IPsec problem? - long

Josef Brzak brzak at linux.fjfi.cvut.cz
Tue Nov 9 01:59:42 CET 2004


Hello,

  I have one small question regarding IPsec:

  I configured a tunnel between two networks following the guide
  I found in the handbook, using IPsec to secure it. Everything
  works as it should, except that the following message sometimes
  appears in the logs:

  IPv4 ESP input: no key association found for spi 113014365
  IPv4 ESP input: no key association found for spi 113014365

  This message also sometimes appears after one of the routers is
  reset, and it takes a while before the connection between the
  routers is re-established.

  The routers in both networks run the same system, i.e. FreeBSD 4.10-RELEASE-p3.

  Thank you very much in advance for any advice/help.

				Pepa Brzak

  btw: I am attaching my racoon configuration.

  cat racoon.conf

  path include "/usr/local/etc/racoon" ;

  padding
  {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
  }

  listen
  {
        isakmp verejna_ip_adresa [500];
  }

  timer
  {
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
  }

  remote anonymous
  {
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;

        nonce_size 16;
        lifetime time 60 min;   # sec,min,hour
        initial_contact on;
        #support_mip6 on;
        support_proxy on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm blowfish;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
  }

  sainfo anonymous
  {
        pfs_group 2;
        lifetime time 24 sec;
        encryption_algorithm blowfish ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
  }
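As an added diagnostic (my own code, not part of the post above), the following parses the lifetime directives of a racoon.conf fragment like the one quoted and counts the kernel's "no key association found" messages per SPI, i.e. ESP packets that arrived with an SPI matching no installed inbound SA. The 60-second threshold for flagging a short phase 2 (sainfo) lifetime is my assumption, as are the sample inputs, which are constructed from the values in the post.

```python
import re
from collections import Counter

# Constructed fragment of the posted racoon.conf (phase 1 in remote, phase 2 in sainfo).
SAMPLE_CONF = """
remote anonymous
{
        lifetime time 60 min;   # sec,min,hour
        proposal {
                encryption_algorithm blowfish;
        }
}
sainfo anonymous
{
        pfs_group 2;
        lifetime time 24 sec;
}
"""

# Constructed kernel log lines in the form quoted in the post.
SAMPLE_LOG = """IPv4 ESP input: no key association found for spi 113014365
IPv4 ESP input: no key association found for spi 113014365
"""

UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600}
SECTION_RE = re.compile(r"^\s*(remote|sainfo)\b")
LIFETIME_RE = re.compile(r"^\s*lifetime\s+time\s+(\d+)\s+(sec|min|hour)\s*;")
SPI_RE = re.compile(r"no key association found for spi (\d+)")

def parse_lifetimes(conf_text):
    """Return {'remote': seconds, 'sainfo': seconds} for lifetime directives."""
    lifetimes, section = {}, None
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)      # nested proposal {} carries no lifetime
            continue
        m = LIFETIME_RE.match(line)
        if m and section:
            lifetimes[section] = int(m.group(1)) * UNIT_SECONDS[m.group(2)]
    return lifetimes

def count_missing_spi(log_text):
    """Count ESP packets the kernel could not match to an inbound SA, per SPI."""
    return Counter(int(m.group(1)) for m in SPI_RE.finditer(log_text))

def review(conf_text, log_text, min_phase2=60):
    """Findings: a phase 2 lifetime below min_phase2 (assumed threshold) and unmatched SPIs."""
    findings = []
    p2 = parse_lifetimes(conf_text).get("sainfo")
    if p2 is not None and p2 < min_phase2:
        findings.append(f"phase 2 (sainfo) lifetime is {p2}s: SAs are renegotiated that often")
    for spi, n in count_missing_spi(log_text).items():
        findings.append(f"spi {spi}: {n} ESP packet(s) with no matching inbound SA")
    return findings
```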
