The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

IPSec туннель между OpenBSD и Cisco (eng) (openbsd cisco vpn tunnel ipsec)


<< Предыдущая ИНДЕКС Правка src Установить закладку Перейти на закладку Следующая >>
Ключевые слова: openbsd, cisco, vpn, tunnel, ipsec,  (найти похожие документы)
From: <osipAT[NOSPAM]mikunis.net> Date: Mon, 2 Mar 2005 18:21:07 +0000 (UTC) Subject: IPSec туннель между OpenBSD и Cisco (eng) Оригинал: http://www.mikunis.net/vpn.html Mini How-to: OpenBSD to Cisco VPN Here is my first attemt to share the results of my experiments in establishing a secure tunnel between OpenBSD and Cisco router. Any corrections, suggestions and questions are welcome to: osipAT[NOSPAM]mikunis.net (please remove [NOSPAM] from the address and replace AT with @) What is given Cisco 2600 router with 48 MB DRAM, 16 MB Flash, AIM-VPN card, IOS version 12.1(6) with IPSec 3DES and Firewall Features Set. It serves as a firewall/gateway for a middle-size brunch office network. Any other Cisco router with IPSec features in IOS will presumably work. An old 486 IBM PC with 1 Mbit ADSL connection to Internet. It runs OpenBSD 2.9 release with IPFilter/NAT. It serves as a firewall/gateway for a home network of several PC's. Any box running OpenBSD 2.9 release and an Internet connection will presumably work. Public network 150.150.150.0/23 is connected to the ethernet interface of the Cisco router with the IP address 150.150.150.1. Cisco is connected to the Internet through it's serial interface. Private network 192.169.100.0/24 is connected to the internal inerface of the OpenBSD box. External inerface of this box has public address 80.80.80.80/28. Configurations OpenBSD Changes to /etc/sysctl.conf: net.inet.ip.forwarding=1 net.inet.esp.enable=1 Changes to /etc/rc.conf: ipfilter=YES ipnat=YES isakmpd_flags="" Changes to /etc/ipnat.rules: map ep0 192.168.100.0/24 -> 0/32 proxy port ftp ftp/tcp map ep0 192.168.100.0/24 -> 0/32 portmap tcp/udp 40000:60000 map ep0 192.168.100.0/24 -> 0/32 Changes to /etc/ipf.rules: # All outgoing traffic is allowed # Incoming filters for IPSec pass in quick on ep0 proto udp from 150.150.250.1 to any port = isakmp pass in quick on ep0 proto esp from 150.150.250.1 to any # Passing encrypted traffic pass in quick on enc0 Changes to /etc/isakmpd/isakmpd.policy: KeyNote-Version: 2 Comment: This policy accepts ESP SAs from a remote that uses the right password Authorizer: "POLICY" Licensees: "passphrase:my_secret_password" Conditions: app_domain == "IPsec policy" && esp_present == "yes" && esp_enc_alg != "null" -> "true"; Changes to /etc/isakmpd/isakmpd.conf: [General] Retransmits= 5 Exchange-max-time= 120 Listen-on= 80.80.80.80 [Phase 1] 150.150.250.1= ISAKMP-peer-east [Phase 2] Connections= IPsec-east-west [ISAKMP-peer-east] Phase= 1 Transport= udp Local-address= 80.80.80.80 Address= 150.150.250.1 Configuration= Default-main-mode Authentication= my_secret_password [IPsec-east-west] Phase= 2 ISAKMP-peer= ISAKMP-peer-east Configuration= Default-quick-mode Local-ID= Net-west Remote-ID= Net-east [Net-west] ID-type= IPV4_ADDR_SUBNET Network= 192.168.100.0 Netmask= 255.255.255.0 [Net-east] ID-type= IPV4_ADDR_SUBNET Network= 150.150.150.0 Netmask= 255.255.254.0 # Main mode descriptions [Default-main-mode] DOI= IPSEC EXCHANGE_TYPE= ID_PROT Transforms= 3DES-MD5 # Main mode transforms [3DES-MD5] ENCRYPTION_ALGORITHM= 3DES_CBC HASH_ALGORITHM= MD5 AUTHENTICATION_METHOD= PRE_SHARED #AUTHENTICATION_METHOD= HMAC_MD5 GROUP_DESCRIPTION= MODP_768 Life= LIFE_3600_SECS # Quick mode description [Default-quick-mode] DOI= IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-ESP-3DES-MD5-PFS-SUITE # Quick mode protection suites [QM-ESP-3DES-MD5-PFS-SUITE] Protocols= QM-ESP-3DES-MD5-PFS [QM-ESP-3DES-MD5] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-3DES-MD5-XF [QM-ESP-3DES-MD5-PFS] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-3DES-MD5-PFS-XF # Quick mode transforms [QM-ESP-3DES-MD5-XF] TRANSFORM_ID= 3DES ENCAPSULATION_MODE= TUNNEL AUTHENTICATION_ALGORITHM= HMAC_MD5 Life= LIFE_3600_SECS [QM-ESP-3DES-MD5-PFS-XF] TRANSFORM_ID= 3DES ENCAPSULATION_MODE= TUNNEL AUTHENTICATION_ALGORITHM= HMAC_MD5 GROUP_DESCRIPTION= MODP_768 Life= LIFE_3600_SECS [LIFE_3600_SECS] LIFE_TYPE= SECONDS LIFE_DURATION= 3600,1800:7200 # end To check the working connections: # netstat -rn -f encap Routing tables Encap: Source Port Destination Port Proto SA(Address/Proto/Type/Direction) 150.150.150/23 0 192.168.100/24 0 0 150.150.250.1/50/require/in 192.168.100/24 0 150.150.150/23 0 0 150.150.250.1/50/require/out Cisco ! Create new policy crypto isakmp policy 10 encr 3des hash md5 authentication pre-share lifetime 3600 ! define pre-shared key with peer crypto isakmp key my_secret_password address 80.80.80.80 ! define transforms crypto ipsec transform-set msvpn esp-3des esp-md5-hmac ! define local IPSec endpoint crypto map ToOBSD local-address Loopback0 ! Define crypto map crypto map ToOBSD 1 ipsec-isakmp set peer 80.80.80.80 set transform-set msvpn set pfs group1 match address 103 ! Define loopback interface as an end-point interface Loopback0 ip address 150.150.250.1 255.255.255.255 crypto map ToOBSD ! add incoming filters to pass IPSec traffic through incoming access list permit udp host 80.80.80.80 host 150.150.250.1 eq isakmp permit esp host 80.80.80.80 host 150.150.250.1 ! define "interesting" traffic for encryption access-list 103 permit ip 150.150.150.0 0.0.1.255 192.168.100.0 0.0.0.255 ! add routing for the remote private network ip route 0.0.0.0 0.0.0.0 Serial0/0 ip route 192.168.100.0 255.255.255.0 Loopback0 end To check the configuration and working connections: # sh crypto isakmp pol Protection suite of priority 10 encryption algorithm: Three key triple DES hash algorithm: Message Digest 5 authentication method: Pre-Shared Key Diffie-Hellman group: #1 (768 bit) lifetime: 3600 seconds, no volume limit # sh crypto isakmp sa dst src state conn-id slot 150.150.250.1 80.80.80.80 QM_IDLE 6 0 # sh crypto ipsec sa interface: Loopback0 Crypto map tag: ToOBSD, local addr. 150.150.250.1 local ident (addr/mask/prot/port): (150.150.150.0/255.255.254.0/0/0) remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0) current_peer: 80.80.80.80 PERMIT, flags={origin_is_acl,} #pkts encaps: 8295, #pkts encrypt: 8295, #pkts digest 8295 #pkts decaps: 5504, #pkts decrypt: 5504, #pkts verify 5504 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 #send errors 9, #recv errors 0 local crypto endpt.: 150.150.250.1, remote crypto endpt.: 80.80.80.80 path mtu 1514, media mtu 1514 current outbound spi: 48C53C91 inbound esp sas: spi: 0x8161F80(135667584) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2004, flow_id: 5, crypto map: ToOBSD sa timing: remaining key lifetime (k/sec): (4607989/628) IV size: 8 bytes replay detection support: Y inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x48C53C91(1220885649) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } slot: 0, conn id: 2005, flow_id: 6, crypto map: ToOBSD sa timing: remaining key lifetime (k/sec): (4607987/628) IV size: 8 bytes replay detection support: Y outbound ah sas: outbound pcp sas: # sh crypto map Interfaces using crypto map ToOBSD: Crypto Map: "ToOBSD" idb: Loopback0 local address: 150.150.250.1 Crypto Map "ToOBSD" 1 ipsec-isakmp Peer = 80.80.80.80 Extended IP access list 103 access-list 103 permit ip 150.150.150.0 0.0.1.255 192.168.100.0 0.0.0.255 Current peer: 80.80.80.80 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): Y DH group: group1 Transform sets={ msvpn, openbsd, } Interfaces using crypto map ToOBSD: Loopback0

<< Предыдущая ИНДЕКС Правка src Установить закладку Перейти на закладку Следующая >>

 Добавить комментарий
Имя:
E-Mail:
Заголовок:
Текст:




Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру