On Mon, 2005-10-24 at 14:34 +0300, Serghei Amelian wrote:
> On Monday 24 October 2005 14:30, lonely wolf wrote:
> [...]
> > Note that some besedisti live under the impression that if you want an IPsec
> > tunnel you first need an ipip tunnel as well (or another tunnel; the more elite ones
> > say GRE). Which is as false as it gets.
>
> Well, I don't just want to encrypt the traffic between two hosts. I need to
> connect two LANs to each other. Can I do that with IPsec alone?
>
Here is an example:
You have NET_1 behind IP_GW1 and NET_2 behind IP_GW2. The example here is for
the first network; on the other side you do the reverse. The example uses a
PSK; for certificates it changes trivially, as per the docs.
ipsec.conf (setkey policy as seen from IP_GW1; on IP_GW2 swap the two networks and the two gateways)
# outbound: packets from our LAN to the remote LAN must enter the ESP tunnel IP_GW1 -> IP_GW2
spdadd NET_1/MASK NET_2/MASK any -P out ipsec
        esp/tunnel/IP_GW1-IP_GW2/require;
# inbound: packets from the remote LAN to ours are only accepted out of the tunnel IP_GW2 -> IP_GW1
spdadd NET_2/MASK NET_1/MASK any -P in ipsec
        esp/tunnel/IP_GW2-IP_GW1/require;
racoon.conf
# the PSK file holds one "IP_GW2 secret" line on this side, "IP_GW1 secret" on the other
path pre_shared_key "/etc/racoon/psk.txt";

padding {
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
}

# IKE (ISAKMP) only on the gateway's public address
listen { isakmp IP_GW1; }

timer {
        counter 5;
        interval 20 sec;
        persend 1;
        phase1 30 sec;
        phase2 15 sec;
}

########### connection to NET_2
# phase 1 (IKE SA) with the remote gateway
remote IP_GW2 {
        exchange_mode main,aggressive;
        lifetime time 15 min;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

# phase 2 (IPsec SA) for traffic between the two LANs
sainfo address NET_1/MASK[any] any address NET_2/MASK[any] any {
        lifetime time 15 min;
        pfs_group modp768;              # 768-bit DH group; weak by today's standards
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug
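The "do the reverse on the other side" step of the message above is where net-to-net setups usually go wrong, so here is an added example (not from the original post or from the ipsec-tools project) that generates the setkey policy and the matching racoon blocks for either gateway from one set of variables and checks that the two sides mirror each other. The networks 10.1.0.0/16 and 10.2.0.0/16, the gateway addresses 198.51.100.1 and 203.0.113.1, and the helper names side_params, setkey_conf, racoon_conf and policies_mirror are this example's own. The racoon algorithms (AES, SHA-256, modp2048, main mode only) are this example's choice rather than the 3DES/MD5/modp768 of the post, and assume an ipsec-tools build that supports them.

```shell
#!/bin/sh
# Added example (not from the original post): emit the per-gateway setkey SPD
# and racoon remote/sainfo blocks for both ends of a net-to-net ESP tunnel.
# All addresses below are placeholders chosen for this example.

NET_1=10.1.0.0/16
NET_2=10.2.0.0/16
IP_GW1=198.51.100.1
IP_GW2=203.0.113.1

# side_params gw1|gw2: sets LOCAL_NET LOCAL_GW REMOTE_NET REMOTE_GW for that side
side_params() {
    case "$1" in
        gw1) LOCAL_NET=$NET_1; LOCAL_GW=$IP_GW1; REMOTE_NET=$NET_2; REMOTE_GW=$IP_GW2 ;;
        gw2) LOCAL_NET=$NET_2; LOCAL_GW=$IP_GW2; REMOTE_NET=$NET_1; REMOTE_GW=$IP_GW1 ;;
        *)   echo "usage: $0 gw1|gw2" >&2; return 1 ;;
    esac
}

# Security policy as seen from LOCAL_GW: outbound LAN->LAN packets are required
# to enter the ESP tunnel LOCAL_GW -> REMOTE_GW; inbound packets from the remote
# LAN are accepted only if they came out of the reverse tunnel REMOTE_GW -> LOCAL_GW.
setkey_conf() {
    side_params "$1" || return 1
    printf 'flush;\nspdflush;\n'
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$LOCAL_NET" "$REMOTE_NET" "$LOCAL_GW" "$REMOTE_GW"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$REMOTE_NET" "$LOCAL_NET" "$REMOTE_GW" "$LOCAL_GW"
}

# Phase 1 / phase 2 settings for racoon on this side.  The algorithms are this
# example's choice (assumed supported by the installed racoon); both peers must
# offer the same proposal or phase 1 fails.  Main mode only: aggressive mode
# exposes a hash of the PSK to offline guessing.
racoon_conf() {
    side_params "$1" || return 1
    cat <<EOF
path pre_shared_key "/etc/racoon/psk.txt";
listen { isakmp $LOCAL_GW; }
remote $REMOTE_GW {
        exchange_mode main;
        lifetime time 8 hour;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
}
sainfo address $LOCAL_NET any address $REMOTE_NET any {
        pfs_group modp2048;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha256;
}
EOF
}

# Consistency check: the packets gw1 is told to send out through the tunnel
# must be exactly the ones gw2 is told to expect in from it.
policies_mirror() {
    out1=$(setkey_conf gw1 | grep -- '-P out' | sed 's/-P out/-P in/')
    in2=$(setkey_conf gw2 | grep -- '-P in')
    [ "$out1" = "$in2" ]
}

if [ $# -gt 0 ]; then
    setkey_conf "$1" && echo && racoon_conf "$1"
fi
```

Run it as `sh tunnel.sh gw1` on the first gateway and `sh tunnel.sh gw2` on the second, feed the first part to `setkey -f` and the second to racoon; the PSK file still has to be created by hand on each side with the peer's address and the shared secret.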