Assume we have two servers in different subnets that we want to connect through IPsec.
# Alice
206.36.46.56   # public IP
10.20.10.10    # local IP
# Bob
207.37.47.57   # public IP
10.20.20.10    # local IP
Set up the tunnel using GRE
We will run the tunnel on Alice and connect to it from Bob. On the Alice machine, edit the interfaces file:
vim /etc/network/interfaces
and add the following lines:
auto tun0
iface tun0 inet static
    address 10.10.10.1
    netmask 255.255.255.0
    broadcast 10.10.10.255
    pointopoint 10.10.10.2
    pre-up iptunnel add tun0 mode gre remote 207.37.47.57 local 206.36.46.56 ttl 225
    up ifconfig tun0 multicast
    post-down iptunnel del tun0
Turn the tunnel on:
# ifup tun0
On the Bob machine, edit the interfaces file:
vim /etc/network/interfaces
and add the following block:
auto gre1
iface gre1 inet tunnel
    mode gre
    netmask 255.255.255.255
    address 10.10.10.2
    dstaddr 10.10.10.1
    endpoint 206.36.46.56
    local 207.37.47.57
    ttl 255
    # route Alice's local subnet (10.20.10.0/24) through the tunnel; 10.20.20.0/24
    # is Bob's own subnet and is already a connected route
    up ip route add 10.20.10.0/24 via 10.10.10.1 src 10.10.10.2 || true
Turn the interface on:
# ifup gre1
Note that you can't use the name 'gre0' for the interface, because it is the 'base device' created by the kernel's GRE module.
Install the necessary software for the secure tunnel
apt-get install racoon ipsec-tools
Configure IPsec
On both servers, edit the racoon configuration:
vim /etc/racoon/racoon.conf
and configure it as follows. The anonymous remote and sainfo sections let any peer negotiate, so authentication rests entirely on the pre-shared key:
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote anonymous {
    exchange_mode main,aggressive;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address;
    nat_traversal force;
    proposal {
        # 3des / sha1 / modp1024 are legacy choices; racoon also accepts
        # "aes 256", "sha256" and "modp2048" when both peers are configured alike
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo anonymous {
    pfs_group 1;
    lifetime time 2 min;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
Set up the pre-shared key the servers use to authenticate each other
Edit the file on both servers:
vim /etc/racoon/psk.txt
Comment out all existing lines and add one line of the form "peer address  key":
# on Alice server (racoon refuses a key file readable by others: chmod 600 /etc/racoon/psk.txt)
207.37.47.57 super_secure_random_string_here
# on Bob server (the same string)
206.36.46.56 same_super_secure_random_string
Set up the security policies
Edit the file on both servers:
vim /etc/ipsec-tools.conf
and add the following configuration. IKE (udp/500 and udp/4500), ESP (protocol 50) and AH (protocol 51) between the peers are exempted from IPsec so that negotiation itself can happen; the GRE traffic is required to go through the ESP tunnel, with [4500] on the tunnel endpoints because nat_traversal is forced:
# on Alice:
flush;
spdflush;
spdadd 206.36.46.56 207.37.47.57[500] udp -P out none;
spdadd 206.36.46.56 207.37.47.57[4500] udp -P out none;
spdadd 206.36.46.56 207.37.47.57[500] 50 -P out none;
spdadd 206.36.46.56 207.37.47.57[500] 51 -P out none;
spdadd 207.37.47.57 206.36.46.56[500] udp -P in none;
spdadd 207.37.47.57 206.36.46.56[4500] udp -P in none;
spdadd 207.37.47.57 206.36.46.56[500] 50 -P in none;
spdadd 207.37.47.57 206.36.46.56[500] 51 -P in none;
spdadd 206.36.46.56 207.37.47.57 gre -P out ipsec
    esp/tunnel/206.36.46.56[4500]-207.37.47.57[4500]/require;
spdadd 207.37.47.57 206.36.46.56 gre -P in ipsec
    esp/tunnel/207.37.47.57[4500]-206.36.46.56[4500]/require;

# same on Bob, swapping the addresses:
flush;
spdflush;
spdadd 207.37.47.57 206.36.46.56[500] udp -P out none;
spdadd 207.37.47.57 206.36.46.56[4500] udp -P out none;
spdadd 207.37.47.57 206.36.46.56[500] 50 -P out none;
spdadd 207.37.47.57 206.36.46.56[500] 51 -P out none;
spdadd 206.36.46.56 207.37.47.57[500] udp -P in none;
spdadd 206.36.46.56 207.37.47.57[4500] udp -P in none;
spdadd 206.36.46.56 207.37.47.57[500] 50 -P in none;
spdadd 206.36.46.56 207.37.47.57[500] 51 -P in none;
spdadd 207.37.47.57 206.36.46.56 gre -P out ipsec
    esp/tunnel/207.37.47.57[4500]-206.36.46.56[4500]/require;
spdadd 206.36.46.56 207.37.47.57 gre -P in ipsec
    esp/tunnel/206.36.46.56[4500]-207.37.47.57[4500]/require;
Set up firewall access
On the Bob server, allow IKE, ESP, AH and GRE from Alice only:
iptables -A INPUT -s 206.36.46.56/32 -d 207.37.47.57/32 -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -s 206.36.46.56/32 -d 207.37.47.57/32 -p udp -m udp --dport 4500 -j ACCEPT
iptables -A INPUT -s 206.36.46.56/32 -d 207.37.47.57/32 -p esp -j ACCEPT
iptables -A INPUT -s 206.36.46.56/32 -d 207.37.47.57/32 -p ah -j ACCEPT
iptables -A INPUT -s 206.36.46.56/32 -d 207.37.47.57/32 -p gre -j ACCEPT
Restart IPsec services on both servers
/etc/init.d/setkey restart
/etc/init.d/racoon restart
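Once setkey has loaded the policies, it is worth confirming that the kernel SPD really holds an ESP/require policy for GRE in both directions, because a missing or mistyped spdadd line leaves GRE running in cleartext without any error. The script below is an added check written for this post, not part of the original; it parses `setkey -DP` output and the embedded sample is constructed to match the policies above, not captured from a real host.

```shell
#!/bin/sh
# Checks that `setkey -DP` shows an ESP/require tunnel policy for GRE.
# Live use on Alice:  setkey -DP | gre_policies_ok 206.36.46.56 207.37.47.57
# Returns 0 when the policy is present, 1 otherwise.
spd_has_gre_policy() {  # usage: spd_has_gre_policy SRC DST in|out  (reads stdin)
    awk -v src="$1" -v dst="$2" -v dir="$3" '
        # entry header as printed by setkey -DP: "SRC[any] DST[any] gre"
        $1 == (src "[any]") && $2 == (dst "[any]") && $3 == "gre" { st = 1; next }
        # second line: "out prio def ipsec" (older setkey prints "out ipsec")
        st == 1 && $1 == dir && $NF == "ipsec" { st = 2; next }
        # third line: the NAT-T tunnel SA template at level "require"
        st == 2 && $1 == ("esp/tunnel/" src "[4500]-" dst "[4500]/require") { found = 1 }
        { st = 0 }
        END { exit found ? 0 : 1 }
    '
}

# Checks both directions for one host and names the direction that is missing.
gre_policies_ok() {  # usage: setkey -DP | gre_policies_ok LOCAL PEER
    spd=$(cat)
    rc=0
    printf '%s\n' "$spd" | spd_has_gre_policy "$1" "$2" out || { echo "missing: $1 -> $2 out"; rc=1; }
    printf '%s\n' "$spd" | spd_has_gre_policy "$2" "$1" in  || { echo "missing: $2 -> $1 in";  rc=1; }
    return $rc
}

# Constructed sample of what setkey -DP prints on Alice with both GRE policies
# loaded (bookkeeping lines shortened); not captured from a real server.
SAMPLE_SPD='206.36.46.56[any] 207.37.47.57[any] gre
	out prio def ipsec
	esp/tunnel/206.36.46.56[4500]-207.37.47.57[4500]/require
	created: Jan  1 00:00:00 2024  lastused:
	spid=1 seq=1 pid=100
	refcnt=1
207.37.47.57[any] 206.36.46.56[any] gre
	in prio def ipsec
	esp/tunnel/207.37.47.57[4500]-206.36.46.56[4500]/require
	created: Jan  1 00:00:00 2024  lastused:
	spid=2 seq=0 pid=100
	refcnt=1'

# Constructed sample where the inbound policy is absent (a typo in the "in" line).
SAMPLE_SPD_HALF='206.36.46.56[any] 207.37.47.57[any] gre
	out prio def ipsec
	esp/tunnel/206.36.46.56[4500]-207.37.47.57[4500]/require
	spid=1 seq=0 pid=100
	refcnt=1'
```

Run the same check on Bob with the two addresses swapped; if either direction is reported missing, recheck the corresponding spdadd line before relying on the tunnel.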