Hello. I have a problem with IPsec (Openswan): I need to connect two local networks over the Internet through an encrypted channel. Both machines run Slackware 10.2, kernel 2.4.32 with the ipsec patches applied. The interfaces come up and the connection is established, but pings do not go through! If anyone knows what the problem might be, please advise!

Below is the output of ifconfig, netstat -nr, ipsec verify, ipsec --initiate --name one, ipsec auto --status, and the ipsec config. All IP addresses have been changed. The config is identical on both machines. Please help, I need to solve this very urgently!
ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:D3:62:92:6C
inet addr:8.20.16.18 Bcast:8.20.16.183 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4382 errors:0 dropped:0 overruns:0 frame:0
TX packets:5483 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1122212 (1.0 Mb) TX bytes:546887 (534.0 Kb)
Interrupt:5 Base address:0xa400
eth1 Link encap:Ethernet HWaddr 00:11:95:F7:F6:E6
inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3135 errors:0 dropped:0 overruns:0 frame:0
TX packets:1685 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:291276 (284.4 Kb) TX bytes:324255 (316.6 Kb)
Interrupt:10
ipsec0 Link encap:Ethernet HWaddr 00:13:D3:62:92:6C
inet addr:8.20.16.18 Mask:255.255.255.248
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:432 errors:0 dropped:143 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:73352 (71.6 Kb)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
8.20.16.176 0.0.0.0 255.255.255.248 U 0 0 0 eth0
8.20.16.176 0.0.0.0 255.255.255.248 U 0 0 0 ipsec0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.99.0 8.20.16.177 255.255.255.0 UG 0 0 0 ipsec0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 8.20.16.177 0.0.0.0 UG 0 0 0 eth0
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan cvs2002Mar12_03:19:03 (klips)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
ipsec whack --initiate --name one
002 "one" #4: initiating Quick Mode RSASIG+ENCRYPT+AUTHENTICATE+TUNNEL+PFS+UP {using isakmp#1}
117 "one" #4: STATE_QUICK_I1: initiate
002 "one" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "one" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x976ae219 <0xa44ae1df xfrm=3DES_0- AH=>0x976ae218 <0xa44ae1de NATD=21.3.4.170:500 DPD=none}
ipsec auto --status
000 interface ipsec0/eth0 8.20.16.18
000 interface ipsec0/eth0 8.20.16.18
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "one": 192.168.0.0/24===8.20.16.18---8.20.16.177...8.20.16.177---21.3.4.170===192.168.99.0/24; erouted; eroute owner: #3
000 "one": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "one": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "one": policy: RSASIG+ENCRYPT+AUTHENTICATE+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "one": newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "one": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #3: "one":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27845s; newest IPSEC; eroute owner
000 #3: "one" ah.976ae216@21.3.4.170 ah.a44ae1dc@8.20.16.18 esp.976ae217@21.3.4.170 esp.a44ae1dd@8.20.16.18 tun.1004@21.3.4.170 tun.1003@8.20.16.18
000 #2: "one":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27472s
000 #2: "one" ah.976ae214@21.3.4.170 ah.a44ae1da@8.20.16.18 esp.976ae215@21.3.4.170 esp.a44ae1db@8.20.16.18 tun.1002@21.3.4.170 tun.1001@8.20.16.18
000 #1: "one":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2449s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 private"
	# eg:
	plutodebug=all
	nat_traversal=yes
	forwardcontrol=yes
	klipsdebug=none
	# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
# Add connections here
# sample VPN connection
conn one
	type=tunnel
	left=82.204.162.18
	leftsubnet=192.168.0.0/24
	leftnexthop=%defaultroute
	right=21.3.4.170
	rightsubnet=192.168.99.0/24
	rightnexthop=%defaultroute
	auth=esp
	authby=rsasig
	auto=start
	rightrsasigkey=0sAQPMZT+...
	leftrsasigkey=0sAQOShN8gY6VLUVc...
include /etc/ipsec.d/examples/no_oe.conf
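Added example, not part of the original post and not Openswan code: a small Python checker that reads the ifconfig, netstat -nr and `ipsec auto --status` text pasted above and reports the three things a practitioner checks first for the "SA established but no pings" symptom: whether the ISAKMP and IPsec SAs are up and the connection is erouted, whether the remote subnet is routed via ipsec0, and whether ipsec0 is transmitting without ever receiving. The sample strings are copied from the post (trimmed to the lines the parser needs); the function names are my own.

```python
"""Diagnose a KLIPS/Openswan tunnel that negotiates but passes no traffic.

Added example (not from the original post or from Openswan). It parses the
text output of ifconfig, netstat -nr and `ipsec auto --status` and returns
the facts needed to localise a "tunnel up, no pings" problem.
"""
import re

# Sample input, copied from the post above and trimmed to the lines the
# parser needs (constructed for this example).
IFCONFIG = """\
eth0 Link encap:Ethernet HWaddr 00:13:D3:62:92:6C
inet addr:8.20.16.18 Bcast:8.20.16.183 Mask:255.255.255.248
RX packets:4382 errors:0 dropped:0 overruns:0 frame:0
TX packets:5483 errors:0 dropped:0 overruns:0 carrier:0
ipsec0 Link encap:Ethernet HWaddr 00:13:D3:62:92:6C
inet addr:8.20.16.18 Mask:255.255.255.248
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:432 errors:0 dropped:143 overruns:0 carrier:0
"""

NETSTAT = """\
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
8.20.16.176 0.0.0.0 255.255.255.248 U 0 0 0 eth0
8.20.16.176 0.0.0.0 255.255.255.248 U 0 0 0 ipsec0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.99.0 8.20.16.177 255.255.255.0 UG 0 0 0 ipsec0
0.0.0.0 8.20.16.177 0.0.0.0 UG 0 0 0 eth0
"""

STATUS = """\
000 "one": 192.168.0.0/24===8.20.16.18---8.20.16.177...8.20.16.177---21.3.4.170===192.168.99.0/24; erouted; eroute owner: #3
000 #3: "one":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27845s; newest IPSEC; eroute owner
000 #1: "one":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2449s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
"""


def parse_ifconfig(text):
    """Return {iface: {rx_packets, rx_dropped, tx_packets, tx_dropped}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+Link encap", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {}
            continue
        if cur is None:
            continue
        m = re.search(r"\b(RX|TX) packets:(\d+).*?dropped:(\d+)", line)
        if m:
            d = m.group(1).lower()
            ifaces[cur][d + "_packets"] = int(m.group(2))
            ifaces[cur][d + "_dropped"] = int(m.group(3))
    return ifaces


def parse_routes(text):
    """Return (destination, genmask, iface) tuples from netstat -nr output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and re.match(r"\d+\.\d+\.\d+\.\d+$", f[0]):
            routes.append((f[0], f[2], f[7]))
    return routes


def parse_status(text):
    """Pick SA state, eroute state and the remote subnet out of --status."""
    info = {"ike_sa": False, "ipsec_sa": False, "erouted": False, "remote_subnet": None}
    for line in text.splitlines():
        if "ISAKMP SA established" in line:
            info["ike_sa"] = True
        if "IPsec SA established" in line:
            info["ipsec_sa"] = True
        # right side of the conn line: ...===192.168.99.0/24; erouted; ...
        m = re.search(r"===(\d+\.\d+\.\d+\.\d+)/(\d+);\s*erouted", line)
        if m:
            info["erouted"] = True
            info["remote_subnet"] = (m.group(1), int(m.group(2)))
    return info


def prefix_to_mask(bits):
    """Turn a /bits prefix length into a dotted netmask (24 -> 255.255.255.0)."""
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return ".".join(str((mask >> (24 - 8 * i)) & 0xFF) for i in range(4))


def diagnose(ifconfig, netstat, status, tunnel="ipsec0"):
    """Return a dict of findings for the 'SA up but no pings' symptom."""
    ifaces = parse_ifconfig(ifconfig)
    routes = parse_routes(netstat)
    st = parse_status(status)
    findings = {"ike_sa": st["ike_sa"], "ipsec_sa": st["ipsec_sa"], "erouted": st["erouted"]}
    net, bits = st["remote_subnet"] if st["remote_subnet"] else (None, 0)
    findings["remote_route_via_tunnel"] = bool(net) and any(
        d == net and g == prefix_to_mask(bits) and i == tunnel for d, g, i in routes
    )
    t = ifaces.get(tunnel, {})
    findings["tunnel_tx_packets"] = t.get("tx_packets", 0)
    findings["tunnel_tx_dropped"] = t.get("tx_dropped", 0)
    findings["tunnel_rx_packets"] = t.get("rx_packets", 0)
    # Sending into the tunnel but never receiving anything back: the far
    # end is not answering through the tunnel, or its replies never arrive.
    findings["one_way"] = findings["tunnel_tx_packets"] > 0 and findings["tunnel_rx_packets"] == 0
    return findings


if __name__ == "__main__":
    for k, v in diagnose(IFCONFIG, NETSTAT, STATUS).items():
        print(f"{k:26} {v}")
```

Run stand-alone on the posted output it reports ike_sa, ipsec_sa and erouted all true, the 192.168.99.0/24 route via ipsec0 present, and ipsec0 with 432 packets sent, 143 dropped and 0 received. With IKE, the IPsec SA and the eroute all in place, traffic that only flows one way points at the return path rather than at the negotiation: on the far gateway, check with `tcpdump -n -i ipsec0` whether the ICMP requests arrive and the replies are handed back to ipsec0; on both gateways, check with `tcpdump -n -i eth0 'esp or ah or udp port 4500'` that the encapsulated packets actually reach the other side; and verify that no iptables FORWARD rule on either gateway drops traffic between the two subnets. On a KLIPS ipsec0, TX drops usually mean packets were handed to the interface while no matching eroute/SA was available yet (for example while the tunnel was still negotiating), so a drop count alone is not the fault, but a rising count after the SA is up is.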