IPSec a nenavazujici se spojeni [delsi]

Zdenek SUTR Kaminski xkaminsk na rubisko.ascs.muni.cz
Pondělí Květen 5 11:25:45 CEST 2003 

Dobry den,

 mam takovy "mensi" problem.

Mam v ipsec.conf nadefinovane dva tunely. Konec prvniho tunelu zije a 
IPsec tam je nakonfigurovay, konec druheho tunelu taky zije, ale IPsec tam 
nakonfigurovany neni.

Pluto mi taky pochopitelne pise:

pluto[5667]: ERROR: asynchronous network error report on eth1 for message 
to 194.228.230.98 port 500, complainant 194.22.230.98: Connection refused 
[errno 111, origin ICMP type 3 code 3 (not authenticated)]
pluto[5667]: | next event EVENT_RETRANSMIT in 40 seconds for #1
... a porad to zkousi dal a dokolecka dokola

coz je pochopitelne a ocekavane. Problem vsak je, ze IPsec se vubec 
nepokusi nahodit ten funkcni tunel. V logu o nem neni ani zminak :-(((

Pokud mam v ipsec.conf definici jen toho prvniho tunelu, tak vsechno 
funguje jak ma:

pluto[6069]: "cscargo_jicin_i-liberec_bremse_i" #1: initiating Main Mode
pluto[6069]: "cscargo_jicin_i-liberec_bremse_i" #1: ISAKMP SA established
pluto[6069]: "cscargo_jicin_i-liberec_bremse_i" #2: initiating Quick Mode 
RSASIG+ENCRYPT+TUNNEL+PFS
pluto[6069]: "cscargo_jicin_i-liberec_bremse_i" #2: sent QI2, IPsec SA 
established

a vali to!

procitam manual k ipsec.conf jako blazen a nic tam nevidim :-( Urcite 
existuje nejaka volba, ktera toto osetruje, jen ji nemohu najit.

Pouzivam: rh8.0, 2.4.20 a freeswan-1.99

ipsec.conf:
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=all
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%dnsondemand
    rightrsasigkey=%dnsondemand

# TOTO je nefungujici tunel...
conn cscargo_i-radotin_i
    keyingtries=0
    left=194.228.238.164
    leftnexthop=194.228.238.161
    leftsubnet=192.168.0.0/16
    right=194.228.230.98
    rightnexthop=194.228.230.97
    rightsubnet=192.168.2.0/24
    auto=start
    leftid=@cscargo
    rightid=@radotin
    leftrsasigkey=...
    rightrsasigkey=...

# TOTO je funkcni tunel
conn cscargo_jicin_i-liberec_bremse_i
    keyingtries=0
    left=194.228.238.164
    leftnexthop=194.228.238.161
    leftsubnet=192.168.0.0/16
    right=149.244.166.147
    rightnexthop=149.244.166.14
    rightsubnet=149.244.166.0/23
    auto=start
    leftid=@cscargo
    rightid=@knorr_liberec
    leftrsasigkey=...
    rightrsasigkey=...

a to je vse. Nemate prosim nekdo nejaky tip?
Diiky.


-- 
Bc. Zdenek Kaminski <xkaminsk at fi.muni.cz>

homepage: http://www.fi.muni.cz/~xkaminsk/
IPv6 router homepage: http://www.liberouter.net/
Key: 0xD7315488
Key fingerprint: 3CB0 8108 CB76 446E 2895 AF33 9B3A 851B D731 5488

Další informace o konferenci Linux