1. Консоль cisco-like:
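!
! S-Terra Gate cisco-like console configuration for the Spoke1 gateway
! (hub-and-spoke GOST IPsec). `!` lines are comments and carry no config.
!
version 12.4
! In IOS semantics this knob only governs type-7 `password` entries; the
! `secret 5` hashes below are not affected by it. Turn it on if any
! `username ... password` / `line ... password` entries are ever added,
! otherwise they will be stored in cleartext.
no service password-encryption
!
! Copy the inner DF bit into the ESP outer header (DFHandling=COPY in the LSP).
crypto ipsec df-bit copy
! Peers are identified by certificate DN (LocalID = DistinguishedName in the LSP).
crypto isakmp identity dn
! IKE-level fragmentation for large certificate-carrying messages
! (FragmentSize in the LSP IKEParameters).
crypto isakmp fragmentation
! These three map 1:1 to SALifetimeDelta / InitiatorSessionsMax /
! ResponderSessionsMax in the LSP.
crypto isakmp security-association lifetime delta 50
crypto isakmp initiator-sessions-max 100
crypto isakmp responder-sessions-max 100
! Dead Peer Detection: probe after 3 s idle, give up after 5 unanswered
! retries (DPDIdleDuration / DPDRetries in the LSP).
crypto isakmp keepalive 3
crypto isakmp keepalive retry-count 5
! Local admin account (privilege 15). The `$6$` SHA-512 crypt hash must be a
! single token on one line; the original listing had it wrapped onto a second
! line (which the console would reject), it is rejoined here (salt + 86 chars).
! NOTE(review): a password hash published in a shared config is exposed to
! offline cracking -- treat this credential as compromised and rotate it,
! and redact hashes before publishing configs.
username cscons privilege 15 secret 5 $6$tHtq8SR6$t3CWE6udI6L/ARr9jQowUYR7wEbOWZlx61OvLi7goonOFUYhNSGV49BA.RDGEZ7oKXBA1aTRi20ElR4wtMXTl0
aaa new-model
!
!
hostname Spoke1
! Enable password, stored hashed (different encoding from the user secret
! above; appears to be a 16-byte digest in base64). Same exposure caveat.
enable secret 5 PC9d7N5HlAyLrzuA3qRJvQ==
!
!
!
!
!
! IKE phase-1 policy: GOST 28147-89 encryption, Streebog-256
! (GOST R 34.11-2012, TC26 parameters) hash, certificate-based GOST
! signature authentication, VKO key agreement. Pre-shared keys are not
! accepted (RestrictAuthenticationTo = GOST_SIGN in the LSP).
crypto isakmp policy 1
encr gost
hash gost341112-256-tc26
authentication gost-sig
group vko2
!
! Single ESP transform providing both confidentiality and integrity
! (GOST 28147-89 with imitovstavka / MAC).
crypto ipsec transform-set GOST_ENCRYPT_AND_INTEGRITY esp-gost28147-4m-imit
!
! Traffic selector for the tunnel. The mixed-case name (`ACl`) is referenced
! verbatim by the crypto map and by the LSP LogEventID strings -- do not
! rename it in one place only. 192.168.1.0/24 and 192.168.2.0/24 are both
! local VLANs on this spoke (eth1.10 / eth1.11 in /etc/network/interfaces);
! the two inter-VLAN entries put that traffic into the tunnel as well, which
! only works because the FRR PBR maps force it out via 172.16.1.1 so the
! crypto map on Gi0/0 sees it (inter-VLAN traffic is hair-pinned via the hub).
ip access-list extended IPSEC_ACl_HUB1_AND_SPOKE1
permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.254.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
! Crypto map for the uplink; the single peer is the hub at 172.16.100.2.
crypto map VPN 1 ipsec-isakmp
match address IPSEC_ACl_HUB1_AND_SPOKE1
set transform-set GOST_ENCRYPT_AND_INTEGRITY
set peer 172.16.100.2
set dead-connection history off
!
! Uplink interface (eth0, 172.16.1.2, in /etc/network/interfaces); the
! crypto map / LSP filter chain is bound here.
interface GigabitEthernet0/0
ip address 172.16.1.2 255.255.255.0
crypto map VPN
!
! LAN-side trunk, no address of its own -- presumably eth1; the VLAN
! sub-interfaces carrying 192.168.1.1 and 192.168.2.1 are configured
! outside the cisco-like console.
interface GigabitEthernet0/1
no ip address
!
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
! Trust point for peer certificate validation. Revocation is enforced
! against a CRL downloaded over plain HTTP from 172.16.101.15 every 60
! (units per the gateway documentation). A CRL is signed, so HTTP transport
! is acceptable, but the CRL server must stay reachable from this spoke --
! confirm how the gateway behaves when the CRL cannot be fetched
! (CRLHandlingMode = ENABLE in the LSP) so peer authentication does not
! fail open or fail closed unexpectedly.
crypto pki trustpoint s-terra_technological_trustpoint
revocation-check crl
crl download group ROOTCA http://172.16.101.15/certcrl.crl
crl download time 60
! Certificate body truncated in this listing.
crypto pki certificate chain s-terra_technological_trustpoint
certificate 58E026BFD6D625BE4582C16C6189C183
30820227308201D4A003020102021058E026BFD6D625BE4582C16C6189C18330
...
AD4F8901771632E0A0AF83
quit
!
end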
2. Содержимое /etc/network/interfaces:
############################################################
# CAUTION: lines under special marker: ###netifcfg-*###
# contain autogenerated information. You can add/modify
# lines outside of those markers
############################################################
# ifupdown interface definitions for the Spoke1 gateway. The `eth1.N`
# naming follows the vlan/ifupdown convention for 802.1Q sub-interfaces
# (VLAN tag N on eth1); eth0 is the uplink that carries the IPsec tunnel
# and corresponds to GigabitEthernet0/0 (172.16.1.2) in the cisco-like
# config.
#
# loopback configuration
auto lo
iface lo inet loopback
# LAN VLAN 10: this host is 192.168.1.1 in 192.168.1.0/24 (first source
# subnet of the IPsec traffic selector).
auto eth1.10
iface eth1.10 inet static
mtu 1500
address 192.168.1.1
netmask 255.255.255.0
# LAN VLAN 11: this host is 192.168.2.1 in 192.168.2.0/24 (second source
# subnet of the IPsec traffic selector).
auto eth1.11
iface eth1.11 inet static
mtu 1500
address 192.168.2.1
netmask 255.255.255.0
# Generated by the gateway -- do not edit between the markers:
#   eth0 = uplink 172.16.1.2/24, default gateway 172.16.1.1, crypto map VPN
#          is applied to it;
#   eth1 = LAN trunk brought up without an address ("manual"); only the
#          VLAN sub-interfaces above carry IP configuration.
###netifcfg-begin###
auto eth0
iface eth0 inet static
mtu 1500
address 172.16.1.2
netmask 255.255.255.0
broadcast 172.16.1.255
auto eth1
iface eth1 inet manual
mtu 1500
###netifcfg-end###
3. Конфигурация LSP:
# This is automatically generated LSP
#
# Conversion Date/Time: Fri Nov 29 14:17:34 2019
#
# S-Terra Local Security Policy produced by the CSP Converter from the
# cisco-like config of Spoke1 (hub-and-spoke GOST IPsec). Do not hand-edit
# the body: re-running the converter overwrites it. The `#` lines below are
# reviewer annotations only.
GlobalParameters(
Title = "This LSP was automatically generated by CSP Converter at Fri Nov 29 14:17:34 2019 (user: root)"
Version = LSP_4_3
CRLHandlingMode = ENABLE
PreserveIPsecSA = FALSE
)
# Default route towards the uplink gateway
# (mirrors `ip route 0.0.0.0 0.0.0.0 172.16.1.1`).
RoutingTable(
Routes =
Route(
Destination = 0.0.0.0/0
Gateway = 172.16.1.1
)
)
# Stateful TCP tracking timeouts and the half-open / new-session-rate
# low/max thresholds -- presumably the SYN-flood protection knobs; confirm
# units (seconds, connections/s) and semantics against the gateway manual.
FirewallParameters(
TCPSynSentTimeout = 30
TCPFinTimeout = 5
TCPClosedTimeout = 30
TCPSynRcvdTimeout = 30
TCPEstablishedTimeout = 3600
TCPHalfOpenLow = 400
TCPHalfOpenMax = 500
TCPSessionRateLow = 400
TCPSessionRateMax = 500
)
# IKE phase-1 proposal from `crypto isakmp policy 1`: GOST 28147-89 in CBC
# with a 256-bit key, Streebog-256 (GOST R 34.11-2012, TC26 parameters),
# VKO key agreement, and certificate (GOST signature) authentication ONLY --
# pre-shared-key peers are rejected. IKE SA lifetime 86400 s (24 h).
IKETransform crypto:isakmp:policy:1
(
CipherAlg = "G2814789CPRO1-K256-CBC-65534"
HashAlg = "GR341112_256TC26-65128"
GroupID = VKO2_1B
RestrictAuthenticationTo = GOST_SIGN
LifetimeSeconds = 86400
)
# ESP proposal from transform-set GOST_ENCRYPT_AND_INTEGRITY: GOST 28147-89
# in counter mode with imitovstavka (MAC) -- one transform covers both
# confidentiality and integrity. IPsec SA lifetime 3600 s / 4608000 KB.
ESPProposal GOST_ENCRYPT_AND_INTEGRITY:ESP
(
Transform* = ESPTransform
(
CipherAlg* = "G2814789CPRO2-K288-CNTMAC-253"
LifetimeSeconds = 3600
LifetimeKilobytes = 4608000
)
)
# IKE message fragmentation size, SA lifetime delta and session caps, from
# the global `crypto isakmp fragmentation / security-association lifetime
# delta / *-sessions-max` lines.
IKEParameters(
FragmentSize = 576
SALifetimeDelta = 50
InitiatorSessionsMax = 100
ResponderSessionsMax = 100
)
# Certificate-based IKE authentication (`crypto isakmp identity dn`).
# USER_SPECIFIC_DATA is the converter's placeholder for the local identity
# DN -- presumably substituted from the local certificate at load time;
# confirm it is not meant to be filled in by hand. Certificates and
# certificate requests are always exchanged.
AuthMethodGOSTSign GOST:Sign
(
LocalID = IdentityEntry( DistinguishedName* = USER_SPECIFIC_DATA )
SendRequestMode = ALWAYS
SendCertMode = ALWAYS
)
# IKE rule for the hub peer 172.16.100.2: GOST signature auth in both main
# and aggressive mode; DPD probe after 3 s idle, 2 s to answer, 5 retries
# (from `crypto isakmp keepalive 3` / `retry-count 5`).
IKERule IKERule:VPN:1
(
IKEPeerIPFilter = 172.16.100.2
Transform = crypto:isakmp:policy:1
AggrModeAuthMethod = GOST:Sign
MainModeAuthMethod = GOST:Sign
DPDIdleDuration = 3
DPDResponseDuration = 2
DPDRetries = 5
Priority = 10
)
# Tunnel-mode IPsec to the hub (`crypto map VPN 1`): inner DF bit copied to
# the outer header, Assemble=TRUE (presumably reassemble fragments before
# IPsec processing -- confirm), dead-connection history disabled.
IPsecAction IPsecAction:VPN:1
(
TunnelingParameters = TunnelEntry(
PeerAddress = 172.16.100.2
DFHandling=COPY
Assemble=TRUE
)
ContainedProposals = ( GOST_ENCRYPT_AND_INTEGRITY:ESP )
NoDeadConnectionHistory = TRUE
IKERule = IKERule:VPN:1
)
# Filter chain bound to the uplink. The first rule admits IKE / NAT-T
# (UDP, ports 500 and 4500) addressed to the gateway itself; note that, as
# emitted by the converter, it keys on the *source* port rather than the
# destination port. The six remaining rules are the entries of
# `IPSEC_ACl_HUB1_AND_SPOKE1` and hand matching traffic to
# IPsecAction:VPN:1. Traffic matching none of these rules falls through to
# the gateway's default policy -- confirm that default is drop before
# exposing this interface, and note there is no explicit rule for plain
# (non-IPsec) management traffic to 172.16.1.2.
FilterChain IPsecPolicy:VPN (
Filters = Filter (
ProtocolID = 17
SourcePort = 500, 4500
Action = PASS
PacketType = LOCAL_UNICAST, LOCAL_MISDIRECTED
),
Filter (
SourceIP = 192.168.1.0/24
DestinationIP = 192.168.100.0/24
Action = PASS
ExtendedAction = ipsec< sa = IPsecAction:VPN:1 >
LogEventID = "IPsec:Protect:VPN:1:IPSEC_ACl_HUB1_AND_SPOKE1"
),
Filter (
SourceIP = 192.168.1.0/24
DestinationIP = 192.168.254.0/24
Action = PASS
ExtendedAction = ipsec< sa = IPsecAction:VPN:1 >
LogEventID = "IPsec:Protect:VPN:1:IPSEC_ACl_HUB1_AND_SPOKE1"
),
Filter (
SourceIP = 192.168.1.0/24
DestinationIP = 192.168.2.0/24
Action = PASS
ExtendedAction = ipsec< sa = IPsecAction:VPN:1 >
LogEventID = "IPsec:Protect:VPN:1:IPSEC_ACl_HUB1_AND_SPOKE1"
),
Filter (
SourceIP = 192.168.2.0/24
DestinationIP = 192.168.100.0/24
Action = PASS
ExtendedAction = ipsec< sa = IPsecAction:VPN:1 >
LogEventID = "IPsec:Protect:VPN:1:IPSEC_ACl_HUB1_AND_SPOKE1"
),
Filter (
SourceIP = 192.168.2.0/24
DestinationIP = 192.168.254.0/24
Action = PASS
ExtendedAction = ipsec< sa = IPsecAction:VPN:1 >
LogEventID = "IPsec:Protect:VPN:1:IPSEC_ACl_HUB1_AND_SPOKE1"
),
Filter (
SourceIP = 192.168.2.0/24
DestinationIP = 192.168.1.0/24
Action = PASS
ExtendedAction = ipsec< sa = IPsecAction:VPN:1 >
LogEventID = "IPsec:Protect:VPN:1:IPSEC_ACl_HUB1_AND_SPOKE1"
)
)
# Bind the policy to the uplink (GigabitEthernet0/0 == eth0, 172.16.1.2).
# The LAN-side VLAN interfaces carry no policy of their own.
NetworkInterface (
LogicalName = "GigabitEthernet0/0"
IPsecPolicy = IPsecPolicy:VPN
)
4. Консоль FRR:
!
! FRR configuration for Spoke1. Only policy-based routing is used: traffic
! sourced from each LAN VLAN is forced to the uplink gateway 172.16.1.1
! regardless of destination -- including the directly-connected sibling
! VLAN, which the kernel would otherwise forward locally via its connected
! route. This is apparently what keeps the 192.168.1.0/24 <-> 192.168.2.0/24
! flows on eth0 where the crypto map / LSP filters match them, so inter-VLAN
! traffic is hair-pinned through the hub rather than routed on the spoke.
frr version 7.3
frr defaults traditional
hostname Spoke1
log syslog informational
service integrated-vtysh-config
!
! PBR policies attach to the LAN-side VLAN sub-interfaces (ingress).
interface eth1.10
pbr-policy PBR.10
!
interface eth1.11
pbr-policy PBR.11
!
! Match on source prefix only; every destination is sent to the uplink.
pbr-map PBR.10 seq 1
match src-ip 192.168.1.0/24
set nexthop 172.16.1.1
!
pbr-map PBR.11 seq 1
match src-ip 192.168.2.0/24
set nexthop 172.16.1.1
!
! NOTE(review): the vty line has no `access-class` or password configured
! here; confirm the FRR daemons' vty listeners are bound to localhost (or
! disabled) so that management access is governed by OS-level controls.
line vty
!
end