
VPN tunnel between D-Link DI-804HV and FreeBSD 7

Posted: 2008-11-21 9:37:49
smertnik
Hello, I have run into the task of joining two networks.
I read http://www.lissyara.su/?id=1328 and http://www.lissyara.su/?id=1503.
What I have:
network 1: 192.168.10.0/23 <external freebsd ip>
network 2: 192.168.0.0/24 <external DI-804HV ip>
I rebuilt the kernel with the options:

Code:

options		IPFIREWALL
options		IPFIREWALL_VERBOSE
options		IPFIREWALL_VERBOSE_LIMIT=1000
# IPSEC
options		IPSEC
device		crypto
options		IPSEC_DEBUG
While setting things up, firewall_type=OPEN.
Installed ipsec-tools 0.7.1.

Configs:
ipsec.conf:

Code:

flush;
spdflush;
spdadd 192.168.10.0/23 192.168.0.0/24 any -P out ipsec esp/tunnel/<внешний freebsd ip>-<внешний DI-804HV ip>/require;
spdadd 192.168.0.0/24 192.168.10.0/23 any -P in ipsec esp/tunnel/<внешний DI-804HV ip>-<внешний freebsd ip>/require;
racoon.conf:

Code:

path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
path certificate "/usr/local/etc/racoon/cert";
log debug;
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}
listen
{
	isakmp <внешний freebsd ip> [500];
}
timer
{
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per send.
	# maximum time to wait for completing each phase.
	phase1 30 sec;
	phase2 15 sec;
}

remote anonymous
{
	exchange_mode main,aggressive;
	doi ipsec_doi;
	situation identity_only;

	my_identifier user_fqdn "mers@domain.ru";
	peers_identifier user_fqdn "mers@domain.ru";

	nonce_size 16;
	lifetime time 9600 sec; # sec,min,hour
	initial_contact on;
	support_mip6 on;
	proposal_check obey; # obey, strict or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 1;
	}
}
sainfo anonymous
{
        pfs_group 1;
        lifetime time 9600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
rc.conf:

Code:

racoon_enable="YES"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
D-Link DI-804HV settings:
[three screenshots of the router configuration, not reproduced]

Logs:

Code:

Nov 21 02:23:47 pereezd racoon: DEBUG: ===
Nov 21 02:23:47 pereezd racoon: DEBUG: 196 bytes message received from <внешний DI-804HV ip>[500] to <внешний freebsd ip>[500]
Nov 21 02:23:47 pereezd racoon: DEBUG:  bb52ec21 648a1f7f 00000000 00000000 01100200 00000000 000000c4 000000a8 00000001 00000001 0000009c 01010404 3800c8e1 03000024 01010000 80010005 80020002 80030001 80040002 800b0001 000c0004 00007080 03000024 02010000 80010005 80020001 80030001 80040002 800b0001 000c0004 00007080 03000024 03010000 80010001 80020002 80030001 80040002 800b0001 000c0004 00007080 00000024 04010000 80010001 80020001 80030001 80040002 800b0001 000c0004 00007080
Nov 21 02:23:47 pereezd racoon: DEBUG: begin.
Nov 21 02:23:47 pereezd racoon: DEBUG: seen nptype=1(sa)
Nov 21 02:23:47 pereezd racoon: DEBUG: succeed.
Nov 21 02:23:47 pereezd racoon: DEBUG: total SA len=164
Nov 21 02:23:47 pereezd racoon: DEBUG:  00000001 00000001 0000009c 01010404 3800c8e1 03000024 01010000 80010005 80020002 80030001 80040002 800b0001 000c0004 00007080 03000024 02010000 80010005 80020001 80030001 80040002 800b0001 000c0004 00007080 03000024 03010000 80010001 80020002 80030001 80040002 800b0001 000c0004 00007080 00000024 04010000 80010001 80020001 80030001 80040002 800b0001 000c0004 00007080
Nov 21 02:23:47 pereezd racoon: DEBUG: begin.
Nov 21 02:23:47 pereezd racoon: DEBUG: seen nptype=2(prop)
Nov 21 02:23:47 pereezd racoon: DEBUG: succeed.
Nov 21 02:23:47 pereezd racoon: DEBUG: proposal #1 len=156
Nov 21 02:23:47 pereezd racoon: DEBUG: begin.
Nov 21 02:23:47 pereezd racoon: DEBUG: seen nptype=3(trns)
Nov 21 02:23:47 pereezd last message repeated 3 times
Nov 21 02:23:47 pereezd racoon: DEBUG: succeed.
Nov 21 02:23:47 pereezd racoon: DEBUG: transform #1 len=36
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: encryption(3des)
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
Nov 21 02:23:47 pereezd racoon: DEBUG: hash(sha1)
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: hmac(modp1024)
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Nov 21 02:23:47 pereezd racoon: DEBUG: transform #2 len=36
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: encryption(3des)
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
Nov 21 02:23:47 pereezd racoon: DEBUG: hash(md5)
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: hmac(modp1024)
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Nov 21 02:23:47 pereezd racoon: DEBUG: transform #3 len=36
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: encryption(des)
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
Nov 21 02:23:47 pereezd racoon: DEBUG: hash(sha1)
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: hmac(modp1024)
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Nov 21 02:23:47 pereezd racoon: DEBUG: transform #4 len=36
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: encryption(des)
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
Nov 21 02:23:47 pereezd racoon: DEBUG: hash(md5)
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: hmac(modp1024)
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Nov 21 02:23:47 pereezd racoon: DEBUG: pair 1:
Nov 21 02:23:47 pereezd racoon: DEBUG:  0x2843a340: next=0x0 tnext=0x2843a350
Nov 21 02:23:47 pereezd racoon: DEBUG:   0x2843a350: next=0x0 tnext=0x2843a360
Nov 21 02:23:47 pereezd racoon: DEBUG:    0x2843a360: next=0x0 tnext=0x2843a370
Nov 21 02:23:47 pereezd racoon: DEBUG:     0x2843a370: next=0x0 tnext=0x0
Nov 21 02:23:47 pereezd racoon: DEBUG: proposal #1: 4 transform
Nov 21 02:23:47 pereezd racoon: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=4, #trns=4
Nov 21 02:23:47 pereezd racoon: DEBUG: trns#=1, trns-id=IKE
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Nov 21 02:23:47 pereezd racoon: DEBUG: Compared: DB:Peer
Nov 21 02:23:47 pereezd racoon: DEBUG: (lifetime = 28800:28800)
Nov 21 02:23:47 pereezd racoon: DEBUG: (lifebyte = 0:0)
Nov 21 02:23:47 pereezd racoon: DEBUG: enctype = 3DES-CBC:3DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: (encklen = 0:0)
Nov 21 02:23:47 pereezd racoon: DEBUG: hashtype = SHA:SHA
Nov 21 02:23:47 pereezd racoon: DEBUG: authmethod = pre-shared key:pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: dh_group = 768-bit MODP group:1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=4, #trns=4
Nov 21 02:23:47 pereezd racoon: DEBUG: trns#=2, trns-id=IKE
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Nov 21 02:23:47 pereezd racoon: DEBUG: Compared: DB:Peer
Nov 21 02:23:47 pereezd racoon: DEBUG: (lifetime = 28800:28800)
Nov 21 02:23:47 pereezd racoon: DEBUG: (lifebyte = 0:0)
Nov 21 02:23:47 pereezd racoon: DEBUG: enctype = 3DES-CBC:3DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: (encklen = 0:0)
Nov 21 02:23:47 pereezd racoon: DEBUG: hashtype = SHA:MD5
Nov 21 02:23:47 pereezd racoon: DEBUG: authmethod = pre-shared key:pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: dh_group = 768-bit MODP group:1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=4, #trns=4
Nov 21 02:23:47 pereezd racoon: DEBUG: trns#=3, trns-id=IKE
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Nov 21 02:23:47 pereezd racoon: DEBUG: Compared: DB:Peer
Nov 21 02:23:47 pereezd racoon: DEBUG: (lifetime = 28800:28800)
Nov 21 02:23:47 pereezd racoon: DEBUG: (lifebyte = 0:0)
Nov 21 02:23:47 pereezd racoon: DEBUG: enctype = 3DES-CBC:DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: (encklen = 0:0)
Nov 21 02:23:47 pereezd racoon: DEBUG: hashtype = SHA:SHA
Nov 21 02:23:47 pereezd racoon: DEBUG: authmethod = pre-shared key:pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: dh_group = 768-bit MODP group:1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=4, #trns=4
Nov 21 02:23:47 pereezd racoon: DEBUG: trns#=4, trns-id=IKE
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Nov 21 02:23:47 pereezd racoon: DEBUG: Compared: DB:Peer
Nov 21 02:23:47 pereezd racoon: DEBUG: (lifetime = 28800:28800)
Nov 21 02:23:47 pereezd racoon: DEBUG: (lifebyte = 0:0)
Nov 21 02:23:47 pereezd racoon: DEBUG: enctype = 3DES-CBC:DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: (encklen = 0:0)
Nov 21 02:23:47 pereezd racoon: DEBUG: hashtype = SHA:MD5
Nov 21 02:23:47 pereezd racoon: DEBUG: authmethod = pre-shared key:pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: dh_group = 768-bit MODP group:1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
Nov 21 02:23:47 pereezd racoon: DEBUG: type=Life Duration, flag=0x0000, lorv=4
Nov 21 02:24:07 pereezd racoon: DEBUG: ===
tcpdump | grep <внешний DI-804HV ip>

Code:

13:56:40.558826 IP <внешний DI-804HV ip>.isakmp > <внешний freebsd ip>.isakmp: isakmp: phase 1 I ident
13:56:41.556309 IP <внешний DI-804HV ip>.isakmp > <внешний freebsd ip>.isakmp: isakmp: phase 2/others I inf
13:56:41.557183 IP <внешний DI-804HV ip>.isakmp > <внешний freebsd ip>.isakmp: isakmp: phase 1 I ident
13:56:46.543746 IP <внешний DI-804HV ip>.isakmp > <внешний freebsd ip>.isakmp: isakmp: phase 1 I ident
13:56:51.531306 IP <внешний DI-804HV ip>.isakmp > <внешний freebsd ip>.isakmp: isakmp: phase 1 I ident
13:57:01.506191 IP <внешний DI-804HV ip>.isakmp > <внешний freebsd ip>.isakmp: isakmp: phase 1 I ident
13:57:11.481048 IP <внешний DI-804HV ip>.isakmp > <внешний freebsd ip>.isakmp: isakmp: phase 1 I ident
I've racked my brains over this: where is the screw-up coming from?
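
An added example (mine, not from the post or from racoon): the Python below decodes the 196-byte IKE message from the racoon DEBUG dump above according to the ISAKMP/IKEv1 payload layout (RFC 2408/2409) and compares each of the four transforms the DI-804HV offers against the phase 1 proposal in the racoon.conf above; the short attribute names and LOCAL_PHASE1 are my own reconstruction from that config. Every peer transform carries DH group 2 (MODP-1024) while the local proposal asks for dh_group 1, which is the mismatch racoon prints as `dh_group = 768-bit MODP group:1024-bit MODP group`.

```python
import struct

# Constructed sample: the 196-byte IKE message from the racoon DEBUG dump in the post above.
HEX_DUMP = (
    "bb52ec21 648a1f7f 00000000 00000000 01100200 00000000 000000c4 000000a8 00000001 00000001 "
    "0000009c 01010404 3800c8e1 03000024 01010000 80010005 80020002 80030001 80040002 800b0001 "
    "000c0004 00007080 03000024 02010000 80010005 80020001 80030001 80040002 800b0001 000c0004 "
    "00007080 03000024 03010000 80010001 80020002 80030001 80040002 800b0001 000c0004 00007080 "
    "00000024 04010000 80010001 80020001 80030001 80040002 800b0001 000c0004 00007080"
)
RAW = bytes.fromhex(HEX_DUMP.replace(" ", ""))
# IKEv1 phase 1 attribute classes and values (RFC 2409, appendix A); the names are my shorthand.
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "dh_group", 11: "life_type", 12: "life_dur"}
VALUE_NAMES = {1: {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}, 2: {1: "MD5", 2: "SHA"},
               3: {1: "pre-shared key", 3: "RSA signature"},
               4: {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"},
               11: {1: "seconds", 2: "kilobytes"}}
# Phase 1 proposal taken from the racoon.conf in the post: 3des, sha1, PSK, dh_group 1 (MODP-768).
LOCAL_PHASE1 = {"enc": "3DES-CBC", "hash": "SHA", "auth": "pre-shared key", "dh_group": "modp768"}

def parse_attributes(data):
    """Decode the TV/TLV attribute list of one transform payload into {name: value}."""
    attrs, off = {}, 0
    while off < len(data):
        af_type, val = struct.unpack_from("!HH", data, off)
        off += 4
        if not af_type & 0x8000:  # TLV form: 'val' is the length of the value that follows
            val, off = int.from_bytes(data[off:off + val], "big"), off + val
        atype = af_type & 0x7FFF
        attrs[ATTR_NAMES.get(atype, atype)] = VALUE_NAMES.get(atype, {}).get(val, val)
    return attrs

def parse_ike_sa(raw):
    """Return (exchange_type, [transform dicts]) for an IKEv1 message whose first payload is SA."""
    next_pl, _ver, exch, _flags, _msgid, length = struct.unpack_from("!BBBBII", raw, 16)
    if next_pl != 1 or length != len(raw):
        raise ValueError("not a complete IKE message starting with an SA payload")
    # SA generic header (4), DOI (4) and situation (4) precede the proposal payload at offset 40.
    _, _, _plen, _pno, _proto, spi_size, n_trans = struct.unpack_from("!BBHBBBB", raw, 40)
    transforms, off = [], 48 + spi_size
    for _ in range(n_trans):
        t_len = struct.unpack_from("!H", raw, off + 2)[0]
        transforms.append(parse_attributes(raw[off + 8:off + t_len]))  # 8-byte transform header
        off += t_len
    return exch, transforms

def matching_transforms(transforms, local=LOCAL_PHASE1):
    """Indices of peer transforms that agree with the local proposal on every phase 1 parameter."""
    return [i for i, t in enumerate(transforms) if all(t.get(k) == v for k, v in local.items())]
```

Exchange type 2 is main mode ("phase 1 I ident" in the tcpdump), and `matching_transforms` returns an empty list for this message, which is why phase 1 never completes with the posted config.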

Re: VPN tunnel between D-Link DI-804HV and FreeBSD 7

Posted: 2008-11-21 10:27:05
smertnik
I found the error, but I just can't understand why.

Code:

2008-11-21 14:48:22: ERROR: couldn't find the pskey for <внешний DI-804HV ip>.
2008-11-21 14:48:22: ERROR: failed to process packet.
2008-11-21 14:48:22: ERROR: phase1 negotiation failed.

Re: VPN tunnel between D-Link DI-804HV and FreeBSD 7

Posted: 2008-11-21 11:22:43
smertnik
I got the tunnel up, but another problem has appeared; so as not to multiply threads, I'll write it here.

Code:

route add 192.168.0.0/24 Внешний IP
route: writing to routing socket: Network is unreachable
add net 192.168.0.0: gateway Внешний IP: Network is unreachable