IPsec without a gif tunnel

Petr Rehor prehor at gmail.com
Wed Apr 20 22:15:29 CEST 2005


The discussion about IPsec over a gif tunnel caught my attention, and I am not sure whether I am missing something. I would like to know what advantage it has over wrapping the packets directly in an ESP tunnel:

Side A:
- A.A.A.A/24 - internal network
- X.X.X.X - public IP address

Side B:
- B.B.B.B/24 - internal network
- Y.Y.Y.Y - public IP address

Side A: /etc/ipsec.conf
spdadd A.A.A.A/24 B.B.B.B/24 any -P out ipsec
esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
spdadd B.B.B.B/24 A.A.A.A/24 any -P in  ipsec
esp/tunnel/Y.Y.Y.Y-X.X.X.X/require;

Side B: /etc/ipsec.conf (only in and out swapped)
spdadd A.A.A.A/24 B.B.B.B/24 any -P in  ipsec
esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
spdadd B.B.B.B/24 A.A.A.A/24 any -P out  ipsec
esp/tunnel/Y.Y.Y.Y-X.X.X.X/require;

On both sides racoon with the sections
- remote <remote public IP>
- sainfo address <my internal network> any address <remote internal network> any
and the keys configured in psk.txt

Both routers have only a default route to the Internet, and no special
contortions were needed in the IPFW rules for this traffic: ESP packets
with public IP addresses arrive on the external interface and, once
unwrapped, leave through the internal interface with internal IP
addresses.

P.
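As an added example (not part of the post above), a small Python checker for the mirrored SPD layout it describes: it parses the setkey spdadd statements of both sides and verifies that every policy on one side appears on the other with only the direction flipped, and that each side's in policy is the exact reverse of its out policy. The A.A.A.A/B.B.B.B/X.X.X.X/Y.Y.Y.Y placeholders are the post's; the Z.Z.Z.Z typo in the broken variant is constructed.

```python
import re
from collections import namedtuple

# One setkey "spdadd" statement; the esp/tunnel spec may wrap onto the next line.
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-\s]+)-([^/\s]+)/(\w+)\s*;")
Policy = namedtuple("Policy", "src dst proto direction tun_src tun_dst level")

def parse_spd(text):
    """Parse all spdadd statements in an ipsec.conf fragment."""
    return [Policy(*m.groups()) for m in SPDADD_RE.finditer(text)]

def check_mirror(conf_a, conf_b):
    """Return a list of problems; an empty list means the two SPDs are consistent."""
    pa, pb = parse_spd(conf_a), parse_spd(conf_b)
    flip = {"in": "out", "out": "in"}
    problems = []
    # Every policy on one side must exist on the other with only the direction flipped.
    for mine, theirs, name in ((pa, pb, "A"), (pb, pa, "B")):
        for p in mine:
            want = Policy(p.src, p.dst, p.proto, flip[p.direction], p.tun_src, p.tun_dst, p.level)
            if want not in theirs:
                problems.append(f"side {name}: no mirror for '{p.direction}' {p.src} -> {p.dst}")
    # Within one side, the 'in' policy must be the exact reverse of the 'out' policy.
    for side, name in ((pa, "A"), (pb, "B")):
        outs = {(p.src, p.dst, p.tun_src, p.tun_dst) for p in side if p.direction == "out"}
        ins = {(p.dst, p.src, p.tun_dst, p.tun_src) for p in side if p.direction == "in"}
        if outs != ins:
            problems.append(f"side {name}: in/out policies are not reverses of each other")
    return problems

# Constructed sample configs, copied from the two sides described in the post.
SIDE_A = """
spdadd A.A.A.A/24 B.B.B.B/24 any -P out ipsec
esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
spdadd B.B.B.B/24 A.A.A.A/24 any -P in  ipsec
esp/tunnel/Y.Y.Y.Y-X.X.X.X/require;
"""
SIDE_B = """
spdadd A.A.A.A/24 B.B.B.B/24 any -P in  ipsec
esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
spdadd B.B.B.B/24 A.A.A.A/24 any -P out  ipsec
esp/tunnel/Y.Y.Y.Y-X.X.X.X/require;
"""
# Constructed mistake: side B's outbound tunnel points at the wrong gateway.
SIDE_B_BROKEN = SIDE_B.replace("Y.Y.Y.Y-X.X.X.X", "Y.Y.Y.Y-Z.Z.Z.Z")

if __name__ == "__main__":
    print(check_mirror(SIDE_A, SIDE_B))         # []
    print(check_mirror(SIDE_A, SIDE_B_BROKEN))  # three problems reported
```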