Hi all!
(192.168.0.0) LINUX ---- internet ---- DI-804HV (192.168.1.0)
Firmware Version: V1.51, Fri, Jun 27 2008, with 3DES support.
Help me get a handle on racoon and set up IPsec between the DI-804HV and Ubuntu,
so that clients on the 0.0 network can reach the 1.0 network and vice versa.
While connecting and testing, iptables is all ACCEPT (the default).
DI-804HV log:
Monday December 17, 2012 21:02:59 IKED re-TX : INIT to 95.XX.28.XXX
Monday December 17, 2012 21:03:04 IKED re-TX : INIT to 95.XX.28.XXX
Monday December 17, 2012 21:03:14 IKED re-TX : INIT to 95.XX.28.XXX
Monday December 17, 2012 21:03:14 Receive IKE M2(RESP) : 95.XX.28.XXX --> 95.XX.52.XXX
Monday December 17, 2012 21:03:14 Try to match with ENC:3DES AUTH:PSK HASH:SHA1 Group:Group2
Monday December 17, 2012 21:03:14 Send IKE M3(KEYINIT) : 95.XX.52.XXX --> 95.XX.28.XXX
Monday December 17, 2012 21:03:14 Receive IKE M4(KEYRESP) : 95.XX.28.XXX --> 95.XX.52.XXX
Monday December 17, 2012 21:03:14 Send IKE M5(IDINIT) : 95.XX.52.XXX --> 95.XX.28.XXX
Monday December 17, 2012 21:03:14 Receive IKE M6(IDRESP) : 95.XX.28.XXX --> 95.XX.52.XXX
Monday December 17, 2012 21:03:14 IKE Phase1 (ISAKMP SA) established : 95.XX.28.XXX <-> 95.XX.52.XXX
Monday December 17, 2012 21:03:15 Send IKE Q1(QINIT) : 192.168.1.0 --> 192.168.0.0
Monday December 17, 2012 21:03:15 Receive IKE INFO : 95.XX.28.XXX --> 95.XX.52.XXX
Monday December 17, 2012 21:03:19 IKED re-TX : QINIT to 95.XX.28.XXX
Monday December 17, 2012 21:03:24 IKED re-TX : QINIT to 95.XX.28.XXX
Monday December 17, 2012 21:03:34 IKED re-TX : QINIT to 95.XX.28.XXX
ifconfig:
eth0 Link encap:Ethernet HWaddr 00:01:02:0a:1b:46
inet6 addr: fe80::201:2ff:fe0a:1b46/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5865635 errors:0 dropped:0 overruns:0 frame:0
TX packets:12408003 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2346522829 (2.3 GB) TX bytes:2880478602 (2.8 GB)
Interrupt:16 Base address:0x4c00
eth1 Link encap:Ethernet HWaddr 00:c0:26:2c:00:a7
inet addr:192.168.25.200 Bcast:192.168.25.255 Mask:255.255.255.0
inet6 addr: fe80::2c0:26ff:fe2c:a7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27434 errors:0 dropped:0 overruns:0 frame:0
TX packets:29617 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4539962 (4.5 MB) TX bytes:5685115 (5.6 MB)
Interrupt:17 Base address:0xe800
eth2 Link encap:Ethernet HWaddr 00:23:54:39:b7:30
inet addr:192.168.0.252 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::223:54ff:fe39:b730/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11936497 errors:2 dropped:0 overruns:0 frame:1
TX packets:5598732 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2164131987 (2.1 GB) TX bytes:1601620236 (1.6 GB)
Memory:fe940000-fe960000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:116486 errors:0 dropped:0 overruns:0 frame:0
TX packets:116486 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:35782384 (35.7 MB) TX bytes:35782384 (35.7 MB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:95.XX.28.XXX P-t-P:91.XX.184.XX Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:5820556 errors:0 dropped:0 overruns:0 frame:0
TX packets:12403878 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:2215746606 (2.2 GB) TX bytes:2607380216 (2.6 GB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.40.1 P-t-P:10.10.40.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1338999 errors:0 dropped:0 overruns:0 frame:0
TX packets:1691442 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:98784177 (98.7 MB) TX bytes:390432552 (390.4 MB)
racoon.conf:
path pre_shared_key "/etc/racoon/psk.txt";
listen {
isakmp 95.XX.28.XXX [500];
strict_address;
}
remote 95.XX.52.XXX
{
exchange_mode main;
lifetime time 28800 sec;
generate_policy off;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
proposal_check strict;
}
sainfo address 192.168.0.0/24 any address 192.168.1.0/24 any
{
pfs_group 2;
lifetime time 28800 sec;
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
psk.txt:
95.XX.52.XXX password
/etc/ipsec-tools.conf:
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/95.XX.52.XXX-95.XX.28.XXX/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/95.XX.28.XXX-95.XX.52.XXX/require;
sudo racoon -F
Foreground mode.
2012-12-17 20:40:36: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
2012-12-17 20:40:36: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
2012-12-17 20:40:36: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2012-12-17 20:40:36: INFO: Resize address pool from 0 to 255
2012-12-17 20:40:36: INFO: 95.XX.28.XXX[500] used as isakmp port (fd=6)
2012-12-17 20:40:36: INFO: 95.XX.28.XXX[500] used for NAT-T
2012-12-17 20:40:53: INFO: respond new phase 1 negotiation: 95.XX.28.XXX[500]<=>95.XX.52.XXX[500]
2012-12-17 20:40:53: INFO: begin Identity Protection mode.
2012-12-17 20:40:53: WARNING: SPI size isn't zero, but IKE proposal.
2012-12-17 20:40:53: INFO: ISAKMP-SA established 95.XX.28.XXX[500]-95.XX.52.XXX[500] spi:b47cc6f3b46c3bdc:a6ac75c36bd3854a
2012-12-17 20:40:53: INFO: respond new phase 2 negotiation: 95.XX.28.XXX[500]<=>95.XX.52.XXX[500]
2012-12-17 20:40:53: ERROR: no policy found: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
2012-12-17 20:40:53: ERROR: failed to get proposal for responder.
2012-12-17 20:40:53: ERROR: failed to pre-process packet.
What do I need for diagnostics? What should I post?
And if I set Aggressive Mode on the DI-804HV, then after
sudo racoon -F
2012-12-17 20:49:49: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
2012-12-17 20:49:49: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
2012-12-17 20:49:49: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2012-12-17 20:49:49: INFO: Resize address pool from 0 to 255
2012-12-17 20:49:49: INFO: 95.XX.28.XXX[500] used as isakmp port (fd=6)
2012-12-17 20:49:49: INFO: 95.XX.28.XXX[500] used for NAT-T
2012-12-17 20:49:56: ERROR: not acceptable Aggressive mode
2012-12-17 20:50:06: ERROR: not acceptable Aggressive mode
So it looks like they are trying to connect....
It wasn't working because of
generate_policy off;
The tunnel came up, but there are errors:
2012-12-17 22:57:47: WARNING: SPI size isn't zero, but IKE proposal.
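An added example, not code from this thread, from D-Link or from ipsec-tools: a small Python helper that builds the three setkey policies a net-to-net tunnel needs on Linux (out, plus in and fwd for the return direction; the posted ipsec-tools.conf declares only in and out), maps the selectors in racoon's policy errors ("no policy found" / "such policy does not already exist") back to spdadd lines, and reports which out policy a given source/destination pair would hit. Two checks a practitioner wants here: if racoon reports a selector that the file does declare, the file is not in the kernel SPD (`setkey -DP` prints what is actually loaded); and a packet sourced from the gateway's own public address matches no selector, which is a common reason (an assumption, not something the thread confirms) for a tunnel that passes pings from the far side but not from the Linux box itself. The public addresses are RFC 5737 stand-ins for the masked 95.XX.* ones, and the log lines are constructed from the errors quoted in the thread.

```python
import ipaddress
import re

# Constructed stand-ins (RFC 5737 ranges) for the thread's masked public addresses.
LINUX_GW = "198.51.100.28"   # stands in for 95.XX.28.XXX, the Ubuntu box's ppp0 address
DLINK_GW = "203.0.113.52"    # stands in for 95.XX.52.XXX, the DI-804HV WAN address
LINUX_LAN = "192.168.0.0/24"
DLINK_LAN = "192.168.1.0/24"

SPDADD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out|fwd)\s")
# Both racoon error variants print the selector as: SRC[port] DST[port] proto=... dir=...
RACOON_RE = re.compile(
    r'(?:no policy found|such policy does not already exist): "?'
    r"(\S+?)(?:\[\d+\])?\s+(\S+?)(?:\[\d+\])?\s+proto=\S+\s+dir=(in|out|fwd)"
)


def build_spd(local_lan, remote_lan, local_gw, remote_gw):
    """ipsec-tools.conf text for a net-to-net ESP tunnel.

    Forwarded traffic on Linux needs three policies: 'out' for LAN -> remote LAN,
    'in' and 'fwd' for remote LAN -> LAN.  The thread's file declares only in/out,
    which is why racoon later asked for a dir=fwd policy that did not exist."""
    lines = ["flush;", "spdflush;",
             f"spdadd {local_lan} {remote_lan} any -P out ipsec "
             f"esp/tunnel/{local_gw}-{remote_gw}/require;"]
    for direction in ("in", "fwd"):
        lines.append(f"spdadd {remote_lan} {local_lan} any -P {direction} ipsec "
                     f"esp/tunnel/{remote_gw}-{local_gw}/require;")
    return "\n".join(lines) + "\n"


def declared_policies(spd_text):
    """Set of (src, dst, direction) selectors declared by spdadd lines."""
    return {m.groups() for m in SPDADD_RE.finditer(spd_text)}


def missing_policies(spd_text, racoon_log):
    """Selectors racoon complained about that no spdadd line in the file declares.

    A selector racoon reports but the file *does* declare is not a file bug: the
    file was never loaded into the kernel SPD (compare with `setkey -DP`)."""
    wanted = {m.groups() for m in RACOON_RE.finditer(racoon_log)}
    return wanted - declared_policies(spd_text)


def out_policy_for(spd_text, src_ip, dst_ip):
    """The 'out' selector a packet src -> dst would hit, or None if it leaves unprotected."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s, d, direction in declared_policies(spd_text):
        if (direction == "out" and src in ipaddress.ip_network(s)
                and dst in ipaddress.ip_network(d)):
            return (s, d)
    return None


# The thread's ipsec-tools.conf with stand-in gateway addresses (constructed copy).
THREAD_SPD = f"""flush;
spdflush;
spdadd {DLINK_LAN} {LINUX_LAN} any -P in ipsec esp/tunnel/{DLINK_GW}-{LINUX_GW}/require;
spdadd {LINUX_LAN} {DLINK_LAN} any -P out ipsec esp/tunnel/{LINUX_GW}-{DLINK_GW}/require;
"""

# racoon errors as quoted in the thread (constructed copy, timestamps kept).
THREAD_LOG = """\
2012-12-17 20:40:53: ERROR: no policy found: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
2012-12-17 22:57:48: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in"
2012-12-17 22:57:48: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=fwd"
2012-12-17 22:57:48: ERROR: such policy does not already exist: "192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
"""

if __name__ == "__main__":
    print("missing from the posted file:", missing_policies(THREAD_SPD, THREAD_LOG))
    fixed = build_spd(LINUX_LAN, DLINK_LAN, LINUX_GW, DLINK_GW)
    print("missing from the generated file:", missing_policies(fixed, THREAD_LOG))
    print(fixed)
    # A ping issued on the gateway itself normally carries the ppp0 address as its
    # source (assumption about the usual route selection, not confirmed by the thread).
    print("LAN host -> remote LAN:", out_policy_for(THREAD_SPD, "192.168.0.252", "192.168.1.1"))
    print("gateway ppp0 -> remote LAN:", out_policy_for(THREAD_SPD, LINUX_GW, "192.168.1.1"))
```

Load the generated file with `setkey -f` before starting racoon, then confirm with `setkey -DP` that all three policies are present; to test from the gateway itself, pin the source to the LAN address (`ping -I 192.168.0.252 <host in 192.168.1.0/24>`) so the packet matches the out selector.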
2012-12-17 22:57:48: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in"
2012-12-17 22:57:48: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=fwd"
2012-12-17 22:57:48: ERROR: such policy does not already exist: "192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out"
Pings from the DI-804HV side into 0.0 go through, but from the Linux gateway side into 1.0 they don't!
sudo setkey -D
95.XX.28.XXX 95.XX.52.XXX
esp mode=tunnel spi=1476543092(0x58024274) reqid=0(0x00000000)
E: 3des-cbc 1026dee8 0df73e83 849a763c ee1b221c c2cef481 4a6c4934
A: hmac-md5 a57f356e a9cff753 c9152ab8 29b301b2
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Dec 17 23:11:04 2012 current: Dec 17 23:16:49 2012
diff: 345(s) hard: 28800(s) soft: 23040(s)
last: Dec 17 23:11:12 2012 hard: 0(s) soft: 0(s)
current: 1820(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 24 hard: 0 soft: 0
sadb_seq=1 pid=24871 refcnt=0
95.XX.52.XXX 95.XX.28.XXX
esp mode=tunnel spi=11352655(0x00ad3a4f) reqid=0(0x00000000)
E: 3des-cbc 007d581f ff72a9dd 228053b4 b6cbc2a8 74443402 c4bfd87b
A: hmac-md5 99c5e0db 40462847 f96d34ad f616a8f9
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Dec 17 23:11:04 2012 current: Dec 17 23:16:49 2012
diff: 345(s) hard: 28800(s) soft: 23040(s)
last: Dec 17 23:11:12 2012 hard: 0(s) soft: 0(s)
current: 1820(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 24 hard: 0 soft: 0
sadb_seq=0 pid=24871 refcnt=0
racoon.conf:
remote 95.XX.52.XXX
{
exchange_mode main,base;
lifetime time 86400 sec;
generate_policy on;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
proposal_check strict;
}
sainfo address 192.168.0.0/24 any address 192.168.1.0/24 any
{
pfs_group 2;
lifetime time 28800 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
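An added example, not code from this thread or from ipsec-tools: a Python checker that reads racoon.conf fragments like the ones posted above and compares the remote{} proposal with the DI-804HV's "Try to match with ENC:3DES AUTH:PSK HASH:SHA1 Group:Group2" line, compares the sainfo{} lists with the E:/A: algorithms of the SA that `setkey -D` prints, and flags the legacy choices (3DES, HMAC-MD5, DH/PFS group 2) this 2008 firmware constrains the setup to. racoon accepts a phase-2 transform only if its algorithms appear in sainfo{}, so the first config's hmac_sha1 against an SA that runs hmac-md5 is exactly what the checker reports, and the second config (hmac_md5) passes. The peer address is an RFC 5737 stand-in for the masked one, and the sample inputs are constructed from the thread with the SA keys truncated.

```python
import re

# racoon.conf spelling of phase-2 algorithms -> the spelling setkey -D prints for the SA
ENC_NAMES = {"3des": "3des-cbc", "aes": "aes-cbc", "blowfish": "blowfish-cbc", "des": "des-cbc"}
AUTH_NAMES = {"hmac_md5": "hmac-md5", "hmac_sha1": "hmac-sha1", "hmac_sha256": "hmac-sha256"}
PHASE1_AUTH = {"pre_shared_key": "psk", "rsasig": "rsasig"}
# Choices worth flagging today; the DI-804HV's 2008 firmware offers nothing stronger than 3DES.
LEGACY_SETTINGS = ("3des", "des", "hmac_md5", "md5",
                   "dh_group 1", "dh_group 2", "pfs_group 1", "pfs_group 2")


def _block(conf, keyword):
    """Body of the first `keyword ... { ... }` section up to its first closing brace.

    For remote{} that stops at the end of the nested proposal{}, which is exactly
    the part holding the phase-1 algorithms."""
    return re.search(rf"\b{keyword}\b[^{{]*\{{(.*?)\}}", conf, re.S).group(1)


def _values(block, key):
    """Comma-separated values of `key ...;` inside a block, or [] if absent."""
    m = re.search(rf"\b{key}\s+([^;]+);", block)
    return [v.strip() for v in m.group(1).split(",")] if m else []


def check_phase1(conf, dlink_log_line):
    """Names of the phase-1 parameters the DI-804HV tried that remote{} does not offer."""
    remote = _block(conf, "remote")
    m = re.search(r"ENC:(\w+) AUTH:(\w+) HASH:(\w+) Group:Group(\d+)", dlink_log_line)
    peer = {"enc": m[1].lower(), "auth": m[2].lower(), "hash": m[3].lower(), "dh": m[4]}
    mine = {
        "enc": _values(remote, "encryption_algorithm"),
        "auth": [PHASE1_AUTH.get(a, a) for a in _values(remote, "authentication_method")],
        "hash": _values(remote, "hash_algorithm"),
        "dh": _values(remote, "dh_group"),
    }
    return sorted(k for k, v in peer.items() if v not in mine[k])


def check_phase2(conf, setkey_output):
    """(setting, algorithm) pairs where the live SA uses something sainfo{} does not list."""
    sainfo = _block(conf, "sainfo")
    allowed_enc = {ENC_NAMES.get(a, a) for a in _values(sainfo, "encryption_algorithm")}
    allowed_auth = {AUTH_NAMES.get(a, a) for a in _values(sainfo, "authentication_algorithm")}
    problems = set()
    for enc in re.findall(r"^\s*E:\s+(\S+)", setkey_output, re.M):
        if enc not in allowed_enc:
            problems.add(("encryption_algorithm", enc))
    for auth in re.findall(r"^\s*A:\s+(\S+)", setkey_output, re.M):
        if auth not in allowed_auth:
            problems.add(("authentication_algorithm", auth))
    return sorted(problems)


def legacy_settings(conf):
    """Legacy algorithm choices still present in the config, in LEGACY_SETTINGS order."""
    text = re.sub(r"\s+", " ", conf)
    return [s for s in LEGACY_SETTINGS
            if re.search(rf"(?<![\w-]){re.escape(s)}(?![\w-])", text)]


# The thread's first racoon.conf (sainfo with hmac_sha1); peer address is a stand-in.
CONF_FIRST = """\
remote 203.0.113.52
{
exchange_mode main;
lifetime time 28800 sec;
generate_policy off;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
proposal_check strict;
}
sainfo address 192.168.0.0/24 any address 192.168.1.0/24 any
{
pfs_group 2;
lifetime time 28800 sec;
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
"""
# The later sainfo{} (hmac_md5, 3des only), as in the second racoon.conf of the thread.
CONF_FIXED = CONF_FIRST.replace("hmac_sha1", "hmac_md5").replace("aes,3des", "3des")

DLINK_LINE = ("Monday December 17, 2012 21:03:14 Try to match with "
              "ENC:3DES AUTH:PSK HASH:SHA1 Group:Group2")

# Constructed from the thread's `setkey -D` output, SA keys truncated.
SETKEY_D = """\
esp mode=tunnel spi=1476543092(0x58024274) reqid=0(0x00000000)
E: 3des-cbc 1026dee8 ...
A: hmac-md5 a57f356e ...
"""

if __name__ == "__main__":
    print("phase 1 mismatches:", check_phase1(CONF_FIRST, DLINK_LINE))
    print("phase 2 mismatches, first conf:", check_phase2(CONF_FIRST, SETKEY_D))
    print("phase 2 mismatches, fixed conf:", check_phase2(CONF_FIXED, SETKEY_D))
    print("legacy settings still in use:", legacy_settings(CONF_FIXED))
```

The checker only reads the two blocks racoon negotiates from; lifetime and PFS agreement (what proposal_check strict actually governs) are visible in the `hard:` column of `setkey -D` and in the DI-804HV's own Phase 2 settings, and have to be compared by hand.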
The user decided to continue the thought on 18 December 2012, 00:35:41:
Restarted the server.... tried to bring the tunnel up... and a bust.... it didn't work
ERROR: can't start the quick mode, there is no ISAKMP-SA, 2e571adb8ee088f2:edfe05ec2e864030:000010a9