strongSwan to strongSwan IKEv2 site-to-site
Config is the same on both sites
ipsec.conf
File:

conn s2s
    authby=secret
    keyexchange=ikev2
    left=10.82.227.12
    leftid=10.82.227.12
    leftsubnet=10.82.243.0/24
    mobike=no
    right=10.82.227.22
    rightid=10.82.227.22
    rightsubnet=10.82.244.0/24
    ike=aes256-sha256-modp4096!
    esp=aes256-sha256-modp4096!
    auto=start
ipsec.secrets
- ID combination with authentication method
10.82.227.12 10.82.227.22 : PSK "suxer"
Handling
Up
- ipsec up s2s
initiating IKE_SA s2s[2] to 10.82.227.22
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (720 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (728 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
authentication of '10.82.227.12' (myself) with pre-shared key
establishing CHILD_SA s2s{2}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (256 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (224 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of '10.82.227.22' with pre-shared key successful
IKE_SA s2s[2] established between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
scheduling reauthentication in 10119s
maximum IKE_SA lifetime 10659s
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA s2s{2} established with SPIs cc16cb02_i c89d755d_o and TS 10.82.243.0/24 === 10.82.244.0/24
connection 's2s' established successfully
Down
- ipsec down s2s
deleting IKE_SA s2s[2] between 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
sending DELETE for IKE_SA s2s[2]
generating INFORMATIONAL request 2 [ D ]
sending packet: from 10.82.227.12[500] to 10.82.227.22[500] (80 bytes)
received packet: from 10.82.227.22[500] to 10.82.227.12[500] (80 bytes)
parsed INFORMATIONAL response 2 [ ]
IKE_SA deleted
IKE_SA [2] closed successfully
Status
- ipsec status s2s
Security Associations (1 up, 0 connecting):
         s2s[4]: ESTABLISHED 7 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
         s2s{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cef198fc_i c4de821a_o
         s2s{4}:   10.82.243.0/24 === 10.82.244.0/24
tcpdump of the connection
- tcpdump -ni eth0 port 500 or esp
- up
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:03:46.060570 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: parent_sa ikev2_init[I]
09:03:46.173147 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: parent_sa ikev2_init[R]
09:03:46.230911 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: child_sa ikev2_auth[I]
09:03:46.234449 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: child_sa ikev2_auth[R]
- down
09:04:02.224802 IP 10.82.227.12.500 > 10.82.227.22.500: isakmp: child_sa inf2[I]
09:04:02.228834 IP 10.82.227.22.500 > 10.82.227.12.500: isakmp: child_sa inf2[R]
Multiple subnets
alice and tiazel
- /etc/ipsec.conf
conn s2s
    authby=secret
    keyexchange=ikev2
    left=10.82.227.12
    leftid=10.82.227.12
    leftsubnet=10.82.243.0/24,192.168.20.0/24
    mobike=no
    right=10.82.227.22
    rightid=10.82.227.22
    rightsubnet=10.82.244.0/24
    ike=aes256-sha256-modp4096!
    esp=aes256-sha256-modp4096!
    auto=start
- ipsec status
Security Associations (1 up, 0 connecting):
         s2s[2]: ESTABLISHED 5 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
         s2s{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cda686f1_i c7f9fce6_o
         s2s{2}:   10.82.243.0/24 192.168.20.0/24 === 10.82.244.0/24
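When more than one subnet is listed in leftsubnet/rightsubnet, the thing worth checking is that every one of them actually shows up in the installed CHILD_SA traffic selectors, not just that the IKE_SA is ESTABLISHED. The following shell check is an added example, not from this wiki page or from strongSwan; the function name check_s2s_status and the embedded sample status are my own, and the sample is a constructed copy of the status output above.

```shell
#!/bin/sh
# Added example (not part of the wiki page or strongSwan): verify that an
# `ipsec status <conn>` dump shows an ESTABLISHED IKE_SA, an INSTALLED
# CHILD_SA, and every expected local/remote subnet in the traffic selectors.
# Exit status 0 = tunnel up and complete, 1 = something missing (printed).
#
# usage: ipsec status s2s | check_s2s_status s2s "10.82.243.0/24 192.168.20.0/24" "10.82.244.0/24"
check_s2s_status() {
    conn=$1; want_local=$2; want_remote=$3
    status=$(cat)
    rc=0
    # IKE_SA line: "s2s[2]: ESTABLISHED 5 seconds ago, ..."
    printf '%s\n' "$status" | grep -q "^ *${conn}\[[0-9]*\]: ESTABLISHED" \
        || { echo "IKE_SA for $conn is not ESTABLISHED"; rc=1; }
    # CHILD_SA line: "s2s{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ..."
    printf '%s\n' "$status" | grep -q "^ *${conn}{[0-9]*}: *INSTALLED, TUNNEL" \
        || { echo "CHILD_SA for $conn is not INSTALLED"; rc=1; }
    # Traffic selector line: "s2s{2}:   <local nets> === <remote nets>"
    ts=$(printf '%s\n' "$status" | grep "^ *${conn}{[0-9]*}: .*===" | head -n 1)
    local_ts=${ts%%===*}
    remote_ts=${ts#*===}
    for net in $want_local; do
        case " $local_ts " in
            *" $net "*) ;;
            *) echo "local subnet $net missing from traffic selectors"; rc=1 ;;
        esac
    done
    for net in $want_remote; do
        case " $remote_ts " in
            *" $net "*) ;;
            *) echo "remote subnet $net missing from traffic selectors"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample (the multi-subnet status shown above) so the check can be
# exercised without a running strongSwan.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
         s2s[2]: ESTABLISHED 5 seconds ago, 10.82.227.12[10.82.227.12]...10.82.227.22[10.82.227.22]
         s2s{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cda686f1_i c7f9fce6_o
         s2s{2}:   10.82.243.0/24 192.168.20.0/24 === 10.82.244.0/24'

printf '%s\n' "$SAMPLE_STATUS" \
    | check_s2s_status s2s "10.82.243.0/24 192.168.20.0/24" "10.82.244.0/24" \
    && echo "s2s: all configured subnets are installed"
```

Run it against the live daemon with `ipsec status s2s | check_s2s_status s2s "<left subnets>" "<right subnets>"`; a non-zero exit makes it usable as a monitoring probe.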