Differences

This shows you the differences between two versions of the page.

--- wiki:site:obecne:ipsec [2013/03/11 15:04]
root vytvořeno
+++ wiki:site:obecne:ipsec [2014/12/26 18:31] (current)
@@ Line 1: / Line 1: @@
-====== IPsec (Debian-Cisco) ======
+====== IPsec (Debian-Cisco) "Transportní mód" ======
 ==== Cisco: ====
@@ Line 31: / Line 31: @@
 </code>
+<code>
+# enable IKE debugging
+debug crypto isakmp
+# enable IPSec debugging
+debug crypto ipsec
+# disable all debugging
+no debug all
+</code>
 ==== Debian: ====
-apt-get install racoon ipsec-tools
+> **apt-get install racoon ipsec-tools**
-<file||/etc/ipsec-tools.conf>
+<file | /etc/ipsec-tools.conf>
 #!/usr/sbin/setkey -f
@@ Line 46: / Line 56: @@
   esp/transport//require;
 </file>
+<file | /etc/racoon/racoon.conf>
+path pre_shared_key "/etc/racoon/psk.txt";
+path certificate "/etc/racoon/certs";
+remote 10.20.30.40 {
+    exchange_mode main;
+    lifetime time 1 hour;
+    proposal {
+        encryption_algorithm 3des;
+        hash_algorithm sha1;
+        authentication_method pre_shared_key;
+        dh_group 2;
+    }
+}
+sainfo anonymous
+{
+    pfs_group 2;
+    lifetime time 1 hour;
+    encryption_algorithm 3des;
+    authentication_algorithm hmac_sha1;
+    compression_algorithm deflate;
+}
+</file>
+<file | /etc/racoon/psk.txt>
+.20.30.40 YOURKEY
+</file>
+>**/etc/init.d/setkey restart**
+>**/etc/init.d/racoon restart**
+<code>
+# kontrola, jestli data jdou tunelem - mely by byt videt jako ESP pakety
+tcpdump -i eth0
+# pro troubleshooting tunelu
+tail -f /var/log/daemon.log
+# spuštění racoonu v popředí v debug módu (před tím je dobré zastavit službu)
+racoon -d -v -F -f /etc/racoon/racoon.conf
+</code>
+====== IPsec (Debian-Cisco) "Tunnel mód" ======
+{{:wiki:site:obecne:vpn-lab.png?300|}}
+==== Cisco: ====
+<code>
+crypto isakmp policy 1
+ encr 3des
+ authentication pre-share
+ group 2
+ lifetime 3600
+crypto isakmp key KEY-TEST address 192.168.100.2 no-xauth
+!
+!
+crypto ipsec transform-set TS-TEST esp-3des esp-sha-hmac
+!
+crypto map CRYPTOMAP-TEST 1 ipsec-isakmp
+ set peer 192.168.100.2
+ set transform-set TS-TEST
+ set pfs group2
+ match address ACL-TEST
+!
+interface FastEthernet0/0
+ ip address 192.168.100.100 255.255.255.0
+ duplex auto
+ speed auto
+ crypto map CRYPTOMAP-TEST
+!
+interface Vlan1
+ ip address 10.0.0.1 255.255.255.0
+!
+!
+ip access-list extended ACL-TEST
+ permit ip host 10.0.0.2 host 192.168.100.2
+</code>
+<code>
+# enable IKE debugging
+debug crypto isakmp
+# enable IPSec debugging
+debug crypto ipsec
+# disable all debugging
+no debug all
+</code>
+==== Debian: ====
+> **apt-get install racoon ipsec-tools**
+<file | /etc/ipsec-tools.conf>
+flush;
+spdflush;
+spdadd 192.168.100.2/32 10.0.0.2/32  any -P out ipsec
+   esp/tunnel/192.168.100.2-192.168.100.100/require;
+spdadd 10.0.0.2/32 192.168.100.2/32 any -P in ipsec
+   esp/tunnel/192.168.100.100-192.168.100.2/require;
+</file>
+<file | /etc/racoon/racoon.conf>
+path pre_shared_key "/etc/racoon/psk.txt";
+path certificate "/etc/racoon/certs";
+remote 192.168.100.100 {
+        exchange_mode main;
+        lifetime time 1 hour;
+        proposal {
+                encryption_algorithm 3des;
+                hash_algorithm sha1;
+                authentication_method pre_shared_key;
+                dh_group 2;
+        }
+}
+sainfo address 192.168.100.2/32 any address 10.0.0.2/32 any {
+        pfs_group 2;
+        lifetime time 1 hour;
+        encryption_algorithm 3des;
+        authentication_algorithm hmac_sha1;
+        compression_algorithm deflate;
+}
+</file>
+<file | /etc/racoon/psk.txt>
+.168.100.100 KEY-TEST
+</file>
+>**/etc/init.d/setkey restart**
+>**/etc/init.d/racoon restart**
+<code>
+# kontrola, jestli data jdou tunelem - mely by byt videt jako ESP pakety
+tcpdump -i eth0
+# pro troubleshooting tunelu
+tail -f /var/log/daemon.log
+# spuštění racoonu v popředí v debug módu (před tím je dobré zastavit službu)
+racoon -d -v -F -f /etc/racoon/racoon.conf
+</code>

wiki.lkaplan.cz

User Tools

Site Tools

Differences

Page Tools