Strongswan to strongswan IKEv2 site to site: difference between versions
Revision as of 5 September 2022, 09:03
The config is the same on both sites: strongSwan works out which side it is by matching left and right against the host's own addresses, so the same conn block can be used unchanged on both peers.
ipsec.conf
Explanation
File
conn s2s
    authby=secret
    keyexchange=ikev2
    left=10.82.227.12
    leftid=10.82.227.12
    leftsubnet=10.82.243.0/24
    mobike=no
    right=10.82.227.22
    rightid=10.82.227.22
    rightsubnet=10.82.244.0/24
    ike=aes256-sha256-modp4096!
    esp=aes256-sha256-modp4096!
    auto=start
ipsec.secrets
- ID combination (left ID, right ID) with authentication method and secret
10.82.227.12 10.82.227.22 : PSK "suxer"
Handling
Up
- ipsec up s2s
initiating IKE_SA s2s[2] to 10.82.227.22
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (720 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (728 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
authentication of '10.82.227.12' (myself) with pre-shared key
establishing CHILD_SA s2s{2}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (256 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (224 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of '10.82.227.22' with pre-shared key successful
IKE_SA s2s[2] established between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
scheduling reauthentication in 10119s
maximum IKE_SA lifetime 10659s
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA s2s{2} established with SPIs cc16cb02_i c89d755d_o and TS 10.82.243.0/24 === 10.82.244.0/24
connection 's2s' established successfully
Down
- ipsec down s2s
deleting IKE_SA s2s[2] between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
sending DELETE for IKE_SA s2s[2]
generating INFORMATIONAL request 2 [ D ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (80 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (80 bytes)
parsed INFORMATIONAL response 2 [ ]
IKE_SA deleted
IKE_SA [2] closed successfully
Status
- ipsec status s2s
Security Associations (1 up, 0 connecting):
s2s[4]: ESTABLISHED 7 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
s2s{4}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cef198fc_i c4de821a_o
s2s{4}: 10.82.243.0/24 === 10.82.244.0/24
TCPDump of the connection
- tcpdump -ni eth0 port 500 or esp
- up
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
08:37:31.702968 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 1 I ident
08:37:31.707296 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 1 R ident
08:37:31.764500 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 1 I ident
08:37:31.888131 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 1 R ident
08:37:31.945758 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 1 I ident[E]
08:37:31.949075 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 1 R ident[E]
08:37:32.018782 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I oakley-quick[E]
08:37:32.128716 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: phase 2/others R oakley-quick[E]
08:37:32.193586 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I oakley-quick[E]
- down
08:38:13.527180 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I inf[E]
08:38:13.527950 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: phase 2/others I inf[E]
Multiple subnets
alice and tiazel
- /etc/ipsec.conf
conn s2s
    authby=secret
    keyexchange=ikev2
    left=192.168.244.93
    leftid=@alice
    leftsubnet=172.16.93.0/24,10.16.93.0/24
    right=192.168.244.59
    rightid=@tiazel
    rightsubnet=172.16.59.0/24,10.16.59.0/24
    ike=aes256-sha1-modp1536
    esp=aes256-sha1-modp1536
    auto=start
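As an added example (not from this page or the strongSwan project), the following Python lint reads both conn blocks shown on this page, the single-subnet s2s one under ipsec.conf and the multi-subnet alice/tiazel one above, together with an ipsec.secrets PSK line. It parses each comma-separated subnet as a CIDR and checks the left and right lists for overlap, flags ike=/esp= proposals that lack the trailing strict marker '!' or contain a token from an assumed weak-algorithm list, and flags a PSK shorter than an assumed minimum. WEAK_TOKENS and MIN_PSK_LEN are this example's own policy, not strongSwan settings; the conf strings are the page's two blocks with indentation restored.

```python
import ipaddress
import re

# Proposal tokens flagged in ike=/esp= (assumed policy for this example, not a strongSwan list).
WEAK_TOKENS = {
    "sha1": "HMAC-SHA1 is legacy; prefer sha256 or stronger",
    "modp1536": "1536-bit MODP (group 5) is too small; prefer modp2048+ or an ECP group",
}
MIN_PSK_LEN = 20  # assumed minimum pre-shared key length


def parse_conn(text):
    # One 'conn <name>' block of key=value lines -> dict (the conn line itself is skipped).
    conn = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conn[key.strip()] = value.strip()
    return conn


def parse_secrets(text):
    # ipsec.secrets lines '<id> <id> : PSK "secret"' -> {frozenset(ids): secret}
    secrets = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([^:#]*?)\s*:\s*PSK\s+"([^"]*)"', line)
        if m:
            secrets[frozenset(m.group(1).split())] = m.group(2)
    return secrets


def lint(conn, secrets):
    # Returns a list of findings; an empty list means every check passed.
    findings = []
    # Subnets may be comma-separated (multi-subnet conns); each must be a valid CIDR.
    nets = {"leftsubnet": [], "rightsubnet": []}
    for side in nets:
        for cidr in filter(None, conn.get(side, "").split(",")):
            try:
                nets[side].append(ipaddress.ip_network(cidr.strip(), strict=True))
            except ValueError:
                findings.append(f"{side}= invalid network {cidr.strip()!r}")
    for l in nets["leftsubnet"]:
        for r in nets["rightsubnet"]:
            if l.overlaps(r):
                findings.append(f"leftsubnet {l} overlaps rightsubnet {r}")
    # Proposals: weak tokens, and lists not terminated by the strict marker '!'.
    for key in ("ike", "esp"):
        prop = conn.get(key, "")
        if not prop.endswith("!"):
            findings.append(f"{key}= is unset or lacks the trailing '!' (not strict)")
        for tok in re.split(r"[-,!]", prop.lower()):
            if tok in WEAK_TOKENS:
                findings.append(f"{key}= uses {tok}: {WEAK_TOKENS[tok]}")
    # PSK: ipsec.secrets must hold an entry for exactly this id pair, long enough.
    if conn.get("authby") == "secret":
        psk = secrets.get(frozenset((conn.get("leftid", ""), conn.get("rightid", ""))))
        if psk is None:
            findings.append("no PSK entry in ipsec.secrets for this leftid/rightid pair")
        elif len(psk) < MIN_PSK_LEN:
            findings.append(f"PSK is only {len(psk)} characters (< {MIN_PSK_LEN})")
    return findings


# Constructed input: the two conn blocks from this page, indentation restored.
CONF_S2S = """conn s2s
    authby=secret
    keyexchange=ikev2
    left=10.82.227.12
    leftid=10.82.227.12
    leftsubnet=10.82.243.0/24
    mobike=no
    right=10.82.227.22
    rightid=10.82.227.22
    rightsubnet=10.82.244.0/24
    ike=aes256-sha256-modp4096!
    esp=aes256-sha256-modp4096!
    auto=start
"""
SECRETS_S2S = '10.82.227.12 10.82.227.22 : PSK "suxer"\n'
CONF_MULTI = """conn s2s
    authby=secret
    keyexchange=ikev2
    left=192.168.244.93
    leftid=@alice
    leftsubnet=172.16.93.0/24,10.16.93.0/24
    right=192.168.244.59
    rightid=@tiazel
    rightsubnet=172.16.59.0/24,10.16.59.0/24
    ike=aes256-sha1-modp1536
    esp=aes256-sha1-modp1536
    auto=start
"""

if __name__ == "__main__":
    print("s2s:", lint(parse_conn(CONF_S2S), parse_secrets(SECRETS_S2S)))
    print("alice/tiazel:", lint(parse_conn(CONF_MULTI), parse_secrets("")))
```

Run against the page's own files, the s2s conn passes everything except the 5-character PSK, while the alice/tiazel conn is reported for non-strict proposals, sha1, modp1536 on both ike= and esp=, and a missing secrets entry (the page shows no ipsec.secrets for that pair).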
- ipsec status
Security Associations (1 up, 0 connecting):
s2s[4]: ESTABLISHED 80 seconds ago, 192.168.244.93[alice]...192.168.244.59[tiazel]
s2s{4}: INSTALLED, TUNNEL, ESP SPIs: c0087b2d_i c3cf4303_o
s2s{4}: 172.16.93.0/24 10.16.93.0/24 === 172.16.59.0/24 10.16.59.0/24
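The two status outputs on this page, the multi-subnet one above and the single-subnet one under Status, can be checked mechanically by a monitoring job. The following Python is an added example, not from this page or strongSwan: it parses the three line kinds of `ipsec status` (IKE_SA, CHILD_SA with SPIs, traffic selectors) into a structure and decides whether a named conn is healthy, meaning an ESTABLISHED IKE_SA and an INSTALLED TUNNEL CHILD_SA whose traffic selectors equal the expected subnets on both sides. The regexes are written from the lines shown on this page; the CONNECTING line shape without an age is an assumption of this example, and the sample outputs are the page's two status listings.

```python
import re

# Line shapes in 'ipsec status' output as shown on this page; the optional
# "<age> seconds ago" part covers CONNECTING lines (assumed variant).
IKE_RE = re.compile(
    r"^\s*(?P<name>[^\[\s]+)\[(?P<id>\d+)\]:\s+(?P<state>\w+)"
    r"(?:\s+(?P<age>\d+)\s+seconds ago)?,\s+"
    r"(?P<laddr>[^\[\s]+)\[(?P<lid>[^\]]+)\]\.\.\.(?P<raddr>[^\[\s]+)\[(?P<rid>[^\]]+)\]"
)
CHILD_RE = re.compile(
    r"^\s*(?P<name>[^{\s]+)\{(?P<id>\d+)\}:\s+(?P<state>\w+),\s+(?P<mode>\w+),"
    r".*?ESP SPIs:\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o"
)
TS_RE = re.compile(
    r"^\s*(?P<name>[^{\s]+)\{(?P<id>\d+)\}:\s+(?P<local>.+?)\s+===\s+(?P<remote>.+?)\s*$"
)


def parse_status(text):
    # Group 'ipsec status' lines into {conn name: {"ike": {...}, "children": {id: {...}}}}.
    sas = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            sas.setdefault(m["name"], {"ike": None, "children": {}})["ike"] = {
                "id": int(m["id"]), "state": m["state"],
                "age": int(m["age"]) if m["age"] is not None else None,
                "local": (m["laddr"], m["lid"]), "remote": (m["raddr"], m["rid"]),
            }
            continue
        m = CHILD_RE.match(line)
        if m:
            children = sas.setdefault(m["name"], {"ike": None, "children": {}})["children"]
            children[int(m["id"])] = {"state": m["state"], "mode": m["mode"],
                                      "spi_in": m["spi_in"], "spi_out": m["spi_out"], "ts": None}
            continue
        m = TS_RE.match(line)
        if m and m["name"] in sas and int(m["id"]) in sas[m["name"]]["children"]:
            # Multi-subnet conns list several selectors per side, space separated.
            sas[m["name"]]["children"][int(m["id"])]["ts"] = (
                set(m["local"].split()), set(m["remote"].split()))
    return sas


def check_tunnel(sas, name, expected_local, expected_remote):
    # (ok, reasons): ok only with an ESTABLISHED IKE_SA and an INSTALLED TUNNEL
    # CHILD_SA whose traffic selectors equal the expected subnets exactly.
    conn = sas.get(name)
    if conn is None or conn["ike"] is None:
        return False, [f"{name}: no IKE_SA"]
    reasons = []
    if conn["ike"]["state"] != "ESTABLISHED":
        reasons.append(f"{name}: IKE_SA state is {conn['ike']['state']}")
    want = (set(expected_local), set(expected_remote))
    if not any(c["state"] == "INSTALLED" and c["mode"] == "TUNNEL" and c["ts"] == want
               for c in conn["children"].values()):
        reasons.append(f"{name}: no INSTALLED TUNNEL CHILD_SA with the expected traffic selectors")
    return not reasons, reasons


# Constructed input: the two 'ipsec status' outputs shown on this page.
STATUS_S2S = """\
Security Associations (1 up, 0 connecting):
         s2s[4]: ESTABLISHED 7 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
         s2s{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cef198fc_i c4de821a_o
         s2s{4}:   10.82.243.0/24 === 10.82.244.0/24
"""
STATUS_MULTI = """\
Security Associations (1 up, 0 connecting):
         s2s[4]: ESTABLISHED 80 seconds ago, 192.168.244.93[alice]...192.168.244.59[tiazel]
         s2s{4}:  INSTALLED, TUNNEL, ESP SPIs: c0087b2d_i c3cf4303_o
         s2s{4}:   172.16.93.0/24 10.16.93.0/24 === 172.16.59.0/24 10.16.59.0/24
"""

if __name__ == "__main__":
    print(check_tunnel(parse_status(STATUS_S2S), "s2s", ["10.82.243.0/24"], ["10.82.244.0/24"]))
    print(check_tunnel(parse_status(STATUS_MULTI), "s2s",
                       ["172.16.93.0/24", "10.16.93.0/24"], ["172.16.59.0/24", "10.16.59.0/24"]))
```

Comparing the selector sets rather than just the INSTALLED state catches the case where a peer's configuration drifted and only part of the expected subnets is actually being tunnelled; feeding the real `ipsec status` output into parse_status is the only change needed to run it on a host.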