Re: [Debugging] Site to Site VPN (updated info)
I was busy last week and had no chance to do a lab.
Today I got a bit of breathing room and ran a test; it looks OK.
I built the VPN on Trust and used Untrust as the test segment.
1.1.1.1/24-Untrust-5GT1-Trust-9.9.9.1---9.9.9.2-Trust-5GT2-Untrust-2.2.2.2/24
(vpnspoke) (vpnhub)
config of vpnspoke:
set interface trust ip 9.9.9.1/24
set interface untrust ip 1.1.1.1/24
set interface tunnel.1 ip unnumbered interface trust
set address "Untrust" "1.1.1.0/24" 1.1.1.0 255.255.255.0
set ike gateway "test" address 9.9.9.2 Main outgoing-interface "trust" preshare "hashed" sec-level standard
set vpn "test" gateway "test" no-replay tunnel idletime 0 sec-level standard
set vpn "test" monitor
set vpn "test" id 1 bind interface tunnel.1
set policy id 1 from "Untrust" to "Trust" "1.1.1.0/24" "Any" "ANY" permit log
set route 0.0.0.0/0 interface tunnel.1 preference 20 # this is the key line #
# What is not added here is the route to the VPN peer; in practice, once connected to the Internet, a "host route" is needed
config of vpnhub:
set interface trust ip 9.9.9.2/24
set interface untrust ip 2.2.2.2/24
set interface tunnel.1 ip unnumbered interface trust
set address "Trust" "1.1.1.0/24" 1.1.1.0 255.255.255.0
set ike gateway "test" address 9.9.9.1 Main outgoing-interface "trust" preshare "hashed" sec-level standard
set vpn "test" gateway "test" no-replay tunnel idletime 0 sec-level standard
set vpn "test" monitor
set vpn "test" id 1 bind interface tunnel.1
set policy id 1 from "Trust" to "Trust" "1.1.1.0/24" "Any" "ANY" nat src permit log
set route 0.0.0.0/0 interface trust gateway 9.9.9.254 # here the default route has to be added #
set route 1.1.1.0/24 interface tunnel.1
From the policy log on vpnspoke you can see 1.1.1.2 reaching the Internet normally, without NAT.
From the policy log on vpnhub you can see that when 1.1.1.2 goes to the Internet, the source becomes 9.9.9.2.
--
※ Posted from: 批踢踢實業坊(ptt.cc)
◆ From: 203.70.214.8
※ Edited: infosec from: 203.70.214.8 (01/17 17:09)
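A small consistency check for the hub-and-spoke design above (added example, not the poster's code): it parses the route, policy and tunnel-binding lines from the two ScreenOS configs and reports anything that would break the "spoke defaults into the tunnel, hub NATs it out" arrangement. The config snippets embedded below are constructed from the post; the function and regexes are assumptions of this example, not a Juniper tool.

```python
"""Check that a ScreenOS spoke/hub config pair forwards and NATs consistently."""
import re

# Constructed from the configs in the post; only the lines the check needs.
SPOKE_CFG = """
set vpn "test" id 1 bind interface tunnel.1
set policy id 1 from "Untrust" to "Trust" "1.1.1.0/24" "Any" "ANY" permit log
set route 0.0.0.0/0 interface tunnel.1 preference 20
"""
HUB_CFG = """
set vpn "test" id 1 bind interface tunnel.1
set policy id 1 from "Trust" to "Trust" "1.1.1.0/24" "Any" "ANY" nat src permit log
set route 0.0.0.0/0 interface trust gateway 9.9.9.254
set route 1.1.1.0/24 interface tunnel.1
"""

ROUTE_RE = re.compile(r'^set route (\S+) interface (\S+)')
POLICY_RE = re.compile(r'^set policy id \d+ from "(\w+)" to "(\w+)" "([^"]+)" "[^"]+" "[^"]+" (.*)$')
BIND_RE = re.compile(r'^set vpn "[^"]+" id \d+ bind interface (\S+)')

def parse(cfg):
    """Return ({prefix: egress iface}, [(src zone, dst zone, src addr, options)], {bound tunnels})."""
    routes, policies, binds = {}, [], set()
    for line in cfg.strip().splitlines():
        if m := ROUTE_RE.match(line):
            routes[m.group(1)] = m.group(2)
        elif m := POLICY_RE.match(line):
            policies.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
        elif m := BIND_RE.match(line):
            binds.add(m.group(1))
    return routes, policies, binds

def check_hub_and_spoke(spoke_cfg, hub_cfg, spoke_lan):
    """Return a list of problems; an empty list means the design is consistent."""
    s_routes, _, s_bind = parse(spoke_cfg)
    h_routes, h_pol, h_bind = parse(hub_cfg)
    problems = []
    tun = s_routes.get("0.0.0.0/0")            # spoke must send everything into the tunnel
    if tun is None or not tun.startswith("tunnel."):
        problems.append("spoke: default route must point at the tunnel interface")
    elif tun not in s_bind:
        problems.append(f"spoke: no VPN bound to {tun}")
    back = h_routes.get(spoke_lan)             # hub needs the return route into the tunnel
    if back is None or back not in h_bind:
        problems.append(f"hub: no return route for {spoke_lan} via a bound tunnel interface")
    if h_routes.get("0.0.0.0/0", "").startswith("tunnel."):
        problems.append("hub: default route points back into the tunnel (loop)")
    # Hub must source-NAT the spoke LAN with an intrazone policy so replies come back to it.
    if not any(src == dst and net == spoke_lan and {"nat", "src", "permit"} <= set(opts)
               for src, dst, net, opts in h_pol):
        problems.append(f"hub: need an intrazone policy for {spoke_lan} with 'nat src permit'")
    return problems
```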