2.6.16 + Racoon + ipsec-tools

To: Debian Russian List <debian-russian@lists.debian.org>
Subject: 2.6.16 + Racoon + ipsec-tools
From: Peter Teslenko <smartchecker@gmail.com>
Date: Wed, 26 Jul 2006 16:27:50 +0400
Message-id: <[🔎] 44C75FC6.1030101@gmail.com>

Привет, коллеги.

Какая-то странная фигня получается.

с одной стороны debian testing/unstable на ядре 2.6.16
поднят vpn через racoon + ipsec-tools в режиме tunnel

Это на стороне дебиана.

/etc/ipsec-tools.conf

#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd 192.168.7.0/24 192.168.1.0/24 any
        -P out ipsec esp/tunnel/194.150.125.xxx-194.150.127.xxx/require;

spdadd 192.168.1.0/24 192.168.7.0/24 any
        -P in ipsec esp/tunnel/194.150.127.xxx-194.150.125.xxx/require;


Кусок /etc/racoon/racoon.conf

listen
{
        isakmp 194.150.125.xxx [500];
        isakmp_natt 194.150.125.xxx [4500];
}

remote 194.150.127.xxx {
        exchange_mode main;
        nat_traversal on;
        doi ipsec_doi;
        situation identity_only;
        proposal_check obey;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address 192.168.7.0/24 any address 192.168.1.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

После всего этого в из сети 192.168.1.0/24 в сеть 192.168.7.0/24 ping'и летят на ура, а вот из сети в обратную сторону какая-тостранная картинка.


16:19:40.026458 IP 192.168.7.10 > 192.168.1.1: ICMP echo request, id 512, seq 33054, length 40
16:19:41.028270 IP 192.168.7.10 > 192.168.1.1: ICMP echo request, id 512, seq 33310, length 40
16:19:42.029866 IP 192.168.7.10 > 192.168.1.1: ICMP echo request, id 512, seq 33566, length 40
16:19:42.032486 IP 81.23.96.46 > 192.168.7.10: ICMP host 192.168.1.1 unreachable - admin prohibited filter, length 36
16:19:43.030519 IP 192.168.7.10 > 192.168.1.1: ICMP echo request, id 512, seq 33822, length 40
16:19:43.033166 IP 81.23.96.46 > 192.168.7.10: ICMP host 192.168.1.1 unreachable - admin prohibited filter, length 36
16:19:44.032162 IP 192.168.7.10 > 192.168.1.1: ICMP echo request, id 512, seq 34078, length 40
16:19:44.322058 IP 192.168.7.10.1631 > 231.0.0.1.2371: UDP, length 0
16:19:45.033951 IP 192.168.7.10 > 192.168.1.1: ICMP echo request, id 512, seq 34334, length 40
16:19:46.035561 IP 192.168.7.10 > 192.168.1.1: ICMP echo request, id 512, seq 34590, length 40
16:19:46.038890 IP 81.23.96.46 > 192.168.7.10: ICMP host 192.168.1.1 unreachable - admin prohibited filter, length 36
16:19:47.036313 IP 192.168.7.10 > 192.168.1.1: ICMP echo request, id 512, seq 34846, length 40
16:19:47.038980 IP 81.23.96.46 > 192.168.7.10: ICMP host 192.168.1.1 unreachable - admin prohibited filter, length 36

Такое ощущение что проваливается мимо vpn'а.
В чем причина вообще не понимаю.

--
Peter Teslenko

begin:vcard
fn:Peter Teslenko
n:Teslenko;Peter
org:;IT Dept
adr:;;;Saint-Petersburg;;;Russia
email;internet:smartchecker@gmail.com
title:Sysadmin
x-mozilla-html:FALSE
version:2.1
end:vcard

Reply to:

Follow-Ups:
- Re: 2.6.16 + Racoon + ipsec-tools
  - From: SVV <vasily_s@inbox.ru>

Prev by Date: не запускаются хаки xscreensaver'a в xdm
Next by Date: USB-Ethernet card (посоветуйте)
Previous by thread: не запускаются хаки xscreensaver'a в xdm
Next by thread: Re: 2.6.16 + Racoon + ipsec-tools
Index(es):
- Date
- Thread