Привет всем, уже запарился, а у самого никак не получается. Трабл следующий:
Пытаюсь соединить OpenBSD с ISAKMPD и Linux с FreeS/WAN.
OpenBSD выступает в качестве CA, и на ней же генерили все ключи и сертификаты. Для начала соединили OpenBSD с CA --- OpenBSD, всё заработало.
Со следующим конфигом:

isakmpd.conf
[General]
Listen-on= 192.168.250.100
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/192.168.250.100.key
[Phase 1]
192.168.250.102= ISAKMP-peer-east
[Phase 2]
Connections= IPsec-west-east
[ISAKMP-peer-east]
Phase= 1
Transport= udp
Local-address= 192.168.250.100
Address= 192.168.250.101
Configuration= Default-main-mode
#Authentication=
#ID= Open-ID
#[Open-ID]
#ID-type= IPV4_ADDR
#Name= 192.168.250.100
[IPsec-west-east]
Phase= 2
ISAKMP-peer= ISAKMP-peer-east
Configuration= Default-quick-mode
Local-ID= Net-west
Remote-ID= Net-east
[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.1.0
Netmask= 255.255.255.0
[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.2.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-RSA_SIG
[3DES-SHA-RSA_SIG]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= RSA_SIG
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM=HMAC_SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE

isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees:"DN:/C=RU/ST=Region/L=City/O=Company/OU=VPN Auth/CN=CA/emailAddress=root@mail.net"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";

После чего вместо OpenBSD (второй) соединяю Linux с конфигом:
ipsec.conf
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=yes
conn %default
type=tunnel
authby=rsasig
auth=esp
keyexchange=ike
keyingtries=0
disablearrivalcheck=no
left=192.168.250.101
leftsubnet=10.1.2.0/24
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/cacerts/192.168.250.101.crt
auto=add
conn Linux-Open
esp=3des-sha,3des-md5
right=192.168.250.100
rightsubnet=10.1.1.0/24
rightrsasigkey=%cert
rightcert=/etc/ipsec.d/cacerts/192.168.250.100.crt
compress=yes
pfs=yes

ipsec.secrets
: RSA /etc/ipsec.d/private/192.168.250.101.key "pass"

На команду ipsec auto --status выдаётся следующее:
[root@linux log]# ipsec auto --status
000 interface ipsec0/eth1 192.168.250.101
000
000 "Linux-Open": 10.1.2.0/24===192.168.250.101[C=RU, ST=Region, L=City, O=Company, OU=VPN Auth, CN=192.168.250.101, E=root@mail.net]...192.168.250.100[C=RU, ST=Region, L=City, O=Company, OU=VPN Auth, CN=192.168.250.100, E=root@mail.net]===10.1.1.0/24
000 "Linux-Open": ike_life: 9000s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "Linux-Open": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: eth1; unrouted
000 "Linux-Open": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000

В логах:
linux ipsec__plutorun: Starting Pluto subsystem...
linux Pluto[12825]: Starting Pluto (FreeS/WAN Version 1.96)
linux Pluto[12825]: including X.509 patch (Version 0.9.9)
linux Pluto[12825]: Changing to directory '/etc/ipsec.d/cacerts'
linux Pluto[12825]: loaded cacert file 'ca.crt' (936 bytes)
linux Pluto[12825]: loaded cacert file '192.168.250.102.crt' (993 bytes)
linux Pluto[12825]: loaded cacert file '192.168.250.101.crt' (993 bytes)
linux Pluto[12825]: loaded cacert file '192.168.250.100.crt' (993 bytes)
linux Pluto[12825]: Changing to directory '/etc/ipsec.d/crls'
linux Pluto[12825]: Warning: empty directory
linux Pluto[12825]: loaded my X.509 cert file '/etc/x509cert.der' (649 bytes)
linux Pluto[12825]: loaded host cert file '/etc/ipsec.d/cacerts/192.168.250.101.crt' (993 bytes)
linux Pluto[12825]: loaded host cert file '/etc/ipsec.d/cacerts/192.168.250.100.crt' (993 bytes)
linux Pluto[12825]: added connection description "Linux-Open"
linux Pluto[12825]: listening for IKE messages
linux Pluto[12825]: adding interface ipsec0/eth1 192.168.250.101
linux Pluto[12825]: loading secrets from "/etc/ipsec.secrets"
linux Pluto[12825]: loaded private key file '/etc/ipsec.d/private/192.168.250.101.key' (891 bytes)
linux Pluto[12825]: packet from 192.168.250.100:500: ignoring Vendor ID payload
linux last message repeated 3 times
linux Pluto[12825]: "Linux-Open" #1: responding to Main Mode
linux Pluto[12825]: "Linux-Open" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
linux Pluto[12825]: "Linux-Open" #1: Peer ID is ID_IPV4_ADDR: '192.168.250.100'
linux Pluto[12825]: "Linux-Open" #1: Issuer CRL not found
linux Pluto[12825]: "Linux-Open" #1: Issuer CRL not found
linux Pluto[12825]: "Linux-Open" #1: no suitable connection for peer '192.168.250.100'
linux Pluto[12825]: "Linux-Open" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
linux Pluto[12825]: "Linux-Open" #1: Peer ID is ID_IPV4_ADDR: '192.168.250.100'
linux Pluto[12825]: "Linux-Open" #1: Issuer CRL not found
linux Pluto[12825]: "Linux-Open" #1: Issuer CRL not found
linux Pluto[12825]: "Linux-Open" #1: no suitable connection for peer '192.168.250.100'
linux Pluto[12825]: packet from 192.168.250.100:500: ignoring informational payload, type INVALID_FLAGS
linux Pluto[12825]: packet from 192.168.250.100:500: received and ignored informational message
linux Pluto[12825]: packet from 192.168.250.100:500: ignoring informational payload, type INVALID_FLAGS
linux Pluto[12825]: packet from 192.168.250.100:500: received and ignored informational message
linux Pluto[12825]: "Linux-Open" #1: max number of retransmissions (2) reached STATE_MAIN_R2
linux Pluto[12825]: packet from 192.168.250.100:500: ignoring Vendor ID payload
linux last message repeated 3 times

На OpenBSD:
# isakmpd -d -DA=9
122655.410859 Default log_debug_cmd: log level changed from 0 to 9 for class 0 [priv]
122655.412708 Default log_debug_cmd: log level changed from 0 to 9 for class 1 [priv]
122655.413229 Default log_debug_cmd: log level changed from 0 to 9 for class 2 [priv]
122655.414065 Default log_debug_cmd: log level changed from 0 to 9 for class 3 [priv]
122655.414652 Default log_debug_cmd: log level changed from 0 to 9 for class 4 [priv]
122655.415113 Default log_debug_cmd: log level changed from 0 to 9 for class 5 [priv]
122655.415631 Default log_debug_cmd: log level changed from 0 to 9 for class 6 [priv]
122655.416074 Default log_debug_cmd: log level changed from 0 to 9 for class 7 [priv]
122655.416555 Default log_debug_cmd: log level changed from 0 to 9 for class 8 [priv]
122655.416981 Default log_debug_cmd: log level changed from 0 to 9 for class 9 [priv]
122655.417457 Default log_debug_cmd: log level changed from 0 to 9 for class 10 [priv]
122704.851774 Default message_recv: cleartext phase 1 message
122704.853094 Default dropped message from 192.168.250.101 port 500 due to notification type INVALID_FLAGS
122724.871151 Default message_recv: cleartext phase 1 message
122724.873079 Default dropped message from 192.168.250.101 port 500 due to notification type INVALID_FLAGS

Где грабли???
>122724.871151 Default message_recv: cleartext phase 1 message
>122724.873079 Default dropped message from 192.168.250.101 port 500 due to notification type INVALID_FLAGS

Пробую вот так: tcpdump -avs 1440 -r /var/run/isakmpd.pcap
15:39:34.221547 192.168.250.100.isakmp > 192.168.250.101.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 40e840cead160881->0000000000000000 msgid: 00000000 len: 192
payload: SA len: 84 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 72 proposal: 1 proto: ISAKMP spisz: 0 xforms: 2
payload: TRANSFORM len: 32
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = MD5
attribute AUTHENTICATION_METHOD = RSA_SIG
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
payload: TRANSFORM len: 32
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = RSA_SIG
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 220)
15:39:41.240801 192.168.250.101.isakmp > 192.168.250.100.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 40e840cead160881->0810a61fa1246e82 msgid: 00000000 len: 80
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
payload: TRANSFORM len: 32
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = MD5
attribute AUTHENTICATION_METHOD = RSA_SIG
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600 [ttl 0] (id 1, len 108)
15:39:41.259213 192.168.250.100.isakmp > 192.168.250.101.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 40e840cead160881->0810a61fa1246e82 msgid: 00000000 len: 180
payload: KEY_EXCH len: 132
payload: NONCE len: 20 [ttl 0] (id 1, len 208)
15:39:41.270789 192.168.250.101.isakmp > 192.168.250.100.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 40e840cead160881->0810a61fa1246e82 msgid: 00000000 len: 188
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: CERTREQUEST len: 5 [ttl 0] (id 1, len 216)
15:39:41.297018 192.168.250.100.isakmp > 192.168.250.101.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 40e840cead160881->0810a61fa1246e82 msgid: 00000000 len: 200
payload: ID len: 12 type: IPV4_ADDR = 192.168.250.100
payload: SIG len: 132
payload: NOTIFICATION len: 28
notification: INITIAL CONTACT (40e840cead160881->0810a61fa1246e82) [ttl 0] (id 1, len 228)
15:39:51.315528 192.168.250.101.isakmp > 192.168.250.100.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 40e840cead160881->0810a61fa1246e82 msgid: 00000000 len: 188
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: CERTREQUEST len: 5 [ttl 0] (id 1, len 216)
15:39:51.316920 192.168.250.100.isakmp > 192.168.250.101.isakmp: [udp sum ok] isakmp v1.0 exchange INFO
cookie: 319cf51b8c2ad284->0000000000000000 msgid: 00000000 len: 40
payload: NOTIFICATION len: 12
notification: INVALID FLAGS [ttl 0] (id 1, len 68)
И всё равно не понимаю, что за INVALID FLAGS.