Cisco global IP - xxx.xxx.xxx.xxx
Cisco ipinip IP - 10.1.252.5/30
Linux global IP - yyy.yyy.yyy.yyy
Linux ipinip IP - 10.1.252.6/30
/etc/ipsec-tools.conf:
Cisco ipinip IP - 10.1.252.5/30
Linux global IP - yyy.yyy.yyy.yyy
Linux ipinip IP - 10.1.252.6/30
IPIP
host
# Create the IP-in-IP tunnel toward the Cisco peer. xxx/yyy are the
# public-address placeholders listed at the top of the page.
sudo ip tunnel add tun0 mode ipip remote xxx.xxx.xxx.xxx local yyy.yyy.yyy.yyy
# Inner (tunnel) address of this end; the Cisco end is 10.1.252.5 in the same /30.
sudo ip addr add 10.1.252.6/30 dev tun0
# Plain IPIP provides no confidentiality or authentication by itself; the
# setkey policy further down ("ipencap -P ... ipsec esp/transport/.../require")
# is what makes the tunnel traffic go through IPsec.
sudo ip link set up dev tun0
router
! Tunnel173: IP-in-IP tunnel toward the Linux host
interface Tunnel173
! Inner address; the Linux end is 10.1.252.6/30
ip address 10.1.252.5 255.255.255.252
tunnel source xxx.xxx.xxx.xxx
tunnel destination yyy.yyy.yyy.yyy
! ipip (not gre): matches "mode ipip" on the host and "permit ipinip" in ACL IPSEC-173
tunnel mode ipip
! NOTE(review): keepalives are sent source->destination as tunnel traffic, so they
! presumably fall under the same IPsec policy as the payload; verify before relying
! on them to detect a dead IPsec SA
keepalive 15
exit
IPSec
host
/etc/racoon/racoon.conf:
log debug;
# "log debug;" above is the verbose setting used while bringing the tunnel up;
# it logs negotiation details, so lower it once the SA is stable.
# PSK file: one "<peer-address> <key>" line per peer; the key must be the same
# one configured with "crypto isakmp key" on the Cisco side.
path pre_shared_key "/etc/racoon/psk.txt";
listen {
# racoonctl admin socket, owned root:operator, mode 0660 -- members of the
# "operator" group can manage SAs through it.
adminsock "/var/run/racoon/racoon.sock" "root" "operator" 0660;
}
# Phase 1 (IKEv1) settings for the Cisco peer.
remote xxx.xxx.xxx.xxx {
# main mode protects the peer identities during the exchange (unlike aggressive mode).
exchange_mode main;
# tell the peer to discard any stale SAs from a previous run of this host.
initial_contact on;
# obey: as responder, accept the initiator's lifetime/PFS choices.
# NOTE(review): the Cisco "crypto isakmp policy" it has to match is not shown on this page.
proposal_check obey;
proposal {
# NOTE(review): 3des / md5 / modp1024 are legacy choices; moving to e.g. aes,
# sha256 and a larger DH group requires the matching change in the Cisco isakmp
# policy, so the two sides have to be updated together.
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
# Phase 2 (IPsec SA) for traffic between the two public addresses restricted to
# upper-layer protocol 4 (IP-in-IP) -- the same selector as "ipencap" in the setkey policy.
sainfo address yyy.yyy.yyy.yyy/32 4 address xxx.xxx.xxx.xxx/32 4 {
lifetime time 1800 seconds;
# NOTE(review): 3des/hmac_md5 here must match the Cisco transform-set "VPN" (not shown).
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
# pfs_group 2 == modp1024; matches "set pfs group2" in the Cisco crypto map.
pfs_group 2;
}
/etc/ipsec-tools.conf:
#!/usr/sbin/setkey -f
# Clear existing SAs and policies before installing the new ones.
flush;
spdflush;
# Outbound policy: IP-in-IP ("ipencap", protocol 4) between the two public
# addresses must be protected by ESP in transport mode. "require" means such
# packets are not sent in clear: without an SA the kernel asks racoon to
# negotiate one and drops the packet meanwhile.
spdadd yyy.yyy.yyy.yyy/32 xxx.xxx.xxx.xxx/32 ipencap -P out ipsec
esp/transport/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
# Mirror policy for the inbound direction, so unprotected IPIP from the peer is rejected.
spdadd xxx.xxx.xxx.xxx/32 yyy.yyy.yyy.yyy/32 ipencap -P in ipsec
esp/transport/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
router
! Pre-shared key for the Linux peer. "keymaster" is a weak placeholder value:
! use a long random key and keep it out of shared notes like this page.
! The same key goes into /etc/racoon/psk.txt on the Linux side.
crypto isakmp key keymaster address yyy.yyy.yyy.yyy
! Entry 173 of crypto map VPN-CM. The transform-set "VPN" and the isakmp policy
! it relies on are not shown on this page.
crypto map VPN-CM 173 ipsec-isakmp
set peer yyy.yyy.yyy.yyy
set transform-set VPN
! group2 (modp1024) must match "pfs_group 2" in racoon's sainfo block
set pfs group2
match address IPSEC-173
exit
! Interesting traffic: only IP-in-IP (protocol 4) between the two public
! addresses, i.e. the same selector as the setkey "ipencap" policy.
ip access-list extended IPSEC-173
permit ipinip host xxx.xxx.xxx.xxx host yyy.yyy.yyy.yyy
! NOTE(review): the map still has to be bound with "crypto map VPN-CM" on the
! outside interface; that step is not shown here.
end