Aktuelle Version vom 10. September 2023, 11:37 Uhr

ipsec.conf

Erklärung

/etc/ipsec.conf Erklärung

Datei

conn s2s
     authby=secret
     keyexchange=ikev2
     left=10.81.1.10
     leftsubnet=192.168.10.0/24
     mobike=no
     right=10.81.1.11
     rightsubnet=192.168.11.0/24
     ike=aes256-sha256-modp4096!
     esp=aes256-sha256-modp4096!
     auto=start

ipsec.secrets

ID Kombination mit Authentifizierungsmethodes

cat /etc/ipsec.secrets

10.81.1.10 10.81.1.11  : PSK "suxer"

Handling

Up

ipsec up s2s

Down

ipsec down s2s

Status

ipsec status s2s

Security Associations (1 up, 0 connecting):
         s2s[4]: ESTABLISHED 7 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
         s2s{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cef198fc_i c4de821a_o
         s2s{4}:   10.82.243.0/24 === 10.82.244.0/24

TCPDump der Verbindung

tcpdump -ni eth0 port 500 or esp

Mehrere Subnetze

alice und tiazel

/etc/ipsec.conf

conn s2s
     authby=secret
     keyexchange=ikev2
     left=10.81.1.10
     leftsubnet=192.168.10.0/24
     mobike=no
     right=10.81.1.11
     rightsubnet=192.168.11.0/24,192.168.33.0/24
     ike=aes256-sha256-modp4096!
     esp=aes256-sha256-modp4096!
     auto=start

ipsec status

Links

https://www.heise.de/security/artikel/Einfacher-VPN-Tunnelbau-dank-IKEv2-270056.html

@@ Zeile 1: / Zeile 1: @@
-=Konfiguration=
 ==ipsec.conf==
 ===Erklärung===
 */etc/[[ipsec.conf Erklärung]]
 ===Datei===
+[[Datei:Ikev2-prinzip.png|900px]]
 <pre>
 conn s2s
       authby=secret
       keyexchange=ikev2
-      left=10.82.227.12
+      left=10.81.1.10
-      leftsubnet=10.82.243.0/24
+      leftsubnet=192.168.10.0/24
       mobike=no
-      right=10.82.227.22
+      right=10.81.1.11
-      rightsubnet=10.82.244.0/24
+      rightsubnet=192.168.11.0/24
       ike=aes256-sha256-modp4096!
       esp=aes256-sha256-modp4096!
@@ Zeile 23: / Zeile 23: @@
 ;ID Kombination mit Authentifizierungsmethodes
 *cat /etc/ipsec.secrets
-.82.227.12 10.82.227.22  : PSK "suxer"
+.81.1.10 10.81.1.11  : PSK "suxer"
 =Handling=
 =Up=
 *ipsec up  s2s
-<pre>
-initiating IKE_SA s2s[2] to 10.82.227.22
-generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
-sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (720 bytes)
-received packet: from 10.82.227.22[500] to 10.82.227.12[500] (728 bytes)
-parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
-selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
-authentication of '10.82.227.12' (myself) with pre-shared key
-establishing CHILD_SA s2s{2}
-generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
-sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (256 bytes)
-received packet: from 10.82.227.22[500] to 10.82.227.12[500] (224 bytes)
-parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
-authentication of '10.82.227.22' with pre-shared key successful
-IKE_SA s2s[2] established between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
-scheduling reauthentication in 10119s
-maximum IKE_SA lifetime 10659s
-selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
-CHILD_SA s2s{2} established with SPIs cc16cb02_i c89d755d_o and TS 10.82.243.0/24 === 10.82.244.0/24
-connection 's2s' established successfully
-</pre>
 =Down=
 *ipsec down s2s
-<pre>
-deleting IKE_SA s2s[2] between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
-sending DELETE for IKE_SA s2s[2]
-generating INFORMATIONAL request 2 [ D ]
-sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (80 bytes)
-received packet: from 10.82.227.22[500] to 10.82.227.12[500] (80 bytes)
-parsed INFORMATIONAL response 2 [ ]
-IKE_SA deleted
-IKE_SA [2] closed successfully
-</pre>
 =Status=
@@ Zeile 71: / Zeile 39: @@
            s2s{4}:   10.82.243.0/24 === 10.82.244.0/24
 =TCPDump der Verbindung=
 *tcpdump -ni eth0 port 500 or  esp
-;up
-<pre>
-tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
-listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
-listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
-:03:46.060570 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: parent_sa ikev2_init[I]
-:03:46.173147 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: parent_sa ikev2_init[R]
-:03:46.230911 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: child_sa  ikev2_auth[I]
-:03:46.234449 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: child_sa  ikev2_auth[R]
-</pre>
-down
-<pre>
-:04:02.224802 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: child_sa  inf2[I]
-:04:02.228834 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: child_sa  inf2[R]
-</pre>
 =Mehrere Subnetze=
@@ Zeile 96: / Zeile 48: @@
       authby=secret
       keyexchange=ikev2
-      left=10.82.227.12
+      left=10.81.1.10
-     leftid=10.82.227.12
+      leftsubnet=192.168.10.0/24
-      leftsubnet=10.82.243.0/24,192.168.20.0/24
       mobike=no
-      right=10.82.227.22
+      right=10.81.1.11
-      rightid=10.82.227.22
+      rightsubnet=192.168.11.0/24,192.168.33.0/24
-     rightsubnet=10.82.244.0/24
       ike=aes256-sha256-modp4096!
       esp=aes256-sha256-modp4096!
@@ Zeile 108: / Zeile 58: @@
 </pre>
 *ipsec status
-<pre>
-Security Associations (1 up, 0 connecting):
-         s2s[2]: ESTABLISHED 5 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
-         s2s{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cda686f1_i c7f9fce6_o
-         s2s{2}:   10.82.243.0/24 192.168.20.0/24 === 10.82.244.0/24
-</pre>
 =Links=
 *https://www.heise.de/security/artikel/Einfacher-VPN-Tunnelbau-dank-IKEv2-270056.html

Strongswan zu strongswan psk ikev2 site to site: Unterschied zwischen den Versionen

Aktuelle Version vom 10. September 2023, 11:37 Uhr

Inhaltsverzeichnis

ipsec.conf

Erklärung

Datei

ipsec.secrets

Handling

Up

Down

Status

TCPDump der Verbindung

Mehrere Subnetze

alice und tiazel

Links

Navigationsmenü

Suche