Strongswan zu strongswan psk ikev2 site to site

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen


Konfiguration

ipsec.conf

Erklärung

Datei

Ikev2-prinzip.png 

conn s2s
     authby=secret
     keyexchange=ikev2
     left=10.81.1.10
     leftsubnet=192.168.10.0/24
     mobike=no
     right=10.81.1.11
     rightsubnet=192.168.11.0/24
     ike=aes256-sha256-modp4096!
     esp=aes256-sha256-modp4096!
     auto=start

ipsec.secrets

ID Kombination mit Authentifizierungsmethodes
  • cat /etc/ipsec.secrets
10.81.1.10 10.81.1.11  : PSK "suxer"

Handling

Up

  • ipsec up s2s

Down

  • ipsec down s2s
deleting IKE_SA s2s[2] between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
sending DELETE for IKE_SA s2s[2]
generating INFORMATIONAL request 2 [ D ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (80 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (80 bytes)
parsed INFORMATIONAL response 2 [ ]
IKE_SA deleted
IKE_SA [2] closed successfully

Status

  • ipsec status s2s
Security Associations (1 up, 0 connecting):
         s2s[4]: ESTABLISHED 7 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
         s2s{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cef198fc_i c4de821a_o
         s2s{4}:   10.82.243.0/24 === 10.82.244.0/24

TCPDump der Verbindung

  • tcpdump -ni eth0 port 500 or esp
up
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:03:46.060570 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: parent_sa ikev2_init[I]
09:03:46.173147 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: parent_sa ikev2_init[R]
09:03:46.230911 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: child_sa  ikev2_auth[I]
09:03:46.234449 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: child_sa  ikev2_auth[R]

down 

09:04:02.224802 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: child_sa  inf2[I]
09:04:02.228834 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: child_sa  inf2[R]

Mehrere Subnetze

alice und tiazel

  • /etc/ipsec.conf
conn s2s
     authby=secret
     keyexchange=ikev2
     left=10.82.227.12
     leftid=10.82.227.12
     leftsubnet=10.82.243.0/24,192.168.20.0/24
     mobike=no
     right=10.82.227.22
     rightid=10.82.227.22
     rightsubnet=10.82.244.0/24
     ike=aes256-sha256-modp4096!
     esp=aes256-sha256-modp4096!
     auto=start
  • ipsec status
Security Associations (1 up, 0 connecting):
         s2s[2]: ESTABLISHED 5 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
         s2s{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cda686f1_i c7f9fce6_o
         s2s{2}:   10.82.243.0/24 192.168.20.0/24 === 10.82.244.0/24

Links

Abgerufen von „http://wiki.ixheim.de/index.php?title=Strongswan_zu_strongswan_psk_ikev2_site_to_site&oldid=49225