A question for those who have set up IPsec on FreeBSD.

There are 2 hosts on the same LAN: 10.75.99.166 and 10.75.99.167. Both run FreeBSD 4.10 and ipsec-tools 0.6.6. The latter, admittedly, is not the native one from the ports collection but was built from source (the package was taken from sourceforge.net). The firewall is not configured (it passes all inbound and outbound traffic).

I have been trying, without success, to set up the simplest transport mode connection. On both machines I start racoon:

/usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log

Then the scripts:
#!/bin/sh
skeycmd="/usr/sbin/setkey"

$skeycmd -FP    # flush the security policy database (SPD)
$skeycmd -F     # flush the security association database (SAD)

# install transport-mode ESP policies for traffic to and from the peer
$skeycmd -c << EOF
spdadd 10.75.99.167/32 10.75.99.166/32 any -P out ipsec esp/transport//require;
spdadd 10.75.99.166/32 10.75.99.167/32 any -P in ipsec esp/transport//require;
EOF

and

#!/bin/sh
skeycmd="/usr/sbin/setkey"

$skeycmd -FP    # flush the security policy database (SPD)
$skeycmd -F     # flush the security association database (SAD)

# install transport-mode ESP policies for traffic to and from the peer
$skeycmd -c << EOF
spdadd 10.75.99.166/32 10.75.99.167/32 any -P out ipsec esp/transport//require;
spdadd 10.75.99.167/32 10.75.99.166/32 any -P in ipsec esp/transport//require;
EOF

on the 1st and 2nd machines respectively.
racoon.log on the 1st machine (10.75.99.167) shows:

2006-07-20 09:45:00: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-07-20 09:45:00: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2006-07-20 09:45:00: INFO: 127.0.0.1[500] used as isakmp port (fd=5)
2006-07-20 09:45:00: INFO: fe80::1%lo0[500] used as isakmp port (fd=6)
2006-07-20 09:45:00: INFO: ::1[500] used as isakmp port (fd=7)
2006-07-20 09:45:00: INFO: 10.75.99.167[500] used as isakmp port (fd=
2006-07-20 09:45:00: INFO: fe80::230:84ff:fe0f:e5dd%rl0[500] used as isakmp port (fd=9)

THE NEXT LINE APPEARS AFTER THE ENTRIES ARE ADDED TO THE SPD (WITH setkey spdadd), AND THE REMAINING ONES AFTER AN ATTEMPT TO PING THE SECOND HOST (10.75.99.166)

2006-07-20 09:52:47: INFO: unsupported PF_KEY message REGISTER
2006-07-20 09:54:27: INFO: IPsec-SA request for 10.75.99.166 queued due to no phase1 found.
2006-07-20 09:54:27: INFO: initiate new phase 1 negotiation: 10.75.99.167[500]<=>10.75.99.166[500]
2006-07-20 09:54:27: INFO: begin Identity Protection mode.
2006-07-20 09:54:58: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.166[0]->10.75.99.167[0]
2006-07-20 09:54:58: INFO: delete phase 2 handler.
2006-07-20 09:55:00: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2006-07-20 09:55:28: ERROR: phase1 negotiation failed due to time up. 6abcce46ebc8ea55:0000000000000000
2006-07-20 09:55:32: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.166[0]->10.75.99.167[0]
2006-07-20 09:55:32: INFO: delete phase 2 handler.

racoon.log on the 2nd machine (10.75.99.166):
2006-07-20 09:52:01: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-07-20 09:52:01: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2006-07-20 09:52:01: INFO: 127.0.0.1[500] used as isakmp port (fd=5)
2006-07-20 09:52:01: INFO: fe80::1%lo0[500] used as isakmp port (fd=6)
2006-07-20 09:52:01: INFO: ::1[500] used as isakmp port (fd=7)
2006-07-20 09:52:01: INFO: 192.168.0.1[500] used as isakmp port (fd=
2006-07-20 09:52:01: INFO: fe80::230:4fff:fe08:4f85%rl1[500] used as isakmp port (fd=9)
2006-07-20 09:52:01: INFO: 10.75.99.166[500] used as isakmp port (fd=10)
2006-07-20 09:52:01: INFO: fe80::202:44ff:fe8b:4ed3%rl0[500] used as isakmp port (fd=11)
2006-07-20 09:52:58: INFO: unsupported PF_KEY message REGISTER

2006-07-20 09:56:22: INFO: respond new phase 1 negotiation: 10.75.99.166[500]<=>10.75.99.167[500]
2006-07-20 09:56:22: INFO: begin Identity Protection mode.
2006-07-20 09:56:22: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2006-07-20 09:56:32: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:42: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:52: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:53: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.167[0]->10.75.99.166[0]
2006-07-20 09:56:53: INFO: delete phase 2 handler.
2006-07-20 09:57:03: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:57:12: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2006-07-20 09:57:13: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:57:22: ERROR: phase1 negotiation failed due to time up. 6abcce46ebc8ea55:4babaf5d82e8cf88
2006-07-20 09:57:43: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.167[0]->10.75.99.166[0]
2006-07-20 09:57:43: INFO: delete phase 2 handler.

I use racoon.conf from the samples:
# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $

# "path" affects "include" directives. "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "/usr/local/v6/etc" ;
#include "remote.conf" ;

# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/openssl/certs" ;

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;

remote anonymous
{
	#exchange_mode main,aggressive,base;
	exchange_mode main,base;

	#my_identifier fqdn "server.kame.net";
	#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;

	lifetime time 24 hour ; # sec,min,hour

	#initial_contact off ;
	#passive on ;

	# phase 1 proposal (for ISAKMP SA)
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}

	# the configuration makes racoon (as a responder) to obey the
	# initiator's lifetime and PFS group proposal.
	# this makes testing so much easier.
	proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
	pfs_group 2;
	lifetime time 12 hour ;
	encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}

psk.txt on the 1st machine (10.75.99.167):
10.75.99.166 Secretkey123
psk.txt on the 2nd:
10.75.99.167 Secretkey123
Their permissions are 0600.

Thanks to everyone for any help.
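For triaging racoon logs like the two above, here is an added example in Python; it is not the poster's code and not part of ipsec-tools. It re-joins records that a terminal or forum wrapped at 80 columns, counts which side initiated phase 1, how many retransmitted IKE messages arrived from the peer and how many phase 1 and phase 2 attempts timed out, and turns the counters into findings. It keys on the message strings visible in the logs above plus racoon's "ISAKMP-SA established" message for the success case; the finding texts and the checks they suggest are this example's own reading of those messages. The sample records are copied from the second log in the post, still wrapped as the forum shows them.

```python
"""Triage helper for racoon (ipsec-tools 0.6.x) IKE logs. Added example, not the poster's code."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# One racoon record: "YYYY-MM-DD HH:MM:SS: LEVEL: message"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): ([A-Z0-9]+): (.*)$")
# An IPv4 IKE endpoint as racoon prints it, e.g. "10.75.99.167[500]"
PEER_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\[\d+\]")

def join_wrapped(lines: List[str]) -> List[str]:
    """Re-join records a terminal or forum wrapped at 80 columns: a line with no
    leading timestamp is glued to the previous record without a separator,
    because the wrap can split a word ("no ph" / "ase1 found")."""
    out: List[str] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if LINE_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line
    return out

@dataclass
class IkeSummary:
    role: Optional[str] = None                  # "initiator" or "responder"
    retransmits_from: Counter = field(default_factory=Counter)
    phase1_timeouts: int = 0
    phase2_timeouts: int = 0
    isakmp_established: int = 0
    unsupported_pfkey: List[str] = field(default_factory=list)

def summarize(lines: List[str]) -> IkeSummary:
    """Walk the log once and count the events that matter for IKE triage."""
    s = IkeSummary()
    for rec in join_wrapped(lines):
        m = LINE_RE.match(rec)
        if not m:
            continue
        msg = m.group(3)
        if "new phase 1 negotiation" in msg:
            s.role = "initiator" if msg.startswith("initiate") else "responder"
        elif "the packet is retransmitted by" in msg:
            s.retransmits_from[PEER_RE.search(msg).group(1)] += 1
        elif "phase1 negotiation failed due to time up" in msg:
            s.phase1_timeouts += 1
        elif "phase2 negotiation failed due to time up" in msg:
            s.phase2_timeouts += 1
        elif "ISAKMP-SA established" in msg:
            s.isakmp_established += 1
        elif "unsupported PF_KEY message" in msg:
            s.unsupported_pfkey.append(msg.rsplit(" ", 1)[-1])
    return s

def diagnose(s: IkeSummary) -> List[str]:
    """Plain-language findings: this example's reading of the counters, not racoon's."""
    f: List[str] = []
    if s.isakmp_established:
        f.append("phase 1 completed %d time(s)" % s.isakmp_established)
    if s.phase1_timeouts and s.role == "initiator" and not s.retransmits_from:
        f.append("initiator: phase 1 timed out with no reply processed; check that UDP/500 "
                 "reaches the peer and that its racoon listens on that address")
    if s.phase1_timeouts and s.role == "responder" and s.retransmits_from:
        peer, n = s.retransmits_from.most_common(1)[0]
        f.append("responder: %s resent its first IKE message %d times and phase 1 still timed "
                 "out: this host's replies do not reach, or are rejected by, the initiator "
                 "(check return path, reply source address, phase 1 proposal and PSK)" % (peer, n))
    if s.phase2_timeouts:
        f.append("%d phase 2 request(s) dropped because phase 1 never came up; the 'require' "
                 "SPD policy holds traffic until IKE succeeds" % s.phase2_timeouts)
    if s.unsupported_pfkey and s.role:
        f.append("unsupported PF_KEY %s logged, but IKE still started afterwards, so this is "
                 "not the blocker" % ", ".join(sorted(set(s.unsupported_pfkey))))
    return f

# Records copied from the second log in the post (10.75.99.166), still wrapped
# at 80 columns as the forum shows them, so that join_wrapped() is exercised.
RESPONDER_LOG = """\
2006-07-20 09:52:58: INFO: unsupported PF_KEY message REGISTER
2006-07-20 09:56:22: INFO: respond new phase 1 negotiation: 10.75.99.166[500]<=>
10.75.99.167[500]
2006-07-20 09:56:32: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:42: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:52: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:53: ERROR: phase2 negotiation failed due to time up waiting for
phase1. ESP 10.75.99.167[0]->10.75.99.166[0]
2006-07-20 09:57:03: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:57:13: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:57:22: ERROR: phase1 negotiation failed due to time up. 6abcce46eb
c8ea55:4babaf5d82e8cf88
2006-07-20 09:57:43: ERROR: phase2 negotiation failed due to time up waiting for
phase1. ESP 10.75.99.167[0]->10.75.99.166[0]
""".splitlines()

if __name__ == "__main__":
    for finding in diagnose(summarize(RESPONDER_LOG)):
        print("-", finding)
```

Run it as a script to see the findings for the responder-side log; to triage a live system, feed it the lines of /var/log/racoon.log from each host and compare the two summaries, since the initiator side and the responder side of the same failed exchange tell different halves of the story.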
http://www.opennet.me/openforum/vsluhforumID10/2815.html