Исходное сообщение
"Проблема c IPSec: Racoon не удается установить соединение." Отправлено Z_M, 25-Июл-06 10:55
http://www.opennet.ru/openforum/vsluhforumID10/2815.html >Вопрос к специалистам, настраивавшим IPSec под FreeBSD. >Имеется 2 узла в одной локальной сети - 10.75.99.166 и 10.75.99.167. На >обоих установлены FreeBSD 4.10 и ipsec-tools 0.6.6. Последние правда не родные >из коллекции портов, а установлены из исходных кодов (пакет взят на >sourceforge.net). Firewall не настроен (пропускает весь входящий и исходящий трафик). >Безуспешно пытаюсь настроить простейшее transport mode соединение. На обоих машинах запускаю Racoon: > > >/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log > >Затем скрипты: > >#!/bin/sh >skeycmd="/usr/sbin/setkey" > >$skeycmd -FP >$skeycmd -F > >$skeycmd -c << EOF > >spdadd 10.75.99.167/32 10.75.99.166/32 any -P out ipsec esp/transport//require; >spdadd 10.75.99.166/32 10.75.99.167/32 any -P in ipsec esp/transport//require; >EOF > >И > >#!/bin/sh >skeycmd="/usr/sbin/setkey" > >$skeycmd -FP >$skeycmd -F > >$skeycmd -c << EOF > >spdadd 10.75.99.166/32 10.75.99.167/32 any -P out ipsec esp/transport//require; >spdadd 10.75.99.167/32 10.75.99.166/32 any -P in ipsec esp/transport//require; >EOF > >на 1-й и 2-й машинах соответственно. > >Racoon.log на 1-ой машине (10.75.99.167) выдает: > >2006-07-20 09:45:00: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge >.net) >2006-07-20 09:45:00: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (h > >ttp://www.openssl.org/) >2006-07-20 09:45:00: INFO: 127.0.0.1[500] used as isakmp port (fd=5) >2006-07-20 09:45:00: INFO: fe80::1%lo0[500] used as isakmp port (fd=6) >2006-07-20 09:45:00: INFO: ::1[500] used as isakmp port (fd=7) >2006-07-20 09:45:00: INFO: 10.75.99.167[500] used as isakmp port (fd= >2006-07-20 09:45:00: INFO: fe80::230:84ff:fe0f:e5dd%rl0[500] used as isakmp port >(fd=9) > >СЛЕДУЮЩАЯ СТРОКА ПОЯВЛЯЕТСЯ ПОСЛЕ ТОГО КАК ДОБАВЛЯЮТСЯ ЗАПИСИ В SPD (С ПОМОЩЬЮ >setkey spdadd), А ОСТАЛЬНЫЕ ПОСЛЕ ПОПЫТКИ ПРОПИНГОВАТЬ ВТОРОЙ УЗЕЛ (10.75.99.166) > >2006-07-20 09:52:47: INFO: unsupported PF_KEY message REGISTER >2006-07-20 09:54:27: INFO: IPsec-SA request for 10.75.99.166 queued due to no ph > >ase1 found. >2006-07-20 09:54:27: INFO: initiate new phase 1 negotiation: 10.75.99.167[500]<= >>10.75.99.166[500] >2006-07-20 09:54:27: INFO: begin Identity Protection mode. >2006-07-20 09:54:58: ERROR: phase2 negotiation failed due to time up waiting for > >phase1. ESP 10.75.99.166[0]->10.75.99.167[0] >2006-07-20 09:54:58: INFO: delete phase 2 handler. >2006-07-20 09:55:00: INFO: request for establishing IPsec-SA was queued due to n > >o phase1 found. >2006-07-20 09:55:28: ERROR: phase1 negotiation failed due to time up. 6abcce46eb >c8ea55:0000000000000000 >2006-07-20 09:55:32: ERROR: phase2 negotiation failed due to time up waiting for > >phase1. ESP 10.75.99.166[0]->10.75.99.167[0] >2006-07-20 09:55:32: INFO: delete phase 2 handler. > >Racoon.log на 2-й машине (10.75.99.166): > >2006-07-20 09:52:01: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge >.net) >2006-07-20 09:52:01: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (h > >ttp://www.openssl.org/) >2006-07-20 09:52:01: INFO: 127.0.0.1[500] used as isakmp port (fd=5) >2006-07-20 09:52:01: INFO: fe80::1%lo0[500] used as isakmp port (fd=6) >2006-07-20 09:52:01: INFO: ::1[500] used as isakmp port (fd=7) >2006-07-20 09:52:01: INFO: 192.168.0.1[500] used as isakmp port (fd= >2006-07-20 09:52:01: INFO: fe80::230:4fff:fe08:4f85%rl1[500] used as isakmp port >(fd=9) >2006-07-20 09:52:01: INFO: 10.75.99.166[500] used as isakmp port (fd=10) >2006-07-20 09:52:01: INFO: fe80::202:44ff:fe8b:4ed3%rl0[500] used as isakmp port >(fd=11) >2006-07-20 09:52:58: INFO: unsupported PF_KEY message REGISTER > >2006-07-20 09:56:22: INFO: respond new phase 1 negotiation: 10.75.99.166[500]<=> >10.75.99.167[500] >2006-07-20 09:56:22: INFO: begin Identity Protection mode. >2006-07-20 09:56:22: INFO: request for establishing IPsec-SA was queued due to n > >o phase1 found. >2006-07-20 09:56:32: NOTIFY: the packet is retransmitted by 10.75.99.167[500]. >2006-07-20 09:56:42: NOTIFY: the packet is retransmitted by 10.75.99.167[500]. >2006-07-20 09:56:52: NOTIFY: the packet is retransmitted by 10.75.99.167[500]. >2006-07-20 09:56:53: ERROR: phase2 negotiation failed due to time up waiting for > >phase1. ESP 10.75.99.167[0]->10.75.99.166[0] >2006-07-20 09:56:53: INFO: delete phase 2 handler. >2006-07-20 09:57:03: NOTIFY: the packet is retransmitted by 10.75.99.167[500]. >2006-07-20 09:57:12: INFO: request for establishing IPsec-SA was queued due to n > >o phase1 found. >2006-07-20 09:57:13: NOTIFY: the packet is retransmitted by 10.75.99.167[500]. >2006-07-20 09:57:22: ERROR: phase1 negotiation failed due to time up. 6abcce46eb >c8ea55:4babaf5d82e8cf88 >2006-07-20 09:57:43: ERROR: phase2 negotiation failed due to time up waiting for > >phase1. ESP 10.75.99.167[0]->10.75.99.166[0] >2006-07-20 09:57:43: INFO: delete phase 2 handler. > >Racoon.conf я использую из сэмплов: > ># $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $ > ># "path" affects "include" directives. "path" must be specified before any ># "include" directive with relative file path. ># you can overwrite "path" directive afterwards, however, doing so may add > ># more confusion. >#path include "/usr/local/v6/etc" ; >#include "remote.conf" ; > ># the file should contain key ID/key pairs, for pre-shared key authentication. > > >path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; > ># racoon will look for certificate file in the directory, ># if the certificate/certificate request payload is received. >#path certificate "/usr/local/openssl/certs" ; > ># "log" specifies logging level. It is followed by either "notify", "debug" > ># or "debug2". >#log debug; > >remote anonymous >{ >#exchange_mode main,aggressive,base; >exchange_mode main,base; > >#my_identifier fqdn "server.kame.net"; >#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ; > >lifetime time 24 hour ; # sec,min,hour > >#initial_contact off ; >#passive on ; > ># phase 1 proposal (for ISAKMP SA) >proposal { >encryption_algorithm 3des; >hash_algorithm sha1; >authentication_method pre_shared_key ; >dh_group 2 ; >} > ># the configuration makes racoon (as a responder) to obey the ># initiator's lifetime and PFS group proposal. ># this makes testing so much easier. >proposal_check obey; >} > ># phase 2 proposal (for IPsec SA). ># actual phase 2 proposal will obey the following items: ># - kernel IPsec policy configuration (like "esp/transport//use) ># - permutation of the crypto/hash/compression algorithms presented below >sainfo anonymous >{ >pfs_group 2; >lifetime time 12 hour ; >encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ; >authentication_algorithm hmac_sha1, hmac_md5 ; >compression_algorithm deflate ; >} > >PSK.TXT на 1-й машине (10.75.99.167): > >10.75.99.166 Secretkey123 > >PSK.TXT на 2-й: > >10.75.99.167 Secretkey123 > >Права доступа к ним 0600. > >Всем благодарен за помощь.