




































12.6.2
  • (v12.6.1)
  • (v12.6.1)
  • (v12.5)
VPN







[[Datei: ]] 1
Name: IPSec S2S [[Datei: ]]
2
IKE Version: ( ) IKE v1   ( ) IKE v2 (Default) — IKEv2 sollte bevorzugt werden, sofern die Gegenstelle es unterstützt; IKEv1 nur für Altgeräte.

  
Local Gateway ID:     [[Datei: ]]
3
|| Pre-Shared Key ||
Pre-Shared Key (langer, zufällig erzeugter Schlüssel; nicht für mehrere Gegenstellen wiederverwenden)
'
   
X.509 :
'

|| »192.168.122.0/24 ||
Remote Gateway: 192.0.2.192 [[Datei: ]]
4
Remote Gateway ID: 192.0.2.192
|| »192.168.192.0/24 ||


  • IKEv1


    Step-by-step.png
































    Phase 1
    VPN Phase 1


    Default
    Outgoing
    Incoming
    Route
    Route
    Ignore
    notempty
    v12.4

    '
  • 30Link=
  • 10Link=

    Default
    Default-Werte UTM Default-Werte NCP-Client [[Datei:]]
    1
    [[Datei:]]
    2
    Verschlüsselung: »aes128 AES 128 Bit
    Authentifizierung: »sha2_256 Hash: SHA2 256 Bit
IKE DH-Gruppe: »ecp521 (UTM-Default) | DH2 (modp1024) (NCP-Client-Default). Hinweis: modp1024 (DH-Gruppe 2) gilt heute als zu schwach; wo die Gegenstelle es unterstützt, eine ECP-Gruppe oder mindestens modp2048 (DH14) auf beiden Seiten einstellen.
    Aktuelle Kombinationen: notempty
    v12.6
    aes128-sha2_256-ecp521
     :
    Strict:
    3Link=
    1
    notempty
    : v12.4
    2Link=
    notempty




    ike_lifetime = 2
    ike_rekeytime = 0


    ike_lifetime = 0
    ike_rekeytime = 2

    ----


    ike_lifetime = 2
    ike_rekeytime = 1


    ike_lifetime =2
    ike_rekeytime = 1
      
      

    Phase 2
    VPN Phase 2

    :

    Default-Werte UTM Default-Werte NCP-Client [[Datei: ]]
    / IKEv1 / Roadwarrior
    [[Datei: ]]
    / IKEv2 / Roadwarrior
    [[Datei:]] / IKEv1 / S2S [[Datei:]] / IKEv2 / S2S
    »aes128 AES 128 Bit
    »sha2_256 SHA2 256 Bit
IKE DH-Gruppe (PFS): »ecp521 (UTM-Default) | DH2 (modp1024) (NCP-Client-Default) — modp1024 nur noch aus Kompatibilitätsgründen verwenden.
    » IKE DH-Gruppe: DH2 (modp1024)
    Aktuelle Kombinationen: notempty
    v12.6
    aes128-sha2_256-ecp521
    Schlüssel-Lebensdauer: 8
Austausch-Modus: Main Mode (nicht konfigurierbar) | Aggressive Mode (IKEv1). Hinweis: Im Aggressive Mode wird bei PSK-Authentifizierung der Identitäts-Hash unverschlüsselt übertragen und kann offline gegen den PSK angegriffen werden; für IKEv1 daher Main Mode bevorzugen, Aggressive Mode nur mit langem zufälligem PSK.
  • :


       

       

    '



  • root@firewall:~# swanctl --list-conns

    IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
     local:  %any
     remote: 192.0.2.192
     local pre-shared key authentication:
       id: 192.168.175.218
     remote pre-shared key authentication:
       id: 192.0.2.192
     IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24 192.168.219.0/24
       remote: 192.168.192.0/24 192.168.193.0/24
    



    root@firewall:~# swanctl --list-conns

     IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
       local:  %any
       remote: 192.0.2.192
       local pre-shared key authentication:
         id: 192.168.175.218
       remote pre-shared key authentication:
         id: 192.0.2.192
       IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.218.0/24
         remote: 192.168.192.0/24
       IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.218.0/24
         remote: 192.168.193.0/24
       IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.219.0/24
         remote: 192.168.192.0/24
       IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.219.0/24
         remote: 192.168.193.0/24
    

    '


root@firewall:~# swanctl --list-conns
IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s

     local:  %any
     remote: 192.0.2.192
     local pre-shared key authentication:
       id: 192.168.175.218
     remote pre-shared key authentication:
       id: 192.0.2.192
     IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24 192.168.219.0/24
       remote: 192.168.192.0/24 192.168.193.0/24
    



root@firewall:~# swanctl --list-conns
IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s

     local:  %any
     remote: 192.0.2.192
     local pre-shared key authentication:
       id: 192.168.175.218
     remote pre-shared key authentication:
       id: 192.0.2.192
     IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24
       remote: 192.168.192.0/24
     IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24
       remote: 192.168.193.0/24
     IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.219.0/24
       remote: 192.168.192.0/24
    




    IKEv2

    Step-by-step.png
































    Phase 1
    VPN Phase 1


    Default
    Outgoing
    Incoming
    Route
    Route
    Ignore
    notempty
    v12.4

    '
  • 30Link=
  • 10Link=

    Default
    Default-Werte UTM Default-Werte NCP-Client [[Datei:]]
    1
    [[Datei:]]
    2
    Verschlüsselung: »aes128 AES 128 Bit
    Authentifizierung: »sha2_256 Hash: SHA2 256 Bit
IKE DH-Gruppe: »ecp521 (UTM-Default) | DH2 (modp1024) (NCP-Client-Default). Hinweis: modp1024 (DH-Gruppe 2) gilt heute als zu schwach; wo die Gegenstelle es unterstützt, eine ECP-Gruppe oder mindestens modp2048 (DH14) auf beiden Seiten einstellen.
    Aktuelle Kombinationen: notempty
    v12.6
    aes128-sha2_256-ecp521
     :
    Strict:
    3Link=
    1
    notempty
    : v12.4
    2Link=
    notempty




    ike_lifetime = 2
    ike_rekeytime = 0


    ike_lifetime = 0
    ike_rekeytime = 2

    ----


    ike_lifetime = 2
    ike_rekeytime = 1


    ike_lifetime =2
    ike_rekeytime = 1
      
      

    Phase 2
    VPN Phase 2

    :

    Default-Werte UTM Default-Werte NCP-Client [[Datei: ]]
    / IKEv1 / Roadwarrior
    [[Datei: ]]
    / IKEv2 / Roadwarrior
    [[Datei:]] / IKEv1 / S2S [[Datei:]] / IKEv2 / S2S
    »aes128 AES 128 Bit
    »sha2_256 SHA2 256 Bit
IKE DH-Gruppe (PFS): »ecp521 (UTM-Default) | DH2 (modp1024) (NCP-Client-Default) — modp1024 nur noch aus Kompatibilitätsgründen verwenden.
    » IKE DH-Gruppe: DH2 (modp1024)
    Aktuelle Kombinationen: notempty
    v12.6
    aes128-sha2_256-ecp521
    Schlüssel-Lebensdauer: 8
Austausch-Modus: Main Mode (nicht konfigurierbar) | Aggressive Mode (IKEv1). Hinweis: Im Aggressive Mode wird bei PSK-Authentifizierung der Identitäts-Hash unverschlüsselt übertragen und kann offline gegen den PSK angegriffen werden; für IKEv1 daher Main Mode bevorzugen, Aggressive Mode nur mit langem zufälligem PSK.
  • :


       

       

    '



  • root@firewall:~# swanctl --list-conns

    IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
     local:  %any
     remote: 192.0.2.192
     local pre-shared key authentication:
       id: 192.168.175.218
     remote pre-shared key authentication:
       id: 192.0.2.192
     IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24 192.168.219.0/24
       remote: 192.168.192.0/24 192.168.193.0/24
    



    root@firewall:~# swanctl --list-conns

     IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
       local:  %any
       remote: 192.0.2.192
       local pre-shared key authentication:
         id: 192.168.175.218
       remote pre-shared key authentication:
         id: 192.0.2.192
       IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.218.0/24
         remote: 192.168.192.0/24
       IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.218.0/24
         remote: 192.168.193.0/24
       IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.219.0/24
         remote: 192.168.192.0/24
       IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.219.0/24
         remote: 192.168.193.0/24
    

    '


root@firewall:~# swanctl --list-conns
IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s

     local:  %any
     remote: 192.0.2.192
     local pre-shared key authentication:
       id: 192.168.175.218
     remote pre-shared key authentication:
       id: 192.0.2.192
     IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24 192.168.219.0/24
       remote: 192.168.192.0/24 192.168.193.0/24
    



root@firewall:~# swanctl --list-conns
IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s

     local:  %any
     remote: 192.0.2.192
     local pre-shared key authentication:
       id: 192.168.175.218
     remote pre-shared key authentication:
       id: 192.0.2.192
     IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24
       remote: 192.168.192.0/24
     IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24
       remote: 192.168.193.0/24
     IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.219.0/24
       remote: 192.168.192.0/24
    








  • Name: IPSec-S2S [[Datei: ]]
    ||     ||
    || 192.168.192.0/24 ||
    Zone: vpn-ipsec
    ||     ||

    '
    || internal-network ||
    [[Datei: ]]
    ||     ||
    || benötigter Dienst ||
    NAT: Hidenat Exclude
    || external-interface ||
    '
    ||     ||
    || internal-network ||
    || benötigter Dienst ||
    NAT:













    Troubleshooting


































    '


    Connection Rate Limit.png
    Connection Rate Limit Access.png


    extc-
CONNECTION_RATE_LIMIT_TCP 0 (Wert 0 = kein Limit, vermutlich der Auslieferungszustand; s. die Bullet-Einträge unten)
CONNECTION_RATE_LIMIT_TCP_PORTS (leer = Limit gilt für alle TCP-Ports)
CONNECTION_RATE_LIMIT_UDP 20 / 0 (versionsabhängiger Default; 0 = kein Limit)
      
    CONNECTION_RATE_LIMIT_UDP_PORTS

    extc value get application securepoint_firewall

    spcli extc value get application securepoint_firewall | grep RATE

application          |variable                       |value
---------------------+-------------------------------+-----
securepoint_firewall |…                              |…
                     |CONNECTION_RATE_LIMIT_TCP      |0
                     |CONNECTION_RATE_LIMIT_TCP_PORTS|
                     |CONNECTION_RATE_LIMIT_UDP      |20
                     |CONNECTION_RATE_LIMIT_UDP_PORTS|

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    system update rule
  • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0
    system update rule
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    system update rule

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ]
    system update rule

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    system update rule

  • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0
    system update rule
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ]
    system update rule

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule