Начну по порядку.
Имеются три сети: СЕТЬ№1 (192.168.111.0), СЕТЬ№2 (192.168.101.0), СЕТЬ№3 (192.168.121.0) и их шлюзы ШЛЮЗ№1 (89.A.A.A, 192.168.111.2), ШЛЮЗ№2 (89.B.B.B,
192.168.101.2), ШЛЮЗ№3 (89.C.C.C, 192.168.121.2); на каждом шлюзе установлена FreeBSD 6.1.
На данный момент СЕТЬ№1 и СЕТЬ№2 соединены туннелем IPsec, всё настроено и прекрасно работает.
Необходимо соединить таким же туннелем СЕТЬ№1 и СЕТЬ№3.
Для этого я сделал:
на ШЛЮЗ№3 установил ipsec-tools
отредактировал файлы
rc.conf
- #cat /etc/rc.conf
......
# Gateway 89.C.C.C (LAN 192.168.121.0/24): gif0 carries the tunnel to 89.A.A.A.
# NOTE(review): rc.conf is read at boot; if these lines were added to a running
# system, the gif interface, the static route, the SPD (setkey -f) and racoon
# all have to be (re)loaded before the tunnel can come up — confirm that was done.
gif_interfaces="gif0"
# Outer tunnel endpoints: local public address first, then the peer's.
gifconfig_gif0="89.C.C.C 89.A.A.A"
# Inner point-to-point addresses of the two gateways; /32 so only the peer is on-link.
ifconfig_gif0="192.168.121.2 192.168.111.2 netmask 0xffffffff"
static_routes="vpn"
# Remote LAN is reached through the far end of gif0.
route_vpn="192.168.111.0/24 192.168.111.2"
# Load the security policy database from ipsec_file at boot.
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
# racoon (IKEv1 daemon from ipsec-tools) negotiates the SAs.
racoon_enable="YES"
......
- #cat /etc/ipsec.conf
# SPD on the 89.C.C.C gateway: ESP in tunnel mode between the two public addresses
# is required for all traffic between the two LANs, in both directions.
# NOTE(review): "require" means matching traffic is discarded, never sent in the
# clear, while no SA exists — if racoon never completes phase 2 the LANs simply
# cannot reach each other. `setkey -D` shows whether SAs with these endpoints exist.
spdadd 192.168.121.0/24 192.168.111.0/24 any -P out ipsec esp/tunnel/89.C.C.C-89.A.A.A/require;
spdadd 192.168.111.0/24 192.168.121.0/24 any -P in ipsec esp/tunnel/89.A.A.A-89.C.C.C/require;
- #cat /usr/local/etc/racoon/racoon.conf
# racoon (IKEv1) on the 89.C.C.C gateway; its only peer is 89.A.A.A.
path include "/usr/local/etc/racoon" ;
# Pre-shared keys are looked up in psk.txt by the peer's address (see the remote block).
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
#path certificate "/usr/local/etc/cert" ;
# Verbose logging: fine while the tunnel is being brought up; lower it once it works,
# the debug output is the first place to look for a phase 1 / phase 2 mismatch.
log debug;
padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
# Accept ISAKMP only on the public address, UDP 500.
listen
{
isakmp 89.C.C.C [500];
}
timer
{
counter 5;
interval 20 sec;
persend 1;
phase1 30 sec;
phase2 15 sec;
}
# Phase 1 settings for the 89.A.A.A gateway.
remote 89.A.A.A
{
# The first mode is used when this host initiates; both are accepted when it responds.
# NOTE(review): with pre-shared keys, aggressive mode sends the identities and a
# PSK-derived hash before the exchange is encrypted; `main` alone is the safer
# choice when the other end accepts it (the peer's config lists both modes too).
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
# Identities are the public addresses and must match the tunnel endpoints.
my_identifier address 89.C.C.C;
peers_identifier address 89.A.A.A;
nonce_size 16;lifetime time 1 hour;
initial_contact on;
# obey: as responder, accept the initiator's lifetime/PFS settings.
proposal_check obey;
# Phase 1 transform; must match the peer's proposal exactly. 3DES, SHA-1 and
# 1024-bit DH (group 2) are legacy choices — consider aes and dh_group 14 if
# this racoon build supports them on both ends.
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
# Phase 2 (IPsec SA) parameters, applied to any peer and selector.
sainfo anonymous
{
# PFS with DH group 1 (768-bit MODP) is weaker than the phase 1 group;
# prefer group 2 or higher, kept identical on both ends.
pfs_group 1;
lifetime time 3600 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
# IPComp (deflate) is proposed as well; keep it consistent with the peer's sainfo.
compression_algorithm deflate ;
}
- #cat /usr/local/etc/racoon/psk.txt
# PSK for peer 89.A.A.A — "password" is presumably a placeholder for the post.
# Use a long random secret, identical on both gateways, and keep this file
# readable by root only (racoon is expected to reject a world-readable key file — confirm for this version).
89.A.A.A password
- .....
# ipfw rules on the 89.C.C.C gateway for the tunnel to 89.A.A.A.
# ipfw is first-match: these must come before any rule that blocks traffic on the
# public interface (the surrounding rules are not shown, so the order cannot be checked here).
# Everything crossing the tunnel interface is allowed, i.e. full LAN-to-LAN access.
${FwCMD} add allow ip from any to any via gif0
# IKE (ISAKMP) between the two gateways only.
${FwCMD} add allow udp from 89.C.C.C to 89.A.A.A 500
${FwCMD} add allow udp from 89.A.A.A to 89.C.C.C 500
# ESP between the two gateways only.
${FwCMD} add allow esp from 89.C.C.C to 89.A.A.A
${FwCMD} add allow esp from 89.A.A.A to 89.C.C.C
.....
rc.conf
- #cat /etc/rc.conf
.....
# Gateway 89.A.A.A (LAN 192.168.111.0/24): gif0 is the existing tunnel to 89.B.B.B,
# gif1 the new one to 89.C.C.C. Both use 192.168.111.2 as the local inner address.
# NOTE(review): if gif1 and route_opt were added to a running system, the
# interface and route have to be created (e.g. netif/routing restart) before
# traffic for 192.168.121.0/24 can reach the tunnel — confirm `ifconfig gif1`
# and `netstat -rn` show them.
gif_interfaces="gif0 gif1"
gifconfig_gif0="89.A.A.A 89.B.B.B"
ifconfig_gif0="192.168.111.2 192.168.101.2 netmask 0xffffffff"
# New tunnel: outer endpoints and inner /32 point-to-point addresses.
gifconfig_gif1="89.A.A.A 89.C.C.C"
ifconfig_gif1="192.168.111.2 192.168.121.2 netmask 0xffffffff"
static_routes="vpn opt"
route_vpn="192.168.101.0/24 192.168.101.2"
# Remote LAN of the new tunnel via the far end of gif1.
route_opt="192.168.121.0/24 192.168.121.2"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
racoon_enable="YES"
.....
- #cat /etc/ipsec.conf
# SPD on the 89.A.A.A gateway: one in/out policy pair per peer, all "require"
# (traffic is discarded, not sent in the clear, while no SA exists).
# Existing tunnel to 89.B.B.B.
spdadd 192.168.111.0/24 192.168.101.0/24 any -P out ipsec esp/tunnel/89.A.A.A-89.B.B.B/require;
spdadd 192.168.101.0/24 192.168.111.0/24 any -P in ipsec esp/tunnel/89.B.B.B-89.A.A.A/require;
# New tunnel to 89.C.C.C; mirrors the policies on that gateway.
# NOTE(review): a file edited after boot is not re-read automatically — reload it
# (setkey -f) and check `setkey -DP` lists these two entries.
spdadd 192.168.111.0/24 192.168.121.0/24 any -P out ipsec esp/tunnel/89.A.A.A-89.C.C.C/require;
spdadd 192.168.121.0/24 192.168.111.0/24 any -P in ipsec esp/tunnel/89.C.C.C-89.A.A.A/require;
- #cat /usr/local/etc/racoon/racoon.conf
# racoon (IKEv1) on the 89.A.A.A gateway; peers are 89.B.B.B and 89.C.C.C.
path include "/usr/local/etc/racoon" ;
# Pre-shared keys are looked up in psk.txt by peer address (one line per peer).
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
#path certificate "/usr/local/etc/cert" ;
# Verbose logging; lower it once the tunnels are stable.
log debug;
padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
# Accept ISAKMP only on the public address, UDP 500.
listen
{
isakmp 89.A.A.A [500];
}
timer
{
counter 5;
interval 20 sec;
persend 1;
phase1 30 sec;
phase2 15 sec;
}
# Phase 1 settings for the existing peer 89.B.B.B.
remote 89.B.B.B
{
# First mode is used when initiating; both are accepted when responding.
# NOTE(review): with pre-shared keys, aggressive mode sends the identities and a
# PSK-derived hash before the exchange is encrypted; `main` alone is safer if
# every peer accepts it.
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier address 89.A.A.A;
peers_identifier address 89.B.B.B;
nonce_size 16;lifetime time 1 hour;
initial_contact on;
# obey: as responder, accept the initiator's lifetime/PFS settings.
proposal_check obey;
# Legacy transform (3DES / SHA-1 / 1024-bit DH); must match the peer exactly.
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
# Phase 1 settings for the new peer 89.C.C.C — identical to the block above
# apart from the addresses, and identical to what that gateway proposes.
# NOTE(review): racoon reads this file at start; after adding this block it
# must be restarted (or sent HUP) before it will answer 89.C.C.C.
remote 89.C.C.C
{
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier address 89.A.A.A;
peers_identifier address 89.C.C.C;
nonce_size 16;lifetime time 1 hour;
initial_contact on;
proposal_check obey;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
# Phase 2 parameters shared by both peers.
sainfo anonymous
{
# DH group 1 (768-bit MODP) for PFS is weaker than the phase 1 group;
# prefer group 2 or higher, kept identical on every peer.
pfs_group 1;
lifetime time 3600 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
# IPComp (deflate) is proposed as well; keep it consistent with each peer's sainfo.
compression_algorithm deflate ;
}
# psk.txt on the 89.A.A.A gateway: one key per peer address. "password" is
# presumably a placeholder; each key must be a long random secret that matches
# the peer's copy exactly, and the file should be readable by root only.
- 89.B.B.B password
89.C.C.C password
- .....
# ipfw rules on the 89.A.A.A gateway, one group per tunnel. ipfw is first-match,
# so all of these must precede any rule that blocks traffic on the public
# interface (the surrounding rules are not shown here).
# Existing tunnel to 89.B.B.B: full LAN-to-LAN via gif0, plus IKE and ESP between the gateways.
${FwCMD} add allow ip from any to any via gif0
${FwCMD} add allow udp from 89.A.A.A to 89.B.B.B 500
${FwCMD} add allow udp from 89.B.B.B to 89.A.A.A 500
${FwCMD} add allow esp from 89.A.A.A to 89.B.B.B
${FwCMD} add allow esp from 89.B.B.B to 89.A.A.A
# New tunnel to 89.C.C.C: same pattern on gif1, limited to the two gateway addresses.
# NOTE(review): a firewall script edited after boot takes effect only once it is
# re-run; `ipfw show` confirms the gif1 rules are installed and whether they see any hits.
${FwCMD} add allow ip from any to any via gif1
${FwCMD} add allow udp from 89.A.A.A to 89.C.C.C 500
${FwCMD} add allow udp from 89.C.C.C to 89.A.A.A 500
${FwCMD} add allow esp from 89.A.A.A to 89.C.C.C
${FwCMD} add allow esp from 89.C.C.C to 89.A.A.A
.....
а СЕТЬ№1 и СЕТЬ№2 прекрасно работают.
Подскажите, в чём может быть проблема?