在局域网上建立Ubuntu12.04两台PC之间的IPSEC隧道

Question

我有两个ubuntu12.04 32位个人电脑，我希望IPSec隧道之间的设置。我已经在两个系统中安装了ipsec，而且ipsec verify在这两个系统上运行都很好。由于我没有以前的经验开放，我发现它很难设置配置文件。

下面是ipsec.config的片段

config setup
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: incorrect SElinux policies might prevent pluto writing the core
dumpdir=/var/run/pluto/
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their 3G network.
# This range has not been announced via BGP (at least upto 2010-12-21)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=netkey
# Use this to log to a file, or disable logging on embedded systems (like openwrt)
#plutostderrlog=/dev/null

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
conn linux-to-linux
#       # Left security gateway, subnet behind it, nexthop toward right.
        left=192.168.58.17
#       leftsubnet=172.16.0.0/24
#       leftnexthop=10.22.33.44
#       # Right security gateway, subnet behind it, nexthop toward left.
        right=192.168.58.32
#       rightsubnet=192.168.0.0/24
#       rightnexthop=10.101.102.103
#       # To authorize this connection, but not actually start it, 
#       # at startup, uncomment this.
        auto=start

查询：

1. 现在基于我的网络的给定拓扑(见图)，上面的配置对两台PC都是正确的。
2. 左右电脑都是一样的吗？
3. 设置完毕后，如何确认安全隧道是否正常工作，检查正在使用的标识和数据包内容的最佳工具是什么。
4. 在局域网内部，安全的ipsec隧道称为主机对主机的隧道，而站点到站点的连接是指VPN启动时的连接，对吗？

​

​

Answer 1

Quse 1)现在基于我的网络的给定拓扑(见图)，上面的配置对两台PC都是正确的。)您必须提供ipsec.secrets文件和像PSK/RSA这样的身份验证方法

问题2)它必须是相同的左和右的个人电脑。( Ans)左和右应该互换。

Quse 3)设置完毕后，如何确认安全隧道是否正常工作，检查正在使用的标志和数据包内容的最佳工具是什么。尝试在中央站点上的任何系统平平。

问题4)在局域网内部，安全的ipsec隧道称为主机对主机的隧道，而站点到站点的连接是指VPN启动时的连接，对吗？不，主机到主机的站点到站点是两种不同的VPN配置，取决于网络拓扑结构。