I'm setting up a Manual IPsec Site to Site VPN on a Unifi router.
Site A gets a public IP, and Site B gets a private IP from the router above it. (Assigning a public IP via superDMZ or similar is not possible.)
Searching Google, I read that a Site to Site VPN is possible even when one side's WAN IP range is private, but with the configuration below it currently isn't working, so I'm attaching it together with the logs.
Where is the problem?
With the equipment at Site C, which like Site A receives a public IP, both AUTO and MANUAL IPSEC VPN succeeded.
#Site A (WAN: Public IP) log
WAN : #.#.#.# / LAN : 192.168.1.1
ubnt@ubnt:~$ show vpn log tail
Dec 21 21:42:23 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64)
Dec 21 21:53:05 07[IKE] initiating Main Mode IKE_SA peer-@.@.@.@-tunnel-vti[1] to @.@.@.@
Dec 21 21:53:07 04[IKE] deleting IKE_SA peer-@.@.@.@-tunnel-vti[1] between #.#.#.#[#.#.#.#]...@.@.@.@[%any]
Dec 21 21:53:37 13[KNL] creating acquire job for policy #.#.#.#/32[ipencap] === @.@.@.@/32[ipencap] with reqid {4}
Dec 21 21:53:37 13[IKE] initiating Main Mode IKE_SA peer-@.@.@.@-tunnel-vti[2] to @.@.@.@
Dec 21 21:53:39 03[IKE] deleting IKE_SA peer-@.@.@.@-tunnel-vti[2] between #.#.#.#[#.#.#.#]...@.@.@.@[%any]
ubnt@ubnt:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64):
  uptime: 12 minutes, since Dec 21 21:43:27 2022
  malloc: sbrk 376832, mmap 0, used 272000, free 104832
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap addrblock
Listening IP addresses:
  #.#.#.#
  192.168.10.1
Connections:
peer-@.@.@.@-tunnel-vti:  #.#.#.#...@.@.@.@  IKEv1
peer-@.@.@.@-tunnel-vti:   local:  [#.#.#.#] uses pre-shared key authentication
peer-@.@.@.@-tunnel-vti:   remote: [@.@.@.@] uses pre-shared key authentication
peer-@.@.@.@-tunnel-vti:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL
remote-access:  #.#.#.#...%any  IKEv1, dpddelay=15s
remote-access:   local:  [#.#.#.#] uses pre-shared key authentication
remote-access:   remote: uses pre-shared key authentication
remote-access:   child:  dynamic[udp/l2f] === dynamic[udp] TRANSPORT, dpdaction=clear
Routed Connections:
peer-@.@.@.@-tunnel-vti{4}:  ROUTED, TUNNEL
peer-@.@.@.@-tunnel-vti{4}:   0.0.0.0/0 === 0.0.0.0/0
Security Associations (0 up, 0 connecting):
  none
show configuration commands
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group ESP_@.@.@.@ compression disable
set vpn ipsec esp-group ESP_@.@.@.@ lifetime 3600
set vpn ipsec esp-group ESP_@.@.@.@ mode tunnel
set vpn ipsec esp-group ESP_@.@.@.@ pfs enable
set vpn ipsec esp-group ESP_@.@.@.@ proposal 1 encryption aes128
set vpn ipsec esp-group ESP_@.@.@.@ proposal 1 hash sha1
set vpn ipsec ike-group IKE_@.@.@.@ ikev2-reauth no
set vpn ipsec ike-group IKE_@.@.@.@ key-exchange ikev1
set vpn ipsec ike-group IKE_@.@.@.@ lifetime 28800
set vpn ipsec ike-group IKE_@.@.@.@ proposal 1 dh-group 14
set vpn ipsec ike-group IKE_@.@.@.@ proposal 1 encryption aes128
set vpn ipsec ike-group IKE_@.@.@.@ proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer @.@.@.@ authentication mode pre-shared-secret
set vpn ipsec site-to-site peer @.@.@.@ authentication pre-shared-secret PASSWORD
set vpn ipsec site-to-site peer @.@.@.@ connection-type initiate
set vpn ipsec site-to-site peer @.@.@.@ ike-group IKE_@.@.@.@
set vpn ipsec site-to-site peer @.@.@.@ ikev2-reauth inherit
set vpn ipsec site-to-site peer @.@.@.@ local-address #.#.#.#
set vpn ipsec site-to-site peer @.@.@.@ vti bind vti64
set vpn ipsec site-to-site peer @.@.@.@ vti esp-group ESP_@.@.@.@
#Site B (WAN: Private IP) log
WAN : @.@.@.@ / LAN : 192.168.1.1
show vpn log tail
Dec 21 21:24:56 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:04 05[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:12 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:19 05[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:27 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:36 05[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:43 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:51 12[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:59 16[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:26:07 12[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:26:15 16[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:26:23 08[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
show configuration commands
set vpn ipsec site-to-site peer #.#.#.# authentication id @.@.@.@
set vpn ipsec site-to-site peer #.#.#.# authentication mode pre-shared-secret
set vpn ipsec site-to-site peer #.#.#.# authentication pre-shared-secret PASSWORD
set vpn ipsec site-to-site peer #.#.#.# connection-type initiate
set vpn ipsec site-to-site peer #.#.#.# ike-group IKE_#.#.#.#
set vpn ipsec site-to-site peer #.#.#.# ikev2-reauth inherit
set vpn ipsec site-to-site peer #.#.#.# local-address @.@.@.@
set vpn ipsec site-to-site peer #.#.#.# tunnel 0 allow-nat-networks disable
set vpn ipsec site-to-site peer #.#.#.# tunnel 0 allow-public-networks disable
set vpn ipsec site-to-site peer #.#.#.# tunnel 0 esp-group ESP_#.#.#.#
set vpn ipsec site-to-site peer #.#.#.# tunnel 0 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer #.#.#.# tunnel 0 remote prefix 192.168.10.0/24
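An added example, not part of the original post, that pairs the `initiating`, `deleting` and `established` IKE_SA events from the `show vpn log tail` output above per SA instance, so the two failure shapes in these logs can be told apart at a glance: Site A's SAs are deleted two seconds after each attempt, while Site B's single SA keeps re-initiating to a peer that never answers. The embedded sample lines are constructed; 203.0.113.10 (documentation range) and 10.0.0.2 (RFC 1918) stand in for the poster's `#.#.#.#` and `@.@.@.@`.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample lines in the 'show vpn log tail' format shown above: 203.0.113.10
# (documentation range) stands in for the public #.#.#.# side, 10.0.0.2 (RFC 1918)
# for the private @.@.@.@ side. Neither is the poster's real address.
SITE_A_LOG = """\
Dec 21 21:53:05 07[IKE] initiating Main Mode IKE_SA peer-10.0.0.2-tunnel-vti[1] to 10.0.0.2
Dec 21 21:53:07 04[IKE] deleting IKE_SA peer-10.0.0.2-tunnel-vti[1] between 203.0.113.10[203.0.113.10]...10.0.0.2[%any]
Dec 21 21:53:37 13[IKE] initiating Main Mode IKE_SA peer-10.0.0.2-tunnel-vti[2] to 10.0.0.2
Dec 21 21:53:39 03[IKE] deleting IKE_SA peer-10.0.0.2-tunnel-vti[2] between 203.0.113.10[203.0.113.10]...10.0.0.2[%any]
"""
SITE_B_LOG = """\
Dec 21 21:24:56 02[IKE] initiating IKE_SA peer-203.0.113.10-tunnel-0[2] to 203.0.113.10
Dec 21 21:25:04 05[IKE] initiating IKE_SA peer-203.0.113.10-tunnel-0[2] to 203.0.113.10
Dec 21 21:25:12 02[IKE] initiating IKE_SA peer-203.0.113.10-tunnel-0[2] to 203.0.113.10
"""
# One regex for the three IKE_SA lifecycle messages: charon logs 'initiating' and
# 'deleting' before the SA name but puts 'established' after it.
EVENT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \d\d\[IKE\] "
    r"(?:(?P<act>initiating|deleting)(?: Main Mode)? IKE_SA (?P<sa>\S+\[\d+\])"
    r"|IKE_SA (?P<sa2>\S+\[\d+\]) (?P<act2>established))"
)

def summarize(log, year=2022):
    """Map each IKE_SA instance (name[index]) to its attempt count and outcome."""
    sas = OrderedDict()
    for line in log.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # unrelated charon chatter (KNL, DMN, ...) is ignored
        sa, act = m.group("sa") or m.group("sa2"), m.group("act") or m.group("act2")
        # syslog-style stamps carry no year; the tail above is from Dec 2022
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        rec = sas.setdefault(sa, {"attempts": 0, "first": ts, "last": ts, "outcome": "no response"})
        rec["last"] = ts
        if act == "initiating":
            rec["attempts"] += 1  # same [index] re-initiating = retransmit loop, peer silent
        elif act == "established":
            rec["outcome"] = "established"
        elif rec["outcome"] != "established":  # 'deleting' an SA that never came up
            rec["outcome"] = f"deleted after {int((ts - rec['first']).total_seconds())}s"
    return sas

def failed(sas):
    """Names of SA instances that never reached 'established'."""
    return [sa for sa, rec in sas.items() if rec["outcome"] != "established"]
```

Run `summarize()` over the real `show vpn log tail` output of each side; an SA with a growing attempt count and no `deleting`/`established` line is one whose peer never replied, while an SA deleted seconds after initiation failed locally or was rejected.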