Reference: http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/config.html

Network environment:

    LAN A --- GW PC A --- Internet --- GW PC B --- LAN B

Both gateways (GW PC A and GW PC B) have public IP addresses.

    LAN A:    192.168.0.0/24, gateway 192.168.0.1
    LAN B:    192.168.1.0/24, gateway 192.168.1.1
    GW PC A:  LAN interface eth0 = 192.168.0.1
              WAN interface eth1 = 202.100.100.100, default gateway 202.100.100.254
    GW PC B:  LAN interface eth0 = 192.168.1.1
              WAN interface eth1 = 202.100.100.200, default gateway 202.100.100.254
Installation:

Install FreeS/WAN on both gateway PCs. The RPM installation is recommended (it is simple); I did not succeed with building from source. Download address: http://download.freeswan.ca/Freeswan-x509/

Note that FreeS/WAN itself has not been maintained since 2004; the conn syntax below is the same one its successors Openswan and Libreswan still use, so the configuration carries over.
ipsec.conf configuration:

Put the same conn section into /etc/ipsec.conf on both gateways (vi /etc/ipsec.conf and add the lines below). "left" and "right" are simply the two ends of the tunnel: each gateway works out from the left=/right= addresses which end it is, so one identical file serves both sides. The parameter lines must be indented, as FreeS/WAN requires.

    conn net-to-net
        left=202.100.100.100            # GW PC A eth1 IP
        leftsubnet=192.168.0.0/24       # LAN A network
        leftid=@xy.example.com          # GW PC A host name
        leftrsasigkey=0s1LgR7/oUM...    # run "ipsec showhostkey --left" on GW PC A to get this line
        leftnexthop=%defaultroute       # GW PC A's default gateway
        right=202.100.100.200           # GW PC B eth1 IP
        rightsubnet=192.168.1.0/24      # LAN B network
        rightid=@ab.example.com         # GW PC B host name
        rightrsasigkey=0sAQOqH55O...    # run "ipsec showhostkey --right" on GW PC B to get this line
        rightnexthop=%defaultroute      # GW PC B's eth1 default gateway
        auto=add                        # change to auto=start and FreeS/WAN brings the tunnel up by itself at startup

The two rsasigkey values are the public halves of each gateway's host key (the private part stays in /etc/ipsec.secrets and never leaves the machine), so they can be pasted into the file on both sides. Because the peers authenticate each other by RSA signature against exactly these keys, copy them from each gateway's own ipsec showhostkey output over a trusted channel rather than accepting a key the peer sends you.
Start using:

Run the following on both gateways:

    # service ipsec start
    # ipsec auto --up net-to-net

iptables configuration: each gateway also provides NAT for its LAN, but the traffic that belongs in the IPsec tunnel must not be rewritten. NAT is applied to the inner packet before it is encrypted; a source address rewritten to the public IP no longer lies inside leftsubnet/rightsubnet, so the packet would not be sent through the tunnel. The peer LAN is therefore excluded from the SNAT rule.

GW PC A:
    iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -d ! 192.168.1.0/24 -j SNAT --to 202.100.100.100

GW PC B:
    iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d ! 192.168.0.0/24 -j SNAT --to 202.100.100.200

(The "-d ! net" spelling is the one iptables of that era accepted; current iptables puts the negation before the option, "! -d 192.168.1.0/24", and that is how iptables-save prints it.)

Check that the tunnel works: from a host in LAN A ping a host in LAN B (or the other way round), and run tcpdump -i eth1 on a gateway to watch its WAN interface. When the tunnel is up, the traffic between the two LANs appears there only as ESP between the two gateway addresses, for example

    202.100.100.100 > 202.100.100.200: ESP(spi=0x19d4cbe6,seq=0x16)

The cleartext packets between the LAN hosts (192.168.0.11 > 192.168.1.11) are visible only on the ipsec0 interface (tcpdump -i ipsec0). If plain ICMP between the 192.168.0.x and 192.168.1.x addresses shows up on eth1 instead, the traffic is bypassing the tunnel: check the tunnel state with ipsec auto --status and re-check the SNAT exclusion above.
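Two offline checks for the NAT rule and the tcpdump verification above, as an added example that is not part of the original tutorial or of FreeS/WAN. It uses the tutorial's addresses; the iptables-save style rule lines, the tcpdump lines, their timestamps and the second SPI are constructed samples (assumptions) so the script runs without a live gateway. The first function flags a POSTROUTING SNAT rule that lacks the peer-LAN exclusion (the weak setting) next to the corrected one; the second classifies WAN-side capture lines into ESP between the gateways versus cleartext leaking between the LANs.

```shell
#!/bin/sh
# Two offline checks for the net-to-net setup described in the tutorial.
# Added example, not code from the original page or from FreeS/WAN.
#   1. nat_excludes_peer: the POSTROUTING SNAT rule for a LAN must exclude
#      the peer LAN, otherwise tunnel traffic is rewritten before it can
#      match leftsubnet/rightsubnet.
#   2. tunnel_traffic_ok: tcpdump on the WAN interface must show ESP between
#      the two gateway addresses and never cleartext between the two LANs.
# Addresses are the tutorial's; rule lines, tcpdump lines, timestamps and the
# second SPI are constructed samples (assumption), not real captures.

LAN_A=192.168.0.0/24; LAN_A_PFX=192.168.0.
LAN_B=192.168.1.0/24; LAN_B_PFX=192.168.1.
GW_A=202.100.100.100
GW_B=202.100.100.200

# Reads iptables-save style lines on stdin. $1 = local LAN, $2 = peer LAN.
# Every POSTROUTING SNAT rule with "-s $1" must carry "! -d $2" (current
# iptables) or "-d ! $2" (the legacy spelling used in the tutorial).
# Prints "ok" and returns 0, or prints the offending rule and returns 1.
# Rules for other sources, or no rule at all, are not reported.
nat_excludes_peer() {
    lan=$1; peer=$2
    bad=$(awk -v lan="$lan" -v peer="$peer" '
        /POSTROUTING/ && /-j SNAT/ && index($0, "-s " lan) {
            if (index($0, "! -d " peer) == 0 && index($0, "-d ! " peer) == 0)
                print
        }')
    if [ -n "$bad" ]; then
        printf 'SNAT rule would rewrite tunnel traffic: %s\n' "$bad"
        return 1
    fi
    echo ok
}

# Reads "tcpdump -i eth1" lines on stdin. Returns 0 when at least one ESP
# packet between the gateways is seen and nothing between the LAN prefixes
# appears in the clear; otherwise prints each leaked line and returns 1.
tunnel_traffic_ok() {
    awk -v gwa="$GW_A" -v gwb="$GW_B" -v a="$LAN_A_PFX" -v b="$LAN_B_PFX" '
        ($0 ~ (gwa " > " gwb ": ESP")) || ($0 ~ (gwb " > " gwa ": ESP")) { esp++; next }
        ($0 ~ (a "[0-9]+ > " b "[0-9]+")) || ($0 ~ (b "[0-9]+ > " a "[0-9]+")) {
            leak++; print "cleartext on WAN interface: " $0
        }
        END { if (esp == 0 || leak > 0) exit 1 }'
}

# Constructed samples. The first SPI is the one shown in the tutorial, the
# second is made up for the return direction.
RULE_WEAK='-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to-source 202.100.100.100'
RULE_GOOD='-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.1.0/24 -o eth1 -j SNAT --to-source 202.100.100.100'
DUMP_GOOD='10:21:33.120000 202.100.100.100 > 202.100.100.200: ESP(spi=0x19d4cbe6,seq=0x16)
10:21:33.121000 202.100.100.200 > 202.100.100.100: ESP(spi=0x7a1b2c3d,seq=0x16)'
DUMP_LEAK='10:21:33.120000 192.168.0.11 > 192.168.1.11: icmp: echo request'

# Stand-alone demo as run on GW PC A: the weak rule and the leaked ping are
# flagged, the good rule and the ESP-only capture pass.
printf '%s\n' "$RULE_GOOD" | nat_excludes_peer "$LAN_A" "$LAN_B"
printf '%s\n' "$RULE_WEAK" | nat_excludes_peer "$LAN_A" "$LAN_B" || :
printf '%s\n' "$DUMP_GOOD" | tunnel_traffic_ok && echo "tunnel carries the LAN traffic"
printf '%s\n' "$DUMP_LEAK" | tunnel_traffic_ok || echo "LAN traffic is bypassing the tunnel"
```

On a real gateway feed the functions live data instead of the samples: iptables-save -t nat | nat_excludes_peer 192.168.0.0/24 192.168.1.0/24 on GW PC A (swap the two networks on GW PC B), and tcpdump -l -n -i eth1 piped into tunnel_traffic_ok while the ping is running. The capture check only reports on what it sees, so run it long enough for the ping to produce traffic in both directions.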