Environment:
Head office                                                                                       Branch
(Debian Squeeze)    (SimNet IP)      (SimNet GW)      (Internet)       (Speedy GW)      (Speedy IP)     (Cisco RV042)
192.168.0.0/24 <--> 200.148.x.x <--> 200.148.x.1 ------------------ 200.204.x.1 <--> 201.92.x.x <--> 192.168.200.0/24
# apt-get install openswan
There is no need to create the X.509 key (this setup authenticates with a pre-shared key).
The 2 main files are:
/etc/ipsec.conf
/etc/ipsec.secrets
First make a backup, then replace the entire contents:
cp /etc/ipsec.conf /etc/ipsec.conf.old
vim /etc/ipsec.conf
-----Start------
version 2.0

config setup
        # enable NAT traversal (NAT-T, udp 4500)
        nat_traversal=yes
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none

conn cisco
        type=tunnel
        # authenticate with the pre-shared key from /etc/ipsec.secrets
        authby=secret
        # left = this Debian gateway (head office)
        left=200.148.x.x
        leftsubnet=192.168.0.0/24
        leftsourceip=192.168.0.1
        # right = Cisco RV042 (branch)
        right=201.92.x.x
        rightsubnet=192.168.200.0/24
        auto=start
-----End------
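Edit ipsec.secrets:
vim /etc/ipsec.secrets
and add the following line; the pre-shared key must match the one configured on the RV042, and should be a long random string rather than a short numeric value: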
201.92.x.x 200.148.x.x: PSK "1234567890"
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.6rc3/K2.6.16-1.2115_FC4 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
# for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
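Replace the MASQUERADE rule with one that excludes traffic destined for the branch subnet (delete the old rule, then add the new one):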
iptables -D POSTROUTING -t nat -o eth1 -s 192.168.0.0/24 -j MASQUERADE
iptables -A POSTROUTING -t nat -o eth1 -s 192.168.0.0/24 ! -d 192.168.200.0/24 -j MASQUERADE
Restart the service:
/etc/init.d/ipsec restart
Bring the VPN up and create the route:
ipsec auto --up cisco
route add -net 192.168.200.0 netmask 255.255.255.0 dev eth1
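The MASQUERADE change above is the step most often missed: if traffic to 192.168.200.0/24 is NATed to the public address first, it no longer matches leftsubnet and bypasses the tunnel. The following check is an added example, not part of the original post; check_nat_exempt and report are hypothetical helper names, and the rule sets are constructed samples in iptables-save format modelled on the two rules shown.

```shell
# check_nat_exempt LOCAL_NET REMOTE_NET   (hypothetical helper, added example)
# Reads `iptables-save -t nat` output on stdin and prints every POSTROUTING
# MASQUERADE/SNAT rule that applies to LOCAL_NET but does not exclude
# REMOTE_NET as destination. Returns 1 if such a rule exists, else 0.
# Subnets are compared as exact strings (no CIDR containment logic).
check_nat_exempt() {
    awk -v lnet="$1" -v rnet="$2" '
    /^-A POSTROUTING / && / -j (MASQUERADE|SNAT)/ {
        applies = 1; excl = 0
        for (i = 1; i <= NF; i++) {
            # A rule limited to another source network is not our concern.
            if ($i == "-s" && $(i+1) != lnet) applies = 0
            # Current iptables prints "! -d NET", old releases "-d ! NET".
            if ($i == "!" && $(i+1) == "-d" && $(i+2) == rnet) excl = 1
            if ($i == "-d" && $(i+1) == "!" && $(i+2) == rnet) excl = 1
        }
        if (applies && !excl) { print "NATs tunnel traffic: " $0; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Constructed samples: the nat table before and after the rule change.
RULES_BEFORE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
COMMIT'
RULES_AFTER='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.200.0/24 -o eth1 -j MASQUERADE
COMMIT'

report() {  # report LABEL RULES
    if printf '%s\n' "$2" | check_nat_exempt 192.168.0.0/24 192.168.200.0/24; then
        echo "$1: tunnel traffic is exempt from NAT"
    else
        echo "$1: rule(s) above would NAT traffic bound for the tunnel"
    fi
}
report before "$RULES_BEFORE"
report after "$RULES_AFTER"
```

On the gateway itself, feed it the live table: iptables-save -t nat | check_nat_exempt 192.168.0.0/24 192.168.200.0/24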