Всем привет!
Пожалуйста, помогите разобраться с racoon-ом, вернее с настройкой маршрутизации сеть-сеть...
Racoon поднят на Debian 8, к нему должны подключаться айфоны/айподы (с разных ip-адресов), и получать доступ в локалку. На данный момент туннель строится, но я не могу разобраться как настроить маршрутизацию сеть-сеть. Ifconfig:
eth0 Link encap:Ethernet HWaddr 8a:85:f0:63:35:7a
inet addr:192.168.1.27 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5862267372 errors:0 dropped:1864661 overruns:0 frame:0
TX packets:9753166765 errors:0 dropped:1 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1207956402035 (1.0 TiB) TX bytes:4706909668675 (4.2 TiB)
eth1 Link encap:Ethernet HWaddr 2e:59:58:7f:ac:4a
inet addr:X.X.X.X Bcast:X.X.X.X Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3894842503 errors:0 dropped:9197 overruns:0 frame:0
TX packets:2744930295 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4055692420475 (3.6 TiB) TX bytes:1017668824807 (947.7 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:78554 errors:0 dropped:0 overruns:0 frame:0
TX packets:78554 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14041767 (13.3 MiB) TX bytes:14041767 (13.3 MiB)
# racoon.conf — IKEv1/ISAKMP daemon configuration for a remote-access ("road warrior") setup:
# iOS devices connecting from changing public addresses, authenticated by PSK + XAuth.
# set syslog level and pre-shared key file
log notify;
# psk.txt holds the pre-shared secret used by xauth_psk_server below. Keep it root-owned and
# mode 0600. NOTE(review): a single PSK is a group secret shared by every client device;
# anyone who extracts it from one device can complete phase 1 — XAuth is the only per-user check.
path pre_shared_key "/etc/racoon/psk.txt";
listen {
adminsock disabled; #do not listen on the admin socket (racoonctl cannot be used)
isakmp X.X.X.X [500]; #address for ISAKMP — the public eth1 address, redacted in the post
isakmp_natt X.X.X.X [4500]; #address for ISAKMP NAT-Traversal (UDP/4500 must be allowed by the firewall as well as UDP/500)
strict_address; #strictly bind these addresses; racoon fails to start if it cannot bind one of them
}
# One catch-all peer definition: "anonymous" matches a client from any source address
# (the clients connect from different IPs). Each client must present a PSK from psk.txt
# and then an XAuth login checked as configured in mode_cfg below.
remote anonymous { #anonymous matches ANY ipsec client
exchange_mode main; #ISAKMP phase 1 exchange mode
ph1id 16; #phase 1 proposal identifier; must equal remoteid in the sainfo section
proposal_check claim; #claim our own lifetime value when the client proposes a longer one
lifetime time 12 hour;#phase 1 lifetime
mode_cfg on; #gather network information through ISAKMP (hand out the pool from mode_cfg below)
# NOTE(review): with generate_policy on, the SPD entries for a client are built from the
# selectors the client proposes in phase 2. Combined with the unrestricted "sainfo anonymous"
# below, an authenticated client decides which traffic this gateway tunnels. Acceptable for
# trusted devices, but worth knowing when reviewing the SPD.
generate_policy on; #generate ipsec policy from initiator SA payload
nat_traversal on; #enable use of NAT-Traversal extension
# NOTE(review): 3600 s means a client that disappears silently is noticed only after up to an
# hour; until then its SAs (and presumably its pool address, pool_size is 50) stay allocated.
dpd_delay 3600; #enable dead peer detection and set time at 3600 secs
proposal { #phase 1 proposal
encryption_algorithm aes; #phase 1 encryption algorithm
# NOTE(review): sha1 and modp1024 (dh_group 2) are below current recommendations; sha256 and
# dh_group 14 are preferable if the iOS clients in use accept them — verify against the
# clients before changing, since the tunnel currently establishes with these values.
hash_algorithm sha1; #phase 1 hash algorithm
authentication_method xauth_psk_server; #use xauth pre-shared key method (PSK for the device, XAuth login for the user)
dh_group 2; #use diffie-hellman group 2 (modp1024)
}
}
# specific mode configuration: what racoon hands to the client once XAuth succeeds
mode_cfg {
# NOTE(review): "system" checks the XAuth login against the local Unix accounts, so every
# account on this host that has a password can log in to the VPN, and racoon needs to read
# /etc/shadow for it. Prefer dedicated VPN-only accounts with no login shell.
auth_source system; #user auth source (system=Unix user)
conf_source local; #user local pool information below
# Pool = pool_size addresses starting at network4: 192.168.28.2 … 192.168.28.51, mask /24.
network4 192.168.28.2; #base/first address in VPN pool
netmask4 255.255.255.0; #VPN pool network mask
pool_size 50; #VPN pool size
# NOTE(review): 192.168.254.221 is not on the eth0 subnet shown (192.168.1.0/24); this host
# must be able to route to it and client traffic to it must be covered by the IPsec policy,
# otherwise name resolution over the VPN fails silently.
dns4 192.168.254.221; #VPN pool DNS server
# "domain.tld" looks like the placeholder from the example config; set the real search domain
# (or drop the line) — it is pushed to the clients verbatim.
default_domain "domain.tld";#optional VPN pool domain suffix
#banner "/etc/racoon/motd"; #optional VPN pool message of the day
}
# security association info (phase 2 / IPsec SA parameters)
# NOTE(review): "anonymous" with no address selectors accepts any phase-2 proposal using these
# algorithms from any client that passed phase 1; with generate_policy on (remote section) the
# client's selectors become this gateway's SPD entries. No pfs_group is set here, so phase-2
# keys are derived without perfect forward secrecy; add "pfs_group 2;" (or higher) if the
# clients support it.
sainfo anonymous { #anonymous matches any/all SA
encryption_algorithm aes; #phase 2 encryption algorithm(s)
authentication_algorithm hmac_sha1; #phase 2 authentication hash
compression_algorithm deflate; #phase 2 compression (IPComp)
remoteid 16; #phase 2 remoteid to match phase 1 (ph1id 16 in the remote section)
}
Содержимое ipsec-tools.conf:
# ipsec-tools.conf — static SPD entries loaded by setkey at boot.
# NOTE(review): these two policies are the likely reason net-to-net traffic does not flow:
#  * they match only "udp", so TCP and ICMP between the LAN (192.168.0.0/16) and the VPN
#    pool (192.168.28.0/24) are not covered by any static policy at all;
#  * they use transport mode, which protects only traffic whose endpoints are the two IKE
#    peers themselves; traffic from a client (192.168.28.x) to a LAN host behind this gateway
#    needs tunnel mode, i.e. esp/tunnel/<eth1 public IP>-<client public IP>/require.
# With generate_policy on in racoon.conf, racoon installs the per-client tunnel-mode policies
# itself when phase 2 completes, so the usual road-warrior setup keeps this file down to
# "flush; spdflush;" and lets racoon manage the SPD; static entries like these can shadow or
# conflict with the generated ones. Independently of the SPD, forwarding must be enabled
# (net.ipv4.ip_forward = 1) and the LAN hosts (or their default gateway) need a route back to
# 192.168.28.0/24 via this box's eth0 address 192.168.1.27 — or this box must SNAT the pool
# to 192.168.1.27 — otherwise replies never reach the tunnel.
spdadd 192.168.0.0/16 192.168.28.0/24 udp -P out
ipsec esp/transport//require;
spdadd 192.168.28.0/24 192.168.0.0/16 udp -P in
ipsec esp/transport//require;