Ipsec Freebsd + Cisco - не запускается

[ita]

Помогите разобраться..

Freebsd 8.4
внешний ip 1.1.1.1
сеть 10.10.104.0/24

Сisco, доступа к настройкам нет.
внешний ip 2.2.2.2
сеть 10.10.10.17.0/29

/etc/rc.conf

Код: Выделить всё

racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"

gif_interfaces="gif0"
gifconfig_gif0="1.1.1.1 2.2.2.2"
ifconfig_gif0="inet 10.10.104.1 10.10.17.4 netmask 0xffffff00"
static_routes="net17"
route_net17="-net 10.10.17.0/29 -interface gif0"

/usr/local/etc/racoon/racoon.conf

Код: Выделить всё

path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;

padding
{
  maximum_length 20;
  randomize off;
  strict_check off;
  exclusive_tail off;
}
listen
{
  isakmp 1.1.1.1 [500];
}

timer
{
 counter 5;
 interval 20 sec;
 persend 1;
 phase1 30 sec;
 phase2 15 sec;
}

remote 2.2.2.2
{
 exchange_mode main;
 doi ipsec_doi;
 situation identity_only;
 nonce_size 16;
 lifetime time 24 hour;
 initial_contact on;
 support_proxy on;
 proposal_check obey;# obey, strict or claim
    proposal
    {
         encryption_algorithm 3des;
         hash_algorithm sha1;
         authentication_method pre_shared_key;
         dh_group 2;
    }
}

sainfo subnet 10.10.104.0/24 any address 10.10.17.0/29 any
{
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

/etc/ipsec.conf

Код: Выделить всё

flush;
spdflush;
spdadd 10.10.104.0/24 10.10.17.0/29 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/unique; пробовал require - результат тот-же
spdadd 10.10.17.0/29 10.10.104.0/24 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/unique;

IPFW - правила из HandBook

Код: Выделить всё

${Fw} add 00201 allow log esp from any to any
${Fw} add 00202 allow log ah from any to any
${Fw} add 00203 allow log ipencap from any to any
${Fw} add 00204 allow log udp from any 500 to any

Результат: sainfo subnet 10.10.104.0/24 any address 10.10.17.0/29 any или sainfo anonymous
/var/log/racoon.log

Код: Выделить всё

2014-07-05 12:09:49: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
2014-07-05 12:09:49: INFO: @(#)This product linked OpenSSL 0.9.8y 5 Feb 2013 (http://www.openssl.org/)
2014-07-05 12:09:49: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2014-07-05 12:09:49: DEBUG: no check of compression algorithm; not supported in sadb message.
2014-07-05 12:09:49: DEBUG: getsainfo params: loc='10.10.104.0/24' rmt='10.10.17.0/29' peer='NULL' client='NULL' id=0
2014-07-05 12:09:49: INFO: 1.1.1.1[500] used for NAT-T
2014-07-05 12:09:49: INFO: 1.1.1.1[500] used as isakmp port (fd=5)
2014-07-05 12:09:49: DEBUG: pk_recv: retry[0] recv()
2014-07-05 12:09:49: DEBUG: got pfkey X_SPDDUMP message
2014-07-05 12:09:49: DEBUG: pk_recv: retry[0] recv()
2014-07-05 12:09:49: DEBUG: got pfkey X_SPDDUMP message
2014-07-05 12:09:49: DEBUG: sub:0x7fffffffe5a0: 10.10.104.0/24[0] 10.10.17.0/29[0] proto=any dir=out
2014-07-05 12:09:49: DEBUG: db :0x80123a490: 10.10.17.0/29[0] 10.10.104.0/24[0] proto=any dir=in
2014-07-05 12:28:17: INFO: caught signal 15
2014-07-05 12:28:17: INFO: racoon process 1357 shutdown
2014-07-05 12:29:45: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
2014-07-05 12:29:46: INFO: @(#)This product linked OpenSSL 0.9.8y 5 Feb 2013 (http://www.openssl.org/)
2014-07-05 12:29:46: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2014-07-05 12:29:46: DEBUG: no check of compression algorithm; not supported in sadb message.
2014-07-05 12:29:46: DEBUG: getsainfo params: loc='ANONYMOUS' rmt='ANONYMOUS' peer='NULL' client='NULL' id=0
2014-07-05 12:29:46: INFO: 1.1.1.1[500] used for NAT-T
2014-07-05 12:29:46: INFO: 1.1.1.1[500] used as isakmp port (fd=5)
2014-07-05 12:29:46: DEBUG: pk_recv: retry[0] recv()
2014-07-05 12:29:46: DEBUG: got pfkey X_SPDDUMP message
2014-07-05 12:29:46: DEBUG: pk_recv: retry[0] recv()
2014-07-05 12:29:46: DEBUG: got pfkey X_SPDDUMP message
2014-07-05 12:29:46: DEBUG: sub:0x7fffffffe5a0: 10.10.104.0/24[0] 10.10.17.0/29[0] proto=any dir=out
2014-07-05 12:29:46: DEBUG: db :0x80123a490: 10.10.17.0/29[0] 10.10.104.0/24[0] proto=any dir=in

Помолите плиз - первый раз с IPSec столкнулся.
Спасибо.

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[ita]

Наткнулся на информацию. что racoon сам не инициализирует сессию..
Пересобрал с поддержкой админ интерфейса..

В итоге
racoonctl -s /var/db/racoon/racoon.sock establish-sa isakmp inet 1.1.1.1 2.2.2.2

Код: Выделить всё

2014-07-05 16:10:54: INFO: accept a request to establish IKE-SA: 2.2.2.2
2014-07-05 16:10:54: INFO: initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
2014-07-05 16:10:54: INFO: begin Identity Protection mode.
2014-07-05 16:10:54: INFO: received broken Microsoft ID: FRAGMENTATION
2014-07-05 16:10:54: INFO: received Vendor ID: CISCO-UNITY
2014-07-05 16:10:54: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2014-07-05 16:10:54: INFO: received Vendor ID: DPD
2014-07-05 16:10:54: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:39c65a14df0ffb99:dba665f31cf0ef59

Но на этом все, вторая фаза не инициируется, туннель не поднимается

[gumeniuc]

покажите

Код: Выделить всё

setkey -D
setkey -DP

[ita]

Код: Выделить всё

# setkey -D
No SAD entries.
setkey -DP
10.10.17.0/29[any] 10.10.104.0/24[any] any
        in ipsec
        esp/tunnel/2.2.2.2-1.1.1.1/unique#16386
        spid=2 seq=1 pid=43491
        refcnt=1
10.10.104.0/24[any] 10.10.17.0/29[any] any
        out ipsec
        esp/tunnel/1.1.1.1-2.2.2.2/unique#16385
        spid=1 seq=0 pid=43491
        refcnt=1

[gumeniuc]

неплохо было бы увидеть полный лог подключения, но с событиями уровня DEBUG.

[ita]

Полный лог в первом сообщении. На этом все замирает.
Или лог после ручного запуска racoonctl -s /var/db/racoon/racoon.sock establish-sa isakmp inet 1.1.1.1 2.2.2.2 ?

[gumeniuc]

не знаю как насчёт 8.4, есть у меня 8.3, там дебаг намного информативнее.

попробуйте пересобрать ядро с

Код: Выделить всё

options         IPSEC
options         IPSEC_DEBUG
device          crypto

[ita]

Ядро

Код: Выделить всё

device  crypto
options         IPSEC
options         IPSEC_DEBUG
options         IPSEC_FILTERTUNNEL
options         IPSEC_NAT_T

Лог после запуска racoonctl -s /var/db/racoon/racoon.sock establish-sa isakmp inet 1.1.1.1 2.2.2.2

Код: Выделить всё

2014-07-07 10:13:16: [2.2.2.2] DEBUG: configuration "2.2.2.2[500]" selected.
2014-07-07 10:13:16: INFO: accept a request to establish IKE-SA: 2.2.2.2
2014-07-07 10:13:16: DEBUG: ===
2014-07-07 10:13:16: INFO: initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
2014-07-07 10:13:16: INFO: begin Identity Protection mode.
2014-07-07 10:13:16: DEBUG: new cookie:
f2010884926c5e2c
2014-07-07 10:13:16: DEBUG: add payload of len 52, next type 13
2014-07-07 10:13:16: DEBUG: add payload of len 16, next type 0
2014-07-07 10:13:16: DEBUG: 104 bytes from 1.1.1.1[500] to 2.2.2.2[500]
2014-07-07 10:13:16: DEBUG: sockname 1.1.1.1[500]
2014-07-07 10:13:16: DEBUG: send packet from 1.1.1.1[500]
2014-07-07 10:13:16: DEBUG: send packet to 2.2.2.2[500]
2014-07-07 10:13:16: DEBUG: 1 times of 104 bytes message will be sent to 2.2.2.2[500]
2014-07-07 10:13:16: DEBUG:
f2010884 926c5e2c 00000000 00000000 01100200 00000000 00000068 0d000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9
6b8696fc 77570100
2014-07-07 10:13:16: DEBUG: resend phase1 packet f2010884926c5e2c:0000000000000000
2014-07-07 10:13:16: DEBUG: [7] admin connection is polling events
2014-07-07 10:13:16: DEBUG: [7] admin connection established
2014-07-07 10:13:16: DEBUG: [7] admin connection released
2014-07-07 10:13:16: DEBUG: ===
2014-07-07 10:13:16: DEBUG: 108 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
2014-07-07 10:13:16: DEBUG:
f2010884 926c5e2c 46480879 139ea769 01100200 00000000 0000006c 0d000038
00000001 00000001 0000002c 01010001 00000024 01010000 80010005 80020002
80040002 80030001 800b0001 000c0004 00015180 00000018 4048b7d5 6ebce885
25e7de7f 00d6c2d3 c0000000
2014-07-07 10:13:16: DEBUG: begin.
2014-07-07 10:13:16: DEBUG: seen nptype=1(sa)
2014-07-07 10:13:16: DEBUG: seen nptype=13(vid)
2014-07-07 10:13:16: DEBUG: succeed.
2014-07-07 10:13:16: INFO: received broken Microsoft ID: FRAGMENTATION
2014-07-07 10:13:16: DEBUG: total SA len=52
2014-07-07 10:13:16: DEBUG:
00000001 00000001 0000002c 01010001 00000024 01010000 80010005 80020002
80040002 80030001 800b0001 000c0004 00015180
2014-07-07 10:13:16: DEBUG: begin.
2014-07-07 10:13:16: DEBUG: seen nptype=2(prop)
2014-07-07 10:13:16: DEBUG: succeed.
2014-07-07 10:13:16: DEBUG: proposal #1 len=44
2014-07-07 10:13:16: DEBUG: begin.
2014-07-07 10:13:16: DEBUG: seen nptype=3(trns)
2014-07-07 10:13:16: DEBUG: succeed.
2014-07-07 10:13:16: DEBUG: transform #1 len=36
2014-07-07 10:13:16: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2014-07-07 10:13:16: DEBUG: encryption(3des)
2014-07-07 10:13:16: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2014-07-07 10:13:16: DEBUG: hash(sha1)
2014-07-07 10:13:16: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2014-07-07 10:13:16: DEBUG: hmac(modp1024)
2014-07-07 10:13:16: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
2014-07-07 10:13:16: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2014-07-07 10:13:16: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2014-07-07 10:13:16: DEBUG: pair 1:
2014-07-07 10:13:16: DEBUG:  0x80122a620: next=0x0 tnext=0x0
2014-07-07 10:13:16: DEBUG: proposal #1: 1 transform
2014-07-07 10:13:16: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
2014-07-07 10:13:16: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
2014-07-07 10:13:16: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
2014-07-07 10:13:16: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
2014-07-07 10:13:16: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
2014-07-07 10:13:16: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2014-07-07 10:13:16: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
2014-07-07 10:13:16: DEBUG: trns#=1, trns-id=IKE
2014-07-07 10:13:16: DEBUG:   lifetime = 86400
2014-07-07 10:13:16: DEBUG:   lifebyte = 0
2014-07-07 10:13:16: DEBUG:   enctype = 3DES-CBC
2014-07-07 10:13:16: DEBUG:   encklen = 0
2014-07-07 10:13:16: DEBUG:   hashtype = SHA
2014-07-07 10:13:16: DEBUG:   authmethod = pre-shared key
2014-07-07 10:13:16: DEBUG:   dh_group = 1024-bit MODP group
2014-07-07 10:13:16: DEBUG: an acceptable proposal found.
2014-07-07 10:13:16: DEBUG: hmac(modp1024)
2014-07-07 10:13:16: DEBUG: agreed on pre-shared key auth.
2014-07-07 10:13:16: DEBUG: ===
2014-07-07 10:13:16: DEBUG: compute DH's private.
2014-07-07 10:13:16: DEBUG:
4b0dbf43 d54b4267 9a812c5d 2ad4a1cb c66442dd 5377e85a 9ecf5b42 595e07e3
8afcf280 d6a3c5c2 e0e5b3b6 da364929 cd437245 039019eb 7e5ea0b2 179bdfe2
5c6bf8d1 2470a9e6 3405ab25 de0656bf 1a68159b fcec091d a2342b57 43a980ed
d94844a9 53dfd691 9161838e bd1c1fe9 199dda91 e41d846a c682122e 886b84ad
2014-07-07 10:13:16: DEBUG: compute DH's public.
2014-07-07 10:13:16: DEBUG:
d4c38122 2b85c4a4 dc907bb2 535fc180 cd132d3b d8ef6800 420bf9d1 c3c10f53
5b0b044d e888ab3b f1c37bab 40b0bc5e 4b3f6981 cf852617 17784495 de297b25
02afafb4 53e3b0c9 ada3d5ab 787350e5 34583598 a8956845 810dec3b 60303b39
a031dd9c f135a7e9 d42c22a3 edaf7bb7 ca682134 a713645d 67c01356 835f1033
2014-07-07 10:13:16: DEBUG: add payload of len 128, next type 10
2014-07-07 10:13:16: DEBUG: add payload of len 16, next type 0
2014-07-07 10:13:16: DEBUG: 180 bytes from 1.1.1.1[500] to 2.2.2.2[500]
2014-07-07 10:13:16: DEBUG: sockname 1.1.1.1[500]
2014-07-07 10:13:16: DEBUG: send packet from 1.1.1.1[500]
2014-07-07 10:13:16: DEBUG: send packet to 2.2.2.2[500]
2014-07-07 10:13:16: DEBUG: 1 times of 180 bytes message will be sent to 2.2.2.2[500]
2014-07-07 10:13:16: DEBUG:
f2010884 926c5e2c 46480879 139ea769 04100200 00000000 000000b4 0a000084
d4c38122 2b85c4a4 dc907bb2 535fc180 cd132d3b d8ef6800 420bf9d1 c3c10f53
5b0b044d e888ab3b f1c37bab 40b0bc5e 4b3f6981 cf852617 17784495 de297b25
02afafb4 53e3b0c9 ada3d5ab 787350e5 34583598 a8956845 810dec3b 60303b39
a031dd9c f135a7e9 d42c22a3 edaf7bb7 ca682134 a713645d 67c01356 835f1033
00000014 e5d59c6f b7fd2fdb 72298b3d e54bceaa
2014-07-07 10:13:16: DEBUG: resend phase1 packet f2010884926c5e2c:46480879139ea769
2014-07-07 10:13:16: DEBUG: ===
2014-07-07 10:13:16: DEBUG: 256 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
2014-07-07 10:13:16: DEBUG:
f2010884 926c5e2c 46480879 139ea769 04100200 00000000 00000100 0a000084
ec53b87d e237bc80 cab57312 d496b802 58a3af76 e8736dcc 62699ce3 2e1e2db9
440e7391 2b1dd346 2bde24ae fe817613 a0203e20 654f8c71 02ff705b dbaa5d4e
166e687b a3efd59e df477e47 16bf6a92 041d0e96 49190724 633f1906 bd789a0b
27740ae0 1d27b1e7 c54b28e1 5e2db737 d30ca66d 17e75cc9 8536445e 1a904dcd
0d000018 fc0295bf 6cf171e2 8503c128 9484734e ac5ac085 0d000014 12f5f28c
457168a9 702d9fe2 74cc0100 0d00000c 09002689 dfd6b712 0d000014 b38faf64
139fa769 cec3b521 f8cf0dd0 00000014 1f07f70e aa6514d3 b0fa9654 2a500100
2014-07-07 10:13:16: DEBUG: begin.
2014-07-07 10:13:16: DEBUG: seen nptype=4(ke)
2014-07-07 10:13:16: DEBUG: seen nptype=10(nonce)
2014-07-07 10:13:16: DEBUG: seen nptype=13(vid)
2014-07-07 10:13:16: DEBUG: seen nptype=13(vid)
2014-07-07 10:13:16: DEBUG: seen nptype=13(vid)
2014-07-07 10:13:16: DEBUG: seen nptype=13(vid)
2014-07-07 10:13:16: DEBUG: succeed.
2014-07-07 10:13:16: INFO: received Vendor ID: CISCO-UNITY
2014-07-07 10:13:16: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2014-07-07 10:13:16: DEBUG: received unknown Vendor ID
2014-07-07 10:13:16: DEBUG:
b38faf64 139fa769 cec3b521 f8cf0dd0
2014-07-07 10:13:16: DEBUG: received unknown Vendor ID
2014-07-07 10:13:16: DEBUG:
1f07f70e aa6514d3 b0fa9654 2a500100
2014-07-07 10:13:16: DEBUG: ===
2014-07-07 10:13:16: DEBUG: compute DH's shared.
2014-07-07 10:13:16: DEBUG:
73537904 c0e71c7f ad7863c5 116aa49a 3cdc3400 814a85d1 88f2db92 27336359
768b0e41 b93ff47d 65d435eb 4ba68810 4ad36881 8ec9da32 57919bf5 4ff76601
4a71a595 5ea17281 18c78d6a fb1f0362 5e1dc62a 59feadbe 678ed414 f382fa48
7f2e5342 0e999806 9873f719 2909d98c 6fe64d6a 4cee3884 16921e25 ac9d6c44
2014-07-07 10:13:16: DEBUG: the psk found.
2014-07-07 10:13:16: DEBUG: nonce 1: 2014-07-07 10:13:16: DEBUG:
e5d59c6f b7fd2fdb 72298b3d e54bceaa
2014-07-07 10:13:16: DEBUG: nonce 2: 2014-07-07 10:13:16: DEBUG:
fc0295bf 6cf171e2 8503c128 9484734e ac5ac085
2014-07-07 10:13:16: DEBUG: hmac(hmac_sha1)
2014-07-07 10:13:16: DEBUG: SKEYID computed:
2014-07-07 10:13:16: DEBUG:
3f41668d ee1fa5fb dd6fa187 ff898518 9125472e
2014-07-07 10:13:16: DEBUG: hmac(hmac_sha1)
2014-07-07 10:13:16: DEBUG: SKEYID_d computed:
2014-07-07 10:13:16: DEBUG:
468f9866 a3202c3d 36e64305 768284bf 1cf7acd3
2014-07-07 10:13:16: DEBUG: hmac(hmac_sha1)
2014-07-07 10:13:16: DEBUG: SKEYID_a computed:
2014-07-07 10:13:16: DEBUG:
f068a62f 9a3fc5c0 6968f3bf 4427e555 a173e59e
2014-07-07 10:13:16: DEBUG: hmac(hmac_sha1)
2014-07-07 10:13:16: DEBUG: SKEYID_e computed:
2014-07-07 10:13:16: DEBUG:
4a4d34c6 aba85446 eb362af2 f4445c40 14432993
2014-07-07 10:13:16: DEBUG: encryption(3des)
2014-07-07 10:13:16: DEBUG: hash(sha1)
2014-07-07 10:13:16: DEBUG: len(SKEYID_e) < len(Ka) (20 < 24), generating long key (Ka = K1 | K2 | ...)
2014-07-07 10:13:16: DEBUG: hmac(hmac_sha1)
2014-07-07 10:13:16: DEBUG: compute intermediate encryption key K1
2014-07-07 10:13:16: DEBUG:
00
2014-07-07 10:13:16: DEBUG:
4d20ed1a 3c50baea d32b4723 879dd7d4 82746485
2014-07-07 10:13:16: DEBUG: hmac(hmac_sha1)
2014-07-07 10:13:16: DEBUG: compute intermediate encryption key K2
2014-07-07 10:13:16: DEBUG:
4d20ed1a 3c50baea d32b4723 879dd7d4 82746485
2014-07-07 10:13:16: DEBUG:
c31c73d7 c0c5e5f2 83da6a01 699f185c 0a554e44
2014-07-07 10:13:16: DEBUG: final encryption key computed:
2014-07-07 10:13:16: DEBUG:
4d20ed1a 3c50baea d32b4723 879dd7d4 82746485 c31c73d7
2014-07-07 10:13:16: DEBUG: hash(sha1)
2014-07-07 10:13:16: DEBUG: encryption(3des)
2014-07-07 10:13:16: DEBUG: IV computed:
2014-07-07 10:13:16: DEBUG:
f7cfbe87 028570f6
2014-07-07 10:13:16: DEBUG: use ID type of IPv4_address
2014-07-07 10:13:16: DEBUG: HASH with:
2014-07-07 10:13:16: DEBUG:
d4c38122 2b85c4a4 dc907bb2 535fc180 cd132d3b d8ef6800 420bf9d1 c3c10f53
5b0b044d e888ab3b f1c37bab 40b0bc5e 4b3f6981 cf852617 17784495 de297b25
02afafb4 53e3b0c9 ada3d5ab 787350e5 34583598 a8956845 810dec3b 60303b39
a031dd9c f135a7e9 d42c22a3 edaf7bb7 ca682134 a713645d 67c01356 835f1033
ec53b87d e237bc80 cab57312 d496b802 58a3af76 e8736dcc 62699ce3 2e1e2db9
440e7391 2b1dd346 2bde24ae fe817613 a0203e20 654f8c71 02ff705b dbaa5d4e
166e687b a3efd59e df477e47 16bf6a92 041d0e96 49190724 633f1906 bd789a0b
27740ae0 1d27b1e7 c54b28e1 5e2db737 d30ca66d 17e75cc9 8536445e 1a904dcd
f2010884 926c5e2c 46480879 139ea769 00000001 00000001 0000002c 01010001
00000024 01010000 800b0001 000c0004 00015180 80010005 80030001 80020002
80040002 011101f4 5bd7353e
2014-07-07 10:13:16: DEBUG: hmac(hmac_sha1)
2014-07-07 10:13:16: DEBUG: HASH (init) computed:
2014-07-07 10:13:16: DEBUG:
8ead0761 d4487302 f7a4cc56 4f8c1bf8 baa69d4d
2014-07-07 10:13:16: DEBUG: add payload of len 8, next type 8
2014-07-07 10:13:16: DEBUG: add payload of len 20, next type 0
2014-07-07 10:13:16: DEBUG: begin encryption.
2014-07-07 10:13:16: DEBUG: encryption(3des)
2014-07-07 10:13:16: DEBUG: pad length = 4
2014-07-07 10:13:16: DEBUG:
0800000c 011101f4 5bd7353e 00000018 8ead0761 d4487302 f7a4cc56 4f8c1bf8
baa69d4d 00000004
2014-07-07 10:13:16: DEBUG: encryption(3des)
2014-07-07 10:13:16: DEBUG: with key:
2014-07-07 10:13:16: DEBUG:
4d20ed1a 3c50baea d32b4723 879dd7d4 82746485 c31c73d7
2014-07-07 10:13:16: DEBUG: encrypted payload by IV:
2014-07-07 10:13:16: DEBUG:
f7cfbe87 028570f6
2014-07-07 10:13:16: DEBUG: save IV for next:
2014-07-07 10:13:16: DEBUG:
958083d6 4a32c791
2014-07-07 10:13:16: DEBUG: encrypted.
2014-07-07 10:13:16: DEBUG: 68 bytes from 1.1.1.1[500] to 2.2.2.2[500]
2014-07-07 10:13:16: DEBUG: sockname 1.1.1.1[500]
2014-07-07 10:13:16: DEBUG: send packet from 1.1.1.1[500]
2014-07-07 10:13:16: DEBUG: send packet to 2.2.2.2[500]
2014-07-07 10:13:16: DEBUG: 1 times of 68 bytes message will be sent to 2.2.2.2[500]
2014-07-07 10:13:16: DEBUG:
f2010884 926c5e2c 46480879 139ea769 05100201 00000000 00000044 de84536c
a86220af f8f2a2c6 46c0183a 5bb389e1 1d56e314 0d02046d 9494b447 958083d6
4a32c791
2014-07-07 10:13:16: DEBUG: resend phase1 packet f2010884926c5e2c:46480879139ea769
2014-07-07 10:13:16: DEBUG: ===
2014-07-07 10:13:16: DEBUG: 84 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
2014-07-07 10:13:16: DEBUG:
f2010884 926c5e2c 46480879 139ea769 05100201 00000000 00000054 e9da76b7
be8a53df 12a764ce 27e3f417 feecc957 d0829d69 7f497388 d29726fd 4f2bad50
cee3a8bc 5f5646c8 94bf0a4f d7b846e7 be289711
2014-07-07 10:13:16: DEBUG: begin decryption.
2014-07-07 10:13:16: DEBUG: encryption(3des)
2014-07-07 10:13:16: DEBUG: IV was saved for next processing:
2014-07-07 10:13:16: DEBUG:
d7b846e7 be289711
2014-07-07 10:13:16: DEBUG: encryption(3des)
2014-07-07 10:13:16: DEBUG: with key:
2014-07-07 10:13:16: DEBUG:
4d20ed1a 3c50baea d32b4723 879dd7d4 82746485 c31c73d7
2014-07-07 10:13:16: DEBUG: decrypted payload by IV:
2014-07-07 10:13:16: DEBUG:
958083d6 4a32c791
2014-07-07 10:13:16: DEBUG: decrypted payload, but not trimed.
2014-07-07 10:13:16: DEBUG:
0800000c 011101f4 c1135481 0d000018 bb20c494 4da7a96d 941e60ab db4e3cf9
1878e210 00000014 afcad713 68a1f1c9 6b8696fc 77570100
2014-07-07 10:13:16: DEBUG: padding len=0
2014-07-07 10:13:16: DEBUG: skip to trim padding.
2014-07-07 10:13:16: DEBUG: decrypted.
2014-07-07 10:13:16: DEBUG:
f2010884 926c5e2c 46480879 139ea769 05100201 00000000 00000054 0800000c
011101f4 c1135481 0d000018 bb20c494 4da7a96d 941e60ab db4e3cf9 1878e210
00000014 afcad713 68a1f1c9 6b8696fc 77570100
2014-07-07 10:13:16: DEBUG: begin.
2014-07-07 10:13:16: DEBUG: seen nptype=5(id)
2014-07-07 10:13:16: DEBUG: seen nptype=8(hash)
2014-07-07 10:13:16: DEBUG: seen nptype=13(vid)
2014-07-07 10:13:16: DEBUG: succeed.
2014-07-07 10:13:16: INFO: received Vendor ID: DPD
2014-07-07 10:13:16: DEBUG: remote supports DPD
2014-07-07 10:13:16: DEBUG: HASH received:
2014-07-07 10:13:16: DEBUG:
bb20c494 4da7a96d 941e60ab db4e3cf9 1878e210
2014-07-07 10:13:16: DEBUG: HASH with:
2014-07-07 10:13:16: DEBUG:
ec53b87d e237bc80 cab57312 d496b802 58a3af76 e8736dcc 62699ce3 2e1e2db9
440e7391 2b1dd346 2bde24ae fe817613 a0203e20 654f8c71 02ff705b dbaa5d4e
166e687b a3efd59e df477e47 16bf6a92 041d0e96 49190724 633f1906 bd789a0b
27740ae0 1d27b1e7 c54b28e1 5e2db737 d30ca66d 17e75cc9 8536445e 1a904dcd
d4c38122 2b85c4a4 dc907bb2 535fc180 cd132d3b d8ef6800 420bf9d1 c3c10f53
5b0b044d e888ab3b f1c37bab 40b0bc5e 4b3f6981 cf852617 17784495 de297b25
02afafb4 53e3b0c9 ada3d5ab 787350e5 34583598 a8956845 810dec3b 60303b39
a031dd9c f135a7e9 d42c22a3 edaf7bb7 ca682134 a713645d 67c01356 835f1033
46480879 139ea769 f2010884 926c5e2c 00000001 00000001 0000002c 01010001
00000024 01010000 800b0001 000c0004 00015180 80010005 80030001 80020002
80040002 011101f4 c1135481
2014-07-07 10:13:16: DEBUG: hmac(hmac_sha1)
2014-07-07 10:13:16: DEBUG: HASH (init) computed:
2014-07-07 10:13:16: DEBUG:
bb20c494 4da7a96d 941e60ab db4e3cf9 1878e210
2014-07-07 10:13:16: DEBUG: HASH for PSK validated.
2014-07-07 10:13:16: [2.2.2.2] DEBUG: peer's ID:2014-07-07 10:13:16: DEBUG:
011101f4 c1135481
2014-07-07 10:13:16: DEBUG: ===
2014-07-07 10:13:16: DEBUG: compute IV for phase2
2014-07-07 10:13:16: DEBUG: phase1 last IV:
2014-07-07 10:13:16: DEBUG:
d7b846e7 be289711 ec301551
2014-07-07 10:13:16: DEBUG: hash(sha1)
2014-07-07 10:13:16: DEBUG: encryption(3des)
2014-07-07 10:13:16: DEBUG: phase2 IV computed:
2014-07-07 10:13:16: DEBUG:
18238afb df0341a9
2014-07-07 10:13:16: DEBUG: HASH with:
2014-07-07 10:13:16: DEBUG:
ec301551 0000001c 00000001 01106002 f2010884 926c5e2c 46480879 139ea769
2014-07-07 10:13:16: DEBUG: hmac(hmac_sha1)
2014-07-07 10:13:16: DEBUG: HASH computed:
2014-07-07 10:13:16: DEBUG:
d97946ae b98345ae e1357f50 fc7341d5 90b7c099
2014-07-07 10:13:16: DEBUG: begin encryption.
2014-07-07 10:13:16: DEBUG: encryption(3des)
2014-07-07 10:13:16: DEBUG: pad length = 4
2014-07-07 10:13:16: DEBUG:
0b000018 d97946ae b98345ae e1357f50 fc7341d5 90b7c099 0000001c 00000001
01106002 f2010884 926c5e2c 46480879 139ea769 00000004
2014-07-07 10:13:16: DEBUG: encryption(3des)
2014-07-07 10:13:16: DEBUG: with key:
2014-07-07 10:13:16: DEBUG:
4d20ed1a 3c50baea d32b4723 879dd7d4 82746485 c31c73d7
2014-07-07 10:13:16: DEBUG: encrypted payload by IV:
2014-07-07 10:13:16: DEBUG:
18238afb df0341a9
2014-07-07 10:13:16: DEBUG: save IV for next:
2014-07-07 10:13:16: DEBUG:
7ac74df3 44af1659
2014-07-07 10:13:16: DEBUG: encrypted.
2014-07-07 10:13:16: DEBUG: 84 bytes from 1.1.1.1[500] to 2.2.2.2[500]
2014-07-07 10:13:16: DEBUG: sockname 1.1.1.1[500]
2014-07-07 10:13:16: DEBUG: send packet from 1.1.1.1[500]
2014-07-07 10:13:16: DEBUG: send packet to 2.2.2.2[500]
2014-07-07 10:13:16: DEBUG: 1 times of 84 bytes message will be sent to 2.2.2.2[500]
2014-07-07 10:13:16: DEBUG:
f2010884 926c5e2c 46480879 139ea769 08100501 ec301551 00000054 fd695879
9b73e8aa 7ba488ae 45d33eaa e2e4d1d1 9bea9af1 83a9dd63 f24a15ca 777d62c3
3479b0fb 19dac567 25536ca7 7ac74df3 44af1659
2014-07-07 10:13:16: DEBUG: sendto Information notify.
2014-07-07 10:13:16: DEBUG: IV freed
2014-07-07 10:13:16: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:f2010884926c5e2c:46480879139ea769
2014-07-07 10:13:16: DEBUG: ===

[gumeniuc]

обе фазы завершились.

теперь

Код: Выделить всё

setkey -D

также пустой ?

[ita]

Да, так же пусто.
Очень смущает то, что приходится запускать вручную.
и в логе нет ничего похожего на

Код: Выделить всё

2006-01-30 01:36:04: INFO: ISAKMP-SA established 172.16.5.4[500]-192.168.1.12[500] spi:623b9b3bd2492452:7deab82d54ff704a
2006-01-30 01:36:05: INFO: initiate new phase 2 negotiation: 172.16.5.4[0]192.168.1.12[0]
2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=28496098(0x1b2d0e2)
2006-01-30 01:36:09: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=47784998(0x2d92426)
2006-01-30 01:36:13: INFO: respond new phase 2 negotiation: 172.16.5.4[0]192.168.1.12[0]
2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.12[0]->172.16.5.4[0] spi=124397467(0x76a279b)
2006-01-30 01:36:18: INFO: IPsec-SA established: ESP/Tunnel 172.16.5.4[0]->192.168.1.12[0] spi=175852902(0xa7b4d66)

это из HandBook

[gumeniuc]

Очень смущает то, что приходится запускать вручную.

при таких настройках всё запускается автоматически.

Код: Выделить всё

ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot

racoon_enable="YES"
racoon_flags="-f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log"

помнится мне был какой-то косяк при первом запуске. решался классически ( reboot ).

[ita]

обе фазы завершились.

Разве обе? в моем логе ни слова об "initiate new phase 2 negotiation".

racoon запускается автоматически, но совсем не пытается установить связь. Приходиться вручную пинать с пом. racoonctl чтобы хоть что-то увидеть.
И в итоге все равно туннель не поднимается.
Ваши настройки rc.conf поставил - ситуация не изменилась.
reboot пробовал не один раз..

[gumeniuc]

обе фазы завершились.

Разве обе? в моем логе ни слова об "initiate new phase 2 negotiation".

Согласен, поторопился.

Помнится мне делал по ману http://www.freebsd.org/doc/en_US.ISO885 ... ipsec.html

В статье настройки несколько отличаются от Ваших. Попробуйте поменять у себя.

А в messages ничего не валится в момент подключения ?

[ita]

Вроде нашел проблему. не согласование алгоритмов.
со стороны Cisco encryption algorithm - ESP-3DES-SHA

man racoon.conf

Код: Выделить всё

 encryption_algorithm algorithms;
                     des, 3des, des_iv64, des_iv32, rc5, rc4, idea, 3idea,
                     cast128, blowfish, null_enc, twofish, rijndael, aes,
                     camellia (used with ESP)

тогда какой набор в racoon ставить... encryption_algorithm camellia,3des а дальше... на sha1 ругается.

[gumeniuc]

Нет такого алгоритма ESP-3DES-SHA.

Скорее всего просто transform-set так обозвали. У Вас правильные настройки. Уточните значения таймеров у другой стороны.

[ita]

вот ошибка в логе

Код: Выделить всё

2014-07-07 12:46:09: [2.2.2.2] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.

Из гугла

> ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Это значит, что не совпадают пары алгоритмов шифрования/подписи, доступные на обеих сторонах. Насколько я помню, racoon таки позволяет указать наборы для алгоритмов в конфигурации - так и надо сделать, пройдя полноятью ряды DES-3DES-AES для алгоритмов шифрования и MD5-SHA1 для подписи. В этом случае будет запущен процесс согласования для определения совпадающих комбинаций на обеих сторонах.

[gumeniuc]

Уточните у другой стороны:
1. Доступные политики 1ой фазы
2. Настройки 2ой фазы для вашего пира.

[ita]

Код: Выделить всё

PHASE I		
Key management	Pre-share
Encryption algorithm	3DES
Hash algorithm		SHA
Diffie-Hellman group	group 2
Key lifetime in seconds	86400

PHASE II		
Encryption algorithm		ESP-3DES-SHA
Authentication algorithm	SHA-HMAC
Perfect Forward Secrecy		none
Security association lifetime in seconds		28800

Указаная выше ошибка происходит во второй фазе. судя по логу.

[gumeniuc]

удалите

Код: Выделить всё

pfs_group 2 

из раздела

Код: Выделить всё

sainfo subnet 10.10.104.0/24 any address 10.10.17.0/29 any

[ita]

пробовал, получаю

Код: Выделить всё

2014-07-07 14:06:53: ERROR: failed to get sainfo.
2014-07-07 14:06:53: ERROR: failed to get sainfo.
2014-07-07 14:06:53: [2.2.2.2] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).

[gumeniuc]

Проверьте encryption domain.

[ita]

Проверьте encryption domain.

Где это проверить?

[gumeniuc]

у Вас

Код: Выделить всё

sainfo subnet 10.10.104.0/24 any address 10.10.17.0/29 any

надо у другой стороны спросить какой трафик и между какими адресами шифруют

[ita]

Да, с адресами проблемы были, решили их. но проблемы еще есть
# setkey -D

Код: Выделить всё

2.2.2.2 1.1.1.1
        esp mode=tunnel spi=193255979(0x0b84da2b) reqid=16390(0x00004006)
        E: 3des-cbc  feeae707 a80b57d4 3206df82 f242f219 51eb0640 8ed5e40a
        A: hmac-sha1  133dc61c 2cc73475 79a04247 4c6236ea afda6cec
        seq=0x00000018 replay=4 flags=0x00000000 state=mature
        created: Jul  7 16:48:03 2014   current: Jul  7 17:24:09 2014
        diff: 2166(s)   hard: 28800(s)  soft: 23040(s)
        last: Jul  7 17:02:43 2014      hard: 0(s)      soft: 0(s)
        current: 2880(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 24   hard: 0 soft: 0
        sadb_seq=0 pid=3566 refcnt=1

Cisco

Код: Выделить всё

Jul 07 16:54:49 [xxxx]: Group = 1.1.1.1, IP = 1.1.1.1, All IPSec SA proposals found unacceptable!

/var/log/racoon.log

Код: Выделить всё

2014-07-07 17:00:53: DEBUG: resend phase2 packet 5cf2ddd92c8656e2:96112be46728c168:0000d627
2014-07-07 17:00:53: DEBUG: ===
2014-07-07 17:00:53: DEBUG: 84 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
2014-07-07 17:00:53: DEBUG:
2014-07-07 17:00:53: DEBUG: receive Information.
2014-07-07 17:00:53: DEBUG: compute IV for phase2
2014-07-07 17:00:53: DEBUG: phase1 last IV:
2014-07-07 17:00:53: DEBUG:
2014-07-07 17:00:53: DEBUG: hash(sha1)
2014-07-07 17:00:53: DEBUG: encryption(3des)
2014-07-07 17:00:53: DEBUG: phase2 IV computed:
2014-07-07 17:00:53: DEBUG:
2014-07-07 17:00:53: DEBUG: begin decryption.
2014-07-07 17:00:53: DEBUG: encryption(3des)
2014-07-07 17:00:53: DEBUG: IV was saved for next processing:
2014-07-07 17:00:53: DEBUG:
2014-07-07 17:00:53: DEBUG: encryption(3des)
2014-07-07 17:00:53: DEBUG: with key:
2014-07-07 17:00:53: DEBUG:
2014-07-07 17:00:53: DEBUG: decrypted payload by IV:
2014-07-07 17:00:53: DEBUG:
2014-07-07 17:00:53: DEBUG: decrypted payload, but not trimed.
2014-07-07 17:00:53: DEBUG:
2014-07-07 17:00:53: DEBUG: padding len=56
2014-07-07 17:00:53: DEBUG: skip to trim padding.
2014-07-07 17:00:53: DEBUG: decrypted.
2014-07-07 17:00:53: DEBUG:
2014-07-07 17:00:53: DEBUG: IV freed
2014-07-07 17:00:53: DEBUG: HASH with:
2014-07-07 17:00:53: DEBUG:
2014-07-07 17:00:53: DEBUG: hmac(hmac_sha1)
2014-07-07 17:00:53: DEBUG: HASH computed:
2014-07-07 17:00:53: DEBUG:
2014-07-07 17:00:53: DEBUG: hash validated.
2014-07-07 17:00:53: DEBUG: begin.
2014-07-07 17:00:53: DEBUG: seen nptype=8(hash)
2014-07-07 17:00:53: DEBUG: seen nptype=11(notify)
2014-07-07 17:00:53: DEBUG: succeed.
2014-07-07 17:00:53: [2.2.2.2] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
2014-07-07 17:00:53: [2.2.2.2] ERROR: error message: ''>8'.
2014-07-07 17:01:08: ERROR: 2.2.2.2 give up to get IPsec-SA due to time up to wait.
2014-07-07 17:01:08: DEBUG: IV freed

[gumeniuc]

2 фаза сейчас как выглядит ?

Код: Выделить всё

sainfo subnet 10.10.104.0/24 any address 10.10.17.0/29 any
{
    lifetime time 8 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

если так, попросите другую сторону показать настройки 2ой фазы, только именно кусок реальный конфига.