IPSEC tunnel julie.mixi.cz ⇒ USG
Commands
Debug, all of it on julie as root.
ipsec statusall
ip route list table 220
systemctl status strongswan
iptables -L
Setup
UXG
Documentation: https://help.ui.com/hc/en-us/articles/7983431932439-UniFi-Gateway-Site-to-Site-IPsec-VPN-with-Third-Party-Gateways-Advanced
Unifi Network → settings → VPN → Site-to-Site VPN:
- Pre-Shared Key - the same as the PSK on the server in /etc/ipsec.secrets
- Local IP - public IP of the home network (78.80.47.34)
- Remote IP - public IP of julie (89.187.142.93)
- VPN Type - route based
- Tunnel IP - off
- Remote Networks - 192.168.128.0/24
- Advanced:
  - KEX version - IKEv2
  - IKE+ESP - AES-256 + SHA256
  - PFS - yes
  - Local Auth ID - home.mixi.cz
  - Remote Auth ID - julie.mixi.cz
julie.mixi.cz
/etc/ipsec.conf
config setup
    # Uncomment for verbose charon logging while debugging (see journalctl -u strongswan)
    # charondebug="ike 2, knl 2, cfg 2"

conn %default
    keyexchange=ikev2
    # Proposals; the USG side is set to AES-256 + SHA256. modp1024 (DH group 2) is a
    # weak group, prefer modp2048 wherever the gateway accepts it
    ike=aes256-sha256-modp1024,aes256-sha1-modp2048
    esp=aes256-sha256-modp1024,aes256-sha1-modp2048
    # Dead peer detection: re-initiate the tunnel when the USG stops answering
    dpdaction=restart
    dpddelay=30s
    rekey=no
    leftauth=psk
    rightauth=psk
    left=%any
    right=%any

conn site-to-site
    auto=start
    pfs=yes                        # obsolete in strongSwan 5; PFS comes from the DH group in esp=
    left=%any
    leftid=@julie.mixi.cz          # must match "Remote Auth ID" on the USG
    leftsourceip=89.187.142.93     # Debian server's public IP address
    leftsubnet=192.168.128.0/24    # "Remote Networks" on the USG
    leftfirewall=yes               # the updown script adds the iptables FORWARD rules for the tunnel
    right=78.80.47.34              # USG's public IP address
    rightid=@home.mixi.cz          # must match "Local Auth ID" on the USG
    rightsubnet=192.168.1.0/24     # Local network behind the USG
/etc/ipsec.secrets
# empty selector: the PSK applies to any peer; keep this file readable by root only (mode 0600)
: PSK "<pre-shared_key>"
/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

# Virtual IP for IPSEC tunnel: a second stanza for eth0 adds this address
# (the leftsubnet side of the tunnel) alongside the DHCP one
iface eth0 inet static
    address 192.168.128.1
    netmask 255.255.255.0
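Check

An added health check that is not part of these notes: it wraps the `ipsec statusall` debug command and confirms that the site-to-site conn has an established IKE_SA, an installed CHILD_SA and the two subnets from ipsec.conf as traffic selectors. The `check_tunnel` function and both sample outputs are constructed for illustration (modelled on strongSwan's status format, not captured on julie).

```shell
#!/bin/sh
# Tunnel health check for the site-to-site conn on julie: reads `ipsec statusall`
# output from stdin and succeeds only if the named conn has an ESTABLISHED IKE_SA,
# an INSTALLED CHILD_SA, and the expected subnets as its traffic selectors.
# Live usage on julie (as root):
#   ipsec statusall | check_tunnel site-to-site 192.168.128.0/24 192.168.1.0/24
check_tunnel() {
    conn="$1"; left="$2"; right="$3"
    status=$(cat)
    # IKE_SA lines look like: site-to-site[3]: ESTABLISHED 2 hours ago, ...
    printf '%s\n' "$status" | grep -q "^${conn}\[[0-9]*\]: ESTABLISHED" || {
        echo "IKE_SA for $conn is not established" >&2; return 1; }
    # CHILD_SA lines look like: site-to-site{5}:  INSTALLED, TUNNEL, reqid 1, ...
    printf '%s\n' "$status" | grep -q "^${conn}{[0-9]*}: *INSTALLED, TUNNEL" || {
        echo "CHILD_SA for $conn is not installed" >&2; return 2; }
    # Traffic selector line: site-to-site{5}:   192.168.128.0/24 === 192.168.1.0/24
    printf '%s\n' "$status" | grep "^${conn}{[0-9]*}:" | grep -qF "${left} === ${right}" || {
        echo "selectors for $conn are not ${left} === ${right}" >&2; return 3; }
    return 0
}

# Constructed sample of a healthy tunnel (modelled on strongSwan output, not captured on julie)
SAMPLE_UP='Security Associations (1 up, 0 connecting):
site-to-site[3]: ESTABLISHED 2 hours ago, 89.187.142.93[julie.mixi.cz]...78.80.47.34[home.mixi.cz]
site-to-site[3]: IKEv2 SPIs: 0123456789abcdef_i* fedcba9876543210_r, rekeying disabled
site-to-site{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0ffee01_i c0ffee02_o
site-to-site{5}:   192.168.128.0/24 === 192.168.1.0/24'

# Constructed sample: IKE negotiated but no CHILD_SA installed, the usual picture
# when the subnets configured on the two sides do not match
SAMPLE_NO_CHILD='Security Associations (1 up, 0 connecting):
site-to-site[4]: ESTABLISHED 5 seconds ago, 89.187.142.93[julie.mixi.cz]...78.80.47.34[home.mixi.cz]'

printf '%s\n' "$SAMPLE_UP" | check_tunnel site-to-site 192.168.128.0/24 192.168.1.0/24 \
    && echo "tunnel site-to-site is healthy"
```

The return codes (1 = no IKE_SA, 2 = no CHILD_SA, 3 = wrong selectors) tell you which of the debug commands above to run next: `ipsec statusall` for the first two, `ip route list table 220` and `iptables -L` once the CHILD_SA is up.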