Я настраивал туннель между FreeBSD 7.3 и Linksys RVS 4000
Ядро собрал с опциями:
# Kernel options used for this IPsec + ipfw gateway (FreeBSD 7.3).
options IPSEC
# Extra IPsec debugging sysctls; useful while bringing the tunnel up,
# not needed afterwards.
options IPSEC_DEBUG
# Intended to let the packet filter see traffic that came out of an IPsec
# tunnel rather than only the outer ESP packet — confirm against NOTES for 7.3.
options IPSEC_FILTERTUNNEL
options IPFIREWALL
options IPFIREWALL_VERBOSE
# Cap on logged packets per rule, so a flood cannot fill the log.
options IPFIREWALL_VERBOSE_LIMIT=100
# Enables the "fwd" action in ipfw rules.
options IPFIREWALL_FORWARD
# NOTE(review): the built-in last rule becomes "allow ip from any to any";
# anything not matched by an explicit rule passes, so make sure the ruleset
# loaded at boot actually covers the external interface (re1 in rc.conf).
options IPFIREWALL_DEFAULT_TO_ACCEPT
# Generic IP-in-IP tunnel interface (gif0 in rc.conf).
device gif
# Kernel crypto framework used by ESP.
device crypto
# cat /usr/local/etc/racoon/racoon.conf
# racoon(8) IKE daemon configuration for the FreeBSD side of the tunnel.
# Phase 1 (ISAKMP-SA) is described in "remote", phase 2 (IPsec-SA) in "sainfo".
path include "/usr/local/etc/racoon";
# Pre-shared keys live outside this file; racoon requires that file to be
# owned by the user it runs as and not readable by anyone else.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
# NOTE(review): at debug2 the log contains raw packet hex dumps (see the
# racoon.log excerpt further down this page); keep /var/log/racoon.log
# root-only and drop back to "notify" or "info" once the tunnel is stable.
log debug2; # "debug" or "debug2" can be useful while troubleshooting
padding
{
maximum_length 28;
randomize off;
strict_check off;
exclusive_tail off;
}
listen
{
# IKE (UDP 500) is accepted on the public interface address only.
isakmp 1.1.1.1 [500];
}
timer
{
# Resend up to 5 times, 20 s apart; give up on phase 1 after 60 s and on
# phase 2 after 45 s.
counter 5;
interval 20 sec;
persend 1;
phase1 60 sec;
phase2 45 sec;
}
# NOTE(review): "anonymous" matches any peer address. This tunnel has exactly
# one peer (2.2.2.2 in psk.txt and ipsec.conf), so a "remote 2.2.2.2" block
# would limit who may even start a negotiation with this gateway.
remote anonymous
{
# NOTE(review): accepting aggressive mode together with pre-shared keys lets
# the identity and the PSK-derived hash travel unencrypted, which exposes the
# key to offline guessing; prefer "main" alone if the RVS4000 supports it.
exchange_mode aggressive,main,base;
doi ipsec_doi;
situation identity_only;
nonce_size 16;
# Phase 1 SA lifetime.
lifetime time 3600 sec;
initial_contact on;
# Responder only: this side never initiates phase 1 itself.
passive on;
# NOTE(review): support_mip6 is the older spelling of support_proxy in
# racoon; check which keyword the installed ipsec-tools version documents.
support_mip6 on;
#support_proxy on;
# "obey" accepts the initiator's proposal (including its lifetime) as is.
proposal_check obey;
#proposal_check strict;
proposal
{
# 3DES / SHA-1 / 1024-bit MODP (group 2): legacy-strength choices; use AES,
# SHA-2 and a larger group (14+) if both ends support them.
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous
{
# NOTE(review): PFS group 1 is 768-bit MODP, weaker than the phase-1 dh_group 2
# configured above; use group 2 (or higher) here too if the router allows it.
pfs_group 1;
# Phase 2 SA lifetime; matches the hard lifetime shown by "setkey -D" below.
lifetime time 3600 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
# IPComp (deflate) is offered in addition to ESP.
compression_algorithm deflate;
}
# cat /usr/local/etc/racoon/psk.txt
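# One line per peer: "identifier key". racoon takes everything after the
# first blank up to the end of the line as the key, so a comment on the same
# line as the key becomes part of the secret and never matches the router's
# PSK — keep comments on their own lines. The file must be owned by the user
# racoon runs as and must not be readable by others (mode 0600), or racoon
# refuses to use it.
# Remote gateway address; "primerpass" is only an example, use a long random
# secret in practice.
2.2.2.2 primerpass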
cat /usr/local/etc/racoon/ipsec.conf
#!/usr/local/sbin/setkey -f
# Security Policy Database for the site-to-site tunnel; loaded at boot via
# ipsec_file in rc.conf. Only policies are set here — the SAs themselves are
# negotiated by racoon.
# Start from an empty SAD and SPD so stale entries cannot linger.
flush;
spdflush;
# Traffic between the inner networks (local 4.4.4.0/24 <-> remote 5.5.5.0/24)
# must be carried inside ESP in tunnel mode between the gateways 1.1.1.1 and
# 2.2.2.2. "require" means matching traffic is never sent in the clear: with
# no SA in place it is dropped and an IKE negotiation is triggered.
# NOTE(review): the prefixes are written with host bits set (4.4.4.4/24);
# the network form 4.4.4.0/24 selects the same range but reads unambiguously.
# NOTE(review): rc.conf also builds a gif0 tunnel between the same gateways
# for the same subnets; confirm with tcpdump on re1 that subnet traffic leaves
# as ESP and not as plain IP-in-IP via gif0.
spdadd 4.4.4.4/24 5.5.5.5/24 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 5.5.5.5/24 4.4.4.4/24 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
# cat /etc/sysctl.conf
# Prefer the newest SA when several matching ones exist, so traffic moves to
# a freshly rekeyed SA instead of sticking to the one about to expire.
net.key.preferred_oldsa=0 #( for new keys)
# cat /etc/rc.conf
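# /etc/rc.conf for the FreeBSD IPsec gateway.
# Forward packets between re0 (LAN) and re1 (WAN).
gateway_enable="YES"
inetd_enable="YES"
# LAN side (inner network 4.4.4.0/24) and WAN side (public address 1.1.1.1).
ifconfig_re0="inet 4.4.4.4 netmask 255.255.255.0"
ifconfig_re1="inet 1.1.1.1 netmask 255.255.255.224"
defaultrouter="1.1.1.3"
hostname="xxx"
# gif0: IP-in-IP tunnel with outer endpoints 1.1.1.1 <-> 2.2.2.2 and inner
# addresses 4.4.4.4 <-> 5.5.5.5.
cloned_interfaces="gif0"
gif_interfaces="gif0"
gifconfig_gif0="1.1.1.1 2.2.2.2"
ifconfig_gif0="inet 4.4.4.4 5.5.5.5 netmask 255.255.255.0"
# Static route for the remote subnet through the tunnel. The variable must be
# named route_<entry> for each entry listed in static_routes; the previous
# "route_PS" did not match the entry "VPN", so the route for 5.5.5.0/24 was
# never installed at boot.
static_routes="VPN"
route_VPN="5.5.5.5/24 -interface gif0"
# IKE daemon; -l writes its log to a file instead of syslog. At the debug2
# level set in racoon.conf that file contains packet dumps, so keep it
# root-only.
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
# Load the SPD from the setkey script at boot.
ipsec_enable="YES"
ipsec_file="/usr/local/etc/racoon/ipsec.conf"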
# setkey -D
1.1.1.1 2.2.2.2
esp mode=tunnel spi=3088247169(0xb812e981) reqid=0(0x00000000)
E: 3des-cbc 575b3970 49d591ce f011f75f 1faf1793 03959cf7 96890e13
A: hmac-sha1 12c9ffd3 654606af 74517de4 d4b5ce5f 0eea33a0
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Dec 10 11:08:01 2010 current: Dec 10 11:38:24 2010
diff: 1823(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=10120 refcnt=1
2.2.2.2 1.1.1.1
esp mode=tunnel spi=46559906(0x02c672a2) reqid=0(0x00000000)
E: 3des-cbc 1fdf74c0 15ca4b71 f9b4b5c4 daf973c7 40293a1c e1a8394a
A: hmac-sha1 aac263fb b7ce5aef 02cf55e3 c58ae035 87b82bdf
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Dec 10 11:08:01 2010 current: Dec 10 11:38:24 2010
diff: 1823(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=10120 refcnt=1
Последние строки из /var/log/messages (# cat /var/log/messages)
Dec 10 10:12:18 xxx kernel: re0: promiscuous mode enabled
Dec 10 10:12:18 xxx kernel: re0: promiscuous mode disabled
Dec 10 10:12:21 xxx kernel: re0: promiscuous mode enabled
Dec 10 10:12:21 xxx kernel: re0: promiscuous mode disabled
Dec 10 10:18:07 xxx kernel: gif0: promiscuous mode enabled
Dec 10 10:19:10 xxx kernel: gif0: promiscuous mode disabled
Dec 10 10:19:12 xxx kernel: gif0: promiscuous mode enabled
Dec 10 10:25:27 xxx kernel: gif0: promiscuous mode disabled
Dec 10 10:25:35 xxx kernel: gif0: promiscuous mode enabled
Dec 10 10:30:53 xxx kernel: gif0: promiscuous mode disabled
Последние строки из racoon.log
2010-12-10 11:34:20: DEBUG: encrypted.
2010-12-10 11:34:20: DEBUG: 68 bytes from 1.1.1.1[500] to 2.2.2.2[500]
2010-12-10 11:34:20: DEBUG: sockname 1.1.1.1[500]
2010-12-10 11:34:20: DEBUG: send packet from 1.1.1.1[500]
2010-12-10 11:34:20: DEBUG: send packet to 2.2.2.2[500]
2010-12-10 11:34:20: DEBUG: 1 times of 68 bytes message will be sent to 2.2.2.2[500]
2010-12-10 11:34:20: DEBUG:
761864a8 78b69ef8 49f770a2 e5c9d711 05100201 00000000 00000044 6a8d3c17
d0d06a99 12989866 7adb7986 841c6e5d d4f91433 6c3851f1 8c1220a6 94ab5e0c
6ecb068a
2010-12-10 11:34:20: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:761864a878b69ef8:49f770a2e5c9d711
2010-12-10 11:34:20: DEBUG: ===