Народ , помогите , пожалуйста , перечетал тонну доков , но ответа не нашел. возможно где-то на начальной стадии ошибка, потому что в 5.1 нет gifconfiga и я все делал через ifconfig. вообщем проблема такая
у меня стоит бсд и ее надо соеденить с cisco.
на циске настройки такие
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 28800 seconds, no volume limit
pfs group1
я со свей стороны делаю тунель
/sbin/ifconfig gif0 create
/sbin/ifconfig gif0 tunnel my_ip remote_ip
setkey -FP
setkey -F
setkey -c << END
spdadd my_ip remote_ip any -P out ipsec esp/transport/my_ip-remote_ip/require;
spdadd remote_ip my_ip any -P in ipsec esp/transport/remote_ip-my_ip/require;
END
/sbin/route add remote_ip my_ip
конфиг racoon'a
remote anonymous
{
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
nonce_size 16;
lifetime time 28800 sec; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1 ;
lifetime time 28800 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
ключ прописан в pfs.txt
setkey -DP показывает
remote_ip[any] my_ip/24[any] any
in ipsec
esp/transport/remote_ip-my_ip/require
spid=36 seq=3 pid=94744
refcnt=1
my_ip[any] remote_ip[any] any
out ipsec
esp/transport/my_ip-remote_ip/require
spid=35 seq=1 pid=94744
refcnt=1
т.е. все вроде сделано нормально , racoon запускается .
racoon -F -d
но вот при пропускании первого пинга появляется
(извиняюсь за большой кусок)
2003-12-24 14:35:20: INFO: isakmp.c:798:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 212.12.64.235[500]<=>195.161.86.106[500]
2003-12-24 14:35:20: INFO: isakmp.c:803:isakmp_ph1begin_i(): begin Aggressive mode.
2003-12-24 14:35:20: DEBUG: isakmp.c:1996:isakmp_newcookie(): new cookie:
130eae3ced3d136e
2003-12-24 14:35:20: DEBUG: ipsec_doi.c:3185:ipsecdoi_setid1(): use ID type of IPv4_address
2003-12-24 14:35:20: DEBUG: oakley.c:256:oakley_dh_generate(): compute DH's private.
2003-12-24 14:35:20: DEBUG: plog.c:193:plogdump():
5d0e717b aed1e24a 4c77d2e7 29e9503a f736f5c0 2e1835b4 5608b991 d378f3ac
2ed9e4e9 ddddf360 f0e134d6 c404fbde cf22f129 e4fd47ac 3eb23602 8524d251
da4afcc7 29cf852e 1fbfae84 df99bace b01745b1 423e1d8b 04a099a0 0d29f403
cdc9b321 49162a9c 32b24a39 06395751 8623a3e7 fb75dd5f 506d369c 9cd3c344
2003-12-24 14:35:20: DEBUG: oakley.c:258:oakley_dh_generate(): compute DH's public.
2003-12-24 14:35:20: DEBUG: plog.c:193:plogdump():
c5599be2 321cfb69 781ff16d 1e47e9af b15982ca 1f1320e3 7e33389b 1a2fe65c
323f524d 3c53ad50 cdb481d4 ce8d379b 169c9cd2 abe11617 ff51ee57 c70bb1e8
932b313f 0fa21508 0a0775cb 89df4c68 93ac72a7 43d6d943 f2be1620 a4d49355
9d79e2a8 03ed404a 9a31d3c2 c89f01c0 1a3dd336 28d8a4d4 63178abf 8f786930
2003-12-24 14:35:20: DEBUG: isakmp_agg.c:162:agg_i1send(): authmethod is pre-shared key
2003-12-24 14:35:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 48, next type 4
2003-12-24 14:35:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 128, next type 10
2003-12-24 14:35:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 16, next type 5
2003-12-24 14:35:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 8, next type 0
2003-12-24 14:35:20: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin.
35:20.946685 212.12.64.235:500 -> 195.161.86.106:500: isakmp 1.0 msgid 00000000: phase 1 I agg:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))))
(ke: key len=128)
(nonce: n len=16)
(id: idtype=IPv4 protoid=udp port=500 len=4 212.12.64.235)
2003-12-24 14:35:20: DEBUG: sockmisc.c:421:sendfromto(): sockname 212.12.64.235[500]
2003-12-24 14:35:20: DEBUG: sockmisc.c:423:sendfromto(): send packet from 212.12.64.235[500]
2003-12-24 14:35:20: DEBUG: sockmisc.c:425:sendfromto(): send packet to 195.161.86.106[500]
2003-12-24 14:35:20: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 244 bytes message will be sent to 212.12.64.235[500]
2003-12-24 14:35:20: DEBUG: plog.c:193:plogdump():
130eae3c ed3d136e 00000000 00000000 01100400 00000000 000000f4 04000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020002 80040002 0a000084 c5599be2 321cfb69 781ff16d
1e47e9af b15982ca 1f1320e3 7e33389b 1a2fe65c 323f524d 3c53ad50 cdb481d4
ce8d379b 169c9cd2 abe11617 ff51ee57 c70bb1e8 932b313f 0fa21508 0a0775cb
89df4c68 93ac72a7 43d6d943 f2be1620 a4d49355 9d79e2a8 03ed404a 9a31d3c2
c89f01c0 1a3dd336 28d8a4d4 63178abf 8f786930 05000014 eaf96ac0 33a84305
d1b2a8e3 c2f42191 0000000c 011101f4 d40c40eb
2003-12-24 14:35:20: DEBUG: isakmp.c:1449:isakmp_ph1resend(): resend phase1 packet 130eae3ced3d136e:0000000000000000
2003-12-24 14:35:25: DEBUG: grabmyaddr.c:438:update_myaddrs(): msg 5 not interesting
2003-12-24 14:35:25: DEBUG: grabmyaddr.c:438:update_myaddrs(): msg 1 not interesting
2003-12-24 14:35:40: DEBUG: sockmisc.c:421:sendfromto(): sockname 212.12.64.235[500]
2003-12-24 14:35:40: DEBUG: sockmisc.c:423:sendfromto(): send packet from 212.12.64.235[500]
2003-12-24 14:35:40: DEBUG: sockmisc.c:425:sendfromto(): send packet to 195.161.86.106[500]
2003-12-24 14:35:40: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 244 bytes message will be sent to 212.12.64.235[500]
2003-12-24 14:35:40: DEBUG: plog.c:193:plogdump():
130eae3c ed3d136e 00000000 00000000 01100400 00000000 000000f4 04000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020002 80040002 0a000084 c5599be2 321cfb69 781ff16d
1e47e9af b15982ca 1f1320e3 7e33389b 1a2fe65c 323f524d 3c53ad50 cdb481d4
ce8d379b 169c9cd2 abe11617 ff51ee57 c70bb1e8 932b313f 0fa21508 0a0775cb
89df4c68 93ac72a7 43d6d943 f2be1620 a4d49355 9d79e2a8 03ed404a 9a31d3c2
c89f01c0 1a3dd336 28d8a4d4 63178abf 8f786930 05000014 eaf96ac0 33a84305
d1b2a8e3 c2f42191 0000000c 011101f4 d40c40eb
2003-12-24 14:35:40: DEBUG: isakmp.c:1449:isakmp_ph1resend(): resend phase1 packet 130eae3ced3d136e:0000000000000000
2003-12-24 14:35:41: DEBUG: grabmyaddr.c:438:update_myaddrs(): msg 1 not interesting
2003-12-24 14:35:42: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE message
2003-12-24 14:35:42: DEBUG: pfkey.c:1506:pk_recvacquire(): ignore the acquire becuase ph2 found
2003-12-24 14:35:46: DEBUG: grabmyaddr.c:438:update_myaddrs(): msg 1 not interesting
2003-12-24 14:35:47: DEBUG: grabmyaddr.c:438:update_myaddrs(): msg 1 not interesting
2003-12-24 14:35:51: DEBUG: grabmyaddr.c:438:update_myaddrs(): msg 5 not interesting
2003-12-24 14:35:51: ERROR: isakmp.c:1776:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 195.161.86.106->212.12.64.235
2003-12-24 14:35:51: INFO: isakmp.c:1781:isakmp_chkph1there(): delete phase 2 handler.
2003-12-24 14:35:54: DEBUG: grabmyaddr.c:438:update_myaddrs(): msg 5 not interesting
2003-12-24 14:35:54: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE message
2003-12-24 14:35:54: DEBUG: pfkey.c:1522:pk_recvacquire(): suitable outbound SP found: 212.12.64.235/32[0] 195.161.86.106/32[0] proto=any dir=out.
2003-12-24 14:35:54: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbff900: 195.161.86.106/32[0] 212.12.64.235/32[0] proto=any dir=in
2003-12-24 14:35:54: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a2c08: 195.161.86.106/32[0] 212.12.64.235/32[0] proto=any dir=in
2003-12-24 14:35:54: DEBUG: pfkey.c:1538:pk_recvacquire(): suitable inbound SP found: 195.161.86.106/32[0] 212.12.64.235/32[0] proto=any dir=in.
2003-12-24 14:35:54: DEBUG: pfkey.c:1577:pk_recvacquire(): new acquire 212.12.64.235/32[0] 195.161.86.106/32[0] proto=any dir=out
2003-12-24 14:35:54: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected.
2003-12-24 14:35:54: DEBUG: proposal.c:825:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
2003-12-24 14:35:54: DEBUG: proposal.c:859:printsatrns(): (trns_id=3DES encklen=0 authtype=2)
2003-12-24 14:35:54: DEBUG: remoteconf.c:129:getrmconf(): anonymous configuration selected for 195.161.86.106.
2003-12-24 14:35:54: INFO: isakmp.c:1703:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
очень хочется спросить , почему появляется 2
003-12-24 14:35:51: ERROR: isakmp.c:1776:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 195.161.86.106->212.12.64.235 ???
в чем именно проблема в racoon'e в cisco ?
скажите , а то я уже 3 день бьюсь , и т.к. не поднимал ipsec никогда то не могу ума приложить , что же делать ....
зы нашел на google 2 ссылки на вопросы с похожей проблемой , но там были только вопросы ... увы , ответов не было.
Вариант для распечатки
OpenNET: Виртуальная конференция (Public)
on
24-Дек-03, 14:41 (MSK)
