Line 203: |
Line 203: |
| HUB-HUB_c{3}: 0.0.0.0/0 === 10.20.30.1/32 | | HUB-HUB_c{3}: 0.0.0.0/0 === 10.20.30.1/32 |
| </pre> | | </pre> |
| + | |
| + | <pre> /tmp/ipsec/ipsec.conf </pre> command output: |
| + | <pre> |
| + | root@Teltonika-RUTX12:~# cat /tmp/ipsec/ipsec.conf |
| + | # generated by /etc/init.d/ipsec |
| + | version 2 |
| + | |
| + | conn HUB-HUB_c |
| + | left=%any |
| + | right=%any |
| + | leftfirewall=yes |
| + | rightfirewall=no |
| + | ikelifetime=3h |
| + | lifetime=1h |
| + | margintime=9m |
| + | keyingtries=3 |
| + | dpdaction=none |
| + | dpddelay=30s |
| + | dpdtimeout=90s |
| + | leftauth=psk |
| + | rightauth=psk |
| + | rightsourceip=10.20.30.0/24 |
| + | auto=start |
| + | leftsubnet=0.0.0.0/0 |
| + | rightdns=9.9.9.9 |
| + | aggressive=no |
| + | forceencaps=no |
| + | type=tunnel |
| + | keyexchange=ikev2 |
| + | esp=aes128-sha256-ecp521! |
| + | ike=aes256-sha512-ecp521! |
| + | </pre> |
| + | |
| + | ===RUT2 (SPOKE) side=== |
| + | ---- |
| + | |
| + | <pre> |
| + | root@Teltonika-RUT955:~# ipsec statusall |
| + | Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.229, mips): |
| + | uptime: 23 hours, since Mar 20 12:21:06 2023 |
| + | worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9 |
| + | loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic |
| + | Listening IP addresses: |
| + | 192.168.86.197 |
| + | 192.168.9.1 |
| + | fd35:98cd:61f0::1 |
| + | Connections: |
| + | passth_SPOKE_ph2_1_lan: %any...%any IKEv1/2 |
| + | passth_SPOKE_ph2_1_lan: local: uses public key authentication |
| + | passth_SPOKE_ph2_1_lan: remote: uses public key authentication |
| + | passth_SPOKE_ph2_1_lan: child: 192.168.9.0/24 === 192.168.9.0/24 PASS |
| + | SPOKE-SPOKE_c: %any...84.15.162.30 IKEv2 |
| + | SPOKE-SPOKE_c: local: uses pre-shared key authentication |
| + | SPOKE-SPOKE_c: remote: [84.15.162.30] uses pre-shared key authentication |
| + | SPOKE-SPOKE_c: child: dynamic === 0.0.0.0/0 TUNNEL |
| + | Shunted Connections: |
| + | passth_SPOKE_ph2_1_lan: 192.168.9.0/24 === 192.168.9.0/24 PASS |
| + | Security Associations (1 up, 0 connecting): |
| + | SPOKE-SPOKE_c[431]: ESTABLISHED 77 minutes ago, 192.168.86.197[192.168.86.197]...84.15.162.30[84.15.162.30] |
| + | SPOKE-SPOKE_c[431]: IKEv2 SPIs: ded11f31c20352dc_i* 58ebc8d96264c21e_r, pre-shared key reauthentication in 77 minutes |
| + | SPOKE-SPOKE_c[431]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521 |
| + | SPOKE-SPOKE_c{14}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7382615_i c27cb140_o |
| + | SPOKE-SPOKE_c{14}: AES_CBC_128/HMAC_SHA2_256_128/ECP_521, 136768 bytes_i (536 pkts, 6s ago), 235975 bytes_o (2169 pkts, 1s ago), rekeying in 13 minutes |
| + | SPOKE-SPOKE_c{14}: 10.20.30.1/32 === 0.0.0.0/0 |
| + | </pre> |
| + | |
| + | |
| + | <pre> |
| + | root@Teltonika-RUT955:~# cat /tmp/ipsec/ipsec.conf |
| + | # generated by /etc/init.d/ipsec |
| + | version 2 |
| + | |
| + | conn passth_SPOKE_ph2_1_lan |
| + | type=passthrough |
| + | leftsubnet=192.168.9.1/24 |
| + | rightsubnet=192.168.9.1/24 |
| + | auto=route |
| + | |
| + | conn SPOKE-SPOKE_c |
| + | left=%any |
| + | right=84.15.162.30 |
| + | leftsourceip=%config |
| + | leftfirewall=yes |
| + | rightfirewall=no |
| + | ikelifetime=3h |
| + | lifetime=1h |
| + | margintime=9m |
| + | keyingtries=3 |
| + | dpdaction=none |
| + | dpddelay=30s |
| + | dpdtimeout=90s |
| + | leftauth=psk |
| + | rightauth=psk |
| + | rightsubnet=0.0.0.0/0 |
| + | auto=start |
| + | aggressive=no |
| + | forceencaps=no |
| + | type=tunnel |
| + | keyexchange=ikev2 |
| + | esp=aes128-sha256-ecp521! |
| + | ike=aes256-sha512-ecp521! |
| + | </pre> |
| + | |
| | | |
| == See also == | | == See also == |
| | | |
| == External links == | | == External links == |