[BSD] IPSec
Gabor Illo
stageline at gmail.com
Tue, 31 Aug 2010 12:50:55 CEST
Hi,
My problem is the following:
I have a machine on which I would like to run a VPN so that I can use the internet securely through it. I configured machine A according to this guide, http://www.techbabu.com/2009/10/ipsec-freebsd/, but when I try to start racoon I get this:
2010-08-31 12:44:01: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2010-08-31 12:44:01: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
2010-08-31 12:44:01: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2010-08-31 12:44:01: DEBUG: hmac(modp1024)
2010-08-31 12:44:01: DEBUG: hmac(modp1024)
2010-08-31 12:44:01: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2010-08-31 12:44:01: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
2010-08-31 12:44:01: DEBUG: getsainfo pass #2
2010-08-31 12:44:01: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2010-08-31 12:44:01: DEBUG: getsainfo params: loc='172.17.1.254', rmt='172.18.1.254', peer='NULL', id=0
2010-08-31 12:44:01: DEBUG: getsainfo pass #2
2010-08-31 12:44:01: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-08-31 12:44:01: ERROR: failed to bind to address 172.17.1.254[500] (Can't assign requested address).
2010-08-31 12:44:01: ERROR: no address could be bound.
And for the setkey -DP command:
10.0.0.0/24[any] 10.246.38.0/24[any] any
in ipsec
esp/tunnel/192.168.1.12-172.16.5.4/use
spid=2 seq=1 pid=5187
refcnt=1
10.246.38.0/24[any] 10.0.0.0/24[any] any
out ipsec
esp/tunnel/172.16.5.4-192.168.1.12/use
spid=1 seq=0 pid=5187
refcnt=1
Which is not right, because setkey.conf contains this:
flush;
spdflush;
spdadd 172.17.1.254/32 172.18.1.254/32 ipencap -P out ipsec
esp/tunnel/192.168.1.1-192.168.2.1/require;
spdadd 172.18.1.254/32 172.17.1.254/32 ipencap -P in ipsec
esp/tunnel/192.168.2.1-192.168.1.1/require;
Output of ifconfig gif0:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 172.17.1.254 --> 172.18.1.254
inet6 fe80::219:dbff:fe62:626a%gif0 prefixlen 64 scopeid 0x3
inet 192.168.1.1 --> 192.168.2.1 netmask 0xffffff00
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
options=1<ACCEPT_REV_ETHIP_VER>
Contents of racoon.conf:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug;
padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
listen
{
isakmp 172.17.1.254[500];
}
timer
{
counter 5;
interval 20 sec;
persend 1;
# natt_keepalive 15 sec;
phase1 30 sec;
phase2 15 sec;
}
remote anonymous
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier asn1dn;
certificate_type x509 "my.cert.pem" "my.key.pem";
nonce_size 16;
initial_contact on;
proposal_check obey; # obey, strict, or claim
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
remote 172.18.1.254[500]
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address 172.16.5.4;
peers_identifier address 192.168.1.12;
lifetime time 8 hour;
passive off;
proposal_check obey;
# nat_traversal off;
generate_policy off;
proposal {
encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method pre_shared_key;
lifetime time 30 sec;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 172.17.1.254 any address 172.18.1.254 any
{
pfs_group 1;
lifetime time 3600 sec;
encryption_algorithm blowfish;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
I have been trying to set up a VPN connection for several months, but I have not succeeded following any guide. Any ideas?
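The first ERROR line in the racoon log above, "failed to bind to address 172.17.1.254[500] (Can't assign requested address)", is the kernel refusing a bind() because no local interface carries that address; in the ifconfig gif0 output it appears only after the "tunnel" keyword, and naming an address as a gif outer endpoint does not assign it to the host. The sh script below is an added example, not part of the original post or of ipsec-tools: it cross-checks every "isakmp ADDR[PORT];" listen address in a racoon.conf against the inet addresses in ifconfig output, using two constructed sample files that reproduce the mismatch.

```shell
#!/bin/sh
# Added example (not from the original post): check that every address racoon
# is told to listen on is assigned to a local interface. racoon can only bind
# "isakmp X[500]" if X is configured; otherwise it logs "failed to bind".

# IPv4 addresses on "isakmp ADDR[PORT];" lines of the racoon.conf at $1.
listen_addrs() {
    sed -n 's/^[[:space:]]*isakmp[[:space:]]*\([0-9.]*\).*/\1/p' "$1"
}

# IPv4 addresses assigned to interfaces, from the ifconfig output at $1. A
# "tunnel inet A --> B" line (gif outer endpoint) deliberately does not match.
assigned_addrs() {
    sed -n 's/^[[:space:]]*inet[[:space:]]\([0-9.]*\).*/\1/p' "$1"
}
# Return 0 when every listen address is assigned; otherwise print each
# missing address on its own line and return 1.
check_listen_addrs() {
    conf=$1; ifc=$2; rc=0
    for a in $(listen_addrs "$conf"); do
        if ! assigned_addrs "$ifc" | grep -qx "$a"; then
            echo "not assigned locally: $a"
            rc=1
        fi
    done
    return $rc
}
# Constructed sample inputs reproducing the mismatch in the post: racoon
# listens on 172.17.1.254, which only appears as a gif0 tunnel endpoint.
SAMPLE_CONF=$(mktemp); SAMPLE_IFC=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
listen
{
        isakmp 172.17.1.254[500];
        isakmp 192.0.2.10[500];
}
EOF
cat > "$SAMPLE_IFC" <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet 172.17.1.254 --> 172.18.1.254
        inet 192.168.1.1 --> 192.168.2.1 netmask 0xffffff00
EOF
if check_listen_addrs "$SAMPLE_CONF" "$SAMPLE_IFC"; then
    echo "all listen addresses are assigned"
else
    echo "racoon would fail with 'Can't assign requested address'"
fi
```

To run it against a real host, save the output of ifconfig -a to a file and call check_listen_addrs with the real racoon.conf and that file instead of the samples.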