ipsec with linux

Robert Hecko robo at cpe.sk
Sat Aug 30 10:25:07 CEST 2003


Dan,

I apologise for such sparse information.
Here are the details. Authentication is via x509 certificates.

 >At this point racoon walks through the list of local IP addresses and tries
 >to open port 500 on each of them. From the LOG it is clear that for the
 >addresses 192.168.25.1, 127.0.0.1 and 195.168.24.254 it succeeded. For the
 >next address, however, it did not (the address itself is missing from the
 >error message, which by all appearances is a bug in racoon's code). Since
 >the network configuration of the machine was not shown to us, we cannot
 >guess which address that might be, and so cannot speculate much about the
 >causes of this error, let alone its consequences.
 >

the machine has only the IP addresses mentioned above


PS: is there also the option of tunnel mode for communication between freeswan and
racoon (connecting whole local networks, not just two machines)?

PS2: thanks for the reply


on the linux side there is freeswan

conn ph-ba
	leftcert=certs/ph-cert.pem
	right=195.168.24.254
	rightsubnet=192.168.25.0/24
	rightid="/C=CZ/O=CPE/OU=Net-WAN/CN=gw.cpe.sk"

on the racoon side I have

remote 80.95.98.29
{
    exchange_mode main;
    situation identity_only;
    initial_contact off;

    my_identifier asn1dn "C=CZ/O=CPE/OU=Net-WAN/CN=gw.cpe.sk";
    peers_identifier asn1dn "C=CZ/O=CPE/OU=Net-WAN";

    certificate_type x509 "cpesk-cert.pem" "gw-ba-key.pem";
    peers_certfile "cacert.pem";

    passive off;
    lifetime time 30 min;
    initial_contact on;     # set a second time in the posted config (off above)
    proposal_check obey;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group modp1536;
    }
}   # closing brace of the remote block, missing from the post as quoted

this is /etc/ipsec.conf

flush;
spdflush;
spdadd 192.168.25.0/24 192.168.1.0/24 any -P out ipsec esp/transport/195.168.24.254-80.95.98.29/require;
spdadd 192.168.1.0/24 192.168.25.0/24 any -P in ipsec esp/transport/80.95.98.29-195.168.24.254/require;


-----------------------------------------------------------------------------------

here is the tcpdump

-----------------------------------------------------------------------------------

09:57:42.361843 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=4
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=modp1024))
             (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=modp1024)))) (DF)
09:58:22.423778 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=4
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=modp1024))
             (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=modp1024)))) (DF)
09:59:02.492887 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=4
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=modp1024))
             (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=modp1024)))) (DF)
09:59:42.561629 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=4
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=modp1024))
             (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=modp1024)))) (DF)
09:59:42.564200 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=1
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))))
     (vid: len=16)
09:59:42.676706 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (ke: key len=192)
     (nonce: n len=16) (DF)
09:59:42.741934 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
09:59:42.947737 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
09:59:42.952585 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 2/others R inf[E]: [encrypted hash]
09:59:52.877269 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:00:02.882548 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:00:13.041176 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:00:22.045907 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:00:42.056045 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:00:53.139086 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=4
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=modp1024))
             (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=modp1024)))) (DF)
10:00:53.140625 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=1
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))))
     (vid: len=16)
10:00:53.253591 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (ke: key len=192)
     (nonce: n len=16) (DF)
10:00:53.301725 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:00:53.510336 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:00:53.514338 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 2/others R inf[E]: [encrypted hash]
10:01:02.533295 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:01:03.676841 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:01:13.683431 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:01:22.693460 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:01:23.847025 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:01:33.853834 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:01:53.203986 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:02:03.278216 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=4
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=modp1024))
             (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=modp1024)))) (DF)
10:02:03.279897 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=1
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))))
     (vid: len=16)
10:02:03.385438 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (ke: key len=192)
     (nonce: n len=16) (DF)
10:02:03.444038 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:02:03.660444 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:02:03.664394 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 2/others R inf[E]: [encrypted hash]
10:02:13.764332 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:02:13.801449 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:02:23.864499 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:02:33.684186 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:02:33.685024 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:02:43.704878 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:03:03.725129 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:03:13.814895 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=4
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=modp1024))
             (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=modp1024)))) (DF)
10:03:13.816333 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=1
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))))
     (vid: len=16)
10:03:13.930386 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (ke: key len=192)
     (nonce: n len=16) (DF)
10:03:13.978493 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:03:14.190000 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:03:14.194136 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 2/others R inf[E]: [encrypted hash]
10:03:23.195350 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:03:23.349470 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:03:33.355555 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:03:43.365644 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:03:43.527013 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:03:53.535933 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:04:13.556181 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:04:23.640068 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=4
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=modp1024))
             (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=modp1024)))) (DF)
10:04:23.641612 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=1
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))))
     (vid: len=16)
10:04:23.750611 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (ke: key len=192)
     (nonce: n len=16) (DF)
10:04:23.799588 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:04:24.007292 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:04:24.011374 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 2/others R inf[E]: [encrypted hash]
10:04:33.016470 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:04:34.165327 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:04:43.166506 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:04:53.176749 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:04:54.323508 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:05:03.327123 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:05:23.347240 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp: 
isakmp: phase 1 R ident:
     (ke: key len=192)
     (nonce: n len=16)
     (vid: len=16)
10:05:33.427309 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=4
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=modp1024))
             (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=modp1024)))) (DF)
10:05:43.496209 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp: 
isakmp: phase 1 I ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=4
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=0005))
             (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=rsa sig)(type=group desc value=modp1024))
             (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=rsa sig)(type=group desc value=modp1024)))) (DF)

-----------------------------------------------------------------------------------

and here is the log output (log level notify in racoon.conf)

-----------------------------------------------------------------------------------

Aug 30 09:59:15 gw racoon: INFO: main.c:172:main(): @(#)package version 
freebsd-20030711a
Aug 30 09:59:15 gw racoon: INFO: main.c:174:main(): @(#)internal version 
20001216 sakane at kame.net
Aug 30 09:59:15 gw racoon: INFO: main.c:175:main(): @(#)This product 
linked OpenSSL 0.9.6g 9 Aug 2002 (http://www.openssl.org/)
Aug 30 09:59:15 gw racoon: INFO: isakmp.c:1358:isakmp_open(): 
127.0.0.1[500] used as isakmp port (fd=6)
Aug 30 09:59:15 gw racoon: INFO: isakmp.c:1358:isakmp_open(): 
195.168.24.254[500] used as isakmp port (fd=7)
Aug 30 09:59:15 gw racoon: INFO: isakmp.c:1358:isakmp_open(): 
192.168.25.1[500] used as isakmp port (fd=8)
Aug 30 09:59:42 gw racoon: INFO: isakmp.c:894:isakmp_ph1begin_r(): 
respond new phase 1 negotiation: 195.168.24.254[500]<=>80.95.98.29[500]
Aug 30 09:59:42 gw racoon: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin 
Identity Protection mode.
Aug 30 09:59:42 gw racoon: ERROR: ipsec_doi.c:1318:get_transform(): Only 
a single transform payload is allowed during phase 1 processing.
Aug 30 09:59:42 gw racoon: WARNING: 
ipsec_doi.c:3091:ipsecdoi_checkid1(): ID value mismatched.
Aug 30 09:59:42 gw racoon: ERROR: oakley.c:1596:oakley_check_certid(): 
Invalid ID length in phase 1.
Aug 30 10:00:53 gw racoon: INFO: isakmp.c:894:isakmp_ph1begin_r(): 
respond new phase 1 negotiation: 195.168.24.254[500]<=>80.95.98.29[500]
Aug 30 10:00:53 gw racoon: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin 
Identity Protection mode.
Aug 30 10:00:53 gw racoon: ERROR: ipsec_doi.c:1318:get_transform(): Only 
a single transform payload is allowed during phase 1 processing.
Aug 30 10:00:53 gw racoon: WARNING: 
ipsec_doi.c:3091:ipsecdoi_checkid1(): ID value mismatched.
Aug 30 10:00:53 gw racoon: ERROR: oakley.c:1596:oakley_check_certid(): 
Invalid ID length in phase 1.
Aug 30 10:01:42 gw racoon: ERROR: isakmp.c:1437:isakmp_ph1resend(): 
phase1 negotiation failed due to time up. 18261e773fef560a:46d2f815c36ba984
Aug 30 10:01:48 gw racoon: INFO: isakmp.c:1703:isakmp_post_acquire(): 
request for establishing IPsec-SA was queued due to no phase1 found.
Aug 30 10:02:03 gw racoon: INFO: isakmp.c:894:isakmp_ph1begin_r(): 
respond new phase 1 negotiation: 195.168.24.254[500]<=>80.95.98.29[500]
Aug 30 10:02:03 gw racoon: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin 
Identity Protection mode.
Aug 30 10:02:03 gw racoon: ERROR: ipsec_doi.c:1318:get_transform(): Only 
a single transform payload is allowed during phase 1 processing.
Aug 30 10:02:03 gw racoon: WARNING: 
ipsec_doi.c:3091:ipsecdoi_checkid1(): ID value mismatched.
Aug 30 10:02:03 gw racoon: ERROR: oakley.c:1596:oakley_check_certid(): 
Invalid ID length in phase 1.
Aug 30 10:02:19 gw racoon: ERROR: isakmp.c:1776:isakmp_chkph1there(): 
phase2 negotiation failed due to time up waiting for phase1. ESP 
80.95.98.29->195.168.24.254
Aug 30 10:02:19 gw racoon: INFO: isakmp.c:1781:isakmp_chkph1there(): 
delete phase 2 handler.
Aug 30 10:02:53 gw racoon: ERROR: isakmp.c:1437:isakmp_ph1resend(): 
phase1 negotiation failed due to time up. fada65838fd3d3a8:b257eb13905d0532
Aug 30 10:03:13 gw racoon: INFO: isakmp.c:894:isakmp_ph1begin_r(): 
respond new phase 1 negotiation: 195.168.24.254[500]<=>80.95.98.29[500]
Aug 30 10:03:13 gw racoon: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin 
Identity Protection mode.
Aug 30 10:03:13 gw racoon: ERROR: ipsec_doi.c:1318:get_transform(): Only 
a single transform payload is allowed during phase 1 processing.
Aug 30 10:03:14 gw racoon: WARNING: 
ipsec_doi.c:3091:ipsecdoi_checkid1(): ID value mismatched.
Aug 30 10:03:14 gw racoon: ERROR: oakley.c:1596:oakley_check_certid(): 
Invalid ID length in phase 1.
Aug 30 10:04:03 gw racoon: ERROR: isakmp.c:1437:isakmp_ph1resend(): 
phase1 negotiation failed due to time up. 6ace4bc8481b5c86:3b306e0c406803c4
Aug 30 10:04:23 gw racoon: INFO: isakmp.c:894:isakmp_ph1begin_r(): 
respond new phase 1 negotiation: 195.168.24.254[500]<=>80.95.98.29[500]
Aug 30 10:04:23 gw racoon: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin 
Identity Protection mode.
Aug 30 10:04:23 gw racoon: ERROR: ipsec_doi.c:1318:get_transform(): Only 
a single transform payload is allowed during phase 1 processing.
Aug 30 10:04:24 gw racoon: WARNING: 
ipsec_doi.c:3091:ipsecdoi_checkid1(): ID value mismatched.
Aug 30 10:04:24 gw racoon: ERROR: oakley.c:1596:oakley_check_certid(): 
Invalid ID length in phase 1.
Aug 30 10:05:13 gw racoon: ERROR: isakmp.c:1437:isakmp_ph1resend(): 
phase1 negotiation failed due to time up. 8c8c00dfd983cfc7:45c0f8fa5f8c46f8
Aug 30 10:05:25 gw racoon: INFO: session.c:299:check_sigreq(): caught 
signal 15
Aug 30 10:05:26 gw racoon: INFO: session.c:180:close_session(): racoon 
shutdown


robo