ipsec with linux
Robert Hecko
robo at cpe.sk
Sat Aug 30 10:25:07 CEST 2003
dan
I apologize for such terse information.
here are more details. authentication is via x509 certificates.
>At this point racoon walks the list of local IP addresses and tries to
>open port 500 on each of them. From the LOG it is evident that it
>succeeded for the addresses 192.168.25.1, 127.0.0.1 and 195.168.24.254.
>For the following address, however, it did not (the address itself is
>missing from the error message, which is by all appearances a bug in
>racoon's code). Because the machine's network configuration was kept
>secret from us, it is impossible to guess which address it might be, and
>so one cannot speculate much about the causes, let alone the
>consequences, of this error.
>
the machine has only the mentioned ip addresses
ps: is tunnel mode also possible for communication between freeswan and
racoon (connecting whole local networks, not just two machines) ?
ps2: thank you for the reply
on the linux side there is freeswan
conn ph-ba
        leftcert=certs/ph-cert.pem
        right=195.168.24.254
        rightsubnet=192.168.25.0/24
        rightid="/C=CZ/O=CPE/OU=Net-WAN/CN=gw.cpe.sk"
on the racoon side I have
remote 80.95.98.29
{
        exchange_mode main;
        situation identity_only;
        initial_contact off;
        my_identifier asn1dn "C=CZ/O=CPE/OU=Net-WAN/CN=gw.cpe.sk";
        peers_identifier asn1dn "C=CZ/O=CPE/OU=Net-WAN";
        certificate_type x509 "cpesk-cert.pem" "gw-ba-key.pem";
        peers_certfile "cacert.pem";
        passive off;
        lifetime time 30 min;
        initial_contact on;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig ;
                dh_group modp1536 ;
        }
this is /etc/ipsec.conf
flush;
spdflush;
spdadd 192.168.25.0/24 192.168.1.0/24 any -P out ipsec
        esp/transport/195.168.24.254-80.95.98.29/require;
spdadd 192.168.1.0/24 192.168.25.0/24 any -P in ipsec
        esp/transport/80.95.98.29-195.168.24.254/require;
-----------------------------------------------------------------------------------
here is the tcpdump
-----------------------------------------------------------------------------------
09:57:42.361843 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=4
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=modp1024)))) (DF)
09:58:22.423778 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=4
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=modp1024)))) (DF)
09:59:02.492887 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=4
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=modp1024)))) (DF)
09:59:42.561629 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=4
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=modp1024)))) (DF)
09:59:42.564200 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=1
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))))
(vid: len=16)
09:59:42.676706 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(ke: key len=192)
(nonce: n len=16) (DF)
09:59:42.741934 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
09:59:42.947737 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
09:59:42.952585 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 2/others R inf[E]: [encrypted hash]
09:59:52.877269 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:00:02.882548 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:00:13.041176 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:00:22.045907 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:00:42.056045 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:00:53.139086 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=4
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=modp1024)))) (DF)
10:00:53.140625 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=1
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))))
(vid: len=16)
10:00:53.253591 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(ke: key len=192)
(nonce: n len=16) (DF)
10:00:53.301725 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:00:53.510336 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:00:53.514338 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 2/others R inf[E]: [encrypted hash]
10:01:02.533295 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:01:03.676841 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:01:13.683431 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:01:22.693460 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:01:23.847025 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:01:33.853834 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:01:53.203986 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:02:03.278216 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=4
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=modp1024)))) (DF)
10:02:03.279897 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=1
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))))
(vid: len=16)
10:02:03.385438 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(ke: key len=192)
(nonce: n len=16) (DF)
10:02:03.444038 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:02:03.660444 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:02:03.664394 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 2/others R inf[E]: [encrypted hash]
10:02:13.764332 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:02:13.801449 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:02:23.864499 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:02:33.684186 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:02:33.685024 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:02:43.704878 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:03:03.725129 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:03:13.814895 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=4
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=modp1024)))) (DF)
10:03:13.816333 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=1
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))))
(vid: len=16)
10:03:13.930386 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(ke: key len=192)
(nonce: n len=16) (DF)
10:03:13.978493 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:03:14.190000 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:03:14.194136 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 2/others R inf[E]: [encrypted hash]
10:03:23.195350 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:03:23.349470 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:03:33.355555 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:03:43.365644 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:03:43.527013 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:03:53.535933 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:04:13.556181 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:04:23.640068 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=4
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=modp1024)))) (DF)
10:04:23.641612 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=1
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))))
(vid: len=16)
10:04:23.750611 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(ke: key len=192)
(nonce: n len=16) (DF)
10:04:23.799588 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:04:24.007292 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:04:24.011374 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 2/others R inf[E]: [encrypted hash]
10:04:33.016470 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:04:34.165327 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:04:43.166506 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:04:53.176749 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:04:54.323508 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident[E]: [encrypted id] (DF)
10:05:03.327123 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:05:23.347240 195.168.24.254.isakmp > wll029.cdipraha.cz.isakmp:
isakmp: phase 1 R ident:
(ke: key len=192)
(nonce: n len=16)
(vid: len=16)
10:05:33.427309 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=4
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=modp1024)))) (DF)
10:05:43.496209 wll029.cdipraha.cz.isakmp > 195.168.24.254.isakmp:
isakmp: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=4
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=0005))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=rsa sig)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth
value=rsa sig)(type=group desc value=modp1024)))) (DF)
-----------------------------------------------------------------------------------
and here is the log output (level notify in racoon.conf)
-----------------------------------------------------------------------------------
Aug 30 09:59:15 gw racoon: INFO: main.c:172:main(): @(#)package version
freebsd-20030711a
Aug 30 09:59:15 gw racoon: INFO: main.c:174:main(): @(#)internal version
20001216 sakane at kame.net
Aug 30 09:59:15 gw racoon: INFO: main.c:175:main(): @(#)This product
linked OpenSSL 0.9.6g 9 Aug 2002 (http://www.openssl.org/)
Aug 30 09:59:15 gw racoon: INFO: isakmp.c:1358:isakmp_open():
127.0.0.1[500] used as isakmp port (fd=6)
Aug 30 09:59:15 gw racoon: INFO: isakmp.c:1358:isakmp_open():
195.168.24.254[500] used as isakmp port (fd=7)
Aug 30 09:59:15 gw racoon: INFO: isakmp.c:1358:isakmp_open():
192.168.25.1[500] used as isakmp port (fd=8)
Aug 30 09:59:42 gw racoon: INFO: isakmp.c:894:isakmp_ph1begin_r():
respond new phase 1 negotiation: 195.168.24.254[500]<=>80.95.98.29[500]
Aug 30 09:59:42 gw racoon: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin
Identity Protection mode.
Aug 30 09:59:42 gw racoon: ERROR: ipsec_doi.c:1318:get_transform(): Only
a single transform payload is allowed during phase 1 processing.
Aug 30 09:59:42 gw racoon: WARNING:
ipsec_doi.c:3091:ipsecdoi_checkid1(): ID value mismatched.
Aug 30 09:59:42 gw racoon: ERROR: oakley.c:1596:oakley_check_certid():
Invalid ID length in phase 1.
Aug 30 10:00:53 gw racoon: INFO: isakmp.c:894:isakmp_ph1begin_r():
respond new phase 1 negotiation: 195.168.24.254[500]<=>80.95.98.29[500]
Aug 30 10:00:53 gw racoon: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin
Identity Protection mode.
Aug 30 10:00:53 gw racoon: ERROR: ipsec_doi.c:1318:get_transform(): Only
a single transform payload is allowed during phase 1 processing.
Aug 30 10:00:53 gw racoon: WARNING:
ipsec_doi.c:3091:ipsecdoi_checkid1(): ID value mismatched.
Aug 30 10:00:53 gw racoon: ERROR: oakley.c:1596:oakley_check_certid():
Invalid ID length in phase 1.
Aug 30 10:01:42 gw racoon: ERROR: isakmp.c:1437:isakmp_ph1resend():
phase1 negotiation failed due to time up. 18261e773fef560a:46d2f815c36ba984
Aug 30 10:01:48 gw racoon: INFO: isakmp.c:1703:isakmp_post_acquire():
request for establishing IPsec-SA was queued due to no phase1 found.
Aug 30 10:02:03 gw racoon: INFO: isakmp.c:894:isakmp_ph1begin_r():
respond new phase 1 negotiation: 195.168.24.254[500]<=>80.95.98.29[500]
Aug 30 10:02:03 gw racoon: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin
Identity Protection mode.
Aug 30 10:02:03 gw racoon: ERROR: ipsec_doi.c:1318:get_transform(): Only
a single transform payload is allowed during phase 1 processing.
Aug 30 10:02:03 gw racoon: WARNING:
ipsec_doi.c:3091:ipsecdoi_checkid1(): ID value mismatched.
Aug 30 10:02:03 gw racoon: ERROR: oakley.c:1596:oakley_check_certid():
Invalid ID length in phase 1.
Aug 30 10:02:19 gw racoon: ERROR: isakmp.c:1776:isakmp_chkph1there():
phase2 negotiation failed due to time up waiting for phase1. ESP
80.95.98.29->195.168.24.254
Aug 30 10:02:19 gw racoon: INFO: isakmp.c:1781:isakmp_chkph1there():
delete phase 2 handler.
Aug 30 10:02:53 gw racoon: ERROR: isakmp.c:1437:isakmp_ph1resend():
phase1 negotiation failed due to time up. fada65838fd3d3a8:b257eb13905d0532
Aug 30 10:03:13 gw racoon: INFO: isakmp.c:894:isakmp_ph1begin_r():
respond new phase 1 negotiation: 195.168.24.254[500]<=>80.95.98.29[500]
Aug 30 10:03:13 gw racoon: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin
Identity Protection mode.
Aug 30 10:03:13 gw racoon: ERROR: ipsec_doi.c:1318:get_transform(): Only
a single transform payload is allowed during phase 1 processing.
Aug 30 10:03:14 gw racoon: WARNING:
ipsec_doi.c:3091:ipsecdoi_checkid1(): ID value mismatched.
Aug 30 10:03:14 gw racoon: ERROR: oakley.c:1596:oakley_check_certid():
Invalid ID length in phase 1.
Aug 30 10:04:03 gw racoon: ERROR: isakmp.c:1437:isakmp_ph1resend():
phase1 negotiation failed due to time up. 6ace4bc8481b5c86:3b306e0c406803c4
Aug 30 10:04:23 gw racoon: INFO: isakmp.c:894:isakmp_ph1begin_r():
respond new phase 1 negotiation: 195.168.24.254[500]<=>80.95.98.29[500]
Aug 30 10:04:23 gw racoon: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin
Identity Protection mode.
Aug 30 10:04:23 gw racoon: ERROR: ipsec_doi.c:1318:get_transform(): Only
a single transform payload is allowed during phase 1 processing.
Aug 30 10:04:24 gw racoon: WARNING:
ipsec_doi.c:3091:ipsecdoi_checkid1(): ID value mismatched.
Aug 30 10:04:24 gw racoon: ERROR: oakley.c:1596:oakley_check_certid():
Invalid ID length in phase 1.
Aug 30 10:05:13 gw racoon: ERROR: isakmp.c:1437:isakmp_ph1resend():
phase1 negotiation failed due to time up. 8c8c00dfd983cfc7:45c0f8fa5f8c46f8
Aug 30 10:05:25 gw racoon: INFO: session.c:299:check_sigreq(): caught
signal 15
Aug 30 10:05:26 gw racoon: INFO: session.c:180:close_session(): racoon
shutdown
robo
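
Added example (not part of the original post, and not racoon or FreeS/WAN code): a Python triage of the racoon log format shown above. It rejoins the records that the archive wrapped over two lines, groups them per phase 1 attempt, and charges each `isakmp_ph1resend` timeout to the oldest pending attempt; the FIFO attribution, the 5-second grouping window and the helper names `unwrap` and `triage` are assumptions of this example.

```python
import re
from collections import deque
from datetime import datetime

# Excerpt of the log posted above, kept with the archive's line wrapping
# (each syslog record is split over two lines).
SAMPLE_LOG = """\
Aug 30 09:59:42 gw racoon: INFO: isakmp.c:894:isakmp_ph1begin_r():
respond new phase 1 negotiation: 195.168.24.254[500]<=>80.95.98.29[500]
Aug 30 09:59:42 gw racoon: ERROR: ipsec_doi.c:1318:get_transform(): Only
a single transform payload is allowed during phase 1 processing.
Aug 30 09:59:42 gw racoon: WARNING:
ipsec_doi.c:3091:ipsecdoi_checkid1(): ID value mismatched.
Aug 30 09:59:42 gw racoon: ERROR: oakley.c:1596:oakley_check_certid():
Invalid ID length in phase 1.
Aug 30 10:00:53 gw racoon: INFO: isakmp.c:894:isakmp_ph1begin_r():
respond new phase 1 negotiation: 195.168.24.254[500]<=>80.95.98.29[500]
Aug 30 10:00:53 gw racoon: ERROR: ipsec_doi.c:1318:get_transform(): Only
a single transform payload is allowed during phase 1 processing.
Aug 30 10:00:53 gw racoon: WARNING:
ipsec_doi.c:3091:ipsecdoi_checkid1(): ID value mismatched.
Aug 30 10:00:53 gw racoon: ERROR: oakley.c:1596:oakley_check_certid():
Invalid ID length in phase 1.
Aug 30 10:01:42 gw racoon: ERROR: isakmp.c:1437:isakmp_ph1resend():
phase1 negotiation failed due to time up. 18261e773fef560a:46d2f815c36ba984
"""

START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
RECORD = re.compile(r"^(?P<ts>.{15}) \S+ racoon: (?P<level>[A-Z]+): "
                    r"\S+?:\d+:(?P<func>\w+)\(\): (?P<msg>.*)$")

def unwrap(text):
    """Join wrapped continuation lines (no syslog timestamp) to their record."""
    records = []
    for line in text.splitlines():
        if START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text, window=5):
    """One dict per phase 1 attempt: peer, problems logged, seconds to timeout."""
    attempts, pending = [], deque()
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
        func, msg = m["func"], m["msg"]
        if func == "isakmp_ph1begin_r" and msg.startswith("respond new phase 1"):
            attempts.append({"start": ts, "peer": msg.rsplit("<=>", 1)[-1],
                             "problems": [], "timeout_after": None})
            pending.append(attempts[-1])
        elif func == "isakmp_ph1resend" and "time up" in msg:
            # Assumption: record has only cookies; charge it to the oldest pending attempt.
            if pending:
                oldest = pending.popleft()
                oldest["timeout_after"] = int((ts - oldest["start"]).total_seconds())
        elif m["level"] in ("ERROR", "WARNING") and attempts:
            # Assumption: a problem within `window` s of the latest attempt belongs to it.
            if (ts - attempts[-1]["start"]).total_seconds() <= window:
                attempts[-1]["problems"].append(func)
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["start"].strftime("%H:%M:%S"), a["peer"], a["problems"], a["timeout_after"])
```

On the excerpt, both attempts stop at the same identity checks within the second they start, and the first one is reported as timed out 120 seconds after it began.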