On Tuesday 12 August 2003 10:50, Balu Stefan wrote:
Hi,
First of all, which version of ipsec are you using? (1 or 2)
Default keys are usually put in place at install time. Try regenerating them:
ipsec newhostkey --bits 1024 > /etc/ipsec.secrets
You use the same file on both gateways (left and right stay the same); it figures out by itself how to assign them.
Here's an example:
conn defender-depozit
    # Left security gateway, subnet behind it, next hop toward right.
    left=10.x.y.2
    leftsubnet=192.168.1.0/24
    leftnexthop=10.x.y.1
    # Right security gateway, subnet behind it, next hop toward left.
    right=10.w.z.2
    rightsubnet=192.168.2.0/24
    rightnexthop=10.w.z.1
    # To authorize this connection, but not actually start it, at startup,
    # uncomment this.
    keyingtries=0
    auth=ah
    authby=rsasig
    leftrsasigkey=...
    rightrsasigkey=...
    auto=start
> I have 2 gateways with the Internet IPs 1.2.3.4 and 5.6.7.8
> These 2 gateways each have a subnet, 10.0.1.0/24 and 10.0.2.0/24
> between them is the Internet, and they have a gateway of ISP1 and ISP2
> as their default route
>
> all is well, both are Gentoo Linux, with kernel 2.4.20 with ipsec
> support, and with freeswan installed.
>
> in /etc/ipsec/ipsec.conf we have:
>
> config setup
>     # THIS SETTING MUST BE CORRECT or almost nothing will work;
>     # %defaultroute is okay for most simple cases.
>     interfaces=%defaultroute
>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>     klipsdebug=none
>     plutodebug=none
>     # Use auto= parameters in conn descriptions to control startup actions.
>     plutoload=%search
>     plutostart=%search
>     # Close down old connection when new one using same ID shows up.
>     uniqueids=yes
>
>
> conn epower-mail
>     # Left security gateway, subnet behind it, next hop toward right.
>     left=192.168.0.1
>     leftsubnet=10.0.0.0/24
>     leftnexthop=%defaultroute
>     [EMAIL PROTECTED]
>     leftrsasigkey=0sAQN5KYwI4w.... (I took the liberty of removing the id)
>     # Right security gateway, subnet behind it, next hop toward left.
>     right=192.168.0.2
>     rightsubnet=10.0.1.0/24
>     rightnexthop=%defaultroute
>     [EMAIL PROTECTED]
>     rightrsasigkey=0sAQPN2eLf9jli/m+h...(I took the liberty of removing the id)
>     auto=add
>
> I generated the keys with ipsec showhostkey --left for left
> and ipsec showhostkey --right for right
> ...so...on both of them I run:
>
> #ipsec setup start
> #ipsec auto --up epower-mail
>
> and in theory I should see an SA established, or anything...
> but it tells me: retransmission; will wait 20s for response
>
> on the console, it also says no preshared key found for @epower.abc.com and
> @mail.efg.com ...
>
> wtf am I doing wrong?!
---
Details about our mailing lists: http://www.lug.ro/
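
Added example, not part of either message in this thread: a check that a conn carrying leftrsasigkey/rightrsasigkey also sets authby=rsasig, as the conn in the reply does and the quoted epower-mail conn does not. The sample config is constructed with placeholder keys, the function names are made up here, and treating the missing authby line as the reason for the "no preshared key found" message is an assumption the thread does not confirm.

```python
RSA_KEYS = ("leftrsasigkey", "rightrsasigkey")

# Added example: constructed sample modelled on this thread's conns; keys are placeholders.
SAMPLE = """\
conn epower-mail
    left=192.168.0.1
    leftrsasigkey=0sPLACEHOLDERLEFT
    right=192.168.0.2
    rightrsasigkey=0sPLACEHOLDERRIGHT

conn defender-depozit
    left=10.0.0.2
    right=10.0.1.2
    authby=rsasig
    leftrsasigkey=0sPLACEHOLDERLEFT
    rightrsasigkey=0sPLACEHOLDERRIGHT
"""

def parse_conns(text):
    """Return {conn_name: {param: value}}; other sections (config setup) are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # simplification: '#' always starts a comment
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header starts at column 0
            words = line.split()
            is_conn = len(words) == 2 and words[0] == "conn"
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:  # indented key=value inside a conn
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def audit(text):
    """Return [(conn, issue)] where RSA key settings and authby disagree (assumed check)."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})           # conn %default supplies fallback values
    findings = []
    for name, params in conns.items():
        eff = {**defaults, **params}
        missing = [k for k in RSA_KEYS if k not in eff]
        if len(missing) < len(RSA_KEYS) and eff.get("authby") != "rsasig":
            findings.append((name, "rsasigkey set without authby=rsasig"))
        elif eff.get("authby") == "rsasig" and missing:
            findings.append((name, "authby=rsasig but missing " + ",".join(missing)))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against the conn sections from both gateways; the same findings should come back on each side, since the thread says the conn description is identical on both.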