Strongswan zu strongswan: Difference between revisions
Thomas (Talk | contribs) (The page was blanked.) |
Thomas (Talk | contribs) |
||
| Zeile 1: | Zeile 1: | ||
| − | + | =Config is the same on both sites= | |
| + | ==ipsec.conf== | ||
| + | <pre> | ||
| + | conn s2s | ||
| + | authby=secret | ||
| + | keyexchange=ikev1 | ||
| + | left=10.84.252.32 | ||
| + | leftsubnet=10.83.32.0/24 | ||
| + | right=10.84.252.39 | ||
| + | rightsubnet=10.83.39.0/24 | ||
| + | ike=aes256-sha1-modp1536 | ||
| + | esp=aes256-sha1-modp1536 | ||
| + | auto=start | ||
| + | </pre> | ||
| + | ==ipsec.secrets== | ||
| + | 10.84.252.32 10.84.252.39 : PSK "suxer" | ||
| + | =Handling= | ||
| + | =Up= | ||
| + | *ipsec up s2s | ||
| + | <pre> | ||
| + | initiating Main Mode IKE_SA s2s[2] to 10.84.252.32 | ||
| + | generating ID_PROT request 0 [ SA V V V V V ] | ||
| + | sending packet: from 10.84.252.39[500] to 10.84.252.32[500] (240 bytes) | ||
| + | received packet: from 10.84.252.32[500] to 10.84.252.39[500] (136 bytes) | ||
| + | parsed ID_PROT response 0 [ SA V V V ] | ||
| + | received XAuth vendor ID | ||
| + | received DPD vendor ID | ||
| + | received NAT-T (RFC 3947) vendor ID | ||
| + | generating ID_PROT request 0 [ KE No NAT-D NAT-D ] | ||
| + | sending packet: from 10.84.252.39[500] to 10.84.252.32[500] (308 bytes) | ||
| + | received packet: from 10.84.252.32[500] to 10.84.252.39[500] (308 bytes) | ||
| + | parsed ID_PROT response 0 [ KE No NAT-D NAT-D ] | ||
| + | generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] | ||
| + | sending packet: from 10.84.252.39[500] to 10.84.252.32[500] (108 bytes) | ||
| + | received packet: from 10.84.252.32[500] to 10.84.252.39[500] (76 bytes) | ||
| + | parsed ID_PROT response 0 [ ID HASH ] | ||
| + | IKE_SA s2s[2] established between 10.84.252.39[10.84.252.39]...10.84.252.32[10.84.252.32] | ||
| + | scheduling reauthentication in 10049s | ||
| + | maximum IKE_SA lifetime 10589s | ||
| + | generating QUICK_MODE request 1407118356 [ HASH SA No KE ID ID ] | ||
| + | sending packet: from 10.84.252.39[500] to 10.84.252.32[500] (380 bytes) | ||
| + | received packet: from 10.84.252.32[500] to 10.84.252.39[500] (380 bytes) | ||
| + | parsed QUICK_MODE response 1407118356 [ HASH SA No KE ID ID ] | ||
| + | CHILD_SA s2s{2} established with SPIs c166893e_i c6f6489e_o and TS 10.83.39.0/24 === 10.83.32.0/24 | ||
| + | connection 's2s' established successfully | ||
| + | </pre> | ||
| + | =Down= | ||
| + | *ipsec down s2s | ||
| + | <pre> | ||
| + | closing CHILD_SA s2s{2} with SPIs c166893e_i (0 bytes) c6f6489e_o (0 bytes) and TS 10.83.39.0/24 === 10.83.32.0/24 | ||
| + | sending DELETE for ESP CHILD_SA with SPI c166893e | ||
| + | generating INFORMATIONAL_V1 request 3593237135 [ HASH D ] | ||
| + | sending packet: from 10.84.252.39[500] to 10.84.252.32[500] (76 bytes) | ||
| + | deleting IKE_SA s2s[2] between 10.84.252.39[10.84.252.39]...10.84.252.32[10.84.252.32] | ||
| + | sending DELETE for IKE_SA s2s[2] | ||
| + | generating INFORMATIONAL_V1 request 592265543 [ HASH D ] | ||
| + | sending packet: from 10.84.252.39[500] to 10.84.252.32[500] (92 bytes) | ||
| + | IKE_SA [2] closed successfully | ||
| + | </pre> | ||
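Review bot: the added ipsec.secrets line publishes the tunnel's pre-shared key in plaintext, and at five characters ("suxer") it is short enough to guess; put a placeholder on the wiki and use a long random secret on the two gateways. In the same conn, keyexchange=ikev1 with ike=/esp=aes256-sha1-modp1536 pins the tunnel to IKEv1, SHA-1 and a 1536-bit DH group, so consider keyexchange=ikev2 with a SHA-2 integrity algorithm and a larger group if both peers support it. Smaller points: the ipsec.secrets line is the only block not wrapped in <pre>, and =Up= / =Down= are level-1 headings although they read as subsections of =Handling=.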
Revision as of 1 November 2017, 09:35
Config is the same on both sites
ipsec.conf
conn s2s
    authby=secret
    keyexchange=ikev1
    left=10.84.252.32
    leftsubnet=10.83.32.0/24
    right=10.84.252.39
    rightsubnet=10.83.39.0/24
    ike=aes256-sha1-modp1536
    esp=aes256-sha1-modp1536
    auto=start
ipsec.secrets
10.84.252.32 10.84.252.39 : PSK "suxer"
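An added example, not part of the original wiki page: a small Python check that parses the ipsec.conf and ipsec.secrets shown above and reports the settings a reviewer would question (explicit IKEv1, legacy algorithm tokens, a short PSK). The sample files are constructed copies of the page's configuration; `LEGACY_TOKENS` and `MIN_PSK_LEN` are assumed local policy values, not strongSwan defaults.

```python
import re

# Constructed copies of the page's files (conn parameters indented, as ipsec.conf requires).
IPSEC_CONF = """\
conn s2s
    authby=secret
    keyexchange=ikev1
    ike=aes256-sha1-modp1536
    esp=aes256-sha1-modp1536
"""
IPSEC_SECRETS = '10.84.252.32 10.84.252.39 : PSK "suxer"\n'

# Assumed local policy, adjust to your own baseline.
LEGACY_TOKENS = {"md5", "sha1", "des", "3des", "modp768", "modp1024", "modp1536"}
MIN_PSK_LEN = 20

def parse_conns(text):
    """Return {conn_name: {option: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                      # unindented line starts a section
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:     # indented option inside a conn
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def audit(conf_text, secrets_text):
    """Return a list of (subject, setting, detail) findings."""
    findings = []
    for name, opts in parse_conns(conf_text).items():
        if opts.get("keyexchange", "").lower() == "ikev1":
            findings.append((name, "keyexchange", "ikev1"))
        for key in ("ike", "esp"):
            for proposal in opts.get(key, "").replace("!", "").split(","):
                for token in proposal.strip().lower().split("-"):
                    if token in LEGACY_TOKENS:
                        findings.append((name, key, token))
    for m in re.finditer(r'^\s*(.*?)\s*:\s*PSK\s+"([^"]*)"', secrets_text, re.M):
        if len(m.group(2)) < MIN_PSK_LEN:
            findings.append((m.group(1), "PSK", f"length {len(m.group(2))}"))
    return findings

if __name__ == "__main__":
    for finding in audit(IPSEC_CONF, IPSEC_SECRETS):
        print(*finding, sep=": ")
```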
Handling
Up
- ipsec up s2s
initiating Main Mode IKE_SA s2s[2] to 10.84.252.32
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.84.252.39[500] to 10.84.252.32[500] (240 bytes)
received packet: from 10.84.252.32[500] to 10.84.252.39[500] (136 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.84.252.39[500] to 10.84.252.32[500] (308 bytes)
received packet: from 10.84.252.32[500] to 10.84.252.39[500] (308 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.84.252.39[500] to 10.84.252.32[500] (108 bytes)
received packet: from 10.84.252.32[500] to 10.84.252.39[500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA s2s[2] established between 10.84.252.39[10.84.252.39]...10.84.252.32[10.84.252.32]
scheduling reauthentication in 10049s
maximum IKE_SA lifetime 10589s
generating QUICK_MODE request 1407118356 [ HASH SA No KE ID ID ]
sending packet: from 10.84.252.39[500] to 10.84.252.32[500] (380 bytes)
received packet: from 10.84.252.32[500] to 10.84.252.39[500] (380 bytes)
parsed QUICK_MODE response 1407118356 [ HASH SA No KE ID ID ]
CHILD_SA s2s{2} established with SPIs c166893e_i c6f6489e_o and TS 10.83.39.0/24 === 10.83.32.0/24
connection 's2s' established successfully
Down
- ipsec down s2s
closing CHILD_SA s2s{2} with SPIs c166893e_i (0 bytes) c6f6489e_o (0 bytes) and TS 10.83.39.0/24 === 10.83.32.0/24
sending DELETE for ESP CHILD_SA with SPI c166893e
generating INFORMATIONAL_V1 request 3593237135 [ HASH D ]
sending packet: from 10.84.252.39[500] to 10.84.252.32[500] (76 bytes)
deleting IKE_SA s2s[2] between 10.84.252.39[10.84.252.39]...10.84.252.32[10.84.252.32]
sending DELETE for IKE_SA s2s[2]
generating INFORMATIONAL_V1 request 592265543 [ HASH D ]
sending packet: from 10.84.252.39[500] to 10.84.252.32[500] (92 bytes)
IKE_SA [2] closed successfully