Привет народ, вот начал ставить тунель на Фри-хах, версия 6.0, траблы такие что сам врубиться немогу...
Настройки на обоих машинах одинаковые. Что делать???rc.conf-----------------------------------------------------------------------
defaultrouter="10.220.138.1"
gateway_enable="YES"
hostname="router.vostok.tj"
ifconfig_sis0="inet 10.220.138.220 netmask 255.255.255.0"
ifconfig_xl0="inet 192.168.10.110 netmask 255.255.255.0"
linux_enable="YES"
usbd_enable="NO"
firewall_enable="YES"
firewall_type="OPEN"
firewall_logging="YES"
natd_enable="YES"
natd_interface="sis0"
sshd_enable="YES"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
gif_interfaces="gif0"
gifconfig_gif0="10.220.138.220 10.220.138.221"
ifconfig_gif0="inet 192.168.10.110 192.168.2.110 netmask 255.255.255.0"
static_route="vpn"
route_vpn="192.168.2.0/24 192.168.2.110"
export route_vpn
#IPsec
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
named_enable="YES"
IPSec.conf---------------------------------------------------------------------
Машина 1 (10.220.138.220-внеш, 192.168.10.110)
flush;
spdflush;
spdadd 192.168.10.0/24 192.168.2.0/24 ipencap -P in ipsec
esp/tunnel/10.220.138.220-10.220.138.221/require;
spdadd 192.168.2.0/24 192.168.10.0/24 ipencap -P out ipsec
esp/tunnel/10.220.138.221-10.220.138.220/require;
Машина 2 (10.220.138.221-внеш, 192.168.2.110)
flush;
spdflush;
spdadd 192.168.2.0/24 192.168.10.0/24 any -P in ipsec
esp/tunnel/10.220.138.221-10.220.138.220/require;
spdadd 192.168.10.0/24 192.168.2.0/24 any -P out ipsec
esp/tunnel/10.220.138.220-10.220.138.221/require;
Вот тут то и оно... по теории в этих правилах In должен стоять вместо Out, но когда ставлю наоборот ничего не ходит, уже перепробовал кучу конфигов один чёрт...
Racoon.conf-------------------------------------------------------------------------
# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
log notify;
# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
isakmp 10.220.138.221 [500];
}
# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 60 sec;
phase2 60 sec;
}
remote anonymous
{
exchange_mode main;
lifetime time 600 sec;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 1;
}
}
sainfo anonymous
{
lifetime time 600 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
Что бы там нибыло ракуун ничего не криптует, вот лог...
2006-09-28 18:54:26: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-09-28 18:54:26: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2006-09-28 18:54:27: INFO: 10.220.138.220[500] used as isakmp port (fd=6)
2006-09-28 18:58:20: INFO: caught signal 15
2006-09-28 18:58:21: INFO: racoon shutdown
2006-09-28 18:59:29: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-09-28 18:59:29: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2006-09-28 18:59:29: INFO: 10.220.138.220[500] used as isakmp port (fd=6)
2006-09-28 19:03:40: INFO: unsupported PF_KEY message REGISTER
2006-09-28 19:04:34: INFO: caught signal 15
2006-09-28 19:04:35: INFO: racoon shutdown
2006-09-28 19:05:34: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-09-28 19:05:34: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2006-09-28 19:05:34: INFO: 10.220.138.220[500] used as isakmp port (fd=6)
2006-09-28 19:13:12: INFO: caught signal 15
2006-09-28 19:13:13: INFO: racoon shutdown
2006-09-28 19:14:10: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-09-28 19:14:10: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2006-09-28 19:14:11: INFO: 10.220.138.220[500] used as isakmp port (fd=6)
2006-09-28 19:21:39: INFO: caught signal 15
2006-09-28 19:21:40: INFO: racoon shutdown
2006-09-28 19:22:38: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-09-28 19:22:39: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2006-09-28 19:22:39: INFO: 10.220.138.220[500] used as isakmp port (fd=6)
2006-09-28 19:26:17: INFO: caught signal 15
2006-09-28 19:26:18: INFO: racoon shutdown
2006-09-28 19:27:22: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-09-28 19:27:22: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2006-09-28 19:27:22: INFO: 10.220.138.220[500] used as isakmp port (fd=6)
2006-09-28 19:29:29: INFO: caught signal 15
2006-09-28 19:29:30: INFO: racoon shutdown
2006-09-28 19:30:30: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-09-28 19:30:30: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2006-09-28 19:30:30: INFO: 10.220.138.220[500] used as isakmp port (fd=6)
Вариант для распечатки
Информационная безопасность (Public)
on 29-Сен-06, 07:52 
