Help me get Racoon up, I have been fiddling with it for a week already... 8(
I have read a lot of docs and looked through many other people's examples. There are two networks connected by a tunnel:
network A                               network B
192.168.35.0/24 eth0                    192.168.36.0/24 eth0
(hosts A1..A254)                        (hosts B1..B254)
        |                                       |
192.168.35.1 eth0 (host A0)             192.168.36.1 eth0 (host B0)
192.168.0.3  eth1 (host A0)             192.168.0.2  eth1 (host B0)
        |_______________________________________|
An ipip0 tunnel is up between machine A0 and machine B0: 192.168.0.3 <=> 192.168.0.2
ipip0 Link encap:IPIP Tunnel HWaddr
inet addr:192.168.40.3 P-t-P:192.168.40.2 Mask:255.255.255.0
Pings from 192.168.36.2 to 192.168.35.2 and back go through successfully.
I need to set up a VPN tunnel between 192.168.36.0/24 and 192.168.35.0/24.
Racoon configuration on machine A0
Contents of /etc/racoon/psk.txt
192.168.40.2 secret1
Contents of /etc/racoon/racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
log debug;

padding {
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen {
    isakmp 192.168.40.3 [500];
}

timer {
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.
    phase1 30 sec;
    phase2 15 sec;
}

remote 192.168.40.2 {
    exchange_mode main,aggressive;
    doi ipsec_doi;
    lifetime time 24 hour;  # sec,min,hour
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address 192.168.35.0/24 any address 192.168.36.0/24 any {
    pfs_group 2;
    lifetime time 3600 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
Contents of /etc/racoon/setkey.conf
flush;
spdflush;
# ESP in tunnel mode; the tunnel endpoints are the local IKE address racoon listens on and the peer's IKE address
spdadd 192.168.35.0/24 192.168.36.0/24 any -P out ipsec esp/tunnel/192.68.40.3-192.168.40.2/require;
spdadd 192.168.36.0/24 192.168.35.0/24 any -P in ipsec esp/tunnel/192.68.40.2-192.168.40.3/require;
Racoon configuration on machine B0
Contents of /etc/racoon/psk.txt
192.168.40.3 secret1
Contents of /etc/racoon/racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
log debug;

padding {
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen {
    isakmp 192.168.40.2 [500];
}

timer {
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.
    phase1 30 sec;
    phase2 15 sec;
}

remote 192.168.40.3 {
    exchange_mode main,aggressive;
    doi ipsec_doi;
    lifetime time 24 hour;  # sec,min,hour
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address 192.168.36.0/24 any address 192.168.35.0/24 any {
    pfs_group 2;
    lifetime time 3600 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
Contents of /etc/racoon/setkey.conf
flush;
spdflush;
# ESP in tunnel mode; the tunnel endpoints are the local IKE address racoon listens on and the peer's IKE address
spdadd 192.168.36.0/24 192.168.35.0/24 any -P out ipsec esp/tunnel/192.68.40.2-192.168.40.3/require;
spdadd 192.168.35.0/24 192.168.36.0/24 any -P in ipsec esp/tunnel/192.68.40.3-192.168.40.2/require;
When I run /etc/init.d/racoon start, the ping between 192.168.36.2 and 192.168.35.2 disappears.
The log says:
INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
INFO: @(#)This product linked OpenSSL 1.0.0 29 Mar 2010 (http://www.openssl.org/)
INFO: Reading configuration from "/etc/racoon/racoon.conf"
DEBUG: hmac(modp1024)
DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
DEBUG: getsainfo params: loc='192.168.35.0/24', rmt='192.168.36.0/24', peer='NULL', id=0
DEBUG: getsainfo pass #2
DEBUG: open /var/run/racoon/racoon.sock as racoon management.
INFO: 192.168.40.3[500] used as isakmp port (fd=6)
INFO: 192.168.40.3[500] used for NAT-T
DEBUG: pk_recv: retry[0] recv()
DEBUG: get pfkey X_SPDDUMP message
DEBUG: pk_recv: retry[0] recv()
DEBUG: get pfkey X_SPDDUMP message
DEBUG: sub:0xbffccc80: 192.168.36.0/24[0] 192.168.35.0/24[0] proto=any dir=in
DEBUG: db :0x80eec68: 192.168.36.0/24[0] 192.168.35.0/24[0] proto=any dir=fwd
DEBUG: pk_recv: retry[0] recv()
DEBUG: get pfkey X_SPDDUMP message
DEBUG: sub:0xbffccc80: 192.168.35.0/24[0] 192.168.36.0/24[0] proto=any dir=out
DEBUG: db :0x80eec68: 192.168.36.0/24[0] 192.168.35.0/24[0] proto=any dir=fwd
DEBUG: sub:0xbffccc80: 192.168.35.0/24[0] 192.168.36.0/24[0] proto=any dir=out
DEBUG: db :0x80eeee8: 192.168.36.0/24[0] 192.168.35.0/24[0] proto=any dir=in
DEBUG: pk_recv: retry[0] recv()
DEBUG: get pfkey ACQUIRE message
DEBUG: ignore because do not listen on source address : 192.68.40.3.
DEBUG: pk_recv: retry[0] recv()
DEBUG: get pfkey ACQUIRE message
DEBUG: ignore because do not listen on source address : 192.68.40.3.
DEBUG: pk_recv: retry[0] recv()
DEBUG: get pfkey REGISTER message
INFO: unsupported PF_KEY message REGISTER
DEBUG: pk_recv: retry[0] recv()
DEBUG: get pfkey FLUSH message
Thanks for the help.
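As an added example (not part of the original post), a small Python consistency check for the situation the log describes with "ignore because do not listen on source address": it pulls the `listen` and `remote` addresses out of racoon.conf and every `spdadd` tunnel policy out of setkey.conf, and reports policies whose local tunnel endpoint racoon is not listening on, whose peer has no `remote` block, or whose `esp/tunnel/...` syntax is malformed. The two sample strings are constructed copies of the A0 files from the post; the regexes assume the plain `address [port];` and `remote address {` forms used there.

```python
import re

# Constructed sample reproducing the A0 files from the post (not the originals on disk).
RACOON_CONF = """
listen{
isakmp 192.168.40.3 [500];
}
remote 192.168.40.2{
exchange_mode main,aggressive;
}
"""
SETKEY_CONF = """
flush;
spdflush;
spdadd 192.168.35.0/24 192.168.36.0/24 any -P out ipsec esp/tunnel/192.68.40.3-192.168.40.2/require;
spdadd 192.168.36.0/24 192.168.35.0/24 any -P in ipsec esp/tunnel/192.68.40.2-192.168.40.3/require;
"""

LISTEN_RE = re.compile(r"isakmp\s+([\d.]+)\s*\[\d+\]\s*;")
REMOTE_RE = re.compile(r"remote\s+([\d.]+)\s*\{")
SPD_RE = re.compile(r"spdadd\s+\S+\s+\S+\s+\S+\s+-P\s+(in|out)\s+ipsec\s+([^;]*);")
# setkey's tunnel-mode policy syntax: esp/tunnel/<src>-<dst>/<level>
TUNNEL_RE = re.compile(r"esp/tunnel/([\d.]+)-([\d.]+)/(require|use|default)$")

def check_policies(racoon_conf, setkey_conf):
    """Cross-check every spdadd tunnel policy against racoon's listen/remote addresses.
    Returns a list of human-readable problems (empty when everything is consistent)."""
    listen = set(LISTEN_RE.findall(racoon_conf))
    remotes = set(REMOTE_RE.findall(racoon_conf))
    problems = []
    for m in SPD_RE.finditer(setkey_conf):
        direction, policy = m.group(1), m.group(2).strip()
        t = TUNNEL_RE.match(policy)
        if not t:
            problems.append("%s policy: bad tunnel syntax, expected esp/tunnel/src-dst/level: %r" % (direction, policy))
            continue
        src, dst = t.group(1), t.group(2)
        # Outbound: src is our IKE address and dst the peer's; inbound: the roles are swapped.
        local, peer = (src, dst) if direction == "out" else (dst, src)
        if local not in listen:
            # This is the mismatch racoon reports as "ignore because do not listen on source address".
            problems.append("%s policy: racoon does not listen on %s (listen: %s)" % (direction, local, ", ".join(sorted(listen))))
        if peer not in remotes:
            problems.append("%s policy: no remote block for %s" % (direction, peer))
    return problems

if __name__ == "__main__":
    for p in check_policies(RACOON_CONF, SETKEY_CONF):
        print(p)
```

Run against the sample it flags both policies, because 192.68.40.x is neither an address racoon listens on nor one it has a remote block for; with the tunnel endpoints written as 192.168.40.x the check comes back empty.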