4. on vm1
a)
root@localhost:/root> ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 2.1.1.2/24 scope global eth0
b)
root@localhost:/root> ip r s
2.1.1.0/24 dev eth0 proto kernel scope link src 2.1.1.2
c)
root@localhost:/root> cat /etc/ipsec/0/ike1/racoon.conf
#!/usr/sbin/racoon
# racoon (IKEv1) configuration for the ike1 tunnel on vm1 (local 2.1.1.2, peer 2.1.1.1).
# The pre-shared key itself is read from secret.psk, keyed by the peer address.
# NOTE(review): the trailing comment on the next line repeats the key value, so the
# chmod 400 applied to secret.psk in step h) does not keep the key out of this file.
path pre_shared_key "/etc/ipsec/0/ike1/secret.psk"; # the PSK used in this lab is 12345 (placeholder value; see secret.psk)
# Phase 1 (ISAKMP) peer definition.
remote 2.1.1.1
{
exchange_mode main;
my_identifier address 2.1.1.2;
nat_traversal off ;
# scripts racoon runs on the phase1_up / phase1_down events
script "/etc/ipsec/scripts/phase1-up.sh" phase1_up;
script "/etc/ipsec/scripts/phase1-down.sh" phase1_down;
lifetime time 600 secs; # ISAKMP SA lifetime; the phase 2 SAs below expire sooner (300 secs)
# phase 1 proposal (for ISAKMP SA)
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2; # NOTE(review): group 2 is the 1024-bit MODP group; weak by current standards, acceptable only for this lab
}
}
# Phase 2 (IPsec SA) parameters for traffic between 2.1.1.2 and 2.1.1.1.
# NOTE(review): the SPD entries in ike1.add select ah/tunnel only, so the
# encryption_algorithm below only matters if an ESP policy is added later.
sainfo address 2.1.1.2 any address 2.1.1.1 any
{
lifetime time 300 secs;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
# Admin socket and the local ISAKMP listen address/port.
listen {
adminsock "/etc/ipsec/0/ike1/.racoon_admin";
isakmp 2.1.1.2 [500];
}
d)
root@localhost:/root> cat /etc/ipsec/0/ike1/secret.psk
2.1.1.1 12345
f)
root@localhost:/root> cat /etc/ipsec/0/ike1.add
# FlexiPlatform: IPSec policy rule configuration
# SPD entries for the 2.1.1.2 <-> 2.1.1.1 tunnel on vm1 (local address 2.1.1.2).
# NOTE(review): both rules select AH only. AH authenticates the packet but does not
# encrypt the payload, so the AES setting in racoon.conf's sainfo is not used here.
# The "unique" level is what setkey -DP in step g) reports as unique#16384 / unique#16385;
# the fwd entry shown there is not configured in this file.
spdadd 2.1.1.2/32 2.1.1.1/32 any
-P out
prio 2147480968 ipsec ah/tunnel/2.1.1.2-2.1.1.1/unique;
spdadd 2.1.1.1/32 2.1.1.2/32 any
-P in
prio 2147480968 ipsec ah/tunnel/2.1.1.1-2.1.1.2/unique;
g)
root@localhost:/root> setkey -DP
2.1.1.1[any] 2.1.1.2[any] 255
fwd prio high + 1073739144 ipsec
ah/tunnel/2.1.1.1-2.1.1.2/require
created: May 20 07:39:17 2015 lastused:
lifetime: 0(s) validtime: 0(s)
spid=34 seq=1 pid=976
refcnt=1
2.1.1.1[any] 2.1.1.2[any] 255
in prio high + 1073739144 ipsec
ah/tunnel/2.1.1.1-2.1.1.2/unique#16385
created: May 20 07:39:17 2015 lastused:
lifetime: 0(s) validtime: 0(s)
spid=24 seq=2 pid=976
refcnt=1
2.1.1.2[any] 2.1.1.1[any] 255
out prio high + 1073739144 ipsec
ah/tunnel/2.1.1.2-2.1.1.1/unique#16384
created: May 20 07:39:17 2015 lastused:
lifetime: 0(s) validtime: 0(s)
spid=17 seq=3 pid=976
5. on vm2
a)
root@localhost:/root> ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 2.1.1.1/24 scope global eth0
b)
root@localhost:/root> ip r s
2.1.1.0/24 dev eth0 proto kernel scope link src 2.1.1.1
c)
root@localhost:/root> cat /etc/ipsec/0/ike1/racoon.conf
#!/usr/sbin/raccoon
# NOTE(review): "raccoon" above differs from vm1's "#!/usr/sbin/racoon"; racoon is the
# daemon's name, so this looks like a typo (harmless only while the line is treated as a comment).
# racoon (IKEv1) configuration for the ike1 tunnel on vm2 (local 2.1.1.1, peer 2.1.1.2).
# The pre-shared key itself is read from secret.psk, keyed by the peer address.
# NOTE(review): the trailing comment on the next line repeats the key value, so the
# chmod 400 applied to secret.psk in step h) does not keep the key out of this file.
path pre_shared_key "/etc/ipsec/0/ike1/secret.psk"; # the PSK used in this lab is 12345 (placeholder value; see secret.psk)
# Phase 1 (ISAKMP) peer definition.
remote 2.1.1.2
{
exchange_mode main;
my_identifier address 2.1.1.1;
nat_traversal off ;
# scripts racoon runs on the phase1_up / phase1_down events
script "/etc/ipsec/scripts/phase1-up.sh" phase1_up;
script "/etc/ipsec/scripts/phase1-down.sh" phase1_down;
lifetime time 600 secs; # ISAKMP SA lifetime; the phase 2 SAs below expire sooner (300 secs)
# phase 1 proposal (for ISAKMP SA)
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2; # NOTE(review): group 2 is the 1024-bit MODP group; weak by current standards, acceptable only for this lab
}
}
# Phase 2 (IPsec SA) parameters for traffic between 2.1.1.1 and 2.1.1.2.
# NOTE(review): the SPD entries in ike1.add select ah/tunnel only, so the
# encryption_algorithm below only matters if an ESP policy is added later.
sainfo address 2.1.1.1 any address 2.1.1.2 any
{
lifetime time 300 secs;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
# Admin socket and the local ISAKMP listen address/port.
listen {
adminsock "/etc/ipsec/0/ike1/.racoon_admin";
isakmp 2.1.1.1 [500];
}
d)
root@localhost:/root> cat /etc/ipsec/0/ike1/secret.psk
2.1.1.2 12345
f)
root@localhost:/root> cat /etc/ipsec/0/ike1.add
# FlexiPlatform: IPSec policy rule configuration
# SPD entries for the 2.1.1.2 <-> 2.1.1.1 tunnel on vm2 (local address 2.1.1.1);
# the in/out directions are the mirror image of vm1's file.
# NOTE(review): both rules select AH only. AH authenticates the packet but does not
# encrypt the payload, so the AES setting in racoon.conf's sainfo is not used here.
# The "unique" level is what setkey -DP in step g) reports as unique#16384 / unique#16385;
# the fwd entry shown there is not configured in this file.
spdadd 2.1.1.2/32 2.1.1.1/32 any
-P in
prio 2147480968 ipsec ah/tunnel/2.1.1.2-2.1.1.1/unique;
spdadd 2.1.1.1/32 2.1.1.2/32 any
-P out
prio 2147480968 ipsec ah/tunnel/2.1.1.1-2.1.1.2/unique;
g)
root@localhost:/root> setkey -DP
2.1.1.1[any] 2.1.1.2[any] 255
out prio high + 1073739144 ipsec
ah/tunnel/2.1.1.1-2.1.1.2/unique#16385
created: May 20 07:40:18 2015 lastused: May 20 07:47:17 2015
lifetime: 0(s) validtime: 0(s)
spid=33 seq=1 pid=984
refcnt=1
2.1.1.2[any] 2.1.1.1[any] 255
fwd prio high + 1073739144 ipsec
ah/tunnel/2.1.1.2-2.1.1.1/require
created: May 20 07:40:18 2015 lastused:
lifetime: 0(s) validtime: 0(s)
spid=26 seq=2 pid=984
refcnt=1
2.1.1.2[any] 2.1.1.1[any] 255
in prio high + 1073739144 ipsec
ah/tunnel/2.1.1.2-2.1.1.1/unique#16384
created: May 20 07:40:18 2015 lastused:
lifetime: 0(s) validtime: 0(s)
spid=16 seq=3 pid=984
refcnt=1
4. on vm1
a)
root@localhost:/root> ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 2.1.1.2/24 scope global eth0
b)
root@localhost:/root> ip r s
2.1.1.0/24 dev eth0 proto kernel scope link src 2.1.1.2
c)
root@localhost:/root> cat /etc/ipsec/0/ike1/racoon.conf
#!/usr/sbin/racoon
# racoon (IKEv1) configuration for the ike1 tunnel on vm1 (local 2.1.1.2, peer 2.1.1.1).
# The pre-shared key itself is read from secret.psk, keyed by the peer address.
# NOTE(review): the trailing comment on the next line repeats the key value, so the
# chmod 400 applied to secret.psk in step h) does not keep the key out of this file.
path pre_shared_key "/etc/ipsec/0/ike1/secret.psk"; # the PSK used in this lab is 12345 (placeholder value; see secret.psk)
# Phase 1 (ISAKMP) peer definition.
remote 2.1.1.1
{
exchange_mode main;
my_identifier address 2.1.1.2;
nat_traversal off ;
# scripts racoon runs on the phase1_up / phase1_down events
script "/etc/ipsec/scripts/phase1-up.sh" phase1_up;
script "/etc/ipsec/scripts/phase1-down.sh" phase1_down;
lifetime time 600 secs; # ISAKMP SA lifetime; the phase 2 SAs below expire sooner (300 secs)
# phase 1 proposal (for ISAKMP SA)
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2; # NOTE(review): group 2 is the 1024-bit MODP group; weak by current standards, acceptable only for this lab
}
}
# Phase 2 (IPsec SA) parameters for traffic between 2.1.1.2 and 2.1.1.1.
# NOTE(review): the SPD entries in ike1.add select ah/tunnel only, so the
# encryption_algorithm below only matters if an ESP policy is added later.
sainfo address 2.1.1.2 any address 2.1.1.1 any
{
lifetime time 300 secs;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
# Admin socket and the local ISAKMP listen address/port.
listen {
adminsock "/etc/ipsec/0/ike1/.racoon_admin";
isakmp 2.1.1.2 [500];
}
d)
root@localhost:/root> cat /etc/ipsec/0/ike1/secret.psk
2.1.1.1 12345
f)
root@localhost:/root> cat /etc/ipsec/0/ike1.add
# FlexiPlatform: IPSec policy rule configuration
# SPD entries for the 2.1.1.2 <-> 2.1.1.1 tunnel on vm1 (local address 2.1.1.2).
# NOTE(review): both rules select AH only. AH authenticates the packet but does not
# encrypt the payload, so the AES setting in racoon.conf's sainfo is not used here.
# The "unique" level is what setkey -DP in step g) reports as unique#16384 / unique#16385;
# the fwd entry shown there is not configured in this file.
spdadd 2.1.1.2/32 2.1.1.1/32 any
-P out
prio 2147480968 ipsec ah/tunnel/2.1.1.2-2.1.1.1/unique;
spdadd 2.1.1.1/32 2.1.1.2/32 any
-P in
prio 2147480968 ipsec ah/tunnel/2.1.1.1-2.1.1.2/unique;
g)
root@localhost:/root> setkey -DP
2.1.1.1[any] 2.1.1.2[any] 255
fwd prio high + 1073739144 ipsec
ah/tunnel/2.1.1.1-2.1.1.2/require
created: May 20 07:39:17 2015 lastused:
lifetime: 0(s) validtime: 0(s)
spid=34 seq=1 pid=976
refcnt=1
2.1.1.1[any] 2.1.1.2[any] 255
in prio high + 1073739144 ipsec
ah/tunnel/2.1.1.1-2.1.1.2/unique#16385
created: May 20 07:39:17 2015 lastused:
lifetime: 0(s) validtime: 0(s)
spid=24 seq=2 pid=976
refcnt=1
2.1.1.2[any] 2.1.1.1[any] 255
out prio high + 1073739144 ipsec
ah/tunnel/2.1.1.2-2.1.1.1/unique#16384
created: May 20 07:39:17 2015 lastused:
lifetime: 0(s) validtime: 0(s)
spid=17 seq=3 pid=976
refcnt=1
5. on vm2
a)
root@localhost:/root> ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 2.1.1.1/24 scope global eth0
b)
root@localhost:/root> ip r s
2.1.1.0/24 dev eth0 proto kernel scope link src 2.1.1.1
c)
root@localhost:/root> cat /etc/ipsec/0/ike1/racoon.conf
#!/usr/sbin/raccoon
path pre_shared_key "/etc/ipsec/0/ike1/secret.psk"; # please note that the preshared key in this case is 12345
remote 2.1.1.2
{
exchange_mode main;
my_identifier address 2.1.1.1;
nat_traversal off ;
script "/etc/ipsec/scripts/phase1-up.sh" phase1_up;
script "/etc/ipsec/scripts/phase1-down.sh" phase1_down;
lifetime time 600 secs;
# phase 1 proposal (for ISAKMP SA)
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address 2.1.1.1 any address 2.1.1.2 any
{
lifetime time 300 secs;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
listen {
adminsock "/etc/ipsec/0/ike1/.racoon_admin";
isakmp 2.1.1.1 [500];
}
d)
root@localhost:/root> cat /etc/ipsec/0/ike1/secret.psk
2.1.1.2 12345
f)
root@localhost:/root> cat /etc/ipsec/0/ike1.add
# FlexiPlatform: IPSec policy rule configuration
spdadd 2.1.1.2/32 2.1.1.1/32 any
-P in
prio 2147480968 ipsec ah/tunnel/2.1.1.2-2.1.1.1/unique;
spdadd 2.1.1.1/32 2.1.1.2/32 any
-P out
prio 2147480968 ipsec ah/tunnel/2.1.1.1-2.1.1.2/unique;
g)
root@localhost:/root> setkey -DP
2.1.1.1[any] 2.1.1.2[any] 255
out prio high + 1073739144 ipsec
ah/tunnel/2.1.1.1-2.1.1.2/unique#16385
created: May 20 07:40:18 2015 lastused: May 20 07:47:17 2015
lifetime: 0(s) validtime: 0(s)
spid=33 seq=1 pid=984
refcnt=1
2.1.1.2[any] 2.1.1.1[any] 255
fwd prio high + 1073739144 ipsec
ah/tunnel/2.1.1.2-2.1.1.1/require
created: May 20 07:40:18 2015 lastused:
lifetime: 0(s) validtime: 0(s)
spid=26 seq=2 pid=984
refcnt=1
2.1.1.2[any] 2.1.1.1[any] 255
in prio high + 1073739144 ipsec
ah/tunnel/2.1.1.2-2.1.1.1/unique#16384
created: May 20 07:40:18 2015 lastused:
lifetime: 0(s) validtime: 0(s)
spid=16 seq=3 pid=984
refcnt=1
h) chmod 400 /etc/ipsec/0/ike1/secret.psk (makes the PSK file readable only by its owner; the key value is also present in the racoon.conf comment, which this does not cover)