Вопрос знатокам
Что надо сделать, чтобы перейти от racoon к openswan?
Исходные данные:
SERVER.EXT.IP = 10.10.10.1
CISCO.EXT.IP = 10.10.10.9
server.itern.ip/32 = 192.168.1.1/32
cisco.itern.ip/32 = 193.168.2.1/32
Итак, есть настроенная удалённая Cisco,
с которой успешно держит vpn туннель racoon на сервере Centos
вот конфиг racoon:
cat racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
#log debug;
log info;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
isakmp SERVER.EXT.IP [500];
}
# Specify various default timers.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# maximum time to wait for completing each phase.
phase1 30 sec;
phase2 15 sec;
}
remote CISCO.EXT.IP
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
verify_identifier off; #on
nonce_size 16;
initial_contact on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
############## FAZA 2
sainfo anonymous
{
pfs_group 2;
encryption_algorithm 3des, des;
authentication_algorithm hmac_md5 ;
compression_algorithm deflate ;
}
Есть правила:
### Flush SAD and SPD
flush;
spdflush;
spdadd server.itern.ip/32 cisco.itern.ip/32 any -P out ipsec esp/tunnel/SERVER.EXT.IP-CISCO.EXT.IP/unique;
spdadd cisco.itern.ip/32 server.itern.ip/32 any -P in ipsec esp/tunnel/SERVER.EXT.IP-CISCO.EXT.IP/unique;
И это прекрасно пашет: весь трафик заворачивается в туннель.
Переходим к настройке openswan:
conn TEST
type=tunnel
authby=secret
left=SERVER.EXT.IP
leftsubnet=server.itern.ip/32
right=CISCO.EXT.IP
rightsubnet=cisco.itern.ip
keyexchange=ike
aggrmode=yes
ike=3des-md5!
auth=esp
compress=yes
phase2alg=3des-md5!
pfs=yes
auto=start
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
Ну и пароли:
SERVER.EXT.IP CISCO.EXT.IP : PSK "qwerty"
Запускаем /etc/init.d/ipsec start
setkey -D
и видим:
CISCO.EXT.IP SERVER.EXT.IP
ipcomp mode=tunnel spi=19215(0x00004b0f) reqid=16386(0x00004002)
C: none seq=0x00000000 replay=0 flags=0x00000000 state=larval
created: Feb 15 16:38:40 2012 current: Feb 15 16:39:03 2012
diff: 23(s) hard: 30(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=9800 refcnt=0
CISCO.EXT.IP SERVER.EXT.IP
esp mode=transport spi=857328471(0x3319cb57) reqid=16385(0x00004001)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
created: Feb 15 16:38:40 2012 current: Feb 15 16:39:03 2012
diff: 23(s) hard: 30(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=9800 refcnt=0
Начинаем трассировать с нашего хоста (server.itern.ip/32):
traceroute server.itern.ip
И получаем вот такое:
CISCO.EXT.IP SERVER.EXT.IP
ipcomp mode=tunnel spi=34408(0x00008668) reqid=16386(0x00004002)
C: none seq=0x00000000 replay=0 flags=0x00000000 state=larval
created: Feb 15 16:42:02 2012 current: Feb 15 16:42:04 2012
diff: 2(s) hard: 30(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=9837 refcnt=0
CISCO.EXT.IP SERVER.EXT.IP
esp mode=transport spi=3498032097(0xd07fbbe1) reqid=16385(0x00004001)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
created: Feb 15 16:42:02 2012 current: Feb 15 16:42:04 2012
diff: 2(s) hard: 30(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=9837 refcnt=0
CISCO.EXT.IP SERVER.EXT.IP
ipcomp mode=tunnel spi=61305(0x0000ef79) reqid=16386(0x00004002)
C: none seq=0x00000000 replay=0 flags=0x00000000 state=larval
created: Feb 15 16:42:02 2012 current: Feb 15 16:42:04 2012
diff: 2(s) hard: 30(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=9837 refcnt=0
CISCO.EXT.IP SERVER.EXT.IP
esp mode=transport spi=1929422124(0x7300a52c) reqid=16385(0x00004001)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
created: Feb 15 16:42:02 2012 current: Feb 15 16:42:04 2012
diff: 2(s) hard: 30(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=4 pid=9837 refcnt=0
server.itern.ip cisco.itern.ip
esp mode=transport spi=0(0x00000000) reqid=0(0x00000000)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
created: Feb 15 16:42:02 2012 current: Feb 15 16:42:04 2012
diff: 2(s) hard: 30(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=9837 refcnt=0
В общем, туннель не поднимается и не пашет.
Если меня начинают пинговать со стороны CISCO, то туннель успешно поднимается и всё пашет.
ipsec auto --status
выдаёт:
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,32,64} trans={0,32,2304} attrs={0,32,1536}
000
000 "TEST": server.itern.ip/32===SERVER.EXT.IP<SERVER.EXT.IP>[+S=C]...CISCO.EXT.IP<CISCO.EXT.IP>[+S=C]===cisco.itern.ip/32; erouted HOLD; eroute owner: #0
000 "TEST": myip=unset; hisip=unset;
000 "TEST": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "TEST": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth1;
000 "TEST": dpd: action:clear; delay:0; timeout:0;
000 "TEST": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "TEST": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1536(5), 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict
000 "TEST": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "TEST": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "TEST": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; flags=-strict
000 "TEST": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000
000 #32: "TEST":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 8s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #31: "TEST":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 20s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #30: "TEST":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 20s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #29: "TEST":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 25s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: "TEST":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1975s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
Хотелось бы увидеть весь конфиг openswan.
А так, посмотрите опцию nat_traversal.
По умолчанию в CentOS для racoon эта опция выключена, но вот в openswan эта опция включена, что, естественно, запрещает хождение трафика AH.
Кстати, какая версия CentOS? И если получится, расскажите, как нагрузка: уже на двух машинах openswan через некоторое время убивает машину напрочь, даже по ssh трудно зайти. При этом повышается softirq. С чем связано, пока не смог разобраться.
> Хотелось бы увидеть весь конфиг openswan.
> А так посмотрите опции nat_travelsal
> По умолчанию в centos для racoon эта опция выключена, но вот в
> openswan эта опция включена, что естественно запрещает хождение трафика AH.
> Кстати какая версия centos? и если получится расскажите, как нагрузка, уже на
> двух машиных openswan через некоторое время убивает машину напрочь, даже по
> ssh трудно зайти. При этом повышается Soft irq. С чем связано
> пока не смог разобраться.
Конфиг — да не проблема:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
#nat_traversal=yes
nat_traversal=no
#virtual_private=
oe=off
# Enable this if you see "failed to find any available worker"
nhelpers=0
plutostderrlog="/var/log/ipsec.log"
plutodebug=all
klipsdebug=all
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
Версия ОС: CentOS release 6.2 (Final)