[BSD] ipsec problems between freebsd 6.1 and debian linux
lefty
lefty at tinycreatures.ro
Wed, 6 Sep 2006, 17:22:49 CEST
Hello.
The premises are as follows:
A.A.A.A: FreeBSD 6.1 gateway, serving the 192.168.150.0/24 internal network.
B.B.B.B: Debian Linux 3.1 with a 2.6.15 kernel from backports, serving the 192.168.100.0/24
(and 110.0/27 and 115.0/25) networks.
The following configuration files are from the FreeBSD box. One more thing: the
same ipsec setup works between two Debian boxes.
Here is racoon.conf:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug;
#local ipsec interface
listen {
isakmp A.A.A.A[FreeBSD Box IP] [500];
}
#remote ipsec-gw
remote B.B.B.B[Debian Box IP] {
exchange_mode main;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
#local net to remote net
sainfo address 192.168.150.0/24 any address 192.168.100.0/24 any {
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
#local net to remote ipsec-gw
sainfo address 192.168.150.0/24 any address B.B.B.B[Debian Box IP]/32 any {
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
#local ipsec-gw to remote net
sainfo address A.A.A.A[FreeBSD Box IP]/32 any address 192.168.100.0/24 any {
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
#local ipsec-gw to remote ipsec-gw
sainfo address A.A.A.A[FreeBSD Box IP]/32 any address B.B.B.B[Debian Box IP]/32 any {
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
#####
sainfo address 192.168.150.0/24 any address 192.168.110.0/27 any {
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address A.A.A.A[FreeBSD Box IP]/32 any address 192.168.110.0/27 any {
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 192.168.150.0/24 any address 192.168.115.0/25 any {
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address A.A.A.A[FreeBSD Box IP]/32 any address 192.168.115.0/25 any {
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
=========================================
/etc/ipsec.conf:
#!/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.100.0/24 192.168.150.0/24 any -P in ipsec
esp/tunnel/B.B.B.B[Debian Box IP]-A.A.A.A[FreeBSD Box IP]/require;
spdadd 192.168.100.0/24 A.A.A.A[FreeBSD Box IP]/32 any -P in ipsec
esp/tunnel/B.B.B.B[Debian Box IP]-A.A.A.A[FreeBSD Box IP]/require;
spdadd B.B.B.B[Debian Box IP]/32 192.168.150.0/24 any -P in ipsec
esp/tunnel/B.B.B.B[Debian Box IP]-A.A.A.A[FreeBSD Box IP]/require;
spdadd B.B.B.B[Debian Box IP]/32 A.A.A.A[FreeBSD Box IP]/32 any -P in ipsec
esp/tunnel/B.B.B.B[Debian Box IP]-A.A.A.A[FreeBSD Box IP]/require;
#
spdadd 192.168.110.0/27 192.168.150.0/24 any -P in ipsec
esp/tunnel/B.B.B.B[Debian Box IP]-A.A.A.A[FreeBSD Box IP]/require;
spdadd 192.168.110.0/27 A.A.A.A[FreeBSD Box IP]/32 any -P in ipsec
esp/tunnel/B.B.B.B[Debian Box IP]-A.A.A.A[FreeBSD Box IP]/require;
spdadd 192.168.115.0/25 192.168.150.0/24 any -P in ipsec
esp/tunnel/B.B.B.B[Debian Box IP]-A.A.A.A[FreeBSD Box IP]/require;
spdadd 192.168.115.0/25 A.A.A.A[FreeBSD Box IP]/32 any -P in ipsec
esp/tunnel/B.B.B.B[Debian Box IP]-A.A.A.A[FreeBSD Box IP]/require;
spdadd 192.168.150.0/24 192.168.100.0/24 any -P out ipsec
esp/tunnel/A.A.A.A[FreeBSD Box IP]-B.B.B.B[Debian Box IP]/require;
spdadd 192.168.150.0/24 B.B.B.B[Debian Box IP]/32 any -P out ipsec
esp/tunnel/A.A.A.A[FreeBSD Box IP]-B.B.B.B[Debian Box IP]/require;
spdadd A.A.A.A[FreeBSD Box IP]/32 192.168.100.0/24 any -P out ipsec
esp/tunnel/A.A.A.A[FreeBSD Box IP]-B.B.B.B[Debian Box IP]/require;
spdadd A.A.A.A[FreeBSD Box IP]/32 B.B.B.B[Debian Box IP]/32 any -P out ipsec
esp/tunnel/A.A.A.A[FreeBSD Box IP]-B.B.B.B[Debian Box IP]/require;
#
spdadd 192.168.150.0/24 192.168.110.0/27 any -P out ipsec
esp/tunnel/A.A.A.A[FreeBSD Box IP]-B.B.B.B[Debian Box IP]/require;
spdadd A.A.A.A[FreeBSD Box IP]/32 192.168.110.0/27 any -P out ipsec
esp/tunnel/A.A.A.A[FreeBSD Box IP]-B.B.B.B[Debian Box IP]/require;
spdadd 192.168.150.0/24 192.168.115.0/25 any -P out ipsec
esp/tunnel/A.A.A.A[FreeBSD Box IP]-B.B.B.B[Debian Box IP]/require;
spdadd A.A.A.A[FreeBSD Box IP]/32 192.168.115.0/25 any -P out ipsec
esp/tunnel/A.A.A.A[FreeBSD Box IP]-B.B.B.B[Debian Box IP]/require;
========================================
ifconfig gif0:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet A.A.A.A[FreeBSD Box IP] --> B.B.B.B[Debian Box IP]
inet6 fe80::202:55ff:fe74:6535%gif0 prefixlen 64 scopeid 0x5
inet 192.168.150.29 --> 192.168.100.11 netmask 0xffffffff
and netstat:
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
......
192.168.100.11 192.168.150.29 UH 0 0 gif0
......
==========================================
and here is the log:
Aug 6 17:06:12 turul racoon: DEBUG: db :0x80aa608: B.B.B.B[Debian Box
IP]/32[0] A.A.A.A[FreeBSD Box IP]/32[0] proto=any dir=in
Aug 6 17:06:12 turul racoon: DEBUG: suitable inbound SP found:
B.B.B.B[Debian Box IP]/32[0] A.A.A.A[FreeBSD Box IP]/32[0] proto=any
dir=in.
Aug 6 17:06:12 turul racoon: DEBUG: new acquire A.A.A.A[FreeBSD Box
IP]/32[0] B.B.B.B[Debian Box IP]/32[0] proto=any dir=out
Aug 6 17:06:12 turul racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000
spi_p=00000000 encmode=Tunnel reqid=0:0)
Aug 6 17:06:12 turul racoon: DEBUG: (trns_id=AES encklen=128
authtype=hmac-sha)
Aug 6 17:06:12 turul racoon: DEBUG: configuration found for
B.B.B.B[Debian Box IP].
Aug 6 17:06:12 turul racoon: INFO: IPsec-SA request for B.B.B.B[Debian
Box IP] queued due to no phase1 found.
Aug 6 17:06:12 turul racoon: DEBUG: ===
Aug 6 17:06:12 turul racoon: INFO: initiate new phase 1 negotiation:
A.A.A.A[FreeBSD Box IP][500]<=>B.B.B.B[Debian Box IP][500]
Aug 6 17:06:12 turul racoon: INFO: begin Identity Protection mode.
Aug 6 17:06:12 turul racoon: DEBUG: new cookie: baff6e0ccd524ba5
Aug 6 17:06:12 turul racoon: DEBUG: add payload of len 52, next type 13
Aug 6 17:06:12 turul racoon: DEBUG: add payload of len 16, next type 0
Aug 6 17:06:12 turul racoon: DEBUG: 104 bytes from A.A.A.A[FreeBSD Box
IP][500] to B.B.B.B[Debian Box IP][500]
Aug 6 17:06:12 turul racoon: DEBUG: sockname A.A.A.A[FreeBSD Box IP][500]
Aug 6 17:06:12 turul racoon: DEBUG: send packet from A.A.A.A[FreeBSD Box
IP][500]
Aug 6 17:06:12 turul racoon: DEBUG: send packet to B.B.B.B[Debian Box
IP][500]
Aug 6 17:06:12 turul racoon: DEBUG: 1 times of 104 bytes message will be
sent to B.B.B.B[Debian Box IP][500]
Aug 6 17:06:12 turul racoon: DEBUG: baff6e0c cd524ba5 00000000 00000000
01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 01010001
00000024 01010000 800b0001 800c7080 80010007 800e0080 80030001 80020002
80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Aug 6 17:06:12 turul racoon: DEBUG: resend phase1 packet
baff6e0ccd524ba5:0000000000000000
Aug 6 17:06:22 turul racoon: DEBUG: 104 bytes from A.A.A.A[FreeBSD Box
IP][500] to B.B.B.B[Debian Box IP][500]
Aug 6 17:06:22 turul racoon: DEBUG: sockname A.A.A.A[FreeBSD Box IP][500]
Aug 6 17:06:22 turul racoon: DEBUG: send packet from A.A.A.A[FreeBSD Box
IP][500]
Aug 6 17:06:22 turul racoon: DEBUG: send packet to B.B.B.B[Debian Box
IP][500]
Aug 6 17:06:22 turul racoon: DEBUG: 1 times of 104 bytes message will be
sent to B.B.B.B[Debian Box IP][500]
Aug 6 17:06:22 turul racoon: DEBUG: baff6e0c cd524ba5 00000000 00000000
01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 01010001
00000024 01010000 800b0001 800c7080 80010007 800e0080 80030001 80020002
80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Aug 6 17:06:22 turul racoon: DEBUG: resend phase1 packet
baff6e0ccd524ba5:0000000000000000
Aug 6 17:06:25 turul racoon: DEBUG: msg 1 not interesting
Aug 6 17:06:31 turul racoon: DEBUG: msg 1 not interesting
Aug 6 17:06:32 turul racoon: DEBUG: 104 bytes from A.A.A.A[FreeBSD Box
IP][500] to B.B.B.B[Debian Box IP][500]
Aug 6 17:06:32 turul racoon: DEBUG: sockname A.A.A.A[FreeBSD Box IP][500]
Aug 6 17:06:32 turul racoon: DEBUG: send packet from A.A.A.A[FreeBSD Box
IP][500]
Aug 6 17:06:32 turul racoon: DEBUG: send packet to B.B.B.B[Debian Box
IP][500]
Aug 6 17:06:32 turul racoon: DEBUG: 1 times of 104 bytes message will be
sent to B.B.B.B[Debian Box IP][500]
Aug 6 17:06:32 turul racoon: DEBUG: baff6e0c cd524ba5 00000000 00000000
01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 01010001
00000024 01010000 800b0001 800c7080 80010007 800e0080 80030001 80020002
80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Aug 6 17:06:32 turul racoon: DEBUG: resend phase1 packet
baff6e0ccd524ba5:0000000000000000
Aug 6 17:06:42 turul racoon: DEBUG: 104 bytes from A.A.A.A[FreeBSD Box
IP][500] to B.B.B.B[Debian Box IP][500]
Aug 6 17:06:42 turul racoon: DEBUG: sockname A.A.A.A[FreeBSD Box IP][500]
Aug 6 17:06:42 turul racoon: DEBUG: send packet from A.A.A.A[FreeBSD Box
IP][500]
Aug 6 17:06:42 turul racoon: DEBUG: send packet to B.B.B.B[Debian Box
IP][500]
Aug 6 17:06:42 turul racoon: DEBUG: 1 times of 104 bytes message will be
sent to B.B.B.B[Debian Box IP][500]
Aug 6 17:06:42 turul racoon: DEBUG: baff6e0c cd524ba5 00000000 00000000
01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 01010001
00000024 01010000 800b0001 800c7080 80010007 800e0080 80030001 80020002
80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Aug 6 17:06:42 turul racoon: DEBUG: resend phase1 packet
baff6e0ccd524ba5:0000000000000000
Aug 6 17:06:42 turul racoon: DEBUG: get pfkey ACQUIRE message
Aug 6 17:06:42 turul racoon: DEBUG: ignore the acquire because ph2 found
Aug 6 17:06:43 turul racoon: ERROR: phase2 negotiation failed due to time
up waiting for phase1. ESP B.B.B.B[Debian Box IP][0]->A.A.A.A[FreeBSD Box
IP][0]
Aug 6 17:06:43 turul racoon: INFO: delete phase 2 handler.
Aug 6 17:06:52 turul racoon: DEBUG: 104 bytes from A.A.A.A[FreeBSD Box
IP][500] to B.B.B.B[Debian Box IP][500]
Aug 6 17:06:52 turul racoon: DEBUG: sockname A.A.A.A[FreeBSD Box IP][500]
Aug 6 17:06:52 turul racoon: DEBUG: send packet from A.A.A.A[FreeBSD Box
IP][500]
Aug 6 17:06:52 turul racoon: DEBUG: send packet to B.B.B.B[Debian Box
IP][500]
Aug 6 17:06:52 turul racoon: DEBUG: 1 times of 104 bytes message will be
sent to B.B.B.B[Debian Box IP][500]
Aug 6 17:06:52 turul racoon: DEBUG: baff6e0c cd524ba5 00000000 00000000
01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 01010001
00000024 01010000 800b0001 800c7080 80010007 800e0080 80030001 80020002
80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Aug 6 17:06:52 turul racoon: DEBUG: resend phase1 packet
baff6e0ccd524ba5:0000000000000000
Aug 6 17:07:02 turul racoon: DEBUG: 104 bytes from A.A.A.A[FreeBSD Box
IP][500] to B.B.B.B[Debian Box IP][500]
Aug 6 17:07:02 turul racoon: DEBUG: sockname A.A.A.A[FreeBSD Box IP][500]
Aug 6 17:07:02 turul racoon: DEBUG: send packet from A.A.A.A[FreeBSD Box
IP][500]
Aug 6 17:07:02 turul racoon: DEBUG: send packet to B.B.B.B[Debian Box
IP][500]
Aug 6 17:07:02 turul racoon: DEBUG: 1 times of 104 bytes message will be
sent to B.B.B.B[Debian Box IP][500]
Aug 6 17:07:02 turul racoon: DEBUG: baff6e0c cd524ba5 00000000 00000000
01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 01010001
00000024 01010000 800b0001 800c7080 80010007 800e0080 80030001 80020002
80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Aug 6 17:07:02 turul racoon: DEBUG: resend phase1 packet
baff6e0ccd524ba5:0000000000000000
Aug 6 17:07:12 turul racoon: ERROR: phase1 negotiation failed due to time
up. baff6e0ccd524ba5:0000000000000000
===========================
Sorry for the long email.
Thanks in advance for the help.
-lefty
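A triage helper for a setup like the one above, added here as an example for this thread; it is not code from the original post or from the racoon or KAME projects. It relies only on the setkey syntax and the racoon log strings quoted in the message. The SPD text, the log lines and the gateway addresses 198.51.100.10 and 203.0.113.20 are constructed stand-ins for A.A.A.A and B.B.B.B. It does two things a practitioner wants before touching the peer: it checks that every spdadd policy has its mirror-image counterpart (direction, selectors and tunnel endpoints swapped), and it counts phase 1 retransmits per ISAKMP cookie pair and inspects the responder cookie in the time-up error, which distinguishes "the peer never answered" from "the peer answered but the proposal was rejected".

```python
"""IPsec triage helper (added example; not from the original post).

1. parse_spd / unmatched_policies: read `setkey -f` input (statements may wrap
   across lines, as they do in mail) and report policies with no mirror entry.
2. summarize_racoon_log: count `resend phase1 packet` lines per cookie pair and
   classify the phase 1 outcome from the `negotiation failed due to time up`
   errors. An all-zero responder cookie at time-up means no phase 1 reply from
   the peer was ever accepted.
"""
import re
from collections import Counter

# --- setkey SPD policies -----------------------------------------------------

SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+esp/tunnel/(?P<tsrc>[^-\s]+)-(?P<tdst>[^/\s]+)/(?P<level>\w+)\s*;"
)

def parse_spd(text):
    """Return one dict per spdadd statement; comment lines are dropped and the
    remaining lines joined, so wrapped statements are still matched."""
    body = " ".join(l.strip() for l in text.splitlines()
                    if l.strip() and not l.lstrip().startswith("#"))
    return [m.groupdict() for m in SPDADD_RE.finditer(body)]

def _norm(addr):
    """A bare host address and its /32 form select the same traffic."""
    return addr if "/" in addr else addr + "/32"

def unmatched_policies(policies):
    """Policies whose mirror (in<->out, src/dst and tunnel ends swapped) is
    missing. One-way policies leave racoon with acquires that never complete."""
    keys = {(p["dir"], _norm(p["src"]), _norm(p["dst"]), p["tsrc"], p["tdst"])
            for p in policies}
    missing = []
    for p in policies:
        mirror = ("out" if p["dir"] == "in" else "in",
                  _norm(p["dst"]), _norm(p["src"]), p["tdst"], p["tsrc"])
        if mirror not in keys:
            missing.append(p)
    return missing

# --- racoon log ------------------------------------------------------------

RESEND_RE = re.compile(r"racoon: DEBUG: resend phase1 packet (\S+)")
P1_FAIL_RE = re.compile(r"racoon: ERROR: phase1 negotiation failed due to time up\. (\S+)")
P2_FAIL_RE = re.compile(r"racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1")

def _verdict(cookie, resends, failed):
    rcookie = cookie.split(":")[1] if ":" in cookie else ""
    if cookie in failed and rcookie and set(rcookie) == {"0"}:
        return (f"phase 1 timed out after {resends} retransmits and the responder "
                "cookie is still zero: no reply from the peer was ever accepted "
                "(check reachability and UDP/500 filtering on both ends first)")
    if cookie in failed:
        return f"phase 1 timed out after {resends} retransmits although the peer replied"
    return f"{resends} retransmits so far, negotiation still in progress"

def summarize_racoon_log(lines):
    """Per-cookie retransmit counts, time-out sets and a plain-English verdict."""
    resends, p1_failed, p2_failed = Counter(), set(), 0
    for line in lines:
        m = RESEND_RE.search(line)
        if m:
            resends[m.group(1)] += 1
            continue
        m = P1_FAIL_RE.search(line)
        if m:
            p1_failed.add(m.group(1))
            continue
        if P2_FAIL_RE.search(line):
            p2_failed += 1
    verdict = {c: _verdict(c, n, p1_failed) for c, n in resends.items()}
    return {"resends": dict(resends), "phase1_failed": p1_failed,
            "phase2_failed": p2_failed, "verdict": verdict}

# --- constructed sample input (stand-ins for the addresses in the thread) ----

SAMPLE_SPD = """#!/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.100.0/24 192.168.150.0/24 any -P in ipsec
esp/tunnel/203.0.113.20-198.51.100.10/require;
spdadd 192.168.150.0/24 192.168.100.0/24 any -P out ipsec
esp/tunnel/198.51.100.10-203.0.113.20/require;
spdadd 203.0.113.20/32 198.51.100.10/32 any -P in ipsec esp/tunnel/203.0.113.20-198.51.100.10/require;
spdadd 192.168.150.0/24 192.168.110.0/27 any -P out ipsec
esp/tunnel/198.51.100.10-203.0.113.20/require;
"""

SAMPLE_LOG = """Aug  6 17:06:12 turul racoon: INFO: initiate new phase 1 negotiation: 198.51.100.10[500]<=>203.0.113.20[500]
Aug  6 17:06:12 turul racoon: DEBUG: resend phase1 packet baff6e0ccd524ba5:0000000000000000
Aug  6 17:06:22 turul racoon: DEBUG: resend phase1 packet baff6e0ccd524ba5:0000000000000000
Aug  6 17:06:32 turul racoon: DEBUG: resend phase1 packet baff6e0ccd524ba5:0000000000000000
Aug  6 17:06:43 turul racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.20[0]->198.51.100.10[0]
Aug  6 17:07:12 turul racoon: ERROR: phase1 negotiation failed due to time up. baff6e0ccd524ba5:0000000000000000
""".splitlines()

if __name__ == "__main__":
    for p in unmatched_policies(parse_spd(SAMPLE_SPD)):
        print(f"no mirror for: -P {p['dir']} {p['src']} -> {p['dst']}")
    for cookie, text in summarize_racoon_log(SAMPLE_LOG)["verdict"].items():
        print(f"{cookie}: {text}")
```

Run it against the real files with `parse_spd(open('/etc/ipsec.conf').read())` and the racoon lines from syslog; a non-empty unmatched list points at the policy to fix, while a zero responder cookie at time-up says the IKE exchange never got past message 1, so the next place to look is packet filtering and the peer's own log rather than the proposals.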