VPN for a PBX system

Hello,
I have the following challenge: for current Alcatel PBX systems there is an option to make the system establish an outgoing VPN. For that I can configure the following:
http://imgur.com/3YotO65
As a reference guide for my end there is unfortunately only a guide for Fortigate; I tried to replicate it with pfSense, which must be possible since I have already heard of it being done there, but I get no information from that side. Excerpt from the guide for PSK:
I can also provide the complete PDF, but that does not work as an attachment; if needed I will provide a link.
config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.0.0.2 255.255.255.0
        set allowaccess ping
        set type physical
    next
    edit "internal"
        set vdom "root"
        set ip 172.26.190.2 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "oxovpn"
        set vdom "root"
        set ip 0.0.0.0 255.255.255.255
        set allowaccess ping
        set type tunnel
        set interface "wan1"
    next
end
config user group
    edit "oxovpnusers"
        set member "user1"
    next
end
config user local
    edit "user1"
        set type password
        set passwd user1_password
    next
end
config router static
    edit 1
        set device "wan1"
        set gateway 10.0.0.1
    next
end
config vpn ipsec phase1-interface
    edit "oxovpn"
        set type dynamic
        set interface "wan1"
        set keylife 14400
        set xauthtype auto
        set mode aggressive
        set mode-cfg enable
        set proposal aes256-sha256
        set localid "30.0.0.1"
        set dhgrp 14
        set authusrgrp "oxovpnusers"
        set ipv4-start-ip 10.215.0.1
        set ipv4-end-ip 10.215.0.255
        set ipv4-netmask 255.255.255.0
        set psksecret presharedkey
        set keepalive 30
    next
end
config vpn ipsec phase2-interface
    edit "oxovpnp2"
        set keepalive enable
        set phase1name "oxovpn"
        set proposal aes256-sha256
        set keylifeseconds 12000
        set dhgrp 14
    next
end
config firewall vip
    edit "oxo2forti"
        set extip 30.0.0.1
        set extintf "oxovpn"
        set mappedip 10.0.0.2
    next
end
config firewall ippool
    edit "natr"
        set endip 30.0.0.1
        set startip 30.0.0.1
        set arp-reply disable
    next
end
config firewall address
    edit "oxovpn_range"
        set type iprange
        set start-ip 10.215.0.1
        set end-ip 10.215.0.255
    next
    edit "ws_range"
        set associated-interface "internal"
        set subnet 172.26.190.0 255.255.255.0
        set allow-routing enable
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "oxovpn"
        set srcaddr "ws_range"
        set dstaddr "oxovpn_range"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set ippool enable
        set poolname "natr"
    next
    edit 2
        set srcintf "oxovpn"
        set dstintf "wan1"
        set srcaddr "oxovpn_range"
        set dstaddr "oxo2forti"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
    next
end
999.999.999.999 is my public IP.
111.111.111.111 is the dynamic IP of the Internet connection the PBX is behind.
My ipsec.conf:
conn con2
    fragmentation = yes
    keyexchange = ike
    reauth = yes
    forceencaps = yes
    mobike = yes
    rekey = no
    installpolicy = yes
    type = tunnel
    dpdaction = none
    auto = add
    left = 999.999.999.999
    right = %any
    leftid = "pfsense"
    ikelifetime = 14400s
    lifetime = 12000s
    rightsourceip = 10.1.254.10/24
    ike = aes256-sha256-modp2048!
    esp = aes256-sha256-modp2048!
    leftauth = psk
    rightauth = psk
    aggressive = yes
    leftsubnet = 10.1.254.0/24
And here is the log of a dial-in attempt...
Aug 29 12:27:55 charon 15[NET] <1> received packet: from 111.111.111.111[798] to 999.999.999.999[500] (448 bytes)
Aug 29 12:27:55 charon 15[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Aug 29 12:27:55 charon 15[CFG] <1> looking for an ike config for 999.999.999.999...111.111.111.111
Aug 29 12:27:55 charon 15[CFG] <1> candidate: 999.999.999.999...%any, prio 1048
Aug 29 12:27:55 charon 15[CFG] <1> found matching ike config: 999.999.999.999...%any with prio 1048
Aug 29 12:27:55 charon 15[IKE] <1> 111.111.111.111 is initiating an IKE_SA
Aug 29 12:27:55 charon 15[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Aug 29 12:27:55 charon 15[CFG] <1> selecting proposal:
Aug 29 12:27:55 charon 15[CFG] <1> proposal matches
Aug 29 12:27:55 charon 15[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 29 12:27:55 charon 15[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 29 12:27:55 charon 15[CFG] <1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 29 12:27:55 charon 15[IKE] <1> remote host is behind NAT
Aug 29 12:27:55 charon 15[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 29 12:27:55 charon 15[NET] <1> sending packet: from 999.999.999.999[500] to 111.111.111.111[798] (456 bytes)
Aug 29 12:27:56 charon 09[NET] <1> received packet: from 111.111.111.111[55227] to 999.999.999.999[4500] (288 bytes)
Aug 29 12:27:56 charon 09[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 29 12:27:56 charon 09[CFG] <1> looking for peer configs matching 999.999.999.999[999.999.999.999]...111.111.111.111[OXO]
Aug 29 12:27:56 charon 09[CFG] <1> no matching peer config found
Aug 29 12:27:56 charon 09[IKE] <1> processing INTERNAL_IP4_ADDRESS attribute
Aug 29 12:27:56 charon 09[IKE] <1> processing INTERNAL_IP4_DNS attribute
Aug 29 12:27:56 charon 09[IKE] <1> peer supports MOBIKE
Aug 29 12:27:56 charon 09[ENC] <1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 29 12:27:56 charon 09[NET] <1> sending packet: from 999.999.999.999[4500] to 111.111.111.111[55227] (80 bytes)
Aug 29 12:27:56 charon 09[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
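As an added troubleshooting example (not part of the original post, and not code from pfSense, strongSwan or Alcatel): a small Python script that reads charon log lines like the ones above and the identity settings from an ipsec.conf, and reports at which stage of the IKEv2 exchange the responder gave up and which identities (IDr, IDi) the peer-config lookup used. The sample log and conf are constructed from the post's own lines with its placeholder addresses. The comparison of leftid/rightid against the received IDr/IDi is a plain string check, which only approximates strongSwan's type-aware ID matching; that an IDr/leftid mismatch is one common cause of "no matching peer config found" is general strongSwan behaviour, not something the post itself confirms.

```python
import re
from typing import Dict, List

# Constructed sample: the decisive lines from the charon log in the post,
# placeholder addresses (999.999.999.999 / 111.111.111.111) kept as-is.
SAMPLE_LOG = """\
Aug 29 12:27:55 charon 15[CFG] <1> looking for an ike config for 999.999.999.999...111.111.111.111
Aug 29 12:27:55 charon 15[CFG] <1> found matching ike config: 999.999.999.999...%any with prio 1048
Aug 29 12:27:55 charon 15[CFG] <1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 29 12:27:55 charon 15[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Aug 29 12:27:56 charon 09[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr ]
Aug 29 12:27:56 charon 09[CFG] <1> looking for peer configs matching 999.999.999.999[999.999.999.999]...111.111.111.111[OXO]
Aug 29 12:27:56 charon 09[CFG] <1> no matching peer config found
Aug 29 12:27:56 charon 09[ENC] <1> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 29 12:27:56 charon 09[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
"""

# Constructed sample: the identity-related settings of the post's ipsec.conf.
SAMPLE_IPSEC_CONF = """\
conn con2
    left = 999.999.999.999
    right = %any
    leftid = "pfsense"
    leftauth = psk
    rightauth = psk
"""

# "looking for peer configs matching LOCALADDR[IDr]...REMOTEADDR[IDi]"
PEER_LOOKUP = re.compile(
    r"looking for peer configs matching "
    r"(?P<laddr>\S+?)\[(?P<lid>[^\]]+)\]\.\.\.(?P<raddr>\S+?)\[(?P<rid>[^\]]+)\]"
)
SELECTED_PROPOSAL = re.compile(r"selected proposal: (?P<prop>\S+)")
AUTH_NOTIFY = re.compile(r"generating IKE_AUTH response \d+ \[ N\((?P<notify>\w+)\) \]")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: 'conn NAME' sections holding 'key = value' lines."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conns[current][key] = value.strip('"')
    return conns


def parse_charon_log(text: str) -> Dict[str, object]:
    """Extract the negotiation milestones from charon log lines."""
    info: Dict[str, object] = {
        "ike_config_found": False,   # IKE_SA_INIT: address/proposal match
        "peer_config_found": None,   # IKE_AUTH: None = lookup never reached
        "local_id": None,            # IDr the peer addressed us with
        "remote_id": None,           # IDi the peer presented
        "selected_proposal": None,
        "auth_notify": None,         # notify sent in the IKE_AUTH response
    }
    for line in text.splitlines():
        if "found matching ike config" in line:
            info["ike_config_found"] = True
        if (m := SELECTED_PROPOSAL.search(line)):
            info["selected_proposal"] = m.group("prop")
        if (m := PEER_LOOKUP.search(line)):
            info["local_id"], info["remote_id"] = m.group("lid"), m.group("rid")
            info["peer_config_found"] = True   # reset below if the lookup fails
        if "no matching peer config found" in line:
            info["peer_config_found"] = False
        if (m := AUTH_NOTIFY.search(line)):
            info["auth_notify"] = m.group("notify")
    return info


def diagnose(info: Dict[str, object], conns: Dict[str, Dict[str, str]]) -> List[str]:
    """Turn the parsed milestones into human-readable findings."""
    findings: List[str] = []
    if not info["ike_config_found"]:
        findings.append("IKE_SA_INIT: no ike config matched (check left/right and the ike= proposal)")
        return findings
    findings.append(f"IKE_SA_INIT ok, proposal {info['selected_proposal']}")
    if info["peer_config_found"] is False:
        findings.append(f"IKE_AUTH: no peer config for IDr={info['local_id']} IDi={info['remote_id']}")
        # Unset leftid/rightid default to %any here; a set value must equal the received ID
        # (string equality only; strongSwan also compares ID types, e.g. FQDN vs IPv4).
        for name, conn in conns.items():
            leftid, rightid = conn.get("leftid", "%any"), conn.get("rightid", "%any")
            if leftid != "%any" and leftid != info["local_id"]:
                findings.append(f"conn {name}: leftid '{leftid}' differs from received IDr '{info['local_id']}'")
            if rightid != "%any" and rightid != info["remote_id"]:
                findings.append(f"conn {name}: rightid '{rightid}' differs from received IDi '{info['remote_id']}'")
    if info["auth_notify"]:
        findings.append(f"responder answered IKE_AUTH with N({info['auth_notify']})")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_charon_log(SAMPLE_LOG), parse_ipsec_conf(SAMPLE_IPSEC_CONF)):
        print(finding)
```

Run against a real log, feed the full charon output (with `charondebug` at the default level, the CFG lines quoted in the post are enough) and the live ipsec.conf; the script only reads, it changes nothing on the gateway.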