A year ago an IPsec tunnel was set up between 2 networks (FreeBSD 9.0 on one side, a Cisco of unknown model on the other). The tunnel worked fine until Friday. After an unplanned reboot of the FreeBSD box (power loss) the tunnel comes up, but no traffic passes through it. I updated FreeBSD to 9.2 and all the software; it did not help. There is another IPsec tunnel on the same server, and it works perfectly. I also tried bringing up a tunnel to the same Cisco from a different server (FreeBSD 8.4): the tunnel came up and works, with settings identical to these.
Configs:
/etc/ipsec.conf
Code:
spdadd 192.168.10.0/24 192.168.151.16/28 any -P out ipsec
esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;
spdadd 192.168.151.16/28 192.168.10.0/24 any -P in ipsec
esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;
/etc/rc.conf
Code:
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
racoon_enable="YES"
gif_interfaces="gif0 gif1 gif2 gif3"
gifconfig_gif2="XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY"
ifconfig_gif2="inet 192.168.10.253 192.168.151.16 netmask 0xffffffff"
static_routes="... SportLan"
route_SportLan="192.168.151.16/28 -interface gif2"
/usr/local/etc/racoon/racoon.conf
Code:
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/racoon/cert/" ;
#log debug2 ;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
isakmp XXX.XXX.XXX.XXX [500];
}
timer
{
# These values can be changed per remote node.
counter 5; # maximum trying count to send.
interval 10 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# maximum time to wait for completing each phase.
phase1 30 sec;
phase2 15 sec;
}
remote YYY.YYY.YYY.YYY
{
exchange_mode main, aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier user_fqdn "shad@p-k.su";
peers_identifier user_fqdn "shad@p-k.su";
nonce_size 16;
lifetime time 480 min; # sec,min,hour
initial_contact on;
support_proxy on;
proposal_check obey; # obey, strict, or claim
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 60 min;
encryption_algorithm 3des;
authentication_algorithm hmac_md5, hmac_sha1;
compression_algorithm deflate;
}
Firewall rules (ipfw):
Code:
${FwCMD} add allow ip from any to any via gif2
${FwCMD} add allow ip from YYY.YYY.YYY.YYY to me isakmp
${FwCMD} add allow ip from me to YYY.YYY.YYY.YYY isakmp
${FwCMD} add allow ip from YYY.YYY.YYY.YYY 500 to me
${FwCMD} add allow ip from me 500 to YYY.YYY.YYY.YYY
${FwCMD} add allow ipencap from YYY.YYY.YYY.YYY to me
${FwCMD} add allow ipencap from me to YYY.YYY.YYY.YYY
${FwCMD} add allow esp from me to YYY.YYY.YYY.YYY
${FwCMD} add allow esp from YYY.YYY.YYY.YYY to me
racoon.log
Code:
Jun 8 12:54:30 network-253d racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
Jun 8 12:54:30 network-253d racoon: INFO: @(#)This product linked OpenSSL 0.9.8y 5 Feb 2013 (http://www.openssl.org/)
Jun 8 12:54:30 network-253d racoon: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
Jun 8 12:54:30 network-253d racoon: INFO: XXX.XXX.XXX.XXX[500] used as isakmp port (fd=6)
Jun 8 12:54:39 network-253d racoon: INFO: IPsec-SA request for YYY.YYY.YYY.YYY queued due to no phase1 found.
Jun 8 12:54:39 network-253d racoon: INFO: initiate new phase 1 negotiation: XXX.XXX.XXX.XXX[500]<=>YYY.YYY.YYY.YYY[500]
Jun 8 12:54:39 network-253d racoon: INFO: begin Identity Protection mode.
Jun 8 12:54:39 network-253d racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jun 8 12:54:39 network-253d racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 8 12:54:39 network-253d racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jun 8 12:54:39 network-253d racoon: INFO: received Vendor ID: DPD
Jun 8 12:54:39 network-253d racoon: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[500]-YYY.YYY.YYY.YYY[500] spi:ca12a2ea5979dc0f:0817102a1c13af79
Jun 8 12:54:40 network-253d racoon: INFO: initiate new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>YYY.YYY.YYY.YYY[500]
Jun 8 12:54:40 network-253d racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[500]->YYY.YYY.YYY.YYY[500] spi=262841350(0xfaaa406)
Jun 8 12:54:40 network-253d racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[500]->YYY.YYY.YYY.YYY[500] spi=2176197542(0x81b623a6)
Code:
tcpdump -ni rl0 | grep YYY.YYY.YYY.YYY
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:56:39.487118 IP XXX.XXX.XXX.XXX > YYY.YYY.YYY.YYY: ESP(spi=0x81b623a6,seq=0x77), length 116
12:56:40.488121 IP XXX.XXX.XXX.XXX > YYY.YYY.YYY.YYY: ESP(spi=0x81b623a6,seq=0x78), length 116
12:56:41.489140 IP XXX.XXX.XXX.XXX > YYY.YYY.YYY.YYY: ESP(spi=0x81b623a6,seq=0x79), length 116
12:56:42.490144 IP XXX.XXX.XXX.XXX > YYY.YYY.YYY.YYY: ESP(spi=0x81b623a6,seq=0x7a), length 116
12:56:43.491146 IP XXX.XXX.XXX.XXX > YYY.YYY.YYY.YYY: ESP(spi=0x81b623a6,seq=0x7b), length 116
12:56:44.492113 IP XXX.XXX.XXX.XXX > YYY.YYY.YYY.YYY: ESP(spi=0x81b623a6,seq=0x7c), length 116
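The log and capture above show the pattern worth checking mechanically: both phases negotiated, yet only outbound ESP appears on the wire. The following script is an added example (not from the original post or from racoon/tcpdump themselves) that correlates racoon.log with tcpdump output; the sample lines are constructed to mirror the ones quoted above, and the local address is passed in as an argument.

```python
import re
from collections import Counter

# Constructed samples modelled on the racoon.log and tcpdump output quoted in the post.
RACOON_LOG = """\
Jun 8 12:54:39 network-253d racoon: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[500]-YYY.YYY.YYY.YYY[500] spi:ca12a2ea5979dc0f:0817102a1c13af79
Jun 8 12:54:40 network-253d racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[500]->YYY.YYY.YYY.YYY[500] spi=262841350(0xfaaa406)
Jun 8 12:54:40 network-253d racoon: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[500]->YYY.YYY.YYY.YYY[500] spi=2176197542(0x81b623a6)
"""
TCPDUMP = """\
12:56:39.487118 IP XXX.XXX.XXX.XXX > YYY.YYY.YYY.YYY: ESP(spi=0x81b623a6,seq=0x77), length 116
12:56:40.488121 IP XXX.XXX.XXX.XXX > YYY.YYY.YYY.YYY: ESP(spi=0x81b623a6,seq=0x78), length 116
"""

# SPIs racoon reports for negotiated IPsec-SAs (hex form in parentheses).
SA_RE = re.compile(r"IPsec-SA established: ESP/\w+ .*? spi=\d+\((0x[0-9a-f]+)\)")
# ESP packets as tcpdump prints them: src > dst: ESP(spi=...,seq=...)
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")

def diagnose(racoon_log, tcpdump_text, local_ip):
    """Correlate negotiated SAs with ESP seen on the wire and return a verdict."""
    phase1 = "ISAKMP-SA established" in racoon_log
    sa_spis = {m.group(1) for m in SA_RE.finditer(racoon_log)}
    dirs = Counter()          # ESP packets per direction relative to local_ip
    unknown_spi = set()       # SPIs on the wire that racoon never negotiated
    for m in ESP_RE.finditer(tcpdump_text):
        src, _dst, spi, _seq = m.groups()
        dirs["out" if src == local_ip else "in"] += 1
        if spi not in sa_spis:
            unknown_spi.add(spi)
    if not phase1:
        verdict = "phase1 failed: no ISAKMP-SA"
    elif len(sa_spis) < 2:
        verdict = "phase2 incomplete: fewer than two IPsec-SAs"
    elif dirs["out"] and not dirs["in"]:
        verdict = "one-way: ESP leaves but nothing returns (check remote side, path, SPD)"
    elif unknown_spi:
        verdict = "ESP with SPI racoon did not negotiate: stale SA"
    else:
        verdict = "bidirectional ESP: tunnel is carrying traffic"
    return {"phase1": phase1, "sa_spis": sa_spis, "dirs": dict(dirs),
            "unknown_spi": unknown_spi, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(RACOON_LOG, TCPDUMP, "XXX.XXX.XXX.XXX")["verdict"])
```

Feed it real `racoon.log` text and `tcpdump -ni rl0 esp` output; an inbound SPI that never appears in racoon's phase 2 lines points at a stale SA left over from before the reboot.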