wiki:site:obecne:ipsec [2013/03/20 14:21] root [IPsec (Debian-Cisco) Tunnel mód] |
wiki:site:obecne:ipsec [2014/12/26 18:31] (current) |
Line 95: | Line 95: | ||
# pro troubleshooting tunelu | # pro troubleshooting tunelu | ||
tail -f / | tail -f / | ||
+ | |||
+ | # spuštění racoonu v popředí v debug módu (před tím je dobré zastavit službu) | ||
+ | racoon -d -v -F -f / | ||
</ | </ | ||
+ | |||
+ | |||
+ | |||
====== IPsec (Debian-Cisco) " | ====== IPsec (Debian-Cisco) " | ||
{{: | {{: | ||
==== Cisco: ==== | ==== Cisco: ==== | ||
+ | < | ||
+ | crypto isakmp policy 1 | ||
+ | encr 3des | ||
+ | | ||
+ | group 2 | ||
+ | | ||
+ | crypto isakmp key KEY-TEST address 192.168.100.2 no-xauth | ||
+ | ! | ||
+ | ! | ||
+ | crypto ipsec transform-set TS-TEST esp-3des esp-sha-hmac | ||
+ | ! | ||
+ | crypto map CRYPTOMAP-TEST 1 ipsec-isakmp | ||
+ | set peer 192.168.100.2 | ||
+ | set transform-set TS-TEST | ||
+ | set pfs group2 | ||
+ | match address ACL-TEST | ||
+ | ! | ||
+ | interface FastEthernet0/ | ||
+ | ip address 192.168.100.100 255.255.255.0 | ||
+ | | ||
+ | speed auto | ||
+ | | ||
+ | ! | ||
+ | interface Vlan1 | ||
+ | ip address 10.0.0.1 255.255.255.0 | ||
+ | ! | ||
+ | ! | ||
+ | ip access-list extended ACL-TEST | ||
+ | | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | # enable IKE debugging | ||
+ | debug crypto isakmp | ||
+ | |||
+ | # enable IPSec debugging | ||
+ | debug crypto ipsec | ||
+ | |||
+ | # disable all debugging | ||
+ | no debug all | ||
+ | </ | ||
+ | |||
==== Debian: ==== | ==== Debian: ==== | ||
> **apt-get install racoon ipsec-tools** | > **apt-get install racoon ipsec-tools** | ||
<file | / | <file | / | ||
- | # | ||
- | |||
flush; | flush; | ||
spdflush; | spdflush; | ||
- | spdadd 10.20.30.42 10.20.30.40 any -P out ipsec | ||
- | esp/ | ||
- | spdadd 10.20.30.40 10.20.30.42 any -P in ipsec | + | spdadd |
- | esp/transport//require; | + | |
+ | |||
+ | spdadd | ||
+ | | ||
</ | </ | ||
Line 120: | Line 167: | ||
path certificate "/ | path certificate "/ | ||
- | remote | + | remote |
- | exchange_mode main; | + | exchange_mode main; |
- | lifetime time 1 hour; | + | lifetime time 1 hour; |
- | proposal { | + | proposal { |
+ | encryption_algorithm 3des; | ||
+ | hash_algorithm sha1; | ||
+ | authentication_method pre_shared_key; | ||
+ | dh_group 2; | ||
+ | } | ||
+ | } | ||
+ | |||
+ | sainfo address 192.168.100.2/ | ||
+ | pfs_group 2; | ||
+ | lifetime time 1 hour; | ||
encryption_algorithm 3des; | encryption_algorithm 3des; | ||
- | | + | authentication_algorithm hmac_sha1; |
- | authentication_method pre_shared_key; | + | compression_algorithm deflate; |
- | dh_group 2; | + | |
- | } | + | |
- | } | + | |
- | + | ||
- | sainfo anonymous | + | |
- | { | + | |
- | pfs_group 2; | + | |
- | lifetime time 1 hour; | + | |
- | encryption_algorithm 3des; | + | |
- | | + | |
- | compression_algorithm deflate; | + | |
} | } | ||
</ | </ | ||
<file | / | <file | / | ||
- | 10.20.30.40 YOURKEY | + | 192.168.100.100 KEY-TEST |
</ | </ | ||
Line 154: | Line 200: | ||
# pro troubleshooting tunelu | # pro troubleshooting tunelu | ||
tail -f / | tail -f / | ||
+ | |||
+ | # spuštění racoonu v popředí v debug módu (před tím je dobré zastavit službu) | ||
+ | racoon -d -v -F -f / | ||
</ | </ |
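Review bot: The IKE proposal added on both sides (Cisco `encr 3des` / `group 2` in the Line 95 hunk, racoon `encryption_algorithm 3des; hash_algorithm sha1; dh_group 2;` in the Line 120/167 hunk) is left uncommented, so a reader copying this example gets a legacy cipher suite without being told that it is a compatibility choice. A one-line comment on the racoon proposal such as `# 3des/sha1/group 2 are chosen to match the Cisco side; prefer aes/sha2/group 14 when both peers support them` would make that trade-off explicit. The new `sainfo address 192.168.100.2/...` block ties the phase-2 parameters to the named peer, which reads as intended; the psk.txt entry `192.168.100.100 KEY-TEST` added in the same section should carry a note that the file must be readable by root only, since racoon, as far as I recall, rejects a pre-shared-key file with weak permissions. Several configuration lines in this rendering appear truncated after `/` (for example `tail -f /`, `racoon -d -v -F -f /` and the ACL-TEST permit entry), so the full content of those hunks cannot be confirmed from this view.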