Имеем:1 Маршрутизатор Cisco 5510 ASA с реальным IP 1.1.1.1 (сеть XXX.XXX.0.0/24)
2. Маршрутизатор Linux CentOS 5.2 (ядро 2.6.18-92.el5) с установленным ipsec-tools-0.6.5-13.el5_3.1 и реальным IP 2.2.2.2 (сеть XXX.XXX.0.0/16)
++ Конфигурация на маршрутизаторе Cisco:
crypto isakmp policy 5
encr aes
authentication pre-share
group 2
lifetime 3600
hash sha
!
crypto isakmp key SECRETKEY address 2.2.2.2
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set GK esp-aes esp-sha-hmac
crypto map IPSec 7 ipsec-isakmp
set peer 2.2.2.2
set transform-set GK
set pfs group2
match address 666
!
interface GigabitEthernet0/0.1
ip address 1.1.1.1 255.255.255.224
crypto map IPSec
!
ip route XXX.XXX.0.0 255.255.255.0 2.2.2.2
access-list 666 remark asGK
access-list 666 permit ip XXX.XXX.0.0 0.0.255.255 XXX.XXX.0.0 0.0.0.255
access-list 666 deny ip any any
++ Конфигурация на машине с Linux CentOS:
/etc/sysconfig/network-scripts/ifcfg-ipsec0
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
IKE_PSK=SECRETKEY
IKE_DHGROUP=2
ESP_PROTO=aes
AH_PROTO=none
AESP_PROTO=hmac-sha1
SRC=2.2.2.2
SRCGW=XXX.XXX.0.100
DSTGW=1.1.1.1
SRCNET=XXX.XXX.0.0/24
DSTNET=XXX.XXX.0/16
DST=1.1.1.1
/etc/racoon/racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
log notify;
listen
{
isakmp 2.2.2.2 [500];
}
sainfo address XXX.XXX.0.0/24 any address XXX.XXX.0.0/16 any
{
pfs_group 2;
lifetime time 6400 sec;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
и не забываем про iptables!!
после настройки
#ifup ipsec0
после поднятия ipsec0 можно посмотреть есть ли туннель
#setkey -D
2.2.2.2 1.1.1.1
esp mode=tunnel spi=3839224802(0xe4d5ebe2) reqid=0(0x00000000)
E: aes-cbc c98674dd c1cda3a8 36f39eb5 84fd56b4 192e4acd 7ad470d7 0176919b c955cc38
A: hmac-sha1 d8e6305b 8b0352ab 249d125f 1515e6a8 136d8896
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jul 8 10:19:23 2010 current: Jul 8 10:44:57 2010
diff: 1534(s) hard: 86400(s) soft: 69120(s)
last: Jul 8 10:19:27 2010 hard: 0(s) soft: 0(s)
current: 2160(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 18 hard: 0 soft: 0
sadb_seq=1 pid=8863 refcnt=0
1.1.1.1 2.2.2.2
esp mode=tunnel spi=111533039(0x06a5dbef) reqid=0(0x00000000)
E: aes-cbc 3e1f5040 cf6c15d2 8083dc28 aa6006ef df53337f 13b31da2 2782ef5c e46d3567
A: hmac-sha1 a9553dd3 e9b431a5 534baef8 a2b1f34b cc2b8867
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jul 8 10:19:23 2010 current: Jul 8 10:44:57 2010
diff: 1534(s) hard: 86400(s) soft: 69120(s)
last: Jul 8 10:19:27 2010 hard: 0(s) soft: 0(s)
current: 833(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 18 hard: 0 soft: 0
sadb_seq=0 pid=8863 refcnt=0
Ссылки:
http://www.opennet.ru/base/cisco/cisco_ipsec_freebsd.txt.html (очень помогла эта статья)
http://netbsd.gw.com/cgi-bin/man-cgi?racoon++NetBSD-current
URL:
Обсуждается: http://www.opennet.ru/tips/info/2408.shtml