Strongswan zu strongswan psk ikev2 site to site: Difference between revisions

From Xinux Wiki
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
  
  
=Configuration=
 
{{#drawio:vpn-11}}
 
 
==ipsec.conf==
 
==ipsec.conf==
 
===Explanation===
 
===Explanation===
Line 41: Line 39:
 
           s2s{4}:  10.82.243.0/24 === 10.82.244.0/24
 
           s2s{4}:  10.82.243.0/24 === 10.82.244.0/24
 
=TCPDump of the connection=
 
=TCPDump of the connection=
*tcpdump -ni eth0 port 500 or  esp  
+
*tcpdump -ni eth0 port 500 or  esp
;up
 
<pre>
 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
 
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
 
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
 
09:03:46.060570 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: parent_sa ikev2_init[I]
 
09:03:46.173147 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: parent_sa ikev2_init[R]
 
09:03:46.230911 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: child_sa  ikev2_auth[I]
 
09:03:46.234449 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: child_sa  ikev2_auth[R]
 
 
 
</pre>
 
down
 
<pre>
 
09:04:02.224802 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: child_sa  inf2[I]
 
09:04:02.228834 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: child_sa  inf2[R]
 
</pre>
 
  
 
=Multiple subnets=
 
=Multiple subnets=
Line 66: Line 48:
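Review bot: the capture filter `tcpdump -ni eth0 port 500 or esp` added in this hunk only sees the non-NAT case; as soon as a NAT sits between the peers, IKE and the ESP payload move to UDP port 4500 (NAT traversal) and nothing of the tunnel shows up in this capture. Suggest `tcpdump -ni eth0 port 500 or port 4500 or esp` so the "up" and "down" traces remain meaningful in both setups.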
 
     authby=secret
 
     authby=secret
 
     keyexchange=ikev2
 
     keyexchange=ikev2
     left=10.82.227.12
+
     left=10.81.1.10
    leftid=10.82.227.12
+
     leftsubnet=192.168.10.0/24
     leftsubnet=10.82.243.0/24,192.168.20.0/24
 
 
     mobike=no
 
     mobike=no
     right=10.82.227.22
+
     right=10.81.1.11
     rightid=10.82.227.22
+
     rightsubnet=192.168.11.0/24,192.168.33.0/24
    rightsubnet=10.82.244.0/24
 
 
     ike=aes256-sha256-modp4096!
 
     ike=aes256-sha256-modp4096!
 
     esp=aes256-sha256-modp4096!
 
     esp=aes256-sha256-modp4096!
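Review bot: this hunk changes left/right from 10.82.227.12/.22 to 10.81.1.10/.11 and at the same time drops the explicit leftid/rightid lines. That is consistent only because strongSwan uses the left/right address as the identity when no id is configured, so the selectors in ipsec.secrets must now name 10.81.1.10 and 10.81.1.11 (as the PSK line in the current revision does); a one-line remark that the IDs default to the addresses would save the next editor from re-adding them with the old values.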
Line 78: Line 58:
 
</pre>
 
</pre>
 
*ipsec status
 
*ipsec status
<pre>
 
Security Associations (1 up, 0 connecting):
 
        s2s[2]: ESTABLISHED 5 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
 
        s2s{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cda686f1_i c7f9fce6_o
 
        s2s{2}:  10.82.243.0/24 192.168.20.0/24 === 10.82.244.0/24
 
</pre>
 
  
 
=Links=
 
=Links=
 
*https://www.heise.de/security/artikel/Einfacher-VPN-Tunnelbau-dank-IKEv2-270056.html
 
*https://www.heise.de/security/artikel/Einfacher-VPN-Tunnelbau-dank-IKEv2-270056.html
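Review bot: the `ipsec status` output kept as context in this hunk still shows 10.82.227.12...10.82.227.22 and the selectors 10.82.243.0/24 192.168.20.0/24 === 10.82.244.0/24, which no longer match the left/right addresses and subnets configured in this revision (10.81.1.10/.11, 192.168.10.0/24 === 192.168.11.0/24,192.168.33.0/24). Either re-run the status after the config change and paste the new output, or label this block as captured from the earlier setup.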

Latest revision as of 10 September 2023, 11:37


ipsec.conf

Explanation

File: Ikev2-prinzip.png

conn s2s
     authby=secret
     keyexchange=ikev2
     left=10.81.1.10
     leftsubnet=192.168.10.0/24
     mobike=no
     right=10.81.1.11
     rightsubnet=192.168.11.0/24
     ike=aes256-sha256-modp4096!
     esp=aes256-sha256-modp4096!
     auto=start

ipsec.secrets

Combination of the two IDs with the authentication method
  • cat /etc/ipsec.secrets
10.81.1.10 10.81.1.11  : PSK "suxer"
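A consistency check for the two files above, as an added example that is not part of this wiki page: it reads the `conn s2s` block and the PSK line, confirms that a secrets line covers both peer IDs (assuming strongSwan's default of using left/right as the ID when no leftid/rightid is set) and flags a short PSK. The sample input is constructed from the configuration shown on this page.

```python
import re

# Constructed sample input, mirroring the ipsec.conf and ipsec.secrets above
IPSEC_CONF = """conn s2s
     authby=secret
     keyexchange=ikev2
     left=10.81.1.10
     leftsubnet=192.168.10.0/24
     mobike=no
     right=10.81.1.11
     rightsubnet=192.168.11.0/24,192.168.33.0/24
     ike=aes256-sha256-modp4096!
     esp=aes256-sha256-modp4096!
     auto=start
"""
IPSEC_SECRETS = '10.81.1.10 10.81.1.11  : PSK "suxer"\n'

def parse_conn(text, name):
    """Return the key=value settings of one conn block from ipsec.conf."""
    settings, inside = {}, False
    for line in text.splitlines():
        if line and not line[0].isspace():          # section header (conn/config)
            inside = line.split() == ["conn", name]
            continue
        if inside and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key] = value
    return settings

def parse_psk_secrets(text):
    """Return [(selectors, psk)] for every PSK line of ipsec.secrets."""
    out = []
    for line in text.splitlines():
        m = re.match(r'^\s*(.*?)\s*:\s*PSK\s+"([^"]*)"', line)
        if m:
            out.append((m.group(1).split(), m.group(2)))  # [] = wildcard line
    return out

def check_site_to_site(conf, secrets, name="s2s", min_psk_len=20):
    """Return a list of findings for the conn's PSK setup (empty list = ok)."""
    c, findings = parse_conn(conf, name), []
    if c.get("authby") != "secret" and c.get("leftauth") != "psk":
        findings.append("conn does not use PSK authentication")
    # assumption: strongSwan falls back to the address when no id is configured
    ids = {c.get("leftid", c.get("left")), c.get("rightid", c.get("right"))}
    matching = [(sel, psk) for sel, psk in parse_psk_secrets(secrets)
                if not sel or "%any" in sel or ids <= set(sel)]
    if not matching:
        findings.append(f"no PSK line in ipsec.secrets covers both IDs {sorted(ids)}")
    for sel, psk in matching:
        if len(psk) < min_psk_len:
            findings.append(f"PSK for {sel or 'any'} is only {len(psk)} chars; use a long random secret")
    return findings
```

Running `check_site_to_site(IPSEC_CONF, IPSEC_SECRETS)` on the page's own values reports only the short PSK; IPsec itself is happy with it, which is exactly why a check outside strongSwan is useful.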

Handling

Up

  • ipsec up s2s

Down

  • ipsec down s2s

Status

  • ipsec status s2s
Security Associations (1 up, 0 connecting):
         s2s[4]: ESTABLISHED 7 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
         s2s{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cef198fc_i c4de821a_o
         s2s{4}:   10.82.243.0/24 === 10.82.244.0/24

TCPDump of the connection

  • tcpdump -ni eth0 port 500 or esp

Multiple subnets

alice and tiazel

  • /etc/ipsec.conf
conn s2s
     authby=secret
     keyexchange=ikev2
     left=10.81.1.10
     leftsubnet=192.168.10.0/24
     mobike=no
     right=10.81.1.11
     rightsubnet=192.168.11.0/24,192.168.33.0/24
     ike=aes256-sha256-modp4096!
     esp=aes256-sha256-modp4096!
     auto=start
  • ipsec status

Links