IPSEC tunnel FreeBSD Freeswan (long)
Josef Dvorak
pepadvorak at volny.cz
Thu May 27 15:12:36 CEST 2004
Hello,
I am trying to get an IPsec tunnel working between FreeBSD and Linux (FreeS/WAN).
Note that a BSD-to-BSD tunnel works for me without problems, so I am probably
making some elementary mistake. The logs are included below.
The network layout is the usual one:
A.B.C.D/24 E.F.G.H/32 I.J.K.L/32 M.N.O.P/24
---------LINUX-----------net------------FREEBSD----
The BSD side looks as follows:
- policy.conf
spdadd A.B.C.D/24 M.N.O.P/24 any -P in ipsec
esp/tunnel/E.F.G.H-I.J.K.L/require;
spdadd M.N.O.P/24 A.B.C.D/24 any -P out ipsec
esp/tunnel/I.J.K.L-E.F.G.H/require;
- racoon.conf
remote E.F.G.H
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
lifetime time 28800 sec; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
- psk.txt
E.F.G.H heslo
Linux side (FreeS/WAN)
- ipsec.conf
conn cz-sk
auto=add
type=tunnel
authby=secret
left=E.F.G.H
leftsubnet=A.B.C.D/24
right=I.J.K.L
rightsubnet=M.N.O.P/24
spi=0x200
- ipsec.secrets
E.F.G.H I.J.K.L: PSK "heslo"
On BSD I now start racoon with:
setkey -FP
setkey -F
setkey -f /usr/local/etc/racoon/policy.conf
/usr/local/sbin/racoon -F -v -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log
On Linux, with IPsec started (I should add that on the same Linux box a tunnel
to another Linux works), I run:
ipsec auto --up cz-sk
It prints:
104 "cz-sk" #12: STATE_MAIN_I1: initiate
003 "cz-sk" #12: ignoring Vendor ID payload
106 "cz-sk" #12: STATE_MAIN_I2: sent MI2, expecting MR2
003 "cz-sk" #12: ignoring Vendor ID payload
108 "cz-sk" #12: STATE_MAIN_I3: sent MI3, expecting MR3
004 "cz-sk" #12: STATE_MAIN_I4: ISAKMP SA established
112 "cz-sk" #13: STATE_QUICK_I1: initiate
010 "cz-sk" #13: STATE_QUICK_I1: retransmission; will wait 20s for response
and on BSD the log says:
2004-05-27 15:05:11: INFO: isakmp.c:1368:isakmp_open(): fe80::201:2ff:fea0:395d%xl0[500] used as isakmp port (fd=9)
2004-05-27 15:05:11: INFO: isakmp.c:1368:isakmp_open(): 192.168.48.201[500] used as isakmp port (fd=10)
2004-05-27 15:05:15: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation: 217.118.110.74[500]<=>195.122.223.34[500]
2004-05-27 15:05:15: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Identity Protection mode.
2004-05-27 15:05:16: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established I.J.K.L[500]-E.F.G.H[500] spi:1a9e4852114db962:2697f297b45a33bc
2004-05-27 15:05:16: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: I.J.K.L[0]<=>E.F.G.H[0]
2004-05-27 15:05:16: ERROR: ipsec_doi.c:1001:get_ph2approvalx(): not matched
2004-05-27 15:05:16: ERROR: ipsec_doi.c:966:get_ph2approval(): no suitable policy found.
2004-05-27 15:05:16: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.
I do understand the message "no suitable policy found", but I don't see why it
doesn't find the policy when I loaded it with spdadd. See setkey -PD:
A.B.C.D/24[any] M.N.O.P/24[any] any
in ipsec
esp/tunnel/E.F.G.H-I.J.K.L/require
created: May 27 15:05:11 2004 lastused: May 27 15:05:11 2004
lifetime: 0(s) validtime: 0(s)
spid=16692 seq=1 pid=1720
refcnt=1
M.N.O.P/24[any] A.B.C.D/24[any] any
out ipsec
esp/tunnel/I.J.K.L-E.F.G.H/require
created: May 27 15:05:11 2004 lastused: May 27 15:08:25 2004
lifetime: 0(s) validtime: 0(s)
spid=16693 seq=0 pid=1720
refcnt=1
For completeness:
FreeBSD 5.2.1
Freeswan 1.99 with X509
Thanks for any nudge in the right direction.
Josef Dvorak
More information about the Users-l mailing list
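When a subnet-to-subnet tunnel like the one above fails in phase 2, the first thing worth verifying mechanically is that the kernel SPD really holds the mirror-image pair of policies the tunnel needs (inbound remote subnet to local subnet wrapped remote gateway to local gateway, outbound the reverse) and that racoon has a `remote` block and a pre-shared key for the same peer address. The following checker is an added example, not code from the post above nor from the racoon or FreeS/WAN projects: it parses `setkey -PD` output and a minimal racoon.conf/psk.txt, and compares them against the intended layout. The sample inputs are constructed from the configuration quoted in the post (with its placeholder addresses), plus one deliberately broken SPD dump with the outbound tunnel endpoints written in the wrong order; the class and function names are this example's own.

```python
"""Consistency check of a FreeBSD `setkey -PD` SPD dump and racoon peer
configuration against the intended subnet-to-subnet ESP tunnel.

Added example (not from the post or the racoon/FreeS/WAN projects).
Sample inputs below are constructed from the post's quoted configuration;
all names here are hypothetical helpers.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SpdEntry:
    src: str                 # selector source prefix, e.g. "A.B.C.D/24"
    dst: str                 # selector destination prefix
    direction: str           # "in" or "out"
    proto: str               # "esp", "ah" or "ipcomp"
    mode: str                # "tunnel" or "transport"
    tun_src: Optional[str]   # outer tunnel source (None for transport mode)
    tun_dst: Optional[str]   # outer tunnel destination
    level: str               # "require", "use", "default" or "unique"


# Selector line as printed by setkey -PD:  A.B.C.D/24[any] M.N.O.P/24[any] any
SELECTOR_RE = re.compile(r"^([^\s\[]+)\[[^\]]*\]\s+([^\s\[]+)\[[^\]]*\]\s+\S+$")
# Policy request line:  esp/tunnel/E.F.G.H-I.J.K.L/require
REQUEST_RE = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)(?:/([^-/\s]+)-([^/\s]+))?/(\w+)$")


def parse_spd_dump(text: str) -> List[SpdEntry]:
    """Parse `setkey -PD` output: each entry is a selector line, an
    "<in|out> <action>" line and, for action "ipsec", one or more request
    lines; bookkeeping lines (created:, lifetime:, spid=, refcnt=) are skipped."""
    entries: List[SpdEntry] = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        sel = SELECTOR_RE.match(lines[i])
        i += 1
        if sel is None or i >= len(lines):
            continue
        src, dst = sel.group(1), sel.group(2)
        direction, action = lines[i].split()[:2]
        i += 1
        if action != "ipsec":            # "in none" / "in discard" carry no requests
            continue
        while i < len(lines):
            req = REQUEST_RE.match(lines[i])
            if req is None:
                break
            entries.append(SpdEntry(src, dst, direction, req.group(1), req.group(2),
                                    req.group(3), req.group(4), req.group(5)))
            i += 1
    return entries


def check_tunnel_pair(entries: List[SpdEntry], local_subnet: str, remote_subnet: str,
                      local_gw: str, remote_gw: str) -> List[str]:
    """Require the mirror-image ESP tunnel policies: in = remote->local wrapped
    remote_gw->local_gw, out = local->remote wrapped local_gw->remote_gw.
    Returns a list of problems; empty means the pair is consistent."""
    expected = {"in": (remote_subnet, local_subnet, remote_gw, local_gw),
                "out": (local_subnet, remote_subnet, local_gw, remote_gw)}
    problems: List[str] = []
    for direction, (src, dst, tsrc, tdst) in expected.items():
        cands = [e for e in entries if e.direction == direction and e.src == src and e.dst == dst]
        if not cands:
            problems.append(f"no {direction} policy for {src} -> {dst}")
            continue
        for e in cands:
            if (e.proto, e.mode) != ("esp", "tunnel"):
                problems.append(f"{direction} policy is {e.proto}/{e.mode}, expected esp/tunnel")
            if (e.tun_src, e.tun_dst) != (tsrc, tdst):
                problems.append(f"{direction} tunnel endpoints {e.tun_src}-{e.tun_dst}, expected {tsrc}-{tdst}")
            if e.level != "require":
                problems.append(f"{direction} policy level is {e.level}, expected require")
    return problems


def racoon_peer_defined(racoon_conf: str, psk_txt: str, remote_gw: str) -> List[str]:
    """Check that racoon.conf has a `remote` block for the peer (or `anonymous`)
    and that psk.txt carries a key whose identifier is the peer address."""
    problems: List[str] = []
    remotes = re.findall(r"^\s*remote\s+(\S+)", racoon_conf, re.M)
    if remote_gw not in remotes and "anonymous" not in remotes:
        problems.append(f"racoon.conf has no remote block for {remote_gw}")
    keys = [ln.split()[0] for ln in psk_txt.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    if remote_gw not in keys:
        problems.append(f"psk.txt has no entry for {remote_gw}")
    return problems


# --- constructed sample inputs, taken from the post's quoted configuration ---
SPD_DUMP = """
A.B.C.D/24[any] M.N.O.P/24[any] any
    in ipsec
    esp/tunnel/E.F.G.H-I.J.K.L/require
    created: May 27 15:05:11 2004 lastused: May 27 15:05:11 2004
    lifetime: 0(s) validtime: 0(s)
    spid=16692 seq=1 pid=1720
    refcnt=1
M.N.O.P/24[any] A.B.C.D/24[any] any
    out ipsec
    esp/tunnel/I.J.K.L-E.F.G.H/require
    created: May 27 15:05:11 2004 lastused: May 27 15:08:25 2004
    lifetime: 0(s) validtime: 0(s)
    spid=16693 seq=0 pid=1720
    refcnt=1
"""
# Constructed variant: outbound endpoints typed in the wrong order (a common slip).
SPD_DUMP_SWAPPED = SPD_DUMP.replace("esp/tunnel/I.J.K.L-E.F.G.H/require",
                                    "esp/tunnel/E.F.G.H-I.J.K.L/require")
RACOON_CONF = "remote E.F.G.H\n{\n    exchange_mode main,aggressive;\n}\n"
PSK_TXT = "E.F.G.H heslo\n"


def audit(spd_dump: str, racoon_conf: str, psk_txt: str) -> List[str]:
    """Run both checks for the post's layout: local M.N.O.P/24 behind I.J.K.L,
    remote A.B.C.D/24 behind E.F.G.H."""
    problems = check_tunnel_pair(parse_spd_dump(spd_dump),
                                 "M.N.O.P/24", "A.B.C.D/24", "I.J.K.L", "E.F.G.H")
    return problems + racoon_peer_defined(racoon_conf, psk_txt, "E.F.G.H")


if __name__ == "__main__":
    for name, dump in (("posted SPD", SPD_DUMP), ("swapped endpoints", SPD_DUMP_SWAPPED)):
        found = audit(dump, RACOON_CONF, PSK_TXT)
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

The SPD fixes only the selectors, mode, outer endpoints and level; the algorithms racoon will accept in phase 2 are taken from its `sainfo` sections, which the racoon.conf quoted in the post does not show, so a clean result from this check narrows the search rather than proving the peers agree on a transform. Feed it real `setkey -PD` output on the responder and the peer's idea of the subnets and gateways, and any mismatch it reports is a configuration error on the side that holds the SPD.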