wiki:site:obecne:ipsec

wiki:site:obecne:ipsec [2013/03/20 14:27]
root [Cisco:]
wiki:site:obecne:ipsec [2014/12/26 18:31] (current)
Line 95: Line 95:
 # pro troubleshooting tunelu # pro troubleshooting tunelu
 tail -f /var/log/daemon.log tail -f /var/log/daemon.log
 +
 +# spuštění racoonu v popředí v debug módu (před tím je dobré zastavit službu)
 +racoon -d -v -F -f /etc/racoon/racoon.conf
 </code> </code>
 +
 +
 +
  
 ====== IPsec (Debian-Cisco) "Tunnel mód" ====== ====== IPsec (Debian-Cisco) "Tunnel mód" ======
Line 106: Line 112:
  group 2  group 2
  lifetime 3600  lifetime 3600
-crypto isakmp key TEST address 192.168.100.2 no-xauth+crypto isakmp key KEY-TEST address 192.168.100.2 no-xauth
 ! !
 ! !
Line 130: Line 136:
  permit ip host 10.0.0.2 host 192.168.100.2  permit ip host 10.0.0.2 host 192.168.100.2
 </code> </code>
 +
 +<code>
 +# enable IKE debugging
 +debug crypto isakmp
 +
 +# enable IPSec debugging
 +debug crypto ipsec
 +
 +# disable all debugging
 +no debug all
 +</code>
 +
 ==== Debian: ==== ==== Debian: ====
 > **apt-get install racoon ipsec-tools** > **apt-get install racoon ipsec-tools**
  
 <file | /etc/ipsec-tools.conf> <file | /etc/ipsec-tools.conf>
-#!/usr/sbin/setkey -f 
- 
 flush; flush;
 spdflush; spdflush;
  
-spdadd 10.20.30.42 10.20.30.40 any -P out ipsec 
-  esp/transport//require; 
  
-spdadd 10.20.30.40 10.20.30.42 any -P in ipsec +spdadd 192.168.100.2/32 10.0.0.2/32  any -P out ipsec 
-  esp/transport//require;+   esp/tunnel/192.168.100.2-192.168.100.100/require; 
 + 
 +spdadd 10.0.0.2/32 192.168.100.2/32 any -P in ipsec 
 +   esp/tunnel/192.168.100.100-192.168.100.2/require;
 </file> </file>
  
Line 150: Line 167:
 path certificate "/etc/racoon/certs"; path certificate "/etc/racoon/certs";
  
-remote 10.20.30.40 +remote 192.168.100.100 
-    exchange_mode main; +        exchange_mode main; 
-    lifetime time 1 hour; +        lifetime time 1 hour; 
-    proposal {+        proposal { 
 +                encryption_algorithm 3des; 
 +                hash_algorithm sha1; 
 +                authentication_method pre_shared_key; 
 +                dh_group 2; 
 +        } 
 +
 +  
 +sainfo address 192.168.100.2/32 any address 10.0.0.2/32 any { 
 +        pfs_group 2; 
 +        lifetime time 1 hour;
         encryption_algorithm 3des;         encryption_algorithm 3des;
-        hash_algorithm sha1; +        authentication_algorithm hmac_sha1; 
-        authentication_method pre_shared_key; +        compression_algorithm deflate;
-        dh_group 2; +
-    } +
-+
- +
-sainfo anonymous +
-+
-    pfs_group 2; +
-    lifetime time 1 hour; +
-    encryption_algorithm 3des; +
-    authentication_algorithm hmac_sha1; +
-    compression_algorithm deflate;+
 } }
 </file> </file>
  
 <file | /etc/racoon/psk.txt> <file | /etc/racoon/psk.txt>
-10.20.30.40 YOURKEY+192.168.100.100 KEY-TEST
 </file> </file>
  
Line 184: Line 200:
 # pro troubleshooting tunelu # pro troubleshooting tunelu
 tail -f /var/log/daemon.log tail -f /var/log/daemon.log
 +
 +# spuštění racoonu v popředí v debug módu (před tím je dobré zastavit službu)
 +racoon -d -v -F -f /etc/racoon/racoon.conf
 </code> </code>
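Review bot: The new racoon.conf hunk (Line 150/167) keeps `encryption_algorithm 3des;`, `hash_algorithm sha1;` / `authentication_algorithm hmac_sha1;` and `dh_group 2;` / `pfs_group 2;` in both the phase-1 proposal and the new address-specific sainfo block, with the Cisco side (Line 106/112 hunk) set to match; these suites are considered weak today, so a comment such as `# 3des/sha1/group 2 kept for peer compatibility – prefer aes/sha256/group 14 when both ends support them` would stop readers copying them as a recommendation. The pre-shared key `KEY-TEST` is written verbatim into the Cisco `crypto isakmp key` line and into `/etc/racoon/psk.txt`; a note beside the psk.txt file block that it is a placeholder for a long random secret and that the file must be readable only by root would be worth adding. The opening `{` of the `remote 192.168.100.100` block does not appear in the rendered hunk, which is probably a rendering artifact but should be confirmed against the page source. The troubleshooting hunks (Line 95 and Line 184) add `racoon -d -v -F`; a reminder that foreground debug output is verbose and should not be left running on a production host would fit next to that line.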
wiki/site/obecne/ipsec.1363786073.txt.gz · Last modified: 2014/12/26 18:31 (external edit)