# ipsec.conf - strongSwan IPsec configuration file
#
# Route-based (VTI) site-to-site tunnel from this strongSwan host to a Cisco ASA.
# Values in <...> are placeholders to be filled in before use; the mark value
# below (100) is the same number used for the VTI "key 100" and the mangle
# "--set-xmark 100" rule that accompany this file.
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    # Level-2 logging on every charon subsystem; useful while bringing the
    # tunnel up, very chatty for steady-state operation.
    charondebug="dmn 2, mgr 2, ike 2, chd 2, cfg 2, knl 2, net 2, esp 2"
conn tun1
    # Bring the tunnel up as soon as charon starts.
    auto=start
    # Pre-shared key authentication on both sides; the key itself is read
    # from ipsec.secrets, not from this file.
    authby=secret
    # Local endpoint is whichever interface holds the default route; the
    # identity presented to the peer is the host's public address.
    left=%defaultroute
    leftid=<STRONGSWAN_HOST_PUBLIC_IP>
    right=<CISCO_ASA_PUBLIC_IP>
    type=tunnel
    leftauth=psk
    rightauth=psk
    # NOTE(review): IKEv1 with modp1024 (DH group 2) and SHA-1 is a legacy
    # proposal; presumably dictated by the ASA peer — confirm, and move to
    # IKEv2 / a larger DH group / SHA-2 if the peer supports it.
    keyexchange=ikev1
    ike=aes256-sha1-modp1024
    # IKE SA lifetime: 24h.
    ikelifetime=86400s
    # NOTE(review): keylife and lifetime are synonyms for the CHILD_SA
    # lifetime in strongSwan, yet they are given different values here
    # (240m vs 28800s) — confirm which one is intended and drop the other.
    keylife=240m
    #rekeymargin=3m
    # ESP proposal mirrors the IKE proposal (AES-256 with SHA-1 HMAC).
    esp=aes256-sha1
    lifetime=28800s
    # Never give up re-establishing the tunnel.
    keyingtries=%forever
    # Traffic selectors: a single /32 on this side, a /29 at site B.
    leftsubnet=<VPN_EIP_ADDRESS>/32
    rightsubnet=<SITE_B_NETWORK>/29
    # Dead peer detection: probe every 10s, declare the peer dead after 30s,
    # then restart the connection.
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    # Packet mark tying this SA to the VTI interface created with "key 100".
    mark=100
- Chain PREROUTING (policy ACCEPT)
- target prot opt source destination
- DNAT all -- anywhere <VPN_EIP_ADDRESS> to:172.31.1.202
- Chain INPUT (policy ACCEPT)
- target prot opt source destination
- Chain OUTPUT (policy ACCEPT)
- target prot opt source destination
- Chain POSTROUTING (policy ACCEPT)
- target prot opt source destination
- SNAT all -- <SITE_A_MSG_SERVER> <SITE_B_MSG_SERVER> to:<VPN_EIP_ADDRESS>
- SNAT all -- 172.31.0.39 <SITE_B_MSG_SERVER> to:<VPN_EIP_ADDRESS>
- eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
- inet 172.31.0.39 netmask 255.255.255.0 broadcast 172.31.0.255
- inet6 fe80::10f4:6ff:fe3a:97b2 prefixlen 64 scopeid 0x20<link>
- ether 12:f4:06:3a:97:b2 txqueuelen 1000 (Ethernet)
- RX packets 25214495 bytes 7356353946 (6.8 GiB)
- RX errors 0 dropped 0 overruns 0 frame 0
- TX packets 23561604 bytes 2610819486 (2.4 GiB)
- TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
- lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
- inet 127.0.0.1 netmask 255.0.0.0
- inet6 ::1 prefixlen 128 scopeid 0x10<host>
- loop txqueuelen 1000 (Local Loopback)
- RX packets 90620 bytes 5506216 (5.2 MiB)
- RX errors 0 dropped 0 overruns 0 frame 0
- TX packets 90620 bytes 5506216 (5.2 MiB)
- TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
- tun1: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1419
- inet 172.31.0.0 netmask 255.255.255.0 destination <SITE_B_NETWORK>
- inet6 fe::5e:ac:27 prefixlen 64 scopeid 0x20<link>
- tunnel txqueuelen 1000 (IPIP Tunnel)
- RX packets 26213 bytes 5770610 (5.5 MiB)
- RX errors 0 dropped 0 overruns 0 frame 0
- TX packets 17158 bytes 1304176 (1.2 MiB)
- TX errors 1012692 dropped 0 overruns 0 carrier 1012692 collisions 0
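#!/usr/bin/env bash
# Bring up the VTI interface, the mark/MSS/NAT rules and the route for the
# "tun1" tunnel configured in the accompanying ipsec.conf (conn tun1, mark=100).
#
# The original listing used several different placeholders for the same
# address (<CISCO_PUB_IP>/<CISCO_IP>/<CISCO_ASA_PUBLIC_IP>,
# <STRONGSWAN_PUBLIC_IP>/<STRONGSWAN_HOST_PUBLIC_IP>,
# <SITE_B_DEVICE>/<SITE_B_MSG_SERVER>); they are unified into one environment
# variable each so every rule refers to the same value:
#   CISCO_ASA_PUBLIC_IP        remote ASA public address ("right" in ipsec.conf)
#   STRONGSWAN_HOST_PUBLIC_IP  this host's public address ("leftid")
#   VPN_EIP_ADDRESS            address presented to site B ("leftsubnet")
#   SITE_B_NETWORK             site B network address, used as a /29 ("rightsubnet")
#   SITE_A_MSG_SERVER          internal server that inbound tunnel traffic is DNATed to
#   SITE_B_MSG_SERVER          site B host the SNAT rules match on
#
# Re-runnable: link/address/route changes use "replace" or are skipped when
# already present, and iptables rules are only appended when "iptables -C"
# reports them absent, so a second run does not duplicate rules.
set -euo pipefail

: "${CISCO_ASA_PUBLIC_IP:?set to the ASA public IP}"
: "${STRONGSWAN_HOST_PUBLIC_IP:?set to this host's public IP}"
: "${VPN_EIP_ADDRESS:?set to the VPN EIP address}"
: "${SITE_B_NETWORK:?set to the site B network address}"
: "${SITE_A_MSG_SERVER:?set to the site A message server IP}"
: "${SITE_B_MSG_SERVER:?set to the site B message server IP}"

readonly TUN_IF=tun1
readonly TUN_LOCAL=172.31.0.39   # eth0 address of this host (see ifconfig output)
readonly TUN_MARK=100            # must equal mark=100 in ipsec.conf
readonly TUN_MTU=1419

#######################################
# Append an iptables rule unless an identical rule is already in the chain.
# Arguments: $1 - table, $2 - chain, $3.. - rule specification
# Returns:   status of the iptables call
#######################################
iptables_add() {
  local table=$1 chain=$2
  shift 2
  if ! sudo iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    sudo iptables -t "$table" -A "$chain" "$@"
  fi
}

# IP Links
if ! ip link show "$TUN_IF" >/dev/null 2>&1; then
  sudo ip link add "$TUN_IF" type vti local "$TUN_LOCAL" \
    remote "$CISCO_ASA_PUBLIC_IP" key "$TUN_MARK"
fi
# NOTE(review): the ifconfig output on this page shows tun1 with netmask
# 255.255.255.0 (/24) while the original command adds a /16 — confirm which
# prefix is intended; the /16 is kept here as written.
sudo ip addr replace 172.31.0.0/16 remote "${SITE_B_NETWORK}/29" dev "$TUN_IF"
sudo ip link set "$TUN_IF" up mtu "$TUN_MTU"

# Forwarding
# Clamp TCP MSS on traffic leaving the tunnel to the path MTU (1419 here),
# and mark inbound ESP from the ASA with the same value as the VTI key.
iptables_add mangle FORWARD -o "$TUN_IF" -p tcp --tcp-flags SYN,RST SYN \
  -j TCPMSS --clamp-mss-to-pmtu
iptables_add mangle INPUT -p esp -s "$CISCO_ASA_PUBLIC_IP" \
  -d "$STRONGSWAN_HOST_PUBLIC_IP" -j MARK --set-xmark "$TUN_MARK"

# NAT
# NOTE(review): the DNAT rule has no -i/-s restriction, so any packet
# addressed to the EIP on any interface is forwarded to the internal server,
# not only traffic that arrived through the tunnel — consider adding
# "-i $TUN_IF" or "-s ${SITE_B_NETWORK}/29" if that is the intent.
iptables_add nat PREROUTING -d "${VPN_EIP_ADDRESS}/32" \
  -j DNAT --to-destination "$SITE_A_MSG_SERVER"
iptables_add nat POSTROUTING -s "${SITE_A_MSG_SERVER}/32" -d "${SITE_B_MSG_SERVER}/32" \
  -j SNAT --to-source "$VPN_EIP_ADDRESS"
iptables_add nat POSTROUTING -s "${TUN_LOCAL}/32" -d "${SITE_B_MSG_SERVER}/32" \
  -j SNAT --to-source "$VPN_EIP_ADDRESS"

# Add Routes
sudo ip route replace "${SITE_B_NETWORK}/29" dev "$TUN_IF" metric 100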
# sysctl settings for the VTI tunnel host (eth0 = underlay, tun1 = VTI).

# Act as a router: forward packets between eth0 and tun1.
net.ipv4.ip_forward = 1

# Per the kernel ip-sysctl documentation, disable_xfrm turns off IPsec
# transform processing and disable_policy turns off IPsec policy (SPD)
# checks on the named interface. Set on the underlay so ESP is handled
# via the VTI rather than by per-packet policy on eth0.
# NOTE(review): confirm this is intended — with policy disabled on eth0 no
# SPD check applies to plaintext traffic on that interface.
net.ipv4.conf.eth0.disable_xfrm = 1
net.ipv4.conf.eth0.disable_policy = 1

# Loose-mode reverse-path filtering (2): a packet is accepted if any route
# exists back to its source, not necessarily via tun1. Policy checks are
# disabled on the VTI as well.
net.ipv4.conf.tun1.rp_filter = 2
net.ipv4.conf.tun1.disable_policy = 1