VPN: "time up" error in phase 1
Hello everyone.
I'm not really sure whether this is the right place, but I'm getting
desperate by now and, of all the Debian mailing lists, I haven't found
any that seemed better suited to my problem.
I'm trying to set up a VPN between the two offices of the company I
work for, but I get a "time up error at phase 1" in the logs.
Both machines are Debian Sarge boxes acting as gateway and caching proxy,
connected to ADSL routers and running 2.6.11 kernels.
[root@soun:~]# uname -a
Linux soun 2.6.11.10 #1 Wed May 18 16:21:28 CEST 2005 i686 GNU/Linux
[root@nabiki:~]# uname -a
Linux nabiki 2.6.11 #1 Mon Mar 7 12:16:19 CET 2005 i686 GNU/Linux
These are the steps I've followed:
1. apt-get install ipsec-tools racoon iproute iptables
(I chose the racoon-tool method to create the file)
2. I created this /etc/racoon/racoon-tool.conf file on gateway A:
------------------------------------ /etc/racoon/racoon-tool.conf A
global:
log: notify
peer(%default):
verify_identifier: on
hash_algorithm[0]: sha1
encryption_algorithm[0]: aes
connection(%default):
src_ip: 213.96.80.51
peer(80.36.214.182):
peers_identifier: address
connection(to-nabiki):
dst_ip: 80.36.214.182
src_range: 192.168.0.0/24
dst_range: 192.168.1.0/24
admin_status: enabled
-------------------------------------
Which generated this /etc/racoon/racoon.conf file for me:
------------------------------------ /etc/racoon/racoon.conf A
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log notify;
remote 80.36.214.182 {
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
verify_identifier on;
peers_identifier address;
exchange_mode main;
}
sainfo address 192.168.0.0/24[any] any address 192.168.1.0/24[any] any {
pfs_group modp1024;
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha1,hmac_md5;
compression_algorithm deflate;
}
------------------------------------------------
Well, actually it created the file /var/lib/racoon/racoon.conf, but I
copied it manually to /etc/racoon/ because it seems to be a bug in the
package.
I also added the following entries to /etc/racoon/psk.txt on both
machines:
80.36.214.182 key1
213.96.80.51 key2
Where both keys were generated with:
$ dd if=/dev/random count=20 bs=1 | xxd -ps
I generated the /etc/racoon/racoon.conf file on gateway B the same way
(starting from /etc/racoon/racoon-tool.conf):
------------------------------------ /etc/racoon/racoon.conf B
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log notify;
remote 213.96.80.51 {
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
verify_identifier on;
peers_identifier address;
exchange_mode main;
}
sainfo address 192.168.1.0/24[any] any address 192.168.0.0/24[any] any {
pfs_group modp1024;
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha1,hmac_md5;
compression_algorithm deflate;
}
----------------------------------------------------
Then, when I try to start the servers, this is what I get:
$ cat /var/log/syslog
May 20 11:58:37 soun racoon-tool[6532]: loaded IPSEC/crypto modules.
May 20 11:58:37 soun racoon: INFO: @(#)ipsec-tools 0.5.2 (http://ipsec-tools.sourceforge.net)
May 20 11:58:37 soun racoon: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used as isakmp port (fd=8)
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used as isakmp port (fd=9)
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used for NAT-T
May 20 11:58:37 soun racoon-tool[6532]: racoon started.
May 20 11:58:37 soun racoon-tool[6532]: flushed SAD and SPD.
May 20 11:58:37 soun racoon: INFO: unsupported PF_KEY message REGISTER
May 20 11:58:37 soun last message repeated 2 times
May 20 11:58:37 soun racoon-tool[6532]: loaded SAD and SPD.
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used as isakmp port (fd=10)
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used as isakmp port (fd=11)
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=12)
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used for NAT-T
May 20 11:58:37 soun racoon-tool[6532]: configured racoon.
May 20 11:58:38 soun racoon: INFO: respond new phase 1 negotiation: 213.96.80.51[500]<=>80.36.214.182[500]
May 20 11:58:38 soun racoon: INFO: begin Identity Protection mode.
May 20 11:58:38 soun racoon: INFO: received Vendor ID: DPD
May 20 11:59:40 soun racoon: ERROR: phase1 negotiation failed due to time up. 32 0bb0f9eaea575d:536714fe6ae3cdb5
------------------------------------------------------------
My firewall (iptables) is configured the same way as when I was using
FreeSWAN and it worked fine. Anyway, I've tried restarting both racoon
servers after taking the firewall down (/etc/init.d/iptables clear) and
the results are exactly the same.
Any ideas or advice? Thanks in advance.
--
Jaume Sabater
http://linuxsilo.net/
"Ubi sapientas ibi libertas"
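As an added diagnostic example (not code from the original post), a Python parser for racoon's syslog lines that reconstructs each phase 1 attempt and reports how far it got before the time-up error, so the stalled step and the elapsed time can be read off directly; the sample log is constructed from the excerpt above with the mail-wrapped lines re-joined. It assumes racoon's message texts `respond/initiate new phase 1 negotiation`, `phase1 negotiation failed due to ...` and `ISAKMP-SA established`.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the racoon syslog excerpt in the post (wrapped lines re-joined).
SAMPLE_LOG = """\
May 20 11:58:37 soun racoon-tool[6532]: configured racoon.
May 20 11:58:38 soun racoon: INFO: respond new phase 1 negotiation: 213.96.80.51[500]<=>80.36.214.182[500]
May 20 11:58:38 soun racoon: INFO: begin Identity Protection mode.
May 20 11:58:38 soun racoon: INFO: received Vendor ID: DPD
May 20 11:59:40 soun racoon: ERROR: phase1 negotiation failed due to time up. 32 0bb0f9eaea575d:536714fe6ae3cdb5
"""

# syslog prefix + racoon level; racoon-tool and "last message repeated" lines deliberately do not match
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: (INFO|ERROR): (.*)$")
START_RE = re.compile(r"(respond|initiate) new phase 1 negotiation: (\S+)<=>(\S+)")

def parse_phase1(log_text, year=2005):
    """Return one dict per phase 1 attempt: role, peers, last step, outcome, seconds."""
    attempts, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        level, msg = m.group(2), m.group(3)
        start = START_RE.search(msg)
        if start:
            current = {"role": start.group(1), "local": start.group(2),
                       "remote": start.group(3), "start": ts, "last_step": msg,
                       "result": "open", "seconds": None}
            attempts.append(current)
        elif current is None:
            continue  # message not tied to an open negotiation
        elif level == "ERROR" and "phase1 negotiation failed due to" in msg:
            reason = msg.split("failed due to ", 1)[1].split(".", 1)[0]
            current["result"] = "failed: " + reason
            current["seconds"] = int((ts - current["start"]).total_seconds())
            current = None
        elif "ISAKMP-SA established" in msg:
            current["result"] = "established"
            current["seconds"] = int((ts - current["start"]).total_seconds())
            current = None
        else:
            current["last_step"] = msg  # progress message inside the open negotiation
    return attempts

def summarize(attempts):
    """One human-readable line per attempt, suitable for a cron or alert script."""
    return [f"{a['role']} {a['local']}<=>{a['remote']}: {a['result']}"
            f" after {a['seconds']}s, last step: {a['last_step']}" for a in attempts]
```

For the post's excerpt the summary shows the responder received the initiator's first message and its DPD vendor ID, then heard nothing more for 62 seconds, which points at the reply path rather than at the proposal itself.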
_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel