
@alanyoshida
Last active February 10, 2017 20:03
IPSEC

Start the service

service ipsec start

Restart the service

service ipsec restart

Re-read the secrets file (/etc/ipsec.secrets) without restarting the daemon

ipsec auto --rereadsecrets

Add a tunnel (loads its conn section from ipsec.conf)

ipsec auto --add <tunnelname>

Bring the tunnel up

ipsec auto --up <tunnelname>

Check whether the tunnel came up

service ipsec status

Show the state of the tunnel negotiation (ISAKMP/IPsec SA established or still trying)

ipsec auto --status

Check the host for configuration problems (kernel IPsec support, forwarding, ICMP redirects)

ipsec verify

Watch the log on screen, refreshing every 2 seconds

watch tail -n 100 /var/log/pluto.log

Page through the last 1000 lines of the log

tail -n 1000 /var/log/pluto.log | less

Other logs

/var/log/auth.log
/var/log/syslog

Configuration files

/etc/ipsec.conf
/etc/ipsec.secrets

System configuration (sysctl)

/etc/sysctl.conf

Make sure these options are set (forwarding so the gateway routes between the two subnets; redirects off so the kernel neither sends nor honours ICMP redirects, which ipsec verify warns about):

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Reload sysctl.conf

sysctl -p

Two commands to check the routing table

ip route
route

FIREWALL

LIST THE RULES IN THE FILTER TABLE

iptables -nL

LIST THE RULES IN THE NAT TABLE (REDIRECTION / ADDRESS TRANSLATION)

iptables -nL -t nat

FLUSH THE RULES IN THE FILTER TABLE

iptables -F

FLUSH THE RULES IN THE NAT TABLE

iptables -t nat -F

FLUSH THE RULES IN THE MANGLE TABLE

iptables -t mangle -F

SET THE DEFAULT POLICY TO ACCEPT EVERYTHING ON THE INPUT, FORWARD AND OUTPUT CHAINS (this leaves the host wide open; use it only while debugging the tunnel, then restore the real rules)

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

SCRIPT TO DISABLE ICMP REDIRECTS ON LINUX (live values; sysctl.conf above is what persists across reboots)

#!/bin/bash
# Turn off sending and accepting ICMP redirects on every interface that
# currently exists (including the "all" and "default" pseudo-entries).
for vpn in /proc/sys/net/ipv4/conf/*; do
    echo 0 > "$vpn/accept_redirects"
    echo 0 > "$vpn/send_redirects"
done
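The sysctl.conf settings above and the /proc loop in this script set the same three knobs. The checker below is an added example, not part of the gist: it reads a sysctl.conf-style file and reports, for each required key, OK, WRONG (with the value found) or MISSING, applying the same rule as sysctl -p (comments ignored, last assignment wins). The file path and the sample file are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the gist: audit a sysctl.conf-style file for the
# three settings an IPsec gateway needs (forwarding on, ICMP redirects off).
# The file path is whatever you pass in; the sample used in testing is
# constructed for the demonstration.

# Required keys and the value each must have.
required_settings() {
    cat <<'EOF'
net.ipv4.ip_forward 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
EOF
}

# lookup_key FILE KEY: print the value of KEY as sysctl -p would apply it.
# Comments (# or ;) are stripped, whitespace around '=' is ignored, and when a
# key appears more than once the last assignment wins, exactly as sysctl -p
# applies the file top to bottom. Prints nothing when the key is absent.
lookup_key() {
    sed -e 's/[#;].*$//' "$1" | awk -F'=' -v k="$2" '
        NF >= 2 {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if ($1 == k) v = $2
        }
        END { if (v != "") print v }'
}

# audit_sysctl FILE: one line per required key: OK, WRONG (value found) or
# MISSING (key never set, so the kernel default, not yours, stays in force).
audit_sysctl() {
    required_settings | while read -r key want; do
        have=$(lookup_key "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key want=$want"
        elif [ "$have" = "$want" ]; then
            echo "OK $key=$have"
        else
            echo "WRONG $key=$have want=$want"
        fi
    done
}

# sysctl_ok FILE: succeed only when every required key is present and correct.
sysctl_ok() {
    ! audit_sysctl "$1" | grep -qv '^OK '
}

# Usage: ./audit_sysctl.sh /etc/sysctl.conf  (exit status 0 only if all OK)
if [ "$#" -eq 1 ]; then
    audit_sysctl "$1"
    sysctl_ok "$1"
fi
```

Run it against /etc/sysctl.conf before sysctl -p. A MISSING key is the case to watch for: the file loads without error, but the kernel default remains in force for that interface setting, and ipsec verify will still complain.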

SCRIPT TO OPEN THE FIREWALL FOR IPSEC

#!/bin/bash
# IKE (udp/500) and NAT-T (udp/4500). NAT traversal only uses UDP, so the
# tcp/4500 rule does nothing useful (kept as in the original).
# ESP (IP protocol 50) is not opened here; the VivaOLinux script below does that.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

siteAprivatesubnet=192.168.1.0/24
siteBprivatesubnet=192.168.0.0/24
siteApublicip=987.654.321.123   # placeholder, not a valid IPv4 address; replace with site A's real public IP

# SNAT traffic from site A's LAN to site B's LAN so it leaves with site A's public address.
# This only makes sense when the tunnel is defined host-to-subnet (site A's selector is
# its public IP). For a subnet-to-subnet tunnel do NOT NAT this traffic: once the source
# is rewritten the packet no longer matches the IPsec policy and leaves unencrypted.
iptables -t nat -A POSTROUTING -s $siteAprivatesubnet -d $siteBprivatesubnet -j SNAT --to $siteApublicip

VIVAOLINUX SCRIPT TO OPEN THE FIREWALL (NAT gateway that also terminates the VPN)

#!/bin/bash

rede1=192.168.10.0/25 # subnet at one end of the VPN
rede2=10.0.0.0/25 # subnet at the other end of the VPN

# (on current kernels the FTP NAT helper is called nf_nat_ftp)
modprobe ip_nat_ftp
modprobe iptable_nat

if [ "$#" = 0 ]
then
    echo "Usage: rc.nat start or rc.nat stop"
    exit 2
fi

if [ "$1" = start ]
then

    ### Provides internet access. This is the crux: only traffic NOT destined for $rede1
    ### is masqueraded, so packets for the far end keep their private source address and
    ### still match the IPsec policy. ("-d ! $rede1" is the obsolete negation syntax;
    ### current iptables requires "! -d".)

    iptables -t nat -A POSTROUTING ! -d $rede1 -o eth1 -j MASQUERADE

    ## Open the IPsec ports/protocols: IKE (udp/500), ESP (50) and AH (51).
    ## NAT-T (udp/4500) is not opened here; add it if either end sits behind NAT.
    iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
    iptables -A INPUT -p 50 -j ACCEPT
    iptables -A OUTPUT -p 50 -j ACCEPT
    iptables -A INPUT -p 51 -j ACCEPT
    iptables -A OUTPUT -p 51 -j ACCEPT
    ## tcp/2020 is not an IPsec port; it is specific to the original setup, drop it if you do not need it
    iptables -A INPUT -p tcp --sport 2020 --dport 2020 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 2020 --dport 2020 -j ACCEPT

    exit 0
fi

if [ "$1" = stop ]
then
    # only the nat table is flushed; the filter rules added by "start" stay in place
    iptables -t nat -F
    exit 0
fi
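Both firewall scripts above open the IPsec ports one iptables call at a time, and each has a gap (one has no ESP rule, the other no NAT-T rule, and neither fails closed when the tunnel is down). The generator below is an added example, not from the gist or the linked tutorials: it prints a complete iptables-restore ruleset for one end of a site-to-site tunnel, validates the subnets first, keeps tunnel traffic out of the masquerade with the policy match, and drops traffic for the remote subnet that has no IPsec policy so nothing leaks in the clear. Subnets, interface name and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not from the gist or the linked tutorials: print an
# iptables-restore ruleset for one end of a site-to-site IPsec tunnel.
# Subnets, the WAN interface name and the sample values are assumptions;
# nothing here touches the running firewall.

# valid_cidr A.B.C.D/N: cheap sanity check so bad input fails here rather
# than half-way through iptables-restore.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    IFS=. read -r a b c d <<ADDR
${1%/*}
ADDR
    for octet in "$a" "$b" "$c" "$d"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# ipsec_ruleset LOCAL_SUBNET REMOTE_SUBNET WAN_IF
#  - INPUT accepts IKE (udp/500), NAT-T (udp/4500), ESP and AH. There is no
#    tcp/4500: NAT traversal uses UDP only.
#  - FORWARD passes traffic between the two subnets only when the kernel holds
#    an IPsec policy for it (-m policy). Anything else addressed to the remote
#    subnet is dropped, so a tunnel that is down fails closed instead of
#    leaking packets in the clear through the masquerade.
#  - The POSTROUTING exemption precedes MASQUERADE: a tunnel packet whose
#    source is rewritten no longer matches the IPsec policy and would leave
#    unencrypted.
ipsec_ruleset() {
    local_net=$1; remote_net=$2; wan_if=$3
    valid_cidr "$local_net"  || { echo "bad local subnet: $local_net" >&2; return 1; }
    valid_cidr "$remote_net" || { echo "bad remote subnet: $remote_net" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $local_net -d $remote_net -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A FORWARD -s $remote_net -d $local_net -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -s $local_net -d $remote_net -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -d $remote_net -j DROP
-A FORWARD -s $local_net -o $wan_if -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage: ./ipsec-fw.sh 192.168.1.0/24 192.168.0.0/24 eth1 > /etc/iptables.rules
#        iptables-restore --test < /etc/iptables.rules && iptables-restore < /etc/iptables.rules
if [ "$#" -eq 3 ]; then
    ipsec_ruleset "$1" "$2" "$3"
fi
```

Load the output with iptables-restore (the --test pass parses it without applying), not with one iptables call per rule, so the whole set lands atomically and the exemption is never briefly missing in front of the MASQUERADE rule. If the peer has a static address, tighten the udp/500, udp/4500, esp and ah rules with -s <peer>.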

TUTORIALS

http://www.systutorials.com/816/port-forwarding-using-iptables/
http://www.vivaolinux.com.br/artigo/VPN-com-Openswan-e-Iptables-(fazendo-NAT)?pagina=2
http://xmodulo.com/create-site-to-site-ipsec-vpn-tunnel-openswan-linux.html
