I'm trying to connect the enterprise network (gateway: FreeBSD 9.0) to a remote office (gateway: D-Link 804hv).
It isn't working.
Given:
FreeBSD
Code:
gate# uname -a
FreeBSD gate 9.0-RELEASE FreeBSD 9.0-RELEASE #6: Sun Sep 2 17:32:43 MSK 2012 mike@gate:/usr/obj/usr/src/sys/GATEKERNEL i386
Code:
gate# pkg_info | grep ipsec
ipsec-tools-0.8.0_3 KAME racoon IKE daemon, ipsec-tools version
LAN: 192.168.100.0/24
The server runs ipfw + nat.
For testing, I specifically allowed all traffic from the D-Link:
Code:
ipfw show
<...>
00199 9 1052 allow ip from yy.yy.yy.yy to me
00200 2 416 allow ip from me to yy.yy.yy.yy
<...>
Code:
Firmware Version: V1.51, Fri, Jun 27 2008
WAN ip: yy.yy.yy.yy
LAN: 192.168.18.0/24
racoon config:
Code:
gate# cat /usr/local/etc/racoon/racoon.conf
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug2;
padding
{
    maximum_length 20; # maximum padding length.
    randomize off; # enable randomize length.
    strict_check off; # enable strict check.
    exclusive_tail off; # extract last one octet.
}
listen
{
    #isakmp ::1 [7000];
    isakmp xx.xx.xx.xx [500];
    #admin [7002]; # administrative port for racoonctl.
    #strict_address; # requires that all addresses must be bound.
}
# Specify various default timers.
timer
{
    # These value can be changed per remote node.
    counter 5; # maximum trying count to send.
    interval 20 sec; # maximum interval to resend.
    persend 1; # the number of packets per send.
    # maximum time to wait for completing each phase.
    phase1 30 sec;
    phase2 15 sec;
}
remote anonymous
{
    exchange_mode main,base;
    # doi ipsec_doi;
    # situation identity_only;
    lifetime time 28800 sec;
    #my_identifier asn1dn;
    #certificate_type x509 "my.cert.pem" "my.key.pem";
    #nonce_size 16;
    # initial_contact on;
    generate_policy on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    proposal_check strict;
}
sainfo anonymous
{
    #pfs_group 2;
    lifetime time 28800 sec;
    encryption_algorithm 3des, cast128, blowfish 448, des, rijndael;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
racoon log:
Code:
gate# /usr/local/etc/rc.d/racoon restart && tail -f /var/log/racoon.log
Stopping racoon.
Waiting for PIDS: 2890.
Starting racoon.
Sep 2 23:28:57 gate racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Sep 2 23:28:57 gate racoon: INFO: @(#)This product linked OpenSSL 0.9.8q 2 Dec 2010 (http://www.openssl.org/)
Sep 2 23:28:57 gate racoon: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
Sep 2 23:28:57 gate racoon: DEBUG2: lifetime = 28800
Sep 2 23:28:57 gate racoon: DEBUG2: lifebyte = 0
Sep 2 23:28:57 gate racoon: DEBUG2: encklen=0
Sep 2 23:28:57 gate racoon: DEBUG2: p:1 t:1
Sep 2 23:28:57 gate racoon: DEBUG2: 3DES-CBC(5)
Sep 2 23:28:57 gate racoon: DEBUG2: SHA(2)
Sep 2 23:28:57 gate racoon: DEBUG2: 1024-bit MODP group(2)
Sep 2 23:28:57 gate racoon: DEBUG2: pre-shared key(1)
Sep 2 23:28:57 gate racoon: DEBUG2:
Sep 2 23:28:57 gate racoon: DEBUG2: Etype mismatch: got 2, expected 4.
Sep 2 23:28:57 gate racoon: DEBUG2: Etype mismatch: got 1, expected 4.
Sep 2 23:28:57 gate racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
Sep 2 23:28:57 gate racoon: DEBUG: getsainfo params: loc='ANONYMOUS' rmt='ANONYMOUS' peer='NULL' client='NULL' id=0
Sep 2 23:28:57 gate racoon: DEBUG2: parse successed.
Sep 2 23:28:57 gate racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
Sep 2 23:28:57 gate racoon: INFO: xx.xx.xx.xx[500] used as isakmp port (fd=6)
Sep 2 23:28:57 gate racoon: DEBUG: pk_recv: retry[0] recv()
Sep 2 23:28:57 gate racoon: DEBUG: got pfkey X_SPDDUMP message
Sep 2 23:28:57 gate racoon: DEBUG2: 02120000 0f000100 01000000 780b0000 03000500 ff180000 10020000 c0a81200 00000000 00000000 03000600 ff180000 10020000 c0a86400 00000000 00000000 07001200 02000100 02000000 00000000 28003200 02020000 10020000 5e8ff34b 00000000 00000000 10020000 c3be6fae 00000000 00000000
Sep 2 23:28:57 gate racoon: DEBUG: pk_recv: retry[0] recv()
Sep 2 23:28:57 gate racoon: DEBUG: got pfkey X_SPDDUMP message
Sep 2 23:28:57 gate racoon: DEBUG2: 02120000 0f000100 00000000 780b0000 03000500 ff180000 10020000 c0a86400 00000000 00000000 03000600 ff180000 10020000 c0a81200 00000000 00000000 07001200 02000200 01000000 00000000 28003200 02020000 10020000 c3be6fae 00000000 00000000 10020000 5e8ff34b 00000000 00000000
Sep 2 23:28:57 gate racoon: DEBUG: sub:0xbfbfe53c: 192.168.100.0/24[0] 192.168.18.0/24[0] proto=any dir=out
Sep 2 23:28:57 gate racoon: DEBUG: db :0x2883e148: 192.168.18.0/24[0] 192.168.100.0/24[0] proto=any dir=in
Sep 2 23:29:03 gate racoon: DEBUG: ===
Sep 2 23:29:03 gate racoon: DEBUG: 124 bytes message received from yy.yy.yy.yy[500] to xx.xx.xx.xx[500]
Sep 2 23:29:03 gate racoon: DEBUG: 8cba2a7f a5a67870 00000000 00000000 01100200 00000000 0000007c 00000060 00000001 00000001 00000054 01010402 3c031b77 03000024 01010000 80010005 80020002 80030001 80040002 800b0001 000c0004 00007080 00000024 02010000 80010005 80020001 80030001 80040002 800b0001 000c0004 00007080
Sep 2 23:29:03 gate racoon: [yy.yy.yy.yy] DEBUG2: Checking remote conf "anonymous" anonymous.
Sep 2 23:29:03 gate racoon: DEBUG2: enumrmconf: "anonymous" matches.
Sep 2 23:29:03 gate racoon: DEBUG: ===
Sep 2 23:29:03 gate racoon: INFO: respond new phase 1 negotiation: xx.xx.xx.xx[500]<=>yy.yy.yy.yy[500]
Sep 2 23:29:03 gate racoon: INFO: begin Identity Protection mode.
Sep 2 23:29:03 gate racoon: DEBUG: begin.
Sep 2 23:29:03 gate racoon: DEBUG: seen nptype=1(sa)
Sep 2 23:29:03 gate racoon: DEBUG: succeed.
Sep 2 23:29:03 gate racoon: DEBUG: total SA len=92
Sep 2 23:29:03 gate racoon: DEBUG: 00000001 00000001 00000054 01010402 3c031b77 03000024 01010000 80010005 80020002 80030001 80040002 800b0001 000c0004 00007080 00000024 02010000 80010005 80020001 80030001 80040002 800b0001 000c0004 00007080
Sep 2 23:29:03 gate racoon: DEBUG: begin.
Sep 2 23:29:03 gate racoon: DEBUG: seen nptype=2(prop)
Sep 2 23:29:03 gate racoon: DEBUG: succeed.
Sep 2 23:29:03 gate racoon: DEBUG: proposal #1 len=84
Sep 2 23:29:03 gate racoon: WARNING: SPI size isn't zero, but IKE proposal.
Sep 2 23:29:03 gate racoon: DEBUG: begin.
Sep 2 23:29:03 gate racoon: DEBUG: seen nptype=3(trns)
Sep 2 23:29:03 gate racoon: DEBUG: seen nptype=3(trns)
Sep 2 23:29:03 gate racoon: DEBUG: succeed.
Sep 2 23:29:03 gate racoon: DEBUG: transform #1 len=36
Sep 2 23:29:03 gate racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
Sep 2 23:29:03 gate racoon: DEBUG: encryption(3des)
Sep 2 23:29:03 gate racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
Sep 2 23:29:03 gate racoon: DEBUG: hash(sha1)
Sep 2 23:29:03 gate racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Sep 2 23:29:03 gate racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Sep 2 23:29:03 gate racoon: DEBUG: hmac(modp1024)
Sep 2 23:29:03 gate racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Sep 2 23:29:03 gate racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Sep 2 23:29:03 gate racoon: DEBUG: transform #2 len=36
Sep 2 23:29:03 gate racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
Sep 2 23:29:03 gate racoon: DEBUG: encryption(3des)
Sep 2 23:29:03 gate racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
Sep 2 23:29:03 gate racoon: DEBUG: hash(md5)
Sep 2 23:29:03 gate racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Sep 2 23:29:03 gate racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Sep 2 23:29:03 gate racoon: DEBUG: hmac(modp1024)
Sep 2 23:29:03 gate racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Sep 2 23:29:03 gate racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Sep 2 23:29:03 gate racoon: DEBUG: pair 1:
Sep 2 23:29:03 gate racoon: DEBUG: 0x2881b400: next=0x0 tnext=0x2881b410
Sep 2 23:29:03 gate racoon: DEBUG: 0x2881b410: next=0x0 tnext=0x0
Sep 2 23:29:03 gate racoon: DEBUG: proposal #1: 2 transform
Sep 2 23:29:03 gate racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
Sep 2 23:29:03 gate racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
Sep 2 23:29:03 gate racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Sep 2 23:29:03 gate racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Sep 2 23:29:03 gate racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Sep 2 23:29:03 gate racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Sep 2 23:29:03 gate racoon: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=4, #trns=2
Sep 2 23:29:03 gate racoon: DEBUG: trns#=1, trns-id=IKE
Sep 2 23:29:03 gate racoon: DEBUG: lifetime = 28800
Sep 2 23:29:03 gate racoon: DEBUG: lifebyte = 0
Sep 2 23:29:03 gate racoon: DEBUG: enctype = 3DES-CBC
Sep 2 23:29:03 gate racoon: DEBUG: encklen = 0
Sep 2 23:29:03 gate racoon: DEBUG: hashtype = SHA
Sep 2 23:29:03 gate racoon: DEBUG: authmethod = pre-shared key
Sep 2 23:29:03 gate racoon: DEBUG: dh_group = 1024-bit MODP group
Sep 2 23:29:03 gate racoon: [yy.yy.yy.yy] DEBUG2: Checking remote conf "anonymous" anonymous.
Sep 2 23:29:03 gate racoon: DEBUG2: enumrmconf: "anonymous" matches.
Sep 2 23:29:03 gate racoon: DEBUG2: checkisakmpsa: authmethod: 1 / 1
Sep 2 23:29:03 gate racoon: DEBUG: an acceptable proposal found.
Sep 2 23:29:03 gate racoon: DEBUG: hmac(modp1024)
Sep 2 23:29:03 gate racoon: DEBUG: agreed on pre-shared key auth.
Sep 2 23:29:03 gate racoon: DEBUG: ===
Sep 2 23:29:03 gate racoon: DEBUG: new cookie: 05466480e0c33ac1
Sep 2 23:29:03 gate racoon: DEBUG: add payload of len 56, next type 0
Sep 2 23:29:03 gate racoon: DEBUG: 88 bytes from xx.xx.xx.xx[500] to yy.yy.yy.yy[500]
Sep 2 23:29:03 gate racoon: DEBUG: sockname xx.xx.xx.xx[500]
Sep 2 23:29:03 gate racoon: DEBUG: send packet from xx.xx.xx.xx[500]
Sep 2 23:29:03 gate racoon: DEBUG: send packet to yy.yy.yy.yy[500]
Sep 2 23:29:03 gate racoon: DEBUG: 1 times of 88 bytes message will be sent to yy.yy.yy.yy[500]
Sep 2 23:29:03 gate racoon: DEBUG: 8cba2a7f a5a67870 05466480 e0c33ac1 01100200 00000000 00000058 0000003c 00000001 00000001 00000030 01010401 00000000 00000024 01010000 80010005 80020002 80030001 80040002 800b0001 000c0004 00007080
Sep 2 23:29:03 gate racoon: DEBUG: resend phase1 packet 8cba2a7fa5a67870:05466480e0c33ac1
Sep 2 23:29:08 gate racoon: DEBUG: ===
Sep 2 23:29:08 gate racoon: DEBUG: 124 bytes message received from yy.yy.yy.yy[500] to xx.xx.xx.xx[500]
Sep 2 23:29:08 gate racoon: DEBUG: 8cba2a7f a5a67870 00000000 00000000 01100200 00000000 0000007c 00000060 00000001 00000001 00000054 01010402 3c031b77 03000024 01010000 80010005 80020002 80030001 80040002 800b0001 000c0004 00007080 00000024 02010000 80010005 80020001 80030001 80040002 800b0001 000c0004 00007080
Sep 2 23:29:08 gate racoon: DEBUG: sockname xx.xx.xx.xx[500]
Sep 2 23:29:08 gate racoon: DEBUG: send packet from xx.xx.xx.xx[500]
Sep 2 23:29:08 gate racoon: DEBUG: send packet to yy.yy.yy.yy[500]
Sep 2 23:29:08 gate racoon: DEBUG: 1 times of 88 bytes message will be sent to yy.yy.yy.yy[500]
Sep 2 23:29:08 gate racoon: DEBUG: 8cba2a7f a5a67870 05466480 e0c33ac1 01100200 00000000 00000058 0000003c 00000001 00000001 00000030 01010401 00000000 00000024 01010000 80010005 80020002 80030001 80040002 800b0001 000c0004 00007080
Sep 2 23:29:08 gate racoon: NOTIFY: the packet is retransmitted by yy.yy.yy.yy[500] (1).
Sep 2 23:29:08 gate racoon: DEBUG: ===
Sep 2 23:29:08 gate racoon: DEBUG: 184 bytes message received from yy.yy.yy.yy[500] to xx.xx.xx.xx[500]
Sep 2 23:29:08 gate racoon: DEBUG: 8cba2a7f a5a67870 05466480 e0c33ac1 04100200 00000000 000000b8 0a000084 05d7dbe6 ff348cac 9958a888 a5b2958c 9205ec80 3241c79b 49b4c3d4 2c2c9c31 040a359c 8b80e60e 2b2e5ed6 4634a568 6e5b7043 3594f65b a8e33919 16f7cfb4 3722b132 7b69204f cb0cb76c 5013b800 908dfe2d a16b1395 e9ad5f1b 07826173 d4d72fdf 91e6ad8a f4cafa0c 6e1f0509 cf48b6fc d35c7479 68a85980 8b5d8c27 00000018 062c0f7d cf77d80e 4ff7ccd8 6ae93cf9 e1196fb4
Sep 2 23:29:08 gate racoon: DEBUG: begin.
Sep 2 23:29:08 gate racoon: DEBUG: seen nptype=4(ke)
Sep 2 23:29:08 gate racoon: DEBUG: seen nptype=10(nonce)
Sep 2 23:29:08 gate racoon: DEBUG: succeed.
Sep 2 23:29:08 gate racoon: DEBUG: ===
Sep 2 23:29:08 gate racoon: DEBUG: compute DH's private.
Sep 2 23:29:08 gate racoon: DEBUG: 7152ae84 1ae6962e bd04e42f e8cad506 e3c832bc 46af9a7e 20008b1c df2b8c17 78c45e32 29d13c08 5d9a559c ee564de8 6cdac796 65cd1430 b5440009 8544b361 67d3abd9 81001649 9e07e8ae b831f39f 8fc0e28a 840b2144 21957b82 d87290d2 8bf1fabb ed28a233 9c832b46 80c3e12b 23fa44b2 b479c9a5 0d51adc6 2e0e3caa
Sep 2 23:29:08 gate racoon: DEBUG: compute DH's public.
Sep 2 23:29:08 gate racoon: DEBUG: 062135e8 618f8178 cb937683 7d8502c2 19c1573e 59d3dc65 a7835669 a80da846 5acb9b4a 650b5ca1 c3f788c0 64360772 3bddbf9c b010158a 53f17d00 40958bc0 50b4c3d1 4da0f410 9e07c90e 1a0a0cab 9a026bb2 b672e682 9c6aec26 b20015db 006b7fe9 a972b373 6399b3f5 eb399eff ae268a95 3b644a71 0b770b46 2293abc2
Sep 2 23:29:08 gate racoon: DEBUG: add payload of len 128, next type 10
Sep 2 23:29:08 gate racoon: DEBUG: add payload of len 16, next type 0
Sep 2 23:29:08 gate racoon: DEBUG: 180 bytes from xx.xx.xx.xx[500] to yy.yy.yy.yy[500]
Sep 2 23:29:08 gate racoon: DEBUG: sockname xx.xx.xx.xx[500]
Sep 2 23:29:08 gate racoon: DEBUG: send packet from xx.xx.xx.xx[500]
Sep 2 23:29:08 gate racoon: DEBUG: send packet to yy.yy.yy.yy[500]
Sep 2 23:29:08 gate racoon: DEBUG: 1 times of 180 bytes message will be sent to yy.yy.yy.yy[500]
Sep 2 23:29:08 gate racoon: DEBUG: 8cba2a7f a5a67870 05466480 e0c33ac1 04100200 00000000 000000b4 0a000084 062135e8 618f8178 cb937683 7d8502c2 19c1573e 59d3dc65 a7835669 a80da846 5acb9b4a 650b5ca1 c3f788c0 64360772 3bddbf9c b010158a 53f17d00 40958bc0 50b4c3d1 4da0f410 9e07c90e 1a0a0cab 9a026bb2 b672e682 9c6aec26 b20015db 006b7fe9 a972b373 6399b3f5 eb399eff ae268a95 3b644a71 0b770b46 2293abc2 00000014 c21debdb 4d82221c f91a2d6a 06256807
Sep 2 23:29:08 gate racoon: DEBUG: resend phase1 packet 8cba2a7fa5a67870:05466480e0c33ac1
Sep 2 23:29:08 gate racoon: DEBUG: compute DH's shared.
Sep 2 23:29:08 gate racoon: DEBUG: b6ab367d 0a3896df 4d00b6bb 1cd8a36b 582fb142 67a4464e 07db2e0c 241f1284 70d49f78 f8e370dc e1f505a4 d4ae9263 b65833a4 3bda329e 792d16c8 0b5df9e0 73eea890 b91da019 2755272c 504274d6 6ef818d5 fd0c5dac ff3dcf26 6ba8d089 38b84364 9f60a5fb 62aea2d5 9542dab9 fce10ace 0f323a3a 5f2529c4 fcf07260
Sep 2 23:29:08 gate racoon: DEBUG: the psk found.
Sep 2 23:29:08 gate racoon: DEBUG2: psk:
Sep 2 23:29:08 gate racoon: DEBUG2: 31323334 35363738 393020
Sep 2 23:29:08 gate racoon: DEBUG: nonce 1:
Sep 2 23:29:08 gate racoon: DEBUG: 062c0f7d cf77d80e 4ff7ccd8 6ae93cf9 e1196fb4
Sep 2 23:29:08 gate racoon: DEBUG: nonce 2:
Sep 2 23:29:08 gate racoon: DEBUG: c21debdb 4d82221c f91a2d6a 06256807
Sep 2 23:29:08 gate racoon: DEBUG: hmac(hmac_sha1)
Sep 2 23:29:08 gate racoon: DEBUG: SKEYID computed:
Sep 2 23:29:08 gate racoon: DEBUG: 27169f88 6c92dfb6 f3ecf467 4682fdc3 0423c27c
Sep 2 23:29:08 gate racoon: DEBUG: hmac(hmac_sha1)
Sep 2 23:29:08 gate racoon: DEBUG: SKEYID_d computed:
Sep 2 23:29:08 gate racoon: DEBUG: fb285fdf e98c5641 4cf2d44d b785b293 d8ea72de
Sep 2 23:29:08 gate racoon: DEBUG: hmac(hmac_sha1)
Sep 2 23:29:08 gate racoon: DEBUG: SKEYID_a computed:
Sep 2 23:29:08 gate racoon: DEBUG: fc879116 f7a792a5 751c5444 bfb8c676 92753ab0
Sep 2 23:29:08 gate racoon: DEBUG: hmac(hmac_sha1)
Sep 2 23:29:08 gate racoon: DEBUG: SKEYID_e computed:
Sep 2 23:29:08 gate racoon: DEBUG: c4958178 fd85ca1a f55ba46e c4bbed21 8b3e1e51
Sep 2 23:29:08 gate racoon: DEBUG: encryption(3des)
Sep 2 23:29:08 gate racoon: DEBUG: hash(sha1)
Sep 2 23:29:08 gate racoon: DEBUG: len(SKEYID_e) < len(Ka) (20 < 24), generating long key (Ka = K1 | K2 | ...)
Sep 2 23:29:08 gate racoon: DEBUG: hmac(hmac_sha1)
Sep 2 23:29:08 gate racoon: DEBUG: compute intermediate encryption key K1
Sep 2 23:29:08 gate racoon: DEBUG: 00
Sep 2 23:29:08 gate racoon: DEBUG: 6609cbb5 4ac5a556 1a15ab9d e77d3fe8 c6cd4766
Sep 2 23:29:08 gate racoon: DEBUG: hmac(hmac_sha1)
Sep 2 23:29:08 gate racoon: DEBUG: compute intermediate encryption key K2
Sep 2 23:29:08 gate racoon: DEBUG: 6609cbb5 4ac5a556 1a15ab9d e77d3fe8 c6cd4766
Sep 2 23:29:08 gate racoon: DEBUG: d19b2c1c 5039261e 05d43eb6 3a57c069 cdd449bb
Sep 2 23:29:08 gate racoon: DEBUG: final encryption key computed:
Sep 2 23:29:08 gate racoon: DEBUG: 6609cbb5 4ac5a556 1a15ab9d e77d3fe8 c6cd4766 d19b2c1c
Sep 2 23:29:08 gate racoon: DEBUG: hash(sha1)
Sep 2 23:29:08 gate racoon: DEBUG: encryption(3des)
Sep 2 23:29:08 gate racoon: DEBUG: IV computed:
Sep 2 23:29:08 gate racoon: DEBUG: 32bf571e 9538f1ce
Sep 2 23:29:09 gate racoon: DEBUG: ===
Sep 2 23:29:09 gate racoon: DEBUG: 68 bytes message received from yy.yy.yy.yy[500] to xx.xx.xx.xx[500]
Sep 2 23:29:09 gate racoon: DEBUG: 8cba2a7f a5a67870 05466480 e0c33ac1 05100201 00000000 00000044 86a22451 05fec1e5 3e894c80 70cecf04 20209b0d 881fcbe0 6dab2bc4 872921b5 0f8535e0 9f16ce16
Sep 2 23:29:09 gate racoon: DEBUG: begin decryption.
Sep 2 23:29:09 gate racoon: DEBUG: encryption(3des)
Sep 2 23:29:09 gate racoon: DEBUG: IV was saved for next processing:
Sep 2 23:29:09 gate racoon: DEBUG: 0f8535e0 9f16ce16
Sep 2 23:29:09 gate racoon: DEBUG: encryption(3des)
Sep 2 23:29:09 gate racoon: DEBUG: with key:
Sep 2 23:29:09 gate racoon: DEBUG: 6609cbb5 4ac5a556 1a15ab9d e77d3fe8 c6cd4766 d19b2c1c
Sep 2 23:29:09 gate racoon: DEBUG: decrypted payload by IV:
Sep 2 23:29:09 gate racoon: DEBUG: 32bf571e 9538f1ce
Sep 2 23:29:09 gate racoon: DEBUG: decrypted payload, but not trimed.
Sep 2 23:29:09 gate racoon: DEBUG: 69b4578f 685c7de2 a08ca513 0c783c59 93fa2a04 6e66e190 132a77e4 7173139e e0c0c674 7cc35ceb
Sep 2 23:29:09 gate racoon: DEBUG: padding len=235
Sep 2 23:29:09 gate racoon: DEBUG: skip to trim padding.
Sep 2 23:29:09 gate racoon: DEBUG: decrypted.
Sep 2 23:29:09 gate racoon: DEBUG: 8cba2a7f a5a67870 05466480 e0c33ac1 05100201 00000000 00000044 69b4578f 685c7de2 a08ca513 0c783c59 93fa2a04 6e66e190 132a77e4 7173139e e0c0c674 7cc35ceb
Sep 2 23:29:09 gate racoon: DEBUG: begin.
Sep 2 23:29:09 gate racoon: DEBUG: seen nptype=5(id)
Sep 2 23:29:09 gate racoon: DEBUG: invalid length of payload
The SAs are, naturally, empty, since there is no connection at all:
Code:
gate# setkey -D
No SAD entries.
The settings on the D-Link match completely; I won't repeat the screenshots here (though I can, if needed).
I'm quite weak at working with secure connections, and I have only a rough idea of how IKE and IPsec initialization works. As I understand it, the first phase of IKE goes through for me. Can anyone explain, using my logs, what the problem is?
I'd be glad to figure it out myself, but right now I don't have time to dig through that many manuals. Though I'll have to, of course, if nobody helps.
Thanks in advance.
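
Added example (not part of the original post, and not racoon's own code): a small Python walker for the ISAKMP header and generic payload chain, run over three hex values copied from the log above: the 88-byte reply racoon sent, the decrypted 68-byte message, and the logged psk. The names `walk_isakmp` and `psk_report` are made up for this illustration.

```python
import struct

# Hex copied verbatim from the racoon log in the post above.
REPLY_MSG2 = ("8cba2a7f a5a67870 05466480 e0c33ac1 01100200 00000000 00000058 "
              "0000003c 00000001 00000001 00000030 01010401 00000000 00000024 "
              "01010000 80010005 80020002 80030001 80040002 800b0001 000c0004 00007080")
DECRYPTED_MSG5 = ("8cba2a7f a5a67870 05466480 e0c33ac1 05100201 00000000 00000044 "
                  "69b4578f 685c7de2 a08ca513 0c783c59 93fa2a04 6e66e190 132a77e4 "
                  "7173139e e0c0c674 7cc35ceb")
LOGGED_PSK = "31323334 35363738 393020"

# ISAKMP payload type numbers, as racoon prints them (nptype=N(name)).
PAYLOAD = {1: "sa", 4: "ke", 5: "id", 8: "hash", 10: "nonce"}


def walk_isakmp(hex_dump):
    """Parse the 28-byte ISAKMP header, then follow the generic payload chain."""
    data = bytes.fromhex(hex_dump.replace(" ", ""))
    # cookies (8+8), next payload, version, exchange type, flags, message ID, length
    _ic, _rc, np, _ver, etype, flags, _mid, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    header = {"exchange": etype, "encrypted": bool(flags & 1), "length": length}
    payloads, off = [], 28
    while np != 0:
        if len(data) - off < 4:  # no room left for a generic payload header
            payloads.append({"type": PAYLOAD.get(np, np), "len": None, "valid": False})
            break
        nxt, _reserved, plen = struct.unpack("!BBH", data[off:off + 4])
        # A payload must cover its own 4-byte header and fit in the message.
        valid = 4 <= plen <= len(data) - off
        payloads.append({"type": PAYLOAD.get(np, np), "len": plen, "valid": valid})
        if not valid:
            break
        np, off = nxt, off + plen
    return header, payloads


def psk_report(hex_dump):
    """Decode the key bytes racoon logged and flag leading/trailing whitespace."""
    key = bytes.fromhex(hex_dump.replace(" ", ""))
    return {"bytes": key, "stray_whitespace": key != key.strip()}


if __name__ == "__main__":
    for name, dump in (("msg 2 (sent)", REPLY_MSG2),
                       ("msg 5 (decrypted)", DECRYPTED_MSG5)):
        print(name, *walk_isakmp(dump))
    print(psk_report(LOGGED_PSK))
```

The decrypted message claims an ID payload of 22415 bytes inside a 40-byte body, which is what racoon reports as `invalid length of payload`, and the logged psk ends in a 0x20 byte. In main mode with pre-shared keys the key feeds SKEYID (RFC 2409), so a key that differs by one byte between the peers makes message 5 decrypt to garbage like this; comparing the contents of psk.txt byte for byte with the key entered on the D-Link is a reasonable first check.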