wiki:site:obecne:ipsec [2013/03/20 14:14] root |
wiki:site:obecne:ipsec [2014/12/26 18:31] (current) |
| Line 95: | Line 95: | ||
| # pro troubleshooting tunelu | # pro troubleshooting tunelu | ||
| tail -f / | tail -f / | ||
| + | |||
| + | # spuštění racoonu v popředí v debug módu (před tím je dobré zastavit službu) | ||
| + | racoon -d -v -F -f / | ||
| </ | </ | ||
| + | |||
| + | |||
| + | |||
| ====== IPsec (Debian-Cisco) " | ====== IPsec (Debian-Cisco) " | ||
| + | {{: | ||
| ==== Cisco: ==== | ==== Cisco: ==== | ||
| + | < | ||
| + | crypto isakmp policy 1 | ||
| + | encr 3des | ||
| + | | ||
| + | group 2 | ||
| + | | ||
| + | crypto isakmp key KEY-TEST address 192.168.100.2 no-xauth | ||
| + | ! | ||
| + | ! | ||
| + | crypto ipsec transform-set TS-TEST esp-3des esp-sha-hmac | ||
| + | ! | ||
| + | crypto map CRYPTOMAP-TEST 1 ipsec-isakmp | ||
| + | set peer 192.168.100.2 | ||
| + | set transform-set TS-TEST | ||
| + | set pfs group2 | ||
| + | match address ACL-TEST | ||
| + | ! | ||
| + | interface FastEthernet0/ | ||
| + | ip address 192.168.100.100 255.255.255.0 | ||
| + | | ||
| + | speed auto | ||
| + | | ||
| + | ! | ||
| + | interface Vlan1 | ||
| + | ip address 10.0.0.1 255.255.255.0 | ||
| + | ! | ||
| + | ! | ||
| + | ip access-list extended ACL-TEST | ||
| + | | ||
| + | </ | ||
| + | |||
| + | < | ||
| + | # enable IKE debugging | ||
| + | debug crypto isakmp | ||
| + | |||
| + | # enable IPSec debugging | ||
| + | debug crypto ipsec | ||
| + | |||
| + | # disable all debugging | ||
| + | no debug all | ||
| + | </ | ||
| + | |||
| ==== Debian: ==== | ==== Debian: ==== | ||
| > **apt-get install racoon ipsec-tools** | > **apt-get install racoon ipsec-tools** | ||
| <file | / | <file | / | ||
| - | # | ||
| - | |||
| flush; | flush; | ||
| spdflush; | spdflush; | ||
| - | spdadd 10.20.30.42 10.20.30.40 any -P out ipsec | ||
| - | esp/ | ||
| - | spdadd 10.20.30.40 10.20.30.42 any -P in ipsec | + | spdadd |
| - | esp/transport//require; | + | |
| + | |||
| + | spdadd | ||
| + | | ||
| </ | </ | ||
| Line 119: | Line 167: | ||
| path certificate "/ | path certificate "/ | ||
| - | remote | + | remote |
| - | exchange_mode main; | + | exchange_mode main; |
| - | lifetime time 1 hour; | + | lifetime time 1 hour; |
| - | proposal { | + | proposal { |
| + | encryption_algorithm 3des; | ||
| + | hash_algorithm sha1; | ||
| + | authentication_method pre_shared_key; | ||
| + | dh_group 2; | ||
| + | } | ||
| + | } | ||
| + | |||
| + | sainfo address 192.168.100.2/ | ||
| + | pfs_group 2; | ||
| + | lifetime time 1 hour; | ||
| encryption_algorithm 3des; | encryption_algorithm 3des; | ||
| - | | + | authentication_algorithm hmac_sha1; |
| - | authentication_method pre_shared_key; | + | compression_algorithm deflate; |
| - | dh_group 2; | + | |
| - | } | + | |
| - | } | + | |
| - | + | ||
| - | sainfo anonymous | + | |
| - | { | + | |
| - | pfs_group 2; | + | |
| - | lifetime time 1 hour; | + | |
| - | encryption_algorithm 3des; | + | |
| - | | + | |
| - | compression_algorithm deflate; | + | |
| } | } | ||
| </ | </ | ||
| <file | / | <file | / | ||
| - | 10.20.30.40 YOURKEY | + | 192.168.100.100 KEY-TEST |
| </ | </ | ||
| Line 153: | Line 200: | ||
| # pro troubleshooting tunelu | # pro troubleshooting tunelu | ||
| tail -f / | tail -f / | ||
| + | |||
| + | # spuštění racoonu v popředí v debug módu (před tím je dobré zastavit službu) | ||
| + | racoon -d -v -F -f / | ||
| </ | </ | ||