Site-to-site VPN IPsec question

이희주
   Views 5688   Recommends 0

I am configuring a manual IPsec site-to-site VPN on a Unifi router.


Site A receives a public IP, and site B receives a private IP from the router above it (a public IP cannot be assigned via super DMZ or similar).


A Google search says that site-to-site VPN is possible even if one side's WAN IP range is private, but with the configuration below it is currently not possible, so I am attaching it together with the logs.


Where is the problem?

With the equipment at site C, which receives a public IP just like site A, AUTO/MANUAL IPsec VPN succeeded.


#Site A (WAN: Public IP) log

WAN : #.#.#.# / LAN : 192.168.1.1


ubnt@ubnt:~$ show vpn log tail

Dec 21 21:42:23 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64)

Dec 21 21:53:05 07[IKE] initiating Main Mode IKE_SA peer-@.@.@.@-tunnel-vti[1] to @.@.@.@

Dec 21 21:53:07 04[IKE] deleting IKE_SA peer-@.@.@.@-tunnel-vti[1] between #.#.#.#[#.#.#.#]...@.@.@.@[%any]

Dec 21 21:53:37 13[KNL] creating acquire job for policy #.#.#.#/32[ipencap] === @.@.@.@/32[ipencap] with reqid {4}

Dec 21 21:53:37 13[IKE] initiating Main Mode IKE_SA peer-@.@.@.@-tunnel-vti[2] to @.@.@.@

Dec 21 21:53:39 03[IKE] deleting IKE_SA peer-@.@.@.@-tunnel-vti[2] between #.#.#.#[#.#.#.#]...@.@.@.@[%any]



ubnt@ubnt:~$ sudo ipsec statusall

Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64):

  uptime: 12 minutes, since Dec 21 21:43:27 2022

  malloc: sbrk 376832, mmap 0, used 272000, free 104832

  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0

  loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap addrblock

Listening IP addresses:

  #.#.#.#

  192.168.10.1

Connections:

peer-@.@.@.@-tunnel-vti:  #.#.#.#...@.@.@.@  IKEv1

peer-@.@.@.@-tunnel-vti:   local:  [#.#.#.#] uses pre-shared key authentication

peer-@.@.@.@-tunnel-vti:   remote: [@.@.@.@] uses pre-shared key authentication

peer-@.@.@.@-tunnel-vti:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL

remote-access:  #.#.#.#...%any  IKEv1, dpddelay=15s

remote-access:   local:  [#.#.#.#] uses pre-shared key authentication

remote-access:   remote: uses pre-shared key authentication

remote-access:   child:  dynamic[udp/l2f] === dynamic[udp] TRANSPORT, dpdaction=clear

Routed Connections:

peer-@.@.@.@-tunnel-vti{4}:  ROUTED, TUNNEL

peer-@.@.@.@-tunnel-vti{4}:   0.0.0.0/0 === 0.0.0.0/0

Security Associations (0 up, 0 connecting):

  none




show configuration commands


set vpn ipsec auto-firewall-nat-exclude enable

set vpn ipsec esp-group ESP_@.@.@.@ compression disable

set vpn ipsec esp-group ESP_@.@.@.@ lifetime 3600

set vpn ipsec esp-group ESP_@.@.@.@ mode tunnel

set vpn ipsec esp-group ESP_@.@.@.@ pfs enable

set vpn ipsec esp-group ESP_@.@.@.@ proposal 1 encryption aes128

set vpn ipsec esp-group ESP_@.@.@.@ proposal 1 hash sha1

set vpn ipsec ike-group IKE_@.@.@.@ ikev2-reauth no

set vpn ipsec ike-group IKE_@.@.@.@ key-exchange ikev1

set vpn ipsec ike-group IKE_@.@.@.@ lifetime 28800

set vpn ipsec ike-group IKE_@.@.@.@ proposal 1 dh-group 14

set vpn ipsec ike-group IKE_@.@.@.@ proposal 1 encryption aes128

set vpn ipsec ike-group IKE_@.@.@.@ proposal 1 hash sha1

set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec nat-networks allowed-network 0.0.0.0/0

set vpn ipsec nat-traversal enable

set vpn ipsec site-to-site peer @.@.@.@ authentication mode pre-shared-secret

set vpn ipsec site-to-site peer @.@.@.@ authentication pre-shared-secret PASSWORD

set vpn ipsec site-to-site peer @.@.@.@ connection-type initiate

set vpn ipsec site-to-site peer @.@.@.@ ike-group IKE_@.@.@.@

set vpn ipsec site-to-site peer @.@.@.@ ikev2-reauth inherit

set vpn ipsec site-to-site peer @.@.@.@ local-address #.#.#.#

set vpn ipsec site-to-site peer @.@.@.@ vti bind vti64

set vpn ipsec site-to-site peer @.@.@.@ vti esp-group ESP_@.@.@.@

 

#Site B (WAN: Private IP) log

WAN : @.@.@.@ / LAN : 192.168.1.1

show vpn log tail


Dec 21 21:24:56 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:04 05[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:12 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:19 05[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:27 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:36 05[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:43 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:51 12[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:25:59 16[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:26:07 12[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:26:15 16[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#

Dec 21 21:26:23 08[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#



show configuration commands


set vpn ipsec site-to-site peer #.#.#.# authentication id @.@.@.@

set vpn ipsec site-to-site peer #.#.#.# authentication mode pre-shared-secret

set vpn ipsec site-to-site peer #.#.#.# authentication pre-shared-secret PASSWORD

set vpn ipsec site-to-site peer #.#.#.# connection-type initiate

set vpn ipsec site-to-site peer #.#.#.# ike-group IKE_#.#.#.#

set vpn ipsec site-to-site peer #.#.#.# ikev2-reauth inherit

set vpn ipsec site-to-site peer #.#.#.# local-address @.@.@.@

set vpn ipsec site-to-site peer #.#.#.# tunnel 0 allow-nat-networks disable

set vpn ipsec site-to-site peer #.#.#.# tunnel 0 allow-public-networks disable

set vpn ipsec site-to-site peer #.#.#.# tunnel 0 esp-group ESP_#.#.#.#

set vpn ipsec site-to-site peer #.#.#.# tunnel 0 local prefix 192.168.1.0/24

set vpn ipsec site-to-site peer #.#.#.# tunnel 0 remote prefix 192.168.10.0/24

The shorter the post, the more carefully it should be written.
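The two peers' logs and `set` commands quoted above differ from each other in several ways, and a small consistency check makes the differences easier to see. The following is an added example written for this page, not code from the original post, Ubiquiti or strongSwan; it assumes charon's log wording (the mode is named only for IKEv1, so a bare "initiating IKE_SA" is IKEv2), EdgeOS's `vti bind` versus `tunnel N` syntax, and uses constructed excerpts modelled on the post's output.

```python
import re

# Constructed excerpts modelled on the two peers' output in the post above
# (site A: public WAN, VTI; site B: private WAN behind NAT, tunnel 0).
SITE_A_LOG = ("Dec 21 21:53:05 07[IKE] initiating Main Mode IKE_SA peer-@.@.@.@-tunnel-vti[1] to @.@.@.@\n"
              "Dec 21 21:53:07 04[IKE] deleting IKE_SA peer-@.@.@.@-tunnel-vti[1] between #.#.#.#[#.#.#.#]...@.@.@.@[%any]")
SITE_B_LOG = "Dec 21 21:24:56 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#"
SITE_A_CFG = ["set vpn ipsec site-to-site peer @.@.@.@ connection-type initiate",
              "set vpn ipsec site-to-site peer @.@.@.@ vti bind vti64"]
SITE_B_CFG = ["set vpn ipsec site-to-site peer #.#.#.# connection-type initiate",
              "set vpn ipsec site-to-site peer #.#.#.# tunnel 0 local prefix 192.168.1.0/24"]

def ike_version(log):
    """charon names 'Main Mode'/'Aggressive Mode' only for IKEv1; IKEv2 logs a bare 'initiating IKE_SA'."""
    if re.search(r"initiating (Main|Aggressive) Mode IKE_SA", log):
        return 1
    if re.search(r"initiating IKE_SA", log):
        return 2
    return None

def tunnel_mode(cfg):
    """EdgeOS 'vti bind' is route-based (0.0.0.0/0 selectors); 'tunnel N ... prefix' is policy-based."""
    for line in cfg:
        if " vti bind " in line:
            return "vti"
        if re.search(r" tunnel \d+ ", line):
            return "policy"
    return None

def connection_type(cfg):
    """Read the peer's connection-type; 'initiate' is assumed when the option is omitted."""
    for line in cfg:
        m = re.search(r" connection-type (\S+)", line)
        if m:
            return m.group(1)
    return "initiate"

def check_pair(pub_log, pub_cfg, nat_log, nat_cfg):
    """Return the mismatches between the public-WAN peer and the peer behind NAT."""
    findings = []
    if ike_version(pub_log) != ike_version(nat_log):
        findings.append("ike-version-mismatch")
    if tunnel_mode(pub_cfg) != tunnel_mode(nat_cfg):
        findings.append("tunnel-mode-mismatch")
    # The NAT'd side's private WAN address is not reachable from the internet,
    # so only the NAT'd side can open the tunnel; the public side should respond.
    if connection_type(pub_cfg) == "initiate":
        findings.append("public-side-initiates-to-private-address")
    if connection_type(nat_cfg) != "initiate":
        findings.append("nat-side-does-not-initiate")
    return findings
```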

