Good evening everyone,
I'm trying to set up the following structure....
Linux DEBIAN (ADSL DYNAMIC IP) --------------------------- INTERNET -------------------------------- Linux DEBIAN (ADSL DYNAMIC IP)
When I try to bring up ipsec with the command
ipsec auto --up vpn-udi, it gives the following:
ipsec auto --up vpn-udi
104 "vpn-udi" #1: STATE_MAIN_I1: initiate
003 "vpn-udi" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
106 "vpn-udi" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpn-udi" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "vpn-udi" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "vpn-udi" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "vpn-udi" #1: received and ignored informational message
010 "vpn-udi" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "vpn-udi" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "vpn-udi" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "vpn-udi" #1: received and ignored informational message
010 "vpn-udi" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "vpn-udi" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "vpn-udi" #1: ignoring informational payload, type INVALID_KEY_INFORMATION
003 "vpn-udi" #1: received and ignored informational message
031 "vpn-udi" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Thanks for the help...
:D
Thiago
I've already regenerated everything... and got... nothing!! The configurations are below:
What I did: I created a servidor1.no-ip.info record and made the following settings in ipsec.conf:
ON THE GATEWAY SIDE (servidor1.no-ip.info):
Servidor1:/etc# cat ipsec.conf
version 2.0
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4: 10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn vpn-udi
    leftsubnet=10.1.0.0/16
    leftid="C=BR, ST=MG, L=CIDADE, O=EMPRESA, CN=servidor1, E=meuemail"
    rightid="C=BR, ST=MG, L=CIDADE, O=EMPRESA, CN=servidor2, E=meuemail"
    left=%defaultroute
    leftcert=/etc/ipsec/ca/servidor1.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=yes
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
THE IPSEC.SECRETS ON THE GW SIDE
: RSA /etc/ipsec/ca/servidor1.key "senha_do_pass_ phrase "
To generate the keys, the following commands were used on both server 1 and server 2:
mkdir /etc/ipsec/ca
/usr/lib/ssl/misc/CA.sh -newca
openssl ca -gencrl -out crl.pem
/usr/lib/ssl/misc/CA.sh -newreq
/usr/lib/ssl/misc/CA.sh -sign
mv newcert.pem servidor1.pem
mv newreq.pem servidor1.key
ON THE CLIENT SIDE
Servidor2:/etc# cat ipsec.conf
version 2
config setup
    interfaces=%defaultroute
    nat_traversal=yes
conn %default
    keyingtries=1
    compress=yes
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn vpn-udi
    leftsubnet=10.1.0.0/16
    left= servidor1.no-ip.info
    leftcert=/etc/ipsec/ca/servidor1.no-ip.info.pem
    right=%defaultroute
    rightcert=/etc/ipsec/ca/servidor2.no-ip.info.pem
    auto=add
    pfs=yes
    leftid="C=BR, ST=MG, L=CIDADE, O=EMPRESA, CN=servidor1, E=meuemail"
    rightid="C=BR, ST=MG, L=CIDADE, O=EMPRESA, CN=servidor2, E=meuemail"
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
THE IPSEC.SECRETS
: RSA /etc/ipsec/ca/servidor2.key "senha_do_pass_phrase"
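A check worth running on each peer before chasing the IKE exchange itself, added here as an example and not part of the original post: confirm that the certificate named in leftcert/rightcert really belongs to the RSA key listed in ipsec.secrets, and print the certificate subject in the same form as the leftid/rightid strings so the two can be compared by eye. It assumes the OpenSSL command-line tool is installed; the default paths are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check one Openswan
# RSA-signature peer. Assumes the OpenSSL CLI is installed.
# Default paths are the ones quoted in the post; override via arguments.
CERT=${1:-/etc/ipsec/ca/servidor1.pem}
KEY=${2:-/etc/ipsec/ca/servidor1.key}
PASS=${3:-}   # key passphrase, the same value that ipsec.secrets carries

# Returns 0 when the RSA modulus in the certificate equals the one in the
# private key, 1 otherwise (including an unreadable file or wrong passphrase).
cert_matches_key() {
    cert=$1; key=$2; pass=$3
    cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 1
    if [ -n "$pass" ]; then
        kmod=$(openssl rsa -noout -modulus -in "$key" -passin "pass:$pass" 2>/dev/null) || return 1
    else
        kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    fi
    [ "$cmod" = "$kmod" ]
}

# Prints the certificate subject the way Openswan writes IDs
# ("C=BR, ST=MG, ..., E=..."), so it can be compared with leftid/rightid.
cert_subject_id() {
    openssl x509 -noout -subject -nameopt oneline,-space_eq -in "$1" \
        | sed -e 's/^subject= *//' -e 's/emailAddress=/E=/'
}

# Only report when both files are actually present on this host.
if [ -r "$CERT" ] && [ -r "$KEY" ]; then
    if cert_matches_key "$CERT" "$KEY" "$PASS"; then
        echo "OK: $CERT and $KEY carry the same RSA modulus"
    else
        echo "MISMATCH: $CERT does not belong to $KEY (or the passphrase is wrong)"
    fi
    echo "subject as an id= value: $(cert_subject_id "$CERT")"
fi
```

Run it once per peer with that peer's own certificate and key (on servidor2, the files behind rightcert and its ipsec.secrets line); a printed subject that differs from the id= string in ipsec.conf, or a MISMATCH, is something to fix before looking further at the IKE log.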