| Информация | ||||
| ||||
| Мой t-cards.ru | ||||
| ||||
| Разное | ||||
|
|
|||||||
|
| Сообщения в теме: "Cisco-FreeBSD по IPSEC..." |
 14.06.2006 11:08 |
|
|
Admin
Регистрация: 19.04.2006
Проживание: Калуга
Сообщения: 57
|
 Cisco-FreeBSD по IPSEC
Конфиг ядра:
options IPSEC options IPSEC_ESP options IPSEC_DEBUG /etc/rc.conf ipsec_enable="YES" gif_interfaces="gif0 gifN" gifconfig_gif0="real.ip.so real.ip.de" gifconfig_gifN="x.x.x.x y.y.y.y" ifconfig_gif0="inet ip.so ip.de netmask 255.255.255.252" ifconfig_gifN="..." /etc/ipsec.conf flush; spdflush; spdadd ip.so ip.de any -P out ipsec esp/tunnel/real.ip.so-real.ip.de/require; spdadd ip.de ip.so any -P in ipsec esp/tunnel/real.ip.de-real.ip.so/require; /usr/local/etc/racoon/psk.txt real.ip.de secret /usr/local/etc/racoon/racoon.conf path include "/usr/local/etc/racoon" ; path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; log debug2; padding { maximum_length 20;# maximum padding length. randomize off;# enable randomize length. strict_check off;# enable strict check. exclusive_tail off;# extract last one octet. } listen { isakmp real.ip.so [500]; } timer { counter 5;# maximum trying count to send. interval 20 sec;# maximum interval to resend. persend 1;# the number of packets per a send. phase1 30 sec; phase2 15 sec; } remote anonymous { exchange_mode main,aggressive; doi ipsec_doi; situation identity_only; nonce_size 16; lifetime time 1 min;# sec,min,hour initial_contact on; support_mip6 on; proposal_check obey;# obey, strict or claim proposal { lifetime time 3600 sec;# sec,min,hour encryption_algorithm des; hash_algorithm md5; authentication_method pre_shared_key ; dh_group 1 ; } } sainfo anonymous { pfs_group 1; lifetime time 3600 sec; encryption_algorithm des ; authentication_algorithm hmac_md5; compression_algorithm deflate ; } cisco 1841: ! crypto isakmp policy 1 hash md5 authentication pre-share lifetime 3600 crypto isakmp key hardsecret address real.ip.de ! ! crypto ipsec transform-set ts1 esp-des esp-md5-hmac mode transport ! ! crypto map NAME 1 ipsec-isakmp set peer real.ip.de set transform-set ts1 set pfs group1 match address 100 ! ! interface Tunnel0 description tun_name ip address ip.so 255.255.255.252 tunnel source real.ip.so tunnel destination real.ip.de tunnel mode ipip crypto map NAME ! ! interface FastEthernet0/0 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$ ip address real.ip.so mask no ip proxy-arp ip virtual-reassembly duplex auto speed auto crypto map NAME ! access-list 100 permit ip host ip.so host ip.de ! после этого любой трафик, направленный в туннель, вызовет обмен ключами, после чего должна восстановиться связь между точками. если что-то не вышло: debug crypto ipsec debug crypto engine debug crypto pki server terminal monitor |