On 3 October 2015 at 14:40, Jason Tubnor <[email protected]> wrote:

> Hi,
>
> Based on man 5 iked.conf the following should technically set up 4 flows
> (reversing and setting active on the corresponding peer):
>
>
>
Solved!

Main gateway:

# cat /etc/iked.conf
ikev2 esp from 192.168.232.128 to 192.168.232.129 \
        from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 psk "HelloWorld"

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.232.129 to 192.168.232.128 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.232.128 to 192.168.232.129 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp in from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x01d084c7 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xf055afa1 auth hmac-sha2-256 enc aes-256

----

Remote gateway (that initiates connection):

# cat /etc/iked.conf
ikev2 active esp from 192.168.232.129 to 192.168.232.128 \
        from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.128 psk "HelloWorld"

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.232.128 to 192.168.232.129 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type use
flow esp out from 192.168.232.129 to 192.168.232.128 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type require
flow esp in from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type use
flow esp out from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x01d084c7 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xf055afa1 auth hmac-sha2-256 enc aes-256

------

I have attached a man 5 iked.conf patch that clears up an example used in
the man page.


Cheers,

Jason.

[demime 1.01d removed an attachment of type application/x-gzip which had a name 
of iked.conf.5.patch.gz]
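An added verification check, not part of Jason's post or of OpenBSD's own tooling: it derives the four flows a multi-selector ikev2 line should install (an outbound "require" flow per selector plus the mirrored inbound "use" flow, all pointing at the peer) and compares them with `ipsecctl -sa` output. The sample input is the Main gateway config and FLOWS listing from the post, re-typed here as constructed strings.

```python
import re

# Constructed sample: the "Main gateway" iked.conf line and its
# ipsecctl -sa FLOWS listing from the post, re-typed as test input.
IKED_CONF = ('ikev2 esp from 192.168.232.128 to 192.168.232.129 '
             'from 192.168.1.0/24 to 192.168.72.0/24 '
             'peer 192.168.232.129 psk "HelloWorld"')

IPSECCTL_FLOWS = """\
flow esp in from 192.168.232.129 to 192.168.232.128 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.232.128 to 192.168.232.129 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp in from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny
"""

SELECTOR = re.compile(r'from (\S+) to (\S+)')
FLOW = re.compile(r'^flow esp (in|out) from (\S+) to (\S+)'
                  r'(?: peer (\S+))?.* type (\w+)$')


def expected_flows(conf_line):
    """Flows one ikev2 line should produce: each 'from A to B' selector
    gives an outbound A->B flow (type require) and the mirrored inbound
    B->A flow (type use), both bound to the configured peer."""
    peer = re.search(r'peer (\S+)', conf_line).group(1)
    flows = set()
    for src, dst in SELECTOR.findall(conf_line):
        flows.add(('out', src, dst, peer, 'require'))
        flows.add(('in', dst, src, peer, 'use'))
    return flows


def installed_flows(ipsecctl_output):
    """Parse the FLOWS section of ipsecctl -sa into (dir, src, dst, peer, type)."""
    flows = set()
    for line in ipsecctl_output.splitlines():
        m = FLOW.match(line.strip())
        if m:
            flows.add(m.groups())
    return flows


def check_flows(conf_line, ipsecctl_output):
    """Return (missing, unexpected): expected flows the kernel lacks, and
    installed flows the config does not explain. The catch-all deny flow
    iked installs is ignored."""
    want = expected_flows(conf_line)
    have = {f for f in installed_flows(ipsecctl_output) if f[4] != 'deny'}
    return sorted(want - have, key=str), sorted(have - want, key=str)
```

Run the same check with the remote gateway's `active` line and its FLOWS output to confirm the mirrored selectors line up on both ends.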
