- проблема с Freebsd 5.4 и IPSec,
 Z_M, 10:47 , 25-Июл-06 (1)если пинг ходит значит айпи работает,попробуй телнетом пробиться и покажи реальный фаервол
`ipfw l`>Есть две удаленных сетки, провайдер в обоих сетях один и тот же.
>
>Задача связать две сетки по IPSec по внутренней сети провайдера
>Туннель IPSec подымается на ура, на машинах шлюзы прописаны, ping из одной
>сети в другую идет.
>ось freebsd 5.4
>
>Проблема в следующем
>Если пытаюсь из офиса обратится к терминалу на складе результат отрицательный
>Одним словом идет только ping.
>Как заставить пропускать весь трафик из сетки в сетку
>
>Настройки приведены ниже
>
>
>настройки офис
>10.151.194.14 внешний ip
>255.255.255.0
>10.151.194.253 шлюз по умолчанию
>192.168.30.13 внутренний ip
>255.255.255.0
>
>/etc/rc.conf
>gateway_enable="YES"
>firewall_enable="YES"
>firewall_script="/etc/ipfw.rules"
>natd_enable="YES"
>natd_interface="rl0"
>natd_flags="-f /etc/natd.conf"
>
>
>gif_interfaces="gif0"
>gifconfig_gif0="10.151.194.14 10.148.111.12"
>ifconfig_gif0="inet 192.168.30.13 192.168.33.3 netmask 255.255.255.0"
>static_routes="vpn"
>route_vpn="192.168.33.0/24 192.168.33.3"
>export route_vpn
>ipsec_enable="YES"
>ipsec_file="/etc/ipsec.conf"
>racoon_enable="YES"
>
>
>/etc/ipsec.conf
>flush;
>spdflush;
>spdadd 192.168.30.0/24 192.168.33.0/24 any -P out ipsec esp/tunnel/10.151.194.14-10.148.111.12/require;
>spdadd 192.168.33.0/24 192.168.30.0/24 any -P in ipsec esp/tunnel/10.148.111.12-10.151.194.14/require;
>
>
>/etc/ipfw.rules
>lan_if="rl1"
>lan_ip="192.168.30.13"
>lan_net="192.168.30.0/24"
>wan_if="vr0"
>wan_ip="10.151.194.14"
>od=10.151.194.14
>sd=10.148.111.12
>
>${fwcmd} add 100 divert natd all from any to any via ${wan_ip}
>
>
>${fwcmd} add 1 allow udp from ${od} to ${sd} isakmp
>${fwcmd} add 1 allow udp from ${sd} to ${od} isakmp
>${fwcmd} add 1 allow esp from ${od} to ${sd}
>${fwcmd} add 1 allow esp from ${sd} to ${od}
>${fwcmd} add 1 allow ipencap from ${od} to ${sd}
>${fwcmd} add 1 allow ipencap from ${sd} to ${od}
>
>
>setkey -D
>10.151.194.14 10.148.111.12
>esp mode=tunnel spi=171670616(0x0a3b7c58) reqid=0(0x00000000)
>E: 3des-cbc ac0ecde7 420d7f19 30ba258f 46a9b978 2b5787d3 24702e0f
>A: hmac-sha1 91fdf821 0a57e44d 613fca7a 93f61080 229c2554
>seq=0x0000029b replay=4 flags=0x00000000 state=mature
>created: Jul 24 18:06:50 2006 current: Jul 24 22:30:01 2006
>diff: 15791(s) hard: 28800(s) soft: 23040(s)
>last: Jul 24 22:28:55 2006 hard: 0(s) soft: 0(s)
>current: 91528(bytes) hard: 0(bytes) soft: 0(bytes)
>allocated: 667 hard: 0 soft: 0
>sadb_seq=1 pid=1051 refcnt=2
>10.148.111.12 10.151.194.14
>esp mode=tunnel spi=32119505(0x01ea1ad1) reqid=0(0x00000000)
>E: 3des-cbc 168753a0 e02101f7 610d4ce8 390570db a74d01de 827a8004
>A: hmac-sha1 4edb9281 d1776ee0 a11129b5 5b7c02f0 cfa56b21
>seq=0x000002c7 replay=4 flags=0x00000000 state=mature
>created: Jul 24 18:06:50 2006 current: Jul 24 22:30:01 2006
>diff: 15791(s) hard: 28800(s) soft: 23040(s)
>last: Jul 24 22:28:55 2006 hard: 0(s) soft: 0(s)
>current: 86960(bytes) hard: 0(bytes) soft: 0(bytes)
>allocated: 711 hard: 0 soft: 0
>sadb_seq=0 pid=1051 refcnt=1
>
>
>
>настройки склада
>10.148.111.12 внешний ip
>255.255.255.0
>10.148.111.253 шлюз по умолчанию
>192.168.33.3 внутренний ip
>255.255.255.0
>
>
>/etc/rc.conf
>firewall_enable="YES"
>firewall_script="/etc/ipfw.rules"
>natd_enable="YES"
>natd_interface="rl1"
>natd_flags="-f /etc/natd.conf"
>
>
>gif_interfaces="gif0"
>gifconfig_gif0="10.148.111.12 10.151.194.14"
>ifconfig_gif0="inet 192.168.33.3 192.168.30.13 netmask 255.255.255.0"
>static_routes="vpn"
>route_vpn="192.168.30.0/24 192.168.30.13"
>export route_vpn
>ipsec_enable="YES"
>ipsec_file="/etc/ipsec.conf"
>racoon_enable="YES"
>
>/etc/ipsec.conf
>flush;
>spdflush;
>spdadd 192.168.33.0/24 192.168.30.0/24 any -P out ipsec esp/tunnel/10.148.111.12-10.151.194.14/require;
>spdadd 192.168.30.0/24 192.168.33.0/24 any -P in ipsec esp/tunnel/10.151.194.14-10.148.111.12/require;
>
>/etc/ipfw.rules
>lan_if="rl0"
>lan_ip="192.168.33.3"
>lan_net="192.168.33.0/24"
>wan_if="rl1"
>wan_ip="10.148.111.12"
>od=10.151.194.14
>sd=10.148.111.12
>
>
>${fwcmd} add 100 divert natd all from any to any via ${wan_ip}
>
>
>ipfw add 1 allow udp from ${sd} to ${od} isakmp
>ipfw add 1 allow udp from ${od} to ${sd} isakmp
>ipfw add 1 allow esp from ${sd} to ${od}
>ipfw add 1 allow esp from ${od} to ${sd}
>ipfw add 1 allow ipencap from ${sd} to ${od}
>ipfw add 1 allow ipencap from ${od} to ${sd}
>
>
>
>setkey -D
>10.148.111.12 10.151.194.14
>esp mode=tunnel spi=32119505(0x01ea1ad1) reqid=0(0x00000000)
>E: 3des-cbc 168753a0 e02101f7 610d4ce8 390570db a74d01de 827a8004
>A: hmac-sha1 4edb9281 d1776ee0 a11129b5 5b7c02f0 cfa56b21
>seq=0x000002ec replay=4 flags=0x00000000 state=mature
>created: Jul 24 18:06:50 2006 current: Jul 24 22:30:35 2006
>diff: 15825(s) hard: 28800(s) soft: 23040(s)
>last: Jul 24 22:30:35 2006 hard: 0(s) soft: 0(s)
>current: 132176(bytes) hard: 0(bytes) soft: 0(bytes)
>allocated: 748 hard: 0 soft: 0
>sadb_seq=1 pid=1088 refcnt=2
>10.151.194.14 10.148.111.12
>esp mode=tunnel spi=171670616(0x0a3b7c58) reqid=0(0x00000000)
>E: 3des-cbc ac0ecde7 420d7f19 30ba258f 46a9b978 2b5787d3 24702e0f
>A: hmac-sha1 91fdf821 0a57e44d 613fca7a 93f61080 229c2554
>seq=0x000002c5 replay=4 flags=0x00000000 state=mature
>created: Jul 24 18:06:50 2006 current: Jul 24 22:30:35 2006
>diff: 15825(s) hard: 28800(s) soft: 23040(s)
>last: Jul 24 22:30:35 2006 hard: 0(s) soft: 0(s)
>current: 61550(bytes) hard: 0(bytes) soft: 0(bytes)
>allocated: 709 hard: 0 soft: 0
>sadb_seq=0 pid=1088 refcnt=1
- проблема с Freebsd 5.4 и IPSec, l2amid, 11:03 , 25-Июл-06 (2)
офис
fwcmd="/sbin/ipfw"
${fwcmd} -f flushlan_if="rl1"
lan_ip="192.168.30.13"
lan_net="192.168.30.0/24"
wan_if="vr0"
wan_ip="10.151.194.14" od=10.151.194.14
sd=10.148.111.12 udp_ports="53, 123"
out_tcp="20, 21, 22, 80, 443"
ftp_p="49152-65535"
${fwcmd} add 100 divert natd all from any to any via ${wan_ip}
${fwcmd} add 1 allow ip from any to any via gif0
${fwcmd} add 1 allow udp from ${od} to ${sd} isakmp
${fwcmd} add 1 allow udp from ${sd} to ${od} isakmp
${fwcmd} add 1 allow esp from ${od} to ${sd}
${fwcmd} add 1 allow esp from ${sd} to ${od}
${fwcmd} add 1 allow ipencap from ${od} to ${sd}
${fwcmd} add 1 allow ipencap from ${sd} to ${od} ${fwcmd} add 200 check-state ${fwcmd} add 300 pass icmp from any to any icmptype 0, 3, 8, 11
${fwcmd} add 301 pass udp from ${wan_ip} to any 33434-33525 keep-state
${fwcmd} add 302 pass udp from ${wan_ip} to any ${udp_port} keep-state
${fwcmd} add 303 pass tcp from ${wan_ip} to any ${out_tcp} keep-state
${fwcmd} add 304 pass tcp from ${wan_ip} ${ftp_p} to any setup keep-state
склад
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
lan_if="rl0"
lan_ip="192.168.33.3"
lan_net="192.168.33.0/24"
wan_if="rl1"
wan_ip="10.148.111.12" od=10.151.194.14
sd=10.148.111.12 udp_ports="53, 123"
in_tcp="22, 3389"
out_tcp="20, 21, 22, 80, 443, 3389"
ftp_p="49152-65535" ${fwcmd} add 100 divert natd all from any to any via ${wan_ip} ipfw add 1 allow ip from any to any via gif0
ipfw add 1 allow udp from ${sd} to ${od} isakmp
ipfw add 1 allow udp from ${od} to ${sd} isakmp
ipfw add 1 allow esp from ${sd} to ${od}
ipfw add 1 allow esp from ${od} to ${sd}
ipfw add 1 allow ipencap from ${sd} to ${od}
ipfw add 1 allow ipencap from ${od} to ${sd} ${fwcmd} add 200 check-state ${fwcmd} add 300 pass icmp from any to any icmptype 0, 3, 8, 11
${fwcmd} add 301 pass udp from ${wan_ip} to any 33434-33525 keep-state
${fwcmd} add 302 pass udp from ${wan_ip} to any ${udp_port} keep-state
${fwcmd} add 303 pass tcp from ${wan_ip} to any ${out_tcp} keep-state
${fwcmd} add 304 pass tcp from ${wan_ip} ${ftp_p} to any setup keep-state
- проблема с Freebsd 5.4 и IPSec, l2amid, 11:09 , 25-Июл-06 (3)
Извени попутал
офис
00001 allow ip from any to any via gif0
00001 allow udp from 10.151.194.14 to 10.148.111.12 dst-port 500
00001 allow udp from 10.148.111.12 to 10.151.194.14 dst-port 500
00001 allow esp from 10.151.194.14 to 10.148.111.12
00001 allow esp from 10.148.111.12 to 10.151.194.14
00001 allow ipencap from 10.151.194.14 to 10.148.111.12
00001 allow ipencap from 10.148.111.12 to 10.151.194.14
00100 divert 8668 ip from any to any via 10.151.194.14
00200 check-state
00300 allow icmp from any to any icmptypes 0,3,8,11
00301 allow udp from 10.151.194.14 to any dst-port 33434-33525 keep-state
00302 allow udp from 10.151.194.14 to any keep-state
00303 allow tcp from 10.151.194.14 to any dst-port 20,21,22,80,443 keep-state
00304 allow tcp from 10.151.194.14 49152-65535 to any setup keep-state
00600 allow ip from 192.168.30.0/24 to 192.168.30.13 keep-state
00601 allow ip from 192.168.30.13 to 192.168.30.0/24 keep-state
65535 deny ip from any to anyсклад
00001 allow ip from any to any via gif0
00001 allow udp from 10.148.111.12 to 10.151.194.14 dst-port 500
00001 allow udp from 10.151.194.14 to 10.148.111.12 dst-port 500
00001 allow esp from 10.148.111.12 to 10.151.194.14
00001 allow esp from 10.151.194.14 to 10.148.111.12
00001 allow ipencap from 10.148.111.12 to 10.151.194.14
00001 allow ipencap from 10.151.194.14 to 10.148.111.12
00100 divert 8668 ip from any to any via 10.148.111.12
00200 check-state
00300 allow icmp from any to any icmptypes 0,3,8,11
00301 allow udp from 10.148.111.12 to any dst-port 33434-33525 keep-state
00302 allow udp from 10.148.111.12 to any keep-state
00303 allow tcp from 10.148.111.12 to any dst-port 20,21,22,80,443,3389 keep-state
00304 allow tcp from 10.148.111.12 49152-65535 to any setup keep-state
00305 allow tcp from any to 10.148.111.12 dst-port 3389 keep-state
00600 allow ip from 192.168.33.0/24 to 192.168.33.3 keep-state
00601 allow ip from 192.168.33.3 to 192.168.33.0/24 keep-state
65535 deny ip from any to any - проблема с Freebsd 5.4 и IPSec, Z_M, 11:19 , 25-Июл-06 (4)
самый простой способ прописать на обоих рутерах
${fwcmd} add xxx pass tcp from any to any
но правило надо сужать до конкретных айпишников,
остается открытым вопрос кто должен инициализировать тисипи сессию, или нужно в обе стороны открывать.
я бы вместо 303 и 304 правил написал${fwcmd} add 303 allow tcp from $wan_ip to any $out_tcp
${fwcmd} add 303 allow tcp from any $out_tcp to $wan_ip ${fwcmd} add 304 allow tcp from any to ${wan_ip} ${ftp_p}
${fwcmd} add 304 allow tcp from ${wan_ip} ${ftp_p} to any и в офисе соответственно также, а вообще имхо лучше определиться кто куда конкретно будет ходить и от этого плясать, и вместо всех anyпрописать конкретно сети/ip можно продолжить эту тему :) >офис
>fwcmd="/sbin/ipfw"
>${fwcmd} -f flush
>
>lan_if="rl1"
>lan_ip="192.168.30.13"
>lan_net="192.168.30.0/24"
>wan_if="vr0"
>wan_ip="10.151.194.14"
>
>od=10.151.194.14
>sd=10.148.111.12
>
>udp_ports="53, 123"
>out_tcp="20, 21, 22, 80, 443"
>ftp_p="49152-65535"
>
>
>${fwcmd} add 100 divert natd all from any to any via ${wan_ip}
>
>
>${fwcmd} add 1 allow ip from any to any via gif0
>${fwcmd} add 1 allow udp from ${od} to ${sd} isakmp
>${fwcmd} add 1 allow udp from ${sd} to ${od} isakmp
>${fwcmd} add 1 allow esp from ${od} to ${sd}
>${fwcmd} add 1 allow esp from ${sd} to ${od}
>${fwcmd} add 1 allow ipencap from ${od} to ${sd}
>${fwcmd} add 1 allow ipencap from ${sd} to ${od}
>
>${fwcmd} add 200 check-state
>
>${fwcmd} add 300 pass icmp from any to any icmptype 0, 3,
>8, 11
>${fwcmd} add 301 pass udp from ${wan_ip} to any 33434-33525 keep-state
>${fwcmd} add 302 pass udp from ${wan_ip} to any ${udp_port} keep-state
>${fwcmd} add 303 pass tcp from ${wan_ip} to any ${out_tcp} keep-state
>${fwcmd} add 304 pass tcp from ${wan_ip} ${ftp_p} to any setup keep-state
>
>
>
>склад
>fwcmd="/sbin/ipfw"
>${fwcmd} -f flush
>
>lan_if="rl0"
>lan_ip="192.168.33.3"
>lan_net="192.168.33.0/24"
>wan_if="rl1"
>wan_ip="10.148.111.12"
>
>od=10.151.194.14
>sd=10.148.111.12
>
>udp_ports="53, 123"
>in_tcp="22, 3389"
>out_tcp="20, 21, 22, 80, 443, 3389"
>ftp_p="49152-65535"
>
>${fwcmd} add 100 divert natd all from any to any via ${wan_ip}
>
>
>ipfw add 1 allow ip from any to any via gif0
>ipfw add 1 allow udp from ${sd} to ${od} isakmp
>ipfw add 1 allow udp from ${od} to ${sd} isakmp
>ipfw add 1 allow esp from ${sd} to ${od}
>ipfw add 1 allow esp from ${od} to ${sd}
>ipfw add 1 allow ipencap from ${sd} to ${od}
>ipfw add 1 allow ipencap from ${od} to ${sd}
>
>${fwcmd} add 200 check-state
>
>${fwcmd} add 300 pass icmp from any to any icmptype 0, 3,
>8, 11
>${fwcmd} add 301 pass udp from ${wan_ip} to any 33434-33525 keep-state
>${fwcmd} add 302 pass udp from ${wan_ip} to any ${udp_port} keep-state
>${fwcmd} add 303 pass tcp from ${wan_ip} to any ${out_tcp} keep-state
>${fwcmd} add 304 pass tcp from ${wan_ip} ${ftp_p} to any setup keep-state
>
- проблема с Freebsd 5.4 и IPSec, l2amid, 12:14 , 25-Июл-06 (5)
в офисе
${fwcmd} add 602 pass ip from 192.168.30.0/24 to 192.168.33.0/24
${fwcmd} add 603 pass ip from 192.168.33.0/24 to 192.168.30.0/24на складе
${fwcmd} add 602 pass ip from 192.168.33.0/24 to 192.168.30.0/24
${fwcmd} add 603 pass ip from 192.168.30.0/24 to 192.168.33.0/24 и все пучком
|
Версия для распечатки
проблема с Freebsd 5.4 и IPSec, 
