[BSD] vpn
Illó Gábor
igabor at stageline.hu
Sat, 29 May 2010, 22:14:48 CEST
Hi all,
Unfortunately I can't get my VPN network to come to life, please help me.
I set everything up following the handbook
(http://www.freebsd.org/doc/hu/books/handbook/ipsec.html). I'm pasting every
config in here, maybe that makes my problem easier to see.
kernel:
options IPSEC
device crypto
ee /etc/rc.conf
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
ee /etc/pf.conf
#vpn
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick on gif0 from any to any
ee /usr/local/etc/racoon/setkey.conf
flush;
spdflush;
spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/195.228.156.104-192.168.1.12/use;
spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-195.228.156.104/use;
setkey -c
flush;
spdflush;
spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/195.228.156.104-192.168.1.12/use;
spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-195.228.156.104/use;
ctrl+d
ee /usr/local/etc/racoon/racoon.conf
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
# "path" affects "include" directives. "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
path include "@sysconfdir_x@/racoon";
#include "remote.conf";
# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "@sysconfdir_x@/cert";
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
log debug;
# "padding" defines some padding parameters. You should not touch these.
padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}
# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
    isakmp 195.228.156.104 [500];
    #isakmp ::1 [7000];
    #isakmp 202.249.11.124 [500];
    #admin [7002];          # administrative port for racoonctl.
    #strict_address;        # requires that all addresses must be bound.
}
# Specify various default timers.
timer
{
    # These value can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per send.
    # maximum time to wait for completing each phase.
    phase1 30 sec;
    phase2 15 sec;
}
remote 192.168.1.12 [500]
{
    exchange_mode main,aggressive;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address 195.228.156.104;
    peers_identifier address 192.168.1.12;
    lifetime time 8 hour;
    passive off;
    proposal_check obey;    # obey, strict, or claim
    generate_policy off;
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        lifetime time 30 sec;
        dh_group 1;
    }
}
sainfo address 10.246.38.0/24 any address 10.0.0.0/24 any
{
    pfs_group 1;
    lifetime time 36000 sec;
    encryption_algorithm blowfish,3des,des;
    authentication_algorithm hmac_md5,hmac_sha1;
    compression_algorithm deflate;
}
ee /usr/local/etc/racoon/psk.txt
igabor...stageline.hu *******password
192.168.0.12 ********password
tcpdump -i em0 host 195.228.156.104 and dst 192.168.0.12
It does nothing.
sockstat -4 | grep racoon
root racoon 87792 6 udp4 195.228.156.104:500 *:*
cat /var/log/debug.log
May 29 16:09:45 ns1 racoon: DEBUG: pk_recv: retry[0] recv()
May 29 16:09:45 ns1 racoon: DEBUG: get pfkey FLUSH message
May 29 16:09:46 ns1 racoon: DEBUG: call pfkey_send_dump
May 29 16:09:46 ns1 racoon: DEBUG: pk_recv: retry[0] recv()
May 29 16:09:47 ns1 racoon: DEBUG: hmac(modp768)
May 29 16:09:47 ns1 racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
May 29 16:09:47 ns1 racoon: DEBUG: getsainfo params: loc='10.246.38.0/24', rmt='10.0.0.0/24', peer='NULL', id=0
May 29 16:09:47 ns1 racoon: DEBUG: getsainfo pass #2
May 29 16:09:47 ns1 racoon: DEBUG: pk_recv: retry[0] recv()
May 29 16:09:47 ns1 racoon: DEBUG: get pfkey X_SPDDUMP message
May 29 16:09:47 ns1 racoon: DEBUG: pk_recv: retry[0] recv()
May 29 16:09:47 ns1 racoon: DEBUG: get pfkey X_SPDDUMP message
May 29 16:09:47 ns1 racoon: DEBUG: sub:0x7fffffffe440: 10.246.38.0/24[0] 10.0.0.0/24[0] proto=any dir=out
May 29 16:09:47 ns1 racoon: DEBUG: db :0x80103d150: 10.0.0.0/24[0] 10.246.38.0/24[0] proto=any dir=in
May 29 16:23:20 ns1 racoon: DEBUG: caught rtm:14, need update interface address list
May 29 16:30:11 ns1 racoon: DEBUG: caught rtm:14, need update interface address list
May 29 16:32:53 ns1 racoon: DEBUG: pk_recv: retry[0] recv()
May 29 16:32:53 ns1 racoon: DEBUG: get pfkey FLUSH message
May 29 16:32:54 ns1 racoon: DEBUG: call pfkey_send_dump
May 29 16:32:54 ns1 racoon: DEBUG: pk_recv: retry[0] recv()
May 29 16:32:55 ns1 racoon: DEBUG: hmac(modp768)
May 29 16:32:55 ns1 racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
May 29 16:32:55 ns1 racoon: DEBUG: getsainfo params: loc='10.246.38.0/24', rmt='10.0.0.0/24', peer='NULL', id=0
May 29 16:32:55 ns1 racoon: DEBUG: getsainfo pass #2
May 29 16:32:55 ns1 racoon: DEBUG: pk_recv: retry[0] recv()
May 29 16:32:55 ns1 racoon: DEBUG: get pfkey X_SPDDUMP message
May 29 16:32:55 ns1 racoon: DEBUG: pk_recv: retry[0] recv()
May 29 16:32:55 ns1 racoon: DEBUG: get pfkey X_SPDDUMP message
May 29 16:32:55 ns1 racoon: DEBUG: sub:0x7fffffffe440: 10.246.38.0/24[0] 10.0.0.0/24[0] proto=any dir=out
May 29 16:32:55 ns1 racoon: DEBUG: db :0x80103d150: 10.0.0.0/24[0] 10.246.38.0/24[0] proto=any dir=in
Unfortunately there is no other interesting log.
The VPN connection apparently gets past authentication, but it doesn't
want to connect, though I'd very much like this to work.
Thanks guys.
--
Best Regards
Gábor Illó
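For racoon to even begin a phase 1 exchange, the three files quoted above have to agree on the endpoints: the address in the `remote` block of racoon.conf, the tunnel endpoints in setkey.conf, and the identifier that carries the key in psk.txt. In the post as quoted, psk.txt lists 192.168.0.12 while the `remote` block and both tunnel policies use 192.168.1.12, and the `path pre_shared_key` directive still reads "@sysconfdir_x@/racoon/psk.txt". The POSIX sh script below is an added example, not from the original post or from the racoon/ipsec-tools project; it reads those three files and reports such disagreements. The function names are my own, the file contents built by `write_sample` are constructed from the values quoted in the post (with a placeholder secret), and the psk.txt check assumes main-mode pre-shared-key authentication, where the key is looked up by the peer's address.

```shell
#!/bin/sh
# Added example (not from the post or from ipsec-tools): cross-check
# racoon.conf, setkey.conf and psk.txt for endpoint disagreements.
# Sample inputs in write_sample are constructed from the values in the post.

# Peer addresses from "remote <addr> [port]" blocks in racoon.conf.
racoon_remotes() {
    awk '$1 == "remote" && $2 != "anonymous" { print $2 }' "$1"
}
# Address from the "isakmp <addr> [port];" line of the listen block.
racoon_listen() {
    awk '$1 == "isakmp" { print $2 }' "$1"
}
# Local identity from "my_identifier address <addr>;".
racoon_my_id() {
    awk '$1 == "my_identifier" && $2 == "address" { sub(/;$/, "", $3); print $3 }' "$1"
}
# "path" directives whose value still carries a build-time @placeholder@.
racoon_unexpanded_paths() {
    awk '$1 == "path" && $0 ~ /@[A-Za-z_]+@/ { print $2 }' "$1"
}
# Tunnel endpoints from "esp/tunnel/<src>-<dst>/<level>" in setkey.conf,
# printed as one "src dst" pair per policy line.
setkey_tunnels() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^esp\/tunnel\//) {
               split($i, p, "/"); split(p[3], e, "-"); print e[1], e[2] } }' "$1"
}
# Identifiers that have a key in psk.txt (first field of non-comment lines).
psk_ids() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1 }' "$1"
}

# check_config RACOON_CONF SETKEY_CONF PSK_TXT
# Prints each inconsistency found and returns 1 if there was any, else 0.
# Assumes main-mode PSK auth: the psk.txt identifier must be the peer address.
check_config() {
    rc=0
    listen=$(racoon_listen "$1")
    myid=$(racoon_my_id "$1")
    if [ -n "$myid" ] && [ "$listen" != "$myid" ]; then
        echo "listen address '$listen' differs from my_identifier '$myid'"; rc=1
    fi
    for path in $(racoon_unexpanded_paths "$1"); do
        echo "path $path still contains an unexpanded @...@ placeholder"; rc=1
    done
    for peer in $(racoon_remotes "$1"); do
        psk_ids "$3" | awk -v p="$peer" '$1 == p { f = 1 } END { exit !f }' \
            || { echo "no psk.txt entry for remote $peer"; rc=1; }
        setkey_tunnels "$2" | awk -v p="$peer" '$1 == p || $2 == p { f = 1 } END { exit !f }' \
            || { echo "remote $peer is not a tunnel endpoint in setkey.conf"; rc=1; }
    done
    return $rc
}

# write_sample DIR PSK_ADDR PSK_PATH: constructed sample files under DIR.
# PSK_ADDR goes into psk.txt and PSK_PATH into the pre_shared_key path
# directive, so the as-posted and the corrected variant can both be built.
write_sample() {
    mkdir -p "$1"
    cat > "$1/racoon.conf" <<EOF
path pre_shared_key "$3";
listen
{
    isakmp 195.228.156.104 [500];
}
remote 192.168.1.12 [500]
{
    exchange_mode main,aggressive;
    my_identifier address 195.228.156.104;
    peers_identifier address 192.168.1.12;
}
EOF
    cat > "$1/setkey.conf" <<'EOF'
flush;
spdflush;
spdadd 10.246.38.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/195.228.156.104-192.168.1.12/use;
spdadd 10.0.0.0/24 10.246.38.0/24 any -P in ipsec esp/tunnel/192.168.1.12-195.228.156.104/use;
EOF
    printf '%s placeholder-secret\n' "$2" > "$1/psk.txt"
}

# Demo: as posted, psk.txt names 192.168.0.12 and the key path keeps
# @sysconfdir_x@; the corrected variant uses the remote address and the
# FreeBSD port's real path.
tmp=$(mktemp -d)
write_sample "$tmp/as-posted" 192.168.0.12 '@sysconfdir_x@/racoon/psk.txt'
write_sample "$tmp/fixed" 192.168.1.12 /usr/local/etc/racoon/psk.txt
for d in as-posted fixed; do
    if check_config "$tmp/$d/racoon.conf" "$tmp/$d/setkey.conf" "$tmp/$d/psk.txt"; then
        echo "$d: consistent"
    else
        echo "$d: inconsistent"
    fi
done
rm -r "$tmp"
```

On a real host, run `check_config /usr/local/etc/racoon/racoon.conf /usr/local/etc/racoon/setkey.conf /usr/local/etc/racoon/psk.txt` before touching pf or tcpdump; a non-zero exit means phase 1 cannot succeed regardless of what the packet filter lets through.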