#52 IPSec on many IP ranges from one subnet

open
nobody
5
2011-09-22
2011-09-22
Danila St
No

Here is the initial configuration for a Zyxel Zywall 35: multiple VPN channels in the same subnet, each connected to a partial range of a different subnet, as follows:

server
192.168.1.0/24 ------------------------------------ 192.168.7.1-192.168.7.5   (Client 1)
       |
       +------------------------------------------- 192.168.7.6-192.168.7.10  (Client 2)
       |
       +------------------------------------------- 192.168.7.11-192.168.7.15 (Client 3)

However much I searched the internet, I could not find how to implement this configuration. As I understand it, an IPsec configuration on Linux cannot specify an IP range located inside a subnet; you can only specify a whole subnet. Are there any IPsec implementations that support this? Does your product, and how is it implemented?

For now I have decided to forward the entire subnet to each client. Here is a diagram:

server
192.168.1.0/24 ------------------------------------ 192.168.7.0/24 (Client 1)
       |
       +------------------------------------------- 192.168.7.0/24 (Client 2)
       |
       +------------------------------------------- 192.168.7.0/24 (Client 3)

Below are the configuration files:

racoon:

path pre_shared_key "/etc/racoon/psk.txt";

remote 192.168.5.10 {
exchange_mode main;

# Gateway(ike) proposal
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp768;
}
}

remote 192.168.5.11 {
exchange_mode main;

# Gateway(ike) proposal
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp768;
}
}

remote 192.168.5.12 {
exchange_mode main;

# Gateway(ike) proposal
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp768;
}
}

sainfo address 192.168.1.0/24 any address 192.168.7.0/24 any {
encryption_algorithm des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}

ipsec.conf:

#!/usr/sbin/setkey -f
#
#flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 192.168.1.0/24 192.168.7.0/24 any -P out ipsec
esp/tunnel/192.168.5.1-192.168.5.10/require;

spdadd 192.168.7.0/24 192.168.1.0/24 any -P in ipsec
esp/tunnel/192.168.5.10-192.168.5.1/require;

spdadd 192.168.1.0/24 192.168.7.0/24 any -P out ipsec
esp/tunnel/192.168.5.1-192.168.5.11/require;

spdadd 192.168.7.0/24 192.168.1.0/24 any -P in ipsec
esp/tunnel/192.168.5.11-192.168.5.1/require;

spdadd 192.168.1.0/24 192.168.7.0/24 any -P out ipsec
esp/tunnel/192.168.5.1-192.168.5.12/require;

spdadd 192.168.7.0/24 192.168.1.0/24 any -P in ipsec
esp/tunnel/192.168.5.12-192.168.5.1/require;

After restarting racoon, the following errors appeared:

# /etc/init.d/racoon restart
* Stopping racoon ... [ ok ]
* Flushing policy entries ... [ ok ]
* Loading ipsec policies from /etc/ipsec.conf.
The result of line 23: File exists.
The result of line 26: File exists.
The result of line 26: File exists.
The result of line 33: File exists.

Is this scheme realizable? Or am I doing something wrong? Please advise.
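The "File exists" results above come from the kernel rejecting a second SPD entry with an identical selector (EEXIST): the posted ipsec.conf adds the same 192.168.1.0/24 to 192.168.7.0/24 policy three times, once per client, and setkey can only keep the first. The script below is an added example, not part of the post and not code from the Zywall or racoon projects. It generates non-overlapping setkey policies for the per-client ranges from the first diagram by splitting each inclusive range into the CIDR blocks that setkey selectors require (setkey only accepts address/prefixlen, so 192.168.7.1-192.168.7.5 becomes three blocks), and it checks any list of spdadd lines for duplicate selectors. The tunnel endpoints 192.168.5.1 and 192.168.5.10-12 are taken from the posted ipsec.conf; the per-client ranges are the ones in the first diagram.

```python
import ipaddress
from collections import Counter

# Constructed layout taken from the post's first diagram and its ipsec.conf:
# the server-side subnet, the server's tunnel endpoint, and for each client
# its tunnel endpoint and the inclusive address range it should reach.
SERVER_GW = "192.168.5.1"
SERVER_NET = "192.168.1.0/24"
CLIENTS = {
    "192.168.5.10": ("192.168.7.1", "192.168.7.5"),     # Client 1
    "192.168.5.11": ("192.168.7.6", "192.168.7.10"),    # Client 2
    "192.168.5.12": ("192.168.7.11", "192.168.7.15"),   # Client 3
}


def range_to_prefixes(first, last):
    """Split an inclusive IPv4 range into the minimal CIDR blocks that cover
    it exactly. setkey selectors are address/prefixlen, so a range such as
    192.168.7.1-192.168.7.5 has to be written as several blocks."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def build_spd(server_gw, server_net, clients):
    """Generate setkey 'spdadd' lines: one 'out' and one 'in' policy per CIDR
    block per client, each pointing at that client's tunnel endpoint. Because
    the blocks do not overlap, every (src, dst, proto, dir) selector is unique."""
    lines = ["flush;", "spdflush;"]
    for client_gw, (first, last) in clients.items():
        for block in range_to_prefixes(first, last):
            lines.append(f"spdadd {server_net} {block} any -P out ipsec "
                         f"esp/tunnel/{server_gw}-{client_gw}/require;")
            lines.append(f"spdadd {block} {server_net} any -P in ipsec "
                         f"esp/tunnel/{client_gw}-{server_gw}/require;")
    return lines


def duplicate_selectors(spd_lines):
    """Return every selector (src, dst, upper-layer proto, direction) that is
    added more than once. The kernel refuses the second identical policy with
    EEXIST, which setkey reports as 'File exists'."""
    seen = Counter()
    for line in spd_lines:
        parts = line.split()
        if not parts or parts[0] != "spdadd":
            continue
        # spdadd SRC DST PROTO -P DIR ipsec ...
        seen[(parts[1], parts[2], parts[3], parts[5])] += 1
    return [sel for sel, n in seen.items() if n > 1]


# The policies as posted (the whole /24 for every client), for comparison.
POSTED_SPD = [
    "spdadd 192.168.1.0/24 192.168.7.0/24 any -P out ipsec esp/tunnel/192.168.5.1-192.168.5.10/require;",
    "spdadd 192.168.7.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/192.168.5.10-192.168.5.1/require;",
    "spdadd 192.168.1.0/24 192.168.7.0/24 any -P out ipsec esp/tunnel/192.168.5.1-192.168.5.11/require;",
    "spdadd 192.168.7.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/192.168.5.11-192.168.5.1/require;",
    "spdadd 192.168.1.0/24 192.168.7.0/24 any -P out ipsec esp/tunnel/192.168.5.1-192.168.5.12/require;",
    "spdadd 192.168.7.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/192.168.5.12-192.168.5.1/require;",
]

if __name__ == "__main__":
    print("# duplicates in posted policies:", duplicate_selectors(POSTED_SPD))
    generated = build_spd(SERVER_GW, SERVER_NET, CLIENTS)
    print("# duplicates in generated policies:", duplicate_selectors(generated))
    print("\n".join(generated))
```

Two things the generated policies do not cover: racoon's sainfo blocks must match the narrower selectors (one sainfo per block, or sainfo anonymous), and the Zywall end must be configured with the same per-client selectors, which the post does not show. Separately, the posted proposals (des, md5, modp768) are long-deprecated algorithm choices and should be replaced on both ends regardless of how the ranges are split.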

Discussion