
freebsd ipsec site-to-site

Added: 2015-09-10 11:10:53
dgadavin
Please help me get this working.
Management's axe is already raised.

My side: FreeBSD 10.1
external IP 1.1.1.1
network 192.168.4.0/24

Cisco, at another company
external IP 2.2.2.2
network 10.131.0.0/16
IPSec Proposal - ESP-AES-256-SHA
IKE policy - IKEv1, pre-share-aes-256-sha


/etc/rc.conf
racoon_enable="YES"
racoon_flags="-f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"



/etc/ipsec.conf
flush;
spdflush;
spdadd 192.168.4.0/24 10.131.0.0/16 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/unique;
spdadd 10.131.0.0/16 192.168.4.0/24 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/unique;



/usr/local/etc/racoon/racoon.conf

path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug;
padding
{
}
listen
{
        isakmp 1.1.1.1 [500];
        adminsock "/var/db/racoon/racoon.sock";
}
timer
{
        phase1 30 sec;
        phase2 15 sec;
}
remote 2.2.2.2 # external IP address of the remote side
{
        my_identifier address 1.1.1.1;
        peers_identifier address 2.2.2.2;
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;

        nonce_size 16;
        lifetime time 86400 sec;
        initial_contact on;
        support_proxy on;

        proposal
        {
                encryption_algorithm aes 256;           # encryption algorithm
                hash_algorithm sha1;                    # hash algorithm
                authentication_method pre_shared_key;   # pre-shared-key authentication
                dh_group 5;                             # Diffie-Hellman group (key size)
        }
}

sainfo subnet 192.168.4.0/24 any subnet 10.131.0.0/16 any
{
        lifetime time 24 hour;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}



/etc/ipf.rules
pass in quick proto esp from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass out quick proto esp from any to any
pass out quick proto udp from any port = 500 to any port = 500



Output of setkey -D
2.2.2.2 1.1.1.1
esp mode=tunnel spi=154187536(0x0930b710) reqid=16386(0x00004002)
E: rijndael-cbc 87e30073 4735a2f5 586f7cbd a85dec0a 15b43912 b5a92271 fcf49714 262f2c23
A: hmac-sha1 96e50055 6ea73993 ab1a2710 4b3b0a67 b658c713
seq=0x00000042 replay=4 flags=0x00000000 state=mature
created: Sep 10 07:13:26 2015 current: Sep 10 11:00:05 2015
diff: 13599(s) hard: 28800(s) soft: 23040(s)
last: Sep 10 07:14:33 2015 hard: 0(s) soft: 0(s)
current: 5544(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 66 hard: 0 soft: 0
sadb_seq=0 pid=6494 refcnt=1


Question: the host 10.131.1.5 does not respond to ping.
Where should I dig?
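As an added diagnostic (not posted by either participant), the following POSIX sh/awk script parses `setkey -D` output of the form quoted above and reports whether a mature tunnel-mode ESP SA is present in both directions between the gateways, and which hard lifetime the kernel actually installed. The gateway addresses are the ones from the post; SAMPLE_SAD is a constructed copy of the single inbound SA shown, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: parse `setkey -D` output and report
# whether a mature tunnel-mode ESP SA exists in BOTH directions between the
# gateways, plus the hard lifetime the kernel actually installed.
# LOCAL_GW/REMOTE_GW are the addresses from the post; SAMPLE_SAD is a
# constructed copy of the single (inbound) SA the poster showed.
LOCAL_GW=1.1.1.1
REMOTE_GW=2.2.2.2

SAMPLE_SAD='2.2.2.2 1.1.1.1
    esp mode=tunnel spi=154187536(0x0930b710) reqid=16386(0x00004002)
    E: rijndael-cbc 87e30073 4735a2f5 586f7cbd a85dec0a 15b43912 b5a92271 fcf49714 262f2c23
    seq=0x00000042 replay=4 flags=0x00000000 state=mature
    created: Sep 10 07:13:26 2015   current: Sep 10 11:00:05 2015
    diff: 13599(s)  hard: 28800(s)  soft: 23040(s)
    sadb_seq=0 pid=6494 refcnt=1'

# sad_hard_lifetime SRC DST   (SAD text on stdin)
# Prints the hard lifetime (seconds) of the mature tunnel-mode ESP SA from
# SRC to DST; prints nothing if no such SA exists.
sad_hard_lifetime() {
    awk -v src="$1" -v dst="$2" '
        # Every SA record opens with a bare "SRC DST" line: reset state.
        NF == 2 && $1 ~ /^[0-9.]+$/ && $2 ~ /^[0-9.]+$/ {
            cur = ($1 == src && $2 == dst); tunnel = 0; mature = 0; next
        }
        cur && /^[ \t]*esp mode=tunnel/ { tunnel = 1 }
        cur && /state=mature/           { mature = 1 }
        # The first "hard: N(s)" after the state line is the SA time lifetime.
        cur && tunnel && mature && match($0, /hard: [0-9]+\(s\)/) {
            print substr($0, RSTART + 6, RLENGTH - 9); exit
        }
    '
}

# check_tunnel_sas SAD_TEXT
# Prints "ok" or "missing:<outbound|inbound|outbound,inbound>".
check_tunnel_sas() {
    missing=""
    out_lt=$(printf '%s\n' "$1" | sad_hard_lifetime "$LOCAL_GW" "$REMOTE_GW")
    [ -n "$out_lt" ] || missing="outbound"
    in_lt=$(printf '%s\n' "$1" | sad_hard_lifetime "$REMOTE_GW" "$LOCAL_GW")
    [ -n "$in_lt" ] || missing="${missing:+$missing,}inbound"
    if [ -n "$missing" ]; then echo "missing:$missing"; else echo "ok"; fi
}

# On the gateway itself: sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then check_tunnel_sas "$(setkey -D)"; fi
```

Run against the quoted output it reports "missing:outbound", since only the 2.2.2.2 -> 1.1.1.1 SA is shown, and the installed hard lifetime of 28800 s differs from the 24 hour value configured in sainfo.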

Added: 2015-10-26 8:51:54
gumeniuc
1. Check the timers.
2. Are you sure you are using DH group 5 and that there is no PFS?