Проблемы с ipsec туннелями

[Re-Master]

Всем доброго времени суток.

Возникла проблема с ipseс туннелями. На левом конце - сервер ubuntu 10.10 server с openswan на борту. на правых концах туннелей - два идентичных D-Link DI-808HV. Первый туннель (Lukovskkon) поднимается нормально, но через какое-то время виснет и спасает только либо перезапуск ipsec на сервере, либо перезагрузка vpn-роутера. Второй туннель поднимается, но как-то односторонне, то есть из левой подсети пинги в правую не доходят, они почему-то уходят в интернет, а не в туннель (судя по ответу пинга), а вот правая подсеть спокойно работает с серверами в левой подсети.

Конфиг ipsec

(Нажмите, чтобы показать/скрыть)

Ipsec.conf:
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    protostack=netkey
    interfaces=%defaultroute
    uniqueids=yes

conn %default
    keyingtries=0
    disablearrivalcheck=no
    #authby=rsasig
    leftrsasigkey=%dns
    rightrsasigkey=%dns

conn Lukovskkon
    left=92.255.194.238
    leftid=92.255.194.238
    leftsubnet=192.168.1.0/24
    leftnexthop=%defaultroute
    right=83.151.5.36
    rightsubnet=192.168.3.0/24
    rightid=83.151.5.36
    keyexchange=ike
    ikelifetime=240m
    keylife=3600s
    pfs=yes
    compress=no
    authby=secret
    keyingtries=0
    auto=start

conn Chelnykon
    left=92.255.194.238
    leftsourceip=192.168.1.1
    leftid=92.255.194.238
    leftsubnet=192.168.1.0/24
    leftnexthop=%defaultroute
    right=79.175.29.70
    rightsourceip=192.168.4.1
    rightsubnet=192.168.4.0/24
    rightid=79.175.29.70
    keyexchange=ike
    ikelifetime=240m
    keylife=3600s
    pfs=yes
    compress=no
    authby=secret
    keyingtries=0
    auto=start

Кусок лога:

(Нажмите, чтобы показать/скрыть)

Dec 10 16:01:27 gate pluto[13110]: Starting Pluto (Openswan Version 2.6.26; Vendor ID OEPK~zvMNd_W) pid:13110
Dec 10 16:01:27 gate pluto[13110]: Setting NAT-Traversal port-4500 floating to on
Dec 10 16:01:27 gate pluto[13110]:    port floating activation criteria nat_t=1/port_float=1
Dec 10 16:01:27 gate pluto[13110]:    NAT-Traversal support  [enabled]
Dec 10 16:01:27 gate pluto[13110]: using /dev/urandom as source of random entropy
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: starting up 3 cryptographic helpers
Dec 10 16:01:27 gate pluto[13110]: started helper pid=13114 (fd:7)
Dec 10 16:01:27 gate pluto[13110]: started helper pid=13115 (fd:
Dec 10 16:01:27 gate pluto[13114]: using /dev/urandom as source of random entropy
Dec 10 16:01:27 gate pluto[13110]: started helper pid=13116 (fd:9)
Dec 10 16:01:27 gate pluto[13110]: Using Linux 2.6 IPsec interface code on 2.6.35-22-generic-pae (experimental code)
Dec 10 16:01:27 gate pluto[13115]: using /dev/urandom as source of random entropy
Dec 10 16:01:27 gate pluto[13116]: using /dev/urandom as source of random entropy
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_add(): ERROR: Algorithm already exists
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_add(): ERROR: Algorithm already exists
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_add(): ERROR: Algorithm already exists
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_add(): ERROR: Algorithm already exists
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_add(): ERROR: Algorithm already exists
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Dec 10 16:01:27 gate pluto[13110]: Changed path to directory '/etc/ipsec.d/cacerts'
Dec 10 16:01:27 gate pluto[13110]: Changed path to directory '/etc/ipsec.d/aacerts'
Dec 10 16:01:27 gate pluto[13110]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Dec 10 16:01:27 gate pluto[13110]: Changing to directory '/etc/ipsec.d/crls'
Dec 10 16:01:27 gate pluto[13110]:   Warning: empty directory
Dec 10 16:01:27 gate pluto[13110]: added connection description "Lukovskkon"
Dec 10 16:01:27 gate pluto[13110]: added connection description "Chelnykon"
Dec 10 16:01:27 gate pluto[13110]: listening for IKE messages
Dec 10 16:01:27 gate pluto[13110]: NAT-Traversal: Trying new style NAT-T
Dec 10 16:01:27 gate pluto[13110]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Dec 10 16:01:27 gate pluto[13110]: NAT-Traversal: Trying old style NAT-T
Dec 10 16:01:27 gate pluto[13110]: adding interface eth1/eth1 92.255.194.238:500
Dec 10 16:01:27 gate pluto[13110]: adding interface eth1/eth1 92.255.194.238:4500
Dec 10 16:01:27 gate pluto[13110]: adding interface eth0/eth0 192.168.1.1:500
Dec 10 16:01:27 gate pluto[13110]: adding interface eth0/eth0 192.168.1.1:4500
Dec 10 16:01:27 gate pluto[13110]: adding interface lo/lo 127.0.0.1:500
Dec 10 16:01:27 gate pluto[13110]: adding interface lo/lo 127.0.0.1:4500
Dec 10 16:01:27 gate pluto[13110]: adding interface lo/lo ::1:500
Dec 10 16:01:27 gate pluto[13110]: loading secrets from "/etc/ipsec.secrets"
Dec 10 16:01:27 gate pluto[13110]: no secrets filename matched "/var/lib/openswan/ipsec.secrets.inc"
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: initiating Main Mode
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: initiating Main Mode
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: Main mode peer ID is ID_IPV4_ADDR: '79.175.29.70'
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#2 msgid:2514737a proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: Main mode peer ID is ID_IPV4_ADDR: '83.151.5.36'
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:c8540863 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
Dec 10 16:01:28 gate pluto[13110]: "Chelnykon" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 10 16:01:28 gate pluto[13110]: "Chelnykon" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x960462c1<0x0c311c19 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Dec 10 16:01:28 gate pluto[13110]: "Lukovskkon" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 10 16:01:28 gate pluto[13110]: "Lukovskkon" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x1e074e95<0x13a75566 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Dec 10 16:01:31 gate pluto[13110]: "Chelnykon" #5: responding to Main Mode
Dec 10 16:01:31 gate pluto[13110]: "Chelnykon" #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 10 16:01:31 gate pluto[13110]: "Chelnykon" #5: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: responding to Main Mode
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: Main mode peer ID is ID_IPV4_ADDR: '83.151.5.36'
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: the peer proposed: 192.168.1.0/24:0/0 ->  192.168.3.0/24:0/0
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #7: responding to Quick Mode proposal {msgid:643fe80e}
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #7:     us: 192.168.1.0/24===92.255.194.238<92.255.194.238>[+S=C]---92.255.194.237
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #7:   them: 83.151.5.36<83.151.5.36>[+S=C]===192.168.3.0/24
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #7: keeping refhim=4294901761 during rekey
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #7: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #7: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 10 16:01:32 gate pluto[13110]: "Lukovskkon" #7: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 10 16:01:32 gate pluto[13110]: "Lukovskkon" #7: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1f07e7e7<0x08274fc2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Dec 10 16:01:35 gate pluto[13110]: "Lukovskkon" #1: received Delete SA(0x1e074e95) payload: deleting IPSEC State #4
Dec 10 16:01:35 gate pluto[13110]: "Lukovskkon" #1: received and ignored informational message
Dec 10 16:01:36 gate pluto[13110]: "Chelnykon" #8: responding to Main Mode
Dec 10 16:01:36 gate pluto[13110]: "Chelnykon" #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 10 16:01:36 gate pluto[13110]: "Chelnykon" #8: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 10 16:01:46 gate pluto[13110]: "Chelnykon" #9: responding to Main Mode
Dec 10 16:01:46 gate pluto[13110]: "Chelnykon" #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 10 16:01:46 gate pluto[13110]: "Chelnykon" #9: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 10 16:01:56 gate pluto[13110]: "Chelnykon" #10: responding to Main Mode
Dec 10 16:01:56 gate pluto[13110]: "Chelnykon" #10: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 10 16:01:56 gate pluto[13110]: "Chelnykon" #10: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 10 16:02:16 gate pluto[13110]: "Chelnykon" #11: responding to Main Mode
Dec 10 16:02:16 gate pluto[13110]: "Chelnykon" #11: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 10 16:02:16 gate pluto[13110]: "Chelnykon" #11: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 10 16:02:17 gate pluto[13110]: packet from 79.175.29.70:500: ignoring Delete SA payload: not encrypted
Dec 10 16:02:17 gate pluto[13110]: packet from 79.175.29.70:500: received and ignored informational message
Dec 10 16:02:41 gate pluto[13110]: "Chelnykon" #5: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 10 16:02:46 gate pluto[13110]: "Chelnykon" #8: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 10 16:02:56 gate pluto[13110]: "Chelnykon" #9: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 10 16:03:06 gate pluto[13110]: "Chelnykon" #10: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 10 16:03:26 gate pluto[13110]: "Chelnykon" #11: max number of retransmissions (2) reached STATE_MAIN_R1

Очень хочется эти недуги побороть 

[drako]

nat_traversal=no
interfaces="ipsec0=eth1 ipsec1=eth1"
leftnexthop=адрес шлюза
Это то что явно в глаза бросается.

P.S. А почему не использовали racoon, тем более что поб него и мануал на длинке есть?

[Re-Master]

отключение traversal nat не помогло. А вот interfaces= и leftnexthop= настроены на defaultroute по инструкции, которая лежит на сайте openswan. Про racoon просто не задумывался

[drako]

%defaulroute используется при динамическом адресе, а у вас статика, и если вы обратили внимание, то идет попытка прослушивать все интерфейсы.

[Re-Master]

конструкция interfaces="ipsec0=eth1 ipsec1=eth1" выдала ошибку.
Не помогло. Всё так же второй туннель не пингуестя с правой стороны.

Судя по логам, первый туннель переходит в  STATE_QUICK_R2, а вот второй стопорится на STATE_MAIN_R1: sent MR1, expecting MI2

[Puggy]

чтобы не создавать аналогичных тем пишу сюда:

схема "узел - узел" :
 cisco внешний Ip статичесчкий  < -- > внешний IP динамический [ router dir-100 192.168.1.1 ] <-- [ xubuntu 192.168.1.195 ]
на роутере d-link пробросил 500 порт. Вообще мне интересно имеет ли смысл пробовать с динам. IP такие вещи, провайдер говорит что порты не закрывает.

/etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.

syslog:
INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
INFO: @(#)This product linked OpenSSL 0.9.8o 01 Jun 2010 (http://www.openssl.org/)
INFO: Reading configuration from "/etc/racoon/racoon.conf"
ERROR: failed to bind to address 46.146.91.142[500] (Cannot assign requested address).
racoon: ERROR: no address could be bound.

setkey имеются.

racoon не стартует соответственно порт некому слушать, как исправить?

[NanoGlist]

А в конфиге ракуна указано именно так 46.146.91.142[500] ?