
Исходное сообщение
"ipsec, проблемы с маршрутизацией."

Отправлено OzZ , 14-Мрт-08 11:46 
eth0      Link encap:Ethernet  HWaddr 00:04:75:94:6E:5D  
          inet addr:192.168.0.90  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:326951 errors:0 dropped:0 overruns:0 frame:0
          TX packets:278471 errors:0 dropped:0 overruns:0 carrier:0
          collisions:328 txqueuelen:1000
          RX bytes:121577058 (115.9 Mb)  TX bytes:33765098 (32.2 Mb)
          Interrupt:16

eth1      Link encap:Ethernet  HWaddr 00:0C:76:8A:17:25  
          inet addr:192.168.35.2  Bcast:192.168.35.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:335754 errors:0 dropped:0 overruns:0 frame:0
          TX packets:348544 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:38987878 (37.1 Mb)  TX bytes:127166529 (121.2 Mb)
          Interrupt:20 Base address:0x2000

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.12.27.33    192.168.0.100   255.255.255.255 UGH   0      0        0 eth0
192.228.79.201  192.168.0.100   255.255.255.255 UGH   0      0        0 eth0
198.41.0.4      192.168.0.100   255.255.255.255 UGH   0      0        0 eth0
193.0.14.129    192.168.0.100   255.255.255.255 UGH   0      0        0 eth0
192.5.5.241     192.168.0.100   255.255.255.255 UGH   0      0        0 eth0
128.8.10.90     192.168.0.100   255.255.255.255 UGH   0      0        0 eth0
192.112.36.4    192.168.0.100   255.255.255.255 UGH   0      0        0 eth0
192.203.230.10  192.168.0.100   255.255.255.255 UGH   0      0        0 eth0
192.58.128.30   192.168.0.100   255.255.255.255 UGH   0      0        0 eth0
128.63.2.53     192.168.0.100   255.255.255.255 UGH   0      0        0 eth0
192.36.148.17   192.168.0.100   255.255.255.255 UGH   0      0        0 eth0
198.32.64.12    192.168.0.100   255.255.255.255 UGH   0      0        0 eth0
192.33.4.12     192.168.0.100   255.255.255.255 UGH   0      0        0 eth0
192.168.55.0    192.168.0.100   255.255.255.0   UG    0      0        0 eth0
192.168.35.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.0.100   128.0.0.0       UG    0      0        0 eth0
128.0.0.0       192.168.0.100   128.0.0.0       UG    0      0        0 eth0
0.0.0.0         192.168.0.100   0.0.0.0         UG    0      0        0 eth0

# cat /etc/ipsec/ipsec.conf
version 2

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.35.0/255.255.255.0,%v4:!192.168.55.0/255.255.255.0

conn %default
    keyingtries=0
    disablearrivalcheck=no

conn ascn
    left=192.168.0.90
    leftnexthop=%defaultroute
    leftsubnet=192.168.35.0/255.255.255.0
    right=192.168.0.91
    rightsubnet=192.168.55.0/255.255.255.0
    rightnexthop=%defaultroute
    ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
    esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
    ikelifetime=1h
    keylife=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold
    pfs=yes
    authby=secret
    auto=start

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 888

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  192.168.35.0/24     !192.168.55.0/24    

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.19-gentoo-r5 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec/ipsec.secrets)         [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                              
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: nixgate                 [MISSING]
  Cannot execute command "host -t txt nixgate": No such file or directory
   Does the machine have at least one non-private address?      [FAILED]

# ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=192.168.0.90
routenexthop=192.168.0.100

# ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.0.90
000 interface eth0/eth0 192.168.0.90
000 interface eth1/eth1 192.168.35.2
000 interface eth1/eth1 192.168.35.2
000 %myid = (none)
000 debug none
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000  
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000  
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,216} attrs={0,2,144}
000  
000 "ascn": 192.168.35.0/24===192.168.0.90---192.168.0.100...192.168.0.100---192.168.0.91===192.168.55.0/24; erouted; eroute owner: #2
000 "ascn":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "ascn":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ascn":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; encap: esp;
000 "ascn":   dpd: action:hold; delay:30; timeout:120;
000 "ascn":   newest ISAKMP SA: #3; newest IPsec SA: #2;
000 "ascn":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1536(5), AES_CBC(7)_128-SHA1(2)-MODP1024(2), AES_CBC(7)_128-MD5(1)-MODP1536(5), AES_CBC(7)_128-MD5(1)-MODP1024(2), 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)-MODP1024(2), 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "ascn":   IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2), AES_CBC(7)_128-MD5(1)_128-MODP1536(5), AES_CBC(7)_128-MD5(1)_128-MODP1024(2), 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2), 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "ascn":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1536
000 "ascn":   ESP algorithms wanted: AES(12)_128-SHA1(2), AES(12)_128-MD5(1), 3DES(3)_000-SHA1(2), 3DES(3)_000-MD5(1); flags=strict
000 "ascn":   ESP algorithms loaded: AES(12)_128-SHA1(2), AES(12)_128-MD5(1), 3DES(3)_000-SHA1(2), 3DES(3)_000-MD5(1); flags=strict
000 "ascn":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>
000 "block": 192.168.0.90[%myid]---192.168.0.100...%group; unrouted; eroute owner: #0
000 "block":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "block":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "block":   policy: TUNNEL+PFS+GROUP+GROUTED+REJECT+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "block":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear": 192.168.0.90[%myid]---192.168.0.100...%group; unrouted; eroute owner: #0
000 "clear":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear":   policy: TUNNEL+PFS+GROUP+GROUTED+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#128.63.2.53/32": 192.168.0.90[%myid]---192.168.0.100...%any===128.63.2.53/32; prospective erouted; eroute owner: #0
000 "clear#128.63.2.53/32":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#128.63.2.53/32":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#128.63.2.53/32":   policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#128.63.2.53/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#128.8.10.90/32": 192.168.0.90[%myid]---192.168.0.100...%any===128.8.10.90/32; prospective erouted; eroute owner: #0
000 "clear#128.8.10.90/32":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#128.8.10.90/32":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#128.8.10.90/32":   policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#128.8.10.90/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.112.36.4/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.112.36.4/32; prospective erouted; eroute owner: #0
000 "clear#192.112.36.4/32":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.112.36.4/32":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.112.36.4/32":   policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.112.36.4/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.203.230.10/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.203.230.10/32; prospective erouted; eroute owner: #0
000 "clear#192.203.230.10/32":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.203.230.10/32":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.203.230.10/32":   policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.203.230.10/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.228.79.201/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.228.79.201/32; prospective erouted; eroute owner: #0
000 "clear#192.228.79.201/32":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.228.79.201/32":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.228.79.201/32":   policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.228.79.201/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.33.4.12/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.33.4.12/32; prospective erouted; eroute owner: #0
000 "clear#192.33.4.12/32":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.33.4.12/32":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.33.4.12/32":   policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.33.4.12/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.36.148.17/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.36.148.17/32; prospective erouted; eroute owner: #0
000 "clear#192.36.148.17/32":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.36.148.17/32":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.36.148.17/32":   policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.36.148.17/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.5.5.241/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.5.5.241/32; prospective erouted; eroute owner: #0
000 "clear#192.5.5.241/32":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.5.5.241/32":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.5.5.241/32":   policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.5.5.241/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.58.128.30/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.58.128.30/32; prospective erouted; eroute owner: #0
000 "clear#192.58.128.30/32":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.58.128.30/32":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.58.128.30/32":   policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.58.128.30/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#193.0.14.129/32": 192.168.0.90[%myid]---192.168.0.100...%any===193.0.14.129/32; prospective erouted; eroute owner: #0
000 "clear#193.0.14.129/32":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#193.0.14.129/32":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#193.0.14.129/32":   policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#193.0.14.129/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#198.32.64.12/32": 192.168.0.90[%myid]---192.168.0.100...%any===198.32.64.12/32; prospective erouted; eroute owner: #0
000 "clear#198.32.64.12/32":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#198.32.64.12/32":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#198.32.64.12/32":   policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#198.32.64.12/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#198.41.0.4/32": 192.168.0.90[%myid]---192.168.0.100...%any===198.41.0.4/32; prospective erouted; eroute owner: #0
000 "clear#198.41.0.4/32":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#198.41.0.4/32":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#198.41.0.4/32":   policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#198.41.0.4/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#202.12.27.33/32": 192.168.0.90[%myid]---192.168.0.100...%any===202.12.27.33/32; prospective erouted; eroute owner: #0
000 "clear#202.12.27.33/32":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#202.12.27.33/32":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#202.12.27.33/32":   policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#202.12.27.33/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear-or-private": 192.168.0.90[%myid]---192.168.0.100...%opportunisticgroup; unrouted; eroute owner: #0
000 "clear-or-private":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear-or-private":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "clear-or-private":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+GROUTED+PASS+failurePASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear-or-private":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "packetdefault": 0.0.0.0/0===192.168.0.90[%myid]---192.168.0.100...%opportunistic; prospective erouted; eroute owner: #0
000 "packetdefault":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "packetdefault":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "packetdefault":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failurePASS+lKOD+rKOD; prio: 0,0; interface: eth0; encap: esp;
000 "packetdefault":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private": 192.168.0.90[%myid]---192.168.0.100...%opportunisticgroup; unrouted; eroute owner: #0
000 "private":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "private":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+GROUTED+failureDROP+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "private":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear": 192.168.0.90[%myid]---192.168.0.100...%opportunisticgroup; unrouted; eroute owner: #0
000 "private-or-clear":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "private-or-clear":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private-or-clear":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+GROUTED+failurePASS+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "private-or-clear":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#0.0.0.0/0": 192.168.0.90[%myid]---192.168.0.100...%opportunistic; prospective erouted; eroute owner: #0
000 "private-or-clear#0.0.0.0/0":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "private-or-clear#0.0.0.0/0":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private-or-clear#0.0.0.0/0":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failurePASS+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "private-or-clear#0.0.0.0/0":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000  
000 #2: "ascn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 24586s; newest IPSEC; eroute owner
000 #2: "ascn" esp.2ec1503b@192.168.0.91 esp.135442ca@192.168.0.90 tun.0@192.168.0.91 tun.0@192.168.0.90
000 #1: "ascn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 433s; lastdpd=617s(seq in:8878 out:0)
000 #3: "ascn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1969s; newest ISAKMP; lastdpd=17s(seq in:29893 out:0)
000  
000 192.168.0.90/32:0 -0-> 65.207.183.49/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 65.207.183.49/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 129.33.13.208/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 194.67.45.98/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 194.67.45.123/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 129.33.13.208/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 194.67.45.123/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 77.234.201.242/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 77.234.201.242/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.100/32:0 -0-> 192.168.35.30/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.30/32:0 -0-> 192.168.0.100/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 88.212.196.78/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 81.19.66.19/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 195.146.77.222/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 195.146.77.222/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.2/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.100/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.194/32:0 -0-> 192.168.0.100/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 81.19.66.19/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 81.19.66.19/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 195.190.105.235/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 205.188.13.52/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 194.67.45.13/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 81.19.66.20/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 194.67.23.102/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 194.67.23.102/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 81.19.66.20/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.16/32:0 -0-> 194.67.23.102/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.16/32:0 -0-> 81.19.66.20/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 88.212.196.67/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 194.67.45.13/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 205.188.8.134/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.16/32:0 -0-> 205.188.8.134/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 205.188.8.134/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 205.188.8.238/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 205.188.8.238/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.194/32:0 -0-> 205.188.8.238/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 88.212.196.77/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 88.212.196.105/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.100/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 89.108.124.101/32:0 -0-> 192.168.35.30/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.16/32:0 -0-> 192.168.0.100/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 89.108.124.101/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.30/32:0 -0-> 89.108.124.101/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.2/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 195.209.233.192/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 195.209.233.192/32:0 => %pass 32,0    KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 192.168.0.100/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): failure querying DNS for KEY of nixgate.: Host name lookup failure
000 192.168.35.16/32:0 -0-> 195.209.233.192/32:0 => %pass 0,0    KEY record for hostname as %myid (no good TXT): failure querying DNS for KEY of nixgate.: Host name lookup failure

# traceroute 192.168.55.101
traceroute to 192.168.55.101 (192.168.55.101), 30 hops max, 40 byte packets
1  ACHTUNG.sbs (192.168.0.100)  0.533 ms  0.547 ms  0.577 ms
2  vl800.cr1-faber.r.westcall.net (84.52.109.177)  2.228 ms  2.225 ms  2.528 ms
3  c7206.rtr-morsk.westcall.net (84.52.73.45)  2.164 ms  2.129 ms  2.130 ms
4  c7206.rtr-morsk.westcall.net (84.52.73.45)  2.099 ms  2.147 ms  2.149 ms
5  87.226.229.161 (87.226.229.161)  20.904 ms  20.915 ms  20.924 ms
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *

Где затык не пойму, поможите люди добрыя.


"ipsec, проблемы с маршрутизацией."
Отправлено OzZ , 21-Мрт-08 09:58 
Проблема, как я понял, в реализации стека. С одной стороны NETKEY (Gentoo), с другой KLIPS (IpCop)... Теперь вопрос таков: как в ядре 2.6 включить реализацию KLIPS?

"ipsec, проблемы с маршрутизацией."
Отправлено sshd.root , 13-Май-08 12:55 
>Проблема, как я понял, в релизации стека. С одной стороны NETKEY (Gentoo),
>с другой KLIPS (IpCop)... Теперь вопрос таков: как в ядре 2.6
>включить реализацию KLIPS?

Нужно модуль ipsec.ko для ядра собрать, и сам openswan.