IPSec

Dušátko Jan jan at dusatko.org
Wed Sep 22 15:24:32 CEST 2010


Hi,
I have a problem configuring IPSec on FreeBSD 8.1/amd64.
At the moment, in debug mode, after a while it keeps returning the same information:

ERROR: no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=in
ERROR: failed to get proposal for responder.
ERROR: failed to pre-process packet.

Does anyone have any ideas?

Honza

In the configuration scripts I have the following:

racoon.conf:
------------
path    include "/usr/local/etc/racoon" ;
path    pre_shared_key "/usr/local/etc/racoon/psk.txt";
path    certificate "/usr/local/etc/racoon/cert" ;
path    script "/usr/local/etc/racoon" ;
log     debug2;

padding
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer
{
        counter         5;
        interval        20 sec;
        persend         1;
        natt_keepalive  15 sec;
        phase1          28800 sec;
        phase2          1800 sec;
}

listen
{
        adminsock       "/var/run/racoon.sock";
}

remote  e.f.g.h [500]
{
        exchange_mode           main,aggressive;
        nonce_size              16;
        initial_contact         on;
        doi                     ipsec_doi;
        situation               identity_only;
        my_identifier           address a.b.c.d;
        peers_identifier        address e.f.g.h;
        passive                 off;
        verify_identifier       off;
        proposal_check          obey;
        generate_policy         off;
        ike_frag                on;
        proposal {
                encryption_algorithm    aes;
                hash_algorithm          sha1;
                authentication_method   pre_shared_key;
                dh_group                2;
        }
}

sainfo  (address x.y.z.w/24 any address x.y.z.w/24 any)
{
#        pfs_group                      1;
        encryption_algorithm            aes;
        authentication_algorithm        hmac_sha1;
        compression_algorithm           deflate;
}

setkey.conf:
------------
#!/sbin/setkey -f
flush;
spdflush;
# To the home network
spdadd x.y.z.w/24 x.y.z.w/24 any -P out ipsec esp/tunnel/a.b.c.d-e.f.g.h/use;
spdadd x.y.z.w/24 x.y.z.w/24 any -P in ipsec esp/tunnel/e.f.g.h-a.b.c.d/use;
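As an added example (not from Honza's post and not code from racoon or ipsec-tools), the following Python script compares the selectors racoon prints in a "no policy found" line with the entries of a `setkey -DP` dump. The error line names the source and destination selectors, protocol and direction that the responder tried to look up; the script reports whether the local SPD has an entry for exactly those selectors, an entry that only covers them, or nothing at all. The SPD dump and the addresses 10.1.0.0/24, 192.0.2.1 and 198.51.100.1 are constructed stand-ins for x.y.z.w/24, a.b.c.d and e.f.g.h from the setkey.conf above; in practice you would feed it the real output of `setkey -DP` and the real log line.

```python
#!/usr/bin/env python3
"""Compare a racoon "no policy found" error with a `setkey -DP` SPD dump.

Added example, not from the post or from ipsec-tools.  The error line lists
the selectors the peer proposed in quick mode; this tells you whether the
local SPD holds an entry for exactly those selectors, or only a wider one.
All inputs below are constructed.
"""
import ipaddress
import re

# Shape of the line: "ERROR: no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=in"
ERROR_RE = re.compile(
    r"no policy found: (?P<src>\S+)\[(?P<sport>\d+)\] (?P<dst>\S+)\[(?P<dport>\d+)\]"
    r" proto=(?P<proto>\S+) dir=(?P<dir>\S+)"
)
# First line of one SPD entry in `setkey -DP` output: "src[port] dst[port] proto"
SPD_HEADER_RE = re.compile(
    r"^(?P<src>\S+)\[(?P<sport>\S+)\] (?P<dst>\S+)\[(?P<dport>\S+)\] (?P<proto>\S+)$"
)
# Second, indented line: "in|out|fwd ipsec|discard|none"
SPD_DIR_RE = re.compile(r"^\s+(?P<dir>in|out|fwd) (?P<action>\S+)$")

# Constructed inputs.  The dump mirrors the post's setkey.conf with 10.1.0.0/24
# for x.y.z.w/24, 192.0.2.1 for a.b.c.d and 198.51.100.1 for e.f.g.h.
RACOON_ERROR = "ERROR: no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=in"
SPD_DUMP = """\
10.1.0.0/24[any] 10.1.0.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/use
    spid=2 seq=1 pid=1234
    refcnt=1
10.1.0.0/24[any] 10.1.0.0/24[any] any
    out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/use
    spid=1 seq=0 pid=1234
    refcnt=1
"""


def _port(text):
    """racoon prints 'any port' as [0], setkey as [any]; normalise both."""
    return "any" if text in ("0", "any") else text


def parse_racoon_error(line):
    """Extract the proposed selectors from a 'no policy found' log line."""
    m = ERROR_RE.search(line)
    if m is None:
        raise ValueError("not a 'no policy found' line: %r" % line)
    return {
        "src": ipaddress.ip_network(m["src"], strict=False),
        "dst": ipaddress.ip_network(m["dst"], strict=False),
        "sport": _port(m["sport"]), "dport": _port(m["dport"]),
        "proto": m["proto"], "dir": m["dir"],
    }


def parse_spd_dump(text):
    """Return one dict per SPD entry: selectors, direction and action."""
    entries, current = [], None
    for line in text.splitlines():
        h = SPD_HEADER_RE.match(line)
        if h:
            current = {
                "src": ipaddress.ip_network(h["src"], strict=False),
                "dst": ipaddress.ip_network(h["dst"], strict=False),
                "sport": _port(h["sport"]), "dport": _port(h["dport"]),
                "proto": h["proto"], "dir": None, "action": None,
            }
            entries.append(current)
            continue
        d = SPD_DIR_RE.match(line)
        if d and current is not None:
            current["dir"], current["action"] = d["dir"], d["action"]
    return entries


def find_policies(sel, entries):
    """Split 'ipsec' SPD entries into exact matches and ones that merely cover sel."""
    exact, covering = [], []
    for e in entries:
        if e["dir"] != sel["dir"] or e["action"] != "ipsec":
            continue
        same_ports = (e["sport"], e["dport"]) == (sel["sport"], sel["dport"])
        if same_ports and (e["src"], e["dst"], e["proto"]) == (sel["src"], sel["dst"], sel["proto"]):
            exact.append(e)
        elif (e["proto"] in ("any", sel["proto"])
              and e["src"].version == sel["src"].version
              and sel["src"].subnet_of(e["src"]) and sel["dst"].subnet_of(e["dst"])):
            covering.append(e)
    return exact, covering


def diagnose(error_line, spd_dump):
    """Return counts of exact/covering SPD entries for the selectors in the error."""
    sel = parse_racoon_error(error_line)
    exact, covering = find_policies(sel, parse_spd_dump(spd_dump))
    if exact:
        verdict = "exact SPD entry exists for the proposed selectors"
    elif covering:
        verdict = "SPD only has a wider entry than the peer proposed; selectors differ"
    else:
        verdict = "no SPD entry for dir=%s %s -> %s; the peer proposes selectors you never added" % (
            sel["dir"], sel["src"], sel["dst"])
    return {"selector": sel, "exact": len(exact), "covering": len(covering), "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(RACOON_ERROR, SPD_DUMP)["verdict"])
    for e in parse_spd_dump(SPD_DUMP):
        print("  SPD has: dir=%s %s -> %s proto=%s" % (e["dir"], e["src"], e["dst"], e["proto"]))
```

Run against the constructed dump, the post's error line yields no exact and no covering entry: the SPD only knows x.y.z.w/24 <-> x.y.z.w/24, while the peer is proposing 0.0.0.0/0 on both sides, so the two ends of the tunnel disagree about what traffic the phase 2 SA is for. The next thing to compare is therefore the peer's phase 2 selectors with the spdadd lines on this host.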