racoon problem
Jan Dušátko
jan at dusatko.org
Mon Oct 4 19:39:39 CEST 2010
Hi
I'm dealing with similar issues right now. I recommend doing the following:
If you have the tunnel over a gif or gre interface, run tcpdump on those,
and a second tcpdump on the external interface.
Once you bring the tunnel up, try a ping and find out where it goes/doesn't go.
Also look at setkey, at the policy settings.
Honza
Hi all,
I have fbsd 8.1-Stable and need to set up a connection to a Cisco device on
the other side.
racoon.conf:
# the file should contain key ID/key pairs, for pre-shared key
# authentication.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
#log debug;
listen {
    isakmp 217.67.31.61 [500];
}
timer {
    phase1 60 seconds ;
    phase2 60 seconds ;
}
remote 195.80.190.60
{
    # exchange_mode main,aggressive,base;
    exchange_mode aggressive;
    doi ipsec_doi;
    situation identity_only;
    # my_identifier fqdn "192.168.8.95";
    my_identifier fqdn "217.67.31.61";
    lifetime time 24 hour ; # sec,min,hour
    initial_contact off ;
    passive on ;
    # phase 1 proposal (for ISAKMP SA)
    proposal {
        encryption_algorithm aes 256;
        # encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
    # the configuration could make racoon (as a responder)
    # obey the initiator's lifetime and PFS group proposal,
    # by setting proposal_check to obey.
    # this would make testing "so much easier", but is really
    # *not* secure !!!
    proposal_check obey;
}
#sainfo anonymous
sainfo (address 192.168.8.95/32 any address 192.168.7.95/32 any) {
    pfs_group 5;
    lifetime time 28800 sec ;
    encryption_algorithm des;
    authentication_algorithm hmac_sha1 ;
    compression_algorithm deflate ;
}
setkey.conf:
flush;
spdflush;
spdadd 192.168.7.95/32 192.168.8.95/32 any -P in ipsec esp/tunnel/195.80.190.60-217.67.31.61/require; # (or /require)
spdadd 192.168.8.95/32 192.168.7.95/32 any -P out ipsec esp/tunnel/217.67.31.61-195.80.190.60/require; # (or /require)
rc.conf:
gif_interfaces="gif0"
gifconfig_gif0="217.67.31.61 195.80.190.60"
ifconfig_gif0="192.168.8.95 192.168.7.95 netmask 255.255.255.0 up"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
when I start racoon with the config:
2010-10-04 12:35:56: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2010-10-04 12:35:56: INFO: @(#)This product linked OpenSSL 1.0.0a 1 Jun 2010 (http://www.openssl.org/)
2010-10-04 12:35:56: INFO: Reading configuration from "racoon2.conf"
2010-10-04 12:35:56: INFO: remote 195.80.190.60[500] {
2010-10-04 12:35:56: INFO: exchange_type aggressive;
2010-10-04 12:35:56: INFO: doi ipsec_doi;
2010-10-04 12:35:56: INFO: my_identifier fqdn "217.67.31.61";
2010-10-04 12:35:56: INFO: send_cert on;
2010-10-04 12:35:56: INFO: send_cr on;
2010-10-04 12:35:56: INFO: verify_cert on;
2010-10-04 12:35:56: INFO: verify_identifier off;
2010-10-04 12:35:56: INFO: nat_traversal off;
2010-10-04 12:35:56: INFO: nonce_size 16;
2010-10-04 12:35:56: INFO: passive on;
2010-10-04 12:35:56: INFO: ike_frag off;
2010-10-04 12:35:56: INFO: esp_frag 65535;
2010-10-04 12:35:56: INFO: initial_contact off;
2010-10-04 12:35:56: INFO: generate_policy off;
2010-10-04 12:35:56: INFO: support_proxy off;
2010-10-04 12:35:56: INFO:
2010-10-04 12:35:56: INFO: /* prop_no=1, trns_no=1, rmconf=195.80.190.60[500] */
2010-10-04 12:35:56: INFO: proposal {
2010-10-04 12:35:56: INFO: lifetime time 86400 sec;
2010-10-04 12:35:56: INFO: lifetime bytes 0;
2010-10-04 12:35:56: INFO: dh_group modp1024;
2010-10-04 12:35:56: INFO: encryption_algorithm aes;
2010-10-04 12:35:56: INFO: hash_algorithm sha1;
2010-10-04 12:35:56: INFO: authentication_method pre_shared_key;
2010-10-04 12:35:56: INFO: }
2010-10-04 12:35:56: INFO: }
2010-10-04 12:35:56: INFO:
2010-10-04 12:35:56: INFO: 217.67.31.61[500] used as isakmp port (fd=6)
2010-10-04 12:35:56: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
^ that warning, I don't know whether it is anything serious..
I connect the VPN
racoonctl vc 195.80.190.60
2010-10-04 12:36:36: INFO: accept a request to establish IKE-SA: 195.80.190.60
2010-10-04 12:36:36: INFO: initiate new phase 1 negotiation: 217.67.31.61[500]<=>195.80.190.60[500]
2010-10-04 12:36:36: INFO: begin Aggressive mode.
2010-10-04 12:36:36: INFO: received Vendor ID: CISCO-UNITY
2010-10-04 12:36:36: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2010-10-04 12:36:36: INFO: received Vendor ID: DPD
2010-10-04 12:36:36: INFO: received broken Microsoft ID: FRAGMENTATION
2010-10-04 12:36:36: WARNING: port 500 expected, but 0
2010-10-04 12:36:36: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
2010-10-04 12:36:36: INFO: ISAKMP-SA established 217.67.31.61[500]-195.80.190.60[500] spi:c965effcc3c71c8d:b6707de2d30471a4
the isakmp connection is established but the ipsec encryption doesn't work... and I don't know why
does anyone see some error there why it shouldn't work?
--
------------------------------
Regards
Robert Popelka (jimy)
mail : jimy at kick.sk
mob. : +421 (0) 915 770 987
msn : jimy at kick.sk
jabber : jimy at kick.sk
icq : 120614660
www : http://www.kick.sk/
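The reply suggests looking at setkey and the policy settings; as an added example (not code from either poster), here is a small Python checker over the selectors copied from the posted setkey.conf and racoon.conf. It verifies that each SPD entry's tunnel endpoints match the IKE listen/remote addresses, that every policy has a mirror in the other direction, and that each outbound policy is covered by a sainfo selector, since racoon only starts phase 2 for a kernel acquire when a sainfo matches; the IKE addresses and the sainfo tuple are copied from the post, and the broken variants used for testing are constructed.

```python
import ipaddress
import re

# Constructed copy of the selectors from the posted setkey.conf (one spdadd per line).
SETKEY_CONF = """
flush;
spdflush;
spdadd 192.168.7.95/32 192.168.8.95/32 any -P in ipsec esp/tunnel/195.80.190.60-217.67.31.61/require;
spdadd 192.168.8.95/32 192.168.7.95/32 any -P out ipsec esp/tunnel/217.67.31.61-195.80.190.60/require;
"""
LOCAL_IKE, REMOTE_IKE = "217.67.31.61", "195.80.190.60"   # listen isakmp / remote in racoon.conf
SAINFO = [("192.168.8.95/32", "any", "192.168.7.95/32", "any")]  # local net, proto, remote net, proto

SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([0-9.]+)-([0-9.]+)/(\w+)\s*;")

def parse_spd(text):
    """Return one dict per spdadd line (only the tunnel-mode ESP form used in the post)."""
    keys = ("src", "dst", "proto", "dir", "tsrc", "tdst", "level")
    return [dict(zip(keys, m.groups())) for m in SPD_RE.finditer(text)]

def covered_by_sainfo(pol, sainfo):
    """True if some sainfo (local, proto, remote, proto) covers this outbound selector."""
    src, dst = ipaddress.ip_network(pol["src"]), ipaddress.ip_network(pol["dst"])
    return any(
        src.subnet_of(ipaddress.ip_network(lnet)) and dst.subnet_of(ipaddress.ip_network(rnet))
        and lp in ("any", pol["proto"]) and rp in ("any", pol["proto"])
        for lnet, lp, rnet, rp in sainfo)

def check_policies(text, local_ike=LOCAL_IKE, remote_ike=REMOTE_IKE, sainfo=SAINFO):
    """Cross-check SPD entries against the IKE endpoints and racoon's sainfo selectors."""
    pols, findings = parse_spd(text), []
    for p in pols:
        # outbound tunnels run local->remote, inbound ones remote->local
        want = (local_ike, remote_ike) if p["dir"] == "out" else (remote_ike, local_ike)
        if (p["tsrc"], p["tdst"]) != want:
            findings.append(f"{p['dir']} policy tunnel endpoints {p['tsrc']}-{p['tdst']} "
                            f"do not match IKE peers {want[0]}-{want[1]}")
        # each policy needs its mirror image in the other direction
        if not any(q["dir"] != p["dir"] and (q["src"], q["dst"], q["proto"]) ==
                   (p["dst"], p["src"], p["proto"]) for q in pols):
            findings.append(f"{p['dir']} policy {p['src']}->{p['dst']} has no mirrored policy")
        # racoon answers the kernel's acquire only if a sainfo covers the selector
        if p["dir"] == "out" and not covered_by_sainfo(p, sainfo):
            findings.append(f"out policy {p['src']}->{p['dst']} is not covered by any sainfo")
    return findings

if __name__ == "__main__":
    for line in check_policies(SETKEY_CONF) or ["no inconsistencies found"]:
        print(line)
```

An empty result means the posted policies and sainfo agree with each other, so the next step from the reply (tcpdump on gif0 and on the external interface during a ping) is where to look for why no phase 2 follows.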