вот логи и конфиги
2007-11-13 16:07:10: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
2007-11-13 16:07:10: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-11-13 16:07:10: INFO: YYY.YYY.YYY.YYY[500] used as isakmp port (fd=6)
2007-11-13 16:08:07: INFO: IPsec-SA request for XXX.XXX.XXX.XXX queued due to no phase1 found.
2007-11-13 16:08:07: INFO: initiate new phase 1 negotiation: YYY.YYY.YYY.YYY[500]<=>XXX.XXX.XXX.XXX[500]
2007-11-13 16:08:07: INFO: begin Aggressive mode.
2007-11-13 16:08:07: INFO: received Vendor ID: DPD
2007-11-13 16:08:07: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
2007-11-13 16:08:07: ERROR: HASH mismatchedконфиг racoon
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log notify;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
#isakmp ::1 [7000];
isakmp YYY.YYY.YYY.YYY [500];
#admin [7002]; # administrative's port by kmpstat.
#strict_address; # required all addresses must be bound.
}
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}
remote anonymous
{
#exchange_mode main,aggressive;
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier address;
#certificate_type x509 "mycert" "mypriv";
#nonce_size 16;
lifetime time 2 min; # sec,min,hour
initial_contact on;
#support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 2 min;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
скриптик ipsec.conf
spdadd yyy.yyy.yyy.yyy/32 xxx.xxx.xxx.xxx/32 ipencap -P out ipsec esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/require;
spdadd xxx.xxx.xxx.xxx/32 yyy.yyy.yyy.yyy/32 ipencap -P in ipsec esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/require;
скриптик запуска туннеля
ifconfig gif1 create tunnel yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx
ifconfig gif1 inet 172.16.2.66 172.16.1.66 netmask 255.255.255.255 mtu 1450
route add 172.16.1.0 172.16.1.66
в fw добавил такие вещи
${fwcmd} add pass all from any to any via gif0
${fwcmd} add pass udp from yyy.yyy.yyy.yyy to xxx.xxx.xxx.xxx isakmp
${fwcmd} add pass udp from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy isakmp
${fwcmd} add pass esp from yyy.yyy.yyy.yyy to xxx.xxx.xxx.xxx
${fwcmd} add pass esp from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy
${fwcmd} add pass ipencap from yyy.yyy.yyy.yyy to xxx.xxx.xxx.xxx
${fwcmd} add pass ipencap from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy