Re: lug-bg: VPN route problem

Mon, 31 Jul 2006 01:25:18 -0700

С удоволствие:

/etc/racoon.conf

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

timer
{
        counter 5;              # maximum trying count to send.
        interval 30 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        phase1 80 sec;
        phase2 85 sec;
}

#ZyWall
remote q.w.e.r
{
    exchange_mode main,aggressive,base;
    lifetime time 24 hour;
    proposal_check=obey;
    nat_traversal on;
    esp_frag 552;
    proposal {
    encryption_algorithm 3des;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 1;
    }
}

#net-to-net
sainfo address 192.168.y.0 /24 any address 192.168.x.0/23 any
{
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}

sainfo anonymous
{
    lifetime time 1 hour ;
    encryption_algorithm 3des, blowfish 448, rijndael ;
    authentication_algorithm hmac_sha1,hmac_md5 ;
    compression_algorithm deflate ;
}


и съответно setkey.sh :

#/sbin/setkey -f

#flush
setkey -FP
setkey -F

#LOCAL_EXT_IP - Internet IP of eth0 - my gateway
LOCAL_EXT_IP=a.b.c.d
#REMOTE_EXT_IP - Internet IP of remote VPN gateway
REMOTE_EXT_IP=q.w.e.r

LOCAL_LAN=192.168.y.0
LOCAL_SUBNET_MASK=24
REMOTE_LAN=192.168.x.0
REMOTE_SUBNET_MASK=23

#Linux-racoon -> MyZwall and MyZwall -> Linux-racoon
setkey -c << END
spdadd $REMOTE_EXT_IP $LOCAL_EXT_IP any -P in ipsec esp/tunnel/$REMOTE_EXT_IP-$LOCAL_EXT_IP/unique;
spdadd $REMOTE_LAN/$REMOTE_SUBNET_MASK $LOCAL_LAN/$LOCAL_SUBNET_MASK any -P in ipsec esp/tunnel/$REMOTE_EXT_IP-$LOCAL_EXT_IP/unique;
spdadd $LOCAL_EXT_IP $REMOTE_EXT_IP any -P out ipsec esp/tunnel/$LOCAL_EXT_IP-$REMOTE_EXT_IP/unique;
spdadd $LOCAL_LAN/$LOCAL_SUBNET_MASK $REMOTE_LAN/$REMOTE_SUBNET_MASK any -P out ipsec esp/tunnel/$LOCAL_EXT_IP-$REMOTE_EXT_IP/unique;
END


#here comes the shitty part with iptables
iptables -A INPUT -p udp -s $REMOTE_EXT_IP -d $LOCAL_EXT_IP --dport 500 --j ACCEPT
iptables -A INPUT -p udp -s $REMOTE_EXT_IP -d $LOCAL_EXT_IP --dport 4500 --j ACCEPT
iptables -A INPUT -p esp -s $REMOTE_EXT_IP -d $LOCAL_EXT_IP -j ACCEPT
iptables -A INPUT -p ah -s $REMOTE_EXT_IP -d $LOCAL_EXT_IP -j ACCEPT

iptables -A INPUT -p udp -s $REMOTE_EXT_IP -d $LOCAL_EXT_IP --dport 50 --j ACCEPT
iptables -A INPUT -p tcp -s $REMOTE_EXT_IP -d $LOCAL_EXT_IP --dport 50 --j ACCEPT

iptables -A INPUT -p tcp -s $REMOTE_EXT_IP -d $LOCAL_EXT_IP --dport 80 --j ACCEPT
#now the same with output
iptables -A OUTPUT -p udp -d $REMOTE_EXT_IP -s $LOCAL_EXT_IP --sport 500 --j ACCEPT
iptables -A OUTPUT -p udp -d $REMOTE_EXT_IP -s $LOCAL_EXT_IP --sport 4500 --j ACCEPT
iptables -A OUTPUT -p esp -d $REMOTE_EXT_IP -s $LOCAL_EXT_IP -j ACCEPT
iptables -A OUTPUT -p ah -d $REMOTE_EXT_IP -s $LOCAL_EXT_IP -j ACCEPT

iptables -A OUTPUT -p udp -d $REMOTE_EXT_IP -s $LOCAL_EXT_IP --sport 50 --j ACCEPT
iptables -A OUTPUT -p tcp -d $REMOTE_EXT_IP -s $LOCAL_EXT_IP --sport 50 --j ACCEPT

iptables -A OUTPUT -p tcp -d $REMOVE_EXT_IP -s $LOCAL_EXT_IP --sport 80 --j ACCEPT
#if we use masquerade
iptables -t nat -I POSTROUTING 1 -p 50 -j ACCEPT
ip route add 192.168.x.0/23 via $LOCAL_EXT_IP src 192.168.y.1

Този последния скрипт, за момента го пускам ръчно (все пак съм в период на тестване) преди да пусна самия ракуун с "racoon -F -v".

T.e. пълната последователност за установяване на тунела е:

$/etc/racoon/setkey.sh
$racoon -F -v



On 7/31/06, Kamen Medarski <[EMAIL PROTECTED]> wrote:
Защо за всеки случай не пратиш и съдържанието на полиситата?

Reply via email to