racoon problem

Jan Dušátko jan at dusatko.org
Mon Oct 4 19:39:39 CEST 2010


Hi,
I am dealing with similar issues right now. I recommend doing the following:
If you have the tunnel over a gif or gre interface, run tcpdump on those,
and a second tcpdump on the external interface.
As soon as you bring the tunnel up, try a ping and find out where the traffic does and does not get to.

Then look at setkey, at the policy settings.

Honza


Hi all,
I have fbsd 8.1-Stable and need to set up a connection to a Cisco device on
the other side.

racoon.conf :
# the file should contain key ID/key pairs, for pre-shared key
# authentication.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
#log debug;
listen {
        isakmp          217.67.31.61 [500];
}
timer {
        phase1 60 seconds ;
        phase2 60 seconds ;
}

remote 195.80.190.60
{
#       exchange_mode main,aggressive,base;
        exchange_mode aggressive;
        doi ipsec_doi;
        situation identity_only;

#       my_identifier fqdn "192.168.8.95";
        my_identifier fqdn "217.67.31.61";

        lifetime time 24 hour ; # sec,min,hour

        initial_contact off ;
        passive on ;

        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm aes 256;
#               encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }

        # the configuration could make racoon (as a responder)
        # obey the initiator's lifetime and PFS group proposal,
        # by setting proposal_check to obey.
        # this would make testing "so much easier", but is really
        # *not* secure !!!
        proposal_check obey;
}

#sainfo anonymous
sainfo (address 192.168.8.95/32 any address 192.168.7.95/32 any) {
        pfs_group 5;
        lifetime time 28800 sec ;
        encryption_algorithm des;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
}

setkey.conf

flush;
spdflush;
spdadd 192.168.7.95/32 192.168.8.95/32 any -P in ipsec
        esp/tunnel/195.80.190.60-217.67.31.61/require; # (or /require)
spdadd 192.168.8.95/32 192.168.7.95/32 any -P out ipsec
        esp/tunnel/217.67.31.61-195.80.190.60/require; # (or /require)

rc.conf
gif_interfaces="gif0"
gifconfig_gif0="217.67.31.61 195.80.190.60"
ifconfig_gif0="192.168.8.95 192.168.7.95 netmask 255.255.255.0 up"

ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"

when I start racoon with this config file:

2010-10-04 12:35:56: INFO: @(#)ipsec-tools 0.7.3
(http://ipsec-tools.sourceforge.net)
2010-10-04 12:35:56: INFO: @(#)This product linked OpenSSL 1.0.0a 1 Jun 2010
(http://www.openssl.org/)
2010-10-04 12:35:56: INFO: Reading configuration from "racoon2.conf"
2010-10-04 12:35:56: INFO: remote 195.80.190.60[500] {
2010-10-04 12:35:56: INFO:      exchange_type aggressive;
2010-10-04 12:35:56: INFO:      doi ipsec_doi;
2010-10-04 12:35:56: INFO:      my_identifier fqdn "217.67.31.61";
2010-10-04 12:35:56: INFO:      send_cert on;
2010-10-04 12:35:56: INFO:      send_cr on;
2010-10-04 12:35:56: INFO:      verify_cert on;
2010-10-04 12:35:56: INFO:      verify_identifier off;
2010-10-04 12:35:56: INFO:      nat_traversal off;
2010-10-04 12:35:56: INFO:      nonce_size 16;
2010-10-04 12:35:56: INFO:      passive on;
2010-10-04 12:35:56: INFO:      ike_frag off;
2010-10-04 12:35:56: INFO:      esp_frag 65535;
2010-10-04 12:35:56: INFO:      initial_contact off;
2010-10-04 12:35:56: INFO:      generate_policy off;
2010-10-04 12:35:56: INFO:      support_proxy off;
2010-10-04 12:35:56: INFO:
2010-10-04 12:35:56: INFO:      /* prop_no=1, trns_no=1, 
rmconf=195.80.190.60[500] */
2010-10-04 12:35:56: INFO:      proposal {
2010-10-04 12:35:56: INFO:              lifetime time 86400 sec;
2010-10-04 12:35:56: INFO:              lifetime bytes 0;
2010-10-04 12:35:56: INFO:              dh_group modp1024;
2010-10-04 12:35:56: INFO:              encryption_algorithm aes;
2010-10-04 12:35:56: INFO:              hash_algorithm sha1;
2010-10-04 12:35:56: INFO:              authentication_method 
pre_shared_key;
2010-10-04 12:35:56: INFO:      }
2010-10-04 12:35:56: INFO: }
2010-10-04 12:35:56: INFO:
2010-10-04 12:35:56: INFO: 217.67.31.61[500] used as isakmp port (fd=6)
2010-10-04 12:35:56: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): 
UDP_ENCAP Invalid argument

^ I don't know whether that warning is anything serious..

I bring up the VPN:
racoonctl vc 195.80.190.60
2010-10-04 12:36:36: INFO: accept a request to establish IKE-SA: 
195.80.190.60
2010-10-04 12:36:36: INFO: initiate new phase 1 negotiation: 
217.67.31.61[500]<=>195.80.190.60[500]
2010-10-04 12:36:36: INFO: begin Aggressive mode.
2010-10-04 12:36:36: INFO: received Vendor ID: CISCO-UNITY
2010-10-04 12:36:36: INFO: received Vendor ID: 
draft-ietf-ipsra-isakmp-xauth-06.txt
2010-10-04 12:36:36: INFO: received Vendor ID: DPD
2010-10-04 12:36:36: INFO: received broken Microsoft ID: FRAGMENTATION
2010-10-04 12:36:36: WARNING: port 500 expected, but 0
2010-10-04 12:36:36: NOTIFY: couldn't find the proper pskey, try to get one
by the peer's address.
2010-10-04 12:36:36: INFO: ISAKMP-SA established
217.67.31.61[500]-195.80.190.60[500] spi:c965effcc3c71c8d:b6707de2d30471a4

the isakmp connection gets established but the ipsec encryption doesn't work... and I don't know why

does anyone see a mistake in there, a reason why it shouldn't work?

--
------------------------------
Regards
Robert Popelka (jimy)

mail	: jimy at kick.sk
mob.	: +421 (0) 915 770 987
msn	: jimy at kick.sk
jabber	: jimy at kick.sk
icq 	: 120614660
www 	: http://www.kick.sk/
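Added example, not code from either message in this thread, for the two things the exchange turns on: Honza's advice to look at setkey's policy settings, and Robert's symptom of an ISAKMP SA with no working ESP. The script parses the text that FreeBSD's `setkey -DP` (the SPD) and `setkey -D` (the SAD) print and, for every policy that requires IPsec, reports whether a mature SA of the right protocol and mode exists between the tunnel endpoints named in that policy. The sample outputs are constructed to match the posted setkey.conf (same gateway and host addresses, made-up SPIs and keys); the first SAD sample is empty, which is what the SAD looks like when phase 1 succeeded but phase 2 never did. It also flags SAs negotiated with single DES, since the posted sainfo block selects `encryption_algorithm des` for phase 2. The file name `check_ipsec.py` is an assumption.

```python
"""Cross-check the IPsec SPD (setkey -DP) against the SAD (setkey -D).
Added example, not code from the thread: for every policy that requires IPsec,
report whether a mature SA with matching protocol, mode and endpoints exists.
An ISAKMP SA in racoon's log plus an empty SAD means phase 2 never completed,
and with level "require" the kernel drops every packet matching the policy."""
import re
import sys

# Line shapes of FreeBSD/ipsec-tools setkey output.
POLICY_HDR = re.compile(r"^(\S+)\[\S*\]\s+(\S+)\[\S*\]\s+\S+$")
DIR_LINE = re.compile(r"^(in|out|fwd)\s+(ipsec|discard|none)$")
POLICY_RULE = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/(\S+)-(\S+)/(\w+)$")
SA_HDR = re.compile(r"^(\S+)\s+(\S+)$")
SA_LINE = re.compile(r"^(esp|ah|ipcomp)\s+mode=(\w+)\s+spi=(\d+)\(")
ENC_LINE = re.compile(r"^E:\s+(\S+)")
STATE = re.compile(r"\bstate=(\w+)")
WEAK_ENC = {"des-cbc", "null"}  # single DES / null ESP: no real confidentiality

def _entries(text):
    """Split setkey output into (header, [indented detail lines]) groups."""
    for block in re.split(r"\n(?=\S)", text.strip()):
        header, *details = block.splitlines()
        yield header.strip(), [d.strip() for d in details if d.strip()]

def parse_spd(text):
    """One dict per policy: selectors, direction, action and the SA rule."""
    policies = []
    for header, details in _entries(text):
        if not (m := POLICY_HDR.match(header)):
            continue  # e.g. "No SPD entries."
        p = {"src": m[1], "dst": m[2], "dir": "", "action": "", "proto": "", "mode": ""}
        for line in details:
            if d := DIR_LINE.match(line):
                p["dir"], p["action"] = d[1], d[2]
            elif r := POLICY_RULE.match(line):
                p["proto"], p["mode"], p["tun_src"], p["tun_dst"], p["level"] = r.groups()
        policies.append(p)
    return policies

def parse_sad(text):
    """One dict per SA: endpoints, protocol, mode, SPI, cipher and state."""
    sas = []
    for header, details in _entries(text):
        if not (m := SA_HDR.match(header)):
            continue  # e.g. "No SAD entries."
        sa = {"src": m[1], "dst": m[2], "proto": "", "mode": "", "enc": "", "state": ""}
        for line in details:
            if s := SA_LINE.match(line):
                sa["proto"], sa["mode"], sa["spi"] = s[1], s[2], int(s[3])
            elif e := ENC_LINE.match(line):
                sa["enc"] = e[1]
            elif st := STATE.search(line):
                sa["state"] = st[1]
        if sa["proto"]:
            sas.append(sa)
    return sas

def check(spd_text, sad_text):
    """Return (policy label, status) for every policy whose action is ipsec."""
    sas, findings = parse_sad(sad_text), []
    for p in parse_spd(spd_text):
        if p["action"] != "ipsec":
            continue
        # Tunnel-mode SAs are keyed by the gateway addresses in the rule,
        # transport-mode SAs by the selector addresses themselves.
        want = (p["tun_src"], p["tun_dst"]) if p["mode"] == "tunnel" else (p["src"], p["dst"])
        live = [sa for sa in sas if (sa["src"], sa["dst"]) == want
                and sa["proto"] == p["proto"] and sa["mode"] == p["mode"]
                and sa["state"] == "mature"]
        weak = [sa["enc"] for sa in live if sa["enc"] in WEAK_ENC]
        label = f"{p['dir']} {p['src']} -> {p['dst']}"
        status = "missing SA" if not live else f"ok (weak cipher {weak[0]})" if weak else "ok"
        findings.append((label, status))
    return findings

# Constructed sample output, shaped like setkey's, for the posted setkey.conf.
SPD_OUTPUT = """\
192.168.7.95[any] 192.168.8.95[any] any
        in ipsec
        esp/tunnel/195.80.190.60-217.67.31.61/require
192.168.8.95[any] 192.168.7.95[any] any
        out ipsec
        esp/tunnel/217.67.31.61-195.80.190.60/require
"""
SAD_EMPTY = "No SAD entries.\n"  # the "ISAKMP-SA established, no traffic" case
SAD_UP = """\
217.67.31.61 195.80.190.60
        esp mode=tunnel spi=62743721(0x03bd74a9) reqid=0(0x00000000)
        E: des-cbc  3d2a9c41 e7f08b12
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
195.80.190.60 217.67.31.61
        esp mode=tunnel spi=1264185837(0x4b5ad9ed) reqid=0(0x00000000)
        E: des-cbc  a1b2c3d4 e5f60718
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

if __name__ == "__main__":  # usage: check_ipsec.py spd.txt sad.txt (no args: samples)
    spd, sad = [open(f).read() for f in sys.argv[1:3]] if len(sys.argv) == 3 else (SPD_OUTPUT, SAD_EMPTY)
    print("\n".join(f"{label:40} {status}" for label, status in check(spd, sad)))
```

On the FreeBSD box, save `setkey -DP` and `setkey -D` output to two files and pass them to the script; with no arguments it checks the constructed samples and reports "missing SA" for both policies. A "missing SA" against a policy with level require means the kernel has nothing to encrypt with and drops the matching packets, so the next place to look is racoon's log for the phase 2 (quick mode) exchange and whether the Cisco side's transform set agrees with the sainfo proposal; an "ok (weak cipher des-cbc)" means traffic flows but the phase 2 proposal should be moved off single DES.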