Fwd: [4linux-br] VPN KAME and OPENSWAN using PSK
GATEWAYS DON'T TALK!
I'm sending the contents of the files:
- ipsec.conf (openswan),
- racoon.conf (kame) and racoon.log.
I've been racking my brain over this for a few days,
but I can't get past it.
Oh, and conn openswan-openswan is working
OK!
Thanks
###GATEWAY OPENSWAN:##############################################################
/etc/ipsec.conf
#version 2.0
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=all
    plutoload=%search
    plutostart=%search
conn %default
    esp=3des-md5-96
    authby=rsasig
    leftrsasigkey=%dns
    rightrsasigkey=%dns
conn openswan-openswan
    left=200.111.111.1
    leftid=@FW
    leftsubnet=10.90.0.0/16
    leftnexthop=200.111.111.2
    leftrsasigkey=0sAQOJJQOy2Cn0O...
    right=200.XXX.XXX.XXX
    rightid=@CL
    rightsubnet=10.118.0.0/16
    rightnexthop=200.222.222.2
    rightrsasigkey=0sAQOdmIUpi...
    authby=rsasig
    auto=start
conn openswan-kame
    type=tunnel
    esp=sha1
    #keyexchange=ike
    #esp=des-md5
    #ike=3des-md5-96
    #compress=no
    #pfs=no
    auth=esp
    authby=secret
    auto=start
    left=200.111.111.1
    leftid=@FW
    leftsubnet=10.90.0.0/16
    leftnexthop=200.111.111.2
    right=200.333.333.1
    rightid=@LE
    rightsubnet=192.168.1.0/24
    rightnexthop=200.333.333.2
###GATEWAY KAME:##############################################################
/etc/racoon/racoon.conf
listen {
    isakmp 200.333.333.1 [500];
    strict_address;
}
remote 200.111.111.1 {
    exchange_mode main;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo address 192.168.1.0[any] any address 10.90.0.0/16[any] any {
    #pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
### RACOON.LOG ##############################################################
/var/log/racoon.log
2005-07-20 09:42:03: INFO: @(#)ipsec-tools 0.5.2 (http://ipsec-tools.sourceforge.net)
2005-07-20 09:42:03: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
2005-07-20 09:42:03: INFO: 200.333.333.1[500] used as isakmp port (fd=6)
2005-07-20 09:42:03: INFO: 200.333.333.1[500] used for NAT-T
2005-07-20 09:42:10: INFO: respond new phase 1 negotiation: 200.333.333.1[500]<=>200.111.111.1[500]
2005-07-20 09:42:10: INFO: begin Identity Protection mode.
2005-07-20 09:42:10: ERROR: ignore information because the message has no hash payload.
2005-07-20 09:42:20: ERROR: ignore information because the message has no hash payload.
2005-07-20 09:42:20: NOTIFY: the packet is retransmitted by 200.111.111.1[500].
2005-07-20 09:42:20: ERROR: ignore information because the message has no hash payload.
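As an added example (not part of the original message or of either project's code), a small Python checker that compares the Openswan `openswan-kame` conn with the racoon `sainfo` block for the phase-2 disagreements a practitioner would look for first: the form and algorithms of `esp=`, and the selector subnets. It runs on constructed copies of the two snippets posted above; the racoon-to-Openswan algorithm name mapping and the rule that a bare sainfo address is a single-host ID are the assumptions it makes.

```python
import re
from ipaddress import ip_network

# Constructed copies of the two snippets from the message (only the lines the check uses).
OPENSWAN_CONN = """conn openswan-kame
    type=tunnel
    esp=sha1
    auth=esp
    authby=secret
    leftsubnet=10.90.0.0/16
    rightsubnet=192.168.1.0/24
"""
RACOON_SAINFO = """sainfo address 192.168.1.0[any] any address 10.90.0.0/16[any] any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
}
"""
CIPHERS = {"des", "3des", "aes"}                        # Openswan esp= cipher tokens
HASHES = {"md5", "sha1"}                                 # Openswan esp= hash tokens
RACOON_HASH = {"hmac_md5": "md5", "hmac_sha1": "sha1"}  # racoon name -> Openswan token (assumed mapping)

def parse_openswan(text):
    # key=value pairs of one conn block
    return dict(re.findall(r"^\s*(\w+)=(\S+)", text, re.M))

def parse_racoon(text):
    # (local selector, remote selector, {name: algorithm}) of one sainfo block
    local, remote = re.findall(r"address\s+(\S+?)\[any\]", text)[:2]
    return local, remote, dict(re.findall(r"(\w+_algorithm)\s+(\w+);", text))

def find_mismatches(conn_text, sainfo_text):
    """Phase-2 disagreements that keep the IPsec SA from being agreed on."""
    conn = parse_openswan(conn_text)
    local, remote, algs = parse_racoon(sainfo_text)
    issues = []
    parts = conn.get("esp", "").split("-")
    cipher, auth = parts[0], (parts[1] if len(parts) > 1 else None)
    # Openswan wants esp=cipher-hash; a lone hash name is not a usable proposal
    if cipher not in CIPHERS or auth not in HASHES:
        issues.append(f"esp={conn.get('esp')} is not of the form cipher-hash (e.g. 3des-md5)")
    want = (algs.get("encryption_algorithm"), RACOON_HASH.get(algs.get("authentication_algorithm")))
    if (cipher, auth) != want:
        issues.append(f"esp gives {(cipher, auth)} but racoon sainfo offers {want}")
    # racoon lists its own network first (Openswan's right side); a bare address is a /32 host ID
    for racoon_sel, key in ((local, "rightsubnet"), (remote, "leftsubnet")):
        r_net, o_net = ip_network(racoon_sel, strict=False), ip_network(conn[key], strict=False)
        if r_net != o_net:
            issues.append(f"{key}={o_net} but racoon sainfo has {r_net}")
    return issues
```

Run `find_mismatches(OPENSWAN_CONN, RACOON_SAINFO)`; it reports the lone `esp=sha1`, the 3des/hmac_md5 disagreement, and the `192.168.1.0` selector that lacks the `/24`.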