@shamun
Created June 25, 2011 22:24
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security_Guide/sect-Security_Guide-IPsec_Network_to_Network_Configuration-Manual_IPsec_Network_to_Network_Configuration.html
1)
cat /etc/sysconfig/network-scripts/ifcfg-vpn
# Bring the tunnel device up at boot; TYPE=IPSEC below is what routes this
# file to the IPsec ifup helper rather than an ordinary interface.
ONBOOT=yes
# IKE phase 1 authenticates with a pre-shared key. The key itself is not in
# this file; it is read from keys-vpn (IKE_PSK).
IKE_METHOD=PSK
# NOTE(review): DSTGW and SRCGW carry the same address. One is expected to be
# the local tunnel gateway and the other the remote one — confirm, an
# identical pair is unlikely to be intended.
DSTGW=10.2.2.1
SRCGW=10.2.2.1
# NOTE(review): SRCNET (10.2.2.1/24, a host address with a mask) lies inside
# DSTNET (10.2.2.0/24), and the Juniper side routes 192.168.x.0/24 over the
# tunnel rather than 10.2.2.0/24 — these selectors look inconsistent with
# the peer; verify against the Juniper address book before relying on them.
DSTNET=10.2.2.0/24
SRCNET=10.2.2.1/24
# Remote IKE peer (the Juniper gateway). Must agree with the racoon per-peer
# include and the Juniper "ike gateway ... address" line.
DST=98.0.0.1
TYPE=IPSEC
2)
cat /etc/sysconfig/network-scripts/keys-vpn
# Manual-keying values; left empty because ifcfg-vpn sets IKE_METHOD=PSK and
# lets IKE negotiate the SA keys instead.
KEY_ESP=
KEY_AH=
# Pre-shared key for IKE phase 1. The peer must hold the identical string
# (Juniper: "pre-shared-key ascii-text"). This value is a short dictionary
# word and is stored in clear text: use a long random secret and keep this
# file readable by root only (mode 0600).
IKE_PSK=ihateyou
3)
cat /etc/racoon/racoon.conf
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
# Search paths for per-peer includes, the PSK file, X.509 material and phase
# scripts. psk.txt is presumably filled from keys-vpn by the ifup helper —
# confirm, since racoon reads the key from psk.txt, not from keys-vpn.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";
# Phase 2 (IPsec SA) parameters. "anonymous" matches every remote identity,
# so these proposals are offered to any peer that completes phase 1; a
# per-peer sainfo block would narrow that.
sainfo anonymous
{
# With pfs_group commented out, phase 2 runs without Perfect Forward
# Secrecy: SA keys are derived from the phase 1 secret without a fresh
# DH exchange.
#pfs_group 2;
lifetime time 1 hour ;
# Offered ciphers in listed order: 3DES and Blowfish are legacy; rijndael is
# AES. Trim the list to AES once the peer's accepted proposal is known.
encryption_algorithm 3des, blowfish 448, rijndael ;
# hmac_md5 is offered as a fallback only; prefer hmac_sha1 alone.
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
# Inactive template for a certificate/XAuth peer (Cisco ASA); not used by the
# PSK tunnel configured here.
#remote <IP-of-Cisco-ASA>
#{
# exchange_mode main;
# my_identifier fqdn "host.name.of.vpn.client";
# certificate_type x509 "client.crt" "client.key";
# ca_type x509 "ca.crt";
# mode_cfg on;
# script "p1_up_down" phase1_up;
# script "p1_up_down" phase1_down;
# proposal
# {
# encryption_algorithm 3des;
# hash_algorithm sha1;
# authentication_method xauth_rsa_client;
# dh_group 2;
# }
#}
# Phase 1 settings for the peer named by DST=98.0.0.1 in ifcfg-vpn; this
# file is presumably generated by the ifup helper — confirm it exists
# before starting racoon, or the include fails.
include "/etc/racoon/98.0.0.1.conf";
4)
[root@example ~]# vim /etc/sysctl.conf
[root@example ~]# sysctl -p /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
/proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory
/proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
/proc/sys/net/bridge/bridge-nf-call-arptables: No such file or directory
[root@example ~]# ifup vpn
RTNETLINK answers: No such process
[root@example ~]#
> show security ipsec security-associations
Total active tunnels: 0
Juniper settings:
======================
Generated Configuration (Route-based):
## Configure interface IP and route for tunnel traffic
# Route-based VPN: st0.0 is the tunnel interface. NOTE(review): its address
# 10.2.2.2/24 and the 192.168.x.0/24 routes below do not line up with the
# Fedora side (SRCNET/DSTNET 10.2.2.x/24, SRCGW=DSTGW=10.2.2.1); one side's
# selectors need correcting before phase 2 can match.
set interfaces st0.0 family inet address 10.2.2.2/24
set routing-options static route 192.168.1.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0
## Configure security zones, assign interfaces to the zones & host-inbound services for each zone
set security zones security-zone vpn interfaces st0.0
# Trust-zone "all" host-inbound services stay disabled (commented out).
#set security zones security-zone trust host-inbound-traffic system-services all
# Only IKE is accepted from the untrust zone, which is the minimum the
# external interface needs to terminate the tunnel.
set security zones security-zone untrust host-inbound-traffic system-services ike
## Configure address book entries for each zone
# Local LAN behind the Juniper (trust) and the three remote networks (vpn).
set security zones security-zone trust address-book address net-cfgr_192-168-2-0--24 192.168.2.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-1-0--24 192.168.1.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-3-0--24 192.168.3.0/24
set security zones security-zone vpn address-book address net-cfgr_192-168-4-0--24 192.168.4.0/24
## Configure IKE policy for main mode
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
# Clear-text PSK; must equal IKE_PSK in keys-vpn on the Fedora side. Replace
# the dictionary word with a long random secret on both ends.
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "ihateyou"
## Configure IKE gateway with peer IP address, IKE policy and outgoing interface
# NOTE(review): 98.0.0.1 is the address the Fedora side uses as its remote
# peer (DST=98.0.0.1), so this gateway appears to point at itself rather
# than at the Fedora host — confirm the intended peer address.
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 98.0.0.1
set security ike gateway ike-gate-cfgr external-interface ge-0/0/0
## Configure IPsec policy
set security ipsec policy ipsec-policy-cfgr proposal-set standard
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0
# vpn-monitor is disabled, so tunnel liveness is not probed; "show security
# ipsec security-associations" reporting 0 active tunnels is consistent with
# a tunnel that has not been brought up yet.
#set security ipsec vpn ipsec-vpn-cfgr vpn-monitor optimized
## Configure security policies for tunnel traffic in outbound direction
# trust -> vpn: 192.168.2.0/24 to each remote network, any application.
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-2-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-1-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-3-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-4-0--24
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit
## Configure security policies for tunnel traffic in inbound direction
# vpn -> trust: the mirror of the outbound policy. "application any" permits
# every service from the remote networks; narrow it to the applications
# actually needed once the tunnel is working.
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-1-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-3-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-4-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-2-0--24
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit