IPSEC tunnel FreeBSD Freeswan (long)

Josef Dvorak pepadvorak at volny.cz
Thu May 27 15:12:36 CEST 2004


Hello,
I am trying to get an IPSec tunnel working between FreeBSD and Linux (freeswan).
Note that a BSD-BSD tunnel works for me without problems. I am probably making
some elementary blunder. The logs are included below.
The network is a classic layout:
A.B.C.D/24   E.F.G.H/32          I.J.K.L/32   M.N.O.P/24
---------LINUX-----------net------------FREEBSD----

The BSD side looks as follows:
- policy.conf
spdadd A.B.C.D/24 M.N.O.P/24 any -P in ipsec
esp/tunnel/E.F.G.H-I.J.K.L/require;
spdadd M.N.O.P/24 A.B.C.D/24 any -P out ipsec
esp/tunnel/I.J.K.L-E.F.G.H/require;
- racoon.conf
remote E.F.G.H
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        lifetime time 28800 sec;        # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
- psk.txt
E.F.G.H heslo

Linux side (Freeswan)
- ipsec.conf
conn cz-sk
        auto=add
        type=tunnel
        authby=secret
        left=E.F.G.H
        leftsubnet=A.B.C.D/24
        right=I.J.K.L
        rightsubnet=M.N.O.P/24
        spi=0x200
- ipsec.secrets
E.F.G.H I.J.K.L: PSK "heslo"

On BSD I now start racoon with:
setkey -FP
setkey -F
setkey -f /usr/local/etc/racoon/policy.conf
/usr/local/sbin/racoon -F -v -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log

On Linux, with IPSec running (I should add that on the same Linux box a tunnel
to another Linux box works):
ipsec auto --up cz-sk
It prints:
104 "cz-sk" #12: STATE_MAIN_I1: initiate
003 "cz-sk" #12: ignoring Vendor ID payload
106 "cz-sk" #12: STATE_MAIN_I2: sent MI2, expecting MR2
003 "cz-sk" #12: ignoring Vendor ID payload
108 "cz-sk" #12: STATE_MAIN_I3: sent MI3, expecting MR3
004 "cz-sk" #12: STATE_MAIN_I4: ISAKMP SA established
112 "cz-sk" #13: STATE_QUICK_I1: initiate
010 "cz-sk" #13: STATE_QUICK_I1: retransmission; will wait 20s for response

and on BSD it logs:
2004-05-27 15:05:11: INFO: isakmp.c:1368:isakmp_open():
fe80::201:2ff:fea0:395d%xl0[500] used as isakmp port (fd=9)
2004-05-27 15:05:11: INFO: isakmp.c:1368:isakmp_open(): 192.168.48.201[500]
used as isakmp port (fd=10)
2004-05-27 15:05:15: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new
phase 1 negotiation: 217.118.110.74[500]<=>195.122.223.34[500]
2004-05-27 15:05:15: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Identity
Protection mode.
2004-05-27 15:05:16: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA
established I.J.K.L[500]-E.F.G.H[500] spi:1a9e4852114db962:2697f297b45a33bc
2004-05-27 15:05:16: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new
phase 2 negotiation: I.J.K.L[0]<=>E.F.G.H[0]
2004-05-27 15:05:16: ERROR: ipsec_doi.c:1001:get_ph2approvalx(): not matched
2004-05-27 15:05:16: ERROR: ipsec_doi.c:966:get_ph2approval(): no suitable
policy found.
2004-05-27 15:05:16: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to
pre-process packet.

I do understand the message "no suitable policy found", but I don't know why it
can't find the policy when I loaded it there with spdadd. See: setkey -PD
A.B.C.D/24[any] M.N.O.P/24[any] any
        in ipsec
        esp/tunnel/E.F.G.G-I.J.K.L/require
        created: May 27 15:05:11 2004  lastused: May 27 15:05:11 2004
        lifetime: 0(s) validtime: 0(s)
        spid=16692 seq=1 pid=1720
        refcnt=1
M.N.O.P/24[any] A.B.C.D/24[any] any
        out ipsec
        esp/tunnel/I.J.K.L-E.F.G.H/require
        created: May 27 15:05:11 2004  lastused: May 27 15:08:25 2004
        lifetime: 0(s) validtime: 0(s)
        spid=16693 seq=0 pid=1720
        refcnt=1


For completeness:
FreeBSD 5.2.1
Freeswan 1.99 with X509


Thanks for any kick in the right direction

Josef Dvorak
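Added example, not part of the post: a Python check that parses a `setkey -PD` dump and the FreeSWAN conn and reports SPD entries whose selectors or tunnel endpoints differ from what the responder will be asked to approve, which is the lookup racoon's phase-2 `get_ph2approval()` performs before it can report "no suitable policy found" (that description of racoon's behaviour is an assumption, not something the post states). The addresses are the post's own placeholders; run on the post's dump it flags the inbound policy's tunnel source, spelled E.F.G.G there while the peer is E.F.G.H, without settling whether that slip is in policy.conf or only in the anonymised paste.

```python
import re

# Constructed sample: the setkey -PD dump quoted in the post (placeholder
# addresses as posted), trimmed to the lines the check needs.
SETKEY_PD = """\
A.B.C.D/24[any] M.N.O.P/24[any] any
        in ipsec
        esp/tunnel/E.F.G.G-I.J.K.L/require
        created: May 27 15:05:11 2004  lastused: May 27 15:05:11 2004
M.N.O.P/24[any] A.B.C.D/24[any] any
        out ipsec
        esp/tunnel/I.J.K.L-E.F.G.H/require
        created: May 27 15:05:11 2004  lastused: May 27 15:08:25 2004
"""

# The FreeSWAN conn from the post: left = Linux gateway, right = FreeBSD gateway.
CONN = {"left": "E.F.G.H", "leftsubnet": "A.B.C.D/24",
        "right": "I.J.K.L", "rightsubnet": "M.N.O.P/24"}

def parse_spd(dump):
    """Map (src_selector, dst_selector, direction) -> (tunnel_src, tunnel_dst)."""
    policies, lines = {}, [l.strip() for l in dump.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = re.match(r"(\S+)\[any\] (\S+)\[any\] any$", line)
        if not m:
            continue  # attribute lines (created:, lifetime:, ...) are skipped
        direction = lines[i + 1].split()[0]
        t = re.match(r"esp/tunnel/(\S+)-(\S+)/require", lines[i + 2])
        policies[(m.group(1), m.group(2), direction)] = (t.group(1), t.group(2))
    return policies

def expected_policies(conn):
    """SPD entries the FreeBSD ('right') responder needs to approve phase 2."""
    return {
        (conn["leftsubnet"], conn["rightsubnet"], "in"): (conn["left"], conn["right"]),
        (conn["rightsubnet"], conn["leftsubnet"], "out"): (conn["right"], conn["left"]),
    }

def check(conn, dump):
    """Return mismatch descriptions; an empty list means every entry lines up."""
    have, problems = parse_spd(dump), []
    for (src, dst, direction), want in expected_policies(conn).items():
        got = have.get((src, dst, direction))
        if got is None:
            problems.append(f"missing {direction} policy {src} -> {dst}")
        elif got != want:
            problems.append(f"{direction} policy {src} -> {dst}: tunnel "
                            f"{got[0]}-{got[1]}, expected {want[0]}-{want[1]}")
    return problems

if __name__ == "__main__":
    print("\n".join(check(CONN, SETKEY_PD)) or "SPD matches conn")
```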