IPSec

[Radek Tománek]

Ahoj,
nemám to sice rozjetý pod FreeBSD, ale podobný hlášky mám v logu, když
kolísá kvalita linky - tunel spadne a už se nespojí, což je doprovázeno
hláškami "no policy found", "droping packet" apod. 



RaT


Dušátko Jan píše v St 22. 09. 2010 v 15:24 +0200:
> Zdravim,
> mam problem s konfiguraci IPSec pod FreeBSD 8.1/amd64.
> V soucasnosti mi vraci v debug modu po nejake dobe stale stejnou informaci:
> 
> ERROR: no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=in
> ERROR: failed to get proposal for responder.
> ERROR: failed to pre-process packet.
> 
> Napada vas nekoho neco?
> 
> Honza
> 
> V konfiguracnim scriptu mam uvedeno:
> 
> racoon.conf:
> ------------
> path    include "/usr/local/etc/racoon" ;
> path    pre_shared_key "/usr/local/etc/racoon/psk.txt";
> path    certificate "/usr/local/etc/racoon/cert" ;
> path    script "/usr/local/etc/racoon" ;
> log     debug2;
> 
> padding
> {
>         maximum_length  20;
>         randomize       off;
>         strict_check    off;
>         exclusive_tail  off;
> }
> 
> timer
> {
>         counter         5;
>         interval        20 sec;
>         persend         1;
>         natt_keepalive  15 sec;
>         phase1          28800 sec;
>         phase2          1800 sec;
> }
> 
> listen
> {
>         adminsock       "/var/run/racoon.sock";
> }
> 
> remote  e.f.g.h [500]
> {
>         exchange_mode           main,aggressive;
>         nonce_size              16;
>         initial_contact         on;
>         doi                     ipsec_doi;
>         situation               identity_only;
>         my_identifier           address a.b.c.d;
>         peers_identifier        address e.f.g.h;
>         passive                 off;
>         verify_identifier       off;
>         proposal_check          obey;
>         generate_policy         off;
>         ike_frag                on;
>                         proposal {
>                                 encryption_algorithm    aes;
>                                 hash_algorithm          sha1;
>                                 authentication_method   pre_shared_key;
>                                 dh_group                2;
>                         }
> }
> 
> sainfo  (address x.y.z.w/24 any address x.y.z.w/24 any)
> {
> #        pfs_group                      1;
>         encryption_algorithm            aes ;
>         authentication_algorithm        hmac_sha1;
>         compression_algorithm           deflate;
> }
> 
> setkey.conf:
> ------------
> #!/sbin/setkey -f
> flush;
> spdflush;
> # To the home network
> spdadd x.y.z.w/24 x.y.z.w/24 any -P out ipsec
> esp/tunnel/a.b.c.d-e.f.g.h/use;
> spdadd x.y.z.w/24 x.y.z.w/24 any -P in ipsec esp/tunnel/e.f.g.h-a.b.c.d/use;
> 
> 
>