Debian/Ubuntu

[mzd] · Конфигурация компьютера

Рекомендую к прочтению:
The official IPsec Howto for Linux
Debian IPsec Micro‐Howto

J.Rico · Отправлено: **09:35, 28-12-2007** | #3

по второй ссылке пробовал делать, но через Racoon не получилось, поэтому к isakmpd обратился - там в конфигах хотя бы что-то совпадает с теми настройками, что оператор прислал.

по первой ссылке чичас про OpenBSD's isakmpd почитаю...
спасибо

J.Rico · Отправлено: **10:21, 28-12-2007** | #4

вот что удалось "нарыть":
kannel:~# isakmpd -d -4 -DA=90
120328.755939 Default log_debug_cmd: log level changed from 0 to 90 for class 0
120328.756711 Default log_debug_cmd: log level changed from 0 to 90 for class 1
120328.756792 Default log_debug_cmd: log level changed from 0 to 90 for class 2
120328.756869 Default log_debug_cmd: log level changed from 0 to 90 for class 3
120328.756946 Default log_debug_cmd: log level changed from 0 to 90 for class 4
120328.757022 Default log_debug_cmd: log level changed from 0 to 90 for class 5
120328.757099 Default log_debug_cmd: log level changed from 0 to 90 for class 6
120328.757175 Default log_debug_cmd: log level changed from 0 to 90 for class 7
120328.757252 Default log_debug_cmd: log level changed from 0 to 90 for class 8
120328.757328 Default log_debug_cmd: log level changed from 0 to 90 for class 9
120328.759054 Default log_debug_cmd: log level changed from 0 to 90 for class 10120328.760491 Sdep 80 pf_key_v2_write: iov[0]:
120328.760736 Sdep 80 02070003 02000000 01000000 110e0000
120329.084039 Sdep 80 pf_key_v2_read: msg:
120329.084325 Sdep 80 02070003 0f000000 01000000 110e0000 05000e00 65732d63 fb000000 00000000
120329.084440 Sdep 80 02008000 80000000 0300a000 a0000000 05000001 00010000 08000f00 616e6775
120329.084549 Sdep 80 0b000000 00000000 02084000 40000000 0308c000 c0000000 07082800 c0010000
120329.084648 Sdep 80 0c088000 00010000 fc088000 00010000 fd088000 00010000
120329.084736 Sdep 80 pf_key_v2_write: iov[0]:
120329.084830 Sdep 80 02070002 02000000 02000000 110e0000
120329.413101 Sdep 80 pf_key_v2_read: msg:
120329.413360 Sdep 80 02070002 0f000000 02000000 110e0000 05000e00 01000000 fb000000 00000000
120329.413475 Sdep 80 02008000 80000000 0300a000 a0000000 05000001 00010000 08000f00 00000000
120329.413581 Sdep 80 0b000000 00000000 02084000 40000000 0308c000 c0000000 07082800 c0010000
120329.413681 Sdep 80 0c088000 00010000 fc088000 00010000 fd088000 00010000
120329.413767 Sdep 80 pf_key_v2_write: iov[0]:
120329.413857 Sdep 80 02070009 02000000 03000000 110e0000
120329.744223 Sdep 80 pf_key_v2_read: msg:
120329.744503 Sdep 80 02070009 0f000000 03000000 110e0000 05000e00 01000000 fb000000 00000000
120329.744618 Sdep 80 02008000 80000000 0300a000 a0000000 05000001 00010000 08000f00 00000000
120329.744725 Sdep 80 0b000000 00000000 02084000 40000000 0308c000 c0000000 07082800 c0010000
120329.744825 Sdep 80 0c088000 00010000 fc088000 00010000 fd088000 00010000
120330.020624 Timr 10 timer_add_event: event connection_checker(0x82ba900) added last, expiration in 0s
120330.021101 Misc 60 connection_record_passive: passive connection "IPsec-east-west" added
120330.021232 Plcy 30 policy_init: initializing
120330.021728 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/ca/
120330.022032 Cryp 40 x509_read_from_dir: reading certs from /etc/isakmpd/certs/120330.022190 Cryp 40 x509_read_crls_from_dir: reading CRLs from /etc/isakmpd/crls/
120330.022456 Trpt 90 virtual_bind_if: interface lo family v4 address 127.0.0.1
120330.022564 Trpt 40 virtual_listen_lookup: no match
120330.022719 Trpt 90 virtual_bind_if: interface eth0 family v4 address 192.168.0.68
120330.022805 Trpt 40 virtual_listen_lookup: no match
120330.022925 Trpt 50 virtual_init: not binding ISAKMP port(s) to ADDR_ANY
120330.023023 Cryp 60 hash_get: requested algorithm 0
120330.023123 Exch 50 nat_t_setup_hashes: MD5("draft-ietf-ipsec-nat-t-ike-02
") (16 bytes)
120330.023202 Exch 50 nat_t_setup_hashes:
120330.023292 Exch 50 90cb8091 3ebb696e 086381b5 ec427b1f
120330.023371 Exch 50 nat_t_setup_hashes: MD5("draft-ietf-ipsec-nat-t-ike-03") (16 bytes)
120330.023486 Exch 50 nat_t_setup_hashes:
120330.023576 Exch 50 7d9419a6 5310ca6f 2c179d92 15529d56
120330.023657 Exch 50 nat_t_setup_hashes: MD5("RFC 3947") (16 bytes)
120330.023734 Exch 50 nat_t_setup_hashes:
120330.023824 Exch 50 4a131c81 07035845 5c5728f2 0e95452f
120330.024592 Timr 10 timer_handle_expirations: event connection_checker(0x82ba900)
120330.024815 Timr 10 timer_add_event: event connection_checker(0x82ba900) added last, expiration in 60s
120330.024906 SA 90 sa_find: no SA matched query
120330.024984 Sdep 70 pf_key_v2_connection_check: SA for IPsec-east-west missing120330.025118 SA 90 sa_find: no SA matched query
120330.025281 Trpt 40 virtual_listen_lookup: no match
120330.025365 Default udp_create: no matching listener found
120330.025446 Default exchange_establish: transport "udp" for peer "ISAKMP-peer-west" could not be created
120330.025524 SA 90 sa_find: no SA matched query
120430.026892 Timr 10 timer_handle_expirations: event connection_checker(0x82ba900)
120430.027151 Timr 10 timer_add_event: event connection_checker(0x82ba900) added last, expiration in 60s
120430.027241 SA 90 sa_find: no SA matched query
120430.027318 Sdep 70 pf_key_v2_connection_check: SA for IPsec-east-west missing120430.027432 SA 90 sa_find: no SA matched query
120430.027594 Trpt 40 virtual_listen_lookup: no match
120430.027675 Default udp_create: no matching listener found
120430.027755 Default exchange_establish: transport "udp" for peer "ISAKMP-peer-west" could not be created
120430.027833 SA 90 sa_find: no SA matched query
120530.030519 Timr 10 timer_handle_expirations: event connection_checker(0x82ba900)
120530.030801 Timr 10 timer_add_event: event connection_checker(0x82ba900) added last, expiration in 60s
120530.030896 SA 90 sa_find: no SA matched query
120530.030977 Sdep 70 pf_key_v2_connection_check: SA for IPsec-east-west missing120530.031094 SA 90 sa_find: no SA matched query
120530.031259 Trpt 40 virtual_listen_lookup: no match
120530.031344 Default udp_create: no matching listener found
120530.031427 Default exchange_establish: transport "udp" for peer "ISAKMP-peer-west" could not be created
120530.031509 SA 90 sa_find: no SA matched query
120630.033739 Timr 10 timer_handle_expirations: event connection_checker(0x82ba900)
120630.034009 Timr 10 timer_add_event: event connection_checker(0x82ba900) added last, expiration in 60s
120630.034102 SA 90 sa_find: no SA matched query
120630.034183 Sdep 70 pf_key_v2_connection_check: SA for IPsec-east-west missing120630.034300 SA 90 sa_find: no SA matched query
120630.034467 Trpt 40 virtual_listen_lookup: no match
120630.034552 Default udp_create: no matching listener found
120630.034635 Default exchange_establish: transport "udp" for peer "ISAKMP-peer-west" could not be created
120630.034717 SA 90 sa_find: no SA matched query
120730.037164 Timr 10 timer_handle_expirations: event connection_checker(0x82ba900)
120730.037412 Timr 10 timer_add_event: event connection_checker(0x82ba900) added last, expiration in 60s
120730.037507 SA 90 sa_find: no SA matched query
120730.037588 Sdep 70 pf_key_v2_connection_check: SA for IPsec-east-west missing120730.037706 SA 90 sa_find: no SA matched query
120730.037874 Trpt 40 virtual_listen_lookup: no match
120730.037959 Default udp_create: no matching listener found
120730.038042 Default exchange_establish: transport "udp" for peer "ISAKMP-peer-west" could not be created
120730.038124 SA 90 sa_find: no SA matched query
120830.040653 Timr 10 timer_handle_expirations: event connection_checker(0x82ba900)
120830.040906 Timr 10 timer_add_event: event connection_checker(0x82ba900) added last, expiration in 60s
120830.040999 SA 90 sa_find: no SA matched query
120830.041080 Sdep 70 pf_key_v2_connection_check: SA for IPsec-east-west missing120830.041196 SA 90 sa_find: no SA matched query
120830.041362 Trpt 40 virtual_listen_lookup: no match
120830.041447 Default udp_create: no matching listener found
120830.041530 Default exchange_establish: transport "udp" for peer "ISAKMP-peer-west" could not be created
120830.041613 SA 90 sa_find: no SA matched query

что не так делаю?
(файлы настройки ниже)

ISAKMPD.CONF

# $OpenBSD: VPN-east.conf,v 1.13 2003/03/16 08:13:02 matthieu Exp $
# $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
#
# "west" and "east" are the respective security gateways (aka VPN-nodes).
[General]
Listen-on= 83.149.33.133

[Phase 1]
83.149.33.133= ISAKMP-peer-west

[Phase 2]
Connections= IPsec-east-west

[ISAKMP-peer-west]
Phase= 1
Transport= udp
Address= 83.149.33.133
Configuration= Default-main-mode
Authentication= hqMR32yH4Gvi008Gw966

[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-west
Configuration= Default-quick-mode
Local-ID= Net-east
Remote-ID= Net-west

[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 83.149.33.0
Netmask= 255.255.255.0

[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 81.91.60.0
Netmask= 255.255.255.0

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= ESP-3DES ESP-SHA-HMAC

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE

ISAKMPD.POLICY

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
$OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
$EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
Authorizer: "POLICY"
Licensees: "passphrase:hqMR32yH4Gvi008Gw966"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
#esp_enc_alg == "aes" &&
#esp_auth_alg == "hmac-sha" -> "true";
esp_enc_alg == "3des" &&
esp_auth_alg == "pre-share" -> "true";
#pfs == "group 2"
pfs == "yes" -> "true";
ah_hash_alg == "sha" &&
esp_lifetime_seconds == "3600" &&

148vsib3@vk · Отправлено: **16:51, 10-09-2013** | #5

Вот, подробная статья по настройке ipsec через racoon http://joyit.ru/ubuntu/29-ubuntu-11-...ls-racoon.html