Saturday, 15 March 2014

linux - Site to Site VPN via Openswan -

I have been using Openswan to create a P2P VPN between nodes without problems. I have tried to configure a site-to-site VPN following the next links:

http://www.shonalanguage.info/tech/vpn_ipsec.html https://gist.github.com/winhamwr/2871257

I have 2 machines, and each of them has 2 ethernet interfaces. The configuration is a little bit different from the usual one. The connection path should look like:

privatemachine1-lan1-router1----{internet}-----router2---lan2-privatemachine2

My case is this: (privatemachine1+router1)----{internet}-----(router2+privatemachine2)

This means I have 1 machine on the left site and 1 machine on the right site. Each machine has 2 ethernet interfaces: one interface is local, the other one has a global IP.

privatemachine1 eth0: 47.168.96.48 eth1: 10.100.1.101

privatemachine2 eth0: 47.168.137.12 eth1: 10.100.2.101

ipsec.conf on machine1:

conn linux-to-linux
    authby=secret
    auto=add
    left=47.168.96.48
    leftnexthop=47.168.96.2
    leftsubnet=10.100.1.0/24
    right=47.168.137.12
    rightnexthop=47.168.137.3
    rightsubnet=10.100.2.0/24

ipsec.conf on machine2:

conn linux-to-linux
    authby=secret
    auto=add
    left=47.168.137.12
    leftnexthop=47.168.137.3
    leftsubnet=10.100.2.0/24
    right=47.168.96.48
    rightnexthop=47.168.96.2
    rightsubnet=10.100.1.0/24

I have successfully started the ipsec service and the ipsec connection (linux-to-linux), but I cannot ping one private network from the other. I have realised that there is no ipsec0 created when looking at ifconfig.

root@machine11:~# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 47.168.96.48
000 interface eth0/eth0 47.168.96.48
000 interface eth0:0/eth0:0 47.168.96.10
000 interface eth0:0/eth0:0 47.168.96.10
000 interface eth1/eth1 10.100.1.101
000 interface eth1/eth1 10.100.1.101
000 %myid = (none)
000 debug parsing+control
000
000 virtual_private (%priv):
000 - allowed 2 subnets: 10.0.0.0/8, 192.168.0.0/16
000 - disallowed 0 subnets:
000 warning: disallowed subnets in virtual_private= is empty. if you have
000 private address space in internal use, it should be excluded!
000
000 algorithm esp encrypt: id=2, name=esp_des, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm esp encrypt: id=3, name=esp_3des, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm esp encrypt: id=6, name=esp_cast, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm esp encrypt: id=7, name=esp_blowfish, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm esp encrypt: id=11, name=esp_null, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm esp encrypt: id=12, name=esp_aes, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm esp encrypt: id=13, name=esp_aes_ctr, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm esp encrypt: id=14, name=esp_aes_ccm_a, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm esp encrypt: id=15, name=esp_aes_ccm_b, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm esp encrypt: id=16, name=esp_aes_ccm_c, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm esp encrypt: id=18, name=esp_aes_gcm_a, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm esp encrypt: id=19, name=esp_aes_gcm_b, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm esp encrypt: id=20, name=esp_aes_gcm_c, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm esp encrypt: id=22, name=esp_camellia, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm esp encrypt: id=252, name=esp_serpent, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm esp encrypt: id=253, name=esp_twofish, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm esp auth attr: id=1, name=auth_algorithm_hmac_md5, keysizemin=128, keysizemax=128
000 algorithm esp auth attr: id=2, name=auth_algorithm_hmac_sha1, keysizemin=160, keysizemax=160
000 algorithm esp auth attr: id=5, name=auth_algorithm_hmac_sha2_256, keysizemin=256, keysizemax=256
000 algorithm esp auth attr: id=6, name=auth_algorithm_hmac_sha2_384, keysizemin=384, keysizemax=384
000 algorithm esp auth attr: id=7, name=auth_algorithm_hmac_sha2_512, keysizemin=512, keysizemax=512
000 algorithm esp auth attr: id=8, name=auth_algorithm_hmac_ripemd, keysizemin=160, keysizemax=160
000 algorithm esp auth attr: id=9, name=auth_algorithm_aes_cbc, keysizemin=128, keysizemax=128
000 algorithm esp auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm ike encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm ike encrypt: id=5, name=oakley_3des_cbc, blocksize=8, keydeflen=192
000 algorithm ike encrypt: id=7, name=oakley_aes_cbc, blocksize=16, keydeflen=128
000 algorithm ike hash: id=1, name=oakley_md5, hashsize=16
000 algorithm ike hash: id=2, name=oakley_sha1, hashsize=20
000 algorithm ike dh group: id=2, name=oakley_group_modp1024, bits=1024
000 algorithm ike dh group: id=5, name=oakley_group_modp1536, bits=1536
000 algorithm ike dh group: id=14, name=oakley_group_modp2048, bits=2048
000 algorithm ike dh group: id=15, name=oakley_group_modp3072, bits=3072
000 algorithm ike dh group: id=16, name=oakley_group_modp4096, bits=4096
000 algorithm ike dh group: id=17, name=oakley_group_modp6144, bits=6144
000 algorithm ike dh group: id=18, name=oakley_group_modp8192, bits=8192
000 algorithm ike dh group: id=22, name=oakley_group_dh22, bits=1024
000 algorithm ike dh group: id=23, name=oakley_group_dh23, bits=2048
000 algorithm ike dh group: id=24, name=oakley_group_dh24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "linux-to-linux": 10.100.1.0/24===47.168.96.48<47.168.96.48>[+s=c]---47.168.96.2...47.168.137.3---47.168.137.12<47.168.137.12>[+s=c]===10.100.2.0/24; erouted; eroute owner: #5
000 "linux-to-linux": myip=unset; hisip=unset;
000 "linux-to-linux": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "linux-to-linux": policy: psk+encrypt+tunnel+pfs+ikev2allow+sareftrack+lkod+rkod; prio: 24,24; interface: eth0;
000 "linux-to-linux": newest isakmp sa: #4; newest ipsec sa: #5;
000 "linux-to-linux": ike algorithm newest: aes_cbc_128-sha1-modp2048
000
000 #5: "linux-to-linux":500 state_quick_r2 (ipsec sa established); event_sa_replace in 28266s; newest ipsec; eroute owner; isakmp#4; idle; import:not set
000 #5: "linux-to-linux" esp.60cda79a@47.168.137.12 esp.c8126eb9@47.168.96.48 tun.0@47.168.137.12 tun.0@47.168.96.48 ref=0 refhim=4294901761
000 #4: "linux-to-linux":500 state_main_r3 (sent mr3, isakmp sa established); event_sa_replace in 1773s; newest isakmp; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #2: "linux-to-linux":500 state_quick_r2 (ipsec sa established); event_sa_replace in 21108s; isakmp#1; idle; import:not set
000 #2: "linux-to-linux" esp.91c12e23@47.168.137.12 esp.7d9127f2@47.168.96.48 tun.0@47.168.137.12 tun.0@47.168.96.48 ref=0 refhim=4294901761
000
root@machine1:~#
root@machine1:~# service ipsec status
ipsec running - pluto pid: 5117
pluto pid 5117
1 tunnels up
some eroutes exist
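A worked check of what the status output above implies, added here as an example and not part of the original post. With the NETKEY stack there is no ipsec0 interface: the kernel only encrypts packets whose source and destination fall inside the tunnel's traffic selectors (leftsubnet/rightsubnet). A ping sent from a gateway that is also the only host on its LAN is sourced, by the routing table, from the public eth0 address, which is outside 10.100.1.0/24 and therefore never enters the tunnel. The script parses the conn summary line from `ipsec auto status` (copied from the post; the sample text is constructed from it), tests candidate source addresses against the selectors, emits the `ping -I` invocation that does match, and renders the conn stanza with Openswan's `leftsourceip`/`rightsourceip` options so locally generated traffic is sourced from the private address. The private addresses 10.100.1.101 and 10.100.2.101 are taken from the post's interface listing and are an assumption of this example, not something parsed from the status output.

```python
import ipaddress
import re

# Constructed sample: the conn summary line from the post's `ipsec auto status` output.
STATUS_OUTPUT = """\
000 "linux-to-linux": 10.100.1.0/24===47.168.96.48<47.168.96.48>[+s=c]---47.168.96.2...47.168.137.3---47.168.137.12<47.168.137.12>[+s=c]===10.100.2.0/24; erouted; eroute owner: #5
000 "linux-to-linux": myip=unset; hisip=unset;
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# leftsubnet===left<id>[flags]---leftnexthop...rightnexthop---right<id>[flags]===rightsubnet; state
EROUTE_RE = re.compile(
    rf'"(?P<conn>[^"]+)":\s+'
    rf"(?P<lsub>{IP}/\d+)==="
    rf"(?P<left>{IP})<{IP}>(?:\[[^\]]*\])?"
    rf"---(?P<lnext>{IP})\.\.\.(?P<rnext>{IP})---"
    rf"(?P<right>{IP})<{IP}>(?:\[[^\]]*\])?"
    rf"===(?P<rsub>{IP}/\d+);\s*(?P<state>\w+)"
)


def parse_eroute(status_text):
    """Extract endpoints, nexthops and traffic selectors from the conn summary line."""
    m = EROUTE_RE.search(status_text)
    if not m:
        raise ValueError("no conn summary line found in status output")
    return {
        "conn": m.group("conn"),
        "leftsubnet": ipaddress.ip_network(m.group("lsub")),
        "left": ipaddress.ip_address(m.group("left")),
        "leftnexthop": ipaddress.ip_address(m.group("lnext")),
        "rightsubnet": ipaddress.ip_network(m.group("rsub")),
        "right": ipaddress.ip_address(m.group("right")),
        "rightnexthop": ipaddress.ip_address(m.group("rnext")),
        "erouted": m.group("state") == "erouted",
    }


def selector_matches(tun, src, dst):
    """True when a src->dst packet lies inside the selectors in either direction.
    Under NETKEY only such packets hit the IPsec policy; anything else leaves in the clear."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return ((src in tun["leftsubnet"] and dst in tun["rightsubnet"])
            or (src in tun["rightsubnet"] and dst in tun["leftsubnet"]))


def tunnel_ping(tun, candidate_sources, target):
    """Pick the first local address that fits the selectors and build the ping command
    (`ping -I <addr>` forces that source address). None means no local address qualifies."""
    for src in candidate_sources:
        if selector_matches(tun, src, target):
            return ["ping", "-I", str(src), str(target)]
    return None


def conn_with_sourceip(tun, left_private, right_private):
    """Render the conn stanza with leftsourceip/rightsourceip so traffic generated on the
    gateway itself is sourced from the private address. The private addresses are an
    assumption supplied by the caller (the eth1 addresses from the post)."""
    left_private = ipaddress.ip_address(left_private)
    right_private = ipaddress.ip_address(right_private)
    if left_private not in tun["leftsubnet"] or right_private not in tun["rightsubnet"]:
        raise ValueError("sourceip must lie inside the matching subnet selector")
    return "\n".join([
        f"conn {tun['conn']}",
        "    authby=secret",
        "    auto=add",
        f"    left={tun['left']}",
        f"    leftnexthop={tun['leftnexthop']}",
        f"    leftsubnet={tun['leftsubnet']}",
        f"    leftsourceip={left_private}",
        f"    right={tun['right']}",
        f"    rightnexthop={tun['rightnexthop']}",
        f"    rightsubnet={tun['rightsubnet']}",
        f"    rightsourceip={right_private}",
    ])


if __name__ == "__main__":
    tun = parse_eroute(STATUS_OUTPUT)
    # machine1 can source from its public eth0 address or its private eth1 address
    for src in ("47.168.96.48", "10.100.1.101"):
        print(f"{src} -> 10.100.2.101 inside selectors: {selector_matches(tun, src, '10.100.2.101')}")
    print(" ".join(tunnel_ping(tun, ["47.168.96.48", "10.100.1.101"], "10.100.2.101")))
    print(conn_with_sourceip(tun, "10.100.1.101", "10.100.2.101"))
```

The same reasoning applies to any service run on the gateway itself: it must bind or route via the private address, otherwise its packets bypass the policy. On the live box, `ip xfrm policy` shows the installed selectors and `ip xfrm state` the SAs, which is the NETKEY equivalent of looking for ipsec0.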

Here is a nice document on setting up a site-to-site VPN:

Building a site-to-site VPN on Debian/Ubuntu with Openswan

Tags: linux, ubuntu-12.04, vpn
