IPSec
Radek Tománek
rtomanek at epark.cz
Thu Sep 23 08:19:55 CEST 2010
Hi,
I don't have it running under FreeBSD, but I get similar messages in the log when
the link quality fluctuates: the tunnel goes down and won't reconnect, which is accompanied by
messages like "no policy found", "droping packet", etc.
RaT
Dušátko Jan writes on Wed 22 Sep 2010 at 15:24 +0200:
> Hello,
> I have a problem configuring IPSec under FreeBSD 8.1/amd64.
> At the moment, in debug mode, after some time it keeps returning the same message:
>
> ERROR: no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=in
> ERROR: failed to get proposal for responder.
> ERROR: failed to pre-process packet.
>
> Does anyone have any ideas?
>
> Honza
>
> In the configuration script I have:
>
> racoon.conf:
> ------------
> path include "/usr/local/etc/racoon";
> path pre_shared_key "/usr/local/etc/racoon/psk.txt";
> path certificate "/usr/local/etc/racoon/cert";
> path script "/usr/local/etc/racoon";
> log debug2;
>
> padding
> {
>         maximum_length 20;
>         randomize off;
>         strict_check off;
>         exclusive_tail off;
> }
>
> timer
> {
>         counter 5;
>         interval 20 sec;
>         persend 1;
>         natt_keepalive 15 sec;
>         phase1 28800 sec;
>         phase2 1800 sec;
> }
>
> listen
> {
>         adminsock "/var/run/racoon.sock";
> }
>
> # Phase 1 (IKE) settings for the peer e.f.g.h
> remote e.f.g.h [500]
> {
>         exchange_mode main,aggressive;
>         nonce_size 16;
>         initial_contact on;
>         doi ipsec_doi;
>         situation identity_only;
>         my_identifier address a.b.c.d;
>         peers_identifier address e.f.g.h;
>         passive off;
>         verify_identifier off;
>         proposal_check obey;
>         generate_policy off;
>         ike_frag on;
>         proposal {
>                 encryption_algorithm aes;
>                 hash_algorithm sha1;
>                 authentication_method pre_shared_key;
>                 dh_group 2;
>         }
> }
>
> # Phase 2 (IPsec SA) parameters; the address selectors are matched against the SPD from setkey.conf
> sainfo (address x.y.z.w/24 any address x.y.z.w/24 any)
> {
>         # pfs_group 1;
>         encryption_algorithm aes;
>         authentication_algorithm hmac_sha1;
>         compression_algorithm deflate;
> }
>
> setkey.conf:
> ------------
> #!/sbin/setkey -f
> flush;
> spdflush;
> # To the home network
> # outbound: ESP tunnel from a.b.c.d to e.f.g.h
> spdadd x.y.z.w/24 x.y.z.w/24 any -P out ipsec esp/tunnel/a.b.c.d-e.f.g.h/use;
> # inbound: ESP tunnel from e.f.g.h to a.b.c.d
> spdadd x.y.z.w/24 x.y.z.w/24 any -P in ipsec esp/tunnel/e.f.g.h-a.b.c.d/use;
>
>
>
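The line "no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=in" is what racoon logs as responder when the phase-2 selectors proposed by the peer do not fall within any SPD entry and generate_policy is off; the selectors in that message are any-to-any, which no /24 spdadd entry can cover. The script below is an added example, not code from this thread or from racoon: it parses spdadd lines in setkey(8) syntax and racoon's error line, then checks whether the proposed pair is covered. The addresses are constructed documentation ranges standing in for the x.y.z.w, a.b.c.d and e.f.g.h placeholders, and the containment-plus-direction matching is an assumed simplification of racoon's own SPD lookup, not a copy of it.

```python
import ipaddress
import re

# Constructed setkey(8) policy file (documentation ranges, not the thread's
# real networks): 192.0.2.0/24 is the local LAN, 198.51.100.0/24 the remote
# LAN, 203.0.113.1 / 203.0.113.2 the tunnel endpoints.
SETKEY_CONF = """\
#!/sbin/setkey -f
flush;
spdflush;
spdadd 192.0.2.0/24 198.51.100.0/24 any -P out ipsec esp/tunnel/203.0.113.1-203.0.113.2/use;
spdadd 198.51.100.0/24 192.0.2.0/24 any -P in ipsec esp/tunnel/203.0.113.2-203.0.113.1/use;
"""

# The error line as it appeared in the thread.
RACOON_ERROR = "ERROR: no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=in"

SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+(.+?)\s*;$")
NO_POLICY_RE = re.compile(
    r"no policy found:\s+(\S+)\[\d+\]\s+(\S+)\[\d+\]\s+proto=(\S+)\s+dir=(in|out|fwd)")


def parse_spd(text):
    """Parse 'spdadd SRC DST PROTO -P DIR POLICY;' lines into dicts.
    Other setkey statements (flush, spdflush, add ...) are ignored."""
    entries = []
    for raw in text.splitlines():
        m = SPDADD_RE.match(raw.strip())
        if not m:
            continue
        src, dst, proto, direction, policy = m.groups()
        entries.append({
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "proto": proto,
            "dir": direction,
            "policy": policy,
        })
    return entries


def parse_no_policy(line):
    """Extract (src, dst, proto, dir) from racoon's 'no policy found' line.
    The [port] fields are dropped; matching here is address-based only."""
    m = NO_POLICY_RE.search(line)
    if not m:
        return None
    src, dst, proto, direction = m.groups()
    return (ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False), proto, direction)


def find_policy(entries, src, dst, proto, direction):
    """Return the first SPD entry covering the selector pair, or None.
    Simplified lookup (an assumption, not racoon's exact algorithm): same
    direction, protocol 'any' or equal, and both proposed prefixes contained
    in the entry's prefixes.  A 0.0.0.0/0 proposal is therefore only covered
    by a 0.0.0.0/0 entry."""
    for e in entries:
        if e["dir"] != direction:
            continue
        if e["proto"] != "any" and e["proto"] != proto:
            continue
        if src.version != e["src"].version or dst.version != e["dst"].version:
            continue
        if src.subnet_of(e["src"]) and dst.subnet_of(e["dst"]):
            return e
    return None


def explain(conf_text, error_line):
    """Return a one-line verdict for a racoon error line against the SPD."""
    sel = parse_no_policy(error_line)
    if sel is None:
        return "not a 'no policy found' line"
    entry = find_policy(parse_spd(conf_text), *sel)
    if entry is None:
        return ("peer proposed %s -> %s dir=%s; no spdadd entry covers it "
                "(widen the SPD, fix the peer's phase-2 selectors, or let "
                "racoon install one with generate_policy on)" %
                (sel[0], sel[1], sel[3]))
    return "covered by: spdadd %s %s %s -P %s %s" % (
        entry["src"], entry["dst"], entry["proto"], entry["dir"], entry["policy"])


if __name__ == "__main__":
    print(explain(SETKEY_CONF, RACOON_ERROR))
    # A selector pair that does fall inside the inbound entry:
    print(explain(SETKEY_CONF,
                  "ERROR: no policy found: 198.51.100.7/32[0] 192.0.2.9/32[0] proto=any dir=in"))
```

Run against the thread's error line the script reports that nothing covers 0.0.0.0/0 -> 0.0.0.0/0, which is the same conclusion racoon reached; pointing it at a host pair inside the /24s shows which spdadd entry would have matched. On a live box the same check can be made against the kernel's view of the SPD with setkey -DP rather than the config file.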