URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID1
Thread number: 93963

Original message
"CentOS 5.8 ipsec-tools problem..."

Posted by luxury_85, 26-Oct-12 15:41
I set up two CentOS 5.8 virtual machines on VirtualBox; to start, I ran yum update and disabled iptables and selinux. ipsec-tools 0.6.5 was already installed; I followed this article: http://www.ossg.ru/wiki/Admin/%D0%9D%D0%...

I took the article to run through a test...
I seem to have configured it correctly...

The logs on the first and the second VM are identical, except for the IP addresses:
@(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
2012-10-26 12:22:21: INFO: @(#)This product linked OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 (http://www.openssl.org/)
2012-10-26 12:22:22: INFO: 192.168.21.10[500] used as isakmp port (fd=9)
2012-10-26 12:22:22: INFO: 192.168.21.10[500] used for NAT-T

that's all, and then silence...
setkey -D
No SAD entries

I loaded the modules with modprobe, I didn't compile the kernel

I have to put this on the production server on Monday already, or management will have my head...
PLEASE HELP, FELLOW SYSADMINS !!!



Messages in this discussion
"CentOS 5.8 ipsec-tools problem..."
Posted by КуКу, 26-Oct-12 16:01
Let's go step by step.
Post examples of your configs and switch the logs to debug mode, then we'll take a look

"CentOS 5.8 ipsec-tools problem..."
Posted by luxury_85, 26-Oct-12 16:06
gw1: racoon.conf

# File with key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/etc/racoon/psk.txt";

# "log" specifies logging level.  It is followed by either "notify", "debug" or "debug2".
log notify;

# "padding" defines some padding parameters.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# Specify various default timers.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.

        # maximum time to wait for completing each phase.
        phase1 30 sec;
        phase2 15 sec;
}

# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
        isakmp  192.168.21.10 [500];           # IP [port] for ISAKMP protocol
        isakmp_natt  192.168.21.10 [4500];  # IP [port] for NAT-T protocol
        strict_address;  # requires that all addresses must be bound.
}

remote 192.168.21.11 {
        exchange_mode main;
        nat_traversal on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address 192.168.21.10/24 any address 192.168.21.11/24 any {
        pfs_group modp1024;
        lifetime time 30 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

gw1: setkey.conf

# /usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 192.168.21.10/24 192.168.21.11/24 any -P out
        ipsec esp/tunnel/192.168.21.10-192.168.21.11/require;
spdadd 192.168.21.11/24 192.168.21.10/24 any -P in
        ipsec esp/tunnel/192.168.21.11-192.168.21.10/require;

gw1: psk.txt

# file for pre-shared keys used for IKE authentication
# format is:  'identifier' 'key'
# For example:
#
#  10.1.1.1             flibbertigibbet
#  www.example.com      12345
#  foo@www.example.com  micropachycephalosaurus

192.168.21.11 psk_123321


"CentOS 5.8 ipsec-tools problem..."
Posted by luxury_85, 26-Oct-12 16:13
gw2: racoon.conf

# File with key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/etc/racoon/psk.txt";

# "log" specifies logging level.  It is followed by either "notify", "debug" or "debug2".
log notify;

# "padding" defines some padding parameters.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# Specify various default timers.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.

        # maximum time to wait for completing each phase.
        phase1 30 sec;
        phase2 15 sec;
}

# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
        isakmp  192.168.21.11 [500];           # IP [port] for ISAKMP protocol
        isakmp_natt  192.168.21.11 [4500];  # IP [port] for NAT-T protocol
        strict_address;  # requires that all addresses must be bound.
}

remote 192.168.21.10 {
        exchange_mode main;
        nat_traversal on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address 192.168.21.11/24 any address 192.168.21.10/24 any {
        pfs_group modp1024;
        lifetime time 30 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

gw2: setkey.conf

# /usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 192.168.21.11/24 192.168.21.10/24 any -P out
        ipsec esp/tunnel/192.168.21.11-192.168.21.10/require;
spdadd 192.168.21.10/24 192.168.21.11/24 any -P in
        ipsec esp/tunnel/192.168.21.10-192.168.21.11/require;


gw2: psk.txt

# file for pre-shared keys used for IKE authentication
# format is:  'identifier' 'key'
# For example:
#
#  10.1.1.1             flibbertigibbet
#  www.example.com      12345
#  foo@www.example.com  micropachycephalosaurus

192.168.21.10 psk_123321

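A consistency check for the gw1/gw2 files above, added here as an example and not code from the thread or from ipsec-tools. It parses the spdadd lines of setkey.conf, the listen/remote/sainfo blocks of racoon.conf and the identifiers in psk.txt, and reports the mismatches that keep a site-to-site tunnel from negotiating: tunnel endpoints that differ from the listen or remote address, sainfo selectors that differ from the policy selectors, a missing PSK entry, and policy selectors that overlap (192.168.21.10/24 and 192.168.21.11/24 both normalize to 192.168.21.0/24, so the policy also covers the gateways' own traffic). The embedded inputs are the posted gw1 files with comments stripped; the "fixed" variants with 10.1.1.0/24 and 10.2.2.0/24 are hypothetical networks, and all function names are the example's own.

```python
import ipaddress
import re

# Constructed from the gw1 files posted above (comments and padding/timer blocks dropped).
GW1_SETKEY = """\
flush;
spdflush;
spdadd 192.168.21.10/24 192.168.21.11/24 any -P out
        ipsec esp/tunnel/192.168.21.10-192.168.21.11/require;
spdadd 192.168.21.11/24 192.168.21.10/24 any -P in
        ipsec esp/tunnel/192.168.21.11-192.168.21.10/require;
"""
GW1_RACOON = """\
listen { isakmp  192.168.21.10 [500]; isakmp_natt  192.168.21.10 [4500]; strict_address; }
remote 192.168.21.11 { exchange_mode main; nat_traversal on; }
sainfo address 192.168.21.10/24 any address 192.168.21.11/24 any { pfs_group modp1024; }
"""
GW1_PSK = "# identifier key\n192.168.21.11 psk_123321\n"

# Hypothetical corrected variant: distinct networks behind each gateway (assumed, not from the thread).
FIXED_SETKEY = """\
spdadd 10.1.1.0/24 10.2.2.0/24 any -P out ipsec esp/tunnel/192.168.21.10-192.168.21.11/require;
spdadd 10.2.2.0/24 10.1.1.0/24 any -P in  ipsec esp/tunnel/192.168.21.11-192.168.21.10/require;
"""
FIXED_RACOON = GW1_RACOON.replace("192.168.21.10/24", "10.1.1.0/24").replace("192.168.21.11/24", "10.2.2.0/24")

SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+"
    r"ipsec\s+esp/tunnel/([0-9.]+)-([0-9.]+)/(\w+)\s*;")


def parse_spd(text):
    """One dict per spdadd line: selectors, direction, tunnel endpoints, level."""
    return [dict(src=m.group(1), dst=m.group(2), direction=m.group(3),
                 tun_src=m.group(4), tun_dst=m.group(5), level=m.group(6))
            for m in SPDADD_RE.finditer(text)]


def parse_racoon(text):
    """Pull the ISAKMP listen address, the remote peer and the sainfo selector pair."""
    listen = re.search(r"isakmp\s+([0-9.]+)", text)
    remote = re.search(r"remote\s+([0-9.]+)", text)
    sainfo = re.search(r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)", text)
    return dict(listen=listen.group(1) if listen else None,
                remote=remote.group(1) if remote else None,
                sainfo=(sainfo.group(1), sainfo.group(2)) if sainfo else None)


def psk_identifiers(text):
    """Identifier column of psk.txt, ignoring comments and blank lines."""
    return {line.split()[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def net(cidr):
    # strict=False normalizes host-form prefixes such as 192.168.21.10/24 to 192.168.21.0/24
    return ipaddress.ip_network(cidr, strict=False)


def check_site(setkey_text, racoon_text, psk_text):
    """Return a list of human-readable findings; an empty list means the files agree."""
    findings = []
    rc = parse_racoon(racoon_text)
    policies = parse_spd(setkey_text)
    if not policies:
        findings.append("no spdadd lines found: with an empty SPD the kernel never sends racoon an ACQUIRE")
    for p in policies:
        # For an 'out' policy the local gateway is the tunnel source; for 'in' it is the destination.
        local, peer = ((p["tun_src"], p["tun_dst"]) if p["direction"] == "out"
                       else (p["tun_dst"], p["tun_src"]))
        if local != rc["listen"]:
            findings.append(f"{p['direction']} policy tunnel endpoint {local} != listen address {rc['listen']}")
        if peer != rc["remote"]:
            findings.append(f"{p['direction']} policy peer {peer} != remote {rc['remote']}")
        if net(p["src"]).overlaps(net(p["dst"])):
            findings.append(f"{p['direction']} policy selectors {p['src']} and {p['dst']} overlap "
                            f"({net(p['src'])} vs {net(p['dst'])}); the policy also covers the gateways' own traffic")
    out = [p for p in policies if p["direction"] == "out"]
    if out and rc["sainfo"] and (net(out[0]["src"]), net(out[0]["dst"])) != tuple(map(net, rc["sainfo"])):
        findings.append("sainfo selectors do not match the out policy selectors")
    if rc["remote"] not in psk_identifiers(psk_text):
        findings.append(f"psk.txt has no entry for remote {rc['remote']}")
    return findings


if __name__ == "__main__":
    for name, args in (("gw1 as posted", (GW1_SETKEY, GW1_RACOON, GW1_PSK)),
                       ("hypothetical fix", (FIXED_SETKEY, FIXED_RACOON, GW1_PSK))):
        print(name, "->", check_site(*args) or "no findings")
```

Run it against the real files with something like check_site(open("/etc/racoon/setkey.conf").read(), ...) on each gateway; the check is deliberately strict about the sainfo pair because racoon selects the sainfo block from the phase 2 identities, which come from the SPD selectors.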


"CentOS 5.8 ipsec-tools problem..."
Posted by luxury_85, 26-Oct-12 16:18
GW1: logs in debug mode

2012-10-26 18:15:59: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
2012-10-26 18:15:59: INFO: @(#)This product linked OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 (http://www.openssl.org/)
2012-10-26 18:15:59: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2012-10-26 18:15:59: DEBUG: open /var/racoon/racoon.sock as racoon management.
2012-10-26 18:15:59: INFO: 192.168.21.10[4500] used as isakmp port (fd=9)
2012-10-26 18:15:59: INFO: 192.168.21.10[4500] used for NAT-T
2012-10-26 18:15:59: INFO: 192.168.21.10[500] used as isakmp port (fd=10)
2012-10-26 18:15:59: INFO: 192.168.21.10[500] used for NAT-T
2012-10-26 18:15:59: DEBUG: get pfkey X_SPDDUMP message
2012-10-26 18:15:59: DEBUG: pfkey X_SPDDUMP failed: No such file or directory

same on GW2


"CentOS 5.8 ipsec-tools problem..."
Posted by КуКу, 28-Oct-12 13:40
it may be a bit late, but pay attention to

>  DEBUG: compression algorithm can not be checked because sadb message doesn't support it.

and

>DEBUG: pfkey X_SPDDUMP failed: No such file or directory
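A small triage helper for the debug log posted above, added here as an example; it is not code from the thread or from ipsec-tools. It splits racoon's log into the sockets it bound, matches the two lines КуКу points at plus a few of racoon's other well-known negotiation errors (the extra patterns are general racoon messages, not taken from this thread), and flags the fact that no "new phase 1 negotiation" line appears at all: racoon only starts IKE once the kernel issues an ACQUIRE for traffic matching an SPD policy, so a log that goes quiet after startup is expected until such traffic is sent. The reading of X_SPDDUMP failing with "No such file or directory" as an empty SPD is this example's own interpretation (the kernel returns ENOENT for a dump with no entries), and the sample log is constructed from the GW1 output above.

```python
import re

# Constructed sample: the GW1 debug log posted above, trimmed to the lines that matter.
SAMPLE_LOG = """\
2012-10-26 18:15:59: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
2012-10-26 18:15:59: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2012-10-26 18:15:59: DEBUG: open /var/racoon/racoon.sock as racoon management.
2012-10-26 18:15:59: INFO: 192.168.21.10[4500] used as isakmp port (fd=9)
2012-10-26 18:15:59: INFO: 192.168.21.10[4500] used for NAT-T
2012-10-26 18:15:59: INFO: 192.168.21.10[500] used as isakmp port (fd=10)
2012-10-26 18:15:59: INFO: 192.168.21.10[500] used for NAT-T
2012-10-26 18:15:59: DEBUG: get pfkey X_SPDDUMP message
2012-10-26 18:15:59: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
"""

LINE_RE = re.compile(r"^(\S+ \S+): (\w+): (.*)$")          # timestamp, level, message
PORT_RE = re.compile(r"^([0-9.]+)\[(\d+)\] used as isakmp port")

# (code, pattern, what the line means, what to check next)
KNOWN = [
    ("spd_empty", re.compile(r"pfkey X_SPDDUMP failed: No such file or directory"),
     "the kernel returned ENOENT for the SPD dump: no policies were loaded when racoon started",
     "setkey -DP should list the spdadd policies; if it prints nothing, run "
     "setkey -f /etc/racoon/setkey.conf and restart racoon"),
    ("comp_unchecked", re.compile(r"compression algorithm can not be checked"),
     "racoon could not confirm IPComp support through PF_KEY, so compression_algorithm "
     "deflate in sainfo is unverified",
     "drop compression_algorithm while testing, or confirm the ipcomp module is loaded (lsmod)"),
    ("no_peer_config", re.compile(r"no configuration found for ([0-9.]+)"),
     "a peer contacted racoon but no remote block matches its address",
     "compare the remote address in racoon.conf with the peer's source address"),
    ("no_psk", re.compile(r"couldn't find the pskey for ([0-9.]+)"),
     "psk.txt has no entry whose identifier equals the peer address",
     "check the identifier column of psk.txt and that the file is readable by racoon"),
    ("phase1_timeout", re.compile(r"phase1 negotiation failed due to time up"),
     "IKE packets were sent but no reply arrived within the phase1 timer",
     "tcpdump -ni <iface> udp port 500 or udp port 4500 on both gateways; check filtering in between"),
]


def triage_racoon_log(text):
    """Return the bound ISAKMP sockets and a list of findings (code, line, meaning, next)."""
    listening = {}
    findings = []
    negotiation_seen = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(3)
        pm = PORT_RE.match(msg)
        if pm:
            listening.setdefault(pm.group(1), set()).add(int(pm.group(2)))
        if "new phase 1 negotiation" in msg:      # racoon's 'initiate'/'respond' INFO line
            negotiation_seen = True
        for code, rx, meaning, nxt in KNOWN:
            if rx.search(msg):
                findings.append(dict(code=code, line=raw, meaning=meaning, next=nxt))
    if not negotiation_seen:
        findings.append(dict(
            code="no_negotiation", line=None,
            meaning="no 'initiate/respond new phase 1 negotiation' line: racoon starts IKE only after "
                    "the kernel issues an ACQUIRE for traffic that matches an SPD policy",
            next="send traffic between the protected networks (ping) and watch both the racoon log "
                 "and tcpdump udp port 500"))
    return dict(listening=listening, findings=findings)


def finding_codes(text):
    """Convenience: just the finding codes, in log order."""
    return [f["code"] for f in triage_racoon_log(text)["findings"]]


if __name__ == "__main__":
    report = triage_racoon_log(SAMPLE_LOG)
    print("listening:", report["listening"])
    for f in report["findings"]:
        print(f"[{f['code']}] {f['meaning']}\n    next: {f['next']}")
```

Feed it the real log with triage_racoon_log(open("/var/log/racoon.log").read()) or from a journal/syslog extract; for the posted log it reports comp_unchecked, spd_empty and no_negotiation, and shows racoon bound to 192.168.21.10 on 500 and 4500.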