Good evening everyone, I am trying to set up the following structure....

Linux DEBIAN (ADSL, dynamic IP) --------------------------- INTERNET -------------------------------- Linux DEBIAN (ADSL, dynamic IP) (servidor1.no-ip.info)

When I try to bring up ipsec with the command ipsec auto --up vpn-udi, it gives the following:

ipsec auto --up vpn-udi
104 "vpn-udi" #1: STATE_MAIN_I1: initiate
003 "vpn-udi" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
106 "vpn-udi" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpn-udi" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "vpn-udi" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "vpn-udi" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "vpn-udi" #1: received and ignored informational message
010 "vpn-udi" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "vpn-udi" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "vpn-udi" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "vpn-udi" #1: received and ignored informational message
010 "vpn-udi" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "vpn-udi" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "vpn-udi" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "vpn-udi" #1: received and ignored informational message
031 "vpn-udi" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

Thanks for the help... :D
Thiago

I have already regenerated everything... and couldn't get it working... nothing!! The configurations follow below.

What I did: I created a servidor1.no-ip.info record and made the following settings in ipsec.conf:

ON THE GATEWAY SIDE (servidor1.no-ip.info):

Servidor1:/etc# cat ipsec.conf
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn vpn-udi
    leftsubnet=10.1.0.0/16
    leftid="C=BR, ST=MG, L=CIDADE, O=EMPRESA, CN=servidor1, E=meuemail"
    rightid="C=BR, ST=MG, L=CIDADE, O=EMPRESA, CN=servidor2, E=meuemail"
    left=%defaultroute
    leftcert=/etc/ipsec/ca/servidor1.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=yes

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

The ipsec.secrets on the GW side:

: RSA /etc/ipsec/ca/servidor1.key "senha_do_pass_phrase"

The keys were generated with the following commands, on servidor1 as well as on servidor2:

mkdir /etc/ipsec/ca
/usr/lib/ssl/misc/CA.sh -newca
openssl ca -gencrl -out crl.pem
/usr/lib/ssl/misc/CA.sh -newreq
/usr/lib/ssl/misc/CA.sh -sign
mv newcert.pem servidor1.pem
mv newreq.pem servidor1.key

ON THE CLIENT SIDE:

Servidor2:/etc# cat ipsec.conf
version 2

config setup
    interfaces=%defaultroute
    nat_traversal=yes

conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn vpn-udi
    leftsubnet=10.1.0.0/16
    left=servidor1.no-ip.info
    leftcert=/etc/ipsec/ca/servidor1.no-ip.info.pem
    right=%defaultroute
    rightcert=/etc/ipsec/ca/servidor2.no-ip.info.pem
    auto=add
    pfs=yes
    leftid="C=BR, ST=MG, L=CIDADE, O=EMPRESA, CN=servidor1, E=meuemail"
    rightid="C=BR, ST=MG, L=CIDADE, O=EMPRESA, CN=servidor2, E=meuemail"

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

ipsec.secrets:

: RSA /etc/ipsec/ca/servidor2.key "senha_do_pass_phrase"
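Added example, not part of Thiago's post: a small Python triage of the pluto output quoted above, which groups the status lines by connection, records the main-mode states reached and the notifications the peer sent, and reduces the run to a one-line verdict. In this log the initiator got as far as STATE_MAIN_I3 (the message that carries its ID and RSA signature) and the only answer was an unauthenticated INVALID_KEY_INFORMATION notify, a pattern commonly traced to leftid/rightid not matching the certificate subject DN exactly, or to ipsec.secrets pointing at a key that does not belong to leftcert. The log text is embedded as a constructed sample copied from the post.

```python
import re

# Constructed sample: the pluto output quoted in the post, one message per line.
PLUTO_LOG = """\
104 "vpn-udi" #1: STATE_MAIN_I1: initiate
003 "vpn-udi" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
106 "vpn-udi" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpn-udi" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "vpn-udi" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "vpn-udi" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "vpn-udi" #1: received and ignored informational message
010 "vpn-udi" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "vpn-udi" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "vpn-udi" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "vpn-udi" #1: received and ignored informational message
010 "vpn-udi" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "vpn-udi" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "vpn-udi" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "vpn-udi" #1: received and ignored informational message
031 "vpn-udi" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

# Each pluto line is: <3-digit status code> "<conn>" #<SA number>: <message>.
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
STATE_RE = re.compile(r'^(STATE_[A-Z0-9_]+)')
NOTIFY_RE = re.compile(r'informational payload, type ([A-Z0-9_]+)')

def triage(log):
    # Per connection: states reached, peer notifications, retransmit count, verdict.
    conns = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a pluto status line
        code, conn, sa, msg = m.groups()
        s = conns.setdefault(conn, {"sa": int(sa), "states": [], "notifications": [],
                                    "retransmissions": 0, "failed": False})
        st = STATE_RE.match(msg)
        if st and int(code) >= 100 and st.group(1) not in s["states"]:
            s["states"].append(st.group(1))  # 1xx codes announce a new IKE state
        n = NOTIFY_RE.search(msg)
        if n:  # unauthenticated notify from the peer: pluto logs it, then ignores it
            s["notifications"].append(n.group(1))
        s["retransmissions"] += "retransmission;" in msg
        s["failed"] |= msg.startswith("max number of retransmissions")
    for s in conns.values():
        last = s["states"][-1] if s["states"] else "none"
        peer = ", ".join(sorted(set(s["notifications"]))) or "no notification"
        s["verdict"] = ("gave up in " if s["failed"] else "reached ") + last + " (peer sent " + peer + ")"
    return conns
```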