|
ru.unix.bsd
- RU.UNIX.BSD ------------------------------------------------------------------
From : Vitaly Gonchar 2:5020/400 25 Mar 2003 16:59:23
To : All
Subject : FreeBSD+Cisco
--------------------------------------------------------------------------------
Привет всем,
хочется поднять IPSec между Cisco2620 (C2600-IK9S-M), Version 12.2(13)) и
FreeBSD 4.7
схема такая:
LAN(10.0.101.0/24)-->CiscoF0/0 (10.0.101.220)-CiscoS0/0.16
(A.A.A.A)<--Internet..>BSD (B.B.B.B)-BSD192.168.30.149<--LAN 192.168.30.0/24
Hа БСД поставлен racoon. Конфиги ниже. Проблема как обычно, нет связи ;-)
Причем в логе Ракуна вижу:
IPsec-SA established: ESP/Tunnel A.A.A.A->B.B.B.B
Hа Циско в логах дебага ничего подозрительного. по sh crypto isakmp sa вижу
созданный sa
Что я недосмотрел?
crypto isakmp policy 100
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key mysecret address B.B.B.B
!
!
crypto ipsec transform-set CCU esp-des esp-md5-hmac
!
crypto map IPSec_VPN 100 ipsec-isakmp
set peer B.B.B.B
set transform-set CCU
set pfs group2
match address CRYPTO_ACL_IPSec_CCU
interface Serial0/0.16 point-to-point
ip address A.A.A.A 255.255.255.252
crypto map IPSec_VPN
ip access-list extended CRYPTO_ACL_IPSec_CCU
permit ip 10.0.101.0 0.0.0.255 192.168.30.0 0.0.0.255
permit icmp 10.0.101.0 0.0.0.255 192.168.30.0 0.0.0.255
Hа БСД
#!/bin/sh
/usr/sbin/setkey -FP
/usr/sbin/setkey -F
/usr/sbin/setkey -c << EOF
spdadd 10.0.101.0/24 192.168.30.0/24 any -P in ipsec
esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd 192.168.30.0/24 10.0.101.0/24 any -P out ipsec
esp/tunnel/B.B.B.B-A.A.A.A/require;
EOF
####racoon.conf
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
isakmp B.B.B.B [500];
}
timer
{
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
phase1 15 sec;
phase2 30 sec;
}
remote anonymous
{
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
nonce_size 16;
lifetime time 1 min; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm des;
lifetime time 3600 sec;
hash_algorithm md5;
authentication_method pre_shared_key ;
dh_group 1;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
--
With best regards,
Vitaly Gonchar
IT-Manager
ICQ:#95041222, homepage: http://www.geocities.com/vitalka_ua/
--- ifmail v.2.15dev5
* Origin: Infopulse Ukraine news (2:5020/400)
Вернуться к списку тем, сортированных по: возрастание даты уменьшение даты тема автор
| Тема: |
Автор: |
Дата: |
|
FreeBSD+Cisco |
Vitaly Gonchar |
25 Mar 2003 16:59:23 |
|
|
