Привет!
Не могу никак понять в чем проблема с поднятием site-to-site впн-а между центос и циской.
Конфиги и логи:
Со стороны центоса:
[root@gate racoon]# uname -r
2.6.18-164.2.my
[root@gate racoon]# yum list | grep ipsec
ipsec-tools.i386 0.6.5-14.el5_5.5 installed
Сеть – 192.168.2.0/23
Шлюз – 192.168.2.3
Внешний адрес – 217.217.217.217
/etc/sysconfig/network-scripts/ifcfg-ipsec0:
DSTGW=172.16.1.1
SRCGW=192.168.2.3
DSTNET=172.16.1.0/24
SRCNET=192.168.2.0/23
DST=97.97.97.97
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
/etc/sysconfig/network-scripts/key-ipsec0:
IKE_PSK=very_secure_key
/etc/racoon/racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log debug ;
remote anonymous
{
exchange_mode main ;
my_identifier address 97.97.97.97 ;
initial_contact on ;
situation identity_only ;
proposal_check obey ;
nat_traversal off ;
lifetime time 24 hour ;
proposal {
encryption_algorithm 3des ;
hash_algorithm md5 ;
authentication_method pre_shared_key ;
dh_group 2 ; }
}
sainfo anonymous
{
pfs_group 2;
lifetime time 24 hour ;
encryption_algorithm 3des ;
authentication_algorithm hmac_md5 ;
compression_algorithm deflate ;
}
#include "/etc/racoon/.conf";
include "/etc/racoon/97.97.97.97.conf";
/etc/racoon/97.97.97.97.conf:
remote 97.97.97.97
{
exchange_mode aggressive, main;
my_identifier address;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
/etc/racoon/setkey.conf:
spdflush;
flush;
spdadd 192.168.2.0/23 172.16.1.1/24 any -P out ipsec esp/tunnel/97.97.97.97-217.217.217.217/require;
spdadd 172.16.1.1/24 192.168.2.0/23 any -P in ipsec esp/tunnel/217.217.217.217-97.97.97.97/require;
Со стороны циски:
Cisco ASA 5510
Сеть – 172.16.1.0/24
Шлюз – 172.16.1.1
Внешний адрес – 97.97.97.97
crypto map outside2_map 2 match address outside2_2_cryptomap
crypto map outside2_map 2 set peer 217.217.217.217
crypto map outside2_map 2 set transform-set ESP-3DES-SHA
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside2_2_cryptomap extended permit ip 172.16.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
object-group network DM_INLINE_NETWORK_1
network-object host 192.168.2.0
network-object host 255.255.254.0
crypto isakmp enable outside2
crypto isakmp policy 25
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 217.217.217.217 type ipsec-l2l
tunnel-group 217.217.217.217 ipsec-attributes
pre-shared-key *****
Лог ракуна при попытке соединения:
2011-08-31 16:23:57: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
2011-08-31 16:23:57: INFO: @(#)This product linked OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 (http://www.openssl.org/)
2011-08-31 16:23:57: DEBUG: call pfkey_send_register for AH
2011-08-31 16:23:57: DEBUG: call pfkey_send_register for ESP
2011-08-31 16:23:57: DEBUG: call pfkey_send_register for IPCOMP
2011-08-31 16:23:57: DEBUG: reading config file /etc/racoon/racoon.conf
2011-08-31 16:23:57: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2011-08-31 16:23:57: DEBUG: filename: /etc/racoon/97.97.97.97.conf
2011-08-31 16:23:57: DEBUG: reading config file /etc/racoon/97.97.97.97.conf
2011-08-31 16:23:57: DEBUG: hmac(modp1024)
2011-08-31 16:23:57: DEBUG: open /var/racoon/racoon.sock as racoon management.
2011-08-31 16:23:57: DEBUG: my interface: 172.16.2.2 (eth2)
2011-08-31 16:23:57: DEBUG: my interface: 192.168.2.3 (eth2)
2011-08-31 16:23:57: DEBUG: my interface: 217.217.217.136 (eth0)
2011-08-31 16:23:57: DEBUG: my interface: 217.217.217.135 (eth0)
2011-08-31 16:23:57: DEBUG: my interface: 217.217.217.134 (eth0)
2011-08-31 16:23:57: DEBUG: my interface: 217.217.217.133 (eth0)
2011-08-31 16:23:57: DEBUG: my interface: 217.217.217.132 (eth0)
2011-08-31 16:23:57: DEBUG: my interface: 217.217.217.131 (eth0)
2011-08-31 16:23:57: DEBUG: my interface: 217.217.217.130 (eth0)
2011-08-31 16:23:57: DEBUG: my interface: 217.217.217.217 (eth0)
2011-08-31 16:23:57: DEBUG: my interface: 127.0.0.1 (lo)
2011-08-31 16:23:57: DEBUG: configuring default isakmp port.
2011-08-31 16:23:57: DEBUG: 11 addrs are configured successfully
2011-08-31 16:23:57: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
2011-08-31 16:23:57: INFO: 127.0.0.1[500] used for NAT-T
2011-08-31 16:23:57: INFO: 217.217.217.217[500] used as isakmp port (fd=9)
2011-08-31 16:23:57: INFO: 217.217.217.217[500] used for NAT-T
2011-08-31 16:23:57: INFO: 217.217.217.130[500] used as isakmp port (fd=10)
2011-08-31 16:23:57: INFO: 217.217.217.130[500] used for NAT-T
2011-08-31 16:23:57: INFO: 217.217.217.131[500] used as isakmp port (fd=11)
2011-08-31 16:23:57: INFO: 217.217.217.131[500] used for NAT-T
2011-08-31 16:23:57: INFO: 217.217.217.132[500] used as isakmp port (fd=12)
2011-08-31 16:23:57: INFO: 217.217.217.132[500] used for NAT-T
2011-08-31 16:23:57: INFO: 217.217.217.133[500] used as isakmp port (fd=13)
2011-08-31 16:23:57: INFO: 217.217.217.133[500] used for NAT-T
2011-08-31 16:23:57: INFO: 217.217.217.134[500] used as isakmp port (fd=14)
2011-08-31 16:23:57: INFO: 217.217.217.134[500] used for NAT-T
2011-08-31 16:23:57: INFO: 217.217.217.135[500] used as isakmp port (fd=15)
2011-08-31 16:23:57: INFO: 217.217.217.135[500] used for NAT-T
2011-08-31 16:23:57: INFO: 217.217.217.136[500] used as isakmp port (fd=16)
2011-08-31 16:23:57: INFO: 217.217.217.136[500] used for NAT-T
2011-08-31 16:23:57: INFO: 192.168.2.3[500] used as isakmp port (fd=17)
2011-08-31 16:23:57: INFO: 192.168.2.3[500] used for NAT-T
2011-08-31 16:23:57: INFO: 172.16.2.2[500] used as isakmp port (fd=18)
2011-08-31 16:23:57: INFO: 172.16.2.2[500] used for NAT-T
2011-08-31 16:23:57: DEBUG: get pfkey X_SPDDUMP message
2011-08-31 16:23:57: DEBUG: get pfkey X_SPDDUMP message
2011-08-31 16:23:57: DEBUG: sub:0xbf967288: 192.168.2.0/23[0] 172.16.1.0/24[0] proto=any dir=out
2011-08-31 16:23:57: DEBUG: db :0x94d0190: 172.16.1.0/24[0] 192.168.2.0/23[0] proto=any dir=in
2011-08-31 16:23:57: DEBUG: sub:0xbf967288: 192.168.2.0/23[0] 172.16.1.0/24[0] proto=any dir=out
2011-08-31 16:23:57: DEBUG: db :0x94d0190: 172.16.1.0/24[0] 192.168.2.0/23[0] proto=any dir=in
2011-08-31 16:23:57: DEBUG: get pfkey X_SPDDUMP message
2011-08-31 16:23:57: DEBUG: sub:0xbf967288: 172.16.1.0/24[0] 192.168.2.0/23[0] proto=any dir=fwd
2011-08-31 16:23:57: DEBUG: db :0x94d0190: 172.16.1.0/24[0] 192.168.2.0/23[0] proto=any dir=in
2011-08-31 16:23:57: DEBUG: sub:0xbf967288: 172.16.1.0/24[0] 192.168.2.0/23[0] proto=any dir=fwd
2011-08-31 16:23:57: DEBUG: db :0x94d0fc8: 192.168.2.0/23[0] 172.16.1.0/24[0] proto=any dir=out
2011-08-31 16:24:14: DEBUG: get pfkey ACQUIRE message
2011-08-31 16:24:14: DEBUG: suitable outbound SP found: 192.168.2.0/23[0] 172.16.1.0/24[0] proto=any dir=out.
2011-08-31 16:24:14: DEBUG: sub:0xbf967288: 172.16.1.0/24[0] 192.168.2.0/23[0] proto=any dir=in
2011-08-31 16:24:14: DEBUG: db :0x94d0190: 172.16.1.0/24[0] 192.168.2.0/23[0] proto=any dir=in
2011-08-31 16:24:14: DEBUG: suitable inbound SP found: 172.16.1.0/24[0] 192.168.2.0/23[0] proto=any dir=in.
2011-08-31 16:24:14: DEBUG: new acquire 192.168.2.0/23[0] 172.16.1.0/24[0] proto=any dir=out
2011-08-31 16:24:14: DEBUG: anonymous sainfo selected.
2011-08-31 16:24:14: DEBUG: (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2011-08-31 16:24:14: DEBUG: (trns_id=MD5 authtype=hmac-md5)
2011-08-31 16:24:14: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2011-08-31 16:24:14: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5)
2011-08-31 16:24:14: DEBUG: configuration found for 97.97.97.97.
2011-08-31 16:24:14: INFO: IPsec-SA request for 97.97.97.97 queued due to no phase1 found.
2011-08-31 16:24:14: DEBUG: ===
2011-08-31 16:24:14: INFO: initiate new phase 1 negotiation: 217.217.217.217[500]<=>97.97.97.97[500]
2011-08-31 16:24:14: INFO: begin Aggressive mode.
2011-08-31 16:24:14: DEBUG: new cookie:
a12bfd41c5f00ceb
2011-08-31 16:24:14: DEBUG: use ID type of IPv4_address
2011-08-31 16:24:14: DEBUG: compute DH's private.
2011-08-31 16:24:14: DEBUG:
6a2bf631 24e4f132 1edbe6d1 be073625 1a730b72 145a9ab3 63b12ece e6e10ced
16dd7ec4 bd98550c 98a6d71e 67398d11 9d0e747d 59b1c5f3 3068e2f3 368b0a63
4e9114df 31c1711c 4f0af73e 6403c656 9e98730f bc1875ed 532acdc5 03a25578
681b82cc 1930d2cb 102eb637 bc80aa43 74b1b5d6 ac90b17e d18a2a3a 7cb9cf7f
2011-08-31 16:24:14: DEBUG: compute DH's public.
2011-08-31 16:24:14: DEBUG:
1efecb42 b7c9d730 bb494fde 24296553 d37db099 d23c5653 a43b1dd5 b1043f30
db0c9049 a0948cb1 d4cc616e 01603333 58c96a29 b2e0d085 4c84ea40 a98f2279
5d48f367 6c02199f 6d40e8d6 9bb23574 04352ab1 2c681803 8eb8db7b 8d517ea4
0b4ffe2c a5eb1642 dd057552 c2a6ccb6 238d4ce3 16fee7da ab924680 9ff3b677
2011-08-31 16:24:14: DEBUG: authmethod is pre-shared key
2011-08-31 16:24:14: DEBUG: add payload of len 48, next type 4
2011-08-31 16:24:14: DEBUG: add payload of len 128, next type 10
2011-08-31 16:24:14: DEBUG: add payload of len 16, next type 5
2011-08-31 16:24:14: DEBUG: add payload of len 8, next type 13
2011-08-31 16:24:14: DEBUG: add payload of len 16, next type 0
2011-08-31 16:24:14: DEBUG: 264 bytes from 217.217.217.217[500] to 97.97.97.97[500]
2011-08-31 16:24:14: DEBUG: sockname 217.217.217.217[500]
2011-08-31 16:24:14: DEBUG: send packet from 217.217.217.217[500]
2011-08-31 16:24:14: DEBUG: send packet to 97.97.97.97[500]
2011-08-31 16:24:14: DEBUG: src4 217.217.217.217[500]
2011-08-31 16:24:14: DEBUG: dst4 97.97.97.97[500]
2011-08-31 16:24:14: DEBUG: src4 217.217.217.217[500]
2011-08-31 16:24:14: DEBUG: dst4 97.97.97.97[500]
2011-08-31 16:24:14: DEBUG: 1 times of 264 bytes message will be sent to 97.97.97.97[500]
2011-08-31 16:24:14: DEBUG:
a12bfd41 c5f00ceb 00000000 00000000 01100400 00000000 00000108 04000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020002 80040002 0a000084 1efecb42 b7c9d730 bb494fde
24296553 d37db099 d23c5653 a43b1dd5 b1043f30 db0c9049 a0948cb1 d4cc616e
01603333 58c96a29 b2e0d085 4c84ea40 a98f2279 5d48f367 6c02199f 6d40e8d6
9bb23574 04352ab1 2c681803 8eb8db7b 8d517ea4 0b4ffe2c a5eb1642 dd057552
c2a6ccb6 238d4ce3 16fee7da ab924680 9ff3b677 05000014 d4fb1856 2ff4cdb6
1eab6acd eeaf37aa 0d00000c 011101f4 d90cc2f6 00000014 afcad713 68a1f1c9
6b8696fc 77570100
2011-08-31 16:24:14: DEBUG: resend phase1 packet a12bfd41c5f00ceb:0000000000000000
2011-08-31 16:24:14: DEBUG: ===
2011-08-31 16:24:14: DEBUG: 92 bytes message received from 97.97.97.97[500] to 217.217.217.217[500]
2011-08-31 16:24:14: DEBUG:
a12bfd41 c5f00ceb 810f30f1 85c0994d 0b100500 00000000 0000005c 00000040
00000001 0000000e 04003400 01000000 01000000 00002800 01010001 28000000
01000000 00000000 78ec7fd9 80449409 287888d7 a0014908 78ec7fd9
2011-08-31 16:24:14: DEBUG: receive Information.
2011-08-31 16:24:14: ERROR: reject the packet, received unexpecting payload type 0.
2011-08-31 16:24:24: DEBUG: 264 bytes from 217.217.217.217[500] to 97.97.97.97[500]
2011-08-31 16:24:24: DEBUG: sockname 217.217.217.217[500]
2011-08-31 16:24:24: DEBUG: send packet from 217.217.217.217[500]
2011-08-31 16:24:24: DEBUG: send packet to 97.97.97.97[500]
2011-08-31 16:24:24: DEBUG: src4 217.217.217.217[500]
2011-08-31 16:24:24: DEBUG: dst4 97.97.97.97[500]
2011-08-31 16:24:24: DEBUG: 1 times of 264 bytes message will be sent to 97.97.97.97[500]
2011-08-31 16:24:24: DEBUG:
a12bfd41 c5f00ceb 00000000 00000000 01100400 00000000 00000108 04000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020002 80040002 0a000084 1efecb42 b7c9d730 bb494fde
24296553 d37db099 d23c5653 a43b1dd5 b1043f30 db0c9049 a0948cb1 d4cc616e
01603333 58c96a29 b2e0d085 4c84ea40 a98f2279 5d48f367 6c02199f 6d40e8d6
9bb23574 04352ab1 2c681803 8eb8db7b 8d517ea4 0b4ffe2c a5eb1642 dd057552
c2a6ccb6 238d4ce3 16fee7da ab924680 9ff3b677 05000014 d4fb1856 2ff4cdb6
1eab6acd eeaf37aa 0d00000c 011101f4 d90cc2f6 00000014 afcad713 68a1f1c9
6b8696fc 77570100
2011-08-31 16:24:24: DEBUG: resend phase1 packet a12bfd41c5f00ceb:0000000000000000
2011-08-31 16:24:24: DEBUG: ===
2011-08-31 16:24:24: DEBUG: 92 bytes message received from 97.97.97.97[500] to 217.217.217.217[500]
2011-08-31 16:24:24: DEBUG:
a12bfd41 c5f00ceb 4a18dd48 2a4aa181 0b100500 00000000 0000005c 00000040
00000001 0000000e 04003400 01000000 01000000 00002800 01010001 28000000
01000000 00000000 f0642dd9 80449409 287888d7 a0014908 f0642dd9
2011-08-31 16:24:24: DEBUG: receive Information.
2011-08-31 16:24:24: ERROR: reject the packet, received unexpecting payload type 0.
2011-08-31 16:24:34: DEBUG: 264 bytes from 217.217.217.217[500] to 97.97.97.97[500]
2011-08-31 16:24:34: DEBUG: sockname 217.217.217.217[500]
a12bfd41 c5f00ceb 00000000 00000000 01100400 00000000 00000108 04000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020002 80040002 0a000084 1efecb42 b7c9d730 bb494fde
24296553 d37db099 d23c5653 a43b1dd5 b1043f30 db0c9049 a0948cb1 d4cc616e
01603333 58c96a29 b2e0d085 4c84ea40 a98f2279 5d48f367 6c02199f 6d40e8d6
9bb23574 04352ab1 2c681803 8eb8db7b 8d517ea4 0b4ffe2c a5eb1642 dd057552
c2a6ccb6 238d4ce3 16fee7da ab924680 9ff3b677 05000014 d4fb1856 2ff4cdb6
1eab6acd eeaf37aa 0d00000c 011101f4 d90cc2f6 00000014 afcad713 68a1f1c9
6b8696fc 77570100
2011-08-31 16:24:44: DEBUG: resend phase1 packet a12bfd41c5f00ceb:0000000000000000
2011-08-31 16:24:44: DEBUG: ===
2011-08-31 16:24:44: DEBUG: 92 bytes message received from 97.97.97.97[500] to 217.217.217.217[500]
2011-08-31 16:24:44: DEBUG:
a12bfd41 c5f00ceb bc7c631c 0dd1e797 0b100500 00000000 0000005c 00000040
00000001 0000000e 04003400 01000000 01000000 00002800 01010001 28000000
01000000 00000000 f0642dd9 80449409 287888d7 a0014908 f0642dd9
2011-08-31 16:24:44: DEBUG: receive Information.
2011-08-31 16:24:44: ERROR: reject the packet, received unexpecting payload type 0.
2011-08-31 16:24:45: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 97.97.97.97[500]->217.217.217.217[500]
2011-08-31 16:24:45: INFO: delete phase 2 handler.
2011-08-31 16:24:54: INFO: caught signal 2
2011-08-31 16:24:54: DEBUG: 264 bytes from 217.217.217.217[500] to 97.97.97.97[500]
2011-08-31 16:24:54: DEBUG: sockname 217.217.217.217[500]
2011-08-31 16:24:54: DEBUG: send packet from 217.217.217.217[500]
2011-08-31 16:24:54: DEBUG: send packet to 97.97.97.97[500]
2011-08-31 16:24:54: DEBUG: src4 217.217.217.217[500]
2011-08-31 16:24:54: DEBUG: dst4 97.97.97.97[500]
2011-08-31 16:24:54: DEBUG: 1 times of 264 bytes message will be sent to 97.97.97.97[500]
setkey -DP:
172.16.1.0/24[any] 192.168.2.0/23[any] any
in prio def ipsec
esp/tunnel/97.97.97.97-217.217.217.217/require
ah/tunnel/97.97.97.97-217.217.217.217/require
created: Aug 31 16:23:36 2011 lastused:
lifetime: 0(s) validtime: 0(s)
spid=11472 seq=2 pid=8600
refcnt=1
192.168.2.0/23[any] 172.16.1.0/24[any] any
out prio def ipsec
esp/tunnel/217.217.217.217-97.97.97.97/require
ah/tunnel/217.217.217.217-97.97.97.97/require
created: Aug 31 16:23:36 2011 lastused: Aug 31 16:24:16 2011
lifetime: 0(s) validtime: 0(s)
spid=11465 seq=1 pid=8600
refcnt=1
172.16.1.0/24[any] 192.168.2.0/23[any] any
fwd prio def ipsec
esp/tunnel/97.97.97.97-217.217.217.217/require
ah/tunnel/97.97.97.97-217.217.217.217/require
created: Aug 31 16:23:36 2011 lastused:
lifetime: 0(s) validtime: 0(s)
spid=11482 seq=0 pid=8600
refcnt=1
Я не знаток, но:
----------
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
crypto isakmp policy 25
authentication pre-share
encryption 3des
hash md5
(в фазе 1 у racoon для 97.97.97.97 стоит hash_algorithm sha1, а у ASA в policy 25 — hash md5; параметры фазы 1 должны совпадать)
-------------------
access-list outside2_2_cryptomap extended permit ip 172.16.1.0 255.255.255.0
в ACL используется не маска 0.0.0.255, а 255.255.255.0
-------------------
Может поможет
>[оверквотинг удален]
> }
> crypto isakmp policy 25
> authentication pre-share
> encryption 3des
> hash md5
> -------------------
> access-list outside2_2_cryptomap extended permit ip 172.16.1.0 255.255.255.0
> в acl используется не маска 0.0.0.255
> -------------------
> Может поможет
Это PIX или ASAшка, ACL написан правильно!!!