
ipsec + racoon problem



Good day.

The initial setup:
Two machines (for the experiment I used external IP addresses from the same
block). The first (beta) is 82.140.78.114, the second (delta) is 82.140.78.116.

Local network on the left: 192.168.1.0/24, local network on the right: 192.168.4.0/24.

I created certificates and exchanged the *.public files between the gateways.


I configured the ipsec-tools.conf file on beta:
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 82.140.78.114/29 82.140.78.116/29 ipencap -P out ipsec
esp/tunnel/82.140.78.114-82.140.78.116/require;
spdadd 82.140.78.116/29 82.140.78.114/29 ipencap -P in ipsec
esp/tunnel/82.140.78.116-82.140.78.114/require;


I configured the ipsec-tools.conf file on delta:
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 82.140.78.116/29 82.140.78.114/29 ipencap -P out ipsec
esp/tunnel/82.140.78.116-82.140.78.114/require;
spdadd 82.140.78.114/29 82.140.78.116/29 ipencap -P in ipsec
esp/tunnel/82.140.78.114-82.140.78.116/require;


/etc/racoon/racoon.conf on beta:
path include "/etc/racoon";
path certificate "/etc/racoon/certs";

log debug2;

padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}

listen
{
isakmp 82.140.78.114 [500];
}

timer
{
counter 5;
interval 20 sec;
persend 1;
phase1 30 sec;
phase2 15 sec;
}

remote 82.140.78.116
{
exchange_mode aggressive,main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "beta.auto.local.public" "beta.auto.local.private";
peers_certfile x509 "delta.auto.local.public";
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2 ;
}
}

sainfo anonymous
{
pfs_group 5;
lifetime time 60 min;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}




/etc/racoon/racoon.conf on delta:
path include "/etc/racoon";
path certificate "/etc/racoon/certs";

log debug2;

padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}

listen
{
isakmp 82.140.78.116 [500];
}

timer
{
counter 5;
interval 20 sec;
persend 1;
phase1 30 sec;
phase2 15 sec;
}

remote 82.140.78.114
{
exchange_mode aggressive,main;
certificate_type x509 "delta.auto.local.public" "delta.auto.local.private";
peers_certfile x509 "beta.auto.local.public";
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2 ;
}
}

sainfo anonymous
{
pfs_group 5;
lifetime time 60 min;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}



After racoon starts, it writes the following to /var/log/daemon.log:
Feb 6 11:15:55 beta racoon: INFO: @(#)ipsec-tools 0.7.1
(http://ipsec-tools.sourceforge.net)
Feb 6 11:15:55 beta racoon: INFO: @(#)This product linked OpenSSL 0.9.8g
19 Oct 2007 (http://www.openssl.org/)
Feb 6 11:15:55 beta racoon: INFO: Reading configuration from
"/etc/racoon/racoon.conf"
Feb 6 11:15:55 beta racoon: INFO: Resize address pool from 0 to 255
Feb 6 11:15:55 beta racoon: DEBUG2: lifetime = 28800
Feb 6 11:15:55 beta racoon: DEBUG2: lifebyte = 0
Feb 6 11:15:55 beta racoon: DEBUG2: encklen=0
Feb 6 11:15:55 beta racoon: DEBUG2: p:1 t:1
Feb 6 11:15:55 beta racoon: DEBUG2: 3DES-CBC(5)
Feb 6 11:15:55 beta racoon: DEBUG2: SHA(2)
Feb 6 11:15:55 beta racoon: DEBUG2: 1024-bit MODP group(2)
Feb 6 11:15:55 beta racoon: DEBUG2: RSA signatures(3)
Feb 6 11:15:55 beta racoon: DEBUG2:
Feb 6 11:15:55 beta racoon: DEBUG: hmac(modp1024)
Feb 6 11:15:55 beta racoon: DEBUG: compression algorithm can not be
checked because sadb message doesn't support it.
Feb 6 11:15:55 beta racoon: DEBUG: getsainfo params: loc='ANONYMOUS',
rmt='ANONYMOUS', peer='NULL', id=0
Feb 6 11:15:55 beta racoon: DEBUG: getsainfo pass #2
Feb 6 11:15:55 beta racoon: DEBUG2: parse successed.
Feb 6 11:15:55 beta racoon: DEBUG: open /var/run/racoon/racoon.sock as
racoon management.
Feb 6 11:15:55 beta racoon: INFO: 82.140.78.114[500] used as isakmp port
(fd=7)
Feb 6 11:15:55 beta racoon: INFO: 82.140.78.114[500] used for NAT-T
Feb 6 11:15:55 beta racoon: DEBUG: pk_recv: retry[0] recv()
Feb 6 11:15:55 beta racoon: DEBUG: get pfkey X_SPDDUMP message
Feb 6 11:15:55 beta racoon: DEBUG2: #01202120000 1c000100 01000000
6a0f0000 03000500 041d0000 02000000 528c4e74#01200000000 00000000
03000600 041d0000 02000000 528c4e72 00000000 00000000#01204000300
00000000 00000000 00000000 00000000 00000000 00000000
00000000#01204000400 00000000 00000000 00000000 00000000 00000000
00000000 00000000#01204000200 00000000 00000000 00000000 23216d4b
00000000 00000000 00000000#01208001200 02000300 1a1a0000 00000000
30003200 02020000 00000000 00000000#01202000000 528c4e74 00000000
00000000 02000000 528c4e72 00000000 00000000
Feb 6 11:15:55 beta racoon: DEBUG: pk_recv: retry[0] recv()
Feb 6 11:15:55 beta racoon: DEBUG: get pfkey X_SPDDUMP message
Feb 6 11:15:55 beta racoon: DEBUG2: #01202120000 1c000100 02000000
6a0f0000 03000500 041d0000 02000000 528c4e74#01200000000 00000000
03000600 041d0000 02000000 528c4e72 00000000 00000000#01204000300
00000000 00000000 00000000 00000000 00000000 00000000
00000000#01204000400 00000000 00000000 00000000 00000000 00000000
00000000 00000000#01204000200 00000000 00000000 00000000 23216d4b
00000000 00000000 00000000#01208001200 02000100 101a0000 00000000
30003200 02020000 00000000 00000000#01202000000 528c4e74 00000000
00000000 02000000 528c4e72 00000000 00000000
Feb 6 11:15:55 beta racoon: DEBUG: sub:0xff946228: 82.140.78.116/29[0]
82.140.78.114/29[0] proto=4 dir=in
Feb 6 11:15:55 beta racoon: DEBUG: db :0x83d7880: 82.140.78.116/29[0]
82.140.78.114/29[0] proto=4 dir=fwd
Feb 6 11:15:55 beta racoon: DEBUG: pk_recv: retry[0] recv()
Feb 6 11:15:55 beta racoon: DEBUG: get pfkey X_SPDDUMP message
Feb 6 11:15:55 beta racoon: DEBUG2: #01202120000 1c000100 00000000
6a0f0000 03000500 041d0000 02000000 528c4e72#01200000000 00000000
03000600 041d0000 02000000 528c4e74 00000000 00000000#01204000300
00000000 00000000 00000000 00000000 00000000 00000000
00000000#01204000400 00000000 00000000 00000000 00000000 00000000
00000000 00000000#01204000200 00000000 00000000 00000000 23216d4b
00000000 00000000 00000000#01208001200 02000200 091a0000 00000000
30003200 02020000 00000000 00000000#01202000000 528c4e72 00000000
00000000 02000000 528c4e74 00000000 00000000
Feb 6 11:15:55 beta racoon: DEBUG: sub:0xff946228: 82.140.78.114/29[0]
82.140.78.116/29[0] proto=4 dir=out
Feb 6 11:15:55 beta racoon: DEBUG: db :0x83d7880: 82.140.78.116/29[0]
82.140.78.114/29[0] proto=4 dir=fwd
Feb 6 11:15:55 beta racoon: DEBUG: sub:0xff946228: 82.140.78.114/29[0]
82.140.78.116/29[0] proto=4 dir=out
Feb 6 11:15:55 beta racoon: DEBUG: db :0x83d7ac8: 82.140.78.116/29[0]
82.140.78.114/29[0] proto=4 dir=in


On the second machine the output is roughly identical. The firewall is disabled.
tcpdump -p esp shows nothing. What's wrong?
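The post above quotes both gateways' SPD files. As an added example (written for this page; it is not code from the post or from ipsec-tools), here is a small Python checker that parses the spdadd statements of two setkey files, confirms that every out policy on one side has its in twin on the other, and reports which traffic each selector actually matches. It assumes the LAN prefixes the post names (192.168.1.0/24 and 192.168.4.0/24) and a small protocol-name table taken from /etc/protocols; the LAN_POLICY entry at the end is a constructed contrast, not a line from the post. Run over the two files as posted, it reports that the policies mirror each other correctly and that every selector is restricted to upper-layer protocol ipencap (IP protocol 4, the proto=4 the daemon log echoes), so no policy selects plain traffic between the two LAN prefixes. Checking those two properties of the SPD first is cheaper than reading IKE debug output.

```python
"""Consistency and coverage checks for two gateways' setkey SPD files.

Added example (not part of the mailing-list post, not ipsec-tools code):
parses the spdadd statements of both ipsec-tools.conf files, verifies that
every in/out policy on one gateway has its twin on the other, and reports
what traffic each selector matches. BETA_SPD and DELTA_SPD are the two
files quoted in the post; the LAN prefixes are the ones the post names.
"""
import ipaddress
import re
from dataclasses import dataclass

BETA_SPD = """\
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 82.140.78.114/29 82.140.78.116/29 ipencap -P out ipsec
esp/tunnel/82.140.78.114-82.140.78.116/require;
spdadd 82.140.78.116/29 82.140.78.114/29 ipencap -P in ipsec
esp/tunnel/82.140.78.116-82.140.78.114/require;
"""

DELTA_SPD = """\
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 82.140.78.116/29 82.140.78.114/29 ipencap -P out ipsec
esp/tunnel/82.140.78.116-82.140.78.114/require;
spdadd 82.140.78.114/29 82.140.78.116/29 ipencap -P in ipsec
esp/tunnel/82.140.78.114-82.140.78.116/require;
"""

# Upper-layer protocol names usable in a spdadd selector, with their IP
# protocol numbers (from /etc/protocols); "any" means no protocol restriction.
PROTO_NUMBERS = {"any": None, "icmp": 1, "ipencap": 4, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}

# Matches one spdadd statement after its whitespace has been collapsed to single spaces.
SPDADD_RE = re.compile(
    r"spdadd (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) -P (?P<dir>in|out|fwd) "
    r"(?P<action>ipsec|discard|none) ?(?P<rule>.*)$"
)


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    proto: str
    direction: str
    action: str
    rule: str  # e.g. "esp/tunnel/82.140.78.114-82.140.78.116/require"

    def twin(self):
        """The entry the peer must hold for this one: identical selector and SA
        rule, opposite direction (the receiver sees the same src -> dst)."""
        flipped = {"out": "in", "in": "out"}[self.direction]
        return Policy(self.src, self.dst, self.proto, flipped, self.action, self.rule)


def parse_setkey(text):
    """Return the spdadd statements of a setkey script. Statements end with ';'
    and may continue over several lines; shebang and comment lines are skipped."""
    body = "\n".join(line for line in text.splitlines() if not line.lstrip().startswith("#"))
    policies = []
    for stmt in body.split(";"):
        m = SPDADD_RE.match(" ".join(stmt.split()))  # join continuation lines
        if m:
            policies.append(Policy(m["src"], m["dst"], m["proto"], m["dir"], m["action"], m["rule"]))
    return policies


def missing_twins(mine, peer):
    """Policies in `mine` (in/out only) whose twin is absent from `peer`."""
    have = set(peer)
    return [p for p in mine if p.direction in ("in", "out") and p.twin() not in have]


def _net(selector):
    # Strip an optional [port] suffix; strict=False tolerates host bits as in .114/29.
    return ipaddress.ip_network(re.sub(r"\[.*\]$", "", selector), strict=False)


def selects(policy, src_net, dst_net):
    """True if the selector covers plain (unencapsulated) traffic from src_net to
    dst_net: both prefixes lie inside the selector and no upper-layer protocol limit."""
    return (policy.proto == "any"
            and ipaddress.ip_network(src_net).subnet_of(_net(policy.src))
            and ipaddress.ip_network(dst_net).subnet_of(_net(policy.dst)))


def audit(left_text, right_text, lan_left, lan_right):
    """Run both checks for a gateway pair and return the findings as a dict."""
    left, right = parse_setkey(left_text), parse_setkey(right_text)
    return {
        "left_missing_twin": missing_twins(left, right),
        "right_missing_twin": missing_twins(right, left),
        "left_out_covers_lan": [p for p in left if p.direction == "out" and selects(p, lan_left, lan_right)],
        "right_out_covers_lan": [p for p in right if p.direction == "out" and selects(p, lan_right, lan_left)],
        "selector_protocols": sorted({(p.proto, PROTO_NUMBERS.get(p.proto)) for p in left + right}),
    }


# Constructed contrast (not from the post): a selector written on the LAN
# prefixes with no protocol restriction, which `selects` accepts.
LAN_POLICY = Policy("192.168.1.0/24", "192.168.4.0/24", "any", "out", "ipsec",
                    "esp/tunnel/82.140.78.114-82.140.78.116/require")

if __name__ == "__main__":
    for key, value in audit(BETA_SPD, DELTA_SPD, "192.168.1.0/24", "192.168.4.0/24").items():
        print(f"{key}: {value}")
```

The twin check compares the whole tuple (selector, protocol, action and SA rule), so a tunnel endpoint typed the wrong way round on one side shows up as a missing twin rather than silently producing two policies that never match each other.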

