ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    authby=secret
    keyexchange=ikev1
    mobike=no
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    left=172.16.9.21
    leftsubnet=192.168.11.0/24
    leftfirewall=yes

conn RTX1000
    right=172.16.9.22
    rightsubnet=192.168.22.0/24
    auto=start

ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file

: PSK "abcd1234"

Yamaha config

console character ascii
ip route default gateway 172.16.9.254
ip route 192.168.11.0/24 gateway tunnel 1
ip lan1 address 192.168.22.1/24
ip lan2 address 172.16.9.22/24
ip lan2 nat descriptor 1
tunnel select 1
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike group 1 modp1024
  ipsec ike local address 1 172.16.9.22
  ipsec ike pre-shared-key 1 text abcd1234
  ipsec ike remote address 1 172.16.9.21
 tunnel enable 1
tunnel select none
nat descriptor type 1 masquerade
nat descriptor address outer 1 172.16.9.22
nat descriptor address inner 1 192.168.22.1-192.168.22.254
nat descriptor masquerade static 1 1 172.16.9.22 udp 500
nat descriptor masquerade static 1 2 172.16.9.22 esp
dhcp service server
dhcp scope 1 192.168.22.100-192.168.22.254/24
dns server 8.8.8.8
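Most failed IKEv1 negotiations between two vendors come down to one side's proposal, gateway address or pre-shared key not matching the other's. The script below is an added example, not part of the original post: it parses a strongSwan ipsec.conf (with %default inheritance), the ipsec.secrets PSK line and the Yamaha "ipsec ike" / "ipsec sa policy" / "ip route ... tunnel" lines, then reports every mismatch between the two ends. The embedded configs are constructed from the values in the post, the parsers only understand the directives the post uses, and the YAMAHA_ESP table mapping Yamaha algorithm names to strongSwan proposal strings is an assumption covering just the aes-cbc/sha-hmac pair shown here.

```python
"""Cross-check strongSwan ipsec.conf/ipsec.secrets against the peer's
Yamaha RTX configuration before bringing the tunnel up (added example).
"""
import re
from ipaddress import ip_network

# Constructed from the post's values; only the directives the parsers need.
IPSEC_CONF = """\
config setup

conn %default
    authby=secret
    keyexchange=ikev1
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    left=172.16.9.21
    leftsubnet=192.168.11.0/24

conn RTX1000
    right=172.16.9.22
    rightsubnet=192.168.22.0/24
    auto=start
"""

IPSEC_SECRETS = ': PSK "abcd1234"\n'

YAMAHA_CONF = """\
ip route 192.168.11.0/24 gateway tunnel 1
ip lan1 address 192.168.22.1/24
tunnel select 1
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike group 1 modp1024
  ipsec ike local address 1 172.16.9.22
  ipsec ike pre-shared-key 1 text abcd1234
  ipsec ike remote address 1 172.16.9.21
 tunnel enable 1
"""

# Assumed mapping of Yamaha (encryption, authentication) names to the
# strongSwan ESP proposal they correspond to; extend as needed.
YAMAHA_ESP = {("aes-cbc", "sha-hmac"): "aes128-sha1"}


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with the %default values merged in."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)", stripped)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in stripped:
            key, _, value = stripped.partition("=")
            current[key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **conf} for name, conf in sections.items()}


def parse_secrets(text):
    """Return the PSK from the first ': PSK "..."' line, or None."""
    m = re.search(r'PSK\s+"([^"]*)"', text)
    return m.group(1) if m else None


def parse_yamaha(text):
    """Return the IKE/ESP parameters and tunnel routes of a Yamaha config."""
    y = {"tunnel_routes": []}
    for line in text.splitlines():
        w = line.split()
        if w[:4] == ["ipsec", "ike", "local", "address"] and len(w) > 5:
            y["local"] = w[5]
        elif w[:4] == ["ipsec", "ike", "remote", "address"] and len(w) > 5:
            y["remote"] = w[5]
        elif w[:3] == ["ipsec", "ike", "pre-shared-key"] and len(w) > 5 and w[4] == "text":
            y["psk"] = w[5]
        elif w[:3] == ["ipsec", "ike", "group"] and len(w) > 4:
            y["group"] = w[4]
        elif w[:3] == ["ipsec", "sa", "policy"] and len(w) > 7 and w[5] == "esp":
            y["esp"] = YAMAHA_ESP.get((w[6], w[7]))  # None if unknown to the table
        elif w[:2] == ["ip", "route"] and "tunnel" in w:
            y["tunnel_routes"].append(w[2])
    return y


def check_peer(conn, psk, yamaha):
    """Return a list of mismatches; an empty list means both ends agree."""
    problems = []
    if conn.get("left") != yamaha.get("remote"):
        problems.append(f"left {conn.get('left')} != Yamaha remote address {yamaha.get('remote')}")
    if conn.get("right") != yamaha.get("local"):
        problems.append(f"right {conn.get('right')} != Yamaha local address {yamaha.get('local')}")
    if psk is None or psk != yamaha.get("psk"):
        problems.append("pre-shared keys differ")
    if conn.get("esp") != yamaha.get("esp"):
        problems.append(f"esp proposal {conn.get('esp')} != Yamaha sa policy {yamaha.get('esp')}")
    ike_group = conn.get("ike", "").split("-")[-1]  # 'aes128-sha1-modp1024' -> 'modp1024'
    if ike_group != yamaha.get("group"):
        problems.append(f"DH group {ike_group} != Yamaha ike group {yamaha.get('group')}")
    left_net = ip_network(conn["leftsubnet"])
    if not any(ip_network(r) == left_net for r in yamaha["tunnel_routes"]):
        problems.append(f"Yamaha has no route for {left_net} via the tunnel")
    return problems


def check_post_configs():
    """Run the check on the embedded configs from the post."""
    conn = parse_ipsec_conf(IPSEC_CONF)["RTX1000"]
    return check_peer(conn, parse_secrets(IPSEC_SECRETS), parse_yamaha(YAMAHA_CONF))


if __name__ == "__main__":
    for line in check_post_configs() or ["OK: strongSwan and Yamaha sides agree"]:
        print(line)
```

Run it against the two real files by reading them into IPSEC_CONF, IPSEC_SECRETS and YAMAHA_CONF; a non-empty result is the first thing to fix before looking at IKE logs.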

iptables

Although leftfirewall=yes is set and strongSwan configures the firewall automatically, a few rules are still missing:

  • iptables -t nat -I POSTROUTING 1 -s 192.168.11.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
  • iptables -A FORWARD -p icmp -j ACCEPT
  • iptables -A INPUT -p icmp -j ACCEPT
  • iptables -A INPUT -p esp -j ACCEPT
邱小新の工作筆記

Posted by 台南小新 on 痞客邦 PIXNET