IPSec routing configuration



  • Help me set up routing between offices.
    For example, there are three offices:
    1. Office1 ipnet 192.168.100.0/24
    2. Office2 ipnet 192.168.101.0/24
    3. Office3 ipnet 192.168.103.0/24
    IPSec is configured Office1<=>Office2 and Office1<=>Office3

    How do I set up routing between Office2 and Office3 without bringing up a tunnel between them?



  • on the gateway in office3, add a static route to office2 via office1
    on the gateway in office2, add a static route to office3 via office1

    on the gateway in office1, add static routes to the office2 and office3 networks via the corresponding addresses

    and of course allow the corresponding networks in the firewall on the LAN and IPSEC interfaces, in each of the offices

    something like that :)



  • It doesn't work.
    Here is what happens:

    • from office2, all computers on the Office1 network can be pinged
    • I added a route from the office to Office3 (192.168.103.0/24) via office1 (192.168.100.6)

    Packet analysis shows that the pings simply go to the external IP of office2, i.e. to the Internet!!! What's the problem?



  • are there static routes in office1?
    where do they point?
    from office2 and office3, the gateway must be the LAN IP of office1
    accordingly, the office2 and office3 networks must be reachable via their own LAN IP



  • Only, for some reason, netstat -r in office2 doesn't show the route I added??

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            195.5.5.203        UGS        0  459251    ng0
    209-80-113-92.pool lo0                UHS        0        0    lo0
    localhost          localhost          UH          0        0    lo0
    192.168.102.0      link#1            UC          0        0    rl0
    195.5.5.203        209-80-113-92.pool UH          1    2940    ng0

    But when I changed the route for subnet 192.168.106.0/24 to gateway IP 192.168.102.7, the route did get installed.
    So it looks like it doesn't know where to bind the route for the Office1 IP 192.168.100.6.

    Although pings from the office2 subnet to the office1 subnet do go through.






  • write out the addresses according to this scheme
    Office1, LAN IP, LAN NET/MASK, IPSEC Remote subnet, IPSEC Remote gateway



  • Office1 - IP: 192.168.100.5, Net: 192.168.100.0/24, IPSec Remote Subnet 192.168.102.0/24, IPSec Remote GateWay xxx.xxx.xxx.xxx (external IP of office2)
    Office2 - IP: 192.168.102.5, Net: 192.168.102.0/24, IPSec Remote Subnet 192.168.100.0/24, IPSec Remote GateWay yyy.yyy.yyy.yyy (external IP of office1)



  • Office1 settings
    System: Static Routes
      Destination network: 192.168.102.0/24
      Gateway: 192.168.100.5

    Office2 settings
    System: Static Routes
      Destination network: 192.168.100.0/24
      Gateway: 192.168.102.5

    I take it everything is open in the firewall?



  • Let me add

    Office1 settings
    Lan IP: 192.168.100.6
    IPsec:
      Remote Subnet: 192.168.102.0/24  Remote GateWay: xxx.xxx.xxx.xxx
      Remote Subnet: 192.168.104.0/24  Remote GateWay: zzz.zzz.zzz.zzz
    System: Static Routes
      Destination network: 192.168.102.0/24  Gateway: 192.168.102.5
      Destination network: 192.168.104.0/24  Gateway: 192.168.104.5

    Office2 settings
      Lan IP: 192.168.102.5
    IPsec:
      Remote Subnet: 192.168.100.0/24  Remote GateWay: yyy.yyy.yyy.yyy
    System: Static Routes
      Destination network: 192.168.104.0/24  Gateway: 192.168.100.6

    Office4 settings
      Lan IP: 192.168.104.5
    IPsec:
      Remote Subnet: 192.168.100.0/24  Remote GateWay: yyy.yyy.yyy.yyy
    System: Static Routes
      Destination network: 192.168.102.0/24  Gateway: 192.168.100.6

    There is connectivity Office1<=>Office2 and Office1<=>Office4.
    But I can't get routing between Office2 and Office4 to work.
    If I ping from Office2 to Office4, trafshow shows pings going from the external IP to 192.168.104.5.
    netstat -r in Office2 does not show the route I added (Destination network: 192.168.104.0/24  Gateway: 192.168.100.6), although it is listed in the web UI.



  • Don't you see the difference?
    I deliberately wrote what should be in the static routes; look carefully at the gateway.



  • I changed the settings. Now they look like this:
    Office1 settings
    Lan IP: 192.168.100.6
    IPsec:
     Remote Subnet: 192.168.102.0/24  Remote GateWay: xxx.xxx.xxx.xxx
     Remote Subnet: 192.168.104.0/24  Remote GateWay: zzz.zzz.zzz.zzz
    System: Static Routes
     Destination network: 192.168.102.0/24  Gateway: 192.168.102.5
     Destination network: 192.168.104.0/24  Gateway: 192.168.104.5

    Office2 settings
     Lan IP: 192.168.102.5
    IPsec:
     Remote Subnet: 192.168.100.0/24  Remote GateWay: yyy.yyy.yyy.yyy
    System: Static Routes
     Destination network: 192.168.100.0/24  Gateway: 192.168.102.5
     Destination network: 192.168.104.0/24  Gateway: 192.168.100.6

    Office4 settings
     Lan IP: 192.168.104.5
    IPsec:
     Remote Subnet: 192.168.100.0/24  Remote GateWay: yyy.yyy.yyy.yyy
    System: Static Routes
     Destination network: 192.168.100.0/24  Gateway: 192.168.104.5
     Destination network: 192.168.102.0/24  Gateway: 192.168.100.6

    Pings from Office2 to 192.168.104.5 don't go through. Error - Destination host unreachable
    and errors in the logs:
    Dec 22 14:21:12 kernel: arpresolve: can't allocate route for 192.168.100.6
    Dec 22 14:21:12 kernel: arplookup 192.168.100.6 failed: host is not on local network



  • traceroute from office2 to 192.168.100.6, 192.168.104.5

    and in office2, office4:
    System: Static Routes
      Destination network: 192.168.0.0/16  Gateway: LAN IP



  • Trace from the PF

    traceroute 192.168.100.4

    traceroute to 192.168.100.4 (192.168.100.4), 64 hops max, 40 byte packets
    1  dprouter (192.168.102.5)  0.679 ms  0.584 ms  0.498 ms
    2  * * *
    3  192.168.100.4 (192.168.100.4)  76.914 ms  57.086 ms  58.720 ms

    traceroute 192.168.100.6

    traceroute to 192.168.100.6 (192.168.100.6), 64 hops max, 40 byte packets
    1  dprouter (192.168.102.5)  0.655 ms  0.607 ms  0.450 ms
    2  * * *
    3  * * *
    4  * * *
    5  * * *
    6  *^C

    traceroute 192.168.104.5

    traceroute to 192.168.104.5 (192.168.104.5), 64 hops max, 40 byte packets
    traceroute: sendto: Invalid argument
    1 traceroute: wrote 192.168.104.5 40 chars, ret=-1
    *traceroute: sendto: Invalid argument

    Trace from the Office2 network
    C:>tracert 192.168.100.6
    Tracing route to 192.168.100.6 over a maximum of 30 hops
      1    1 ms    1 ms    1 ms  192.168.102.5
      2   56 ms   55 ms   55 ms  192.168.100.6
    Trace complete.
    C:>tracert 192.168.104.5
    Tracing route to 192.168.104.5 over a maximum of 30 hops
      1    1 ms    1 ms    1 ms  192.168.102.5
      2  192.168.102.5  reports: Destination host unreachable.
    Trace complete.
    C:>ping 192.168.104.5 /n 500
    Pinging 192.168.104.5 with 32 bytes of data:
    Reply from 192.168.102.5: Destination host unreachable.
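
    The following is an added example, not code from this thread and not m0n0wall/pfSense code. It is a small model of the Office2 gateway using the addresses posted above, and it reproduces the two symptoms reported: the static route to 192.168.104.0/24 via 192.168.100.6 that never appears in netstat -r (pings then leave in plaintext via the default route, as trafshow showed), and, once the 192.168.100.0/24 route via the LAN IP is added, the "arplookup 192.168.100.6 failed: host is not on local network" errors that produce the "Destination host unreachable" replies seen from the Windows client. Two facts drive it: a FreeBSD-style kernel only installs a route whose gateway is already reachable through an existing route, and on a policy-based IPsec gateway a packet is only tunnelled when a phase-2 selector (local subnet, remote subnet) matches its source and destination; nothing in a static route can substitute for that selector. The class name Gateway, the function office2, the client address 192.168.102.20 and the extra phase-2 selector in the third scenario are this example's own assumptions, not anything the thread proposes.

```python
# Added example (not from the forum thread, not m0n0wall/pfSense code): a model of a
# policy-based IPsec gateway, using the Office2 addresses posted in the thread.
from ipaddress import ip_address, ip_network


class Gateway:
    """Simplified FreeBSD-style forwarding on a policy-based IPsec gateway."""

    def __init__(self, lan_cidr, lan_ip, wan_ip):
        self.lan = ip_network(lan_cidr)
        self.lan_ip = ip_address(lan_ip)
        self.wan_ip = wan_ip                  # external IP; a placeholder, as in the thread
        self.spd = []                         # phase-2 selectors: (local_net, remote_net)
        self.routes = [(self.lan, None)]      # (destination, gateway); None = directly connected

    def add_phase2(self, local_cidr, remote_cidr):
        self.spd.append((ip_network(local_cidr), ip_network(remote_cidr)))

    def lookup(self, dst):
        """Longest-prefix match over non-default routes; None means 'default route'."""
        best = None
        for dest, via in self.routes:
            if dst in dest and (best is None or dest.prefixlen > best[0].prefixlen):
                best = (dest, via)
        return best

    def add_static_route(self, dest_cidr, via):
        """route(8) refuses a gateway that no existing route can reach ('Network is
        unreachable'): the web UI still lists the entry, netstat -r does not."""
        via = ip_address(via)
        if self.lookup(via) is None:
            return False
        self.routes.append((ip_network(dest_cidr), via))
        return True

    def egress(self, src, dst):
        """Verdict for a packet src -> dst arriving from the LAN, as a short string."""
        src, dst = ip_address(src), ip_address(dst)
        hit = self.lookup(dst)
        # Policy-based IPsec: the SPD is consulted before link-layer output, so a
        # matching selector wins regardless of which route was chosen.
        for local, remote in self.spd:
            if src in local and dst in remote:
                return f"ipsec: ESP-encapsulated, selector {local} -> {remote}"
        if hit is None:
            return f"default route: plaintext out WAN {self.wan_ip} (to the Internet)"
        dest, via = hit
        first_hop = via
        # Resolve the next hop recursively until a connected network is reached. A
        # gateway equal to our own LAN IP (the 'Gateway: LAN IP' idiom in the thread)
        # is treated as "ourselves, on the LAN interface" (a simplification).
        for _ in range(8):
            if via is None:
                break
            if via == self.lan_ip:
                dest = self.lan
                break
            nxt = self.lookup(via)
            if nxt is None:
                return f"drop: no route to gateway {via}"
            dest, via = nxt
        # ARP is attempted for the *first* gateway on the interface we ended up on.
        if first_hop not in (None, self.lan_ip) and first_hop not in dest:
            return (f"drop: arplookup {first_hop} failed: host is not on local network "
                    f"-> ICMP host unreachable to {src}")
        return f"forward on LAN via {first_hop or 'connected'}"


def office2(extra_lan_ip_route=False, spoke_to_spoke_phase2=False):
    """Office2 as posted; the flags reproduce the later edit and one assumed fix."""
    gw = Gateway("192.168.102.0/24", "192.168.102.5", "xxx.xxx.xxx.xxx")
    gw.add_phase2("192.168.102.0/24", "192.168.100.0/24")   # the existing tunnel to Office1
    if extra_lan_ip_route:                                    # the 'Gateway: LAN IP' route
        gw.add_static_route("192.168.100.0/24", "192.168.102.5")
    if spoke_to_spoke_phase2:
        # Assumption of this example, not the thread's: a second selector towards the
        # Office1 endpoint covering Office4 (Office1 and Office4 would need mirrors).
        gw.add_phase2("192.168.102.0/24", "192.168.104.0/24")
    installed = gw.add_static_route("192.168.104.0/24", "192.168.100.6")
    # 192.168.102.20 is a made-up client on the Office2 LAN
    return installed, gw.egress("192.168.102.20", "192.168.104.5")


if __name__ == "__main__":
    print(office2())                                             # route rejected, plaintext to WAN
    print(office2(extra_lan_ip_route=True))                      # route installed, arplookup fails
    print(office2(extra_lan_ip_route=True, spoke_to_spoke_phase2=True))
    print(office2(spoke_to_spoke_phase2=True))                   # tunnelled without any static route
```

    Running it prints the three outcomes in the order the thread encountered them, plus the case where the selector alone carries the traffic: the static route is irrelevant once the selector exists, and no static route makes the packet take the tunnel when it does not.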



  • There's no way.

