Strongswan with vti interfaces: Difference between revisions
Current version as of 15 December 2017, 09:46
Disable ipsec routing
- vi /etc/strongswan.conf
<pre>
charon {
    load_modular = yes
    install_routes = no
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
</pre>
install_routes = no stops charon from installing routes for the negotiated traffic selectors into routing table 220. With the 0.0.0.0/0 selectors used below such a route would capture all traffic of the host; instead, what goes into the tunnel is decided by the routes you set on the vti interface yourself.
Set up ipsec.conf and ipsec.secrets
- vi /etc/ipsec.conf
<pre>
conn routed-vpn
    right=10.84.252.44
    left=10.84.252.43
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    ike=aes256-sha256-modp2048
    ikelifetime=3600s
    esp=aes256-sha256-modp2048
    keylife=1800s
    rekeymargin=540s
    type=tunnel
    compress=no
    authby=secret
    mark=100
    auto=start
    keyingtries=%forever
</pre>
The 0.0.0.0/0 traffic selectors on both sides mean that the IPsec policies themselves do not select traffic; the routing table does. mark=100 ties the policies and SAs of this conn to packets carrying mark 100, which is exactly the mark the vti interface created below (key 100) applies; the two values must be identical on each host. Listing the DH group modp2048 in the esp proposal makes every CHILD_SA rekey perform its own DH exchange (perfect forward secrecy).
- vi /etc/ipsec.secrets
<pre>
10.84.252.43 10.84.252.44 : PSK "suxer"
</pre>
"suxer" is a placeholder. Use a long random secret (for example the output of openssl rand -base64 32), identical on both hosts, and keep /etc/ipsec.secrets readable by root only.
Set up the vti interface
Host 1
- ip tunnel add vti0 local 10.84.252.43 remote 10.84.252.44 mode vti key 100
- ip link set vti0 up
- ip addr add 10.2.2.1 remote 10.2.2.2 dev vti0
Host 2
- ip tunnel add vti0 local 10.84.252.44 remote 10.84.252.43 mode vti key 100
- ip link set vti0 up
- ip addr add 10.2.2.2 remote 10.2.2.1 dev vti0
key 100 is the mark the vti interface puts on packets it sends and expects on packets it receives, so it must match mark=100 in ipsec.conf. local and remote of the tunnel are the outer addresses used for IKE and ESP; 10.2.2.1 and 10.2.2.2 are the inner point-to-point addresses of the tunnel (ip accepts remote as an alias of peer in the ip addr add command).
Set rp-filter, policy and xfrm
- echo 0 > /proc/sys/net/ipv4/conf/vti0/rp_filter
- echo 1 > /proc/sys/net/ipv4/conf/vti0/disable_policy
- echo 1 > /proc/sys/net/ipv4/conf/ens7/disable_xfrm
- echo 1 > /proc/sys/net/ipv4/conf/ens7/disable_policy
ens7 is the interface carrying the outer IKE/ESP traffic on the hosts of this page; substitute the name of your own. Reverse-path filtering is switched off on vti0 so that decapsulated packets are not dropped when their source address has no reverse route through vti0, and disable_policy on vti0 skips the XFRM policy check for packets that already arrived through the tunnel. The two settings on the outer interface keep the kernel from applying XFRM transformation or policy lookups a second time to the ESP packets leaving and entering ens7. The effective rp_filter value is the maximum of net.ipv4.conf.all.rp_filter and the per-interface value, so set the all variant to 0 as well if vti0 traffic is still being dropped. Writes to /proc do not survive a reboot; persist the four settings in /etc/sysctl.d/.
Empty routing table 220
- ip route flush table 220
Table 220 is where charon installs its routes by default. With install_routes = no nothing new lands there, and flushing removes leftovers from a run before that setting was in place (with 0.0.0.0/0 selectors that would be a default route hijacking all traffic).
Set the routes
Host 1
- ip route add 10.83.44.0/24 via 10.2.2.1
Host 2
- ip route add 10.83.43.0/24 via 10.2.2.2
Each host routes the subnet behind its peer (10.83.44.0/24 behind Host 2, 10.83.43.0/24 behind Host 1) into vti0. Since vti0 is a point-to-point interface the gateway address is irrelevant; ip route add 10.83.44.0/24 dev vti0 is the unambiguous form. Packets hitting this route receive mark 100 from the vti interface, match the marked XFRM policy and leave encrypted through the outer interface. Verify with ip xfrm policy and ip xfrm state, and with ip -s link show vti0, whose counters increase while traffic flows through the tunnel.
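The vti part of the procedure above for one host as a single script, added here as an example; it is not taken from the wiki page or from the strongSwan project. It builds the ip/sysctl commands from a few variables (defaults are the page's values for Host 1; the interface name ens7 is the page's and must be substituted), prints them, and executes them only when APPLY=1 is set. Before touching anything it checks that mark= of the conn in ipsec.conf equals the vti key, and it offers a check that rejects short pre-shared keys in an ipsec.secrets file (the 20-character minimum is an assumed threshold, not anything the page prescribes). Function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): the vti side of the procedure
# for ONE host, driven by variables, with two checks the page leaves to
# the reader. Defaults are the page's values for Host 1; the interface
# name ens7 and the 20-character PSK minimum are assumptions.
set -eu

LOCAL_IP=${LOCAL_IP:-10.84.252.43}       # outer address of this host
REMOTE_IP=${REMOTE_IP:-10.84.252.44}     # outer address of the peer
VTI_KEY=${VTI_KEY:-100}                  # must equal mark= of the conn
TUN_LOCAL=${TUN_LOCAL:-10.2.2.1}         # inner address of this host
TUN_PEER=${TUN_PEER:-10.2.2.2}           # inner address of the peer
REMOTE_NET=${REMOTE_NET:-10.83.44.0/24}  # subnet behind the peer
OUTER_IF=${OUTER_IF:-ens7}               # interface carrying IKE/ESP
CONN=${CONN:-routed-vpn}
IPSEC_CONF=${IPSEC_CONF:-/etc/ipsec.conf}

# vti_cmds: print the setup commands, one per line, in the order they must run.
vti_cmds() {
    printf '%s\n' \
        "ip tunnel add vti0 local $LOCAL_IP remote $REMOTE_IP mode vti key $VTI_KEY" \
        "ip link set vti0 up" \
        "ip addr add $TUN_LOCAL peer $TUN_PEER dev vti0" \
        "sysctl -w net.ipv4.conf.vti0.rp_filter=0" \
        "sysctl -w net.ipv4.conf.vti0.disable_policy=1" \
        "sysctl -w net.ipv4.conf.$OUTER_IF.disable_xfrm=1" \
        "sysctl -w net.ipv4.conf.$OUTER_IF.disable_policy=1" \
        "ip route flush table 220" \
        "ip route add $REMOTE_NET dev vti0"
}

# conn_mark FILE CONN: print the mark= value of conn CONN in an ipsec.conf
# file, without an optional /mask suffix; prints nothing if it is absent.
conn_mark() {
    awk -v want="$2" '
        /^conn[ \t]+/ { in_conn = ($2 == want); next }
        in_conn && /^[ \t]*mark[ \t]*=/ {
            sub(/^[ \t]*mark[ \t]*=[ \t]*/, ""); sub(/\/.*/, ""); sub(/[ \t]*$/, "")
            print; exit
        }' "$1"
}

# check_mark FILE CONN KEY: succeed only if the conn's mark equals the vti key.
check_mark() {
    [ "$(conn_mark "$1" "$2")" = "$3" ]
}

# psk_long_enough FILE: succeed only if every quoted PSK in an ipsec.secrets
# file has at least 20 characters (assumed minimum; the page's "suxer" fails).
psk_long_enough() {
    awk -F'"' '/: *PSK/ && NF >= 3 { if (length($2) < 20) bad = 1 }
               END { exit (bad ? 1 : 0) }' "$1"
}

# run_cmds: read commands from stdin and print them; execute only if APPLY=1.
run_cmds() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            echo "+ $cmd" >&2
            eval "$cmd"
        else
            echo "$cmd"
        fi
    done
}

main() {
    if [ -r "$IPSEC_CONF" ]; then
        check_mark "$IPSEC_CONF" "$CONN" "$VTI_KEY" || {
            echo "mark= of conn $CONN in $IPSEC_CONF is not $VTI_KEY, refusing" >&2
            return 1
        }
    else
        echo "warning: $IPSEC_CONF not readable, mark/key check skipped" >&2
    fi
    vti_cmds | run_cmds
}

main
```

Run it without arguments to see the commands it would issue; run it as root with APPLY=1 to execute them. For Host 2 set LOCAL_IP=10.84.252.44 REMOTE_IP=10.84.252.43 TUN_LOCAL=10.2.2.2 TUN_PEER=10.2.2.1 REMOTE_NET=10.83.43.0/24. The route is added with dev vti0 rather than via an address, because on a point-to-point interface the gateway is irrelevant. psk_long_enough /etc/ipsec.secrets is a separate check to run before starting strongSwan; it only inspects quoted PSK lines.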