Site-to-site VPN with Vyatta 6.1
Ionel Mocanu

Vyatta 6.1 uses strongSwan 4.3.2 as its IPsec implementation.

On the EAST router, the configuration file contains the following lines for the site-to-site IPsec VPN:

vpn {
    ipsec {
        esp-group ESP-EAST {
            compression disable
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
            proposal 2 {
                encryption 3des
                hash md5
            }
        }
        ike-group IKE-EAST {
            lifetime 3600
            proposal 1 {
                encryption aes256
                hash sha1
            }
            proposal 2 {
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 10.6.17.254 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ionel
                }
                ike-group IKE-EAST
                local-ip 10.0.8.10
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-EAST
                    local-subnet 172.16.40.24/29
                    remote-subnet 172.30.4.0/23
                }
            }
        }
    }
}

On the WEST router we have the following configuration:

vpn {
    ipsec {
        esp-group ESP-WEST {
            compression disable
            lifetime 1800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
            proposal 2 {
                encryption 3des
                hash md5
            }
        }
        ike-group IKE-WEST {
            lifetime 3600
            proposal 1 {
                encryption aes256
                hash sha1
            }
            proposal 2 {
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 10.0.8.10 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ionel
                }
                ike-group IKE-WEST
                local-ip 10.6.17.254
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-WEST
                    local-subnet 172.30.4.0/23
                    remote-subnet 172.16.40.24/29
                }
            }
        }
    }
}

Commands used to monitor the VPN:

ionel@EAST:~$ show vpn ipsec sa
Peer Tunnel# Dir SPI Encrypt Hash NAT-T A-Time L-Time
------- ------- --- --- ------- ---- ----- ------ ------
10.6.17.254 1 in 346c1a9d 3des md5 No 49 1800
10.6.17.254 1 out ff429e57 3des md5 No 49 1800

ionel@EAST:~$ show vpn ipsec status
IPSec Process Running PID: 3356
1 Active IPsec Tunnels
IPsec Interfaces :
eth0 (10.0.8.10)

ionel@EAST:~$ show vpn ike
rsa-keys sa secrets status

ionel@EAST:~$ show vpn ike secrets
Local Peer Secret
-------- ------- ------
10.0.8.10 10.6.17.254 "ionel"

ionel@EAST:~$ show vpn ike status
IKE Process Running
PID: 3356

ionel@EAST:~$ show vpn ike sa
Local Peer State Encrypt Hash NAT-T A-Time L-Time
-------- ------- ----- ------- ---- ----- ------ ------
10.0.8.10 10.6.17.254 up aes128 sha1 No 1072 3600

ionel@EAST:~$ show vpn debug
000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.0.8.10:500
000 interface eth1/eth1 172.16.40.25:500
000 %myid = (none)
000 loaded plugins: curl ldap random pubkey openssl hmac gmp
000 debug options: none
000
000 "peer-10.6.17.254-tunnel-1": 172.16.40.24/29===10.0.8.10...10.6.17.254===172.30.4.0/23; erouted; eroute owner: #2
000 "peer-10.6.17.254-tunnel-1": ike_life: 3600s; ipsec_life: 1800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-10.6.17.254-tunnel-1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 29,23; interface: eth0;
000 "peer-10.6.17.254-tunnel-1": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "peer-10.6.17.254-tunnel-1": IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1536
000 "peer-10.6.17.254-tunnel-1": ESP proposal: 3DES_CBC/HMAC_MD5/
000
000 #2: "peer-10.6.17.254-tunnel-1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 293s; newest IPSEC; eroute owner
000 #2: "peer-10.6.17.254-tunnel-1" esp.346c1a9d@10.6.17.254 (0 bytes) esp.ff429e57@10.0.8.10 (0 bytes); tunnel
000 #1: "peer-10.6.17.254-tunnel-1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1852s; newest ISAKMP
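One check worth running on the monitoring output above, added here as an example and not part of the original post: the `show vpn ipsec sa` table shows the tunnel settled on 3des/md5 (the second ESP proposal) and `show vpn ike sa` shows aes128/sha1 (the second IKE proposal), not the aes256/sha1 listed first in both groups. The script parses those two tables and flags every SA that uses a weak algorithm or did not land on the preferred proposal; the weak-algorithm sets are an assumption of the check, and the sample output is copied from the EAST router listing.

```python
# Weak-algorithm sets are an assumption of this check, not a Vyatta setting.
WEAK_ENCRYPT = {"des", "3des"}
WEAK_HASH = {"md5"}

# Sample output copied from the EAST router listing in the post above.
IPSEC_SA_OUTPUT = """\
Peer Tunnel# Dir SPI Encrypt Hash NAT-T A-Time L-Time
------- ------- --- --- ------- ---- ----- ------ ------
10.6.17.254 1 in 346c1a9d 3des md5 No 49 1800
10.6.17.254 1 out ff429e57 3des md5 No 49 1800
"""
IKE_SA_OUTPUT = """\
Local Peer State Encrypt Hash NAT-T A-Time L-Time
-------- ------- ----- ------- ---- ----- ------ ------
10.0.8.10 10.6.17.254 up aes128 sha1 No 1072 3600
"""

def parse_table(text):
    """Turn the whitespace-separated 'show vpn ... sa' table into one dict per SA."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    headers = lines[0].split()
    rows = []
    for line in lines[1:]:
        if line.lstrip().startswith("-"):
            continue  # column separator line
        fields = line.split()
        if len(fields) == len(headers):
            rows.append(dict(zip(headers, fields)))
    return rows

def audit(text, preferred_encrypt, preferred_hash):
    """Return (peer, encrypt, hash, reasons) for every SA that uses a weak
    algorithm or did not negotiate the preferred (first-configured) proposal."""
    findings = []
    for row in parse_table(text):
        enc, hsh = row["Encrypt"].lower(), row["Hash"].lower()
        reasons = []
        if enc in WEAK_ENCRYPT or hsh in WEAK_HASH:
            reasons.append("weak")
        if (enc, hsh) != (preferred_encrypt, preferred_hash):
            reasons.append("not-preferred")
        if reasons:
            findings.append((row["Peer"], enc, hsh, tuple(reasons)))
    return findings

if __name__ == "__main__":
    # Both groups in the post list aes256/sha1 as proposal 1.
    for name, out in (("IPsec", IPSEC_SA_OUTPUT), ("IKE", IKE_SA_OUTPUT)):
        for peer, enc, hsh, why in audit(out, "aes256", "sha1"):
            print(f"{name} SA with {peer}: {enc}/{hsh} ({', '.join(why)})")
```

On a live router, feed the output of `show vpn ipsec sa` and `show vpn ike sa` into `audit` in place of the embedded samples.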

2 Comments

  1. preghoata says:

    Excellent story over again! Thank you ;)

  2. Jones says:

    Thank you ever so for your blog article. Thanks again. Really great.
