После перезагрузки сервера не поднимается туннель. Пробовал обновить ipsec-tools - не помогло.
CentOS 5.3, /etc/sysconfig/network-scripts/ifcfg-ipsec1:
# Red Hat-style IPsec interface definition, sourced by the ifup/ifdown scripts.
# NOTE(review): this file is ifcfg-ipsec1, yet DEVICE is ipsec0 and the tunnel is
# brought up with 'ifup ipsec1'; the suffix and DEVICE normally agree — confirm
# which name is intended.
DEVICE=ipsec0
TYPE=IPSEC
ONBOOT=yes
# Pre-shared-key authentication; the key itself is not kept here — racoon reads
# it from its pre_shared_key path, which should stay root-only (mode 600).
IKE_METHOD=PSK
# Local/remote gateway and subnet parameters of the network-to-network tunnel
# (see the ifcfg-ipsec documentation for the exact meaning of each key).
SRCGW=192.168.50.5
DSTGW=192.168.50.33
SRCNET=192.168.50.0/27
DSTNET=192.168.50.32/27
# Public address of the remote gateway; also selects the per-peer include file
# 193.233.11.22.conf in /etc/racoon.
DST=193.233.11.22
racoon.conf:
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
# Search directory for files referenced by 'include' directives.
path include "/etc/racoon";
# PSK file: holds the shared secrets, keep it readable by root only.
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
# NOTE(review): debug2 is the most verbose level and may write negotiation
# payload dumps to the log; lower it (e.g. notify/info) once the parse
# failure below is resolved.
log debug2;
#
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# Bind ISAKMP to the public address only, UDP port 500.
listen
{
isakmp 87.65.43.21 [500];
}
## IKE phase 1
remote 193.233.11.22
{
# NOTE(review): allowing aggressive mode together with pre_shared_key exposes
# a PSK-derived hash to an unauthenticated peer; 'main' alone is the safer
# setting unless the remote side requires aggressive mode.
exchange_mode main,aggressive;
#doi ipsec_doi;
#situation identity_only;
my_identifier address 87.65.43.21;
#nonce_size 16;
lifetime time 28800 seconds;
#initial_contact on;
# 'obey' accepts the peer's proposal values rather than enforcing ours;
# see 'man racoon.conf' for 'strict' and 'claim'.
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
## IKE phase 2
# NOTE(review): every sainfo below accepts single DES and HMAC-MD5 as
# fallbacks; both are considered weak — drop them unless the peer cannot
# negotiate 3des/hmac_sha1.
sainfo address 192.168.50.0/27 any address 192.168.50.32/27 any
{
pfs_group 2;
lifetime time 28800 seconds ;
encryption_algorithm 3des, des ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
sainfo address 192.168.50.32/27 any address 192.168.50.0/27 any
{
pfs_group 2;
lifetime time 28800 seconds ;
encryption_algorithm 3des, des ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
sainfo address 192.168.50.0/27 any address 192.168.0.0/24 any
{
pfs_group 2;
lifetime time 28800 seconds ;
encryption_algorithm 3des, des ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
sainfo address 192.168.0.0/24 any address 192.168.50.0/27 any
# NOTE(review): this sainfo has no '{ ... }' body in the paste, so the listing
# appears to be cut off here. No 'include' directive is visible above, yet the
# log reports 'filename: /etc/racoon/.conf' — whatever produces that path is
# not among the lines shown.
193.233.11.22.conf:
# Per-peer include file; its name (193.233.11.22.conf) matches DST in
# ifcfg-ipsec1.
# NOTE(review): the 'remote' address here is 193.233.70.167, not 193.233.11.22,
# and racoon.conf already defines a 'remote 193.233.11.22' section — confirm
# which peer this file is meant to describe.
remote 193.233.70.167
{
# NOTE(review): as in racoon.conf, aggressive mode with PSK is weaker than
# main mode alone.
exchange_mode main,aggressive;
# No explicit address, unlike racoon.conf's 'my_identifier address 87.65.43.21'.
my_identifier address;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
[root@centos racoon]# /sbin/setkey /etc/racoon/setkey.conf
setkey: /etc/racoon/setkey.conf: Permission denied
Права на setkey.conf — 600, владелец root.
[root@centos racoon]# /sbin/ifup ipsec1
racoon: failed to parse configuration file.
[root@centos racoon]# /usr/sbin/racoon -F -v -d -f /etc/racoon/racoon.conf -l /var/log/racoon.log
Foreground mode.
2010-03-16 13:18:33: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
2010-03-16 13:18:33: INFO: @(#)This product linked OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 (http://www.openssl.org/)
2010-03-16 13:18:33: DEBUG: call pfkey_send_register for AH
2010-03-16 13:18:33: DEBUG: call pfkey_send_register for ESP
2010-03-16 13:18:33: DEBUG: call pfkey_send_register for IPCOMP
2010-03-16 13:18:33: DEBUG: reading config file /etc/racoon/racoon.conf
2010-03-16 13:18:33: DEBUG: hmac(modp1024)
2010-03-16 13:18:33: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2010-03-16 13:18:33: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2010-03-16 13:18:33: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2010-03-16 13:18:33: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2010-03-16 13:18:33: DEBUG: filename: /etc/racoon/.conf
2010-03-16 13:18:33: ERROR: glob found no matches for path
2010-03-16 13:18:33: ERROR: fatal parse failure.
racoon: failed to parse configuration file.
[root@centos racoon]#
Откуда берётся /etc/racoon/.conf — не понимаю.
В чем проблема? Никакие настройки не менялись.