IPSec tunnel

Configuration of network services, routing and firewalls. Problems with network equipment.
Forum rules
Please use [code] tags when formatting listings.
Messages that are not properly formatted have every chance of going unnoticed.
Zlovik
passer-by
Posts: 3
Registered: 2012-09-22 19:01:42

IPSec tunnel

Unread post by Zlovik » 2012-09-22 19:25:00

Colleagues, please help. I have already read and tried everything, but the tunnel does not work.
Here are my FreeBSD files:
----------------
/etc/rc.conf


defaultrouter="91.151.199.96"
gateway_enable="YES"
hostname="router.fd.local"
ifconfig_em0="inet 91.151.199.95  netmask 255.255.255.0"
ifconfig_em1="inet 192.168.250.1  netmask 255.255.255.0"
inetd_enable="YES"
keymap="ru.koi8-r"
router="/sbin/routed"
router_enable="YES"
router_flags="-s"
racoon_flags="-l /var/log/racoon.log"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
----------------
/usr/local/etc/racoon/racoon.conf


# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

path include "/usr/local/etc/racoon" ;

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
#path pre_shared_key "/etc/psk.txt" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log notify;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
  maximum_length 20;
  randomize off;
  strict_check off;
  exclusive_tail off;
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
  isakmp 99.151.199.95 [500];
}

# Specification of default various timer.
timer
{
  # These value can be changed per remote node.
  counter 5;        # maximum trying count to send.
  interval 20 sec;  # maximum interval to resend.
  persend 1;        # the number of packets per a send.

  # timer for waiting to complete each phase.
  phase1 30 sec;
  phase2 15 sec;
}

remote 91.151.199.162
{
  exchange_mode main;
  #exchange_mode aggressive;
  doi ipsec_doi;
  situation identity_only;
  nonce_size 16;
  lifetime time 60 min;
  initial_contact on;
  support_proxy on;
  proposal_check obey;  # obey, strict or claim
  proposal {
    encryption_algorithm 3des;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 2;
  }
}

sainfo subnet 192.168.250.0/24 any address 10.10.0.0/24 any {
  pfs_group 2;
  lifetime time 24 hour;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}
----------------
/usr/local/etc/racoon/psk.txt


91.151.199.162  Qw12345678
----------------
/etc/ipsec.conf


flush;
spdflush;

spdadd 192.168.250.0/24 10.10.0.0/24 any -P out ipsec esp/tunnel/91.151.199.95-91.151.199.162/unique;
spdadd 10.10.0.0/24 192.168.250.0/24 any -P in ipsec esp/tunnel/91.151.199.162-91.151.199.95/unique;
------------------------------------------------------------------------------------------------
Cisco configuration (IOS ver. 12)


crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp identity address
crypto isakmp key Qw12345678 address 91.151.199.95

crypto ipsec transform-set MY_MAP esp-aes esp-sha-hmac

crypto map TUNMAP 1 ipsec-isakmp
 set peer 10.2.8.2
 set security-association lifetime seconds 86400
 set transform-set TUNMAP
 set pfs group2
 match address 150

interface Tunnel0
 description Office
 ip unnumbered FastEthernet0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 crypto map TUNMAP

access-list 150 permit ip 10.10.0.0 0.0.0.255 192.168.250.0 0.0.0.255
ip route 192.168.250.0 255.255.255.0 91.151.199.95
------------------------------------------------------------------------------------------------
Here is what the Cisco shows after the configuration: cat#show interface


Ethernet0 is up, line protocol is up 
  Hardware is PQUICC Ethernet, address is 000d.28dc.ad77 (bia 000d.28dc.ad77)
  Internet address is 91.151.199.162/30
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, 
     reliability 255/255, txload 1/255, rxload 27/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10BaseT
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 1076000 bits/sec, 128 packets/sec
  5 minute output rate 35000 bits/sec, 68 packets/sec
     122386 packets input, 136045026 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     70026 packets output, 5273502 bytes, 0 underruns
     0 output errors, 14896 collisions, 1 interface resets
     0 babbles, 0 late collision, 4191 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FastEthernet0 is up, line protocol is up 
  Hardware is PQUICC_FEC, address is 000c.857f.86d2 (bia 000c.857f.86d2)
  Internet address is 10.10.0.1/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, 
     reliability 255/255, txload 2/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 38000 bits/sec, 66 packets/sec
  5 minute output rate 1076000 bits/sec, 126 packets/sec
     68197 packets input, 5411501 bytes
     Received 134 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     121321 packets output, 135963558 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
NVI0 is up, line protocol is up 
  Hardware is NVI
  Interface is unnumbered. Using address of NVI0 (0.0.0.0)
  MTU 1514 bytes, BW 10000000 Kbit, DLY 0 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation UNKNOWN, loopback not set
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Tunnel0 is up, line protocol is down 
  Hardware is Tunnel
  Description: artk
  Interface is unnumbered. Using address of FastEthernet0 (10.10.0.1)
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source UNKNOWN, destination UNKNOWN
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
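As an added example that is not part of the original post (a hypothetical helper, not racoon's, FreeBSD's or IOS's own tooling), the Python script below takes constructed excerpts of the listings above (the Ethernet0 address is taken from the show interface output, everything else from the posted configs) and cross-checks the two sides of an IKEv1 site-to-site tunnel before either device is touched: that racoon listens on an address the host actually owns, that each side's peer address is the other's real IKE endpoint and has a psk.txt entry, that the crypto map is applied on the interface holding that endpoint rather than on an unnumbered Tunnel interface, and that the transform set named in the crypto map exists and matches the racoon sainfo (cipher, integrity, PFS group).

```python
"""Cross-check an IKEv1 site-to-site tunnel: FreeBSD racoon/setkey vs a Cisco IOS crypto map.
Hypothetical helper added for this thread (not racoon's, FreeBSD's or IOS's own code); the
config strings below are constructed excerpts of the posted listings."""
import re

# Constructed excerpts of the FreeBSD side (rc.conf, racoon.conf, psk.txt).
RC_CONF = ('ifconfig_em0="inet 91.151.199.95  netmask 255.255.255.0"\n'
           'ifconfig_em1="inet 192.168.250.1  netmask 255.255.255.0"\n')
RACOON_CONF = """\
listen { isakmp 99.151.199.95 [500]; }
remote 91.151.199.162 {
    proposal { encryption_algorithm 3des; hash_algorithm sha1;
               authentication_method pre_shared_key; dh_group 2; }
}
sainfo subnet 192.168.250.0/24 any address 10.10.0.0/24 any {
    pfs_group 2; encryption_algorithm aes; authentication_algorithm hmac_sha1;
}
"""
PSK_TXT = "91.151.199.162  Qw12345678\n"
# Constructed excerpt of the Cisco side; Ethernet0's address comes from the posted
# "show interface" output, everything else from the posted configuration.
IOS_CONF = """\
crypto isakmp key Qw12345678 address 91.151.199.95
crypto ipsec transform-set MY_MAP esp-aes esp-sha-hmac
crypto map TUNMAP 1 ipsec-isakmp
 set peer 10.2.8.2
 set transform-set TUNMAP
 set pfs group2
 match address 150
interface Tunnel0
 crypto map TUNMAP
interface Ethernet0
 ip address 91.151.199.162 255.255.255.252
"""
# IOS transform-set keywords -> racoon sainfo keywords.
P2_ESP = {"esp-3des": "3des", "esp-aes": "aes"}
P2_AUTH = {"esp-sha-hmac": "hmac_sha1", "esp-md5-hmac": "hmac_md5"}

def first(pattern, text, default=None):
    """Group 1 of the first match of pattern in text, or default."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else default

def ios_blocks(ios):
    """Split an IOS config into {top-level line: [indented sub-lines]}."""
    blocks, current = {}, None
    for line in ios.splitlines():
        if line and not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current and line.strip():
            blocks[current].append(line.strip())
    return blocks

def audit(rc, racoon, psk, ios):
    """Return a list of mismatches; an empty list means both sides agree."""
    findings = []
    local = set(re.findall(r'ifconfig_\w+="inet (\S+)', rc))
    listen = first(r"isakmp\s+(\S+)\s*\[", racoon)
    remote = first(r"^\s*remote\s+(\S+)", racoon)
    sainfo = racoon.split("sainfo", 1)[1]
    blocks = ios_blocks(ios)
    cmap = next(k for k in blocks if k.startswith("crypto map "))
    tag, cmap_body = cmap.split()[2], "\n".join(blocks[cmap])
    # 1. racoon must listen on an address this host actually owns.
    if listen not in local:
        findings.append(f"racoon listens on {listen}, which is not a local address")
    # 2. Each side must name the other's real IKE endpoint.
    if first(r"crypto isakmp key \S+ address (\S+)", ios) not in local:
        findings.append("IOS isakmp key is bound to a non-FreeBSD address")
    peer = first(r"set peer (\S+)", cmap_body)
    if peer not in local:
        findings.append(f"IOS 'set peer {peer}' is not the FreeBSD address")
    if remote not in psk.split():
        findings.append(f"psk.txt has no entry for racoon remote {remote}")
    # 3. The crypto map must sit on the interface that owns the IKE endpoint;
    #    on an unnumbered Tunnel interface the local endpoint shows as 0.0.0.0.
    iface = next((k for k, v in blocks.items()
                  if k.startswith("interface ") and f"crypto map {tag}" in v), None)
    iface_addr = first(r"ip address (\S+)", "\n".join(blocks.get(iface, [])))
    if iface_addr != remote:
        findings.append(f"crypto map {tag} is on '{iface}' (address {iface_addr}), "
                        f"not on the interface holding {remote}")
    # 4. The referenced transform set must exist and match the racoon sainfo.
    ts_name = first(r"set transform-set (\S+)", cmap_body)
    ts_def = first(rf"crypto ipsec transform-set {re.escape(ts_name)} (.+)", ios)
    if ts_def is None:
        findings.append(f"transform-set {ts_name} is referenced but never defined")
    else:
        esp, auth = ts_def.split()[:2]
        if P2_ESP.get(esp) != first(r"encryption_algorithm (\w+)", sainfo):
            findings.append("phase 2 cipher mismatch")
        if P2_AUTH.get(auth) != first(r"authentication_algorithm (\w+)", sainfo):
            findings.append("phase 2 integrity mismatch")
    if first(r"set pfs group(\d+)", cmap_body, "0") != first(r"pfs_group (\d+)", sainfo, "0"):
        findings.append("PFS group mismatch")
    return findings

if __name__ == "__main__":
    print(*audit(RC_CONF, RACOON_CONF, PSK_TXT, IOS_CONF), sep="\n")
```

Run against the excerpts it reports four mismatches (the listen address, the set peer address, the crypto map placed on Tunnel0, and the undefined transform-set name); once those agree, audit() returns an empty list. The isakmp policy can be compared with the racoon phase 1 proposal (cipher, hash, DH group, authentication method) in the same way with one more keyword dictionary, and the same regex approach works on a saved "show running-config" rather than a hand-pasted excerpt.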


Zlovik
passer-by
Posts: 3
Registered: 2012-09-22 19:01:42

Re: IPSec tunnel

Unread post by Zlovik » 2012-09-22 19:34:09

I noticed an error: I had specified the wrong interface. I fixed it, but the tunnel still does not come up.


Tunnel0 is up, line protocol is down 
  Hardware is Tunnel
  Description: artk
  Interface is unnumbered. Using address of Ethernet0 (91.151.199.162)
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source UNKNOWN, destination UNKNOWN
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

Zlovik
passer-by
Posts: 3
Registered: 2012-09-22 19:01:42

Re: IPSec tunnel

Unread post by Zlovik » 2012-09-22 19:38:47

Here is some more information; maybe it will help to figure this out.


cat#show crypto ipsec sa interface Tunnel0

interface: Tunnel0
    Crypto map tag: TUNMAP, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.250.0/255.255.255.0/0/0)
   current_peer 91.151.199.70 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: 91.151.199.70
     path mtu 1480, ip mtu 1480, ip mtu idb Tunnel0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas: