eth0 Link encap:Ethernet HWaddr 00:04:75:94:6E:5D
inet addr:192.168.0.90 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:326951 errors:0 dropped:0 overruns:0 frame:0
TX packets:278471 errors:0 dropped:0 overruns:0 carrier:0
collisions:328 txqueuelen:1000
RX bytes:121577058 (115.9 Mb) TX bytes:33765098 (32.2 Mb)
Interrupt:16

eth1 Link encap:Ethernet HWaddr 00:0C:76:8A:17:25
inet addr:192.168.35.2 Bcast:192.168.35.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:335754 errors:0 dropped:0 overruns:0 frame:0
TX packets:348544 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:38987878 (37.1 Mb) TX bytes:127166529 (121.2 Mb)
Interrupt:20 Base address:0x2000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
202.12.27.33 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.228.79.201 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
198.41.0.4 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
193.0.14.129 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.5.5.241 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
128.8.10.90 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.112.36.4 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.203.230.10 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.58.128.30 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
128.63.2.53 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.36.148.17 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
198.32.64.12 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.33.4.12 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.168.55.0 192.168.0.100 255.255.255.0 UG 0 0 0 eth0
192.168.35.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.0.100 128.0.0.0 UG 0 0 0 eth0
128.0.0.0 192.168.0.100 128.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.0.100 0.0.0.0 UG 0 0 0 eth0

# cat /etc/ipsec/ipsec.conf
version 2

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.35.0/255.255.255.0,%v4:!192.168.55.0/255.255.255.0

conn %default
    keyingtries=0
    disablearrivalcheck=no

conn ascn
    left=192.168.0.90
    leftnexthop=%defaultroute
    leftsubnet=192.168.35.0/255.255.255.0
    right=192.168.0.91
    rightsubnet=192.168.55.0/255.255.255.0
    rightnexthop=%defaultroute
    ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
    esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
    ikelifetime=1h
    keylife=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold
    pfs=yes
    authby=secret
    auto=start

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 888

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.35.0/24 !192.168.55.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.19-gentoo-r5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]

Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: nixgate [MISSING]
Cannot execute command "host -t txt nixgate": No such file or directory
Does the machine have at least one non-private address? [FAILED]

# ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=192.168.0.90
routenexthop=192.168.0.100

# ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.0.90
000 interface eth0/eth0 192.168.0.90
000 interface eth1/eth1 192.168.35.2
000 interface eth1/eth1 192.168.35.2
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,216} attrs={0,2,144}
000
000 "ascn": 192.168.35.0/24===192.168.0.90---192.168.0.100...192.168.0.100---192.168.0.91===192.168.55.0/24; erouted; eroute owner: #2
000 "ascn": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "ascn": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ascn": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; encap: esp;
000 "ascn": dpd: action:hold; delay:30; timeout:120;
000 "ascn": newest ISAKMP SA: #3; newest IPsec SA: #2;
000 "ascn": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1536(5), AES_CBC(7)_128-SHA1(2)-MODP1024(2), AES_CBC(7)_128-MD5(1)-MODP1536(5), AES_CBC(7)_128-MD5(1)-MODP1024(2), 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)-MODP1024(2), 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "ascn": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2), AES_CBC(7)_128-MD5(1)_128-MODP1536(5), AES_CBC(7)_128-MD5(1)_128-MODP1024(2), 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2), 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "ascn": IKE algorithm newest: AES_CBC_128-SHA1-MODP1536
000 "ascn": ESP algorithms wanted: AES(12)_128-SHA1(2), AES(12)_128-MD5(1), 3DES(3)_000-SHA1(2), 3DES(3)_000-MD5(1); flags=strict
000 "ascn": ESP algorithms loaded: AES(12)_128-SHA1(2), AES(12)_128-MD5(1), 3DES(3)_000-SHA1(2), 3DES(3)_000-MD5(1); flags=strict
000 "ascn": ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>
000 "block": 192.168.0.90[%myid]---192.168.0.100...%group; unrouted; eroute owner: #0
000 "block": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "block": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "block": policy: TUNNEL+PFS+GROUP+GROUTED+REJECT+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "block": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear": 192.168.0.90[%myid]---192.168.0.100...%group; unrouted; eroute owner: #0
000 "clear": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear": policy: TUNNEL+PFS+GROUP+GROUTED+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#128.63.2.53/32": 192.168.0.90[%myid]---192.168.0.100...%any===128.63.2.53/32; prospective erouted; eroute owner: #0
000 "clear#128.63.2.53/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#128.63.2.53/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#128.63.2.53/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#128.63.2.53/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#128.8.10.90/32": 192.168.0.90[%myid]---192.168.0.100...%any===128.8.10.90/32; prospective erouted; eroute owner: #0
000 "clear#128.8.10.90/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#128.8.10.90/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#128.8.10.90/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#128.8.10.90/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.112.36.4/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.112.36.4/32; prospective erouted; eroute owner: #0
000 "clear#192.112.36.4/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.112.36.4/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.112.36.4/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.112.36.4/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.203.230.10/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.203.230.10/32; prospective erouted; eroute owner: #0
000 "clear#192.203.230.10/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.203.230.10/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.203.230.10/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.203.230.10/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.228.79.201/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.228.79.201/32; prospective erouted; eroute owner: #0
000 "clear#192.228.79.201/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.228.79.201/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.228.79.201/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.228.79.201/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.33.4.12/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.33.4.12/32; prospective erouted; eroute owner: #0
000 "clear#192.33.4.12/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.33.4.12/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.33.4.12/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.33.4.12/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.36.148.17/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.36.148.17/32; prospective erouted; eroute owner: #0
000 "clear#192.36.148.17/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.36.148.17/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.36.148.17/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.36.148.17/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.5.5.241/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.5.5.241/32; prospective erouted; eroute owner: #0
000 "clear#192.5.5.241/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.5.5.241/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.5.5.241/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.5.5.241/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.58.128.30/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.58.128.30/32; prospective erouted; eroute owner: #0
000 "clear#192.58.128.30/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.58.128.30/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.58.128.30/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.58.128.30/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#193.0.14.129/32": 192.168.0.90[%myid]---192.168.0.100...%any===193.0.14.129/32; prospective erouted; eroute owner: #0
000 "clear#193.0.14.129/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#193.0.14.129/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#193.0.14.129/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#193.0.14.129/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#198.32.64.12/32": 192.168.0.90[%myid]---192.168.0.100...%any===198.32.64.12/32; prospective erouted; eroute owner: #0
000 "clear#198.32.64.12/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#198.32.64.12/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#198.32.64.12/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#198.32.64.12/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#198.41.0.4/32": 192.168.0.90[%myid]---192.168.0.100...%any===198.41.0.4/32; prospective erouted; eroute owner: #0
000 "clear#198.41.0.4/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#198.41.0.4/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#198.41.0.4/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#198.41.0.4/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#202.12.27.33/32": 192.168.0.90[%myid]---192.168.0.100...%any===202.12.27.33/32; prospective erouted; eroute owner: #0
000 "clear#202.12.27.33/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#202.12.27.33/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#202.12.27.33/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#202.12.27.33/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear-or-private": 192.168.0.90[%myid]---192.168.0.100...%opportunisticgroup; unrouted; eroute owner: #0
000 "clear-or-private": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear-or-private": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "clear-or-private": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+GROUTED+PASS+failurePASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear-or-private": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "packetdefault": 0.0.0.0/0===192.168.0.90[%myid]---192.168.0.100...%opportunistic; prospective erouted; eroute owner: #0
000 "packetdefault": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "packetdefault": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "packetdefault": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failurePASS+lKOD+rKOD; prio: 0,0; interface: eth0; encap: esp;
000 "packetdefault": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private": 192.168.0.90[%myid]---192.168.0.100...%opportunisticgroup; unrouted; eroute owner: #0
000 "private": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "private": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+GROUTED+failureDROP+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "private": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear": 192.168.0.90[%myid]---192.168.0.100...%opportunisticgroup; unrouted; eroute owner: #0
000 "private-or-clear": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "private-or-clear": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private-or-clear": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+GROUTED+failurePASS+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "private-or-clear": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#0.0.0.0/0": 192.168.0.90[%myid]---192.168.0.100...%opportunistic; prospective erouted; eroute owner: #0
000 "private-or-clear#0.0.0.0/0": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "private-or-clear#0.0.0.0/0": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private-or-clear#0.0.0.0/0": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failurePASS+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "private-or-clear#0.0.0.0/0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "ascn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 24586s; newest IPSEC; eroute owner
000 #2: "ascn" esp.2ec1503b@192.168.0.91 esp.135442ca@192.168.0.90 tun.0@192.168.0.91 tun.0@192.168.0.90
000 #1: "ascn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 433s; lastdpd=617s(seq in:8878 out:0)
000 #3: "ascn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1969s; newest ISAKMP; lastdpd=17s(seq in:29893 out:0)
000
000 192.168.0.90/32:0 -0-> 65.207.183.49/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 65.207.183.49/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 129.33.13.208/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 194.67.45.98/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 194.67.45.123/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 129.33.13.208/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 194.67.45.123/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 77.234.201.242/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 77.234.201.242/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.100/32:0 -0-> 192.168.35.30/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.30/32:0 -0-> 192.168.0.100/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 88.212.196.78/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 81.19.66.19/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 195.146.77.222/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 195.146.77.222/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.2/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.100/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.194/32:0 -0-> 192.168.0.100/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 81.19.66.19/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 81.19.66.19/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 195.190.105.235/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 205.188.13.52/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 194.67.45.13/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 81.19.66.20/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 194.67.23.102/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 194.67.23.102/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 81.19.66.20/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.16/32:0 -0-> 194.67.23.102/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.16/32:0 -0-> 81.19.66.20/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 88.212.196.67/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 194.67.45.13/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 205.188.8.134/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.16/32:0 -0-> 205.188.8.134/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 205.188.8.134/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 205.188.8.238/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 205.188.8.238/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.194/32:0 -0-> 205.188.8.238/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 88.212.196.77/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 88.212.196.105/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.100/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 89.108.124.101/32:0 -0-> 192.168.35.30/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.16/32:0 -0-> 192.168.0.100/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 89.108.124.101/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.30/32:0 -0-> 89.108.124.101/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.2/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 195.209.233.192/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 195.209.233.192/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 192.168.0.100/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): failure querying DNS for KEY of nixgate.: Host name lookup failure
000 192.168.35.16/32:0 -0-> 195.209.233.192/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): failure querying DNS for KEY of nixgate.: Host name lookup failure

# traceroute 192.168.55.101
traceroute to 192.168.55.101 (192.168.55.101), 30 hops max, 40 byte packets
1 ACHTUNG.sbs (192.168.0.100) 0.533 ms 0.547 ms 0.577 ms
2 vl800.cr1-faber.r.westcall.net (84.52.109.177) 2.228 ms 2.225 ms 2.528 ms
3 c7206.rtr-morsk.westcall.net (84.52.73.45) 2.164 ms 2.129 ms 2.130 ms
4 c7206.rtr-morsk.westcall.net (84.52.73.45) 2.099 ms 2.147 ms 2.149 ms
5 87.226.229.161 (87.226.229.161) 20.904 ms 20.915 ms 20.924 ms
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *

I can't figure out where the snag is; help me out, good people.

The problem, as I understand it, is in the stack implementation. On one side NETKEY (Gentoo), on the other KLIPS (IpCop)... So the question now is: how do I enable the KLIPS implementation in a 2.6 kernel?
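Two checks worth running against output like the above before blaming the stack. First, an IPsec policy only protects packets whose source and destination fall inside the connection's selectors: the "ascn" entry in `ipsec auto --status` covers 192.168.35.0/24 on this side and 192.168.55.0/24 on the other, so a probe sent from the gateway itself with its own eth0 address (192.168.0.90) as source is outside the selectors and is routed in the clear, exactly as traceroute shows; test from a host in leftsubnet, or with a source address in it. Second, `ipsec verify` asks for send_redirects and accept_redirects to be disabled on a NETKEY host (the /proc entries it names are the same settings as the net.ipv4.conf.*.send_redirects and net.ipv4.conf.*.accept_redirects sysctls). The script below is an added example, not code from this thread or from Openswan: it parses status lines in the shape shown above (the connection line, the "newest ... SA" line and the per-state "#N:" lines), answers whether a given src/dst pair is covered by the tunnel, and audits constructed `sysctl` output for redirect settings still enabled. The sample status lines and sysctl values are constructed for the example, with the addresses taken from the thread.

```python
import ipaddress
import re

# Constructed sample of `ipsec auto --status` output for the "ascn" connection,
# in the format Openswan prints it; addresses come from the thread above.
STATUS_LINES = [
    '000 "ascn": 192.168.35.0/24===192.168.0.90---192.168.0.100...'
    '192.168.0.100---192.168.0.91===192.168.55.0/24; erouted; eroute owner: #2',
    '000 "ascn": newest ISAKMP SA: #3; newest IPsec SA: #2;',
    '000 #2: "ascn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); '
    'EVENT_SA_REPLACE in 24586s; newest IPSEC; eroute owner',
    '000 #3: "ascn":500 STATE_MAIN_I4 (ISAKMP SA established); '
    'EVENT_SA_REPLACE in 1969s; newest ISAKMP; lastdpd=17s(seq in:29893 out:0)',
]

# Connection summary line: leftsubnet===left---leftnexthop...rightnexthop---right===rightsubnet
CONN_RE = re.compile(
    r'^000 "(?P<name>[^"]+)": (?P<left>[\d./]+)===(?P<lhost>[\d.]+)---[\d.]+'
    r'\.\.\.[\d.]+---(?P<rhost>[\d.]+)===(?P<right>[\d./]+); (?P<route>[^;]+);'
)
# "newest ISAKMP SA: #N; newest IPsec SA: #M;" line for a connection
NEWEST_RE = re.compile(
    r'^000 "(?P<name>[^"]+)": newest ISAKMP SA: #(?P<isakmp>\d+); '
    r'newest IPsec SA: #(?P<ipsec>\d+);'
)
# Per-state line: 000 #N: "conn":port STATE_XXX (description); ...
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<name>[^"]+)":\d+ (?P<state>STATE_\w+) \((?P<desc>[^)]*)\)'
)


def parse_status(lines):
    """Return {conn_name: {left, right, lhost, rhost, route, newest_ipsec, states}}."""
    conns = {}
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            c = conns.setdefault(m['name'], {'states': [], 'newest_ipsec': 0})
            c['left'] = ipaddress.ip_network(m['left'])
            c['right'] = ipaddress.ip_network(m['right'])
            c['lhost'], c['rhost'], c['route'] = m['lhost'], m['rhost'], m['route']
            continue
        m = NEWEST_RE.match(line)
        if m:
            c = conns.setdefault(m['name'], {'states': [], 'newest_ipsec': 0})
            c['newest_ipsec'] = int(m['ipsec'])
            continue
        m = STATE_RE.match(line)
        if m:
            c = conns.setdefault(m['name'], {'states': [], 'newest_ipsec': 0})
            c['states'].append((int(m['num']), m['state'], m['desc']))
    return conns


def ipsec_sa_established(conn):
    """True when the connection reports a live IPsec (phase 2) SA."""
    return conn['newest_ipsec'] > 0 and any(
        'IPsec SA established' in desc for _, _, desc in conn['states'])


def traffic_is_protected(conn, src, dst):
    """True if src->dst lies inside the tunnel selectors in either direction.
    Anything else is not matched by the policy and leaves unencrypted."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    left, right = conn['left'], conn['right']
    return (src in left and dst in right) or (src in right and dst in left)


# Constructed sample of `sysctl net.ipv4.conf` output; the "all" entries and
# eth0's send_redirects are still enabled, which is what `ipsec verify` flags.
SYSCTL_LINES = [
    'net.ipv4.conf.all.send_redirects = 1',
    'net.ipv4.conf.all.accept_redirects = 1',
    'net.ipv4.conf.eth0.send_redirects = 1',
    'net.ipv4.conf.eth0.accept_redirects = 0',
    'net.ipv4.conf.eth1.send_redirects = 0',
    'net.ipv4.conf.eth1.accept_redirects = 0',
    'net.ipv4.conf.all.forwarding = 1',
]


def redirect_sysctls_to_fix(lines):
    """Return the redirect-related sysctl keys still set to 1 on a NETKEY host."""
    bad = []
    for line in lines:
        key, _, value = (part.strip() for part in line.partition('='))
        if key.endswith(('.send_redirects', '.accept_redirects')) and value == '1':
            bad.append(key)
    return bad


def sysctl_conf_fix(keys):
    """Lines for /etc/sysctl.conf that disable the offending keys."""
    return '\n'.join(f'{key} = 0' for key in keys)


if __name__ == '__main__':
    ascn = parse_status(STATUS_LINES)['ascn']
    print('ascn IPsec SA established:', ipsec_sa_established(ascn), '| route:', ascn['route'])
    for src in ('192.168.35.2', '192.168.0.90'):
        print(f'{src} -> 192.168.55.101 covered by tunnel:',
              traffic_is_protected(ascn, src, '192.168.55.101'))
    print(sysctl_conf_fix(redirect_sysctls_to_fix(SYSCTL_LINES)))
```

Run against real output by replacing the constructed lists with the lines of `ipsec auto --status` and `sysctl net.ipv4.conf`; the selector check is the quicker one to try first, since an established, erouted SA (as here) together with a probe that falls outside the selectors produces exactly the "tunnel up but traffic in the clear" picture shown above.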
>The problem, as I understand it, is in the stack implementation. On one side NETKEY (Gentoo),
>on the other KLIPS (IpCop)... So the question now is: how do I enable the KLIPS
>implementation in a 2.6 kernel?

You need to build the ipsec.ko module for the kernel, and openswan itself.