.2 -> 10.66.66.1; same selector as the router's MY-ACL, reversed.
spdadd 3.3.3.0/24 2.2.2.0/24 any -P out ipsec
esp/tunnel/10.66.66.2-10.66.66.1/require;
# Inbound direction. "require" also means plaintext packets that claim
# 2.2.2.0/24 as their source are discarded rather than accepted.
spdadd 2.2.2.0/24 3.3.3.0/24 any -P in ipsec
esp/tunnel/10.66.66.1-10.66.66.2/require;
######################################
######## Мониторинг
root@debian:/etc# racoonctl -ll ss isakmp
Source Destination Cookies ST S V E Created Phase2
10.66.66.2.500 10.66.66.1.500 2f884599e608cee3:69f1cc4a2e88d065 9 I 10 M 2016-07-01 09:12:30 1
root@debian:/etc# tail -f /var/log/syslog | grep racoon
Jul 1 09:06:56 debian racoon: [10.66.66.1] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
Jul 1 09:12:29 debian racoon: WARNING: attribute has been modified.
Jul 1 09:12:29 debian racoon: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
Jul 1 09:12:29 debian racoon: INFO: @(#)This product linked OpenSSL 1.0.1k 8 Jan 2015 (http://www.openssl.org/)
Jul 1 09:12:29 debian racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Jul 1 09:12:31 debian racoon: WARNING: attribute has been modified.