Код: Выделить всё
In a site-to-site setup a system administrator logged into the local gateway often would like to access the peer gateway or a server in the subnet behind the peer gateway over a secure IPsec tunnel.Since IP packets leaving a gateway via the outer network interface carry the IP address of this NIC, four IPsec Security Associations (SAs) must be set up to achieve full connectivity. The example below shows how this can be done without much additional typing work , using the "also" macro which includes connection definitions defined farther down in the ipsec.conf file.
10.1.0.0/16 -- | 192.168.0.1 | === | 192.168.0.2 | -- 10.2.0.0/16
moon-net moon sun sun-net
Configuration on gateway moon:
/etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.d/certs/moonCert.pem
/etc/ipsec.secrets:
: RSA moonKey.pem "<optional passphrase>"
/etc/ipsec.conf:
conn net-net
leftsubnet=10.1.0.0/16
rightsubnet=10.2.0.0/16
also host-host
conn net-host
leftsubnet=10.1.0.0/16
also host-host
conn host-net
rightsubnet=10.2.0.0/16
also host-host
conn host-host
left=defaultroute
leftcert=moonCert.pem
right=192.168.0.2
rightid="C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
auto=start
Configuration on gateway sun:
/etc/ipsec.d/cacerts/strongswanCert.pem
/etc/ipsec.d/certs/sunCert.pem
/etc/ipsec.secrets:
: RSA sunKey.pem "<optional passphrase>"
/etc/ipsec.conf:
conn net-net
leftsubnet=10.2.0.0/16
rightsubnet=10.1.0.0/16
also=host-host
conn net-host
leftsubnet=10.2.0.0/16
also=host-host
conn host-net
rightsubnet=10.1.0.0/16
also=host-host
conn host-host
left=defaultroute
leftcert=sunCert.pem
right=192.168.0.1
rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
auto=start
Или я что-то упустил ?
