Нашел в сети конфиги http://www.informatik.uni-bremen.de/~fa ... coon-vpnc/, потом нашел
вот этот документ http://www.netbsd.org/docs/network/ipsec/rasvpn.html.
В итоге получил, на первый взгляд, работающее подключение:
проходят первая и вторая фазы IKE (как я себе это представляю).
VPN-клиент получает адрес из пула адресов, аутентифицируется через radius.
На стороне клиента создаётся туннель, split-сети прописываются в маршрутах.
Но при всем при этом tcpdump не фиксирует хождение ESP-трафика между
клиентом и сервером, хотя политики SA прописываются нормально. На сервере
не создается туннельный интерфейс. Ко всему, после установления соединения
постоянно выводится сообщение "ERROR: packet shorter than isakmp header size (5, 0, 28)"
Всё это происходит на FreeBSD 9.1 с ядром, откомпилированным с опциями:
options IPSEC
options IPSEC_NAT_T
Вот конфиг:
# racoon.conf for a road-warrior responder: XAuth over PSK, mode_cfg address/DNS push,
# RADIUS for XAuth authentication/accounting, NAT-T on 4500.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log info;
padding {
maximum_length 20;
randomize on;
randomize_length on;
strict_check off;
exclusive_tail off;
}
listen {
# One address, two sockets: 500 for plain ISAKMP, 4500 for NAT-T (ISAKMP after the port float
# and UDP-encapsulated ESP).
isakmp 10.75.2.1 [500];
isakmp 10.75.2.1 [4500];
# racoon refuses to start if any of the addresses above cannot be bound.
strict_address;
}
timer {
counter 5;
interval 20 sec;
persend 1;
phase1 30 sec;
phase2 15 sec;
}
# Matches any peer; the PSK in psk.txt plus XAuth against RADIUS is the only admission control.
remote anonymous {
# Aggressive mode is offered first (and is what the client picks, per the log). With a PSK,
# aggressive mode sends the PSK-derived responder hash before the peer is authenticated, so a
# shared group PSK is exposed to offline guessing by anyone who can talk to port 500. Prefer
# main mode when the client supports it.
exchange_mode aggressive,main;
passive on;
support_proxy off;
# "force" negotiates NAT-T even when no NAT sits between the peers (the log's "NAT-T forced"
# / "NAT detected" lines come from this, although both hosts are on the same subnet).
nat_traversal force;
# Peer's lifetime/attributes are accepted as proposed.
proposal_check obey;
# SPD entries are created from whatever the authenticated peer proposes in phase 2
# (the "no policy found, try to generate the policy" line in the log).
generate_policy on;
ike_frag on;
esp_frag 552;
dpd_delay 20;
initial_contact on;
nonce_size 16;
lifetime time 1440 min;
# NOTE(review): this option waives part of the phase-1 verification; check racoon.conf(5) for
# exactly what is skipped and keep it on only if a client really requires it.
weak_phase1_check on;
mode_cfg on;
# my_identifier address;
# verify_identifier off;
# Both proposals use DH group 2 (1024-bit MODP), which is below current guidance for IKE;
# offer a stronger group (e.g. 14) in addition when clients allow it.
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method xauth_psk_server;
dh_group 2;
}
# 3DES is legacy; keep it only as a fallback for old clients.
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method xauth_psk_server;
dh_group 2;
}
}
mode_cfg {
banner "/etc/motd";
pool_size 100;
# NOTE(review): dns4 is pushed to the client as its resolver address; 127.0.0.1 is then the
# client's own loopback, not this gateway — probably an internal resolver address was intended.
dns4 127.0.0.1;
default_domain "domain.local";
split_network include 192.168.1.0/24;
split_network include 192.168.2.0/24;
split_network include 192.168.3.0/24;
split_network include 192.168.4.0/24;
pfs_group 2;
# Clients are told not to cache the XAuth password.
save_passwd off;
split_dns "domain.local";
auth_source radius;
accounting radius;
conf_source local;
# Pool starts at 10.168.14.1 (pool_size addresses); /32 is pushed to the client.
network4 10.168.14.1;
netmask4 255.255.255.255;
}
radiuscfg {
# NOTE(review): the RADIUS shared secrets below are published in this post — rotate them on
# the RADIUS server and here before this gateway is used for anything real.
auth "127.0.0.1" "q@dFerIHq67p0";
acct "127.0.0.1" "q@dFerIHq67p0";
retries 3;
timeout 5;
}
sainfo anonymous {
# aes preferred, 3des accepted as fallback; phase 2 SAs rekey every 3 minutes.
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
lifetime time 3 min;
}
Вот лог при уровне журналирования INFO:
2013-07-09 14:09:54: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
2013-07-09 14:09:54: INFO: @(#)This product linked OpenSSL 0.9.8x 10 May 2012 (http://www.openssl.org/)
2013-07-09 14:09:54: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2013-07-09 14:09:54: INFO: Resize address pool from 0 to 100
2013-07-09 14:09:54: INFO: 10.75.2.1[4500] used for NAT-T
2013-07-09 14:09:54: INFO: 10.75.2.1[4500] used as isakmp port (fd=4)
2013-07-09 14:09:54: INFO: 10.75.2.1[500] used for NAT-T
2013-07-09 14:09:54: INFO: 10.75.2.1[500] used as isakmp port (fd=5)
2013-07-09 14:11:12: INFO: respond new phase 1 negotiation: 10.75.2.1[500]<=>10.75.2.11[60472]
2013-07-09 14:11:12: INFO: begin Aggressive mode.
2013-07-09 14:11:12: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2013-07-09 14:11:12: INFO: received Vendor ID: CISCO-UNITY
2013-07-09 14:11:12: INFO: received Vendor ID: RFC 3947
2013-07-09 14:11:12: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-07-09 14:11:12: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-07-09 14:11:12: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
2013-07-09 14:11:12: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2013-07-09 14:11:12: INFO: received Vendor ID: DPD
2013-07-09 14:11:12: [10.75.2.11] INFO: Selected NAT-T version: RFC 3947
[b]2013-07-09 14:11:12: ERROR: invalied encryption algorithm=0.
2013-07-09 14:11:12: ERROR: invalied encryption algorithm=0.
2013-07-09 14:11:12: ERROR: invalied encryption algorithm=0.
2013-07-09 14:11:12: ERROR: invalied encryption algorithm=0.[/b]
2013-07-09 14:11:12: INFO: Adding remote and local NAT-D payloads.
2013-07-09 14:11:12: [10.75.2.11] INFO: Hashing 10.75.2.11[60472] with algo #2 (NAT-T forced)
2013-07-09 14:11:12: [10.75.2.1] INFO: Hashing 10.75.2.1[500] with algo #2 (NAT-T forced)
2013-07-09 14:11:12: INFO: Adding xauth VID payload.
2013-07-09 14:11:12: INFO: NAT-T: ports changed to: 10.75.2.11[58597]<->10.75.2.1[4500]
[b]2013-07-09 14:11:12: [10.75.2.11] ERROR: notification INITIAL-CONTACT received in aggressive exchange.[/b]
2013-07-09 14:11:12: INFO: received Vendor ID: CISCO-UNITY
2013-07-09 14:11:12: INFO: NAT-D payload #0 doesn't match
2013-07-09 14:11:12: INFO: NAT-D payload #1 doesn't match
2013-07-09 14:11:12: INFO: NAT detected: ME PEER
2013-07-09 14:11:12: INFO: Sending Xauth request
2013-07-09 14:11:12: INFO: ISAKMP-SA established 10.75.2.1[4500]-10.75.2.11[58597] spi:cddc2af60aacfe90:97636a1dee3d5dea
2013-07-09 14:11:12: INFO: Using port 0
2013-07-09 14:11:12: INFO: login succeeded for user "dmitriy@domain.com"
2013-07-09 14:11:12: INFO: respond new phase 2 negotiation: 10.75.2.1[4500]<=>10.75.2.11[58597]
2013-07-09 14:11:12: INFO: no policy found, try to generate the policy : 10.168.14.1/32[0] 0.0.0.0/0[0] proto=any dir=in
2013-07-09 14:11:12: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
2013-07-09 14:11:12: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
2013-07-09 14:11:12: INFO: IPsec-SA established: ESP/Tunnel 10.75.2.1[500]->10.75.2.11[500] spi=197282934(0xbc24c76)
2013-07-09 14:11:12: INFO: IPsec-SA established: ESP/Tunnel 10.75.2.1[500]->10.75.2.11[500] spi=3557239259(0xd40729db)
[b]2013-07-09 14:11:21: [10.75.2.11] ERROR: packet shorter than isakmp header size (5, 0, 28)
2013-07-09 14:11:30: [10.75.2.11] ERROR: packet shorter than isakmp header size (5, 0, 28)
2013-07-09 14:11:35: [10.75.2.11] ERROR: packet shorter than isakmp header size (5, 0, 28)
2013-07-09 14:11:42: [10.75.2.11] ERROR: packet shorter than isakmp header size (5, 0, 28)
2013-07-09 14:11:48: [10.75.2.11] ERROR: packet shorter than isakmp header size (5, 0, 28)
[/b]
root@gate:/root # setkey -D
10.75.2.1 10.75.2.11
esp mode=tunnel spi=4094845162(0xf41260ea) reqid=0(0x00000000)
E: rijndael-cbc f5112e58 76b588ea 04150d6e ef0bf94a 10fbfa30 9ed6fc6d d2b730af 3f16307c
A: hmac-sha1 1526d495 6fca5fab 85cc792d 7e445bcf 040d7615
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jul 9 15:07:09 2013 current: Jul 9 15:07:38 2013
diff: 29(s) hard: 2147483(s) soft: 1717986(s)
last: hard: 0(s) soft: 0(s)
[b] current: 0(bytes) hard: 0(bytes) soft: 0(bytes)[/b]
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=8568 refcnt=1
10.75.2.11 10.75.2.1
esp mode=tunnel spi=177832900(0x0a9983c4) reqid=0(0x00000000)
E: rijndael-cbc 55f21481 59e1fbbc 5d91e646 0efcf52e b1befe8b e9049fd5 0e9c42ed 3e626b09
A: hmac-sha1 4b74c636 2eb66619 8acb626a 627632d1 2aea9c0f
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jul 9 15:07:09 2013 current: Jul 9 15:07:38 2013
diff: 29(s) hard: 2147483(s) soft: 1717986(s)
last: hard: 0(s) soft: 0(s)
[b] current: 0(bytes) hard: 0(bytes) soft: 0(bytes)[/b]
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=8568 refcnt=1
root@gate:/root # setkey -PD
10.168.14.1[any] 0.0.0.0/0[any] any
in ipsec
esp/tunnel/10.75.2.11-10.75.2.1/require
created: Jul 9 15:07:09 2013 lastused: Jul 9 15:07:09 2013
lifetime: 2147483(s) validtime: 0(s)
spid=57 seq=1 pid=8569
refcnt=1
0.0.0.0/0[any] 10.168.14.1[any] any
out ipsec
esp/tunnel/10.75.2.1-10.75.2.11/require
created: Jul 9 15:07:09 2013 lastused: Jul 9 15:07:09 2013
lifetime: 2147483(s) validtime: 0(s)
spid=58 seq=0 pid=8569
refcnt=1
root@gate:/root #
root@gate:/root # tcpdump -ni vlan20 host 10.75.2.1 and host 10.75.2.11
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan20, link-type EN10MB (Ethernet), capture size 65535 bytes
15:17:38.707279 IP 10.75.2.11.57172 > 10.75.2.1.500: isakmp: phase 1 I agg
15:17:38.717888 IP 10.75.2.1.500 > 10.75.2.11.57172: isakmp: phase 1 R agg
15:17:38.728053 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: isakmp: phase 1 I agg[E]
15:17:38.730069 IP 10.75.2.1.4500 > 10.75.2.11.42228: NONESP-encap: isakmp: phase 2/others R #6[E]
15:17:38.731019 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
15:17:38.734027 IP 10.75.2.1.4500 > 10.75.2.11.42228: NONESP-encap: isakmp: phase 2/others R #6[E]
15:17:38.736040 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
15:17:38.736172 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
15:17:38.737316 IP 10.75.2.1.4500 > 10.75.2.11.42228: NONESP-encap: isakmp: phase 2/others R #6[E]
15:17:38.754117 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
15:17:38.755584 IP 10.75.2.1.4500 > 10.75.2.11.42228: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
15:17:38.757081 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
15:17:38.758021 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
15:17:38.759789 IP 10.75.2.1.4500 > 10.75.2.11.42228: NONESP-encap: isakmp: phase 2/others R inf[E]
15:17:47.770410 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: [|isakmp]
15:17:57.280527 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: [|isakmp]
15:17:58.731676 IP 10.75.2.1.4500 > 10.75.2.11.42228: NONESP-encap: isakmp: phase 2/others R inf[E]
15:17:58.734473 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
15:18:07.743664 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: [|isakmp]
15:18:17.248838 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: [|isakmp]
15:18:18.737441 IP 10.75.2.1.4500 > 10.75.2.11.42228: NONESP-encap: isakmp: phase 2/others R inf[E]
15:18:18.738824 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
15:18:27.748022 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: [|isakmp]
15:18:37.249271 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: [|isakmp]
15:18:38.741068 IP 10.75.2.1.4500 > 10.75.2.11.42228: NONESP-encap: isakmp: phase 2/others R inf[E]
15:18:38.743120 IP 10.75.2.11.42228 > 10.75.2.1.4500: NONESP-encap: isakmp: phase 2/others I inf[E]