Site to site VPN Ipsec

   
   ȸ 5522   õ 0    

Unifi라우터에서 Manual Ipsec Site to Site vpn을 구성중입니다.


A 사이트는 공인 ip를 받고 B 사이트는 상단의 공유기에서 사설ip를 받습니다. (superDMZ등 공인IP할당 불가)


구글 검색해보니 한쪽의 WAN IP대역이 사설이여도 SITE TO SITE VPN이 가능고 하는데 아래의 구성으로는 현재 불가능하여 로그와 함께 첨부합니다.. 


어디가 문제인걸까요?

A사이트와 마찬가지로 공인IP를 받는 C사이트의 장비와는 AUTO/MANUAL  IPSEC VAN 성공했습니다.


#Site A(WAN: Public IP) 로그

WAN : #.#.#.# / LAN : 192.168.1.1


ubnt@ubnt:~$ show vpn log tail

Dec 21 21:42:23 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64)

Dec 21 21:53:05 07[IKE] initiating Main Mode IKE_SA peer-@.@.@.@-tunnel-vti[1] to @.@.@.@

Dec 21 21:53:07 04[IKE] deleting IKE_SA peer-@.@.@.@-tunnel-vti[1] between #.#.#.#[#.#.#.#]...@.@.@.@[%any]

Dec 21 21:53:37 13[KNL] creating acquire job for policy #.#.#.#/32[ipencap] === @.@.@.@/32[ipencap] with reqid {4}

Dec 21 21:53:37 13[IKE] initiating Main Mode IKE_SA peer-@.@.@.@-tunnel-vti[2] to @.@.@.@

Dec 21 21:53:39 03[IKE] deleting IKE_SA peer-@.@.@.@-tunnel-vti[2] between #.#.#.#[#.#.#.#]...@.@.@.@[%any]



ubnt@ubnt:~$ sudo ipsec statusall

Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64):

  uptime: 12 minutes, since Dec 21 21:43:27 2022

  malloc: sbrk 376832, mmap 0, used 272000, free 104832

  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled:                                                                                                           0

  loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x                                                                                                          509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr cc                                                                                                          m gcm curl attr kernel-netlink resolve socket-default stroke vici updown eap-ide                                                                                                          ntity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap addrblock

Listening IP addresses:

  #.#.#.#

  192.168.10.1

Connections:

peer-@.@.@.@-tunnel-vti:  #.#.#.#...@.@.@.@  IKEv1

peer-@.@.@.@-tunnel-vti:   local:  [#.#.#.#] uses pre-shared key                                                                                                           authentication

peer-@.@.@.@-tunnel-vti:   remote: [@.@.@.@] uses pre-shared key a                                                                                                          uthentication

peer-@.@.@.@-tunnel-vti:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL

remote-access:  #.#.#.#...%any  IKEv1, dpddelay=15s

remote-access:   local:  [#.#.#.#] uses pre-shared key authentication

remote-access:   remote: uses pre-shared key authentication

remote-access:   child:  dynamic[udp/l2f] === dynamic[udp] TRANSPORT, dpdaction=                                                                                                          clear

Routed Connections:

peer-@.@.@.@-tunnel-vti{4}:  ROUTED, TUNNEL

peer-@.@.@.@-tunnel-vti{4}:   0.0.0.0/0 === 0.0.0.0/0

Security Associations (0 up, 0 connecting):

  none




show configuration commands


set vpn ipsec auto-firewall-nat-exclude enable

set vpn ipsec esp-group ESP_@.@.@.@ compression disable

set vpn ipsec esp-group ESP_@.@.@.@ lifetime 3600

set vpn ipsec esp-group ESP_@.@.@.@ mode tunnel

set vpn ipsec esp-group ESP_@.@.@.@ pfs enable

set vpn ipsec esp-group ESP_@.@.@.@ proposal 1 encryption aes128

set vpn ipsec esp-group ESP_@.@.@.@ proposal 1 hash sha1

set vpn ipsec ike-group IKE_@.@.@.@ ikev2-reauth no

set vpn ipsec ike-group IKE_@.@.@.@ key-exchange ikev1

set vpn ipsec ike-group IKE_@.@.@.@ lifetime 28800

set vpn ipsec ike-group IKE_@.@.@.@ proposal 1 dh-group 14

set vpn ipsec ike-group IKE_@.@.@.@ proposal 1 encryption aes128

set vpn ipsec ike-group IKE_@.@.@.@ proposal 1 hash sha1

set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec nat-networks allowed-network 0.0.0.0/0

set vpn ipsec nat-traversal enable

set vpn ipsec site-to-site peer @.@.@.@ authentication mode pre-shared-secret

set vpn ipsec site-to-site peer @.@.@.@ authentication pre-shared-secret PASSWORD

set vpn ipsec site-to-site peer @.@.@.@ connection-type initiate

set vpn ipsec site-to-site peer @.@.@.@ ike-group IKE_@.@.@.@

set vpn ipsec site-to-site peer @.@.@.@ ikev2-reauth inherit

set vpn ipsec site-to-site peer @.@.@.@ local-address #.#.#.#

set vpn ipsec site-to-site peer @.@.@.@ vti bind vti64

set vpn ipsec site-to-site peer @.@.@.@ vti esp-group ESP_@.@.@.@

 

#Site B(WAN: Private IP) 로그

WAN : @.@.@.@ / LAN : 192.168.1.1

show vpn log tail


Dec 21 21:24:56 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:04 05[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:12 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:19 05[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:27 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:36 05[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:43 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:51 12[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:59 16[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:26:07 12[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:26:15 16[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:26:23 08[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#



show configuration commands


set vpn ipsec site-to-site peer #.#.#.# authentication id @.@.@.@

set vpn ipsec site-to-site peer #.#.#.# authentication mode pre-shared-secret

set vpn ipsec site-to-site peer #.#.#.# authentication pre-shared-secret PASSWORD

set vpn ipsec site-to-site peer #.#.#.# connection-type initiate

set vpn ipsec site-to-site peer #.#.#.# ike-group IKE_#.#.#.#

set vpn ipsec site-to-site peer #.#.#.# ikev2-reauth inherit

set vpn ipsec site-to-site peer #.#.#.# local-address @.@.@.@

set vpn ipsec site-to-site peer #.#.#.# tunnel 0 allow-nat-networks disable

set vpn ipsec site-to-site peer #.#.#.# tunnel 0 allow-public-networks disable

set vpn ipsec site-to-site peer #.#.#.# tunnel 0 esp-group ESP_#.#.#.#

set vpn ipsec site-to-site peer #.#.#.# tunnel 0 local prefix 192.168.1.0/24

set vpn ipsec site-to-site peer #.#.#.# tunnel 0 remote prefix 192.168.10.0/24

ª ϼ ϰ.


QnA
Page 2368/5689
2014-05   5010901   1
2015-12   1546565   ް
2008-06   5524  
2018-10   5524   dragoune
2005-10   5524  
2006-03   5524  
2005-08   5524   ̼ȣ
2015-01   5524   ʺ
2008-10   5524   â
2016-02   5524  
2005-08   5524  
2006-05   5524   ر
2005-12   5523  
2006-01   5523   ȯ
2006-03   5523  
2005-07   5523  
2016-10   5523   ŶƮ
2007-06   5523   ȣ
2022-12   5523  
2012-02   5523   ̱
2007-10   5523  
2014-06   5523   ũ