====== IPsec (Debian-Cisco) "Transport mode" ======

Both peers must agree on the IKE phase 1 proposal (3DES, SHA-1, DH group 2, pre-shared key, 1 hour lifetime) and on the phase 2 transform (ESP with 3DES and HMAC-SHA1, PFS group 2); a mismatch in any of these is the usual reason a tunnel never comes up. These algorithms are what the lab was built with and are legacy today: where the equipment supports it, move both sides to AES and a stronger DH group.

==== Cisco: ====

<code>
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key YOURKEY address 10.20.30.42 no-xauth
!
!
crypto ipsec transform-set hostb-transform esp-3des esp-sha-hmac
 mode transport
!
crypto map hostb-cryptomap 1 ipsec-isakmp
 set peer 10.20.30.42
 set transform-set hostb-transform
 set pfs group2
 match address hostb-list
!
interface FastEthernet0/1
 ip address 10.20.30.40 255.255.255.0
 duplex auto
 speed auto
 crypto map hostb-cryptomap
!
ip access-list extended hostb-list
 permit ip host 10.20.30.40 host 10.20.30.42
!
</code>

Debugging on the router:

<code>
# enable IKE debugging
debug crypto isakmp
# enable IPsec debugging
debug crypto ipsec
# disable all debugging
no debug all
</code>

==== Debian: ====

> **apt-get install racoon ipsec-tools**

SPD for setkey (the setkey init script loads ''/etc/ipsec-tools.conf''); the two entries mirror the Cisco ACL, one per direction:

<code>
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 10.20.30.42 10.20.30.40 any -P out ipsec esp/transport//require;
spdadd 10.20.30.40 10.20.30.42 any -P in ipsec esp/transport//require;
</code>

''/etc/racoon/racoon.conf'':

<code>
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote 10.20.30.40 {
        exchange_mode main;
        lifetime time 1 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
</code>

''/etc/racoon/psk.txt'' (peer address and the same key as in ''crypto isakmp key''; the file must be owned by root with mode 600, otherwise racoon refuses to use it):

<code>
10.20.30.40 YOURKEY
</code>

>**/etc/init.d/setkey restart**
>**/etc/init.d/racoon restart**

<code>
# check that the traffic goes through the tunnel - it should show up as ESP packets
tcpdump -i eth0
# for troubleshooting the tunnel
tail -f /var/log/daemon.log
# run racoon in the foreground in debug mode (stop the service first)
racoon -d -v -F -f /etc/racoon/racoon.conf
</code>

====== IPsec (Debian-Cisco) "Tunnel mode" ======

{{:wiki:site:obecne:vpn-lab.png?300|}}

Here the Debian host (192.168.100.2) talks to the host 10.0.0.2 behind the router's Vlan1. The IKE/ESP endpoints are 192.168.100.2 and 192.168.100.100, while the protected selector is 192.168.100.2 <-> 10.0.0.2. The Cisco ACL, the setkey SPD entries and the racoon ''sainfo'' block must all describe this same selector. The transform set has no ''mode transport'' line, so it defaults to tunnel mode. The Debian host also needs a route to 10.0.0.0/24 via 192.168.100.100 so that packets for 10.0.0.2 are emitted on eth0, where the policy applies.

==== Cisco: ====

<code>
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key KEY-TEST address 192.168.100.2 no-xauth
!
!
crypto ipsec transform-set TS-TEST esp-3des esp-sha-hmac
!
crypto map CRYPTOMAP-TEST 1 ipsec-isakmp
 set peer 192.168.100.2
 set transform-set TS-TEST
 set pfs group2
 match address ACL-TEST
!
interface FastEthernet0/0
 ip address 192.168.100.100 255.255.255.0
 duplex auto
 speed auto
 crypto map CRYPTOMAP-TEST
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
!
!
ip access-list extended ACL-TEST
 permit ip host 10.0.0.2 host 192.168.100.2
</code>

Debugging on the router:

<code>
# enable IKE debugging
debug crypto isakmp
# enable IPsec debugging
debug crypto ipsec
# disable all debugging
no debug all
</code>

==== Debian: ====

> **apt-get install racoon ipsec-tools**

SPD for setkey (''/etc/ipsec-tools.conf''); the inner selector is the host pair, the outer addresses after ''esp/tunnel/'' are the SA endpoints:

<code>
flush;
spdflush;
spdadd 192.168.100.2/32 10.0.0.2/32 any -P out ipsec esp/tunnel/192.168.100.2-192.168.100.100/require;
spdadd 10.0.0.2/32 192.168.100.2/32 any -P in ipsec esp/tunnel/192.168.100.100-192.168.100.2/require;
</code>

''/etc/racoon/racoon.conf'':

<code>
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote 192.168.100.100 {
        exchange_mode main;
        lifetime time 1 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 192.168.100.2/32 any address 10.0.0.2/32 any {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
</code>

''/etc/racoon/psk.txt'' (mode 600, owned by root):

<code>
192.168.100.100 KEY-TEST
</code>

>**/etc/init.d/setkey restart**
>**/etc/init.d/racoon restart**

<code>
# check that the traffic goes through the tunnel - it should show up as ESP packets
tcpdump -i eth0
# for troubleshooting the tunnel
tail -f /var/log/daemon.log
# run racoon in the foreground in debug mode (stop the service first)
racoon -d -v -F -f /etc/racoon/racoon.conf
</code>
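The last step in both labs above is "watch tcpdump and expect ESP". The script below is an added example, not part of this wiki page, that turns that eyeballing into an automated check: it parses ''tcpdump -n'' output (numeric addresses, unlike the ''tcpdump -i eth0'' above, which resolves names), counts ESP and IKE packets between the SA endpoints, and reports any cleartext packet that matches a protected selector pair, which means the SPD/ACL did not catch it. It also flags an ESP sequence number that does not increase per (sender, SPI). The capture embedded in it is constructed for the transport-mode addresses; the tunnel-mode case is covered by passing the inner addresses as the selector, as the usage line shows. The file name ''esp_audit.py'' is an assumption.

```python
"""Audit `tcpdump -n` output between two IPsec peers for cleartext leaks.

Rule checked: every packet that matches a protected selector pair must be
ESP between the SA endpoints; the only cleartext allowed between the
endpoints is IKE (UDP 500/4500). ESP sequence numbers are also checked for
going backwards per (sender, SPI), which points at a replay or a
duplicated capture.
"""
import re
import sys

# Start of a `tcpdump -n` IPv4 line: timestamp, src[.port], dst[.port], summary.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
# tcpdump prints ESP as "ESP(spi=0x...,seq=0x...), length N".
ESP_RE = re.compile(r"^ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\)")
IKE_PORTS = {500, 4500}  # IKE and NAT-T


def parse_line(line):
    """Describe one tcpdump line; None if it is not an IPv4 packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "src": m["src"], "dst": m["dst"],
        "sport": int(m["sport"]) if m["sport"] else None,
        "dport": int(m["dport"]) if m["dport"] else None,
        "kind": "clear", "spi": None, "seq": None,
        "summary": m["rest"].split(",")[0],
    }
    esp = ESP_RE.match(m["rest"])
    if esp:
        rec.update(kind="esp", spi=int(esp["spi"], 16), seq=int(esp["seq"], 16))
    elif rec["sport"] in IKE_PORTS and rec["dport"] in IKE_PORTS:
        rec["kind"] = "ike"
    return rec


def audit(lines, sa_endpoints, selectors):
    """Return a report dict: esp/ike counts, leaks, stray ESP, sequence warnings.

    sa_endpoints: (addr_a, addr_b) of the two IKE/ESP peers.
    selectors: list of (src, dst) pairs the SPD/ACL protects, checked in both
    directions. In transport mode these equal the endpoints; in tunnel mode
    they are the inner addresses.
    """
    endpoints = frozenset(sa_endpoints)
    pairs = {tuple(p) for p in selectors} | {tuple(reversed(p)) for p in selectors}
    report = {"esp": 0, "ike": 0, "leaks": [], "stray_esp": [], "seq_warnings": []}
    last_seq = {}
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        flow = frozenset((rec["src"], rec["dst"]))
        if rec["kind"] == "esp":
            if flow != endpoints:
                report["stray_esp"].append((n, rec["src"], rec["dst"]))
                continue
            report["esp"] += 1
            key = (rec["src"], rec["spi"])
            if rec["seq"] <= last_seq.get(key, 0):
                report["seq_warnings"].append((n, hex(rec["spi"]), rec["seq"]))
            last_seq[key] = max(last_seq.get(key, 0), rec["seq"])
        elif rec["kind"] == "ike":
            if flow == endpoints:
                report["ike"] += 1
        elif (rec["src"], rec["dst"]) in pairs:
            report["leaks"].append((n, rec["src"], rec["dst"], rec["summary"]))
    return report


# Constructed sample (not a real capture) for the transport-mode lab above.
# Line 6 is a cleartext ping between the peers (a policy leak), line 7 goes to
# an unrelated host and is ignored, line 8 repeats an ESP sequence number.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 10.20.30.42.500 > 10.20.30.40.500: isakmp: phase 1 I ident
12:00:00.000002 IP 10.20.30.40.500 > 10.20.30.42.500: isakmp: phase 1 R ident
12:00:00.100000 IP 10.20.30.42 > 10.20.30.40: ESP(spi=0x0c1d2e3f,seq=0x1), length 116
12:00:00.100100 IP 10.20.30.40 > 10.20.30.42: ESP(spi=0x4a5b6c7d,seq=0x1), length 116
12:00:01.100000 IP 10.20.30.42 > 10.20.30.40: ESP(spi=0x0c1d2e3f,seq=0x2), length 116
12:00:02.000000 IP 10.20.30.42 > 10.20.30.40: ICMP echo request, id 7, seq 1, length 64
12:00:02.000500 IP 10.20.30.42.45012 > 10.20.30.41.22: Flags [S], seq 12345, win 64240, length 0
12:00:03.000000 IP 10.20.30.42 > 10.20.30.40: ESP(spi=0x0c1d2e3f,seq=0x2), length 116
"""


def audit_transport_sample():
    """Run the audit over the constructed sample with the lab's transport-mode addresses."""
    peers = ("10.20.30.42", "10.20.30.40")
    return audit(SAMPLE_CAPTURE.splitlines(), sa_endpoints=peers, selectors=[peers])


if __name__ == "__main__":
    # Usage: tcpdump -n -i eth0 | python3 esp_audit.py PEER_A PEER_B [INNER_SRC INNER_DST]
    # Transport lab: esp_audit.py 10.20.30.42 10.20.30.40
    # Tunnel lab:    esp_audit.py 192.168.100.2 192.168.100.100 192.168.100.2 10.0.0.2
    if len(sys.argv) >= 3:
        ends = (sys.argv[1], sys.argv[2])
        sel = [(sys.argv[3], sys.argv[4])] if len(sys.argv) >= 5 else [ends]
        rep = audit(sys.stdin, ends, sel)
    else:
        rep = audit_transport_sample()
    for k, v in rep.items():
        print(f"{k}: {v}")
    sys.exit(1 if rep["leaks"] or rep["stray_esp"] or rep["seq_warnings"] else 0)
```

Run without arguments it audits the embedded sample and exits non-zero because of the cleartext ping and the repeated sequence number; piped from a live ''tcpdump -n'' it reports on the real traffic. A non-empty ''leaks'' list means packets the SPD/ACL should have protected left the interface in the clear, which is the failure mode to look for after a ''setkey restart'' wiped the policies but racoon still has SAs up.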