1) Goal screenshot: http://i.imgur.com/LMTcz.png | |
2) Fedora (Site 4 trying to connect to Site 1) failed: | |
[root@example ~]# ip route | |
98.0.0.0/24 dev em1 proto kernel scope link src 98.0.0.2 metric 1 | |
81.164.40.0/21 dev wlan0 proto kernel scope link src 81.164.44.90 metric 2 | |
default via 98.0.0.1 dev em1 proto static | |
[root@example ~]# ip addr | |
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN | |
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 | |
inet 127.0.0.1/8 scope host lo | |
inet6 ::1/128 scope host | |
valid_lft forever preferred_lft forever | |
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 | |
link/ether 00:19:b9:85:96:c5 brd ff:ff:ff:ff:ff:ff | |
inet 98.0.0.2/24 brd 98.0.0.255 scope global em1 | |
inet6 fe80::219:b9ff:fe85:96c5/64 scope link | |
valid_lft forever preferred_lft forever | |
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 | |
link/ether 00:19:7e:a7:f8:76 brd ff:ff:ff:ff:ff:ff | |
inet 81.164.44.90/21 brd 81.164.47.255 scope global wlan0 | |
inet6 fe80::219:7eff:fea7:f876/64 scope link | |
valid_lft forever preferred_lft forever | |
4: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 | |
link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff | |
[root@example ~]# ifup vpn | |
RTNETLINK answers: No such process | |
[root@example ~]# cat /etc/sysconfig/network-scripts/ifcfg-vpn | |
ONBOOT=yes | |
IKE_METHOD=PSK | |
DSTGW=10.2.2.1 | |
SRCGW=10.2.3.1 | |
DSTNET=10.2.2.0/24 | |
SRCNET=10.2.3.1/24 | |
DST=98.0.0.1 | |
TYPE=IPSEC | |
You have mail in /var/spool/mail/root | |
[root@example ~]# ifup vpn | |
RTNETLINK answers: No such process | |
[root@example ~]# ping 10.2.2.2 | |
PING 10.2.2.2 (10.2.2.2) 56(84) bytes of data. | |
64 bytes from 10.2.2.2: icmp_req=1 ttl=63 time=0.531 ms | |
64 bytes from 10.2.2.2: icmp_req=2 ttl=63 time=0.482 ms | |
^C | |
--- 10.2.2.2 ping statistics --- | |
2 packets transmitted, 2 received, 0% packet loss, time 1001ms | |
rtt min/avg/max/mdev = 0.482/0.506/0.531/0.033 ms | |
[root@example ~]# ping 98.0.0.1 | |
PING 98.0.0.1 (98.0.0.1) 56(84) bytes of data. | |
64 bytes from 98.0.0.1: icmp_req=1 ttl=64 time=0.518 ms | |
^C | |
--- 98.0.0.1 ping statistics --- | |
1 packets transmitted, 1 received, 0% packet loss, time 0ms | |
rtt min/avg/max/mdev = 0.518/0.518/0.518/0.000 ms | |
[root@example ~]# traceroute 98.0.0.1 | |
traceroute to 98.0.0.1 (98.0.0.1), 30 hops max, 60 byte packets | |
1 * * * | |
2 * * * | |
3 * * * | |
4 * * * | |
5 * * * | |
6 * * * | |
7 * * * | |
8 * * * | |
9 * * * | |
10 * * * | |
11 * * * | |
12 * * * | |
13 * * * | |
14 * * * | |
15 * * * | |
16 * * * | |
17 * * * | |
18 * * * | |
19 * * * | |
20 * * * | |
21 * * * | |
22 * * * | |
23 * * * | |
24 * * * | |
25 * * * | |
26 * * * | |
27 * * * | |
28 * * * | |
29 * * * | |
30 * * * | |
You have mail in /var/spool/mail/root | |
[root@example ~]# | |
Generated Configuration (Route-based): | |
## Configure interface IP and route for tunnel traffic | |
# NOTE(review): the Fedora ifcfg-vpn in the log above sets DSTGW=10.2.2.1, while st0.0 here carries 10.2.2.2 -- confirm which address the tunnel endpoint is meant to use.
set interfaces st0.0 family inet address 10.2.2.2/24 | |
# NOTE(review): the Fedora side references 10.2.2.0/24 and 10.2.3.1/24, not the 192.168.x prefixes routed here -- confirm both sides agree on the protected networks before digging into phase 2 failures.
set routing-options static route 192.168.1.0/24 next-hop st0.0 | |
set routing-options static route 192.168.3.0/24 next-hop st0.0 | |
set routing-options static route 192.168.4.0/24 next-hop st0.0 | |
## Configure security zones, assign interfaces to the zones & host-inbound services for each zone | |
# No interface is assigned to the trust zone in this excerpt; presumably configured elsewhere -- verify.
set security zones security-zone vpn interfaces st0.0 | |
# Left disabled: opening every system service on the trust zone is broader than the tunnel needs.
#set security zones security-zone trust host-inbound-traffic system-services all | |
# Only IKE is accepted on the untrust zone; keep it this narrow so the outside-facing interface exposes nothing else.
set security zones security-zone untrust host-inbound-traffic system-services ike | |
## Configure address book entries for each zone | |
set security zones security-zone trust address-book address net-cfgr_192-168-2-0--24 192.168.2.0/24 | |
set security zones security-zone vpn address-book address net-cfgr_192-168-1-0--24 192.168.1.0/24 | |
set security zones security-zone vpn address-book address net-cfgr_192-168-3-0--24 192.168.3.0/24 | |
set security zones security-zone vpn address-book address net-cfgr_192-168-4-0--24 192.168.4.0/24 | |
## Configure IKE policy for main mode | |
set security ike policy ike-policy-cfgr mode main | |
# 'standard' selects a preset proposal bundle; check the algorithms it picks on this platform against current policy rather than assuming they are acceptable.
set security ike policy ike-policy-cfgr proposal-set standard | |
# The pre-shared key is stored in clear text and this file is public: treat the value as compromised, rotate it on both peers, and keep real keys out of pasted configs.
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "ihateyou" | |
## Configure IKE gateway with peer IP address, IKE policy and outgoing interface | |
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr | |
# Peer address matches em1 on the Fedora host in the log above (98.0.0.2).
set security ike gateway ike-gate-cfgr address 98.0.0.2 | |
set security ike gateway ike-gate-cfgr external-interface ge-0/0/0 | |
## Configure IPsec policy | |
set security ipsec policy ipsec-policy-cfgr proposal-set standard | |
set security ipsec vpn ipsec-vpn-cfgr ike gateway ike-gate-cfgr | |
set security ipsec vpn ipsec-vpn-cfgr ike ipsec-policy ipsec-policy-cfgr | |
set security ipsec vpn ipsec-vpn-cfgr bind-interface st0.0 | |
# vpn-monitor is commented out, so tunnel liveness is not actively probed; presumably left off for initial bring-up -- re-enable once the tunnel is stable.
#set security ipsec vpn ipsec-vpn-cfgr vpn-monitor optimized | |
## Configure security policies for tunnel traffic in outbound direction | |
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match source-address net-cfgr_192-168-2-0--24 | |
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-1-0--24 | |
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-3-0--24 | |
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match destination-address net-cfgr_192-168-4-0--24 | |
# 'application any' permits every protocol between the selected prefixes; narrow this to the applications actually required once the tunnel works.
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr match application any | |
set security policies from-zone trust to-zone vpn policy trust-vpn-cfgr then permit | |
## Configure security policies for tunnel traffic in inbound direction | |
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-1-0--24 | |
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-3-0--24 | |
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match source-address net-cfgr_192-168-4-0--24 | |
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match destination-address net-cfgr_192-168-2-0--24 | |
# Same least-privilege point as the outbound policy: inbound traffic from the remote sites is currently unrestricted by application.
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr match application any | |
set security policies from-zone vpn to-zone trust policy vpn-trust-cfgr then permit |