divzeroweb

2f30.org website
git clone git://git.2f30.org/divzeroweb.git
Log | Files | Refs | README | LICENSE

commit 3b3452dbf9d7797d5498b013c378d2fa84c1701d
parent 6d6b94bdf5163d2d8f932842bf205d78e7da54a9
Author: lostd <lostd@2f30.org>
Date:   Fri May  2 13:47:47 +0300

Configuration testing commands

Diffstat:
guides/ipsec.md | 34++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+), 0 deletions(-)
diff --git a/guides/ipsec.md b/guides/ipsec.md @@ -15,6 +15,9 @@ key management daemon and have IPsec enabled and allowed through PF. pass quick on egress proto {esp, ah} pass in quick on egress proto udp to port {isakmp, ipsec-nat-t} +The next part shows how we run mail message submission and POP version 3 +services through IPsec tunnels. + #### Server configuration @@ -54,6 +57,37 @@ for key management. pass out on egress proto udp from any port isakmp to any port isakmp \ nat-to (egress) port 5000 + +#### Testing the setup + +If all went OK, from a client you should see something like the following, +when the server's IP address is 1.2.3.4 while the client's IP address is +5.6.7.8. + + $ ipsecctl -s flow + FLOWS: + flow esp in proto tcp from 1.2.3.4 port pop3 to 5.6.7.8 peer 1.2.3.4 srcid 5.6.7.8/32 dstid 1.2.3.4/32 type use + flow esp out proto tcp from 5.6.7.8 to 1.2.3.4 port pop3 peer 1.2.3.4 srcid 5.6.7.8/32 dstid 1.2.3.4/32 type require + flow esp in proto tcp from 1.2.3.4 port submission to 5.6.7.8 peer 1.2.3.4 srcid 5.6.7.8/32 dstid 1.2.3.4/32 type use + flow esp out proto tcp from 5.6.7.8 to 1.2.3.4 port submission peer 1.2.3.4 srcid 5.6.7.8/32 dstid 1.2.3.4/32 type require + + $ route -n show -encap + Routing tables + + Encap: + Source Port Destination Port Proto SA(Address/Proto/Type/Direction) + 1.2.3.4/32 110 5.6.7.8/32 0 6 1.2.3.4/esp/use/in + 5.6.7.8/32 0 1.2.3.4/32 110 6 1.2.3.4/esp/require/out + 1.2.3.4/32 587 5.6.7.8/32 0 6 1.2.3.4/esp/use/in + 5.6.7.8/32 0 1.2.3.4/32 587 6 1.2.3.4/esp/require/out + + $ nc -v server.example.org 587 + Connection to server.example.org 587 port [tcp/submission] succeeded! + $ nc -v server.example.org 110 + Connection to server.example.org 110 port [tcp/pop3] succeeded! + +OK + + #### Notes There is no actual server and client in the protocol, however in this