wiki:site:obecne:ipsec [2013/03/11 15:04] root vytvořeno |
wiki:site:obecne:ipsec [2014/12/26 18:31] (current) |
Line 1: | Line 1: | ||
- | ====== IPsec (Debian-Cisco) ====== | + | ====== IPsec (Debian-Cisco) |
==== Cisco: ==== | ==== Cisco: ==== | ||
Line 31: | Line 31: | ||
</ | </ | ||
+ | < | ||
+ | # enable IKE debugging | ||
+ | debug crypto isakmp | ||
+ | |||
+ | # enable IPSec debugging | ||
+ | debug crypto ipsec | ||
+ | |||
+ | # disable all debugging | ||
+ | no debug all | ||
+ | </ | ||
==== Debian: ==== | ==== Debian: ==== | ||
- | apt-get install racoon ipsec-tools | + | > **apt-get install racoon ipsec-tools** |
- | <file||/ | + | <file | / |
# | # | ||
Line 46: | Line 56: | ||
esp/ | esp/ | ||
</ | </ | ||
+ | |||
+ | <file | / | ||
+ | path pre_shared_key "/ | ||
+ | path certificate "/ | ||
+ | |||
+ | remote 10.20.30.40 { | ||
+ | exchange_mode main; | ||
+ | lifetime time 1 hour; | ||
+ | proposal { | ||
+ | encryption_algorithm 3des; | ||
+ | hash_algorithm sha1; | ||
+ | authentication_method pre_shared_key; | ||
+ | dh_group 2; | ||
+ | } | ||
+ | } | ||
+ | |||
+ | sainfo anonymous | ||
+ | { | ||
+ | pfs_group 2; | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm 3des; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | <file | / | ||
+ | 10.20.30.40 YOURKEY | ||
+ | </ | ||
+ | |||
+ | > | ||
+ | > | ||
+ | |||
+ | < | ||
+ | # kontrola, jestli data jdou tunelem - mely by byt videt jako ESP pakety | ||
+ | tcpdump -i eth0 | ||
+ | |||
+ | # pro troubleshooting tunelu | ||
+ | tail -f / | ||
+ | |||
+ | # spuštění racoonu v popředí v debug módu (před tím je dobré zastavit službu) | ||
+ | racoon -d -v -F -f / | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ====== IPsec (Debian-Cisco) " | ||
+ | {{: | ||
+ | ==== Cisco: ==== | ||
+ | < | ||
+ | crypto isakmp policy 1 | ||
+ | encr 3des | ||
+ | | ||
+ | group 2 | ||
+ | | ||
+ | crypto isakmp key KEY-TEST address 192.168.100.2 no-xauth | ||
+ | ! | ||
+ | ! | ||
+ | crypto ipsec transform-set TS-TEST esp-3des esp-sha-hmac | ||
+ | ! | ||
+ | crypto map CRYPTOMAP-TEST 1 ipsec-isakmp | ||
+ | set peer 192.168.100.2 | ||
+ | set transform-set TS-TEST | ||
+ | set pfs group2 | ||
+ | match address ACL-TEST | ||
+ | ! | ||
+ | interface FastEthernet0/ | ||
+ | ip address 192.168.100.100 255.255.255.0 | ||
+ | | ||
+ | speed auto | ||
+ | | ||
+ | ! | ||
+ | interface Vlan1 | ||
+ | ip address 10.0.0.1 255.255.255.0 | ||
+ | ! | ||
+ | ! | ||
+ | ip access-list extended ACL-TEST | ||
+ | | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | # enable IKE debugging | ||
+ | debug crypto isakmp | ||
+ | |||
+ | # enable IPSec debugging | ||
+ | debug crypto ipsec | ||
+ | |||
+ | # disable all debugging | ||
+ | no debug all | ||
+ | </ | ||
+ | |||
+ | ==== Debian: ==== | ||
+ | > **apt-get install racoon ipsec-tools** | ||
+ | |||
+ | <file | / | ||
+ | flush; | ||
+ | spdflush; | ||
+ | |||
+ | |||
+ | spdadd 192.168.100.2/ | ||
+ | | ||
+ | |||
+ | spdadd 10.0.0.2/32 192.168.100.2/ | ||
+ | | ||
+ | </ | ||
+ | |||
+ | <file | / | ||
+ | path pre_shared_key "/ | ||
+ | path certificate "/ | ||
+ | |||
+ | remote 192.168.100.100 { | ||
+ | exchange_mode main; | ||
+ | lifetime time 1 hour; | ||
+ | proposal { | ||
+ | encryption_algorithm 3des; | ||
+ | hash_algorithm sha1; | ||
+ | authentication_method pre_shared_key; | ||
+ | dh_group 2; | ||
+ | } | ||
+ | } | ||
+ | |||
+ | sainfo address 192.168.100.2/ | ||
+ | pfs_group 2; | ||
+ | lifetime time 1 hour; | ||
+ | encryption_algorithm 3des; | ||
+ | authentication_algorithm hmac_sha1; | ||
+ | compression_algorithm deflate; | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | <file | / | ||
+ | 192.168.100.100 KEY-TEST | ||
+ | </ | ||
+ | |||
+ | > | ||
+ | > | ||
+ | |||
+ | < | ||
+ | # kontrola, jestli data jdou tunelem - mely by byt videt jako ESP pakety | ||
+ | tcpdump -i eth0 | ||
+ | |||
+ | # pro troubleshooting tunelu | ||
+ | tail -f / | ||
+ | |||
+ | # spuštění racoonu v popředí v debug módu (před tím je dobré zastavit službu) | ||
+ | racoon -d -v -F -f / | ||
+ | </ |