Strongswan zu strongswan ikev2 site to site
Revision of 7 September 2017, 08:56 by Thomas (Talk | Contributions) (Page created: „=Strongswan= ==alice und tiazel== */etc/ipsec.conf <pre> conn s2s authby=secret keyexchange=ikev2 left=192.168.244.93 leftid=@alice le…“)
Strongswan
alice and tiazel
- /etc/ipsec.conf
conn s2s
    authby=secret
    keyexchange=ikev2
    left=192.168.244.93
    leftid=@alice
    leftsubnet=172.16.93.0/24
    right=192.168.244.59
    rightid=@tiazel
    rightsubnet=172.16.59.0/24
    ike=aes256-sha1-modp1536
    esp=aes256-sha1-modp1536
    auto=start
- /etc/ipsec.secrets
@tiazel @alice : PSK "suxer"
alice
- ipsec up s2s
initiating IKE_SA s2s[3] to 192.168.244.59
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.244.93[500] to 192.168.244.59[500] (1004 bytes)
received packet: from 192.168.244.59[500] to 192.168.244.93[500] (376 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
authentication of 'alice' (myself) with pre-shared key
establishing CHILD_SA s2s
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.244.93[4500] to 192.168.244.59[4500] (364 bytes)
received packet: from 192.168.244.59[4500] to 192.168.244.93[4500] (236 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
authentication of 'tiazel' with pre-shared key successful
IKE_SA s2s[3] established between 192.168.244.93[alice]...192.168.244.59[tiazel]
scheduling reauthentication in 9834s
maximum IKE_SA lifetime 10374s
connection 's2s' established successfully
- tcpdump -ni eth0 port 500 or port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:03:13.883570 IP 192.168.244.93.500 > 192.168.244.59.500: isakmp: parent_sa ikev2_init[I]
11:03:13.892845 IP 192.168.244.59.500 > 192.168.244.93.500: isakmp: parent_sa ikev2_init[R]
11:03:13.903029 IP 192.168.244.93.4500 > 192.168.244.59.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:03:13.905576 IP 192.168.244.59.4500 > 192.168.244.93.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
Multiple subnets
alice and tiazel
- /etc/ipsec.conf
conn s2s
    authby=secret
    keyexchange=ikev2
    left=192.168.244.93
    leftid=@alice
    leftsubnet=172.16.93.0/24,10.16.93.0/24
    right=192.168.244.59
    rightid=@tiazel
    rightsubnet=172.16.59.0/24,10.16.59.0/24
    ike=aes256-sha1-modp1536
    esp=aes256-sha1-modp1536
    auto=start
- ipsec status
Security Associations (1 up, 0 connecting):
s2s[4]: ESTABLISHED 80 seconds ago, 192.168.244.93[alice]...192.168.244.59[tiazel]
s2s{4}: INSTALLED, TUNNEL, ESP SPIs: c0087b2d_i c3cf4303_o
s2s{4}: 172.16.93.0/24 10.16.93.0/24 === 172.16.59.0/24 10.16.59.0/24
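As an added example (not from this wiki page or from strongSwan itself), a small Python checker for the multi-subnet conn above: it parses the ipsec.conf block and the ipsec.secrets line, confirms a PSK entry covers both leftid and rightid, checks that no left subnet overlaps a right subnet (overlaps make the traffic selectors ambiguous), and flags the legacy SHA-1 and MODP-1536 choices in the ike/esp proposals. The sample inputs and the set of algorithms treated as legacy are constructed assumptions; the ID matching is simplified compared to strongSwan's own rules.

```python
# Added example (not from the wiki page or strongSwan): a simplified checker.
# The sample inputs and the legacy-algorithm set below are constructed assumptions.
import ipaddress

IPSEC_CONF = """\
conn s2s
    authby=secret
    keyexchange=ikev2
    left=192.168.244.93
    leftid=@alice
    leftsubnet=172.16.93.0/24,10.16.93.0/24
    right=192.168.244.59
    rightid=@tiazel
    rightsubnet=172.16.59.0/24,10.16.59.0/24
    ike=aes256-sha1-modp1536
    esp=aes256-sha1-modp1536
    auto=start
"""
IPSEC_SECRETS = '@tiazel @alice : PSK "suxer"\n'
LEGACY = {"md5", "sha1", "3des", "modp1024", "modp1536"}  # assumption: flag these

def parse_conf(text):
    """Return {conn_name: {key: value}}; strongSwan requires indented parameters."""
    conns, cur = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif cur is not None and line[:1].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            cur[key] = value
    return conns

def parse_secrets(text):
    """Return [(ids, type)] per line, e.g. ({'@tiazel', '@alice'}, 'PSK')."""
    return [(set(l.split(":", 1)[0].split()), l.split(":", 1)[1].split()[0])
            for l in text.splitlines() if ":" in l]

def check_conn(c, secrets):
    """Findings for one conn: missing PSK, overlapping subnets, legacy algorithms."""
    findings = []
    ids = {c.get("leftid"), c.get("rightid")}
    if c.get("authby") == "secret" and not any(
            ids <= s_ids and s_type == "PSK" for s_ids, s_type in secrets):
        findings.append("no PSK line in ipsec.secrets covers both IDs")
    nets = lambda key: [ipaddress.ip_network(n) for n in c.get(key, "").split(",") if n]
    findings += [f"{a} overlaps {b}" for a in nets("leftsubnet")
                 for b in nets("rightsubnet") if a.overlaps(b)]
    for key in ("ike", "esp"):
        findings += [f"{key} uses legacy {alg}" for alg in c.get(key, "").split("-") if alg in LEGACY]
    return findings
```

Run against the sample, the only findings are the four legacy-algorithm notes, which is the expected result for the page's proposals; a missing secrets line or an overlapping subnet pair produces an additional finding.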