Has anyone set up a VPN with IPSec on OpenBSD?

uv negativa uv.negativa at gmail.com
Mon Jul 31 10:06:34 CLT 2006


Hello everyone. I have the following little problem: I tried to set up a
VPN. The server is OpenBSD 3.9 amd64, and the configuration files are the
ones below, which I copied from allard.nu.

The server has a public IP and a private one, 192.168.1.3, and I want a
Windows client to connect to me. When I run the script on Windows it works,
but when I ping an internal IP within 192.168.1.0 / 255.255.255.0 I get no
reply, e.g. ping from Windows to 192.168.1.1.
I think I have an error in the pf configuration, but I don't know which one?

pf.conf


ext_if="sis0"
int_if="sis3"
ext_ip="200.XX.XX.XX"


servicios_tcp = "{ ssh, smtp, domain, pop3, https, www, 2095, 2082, 5011, 5001, 2084, 8083, 8880, 7978 }"
servicios_udp = "domain"

set loginterface $ext_if
set block-policy drop


scrub in on ALL from any to any




pass in on $ext_if proto udp from any port = 500 to $ext_ip port = 500 keep state
pass in on $ext_if proto esp from any to $ext_ip keep state

pass proto tcp from any to any port $servicios_tcp keep state
pass proto udp from any to any port $servicios_udp keep state

pass from any to 200.31.195.157 keep state


isakmpd.conf

#
# PGPnet - OpenBSD isakmpd configuration file.
#
# This is a configuration file that will get a PGPnet (a part of PGP
# version 6.5 and later) and OpenBSD to interoperate.
#
# This file works with OpenBSD 3.2 and later. In earlier versions of
# OpenBSD you need to add a lifetime description as well.
#
# The only thing that needs editing is the pre shared secret
# 'mekmitasdigoat'. The setting allows everyone who knows the correct
# pre shared secret to connect.
#
# Please mail me if you have any comments or bug-reports.
#
# Johan Allard < johan at allard.nu>
#

# ----------------
# Defaults section
# ----------------

[General]
Default-phase-1-lifetime=       3600,60:86400
Default-phase-2-lifetime=       3600,60:86400

# -----------
# Connections
# -----------

[Phase 1]
Default=                                ISAKMP-clients

[Phase 2]
Passive-Connections=    IPsec-clients

# ---------------------
# Phase 1 peer sections
# ---------------------

[ISAKMP-clients]
Phase=                          1
Transport=                      udp
Configuration=          PGP-main-mode
Authentication=         hello-world

# ----------------
# Phase 2 sections
# ----------------

[IPsec-clients]
Phase=                  2
Configuration=      PGP-quick-mode
Local-ID=               default-route
Remote-ID=              dummy-remote

# ------------------
# Client ID sections
# ------------------

[default-route]
ID-type=        IPV4_ADDR_SUBNET
Network=        0.0.0.0
Netmask=         0.0.0.0

[dummy-remote]
ID-type=        IPV4_ADDR
Address=        0.0.0.0

# ----------------------
# Transform descriptions
# ----------------------
#  Some predefined section names are recognized by the daemon, voiding the
#  need to fully specify the Main Mode transforms and Quick Mode suites,
#  protocols and transforms.
#
# For Main Mode:
#   {DES,BLF,3DES,CAST}-{MD5,SHA}[-GRP{1,2,5}][-{DSS,RSA_SIG}]
#
# For Quick Mode:
#
#   QM-{ESP,AH}[-TRP]-{DES,3DES,CAST,BLF,AES}[-{MD5,SHA,RIPEMD}][-PFS[-{GRP{1,2,5}}]]-SUITE

# -------------------------------------------------------------------------
# PGPnet note:
#
# The Transform values are the default values in PGPnet; if you change them
# you might have to change them in all your clients as well.
# -------------------------------------------------------------------------

[PGP-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=             3DES-SHA-GRP2

[PGP-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE

# -----------
# End of file
# -----------

isakmpd.policy

Comment: This policy accepts ESP SAs from a remote that uses the right password.
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg != "null" -> "true";


Windows config


ipseccmd.exe -f 0=* -n ESP[3DES,SHA] -t ipPublicaServidor -a PRESHARE:"hello-world" -1s 3DES-SHA-2
ipseccmd.exe -f *=0 -n ESP[3DES,SHA] -t ipPublicaClientewindows -a PRESHARE:"hello-world" -1s 3DES-SHA-2
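The isakmpd.conf above is a chain of section references (Phase 1 -> peer section -> main-mode section, Phase 2 -> connection -> quick-mode and ID sections), so it is easy to lose track of what the daemon will actually negotiate. The following Python script is an added example, not code from the post or from allard.nu: it parses the INI-like isakmpd.conf format, follows those references, and reports the Phase 1 transform, the Phase 2 suite, the local/remote selectors and a few review findings (any-peer Phase 1 entry, a short pre-shared key, wildcard 0.0.0.0 selectors). The embedded config is an abridged copy of the one posted; the `MIN_PSK_LEN` threshold and the finding names are assumptions of this example, not isakmpd settings.

```python
"""Summarize an OpenBSD isakmpd.conf for review.  Added example, not from the
original post; the sample config is an abridged copy of the posted file."""
from typing import Dict, List

# Constructed sample: abridged copy of the isakmpd.conf in the post above.
SAMPLE_CONF = """\
[Phase 1]
Default=                                ISAKMP-clients
[Phase 2]
Passive-Connections=    IPsec-clients
[ISAKMP-clients]
Phase=                          1
Transport=                      udp
Configuration=          PGP-main-mode
Authentication=         hello-world
[IPsec-clients]
Phase=                  2
Configuration=      PGP-quick-mode
Local-ID=               default-route
Remote-ID=              dummy-remote
[default-route]
ID-type=        IPV4_ADDR_SUBNET
Network=        0.0.0.0
Netmask=         0.0.0.0
[dummy-remote]
ID-type=        IPV4_ADDR
Address=        0.0.0.0
[PGP-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=             3DES-SHA-GRP2
[PGP-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE
"""

MIN_PSK_LEN = 20  # assumption: review threshold for pre-shared key length


def parse_isakmpd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse '[Section]' headers and 'Key= value' lines; '#' lines are comments.
    Keys are lower-cased here for convenient lookup (our normalization)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def selector(sections: Dict[str, Dict[str, str]], name: str) -> str:
    """Render an ID section as 'network/netmask' or a single address."""
    sec = sections[name]
    kind = sec.get("id-type", "")
    if kind == "IPV4_ADDR_SUBNET":
        return f"{sec['network']}/{sec['netmask']}"
    if kind == "IPV4_ADDR":
        return sec["address"]
    raise ValueError(f"unsupported ID-type {kind!r} in [{name}]")


def summarize(text: str) -> dict:
    """Follow the section references and collect parameters plus findings."""
    s = parse_isakmpd_conf(text)
    findings: List[str] = []
    phase1 = []
    for match, peer_name in s["Phase 1"].items():
        peer = s[peer_name]
        cfg = s[peer["configuration"]]
        psk = peer.get("authentication")  # literal value => pre-shared key
        phase1.append({"matches": "any peer" if match == "default" else match,
                       "transforms": cfg.get("transforms", ""),
                       "psk_len": len(psk) if psk else 0})
        if match == "default":
            findings.append("phase1-any-peer")
        if psk is not None and len(psk) < MIN_PSK_LEN:
            findings.append("short-psk")
    connections = []
    for group in ("passive-connections", "connections"):
        names = s["Phase 2"].get(group, "")
        for conn_name in [n.strip() for n in names.split(",") if n.strip()]:
            conn = s[conn_name]
            cfg = s[conn["configuration"]]
            local, remote = selector(s, conn["local-id"]), selector(s, conn["remote-id"])
            connections.append({"name": conn_name, "suites": cfg.get("suites", ""),
                                "local": local, "remote": remote})
            if local.endswith("/0.0.0.0"):
                findings.append("local-selector-is-everything")
            if remote == "0.0.0.0":
                findings.append("remote-selector-is-any")
    return {"phase1": phase1, "connections": connections, "findings": findings}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Run against the posted file, the summary shows one Phase 1 entry that matches any peer authenticated by an 11-character pre-shared key, a 3DES-SHA-GRP2 main mode, a QM-ESP-3DES-SHA-SUITE quick mode, and a local selector of 0.0.0.0/0.0.0.0 paired with a remote ID of 0.0.0.0; the last two findings are exactly the "everyone who knows the secret" behaviour the file's own header describes.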