URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID10
Thread number: 2809

Original message
"Problem with IPsec: Racoon cannot establish a connection."

Posted by mk, 23-Jul-06 15:44
A question for the specialists who have set up IPsec on FreeBSD.
There are 2 hosts on the same LAN: 10.75.99.166 and 10.75.99.167. Both run FreeBSD 4.10 and ipsec-tools 0.6.6. The latter, admittedly, is not the native one from the ports collection but was built from source (the package was taken from sourceforge.net). The firewall is not configured (it passes all incoming and outgoing traffic).
I am unsuccessfully trying to set up the simplest transport mode connection. On both machines I start Racoon:

/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log

Then the scripts:

#!/bin/sh
skeycmd="/usr/sbin/setkey"

# flush the security policy database (SPD) and the SA database (SAD)
$skeycmd -FP
$skeycmd -F

# require ESP in transport mode in both directions between the two hosts
$skeycmd -c << EOF

spdadd 10.75.99.167/32 10.75.99.166/32 any -P out ipsec esp/transport//require;
spdadd 10.75.99.166/32 10.75.99.167/32 any -P in ipsec esp/transport//require;
EOF

And

#!/bin/sh
skeycmd="/usr/sbin/setkey"

# flush the security policy database (SPD) and the SA database (SAD)
$skeycmd -FP
$skeycmd -F

# same policy with the addresses swapped for the other host
$skeycmd -c << EOF

spdadd 10.75.99.166/32 10.75.99.167/32 any -P out ipsec esp/transport//require;
spdadd 10.75.99.167/32 10.75.99.166/32 any -P in ipsec esp/transport//require;
EOF

on the 1st and 2nd machines respectively.

Racoon.log on the 1st machine (10.75.99.167) shows:

2006-07-20 09:45:00: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-07-20 09:45:00: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2006-07-20 09:45:00: INFO: 127.0.0.1[500] used as isakmp port (fd=5)
2006-07-20 09:45:00: INFO: fe80::1%lo0[500] used as isakmp port (fd=6)
2006-07-20 09:45:00: INFO: ::1[500] used as isakmp port (fd=7)
2006-07-20 09:45:00: INFO: 10.75.99.167[500] used as isakmp port (fd=
2006-07-20 09:45:00: INFO: fe80::230:84ff:fe0f:e5dd%rl0[500] used as isakmp port (fd=9)

THE FOLLOWING LINE APPEARS AFTER THE ENTRIES ARE ADDED TO THE SPD (WITH setkey spdadd), AND THE REST AFTER AN ATTEMPT TO PING THE SECOND HOST (10.75.99.166)

2006-07-20 09:52:47: INFO: unsupported PF_KEY message REGISTER
2006-07-20 09:54:27: INFO: IPsec-SA request for 10.75.99.166 queued due to no phase1 found.
2006-07-20 09:54:27: INFO: initiate new phase 1 negotiation: 10.75.99.167[500]<=>10.75.99.166[500]
2006-07-20 09:54:27: INFO: begin Identity Protection mode.
2006-07-20 09:54:58: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.166[0]->10.75.99.167[0]
2006-07-20 09:54:58: INFO: delete phase 2 handler.
2006-07-20 09:55:00: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2006-07-20 09:55:28: ERROR: phase1 negotiation failed due to time up. 6abcce46ebc8ea55:0000000000000000
2006-07-20 09:55:32: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.166[0]->10.75.99.167[0]
2006-07-20 09:55:32: INFO: delete phase 2 handler.

Racoon.log on the 2nd machine (10.75.99.166):

2006-07-20 09:52:01: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-07-20 09:52:01: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2006-07-20 09:52:01: INFO: 127.0.0.1[500] used as isakmp port (fd=5)
2006-07-20 09:52:01: INFO: fe80::1%lo0[500] used as isakmp port (fd=6)
2006-07-20 09:52:01: INFO: ::1[500] used as isakmp port (fd=7)
2006-07-20 09:52:01: INFO: 192.168.0.1[500] used as isakmp port (fd=
2006-07-20 09:52:01: INFO: fe80::230:4fff:fe08:4f85%rl1[500] used as isakmp port (fd=9)
2006-07-20 09:52:01: INFO: 10.75.99.166[500] used as isakmp port (fd=10)
2006-07-20 09:52:01: INFO: fe80::202:44ff:fe8b:4ed3%rl0[500] used as isakmp port (fd=11)
2006-07-20 09:52:58: INFO: unsupported PF_KEY message REGISTER

2006-07-20 09:56:22: INFO: respond new phase 1 negotiation: 10.75.99.166[500]<=>10.75.99.167[500]
2006-07-20 09:56:22: INFO: begin Identity Protection mode.
2006-07-20 09:56:22: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2006-07-20 09:56:32: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:42: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:52: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:53: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.167[0]->10.75.99.166[0]
2006-07-20 09:56:53: INFO: delete phase 2 handler.
2006-07-20 09:57:03: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:57:12: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2006-07-20 09:57:13: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:57:22: ERROR: phase1 negotiation failed due to time up. 6abcce46ebc8ea55:4babaf5d82e8cf88
2006-07-20 09:57:43: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.167[0]->10.75.99.166[0]
2006-07-20 09:57:43: INFO: delete phase 2 handler.

I am using racoon.conf from the samples:

# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $

# "path" affects "include" directives. "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "/usr/local/v6/etc" ;
#include "remote.conf" ;

# the file should contain key ID/key pairs, for pre-shared key authentication.

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/openssl/certs" ;

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;

remote anonymous
{
#exchange_mode main,aggressive,base;
exchange_mode main,base;

#my_identifier fqdn "server.kame.net";
#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;

lifetime time 24 hour ; # sec,min,hour

#initial_contact off ;
#passive on ;

# phase 1 proposal (for ISAKMP SA)
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}

# the configuration makes racoon (as a responder) to obey the
# initiator's lifetime and PFS group proposal.
# this makes testing so much easier.
proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}

PSK.TXT on the 1st machine (10.75.99.167):

10.75.99.166 Secretkey123

PSK.TXT on the 2nd:

10.75.99.167 Secretkey123

Their permissions are 0600.

Thanks to everyone for the help.
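An added triage script, not from the thread, that reads racoon log lines in the format quoted above and states which side of the phase 1 exchange is stalling. It relies on two things visible in the logs: racoon prints the ISAKMP cookie pair as initiator:responder, so an all-zero responder half on the initiator means message 2 never arrived, and "the packet is retransmitted by" on the responder means message 1 keeps being resent. The sample lines are constructed from the post; the "ISAKMP-SA established" success string is racoon's own and is assumed here.

```python
import re

# Constructed sample lines (joined from the wrapped log lines quoted in the post)
INITIATOR_LOG = """\
2006-07-20 09:54:27: INFO: initiate new phase 1 negotiation: 10.75.99.167[500]<=>10.75.99.166[500]
2006-07-20 09:54:27: INFO: begin Identity Protection mode.
2006-07-20 09:55:28: ERROR: phase1 negotiation failed due to time up. 6abcce46ebc8ea55:0000000000000000
"""
RESPONDER_LOG = """\
2006-07-20 09:56:22: INFO: respond new phase 1 negotiation: 10.75.99.166[500]<=>10.75.99.167[500]
2006-07-20 09:56:32: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:42: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:57:22: ERROR: phase1 negotiation failed due to time up. 6abcce46ebc8ea55:4babaf5d82e8cf88
"""

ROLE_RE = re.compile(r"(initiate|respond) new phase 1 negotiation: (\S+)<=>(\S+)")
RETRANS_RE = re.compile(r"the packet is retransmitted by (\S+)\.")
# cookie pair printed by racoon: <initiator cookie>:<responder cookie>, 8 bytes each
TIMEUP_RE = re.compile(r"phase1 negotiation failed due to time up\. ([0-9a-f]{16}):([0-9a-f]{16})")
ESTAB_RE = re.compile(r"ISAKMP-SA established")  # assumed racoon success message


def triage_phase1(log_text):
    """Summarise one host's racoon log: role, peer, retransmissions, cookies, diagnosis."""
    s = {"role": None, "local": None, "peer": None, "retransmits": 0,
         "established": False, "i_cookie": None, "r_cookie": None, "diagnosis": "ok"}
    for line in log_text.splitlines():
        if m := ROLE_RE.search(line):
            s["role"], s["local"], s["peer"] = m.group(1), m.group(2), m.group(3)
        elif RETRANS_RE.search(line):
            s["retransmits"] += 1          # peer resent message 1: it never saw our reply
        elif m := TIMEUP_RE.search(line):
            s["i_cookie"], s["r_cookie"] = m.group(1), m.group(2)
        elif ESTAB_RE.search(line):
            s["established"] = True
    if s["established"]:
        return s
    if s["role"] == "initiate" and s["r_cookie"] == "0" * 16:
        s["diagnosis"] = "no reply from peer: responder cookie never set, message 2 was not received"
    elif s["role"] == "respond" and s["retransmits"] > 0:
        s["diagnosis"] = "peer keeps resending message 1: our reply is not reaching the initiator"
    elif s["i_cookie"]:
        s["diagnosis"] = "phase 1 timed out after an exchange started"
    return s


if __name__ == "__main__":
    for name, log in (("initiator", INITIATOR_LOG), ("responder", RESPONDER_LOG)):
        print(name, triage_phase1(log)["diagnosis"])
```

Run against both hosts' logs it points at the return path from 10.75.99.166 to 10.75.99.167, which is the direction to check with a packet capture on UDP 500 before touching the racoon or setkey configuration.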


Contents

Messages in this discussion
"Problem with IPsec: Racoon cannot establish a connection."
Posted by Z_M, 25-Jul-06 10:55
http://www.opennet.me/openforum/vsluhforumID10/2815.html
