#chkconfig ipsec on
Disable acceptance of ICMP redirects (/proc/sys/net/ipv4/conf/*/accept_redirects); the glob must stay unquoted so the shell expands it to every interface, and each file takes a single value (write with > rather than >>)
#for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done
Enable IP Forwarding
#nano /etc/sysctl.conf
Set:
net.ipv4.ip_forward = 1
Check that the IPsec package is happy with your settings. Mine were copied after IPsec was established.
IPSEC CONFIGURATIONS
#nano /etc/ipsec.conf
(parameter lines must be indented under their section header; a line starting in column 0 begins a new section)
config setup
    interfaces=%defaultroute
    klipsdebug=all #KLIPS debugging (ignored with the netkey stack)
    plutodebug=all #IKE (pluto) debugging; turn it off once the tunnel is stable
    protostack=netkey
conn net2
    type=tunnel #tunnel mode IPsec
    left=10.100.100.6 #the IP address of your OpenSWAN endpoint
    leftnexthop=%defaultroute #default gateway
    leftsubnet=10.100.100.0/24 #network behind your endpoint
    right=119.yy.yXz.134 #the Cisco peer's address, or %any for a road-warrior setup
    rightnexthop=%defaultroute #next hop toward the Cisco side
    rightsubnet=192.168.150.0/24 #network behind the PIX (must match the Cisco crypto ACL)
    auth=esp
    esp=3des-sha1 #esp: 3des, hmac: sha1 (must match the Cisco transform-set)
    keyexchange=ike #use regular IKE
    authby=secret #pre-shared secret; authby=rsasig is the alternative
    pfs=no #no perfect forward secrecy (the Cisco crypto map has no "set pfs")
    auto=start #bring the tunnel up at startup (auto=add would only accept an incoming connection)
Format of ipsec.secrets (keep this file readable by root only)
<IP of VPN Server{left}> <IP of CISCO Router{right}> : PSK "<PreShared Key>"
#nano /etc/ipsec.secrets
10.100.100.6 119.yy.yXz.134 : PSK "$#@$@%$$FDSF#$@#$@#"
CISCO Configurations
ip access-list extended VPN-LHR-KHI
 permit ip 192.168.150.0 0.0.0.255 10.100.100.0 0.0.0.255
 ! the second entry only negotiates if the OpenSWAN side also has a conn for 192.168.170.0/24
 permit ip 192.168.170.0 0.0.0.255 10.100.100.0 0.0.0.255
! 0 = the key is entered in clear text (6 would mean an already type-6 encrypted string)
crypto isakmp key 0 $#@$@%$$FDSF#$@#$@# address 210.x.yyy.231 no-xauth
! the ESP algorithms must match esp=3des-sha1 on the OpenSWAN side
crypto ipsec transform-set VPN-LHR-KHI-set esp-3des esp-sha-hmac
crypto map i2cPakLhr 13 ipsec-isakmp
 set peer 210.x.yyy.231
 set transform-set VPN-LHR-KHI-set
 ! match address takes the ACL name, not the transform-set name
 match address VPN-LHR-KHI
! an isakmp policy for phase 1 and applying the crypto map to the outside interface are also required (not shown)
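Because every phase-2 parameter must agree on both ends, here is an added example (my own code, not the author's) that parses the OpenSWAN conn and the IOS snippet and reports the mismatches that stop the IPsec SA from negotiating: a "match address" that names something other than an ACL, ESP algorithms that differ between esp= and the transform-set, and PFS enabled on one side only. The embedded sample is constructed for the example, with the Cisco side using MD5 while OpenSWAN uses SHA1; the algorithm table covers only 3DES/AES and MD5/SHA1.

```python
import re

ESP_CIPHER = {"3des": "esp-3des", "aes": "esp-aes"}           # Openswan esp= token -> IOS keyword
ESP_HASH = {"md5": "esp-md5-hmac", "sha1": "esp-sha-hmac"}    # (assumption: only these four matter here)

def parse_conn(ipsec_conf, name):
    """Parameters of 'conn <name>': a column-0 line opens a section, indented lines belong to it."""
    params, in_conn = {}, False
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if line and not line[0].isspace():
            in_conn = line.strip() == f"conn {name}"
        elif in_conn and "=" in line:
            key, val = line.strip().split("=", 1)
            params[key.strip()] = val.strip()
    return params

def parse_cisco(ios):
    return {   # ACL names, transform-sets and crypto-map settings found in an IOS snippet
        "acls": set(re.findall(r"^ip access-list extended (\S+)", ios, re.M)),
        "transform_sets": {m[1]: set(m[2].split()) for m in
                           re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", ios, re.M)},
        "match": re.findall(r"^\s*match address (\S+)", ios, re.M),
        "set_ts": re.findall(r"^\s*set transform-set (\S+)", ios, re.M),
        "pfs": bool(re.search(r"^\s*set pfs\b", ios, re.M)),
    }

def cross_check(conn, cisco):
    """Mismatches that would stop the phase-2 (IPsec SA) negotiation between the two ends."""
    findings = []
    for name in cisco["match"]:
        if name not in cisco["acls"]:
            findings.append(f"match address {name}: not an ACL (defined: {sorted(cisco['acls'])})")
    cipher, mac = conn.get("esp", "-").split("-", 1)
    want = {ESP_CIPHER.get(cipher, cipher), ESP_HASH.get(mac, mac)}   # unknown tokens kept verbatim
    for name in cisco["set_ts"]:
        have = cisco["transform_sets"].get(name, set())
        if have != want:
            findings.append(f"{name} is {sorted(have)} but esp={conn.get('esp')} needs {sorted(want)}")
    pfs = conn.get("pfs", "yes")                        # Openswan defaults to pfs=yes
    if (pfs == "no") == cisco["pfs"]:
        findings.append(f"pfs: Openswan pfs={pfs} but the crypto map {'has' if cisco['pfs'] else 'lacks'} 'set pfs'")
    return findings
# Constructed sample modelled on the two configs above: the Cisco side hashes with MD5, Openswan with SHA1.
IPSEC_CONF = "conn net2\n    type=tunnel\n    esp=3des-sha1  # 3des, hmac sha1\n    pfs=no\n"
IOS = ("ip access-list extended VPN-LHR-KHI\n permit ip 192.168.150.0 0.0.0.255 10.100.100.0 0.0.0.255\n"
       "crypto ipsec transform-set VPN-LHR-KHI-set esp-3des esp-md5-hmac\n"
       "crypto map i2cPakLhr 13 ipsec-isakmp\n set transform-set VPN-LHR-KHI-set\n match address VPN-LHR-KHI-set\n")
def page_findings():
    return cross_check(parse_conn(IPSEC_CONF, "net2"), parse_cisco(IOS))
```

Running page_findings() on the sample reports two problems (the ACL reference and the MD5/SHA1 mismatch); once both are corrected the list is empty.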
NETWORK DESIGN
IPSec Commands
Restart Service
Start/up a tunnel
Disconnect/down a tunnel
THE END