WL-500gP: IPSEC & VPNC

[Electro]

Óâàæàåìûå ãóðó, ìîé ìîñê ñëîìàí, íåò áîåå ñèë áîðîòüñÿ, ïîýòîìó îáðàùàþñü ê âàì ñ âîïðîñîì:

Íà àñóñå çàïóùåí VPNC (òóíåëü íà ôàéåðâîë íà ðàáîòå) è ïðîèçâîäèòñÿ íàò íà èíòåðôåñå tun0. Íàò ðàáîòàåò â îáå ñòîðîíû, òåëåôîí ïèíãóåòñÿ èç ñåòè íà ðàáîòå, è èç äîìà ïèíãóåòñÿ âñÿ ðàáî÷àÿ ñåòü (10.128.0.0/255.192.0.0). Íî íà Call manager'å òåëåôîí ðåãèñòðèðóåòñÿ ñ IP àäðåñîì èç ìîåé äîìàøíåé ñåòè. Ñîîòâåòñòâåííî ãëàâíûé âîïðîñ, êàê ñêðûòü âíóòðåííèé IP àäðåñ îò ñåòè çà òóíåëåì. Íóæíî ÷òîáû òåëåôîí ðåãèñòðèðîâàëñÿ â CCM ñ àäðåñîì íà èíòåðôåéñå tun0. Äèàãðàììà è ìîé òåêóùèé ôàéë post-firewall ïðèëîæåíû.

Î÷åíü ïðîøó ïîïìîùè, ÿ ñàì áîëüøå ïî öèñêå, ÷åì ïî ëèíóêñó, è óæå âçîðâàë ñâîé ìîñê.

[Basile]

Ìîå ìíåíèå, íóæíî îñòàâèòü â ðàçäåëå nat òîëüêî ñòðîêó

Code:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Òàêæå âûêèíóòü âñå ôîðâàðäû, ïðåðîóòèíãè è îñòàëüíûå ñòðîêè ñ SNAT.
 áðèäæ íå ñòîèò äîáàâëÿòü tun0.
ß áû îñòàâèë ïðèìåðíî òàê:

Code:

#!/bin/sh
iptables -I INPUT -p tcp --dport 51777 -j ACCEPT
iptables -I INPUT -p tcp --dport 9091 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 41427 -j ACCEPT
iptables -I INPUT -i tun0 -p udp --dport 16384-32768 -j ACCEPT
iptables -I INPUT -i tun0 -p tcp --dport 69 -j ACCEPT
iptables -I INPUT -i tun0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i tun0 -p tcp --dport 2000 -j ACCEPT
iptables -I INPUT -i tun0 -p tcp --dport 2443 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Åñëè âû õîòèòå ôîðâàðäèòü êàêèå-òî ïîðòû, òî ïîèçó÷àéòå ôàéëèê /tmp/nat_rules, ïîñìîòðèòå êàê ðîóòåð íàñòðàèâàåò ïðàâèëà

[Electro]

Ìîå ìíåíèå, íóæíî îñòàâèòü â ðàçäåëå nat òîëüêî ñòðîêó

Code:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Òàêæå âûêèíóòü âñå ôîðâàðäû, ïðåðîóòèíãè è îñòàëüíûå ñòðîêè ñ SNAT.
 áðèäæ íå ñòîèò äîáàâëÿòü tun0.
ß áû îñòàâèë ïðèìåðíî òàê:

Code:

#!/bin/sh
iptables -I INPUT -p tcp --dport 51777 -j ACCEPT
iptables -I INPUT -p tcp --dport 9091 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 41427 -j ACCEPT
iptables -I INPUT -i tun0 -p udp --dport 16384-32768 -j ACCEPT
iptables -I INPUT -i tun0 -p tcp --dport 69 -j ACCEPT
iptables -I INPUT -i tun0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i tun0 -p tcp --dport 2000 -j ACCEPT
iptables -I INPUT -i tun0 -p tcp --dport 2443 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

Åñëè âû õîòèòå ôîðâàðäèòü êàêèå-òî ïîðòû, òî ïîèçó÷àéòå ôàéëèê /tmp/nat_rules, ïîñìîòðèòå êàê ðîóòåð íàñòðàèâàåò ïðàâèëà

Ñïàñèáî çà îòâåò, Basile!

Óáðàë âñå ëèøíåå, âðîäå õóæå íå ñòàëî, íî è ëó÷øå òîæå. Ò.å. ìàñêàðàä íå ïðîèñõîäèò.  Call Manager òåëåôîí âñå ðàâíî ðåãèñòðèðóåòñÿ ïîä IP èç ëîêàëêè. È ñîîòâåòñòâåííî ãîëîñ íå èäåò. Ìåíÿ ñëûøíî, à ÿ íè êîãî íå ñëûøó. Ìîæåò åñòü êàêèå-òî åùå èäåè, ÷òî ìîæíî ïîïðîáîâàòü ? ß ïî÷èòàë ìàíóàë ê iptables è ïîíÿë, ÷òî SNAT âðîäå êàê äîëæåí êîíêðåòíî ïðîïèñûâàòü â çàãîëîâîê ïàêåòà òîò àäðåñ, êîòîðûé óêàçàí â ïðàâèëå. Ìîæåò ñ ýòèì êàê-òî ïîýêñïåðèìåíòèðîâàòü ?

Ñïàñèáî.

[Electro]

Âñå, ñïàñèáî, Basile!

Çàðàáîòàëî. ß òàê ïîíÿë, ÷òî âàøå ïðîåäëîæåíèå ïî îïòèìèçàöèè iptables î÷åíü ïðàâèëüíîå, íî ôèøêà â òîì, ÷òî íàò è ìàñêàðàä ïðàâèëüíî îòðàáàòûâàëñÿ è ðàíüøå, à òåëåôîí ðåãèñòðèðîâàëñÿ ïîä IP èç ëîêàëêè èç-çà òîãî ÷òî îí ñîîáùàë ñâîé àäðåñ íå â çàãàëîâêå IP ïàêåòà, à âûøå, íà óðîâíå skinny. ß ýòî îáîøåë äîáàâèâ ñòàòè÷åñêîå ïðàâèëî íà ASA, êîòîðîå æåñòêî ìàïèò 192.168.1.214 (òåëåôîí) â 10.146.80.6 (tun0) íà èíòåôåéñå Inside. Ïðèøëîñü åùå ñ VPN ïîêîëäîâàòü, ÷òîáû ìîåìó ÀÑÓÑó âñåãäà íàçíà÷àëñÿ èìåííòî ýòîò àäðåñ.  îáùåì âñå òåïåðü ðàáîòàåò. Ìîæíî ýòî âñå êðàñèâî ðàñïèñàòü (ñàì ÿ íå óìåþ ) è îôîðìèòü êàê ãîòîâîå ðåøåíèå.

[angelexe]

Äîáðûé äåíü óâàæàåìûå ôîðóì÷àíå, ñàìè ìû ìåñòíûå, ÿâëÿþñü ñ÷àñòëèâûì îáëàäàòåëåì wl-500gP v1.
Èñïîëüçóåòñÿ êàê äîìàøíèé wi-fi ìàðøðóòèðèçàòîð ñ ïîäêëþ÷ííûì ê íåìó 300 ãèãàáàéòíûì âèíòîì è ïðèíòåðîì. Íà í¸ì ñòîèò ïîñëåäíÿÿ ïðîøèâêà îòñþäà http://code.google.com/p/wl500g/ (çà íå¸ îòäåëüíûé ðåñïåêò ) è êðóòèòñÿ transmission, samba, lighttpd, proftpd, íàñòðîåí vpn ñåðâåð è åù¸ ìíîãî ÷åãî.
Ïîÿâèëàñü íåîáõîäèìîñòü íàñòðîèòü ñîåäèíåíèå ñ cisco. Áûë âûáðàí, óñòàíîâëåí è íàñòðîåí vpnc.
Òåïåðü ñàìà ïðîáëåìà:
Vpnc ïîäíèìàåò ñîåäèíåíèå è â ifconfige ïîÿâëÿåòñÿ íîâûé èíòåðôåéñ tun0.
Íî åñëè ìàëåíüêàÿ ïðîáëåìà, ìîé ïðîâàéäåð êîðáèíà è âíóòðåíÿÿ ñåòü ó íåãî èìååò äèàïàçîí 10.0.0.0, òî÷íî òàêîé æå äèàïàçîí ó ñåòè ê êîòîðîé ÿ êîííåê÷óñü ïî vpnc  ñâÿçè ñ ÷åì äîñòóïà â ñåòü ÷åðåç tun0 íåò.

Âîò âûâîä ifconfig ïîñëå ïîäíÿòèÿ èíòåðôåéñà:

Code:

br0       Link encap:Ethernet  HWaddr 00:22:15:36:26:EB
          inet addr:192.168.168.1  Bcast:192.168.168.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2950688 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5215556 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:246331315 (234.9 MiB)  TX bytes:2370167440 (2.2 GiB)

eth0      Link encap:Ethernet  HWaddr 00:22:15:36:26:EB
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:97032205 errors:2795 dropped:0 overruns:257 frame:257
          TX packets:128361943 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4096278061 (3.8 GiB)  TX bytes:1558083620 (1.4 GiB)
          Interrupt:4 Base address:0x1000

eth1      Link encap:Ethernet  HWaddr 00:22:15:36:26:EB
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2322635 errors:0 dropped:0 overruns:0 frame:14395514
          TX packets:4197226 errors:229 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:247358982 (235.8 MiB)  TX bytes:711656391 (678.6 MiB)
          Interrupt:12 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:1069426 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1069426 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:97594254 (93.0 MiB)  TX bytes:97594254 (93.0 MiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:95.24.6.X  P-t-P:85.21.0.255  Mask:255.255.255.255
          UP POINTOPOINT RUNNING MULTICAST  MTU:1460  Metric:1
          RX packets:3012862 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5097785 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:481675564 (459.3 MiB)  TX bytes:155183592 (147.9 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00                                             -00
          inet addr:10.86.X.X  P-t-P:10.86.X.X  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:243 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:504 (504.0 B)  TX bytes:15074 (14.7 KiB)

vlan0     Link encap:Ethernet  HWaddr 00:22:15:36:26:EB
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:628919 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1854463 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:34444354 (32.8 MiB)  TX bytes:2016592654 (1.8 GiB)

vlan1     Link encap:Ethernet  HWaddr 00:22:15:36:26:EB
          inet addr:10.188.X.X  Bcast:10.188.X.255  Mask:255.255.248.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:96403283 errors:0 dropped:0 overruns:0 frame:0
          TX packets:126507480 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2315253589 (2.1 GiB)  TX bytes:3836458262 (3.5 GiB)

route -n

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
85.21.88.130    10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
10.80.0.2       10.86.0.136     255.255.255.255 UGH   0      0        0 tun0
85.21.192.3     10.188.0.1      255.255.255.255 UGH   1      0        0 vlan1
195.14.50.16    10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
217.118.84.213  10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
85.21.52.254    10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
194.67.1.13     10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
194.67.1.14     10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
194.67.18.19    10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
195.14.50.21    10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
195.14.50.26    10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
10.80.1.33      10.86.0.136     255.255.255.255 UGH   0      0        0 tun0
194.67.1.115    10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
85.21.0.255     10.188.0.1      255.255.255.255 UGH   2      0        0 vlan1
89.179.135.67   10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
213.234.192.8   10.188.0.1      255.255.255.255 UGH   1      0        0 vlan1
195.14.50.93    10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
194.67.18.72    10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
194.67.1.130    10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
217.118.84.249  10.188.0.1      255.255.255.255 UGH   0      0        0 vlan1
78.107.235.4    10.188.0.1      255.255.255.252 UG    0      0        0 vlan1
85.21.72.80     10.188.0.1      255.255.255.240 UG    0      0        0 vlan1
78.107.51.0     10.188.0.1      255.255.255.240 UG    0      0        0 vlan1
85.21.108.16    10.188.0.1      255.255.255.240 UG    0      0        0 vlan1
83.102.231.32   10.188.0.1      255.255.255.240 UG    0      0        0 vlan1
85.21.138.208   10.188.0.1      255.255.255.240 UG    0      0        0 vlan1
83.102.146.96   10.188.0.1      255.255.255.224 UG    0      0        0 vlan1
233.32.240.0    10.188.7.47     255.255.255.0   UG    0      0        0 vlan1
85.21.90.0      10.188.0.1      255.255.255.0   UG    0      0        0 vlan1
192.168.168.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
78.107.23.0     10.188.0.1      255.255.255.0   UG    0      0        0 vlan1
85.21.79.0      10.188.0.1      255.255.255.0   UG    0      0        0 vlan1
78.107.196.0    10.188.0.1      255.255.252.0   UG    0      0        0 vlan1
10.188.0.0      0.0.0.0         255.255.248.0   U     0      0        0 vlan1
10.0.0.0        10.86.0.136     255.0.0.0       UG    0      0        0 tun0
10.0.0.0        10.188.0.1      255.0.0.0       UG    0      0        0 vlan1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         85.21.0.255     0.0.0.0         UG    0      0        0 ppp0
0.0.0.0         10.188.0.1      0.0.0.0         UG    1      0        0 vlan1

Õîòåëîñü áû ÷òî ïîñëå ïîäíÿòèÿ èíòåðôåéñà tun0 âåñü òðàôèê ê ñåòè 10.0.0.0 øåë ÷åðåç íåãî. Ïîäñêàæèòå êàê

[Electro]

Óâàæàåìûå ãóðó, ïðîøó ïîìîùè ïî àäàïòàöèè ñêðèïòà äëÿ àâòî-ðåêîííåêòà VPNC îò DD-WRT, êîòîðûé îïóáëèêîâàí òóò: http://www.dd-wrt.com/wiki/index.php/VPNC .

Ó òîâàðèùà íà Ëèíêñèñ îí îòëè÷íî ðàáîòàåò, à íà Àñóñå êàê åñòü íå çàïóñêàåòñÿ.

Ïîìîãèòå ïîæàëóéñòà åãî ïåðåäåëàòü.

Ñïàñèáî.

Âîò ñàì ñêðèïò:

Code:

=========================================================
mkdir /tmp/etc/vpnc
rm -f /tmp/etc/vpnc/vpnc.sh
echo '
#!/bin/sh 
vpn_concentrator="host" ##enter ip or hostname of your Ipsec vpn concentrator
vpn_keepalive_host1="keepalive1"        ##enter the ip or hostname of a computer that is only reachable if vpn connection is established.
vpn_keepalive_host2="keepalive2"        ##enter the ip or hostname of a computer that is only reachable if vpn connection is established.
vpn_groupname="grid"  ##enter the group name here
vpn_grouppasswd="grppasswd"   ##enter the group password here
vpn_username="username"       ##enter your username here
vpn_password="password"        ##enter your password here

#--do not edit this--
#Written by Alain R. 28.Sep.2007
vpnc-disconnect
rm -f /tmp/etc/vpnc/vpn.conf
echo "
IPSec gateway $vpn_concentrator
IPSec ID $vpn_groupname
IPSec secret $vpn_grouppasswd
Xauth username $vpn_username
Xauth password $vpn_password
" >> /tmp/etc/vpnc/vpn.conf


pingtest1 () {
 ping -q -c1 $param1 >> /dev/null
 if [ "$?" == "0" ]; then
       echo 0 #reachable 
	
 else
	echo 1 #not reachable
 fi
}

pingtest2 () {
 ping -q -c2 $param2 >> /dev/null
 if [ "$?" == "0" ]; then
       echo 0 #reachable 
	
 else
	echo 1 #not reachable
 fi
}

while [ true ]; do
	param1=$vpn_concentrator;
	if [ "`pingtest1`" == "0" ]; then  #Vpn concentrator reachable
		doloop=1;
		while [ $doloop -gt 0 ]; do
			param1=$vpn_keepalive_host1;
			
			if [ "`pingtest1`" == "0" ]; then
				sleep 300
			else
				param2=$vpn_keepalive_host2;
				if [ "`pingtest2`" == "0" ]; then
					sleep 300
				else
					doloop=0;
					vpnc-disconnect
					vpnc /tmp/etc/vpnc/vpn.conf --dpd-idle 0
					sleep 1
					if [ "`pingtest1`" != "0" ]; then
						sleep 10
					fi
					tundev="`ifconfig |grep tun |cut -b 1-4`"
					iptables -A FORWARD -o $tundev -j ACCEPT
					iptables -A FORWARD -i $tundev -j ACCEPT
					iptables -t nat -A POSTROUTING -o $tundev -j MASQUERADE
					sleep 9
				fi
			fi
		done
	else
	sleep 10;
	fi
     
done

return 0;
' >> /tmp/etc/vpnc/vpnc.sh
chmod 700 /tmp/etc/vpnc/vpnc.sh
/tmp/etc/vpnc/vpnc.sh&
======================================================

[angelexe]

à çàïóñòèòü ñêðèïò è óçíàòü ÷åãî åìó íå õâàòàåò ðåëèãèÿ íå ïîçâîëÿåò?
ß êàê òî ïûòàëñÿ íàñòðîèòü vpnc íà ðîóòåðå, ñêàæó òàê, ÿ ýòî ñäåëà íî èç-çà ïåðåñåêàþùèõñÿ ñåòåé ðàáîòàòü ñ íèì íå ñìîã, ïîýòîìó ïðèøëîñü ñíåñòè.
Ïåðâûì äåëîì âàì íóæåí ìîäóëü tun â ÿäðå, âòîðîå ýòî óñòàíîâèòü ñàì vpnc, à òàì äàëüøå çàïóñòèòå ñêðèïò â êîíñîëå è óâèäèòå íà ÷òî îí ðóãàåòñÿ.
Ñêðèïò äîëæåí âûãëÿäåòü êàê òî òàê:

Code:

mkdir /opt/tmp/etc/vpnc
rm -f /opt/tmp/etc/vpnc/vpnc.sh
echo '
#!/bin/sh
vpn_concentrator="host" ##Ip cisco øëþçà
vpn_keepalive_host1="keepalive1" ##1 Ip çà öèñêî ïî êîòîðîìó ìîæíî òåñòèòü ñîåäèíåíèå.
vpn_keepalive_host2="keepalive2" ##2 Ip çà öèñêî ïî êîòîðîìó ìîæíî òåñòèòü ñîåäèíåíèå.
vpn_groupname="grid" ##Èìÿ ãðóïïû
vpn_grouppasswd="grppasswd" ##Ïàðîëü ãðóïïû
vpn_username="username" ##ëîãèí 
vpn_password="password" ##ïàðîëü

#--do not edit this--
#Written by Alain R. 28.Sep.2007
vpnc-disconnect
rm -f /opt/tmp/etc/vpnc/vpn.conf
echo "
IPSec gateway $vpn_concentrator
IPSec ID $vpn_groupname
IPSec secret $vpn_grouppasswd
Xauth username $vpn_username
Xauth password $vpn_password
" >> /opt/tmp/etc/vpnc/vpn.conf


pingtest1 () {
ping -q -c1 $param1 >> /dev/null
if [ "$?" == "0" ]; then
echo 0 #reachable

else
echo 1 #not reachable
fi
}

pingtest2 () {
ping -q -c2 $param2 >> /dev/null
if [ "$?" == "0" ]; then
echo 0 #reachable

else
echo 1 #not reachable
fi
}

while [ true ]; do
param1=$vpn_concentrator;
if [ "`pingtest1`" == "0" ]; then #Vpn concentrator reachable
doloop=1;
while [ $doloop -gt 0 ]; do
param1=$vpn_keepalive_host1;

if [ "`pingtest1`" == "0" ]; then
sleep 300
else
param2=$vpn_keepalive_host2;
if [ "`pingtest2`" == "0" ]; then
sleep 300
else
doloop=0;
vpnc-disconnect
vpnc /opt/tmp/etc/vpnc/vpn.conf --dpd-idle 0
sleep 1
if [ "`pingtest1`" != "0" ]; then
sleep 10
fi
tundev="`ifconfig |grep tun |cut -b 1-4`"
iptables -A FORWARD -o $tundev -j ACCEPT
iptables -A FORWARD -i $tundev -j ACCEPT
iptables -t nat -A POSTROUTING -o $tundev -j MASQUERADE
sleep 9
fi
fi
done
else
sleep 10;
fi

done

return 0;
' >> /opt/tmp/etc/vpnc/vpnc.sh
chmod 700 /tmp/etc/vpnc/vpnc.sh
/opt/tmp/etc/vpnc/vpnc.sh&

[Electro]

Äûê ó ìåíÿ óæå ðàáîòàåò VPNC, ïðè÷åì ïðåêðàñíî âñå ïàøåò è íè÷å íå ïåðåñåêàåòñÿ. Íî ïðîñòî ÷åðåç íåêîòîðîå âðåìÿ îòâàëèâàåòñÿ. Ïîýòìó ÿ è õîòåë èñïîëüçîâàòü ðåøåíèå îò ÂÐÒ. Ñïàñèáî çà îòâåò. Ïîïðîáóþ. Âîïðîñ: ïîñëå âûïîëíåíèÿ ýòîãî ñêðèïòà ìíå çàïèñàòü âñå âî ôëýø è ïîòîì çàïóñêàòü vpnc ïðè ñòàðòå òåì ñêðèïòîì ÷òî ïîëó÷èëñÿ íà âûõîäå ?

Ïîïðîáîâàë. Íå ðàáîòàåò ( íå ñîçäàåò íè÷å è íå ïàøåò. Ïðîñòèòå, ÿ â ëèíóõå ñëàá (

[Electro]

Òóò è ïîñåðüåçíåå çàäà÷è ðåøàëè!

[AndreyUA]

Èìååòñÿ óäàëåííàÿ ñåòêà, ê êîòîðîé íóæíî ïîäêëþ÷àòüñÿ ÷åðåç l2tp ipsec. Èìååòñÿ àéïè, ëîãèí, ïàðîëü è preshared key äëÿ äîñòóïà. Ïîä âèíäîâîé ìàøèíîé íàñòðîèòü ýòî ïîäêëþ÷åíèå íå ñîñòàâëÿåò îñîáîãî òðóäà. Ïîãóãëèâ, ÿ íå íàøåë êàêîé-ëèáî âðàçóìèòåëüíîé èíôû íà ýòîò ñ÷åò äëÿ ëèíóõà. Ìîæåò ó êîãî åñòü îïûò ïîäêëþ÷åíèÿ ðîóòåðà/ëèíóõîâîé_ìàøèíû ïîäîáíûì ñïîñîáîì? È âîîáùå, âîçìîæíî ëè çàìóòèòü ïîäîáíîå íà ðîóòåðå?

[sergeime]

Ó ìåíÿ âîò òàê ðàáîòàåò íà wl500gp2

Code:

#!/bin/sh
vpn_concentrator="xx.xx.xx.xx" ##enter ip or hostname of your Ipsec vpn concentrator
vpn_keepalive_host1="192.168.1.74"        ##enter the ip or hostname of a computer that is only reachable if vpn connection is established.
vpn_keepalive_host2="192.168.1.75"        ##enter the ip or hostname of a computer that is only reachable if vpn connection is established.
vpn_groupname="xxxx"  ##enter the group name here
vpn_grouppasswd="yyyy"   ##enter the group password here
vpn_username="xxxx"       ##enter your username here
vpn_password="yyyy"        ##enter your password here

LOG="/usr/bin/logger -t cisco-vpn"

mkdir /tmp/etc/vpnc

#--do not edit this--
#Written by Alain R. 28.Sep.2007
vpnc-disconnect
rm -f /tmp/etc/vpnc/vpn.conf
echo "
IPSec gateway $vpn_concentrator
IPSec ID $vpn_groupname
IPSec secret $vpn_grouppasswd
Xauth username $vpn_username
Xauth password $vpn_password
" >> /tmp/etc/vpnc/vpn.conf


pingtest1 () {
 if ping -q -c 1 $param1 >> /dev/null; then
        echo 0 #reachable
 else
        echo 1 #not reachable
 fi
}

pingtest2 () {
 if ping -q -c 1 $param2 >> /dev/null; then
        echo 0
 else
        echo 1
 fi
}

while [ true ]; do
        param1=$vpn_concentrator;
        if [ "`pingtest1`" = "0" ]; then  #Vpn concentrator reachable
                doloop=1;
                while [ $doloop -gt 0 ]; do
                        param1=$vpn_keepalive_host1;

                        if [ "`pingtest1`" = "0" ]; then
                                sleep 300
                        else
                                param2=$vpn_keepalive_host2;
                                if [ "`pingtest2`" = "0" ]; then
                                        sleep 300
                                else
                                        $LOG "Cisco VPN connection is dead, restarting"
                                        doloop=0;
                                        vpnc-disconnect
                                        vpnc /tmp/etc/vpnc/vpn.conf --dpd-idle 0
                                        sleep 1
                                        if [ "`pingtest1`" != "0" ]; then
                                                sleep 10
                                        fi
                                        tundev="`ifconfig |grep tun |cut -b 1-4`"
                                        iptables -A FORWARD -o $tundev -j ACCEPT
                                        iptables -A FORWARD -i $tundev -j ACCEPT
                                        iptables -t nat -A POSTROUTING -o $tundev -j MASQUERADE
                                        sleep 9
                                fi
                        fi
                done
        else
        sleep 10;
        fi

done

return 0;

[ser9ey]

Ïðèñîåäèíÿþñü
Åñòü ëè êàêèå-òî ïàêåòû äëÿ ïîäíÿòèÿ IPSec?
Ñóäÿ ïî âñåìó, ïîääåðæêà â ÿäðå åñòü

[YVM]

Ïðèñîåäèíÿþñü ê âîïðîñó. Õîòÿáû êëèåíò óñòàíîâèòü.

[lly]

Ïîñêîëüêó íà google âñåõ, âèäèìî, çàáàíèëè, ïîèñê â ôîðóìå îòìåíèëè, îòâå÷ó êðàòêî çäåñü.

Êëþ÷åâîå ñëîâî - OpenSWAN, íî åìó òðåáóåòñÿ åùå ìîäóëü ÿäðà êîòîðûé:

• íà ÿäðà 2.4.20 (1.9.2.7-10) ñïîðòèðîâàòü íåðåàëüíî
• íà ÿäðà 2.4.37 (1.9.2.7-d) ñïîðòèðîâàòü ðåàëüíî, íî ïîòðóäèòüñÿ ïðèä¸òñÿ
• åñòü íà ÿäðàõ 2.6 (OpenWRT)

Ïîñêîëüêó æåëàþùèõ ïîðòèðîâàòü è ñîáèðàòü òåñòîâûé ñòåíä íåò, òî íàìè ýòà çàäà÷à çàäâèíóòà â äàëüíèé óãîë.

[Hohmach]

À êàê æå FreeS/WAN ?

Íàïðèìåð â GPL Source Code îò WD NetCenter îí åñòü, à òàì 2.4.20 .