2010年6月16日水曜日

OpenswanとNetScreenとの接続

スズキです。

NetScreenは5GTで、OSのバージョンは"5.0.0r10.1"です。

Openswan側の設定(/etc/ipsec.conf)は、こんな感じです。

--------【ipsec.conf】--------
# Openswan side of a static site-to-site tunnel to a NetScreen 5GT.
# Keep "version 2.0" as the first significant line of the file.
version 2.0

config setup
  # NAT-T (UDP 4500 encapsulation) is allowed; both endpoints here are on
  # 192.168.11.0/24, so it only matters if a NAT appears between them.
  nat_traversal=yes
  # Private ranges a roadwarrior may claim as a virtual IP. Not used by the
  # static "netscreen" conn below, but note that 192.168.0.0/16 covers both
  # leftsubnet and rightsubnet; if a roadwarrior conn is added later, exclude
  # the local LAN with "%v4:!192.168.13.0/24" so it cannot be claimed.
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
  # Opportunistic encryption disabled: only explicitly configured conns come up.
  oe=off
  # Use the native Linux kernel IPsec stack.
  protostack=netkey

conn netscreen
  # Pre-shared key authentication; the secret itself lives in /etc/ipsec.secrets
  # (keep that file root-only). The NetScreen side uses the same PSK.
  authby=secret
  # Local gateway and the LAN behind it. leftsubnet/rightsubnet become the
  # proxy IDs (traffic selectors) and must mirror the NetScreen policy
  # 192.168.13.0/24 <-> 192.168.1.0/24 exactly.
  left=192.168.11.43
  leftsubnet=192.168.13.0/24
  leftnexthop=%defaultroute
  # Remote NetScreen untrust address and the LAN behind it.
  right=192.168.11.45
  rightsubnet=192.168.1.0/24
  rightnexthop=%defaultroute
  # Initiate as soon as the IPsec service starts.
  auto=start
  type=tunnel
  auth=esp
  # 3DES/SHA1 without PFS: presumably chosen to match the NetScreen
  # "sec-level compatible" proposal set. These are weak by current standards;
  # prefer AES with PFS (a DH group) if both sides can be changed together.
  ike=3des-sha1
  phase2alg=3des-sha1
  keyexchange=ike
  # IKE SA lifetime 8h, IPsec SA lifetime 1h.
  ikelifetime=28800s
  keylife=3600s
  pfs=no
--------

NetScreen側の設定は、こんな感じです。

ns5gt-> get config
--------
...
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface "tunnel.1" zone "Trust"
unset interface vlan1 ip
set interface trust ip 192.168.1.1/24
set interface trust route
set interface untrust ip 192.168.11.45/24
set interface untrust route
set interface tunnel.1 ip unnumbered interface trust
set interface untrust gateway 192.168.11.1
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage telnet
set interface untrust manage web
set interface trust dhcp server service
set interface trust dhcp server auto
set interface trust dhcp server option gateway 192.168.1.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server ip 192.168.1.10 to 192.168.1.20
set flow tcp-mss
set hostname ns5gt
set address "Trust" "192.168.1.0/24" 192.168.1.0 255.255.255.0
set address "Untrust" "192.168.13.0/24" 192.168.13.0 255.255.255.0
set ike gateway "Gateway for 192.168.13.0/24" address 192.168.11.43
Main outgoing-interface "untrust" preshare "XXXXXXXX" sec-level
compatible
unset ike policy-checking
set ike respond-bad-spi 1
set vpn "VPN for 192.168.13.0/24" gateway "Gateway for
192.168.13.0/24" replay tunnel idletime 0 sec-level compatible
set vpn "VPN for 192.168.13.0/24" id 1 bind interface tunnel.1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set policy id 3 from "Untrust" to "Trust" "192.168.13.0/24"
"192.168.1.0/24" "ANY" permit
set policy id 2 from "Trust" to "Untrust" "192.168.1.0/24"
"192.168.13.0/24" "ANY" permit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set vrouter "untrust-vr"
set vrouter "trust-vr"
unset add-default-route
set route 192.168.13.0/24 interface tunnel.1
...
--------

ポイントは"unset ike policy-checking"です。これをやっておかないと、Openswanが送るproxy ID(leftsubnet/rightsubnet)がNetScreen側のポリシーと厳密に照合され、
NetScreen側で下記のエラーが出力され、接続に失敗します。

Rejected an IKE packet on untrust from 192.168.11.43:500 to 192.168.11.45:500
with cookies xxxxxxxx and xxxxxxxx because the peer sent a proxy ID
that did not match the one in the SA config.

次はEC2上のOpenswanとの接続です…

--------
http://www.suz-lab.com
