forum.opennet.ru

Составление сообщения

Исходное сообщение

"IPSec + Racoon на FreeBSD, всё наоборот..."
Отправлено Bani, 29-Сен-06 07:52

Привет народ, вот начал ставить тунель на Фри-хах, версия 6.0, траблы такие что сам врубиться немогу...
Настройки на обоих машинах одинаковые. Что делать???
rc.conf-----------------------------------------------------------------------
defaultrouter="10.220.138.1"
gateway_enable="YES"
hostname="router.vostok.tj"
ifconfig_sis0="inet 10.220.138.220  netmask 255.255.255.0"
ifconfig_xl0="inet 192.168.10.110  netmask 255.255.255.0"
linux_enable="YES"
usbd_enable="NO"
firewall_enable="YES"
firewall_type="OPEN"
firewall_logging="YES"
natd_enable="YES"
natd_interface="sis0"
sshd_enable="YES"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
gif_interfaces="gif0"
gifconfig_gif0="10.220.138.220 10.220.138.221"
ifconfig_gif0="inet 192.168.10.110 192.168.2.110 netmask 255.255.255.0"
static_route="vpn"
route_vpn="192.168.2.0/24 192.168.2.110"
export route_vpn
#IPsec
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
named_enable="YES"
IPSec.conf---------------------------------------------------------------------
Машина 1 (10.220.138.220-внеш, 192.168.10.110)
flush;
spdflush;
spdadd 192.168.10.0/24 192.168.2.0/24 ipencap -P in ipsec
  esp/tunnel/10.220.138.220-10.220.138.221/require;
spdadd 192.168.2.0/24 192.168.10.0/24 ipencap -P out ipsec
  esp/tunnel/10.220.138.221-10.220.138.220/require;
Машина 2 (10.220.138.221-внеш, 192.168.2.110)
flush;
spdflush;
spdadd 192.168.2.0/24 192.168.10.0/24 any -P in ipsec
esp/tunnel/10.220.138.221-10.220.138.220/require;
spdadd 192.168.10.0/24 192.168.2.0/24 any -P out ipsec
esp/tunnel/10.220.138.220-10.220.138.221/require;
Вот тут то и оно... по теории в этих правилах In должен стоять вместо Out, но когда ставлю наоборот ничего не ходит, уже перепробовал кучу конфигов один чёрт...
Racoon.conf-------------------------------------------------------------------------
       # search this file for pre_shared_key with various ID key.
        path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
        # "log" specifies logging level.  It is followed by either "notify", "debug"
        # or "debug2".
        log notify;
        # if no listen directive is specified, racoon will listen to all
        # available interface addresses.
        listen
        {
                isakmp 10.220.138.221 [500];
        }
        # Specification of default various timer.
        timer
        {
                # These value can be changed per remote node.
                counter 5;              # maximum trying count to send.
                interval 20 sec;        # maximum interval to resend.
                persend 1;              # the number of packets per a send.
                # timer for waiting to complete each phase.
                phase1 60 sec;
                phase2 60 sec;
        }
        remote anonymous
        {
            exchange_mode main;
            lifetime time 600 sec;
            proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
            }
        }
        sainfo anonymous
        {
                lifetime time 600 sec;
               encryption_algorithm 3des;
                authentication_algorithm hmac_md5;
                compression_algorithm deflate ;
        }
Что бы там нибыло ракуун ничего не криптует, вот лог...
2006-09-28 18:54:26: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-09-28 18:54:26: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2006-09-28 18:54:27: INFO: 10.220.138.220[500] used as isakmp port (fd=6)
2006-09-28 18:58:20: INFO: caught signal 15
2006-09-28 18:58:21: INFO: racoon shutdown
2006-09-28 18:59:29: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-09-28 18:59:29: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2006-09-28 18:59:29: INFO: 10.220.138.220[500] used as isakmp port (fd=6)
2006-09-28 19:03:40: INFO: unsupported PF_KEY message REGISTER
2006-09-28 19:04:34: INFO: caught signal 15
2006-09-28 19:04:35: INFO: racoon shutdown
2006-09-28 19:05:34: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-09-28 19:05:34: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2006-09-28 19:05:34: INFO: 10.220.138.220[500] used as isakmp port (fd=6)
2006-09-28 19:13:12: INFO: caught signal 15
2006-09-28 19:13:13: INFO: racoon shutdown
2006-09-28 19:14:10: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-09-28 19:14:10: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2006-09-28 19:14:11: INFO: 10.220.138.220[500] used as isakmp port (fd=6)
2006-09-28 19:21:39: INFO: caught signal 15
2006-09-28 19:21:40: INFO: racoon shutdown
2006-09-28 19:22:38: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-09-28 19:22:39: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2006-09-28 19:22:39: INFO: 10.220.138.220[500] used as isakmp port (fd=6)
2006-09-28 19:26:17: INFO: caught signal 15
2006-09-28 19:26:18: INFO: racoon shutdown
2006-09-28 19:27:22: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-09-28 19:27:22: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2006-09-28 19:27:22: INFO: 10.220.138.220[500] used as isakmp port (fd=6)
2006-09-28 19:29:29: INFO: caught signal 15
2006-09-28 19:29:30: INFO: racoon shutdown
2006-09-28 19:30:30: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-09-28 19:30:30: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2006-09-28 19:30:30: INFO: 10.220.138.220[500] used as isakmp port (fd=6)

Исходное сообщение
"IPSec + Racoon на FreeBSD, всё наоборот..." Отправлено Bani, 29-Сен-06 07:52
Привет народ, вот начал ставить тунель на Фри-хах, версия 6.0, траблы такие что сам врубиться немогу... Настройки на обоих машинах одинаковые. Что делать??? rc.conf----------------------------------------------------------------------- defaultrouter="10.220.138.1" gateway_enable="YES" hostname="router.vostok.tj" ifconfig_sis0="inet 10.220.138.220 netmask 255.255.255.0" ifconfig_xl0="inet 192.168.10.110 netmask 255.255.255.0" linux_enable="YES" usbd_enable="NO" firewall_enable="YES" firewall_type="OPEN" firewall_logging="YES" natd_enable="YES" natd_interface="sis0" sshd_enable="YES" racoon_enable="YES" racoon_flags="-l /var/log/racoon.log" gif_interfaces="gif0" gifconfig_gif0="10.220.138.220 10.220.138.221" ifconfig_gif0="inet 192.168.10.110 192.168.2.110 netmask 255.255.255.0" static_route="vpn" route_vpn="192.168.2.0/24 192.168.2.110" export route_vpn #IPsec ipsec_enable="YES" ipsec_file="/etc/ipsec.conf" named_enable="YES" IPSec.conf--------------------------------------------------------------------- Машина 1 (10.220.138.220-внеш, 192.168.10.110) flush; spdflush; spdadd 192.168.10.0/24 192.168.2.0/24 ipencap -P in ipsec esp/tunnel/10.220.138.220-10.220.138.221/require; spdadd 192.168.2.0/24 192.168.10.0/24 ipencap -P out ipsec esp/tunnel/10.220.138.221-10.220.138.220/require; Машина 2 (10.220.138.221-внеш, 192.168.2.110) flush; spdflush; spdadd 192.168.2.0/24 192.168.10.0/24 any -P in ipsec esp/tunnel/10.220.138.221-10.220.138.220/require; spdadd 192.168.10.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.220.138.220-10.220.138.221/require; Вот тут то и оно... по теории в этих правилах In должен стоять вместо Out, но когда ставлю наоборот ничего не ходит, уже перепробовал кучу конфигов один чёрт... Racoon.conf------------------------------------------------------------------------- # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # "log" specifies logging level. It is followed by either "notify", "debug" # or "debug2". log notify; # if no listen directive is specified, racoon will listen to all # available interface addresses. listen { isakmp 10.220.138.221 [500]; } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 60 sec; phase2 60 sec; } remote anonymous { exchange_mode main; lifetime time 600 sec; proposal { encryption_algorithm 3des; hash_algorithm md5; authentication_method pre_shared_key; dh_group 1; } } sainfo anonymous { lifetime time 600 sec; encryption_algorithm 3des; authentication_algorithm hmac_md5; compression_algorithm deflate ; } Что бы там нибыло ракуун ничего не криптует, вот лог... 2006-09-28 18:54:26: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) 2006-09-28 18:54:26: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) 2006-09-28 18:54:27: INFO: 10.220.138.220[500] used as isakmp port (fd=6) 2006-09-28 18:58:20: INFO: caught signal 15 2006-09-28 18:58:21: INFO: racoon shutdown 2006-09-28 18:59:29: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) 2006-09-28 18:59:29: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) 2006-09-28 18:59:29: INFO: 10.220.138.220[500] used as isakmp port (fd=6) 2006-09-28 19:03:40: INFO: unsupported PF_KEY message REGISTER 2006-09-28 19:04:34: INFO: caught signal 15 2006-09-28 19:04:35: INFO: racoon shutdown 2006-09-28 19:05:34: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) 2006-09-28 19:05:34: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) 2006-09-28 19:05:34: INFO: 10.220.138.220[500] used as isakmp port (fd=6) 2006-09-28 19:13:12: INFO: caught signal 15 2006-09-28 19:13:13: INFO: racoon shutdown 2006-09-28 19:14:10: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) 2006-09-28 19:14:10: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) 2006-09-28 19:14:11: INFO: 10.220.138.220[500] used as isakmp port (fd=6) 2006-09-28 19:21:39: INFO: caught signal 15 2006-09-28 19:21:40: INFO: racoon shutdown 2006-09-28 19:22:38: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) 2006-09-28 19:22:39: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) 2006-09-28 19:22:39: INFO: 10.220.138.220[500] used as isakmp port (fd=6) 2006-09-28 19:26:17: INFO: caught signal 15 2006-09-28 19:26:18: INFO: racoon shutdown 2006-09-28 19:27:22: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) 2006-09-28 19:27:22: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) 2006-09-28 19:27:22: INFO: 10.220.138.220[500] used as isakmp port (fd=6) 2006-09-28 19:29:29: INFO: caught signal 15 2006-09-28 19:29:30: INFO: racoon shutdown 2006-09-28 19:30:30: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) 2006-09-28 19:30:30: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) 2006-09-28 19:30:30: INFO: 10.220.138.220[500] used as isakmp port (fd=6)

Ваше сообщение
Имя*:
EMail:	Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	> Привет народ, вот начал ставить тунель на Фри-хах, версия 6.0, траблы такие > что сам врубиться немогу... > Настройки на обоих машинах одинаковые. Что делать??? > rc.conf----------------------------------------------------------------------- > defaultrouter="10.220.138.1" > gateway_enable="YES" > hostname="router.vostok.tj" > ifconfig_sis0="inet 10.220.138.220 netmask 255.255.255.0" > ifconfig_xl0="inet 192.168.10.110 netmask 255.255.255.0" > linux_enable="YES" > usbd_enable="NO" > firewall_enable="YES" > firewall_type="OPEN" > firewall_logging="YES" > natd_enable="YES" > natd_interface="sis0" > sshd_enable="YES" > racoon_enable="YES" > racoon_flags="-l /var/log/racoon.log" > gif_interfaces="gif0" > gifconfig_gif0="10.220.138.220 10.220.138.221" > ifconfig_gif0="inet 192.168.10.110 192.168.2.110 netmask 255.255.255.0" > static_route="vpn" > route_vpn="192.168.2.0/24 192.168.2.110" > export route_vpn > #IPsec > ipsec_enable="YES" > ipsec_file="/etc/ipsec.conf" > named_enable="YES" > IPSec.conf--------------------------------------------------------------------- > Машина 1 (10.220.138.220-внеш, 192.168.10.110) > flush; > spdflush; > spdadd 192.168.10.0/24 192.168.2.0/24 ipencap -P in ipsec > esp/tunnel/10.220.138.220-10.220.138.221/require; > spdadd 192.168.2.0/24 192.168.10.0/24 ipencap -P out ipsec > esp/tunnel/10.220.138.221-10.220.138.220/require; > Машина 2 (10.220.138.221-внеш, 192.168.2.110) > flush; > spdflush; > spdadd 192.168.2.0/24 192.168.10.0/24 any -P in ipsec > esp/tunnel/10.220.138.221-10.220.138.220/require; > spdadd 192.168.10.0/24 192.168.2.0/24 any -P out ipsec > esp/tunnel/10.220.138.220-10.220.138.221/require; > Вот тут то и оно... по теории в этих правилах In должен > стоять вместо Out, но когда ставлю наоборот ничего не ходит, уже > перепробовал кучу конфигов один чёрт... > Racoon.conf------------------------------------------------------------------------- > # search this file for > pre_shared_key with various ID key. > path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; > # "log" specifies logging > level. It is followed by either "notify", "debug" > # or "debug2". > log notify; > # if no listen > directive is specified, racoon will listen to all > # available interface addresses. > listen > { > > isakmp 10.220.138.221 [500]; > } > # Specification of default > various timer. > timer > { > > # These value can be changed per > remote node. > > counter 5; > # maximum trying > count to send. > > interval 20 sec; > # maximum interval to resend. > > persend 1; > # the number > of packets per a send. > > # timer for waiting to complete each > phase. > > phase1 60 sec; > > phase2 60 sec; > } > remote anonymous > { > > exchange_mode main; > > lifetime time 600 sec; > > proposal { > > encryption_algorithm 3des; > > hash_algorithm md5; > > authentication_method pre_shared_key; > > dh_group 1; > > } > } > sainfo anonymous > { > > lifetime time 600 sec; > > encryption_algorithm 3des; > > authentication_algorithm hmac_md5; > > compression_algorithm deflate ; > } > Что бы там нибыло ракуун ничего не криптует, вот лог... > 2006-09-28 18:54:26: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) > 2006-09-28 18:54:26: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) > 2006-09-28 18:54:27: INFO: 10.220.138.220[500] used as isakmp port (fd=6) > 2006-09-28 18:58:20: INFO: caught signal 15 > 2006-09-28 18:58:21: INFO: racoon shutdown > 2006-09-28 18:59:29: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) > 2006-09-28 18:59:29: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) > 2006-09-28 18:59:29: INFO: 10.220.138.220[500] used as isakmp port (fd=6) > 2006-09-28 19:03:40: INFO: unsupported PF_KEY message REGISTER > 2006-09-28 19:04:34: INFO: caught signal 15 > 2006-09-28 19:04:35: INFO: racoon shutdown > 2006-09-28 19:05:34: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) > 2006-09-28 19:05:34: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) > 2006-09-28 19:05:34: INFO: 10.220.138.220[500] used as isakmp port (fd=6) > 2006-09-28 19:13:12: INFO: caught signal 15 > 2006-09-28 19:13:13: INFO: racoon shutdown > 2006-09-28 19:14:10: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) > 2006-09-28 19:14:10: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) > 2006-09-28 19:14:11: INFO: 10.220.138.220[500] used as isakmp port (fd=6) > 2006-09-28 19:21:39: INFO: caught signal 15 > 2006-09-28 19:21:40: INFO: racoon shutdown > 2006-09-28 19:22:38: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) > 2006-09-28 19:22:39: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) > 2006-09-28 19:22:39: INFO: 10.220.138.220[500] used as isakmp port (fd=6) > 2006-09-28 19:26:17: INFO: caught signal 15 > 2006-09-28 19:26:18: INFO: racoon shutdown > 2006-09-28 19:27:22: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) > 2006-09-28 19:27:22: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) > 2006-09-28 19:27:22: INFO: 10.220.138.220[500] used as isakmp port (fd=6) > 2006-09-28 19:29:29: INFO: caught signal 15 > 2006-09-28 19:29:30: INFO: racoon shutdown > 2006-09-28 19:30:30: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) > 2006-09-28 19:30:30: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) > 2006-09-28 19:30:30: INFO: 10.220.138.220[500] used as isakmp port (fd=6)
	Введите код, изображенный на картинке:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру