racoon ipsec <-> zywall 5, long - addendum
Mato Gajdos
mato at d15.sk
Thursday July 10 12:54:35 CEST 2008
Hello,
I forgot the ipsec.conf:
#!/usr/sbin/setkey -f
#nat_traversal=yes
flush;
spdflush;
spdadd 192.168.0.10[any] 192.168.100.0/24[any] any -P out ipsec
esp/tunnel/192.168.0.10-SG.SG.SG.SG/require ;
spdadd 192.168.100.0/24[any] 192.168.0.10[any] any -P in ipsec
esp/tunnel/SG.SG.SG.SG-192.168.0.10/require ;
**************************************************************
Have a nice day,
I am trying to get an IPsec VPN working, without success.
Situation:
[client] <--> [GWC] <-- internet --> [ADSL] <--> [ZyWall5] <--> [target LAN]
client: 192.168.0.10, gentoo linux 2.6.25-gentoo-r6, ipsec-tools-0.6.7
GWC: NAT GW. WAN IP: CG.CG.CG.CG, forwards UDP 500 and 4500 to client
ADSL: WAN IP: SG.SG.SG.SG, forwards 500 to ZyWall
target LAN: 192.168.100.0/24
After starting racoon and pinging a host in the target LAN, the racoon log looks like this:
2008-07-10 12:01:35: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
2008-07-10 12:01:35: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
2008-07-10 12:01:35: INFO: 192.168.0.10[500] used as isakmp port (fd=6)
2008-07-10 12:01:35: INFO: 192.168.0.10[500] used for NAT-T
2008-07-10 12:01:35: INFO: 192.168.0.10[4500] used as isakmp port (fd=7)
2008-07-10 12:01:35: INFO: 192.168.0.10[4500] used for NAT-T
2008-07-10 12:01:47: INFO: IPsec-SA request for SG.SG.SG.SG queued due to no phase1 found.
2008-07-10 12:01:47: INFO: initiate new phase 1 negotiation: 192.168.0.10[500]<=>SG.SG.SG.SG[500]
2008-07-10 12:01:47: INFO: begin Aggressive mode.
2008-07-10 12:01:48: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2008-07-10 12:01:48: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-00
2008-07-10 12:01:48: INFO: Hashing 192.168.0.10[500] with algo #1
2008-07-10 12:01:48: INFO: NAT-D payload #-1 doesn't match
2008-07-10 12:01:48: INFO: Hashing SG.SG.SG.SG[500] with algo #1
2008-07-10 12:01:48: INFO: NAT-D payload #0 doesn't match
2008-07-10 12:01:48: INFO: NAT detected: ME PEER
2008-07-10 12:01:48: INFO: KA list add: 192.168.0.10[500]->SG.SG.SG.SG[500]
2008-07-10 12:01:48: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
2008-07-10 12:01:48: INFO: Adding remote and local NAT-D payloads.
2008-07-10 12:01:48: INFO: Hashing SG.SG.SG.SG[500] with algo #1
2008-07-10 12:01:48: INFO: Hashing 192.168.0.10[500] with algo #1
2008-07-10 12:01:48: INFO: ISAKMP-SA established 192.168.0.10[500]-SG.SG.SG.SG[500] spi:a711d657e0928c96:b8cb97467d024f0d
2008-07-10 12:01:48: INFO: initiate new phase 2 negotiation: 192.168.0.10[500]<=>SG.SG.SG.SG[500]
2008-07-10 12:01:48: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
2008-07-10 12:01:49: WARNING: attribute has been modified.
2008-07-10 12:01:49: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
2008-07-10 12:01:49: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
2008-07-10 12:01:49: INFO: IPsec-SA established: ESP/Tunnel SG.SG.SG.SG[0]->192.168.0.10[0] spi=77699812(0x4a19ae4)
2008-07-10 12:01:49: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.10[0]->SG.SG.SG.SG[0] spi=3670754123(0xdacb434b)
Does anyone knowledgeable see a fundamental problem there? Judging by the last two
lines I am convinced that the connection succeeded. Although I am not
100% sure about that :-).
Tcpdump on [GWC] shows this:
(establishment)
12:01:48.008203 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 1 I agg
12:01:48.755760 IP SG.SG.SG.SG.500 > CG.CG.CG.CG.500: isakmp: phase 1 R agg
12:01:48.780412 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 1 I agg
12:01:48.781367 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others I inf[E]
12:01:48.793385 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others I oakley-quick[E]
12:01:49.538332 IP SG.SG.SG.SG.500 > CG.CG.CG.CG.500: isakmp: phase 2/others R oakley-quick[E]
12:01:49.540478 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others I oakley-quick[E]
12:01:49.562731 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #246[EC]
12:01:50.562247 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #125[C]
12:01:55.562376 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: [|isakmp]
(ping of a host in the target LAN)
12:02:05.763689 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #80[E]
12:02:06.763675 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #156[C]
12:02:13.870675 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #177[E]
12:02:14.869877 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #50[]
12:02:15.562872 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: [|isakmp]
12:02:15.869885 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #140[EC]
12:02:16.869908 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #214[E]
12:02:17.869943 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #42[]
12:02:18.869975 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #23[C]
12:02:19.869996 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #196[E]
12:02:20.870014 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #206[EC]
12:02:21.870045 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #41[EC]
12:02:22.870082 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #212[E]
12:02:23.870081 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #181[EC]
12:02:24.870151 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #138[C]
Here I clearly see that the packets go only one way; nothing comes from the other side.
I have no idea where the catch is.
racoon configuration:
log notify;
path pre_shared_key "/etc/racoon/psk.txt";

listen
{
    isakmp_natt 192.168.0.10[4500];
    isakmp 192.168.0.10[500];
}

padding {
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

timer {
    counter 5;
    interval 20 sec;
    persend 1;
    phase1 30 sec;
    phase2 30 sec;
    natt_keepalive 10 sec;
}

remote SG.SG.SG.SG {
    exchange_mode aggressive;
    proposal_check obey;
    initial_contact on;
    nat_traversal on;
    my_identifier fqdn "aaaaaaaaaaaaaaaaaa";
    peers_identifier fqdn "bbbbbbbbbbbbbbbbbb";
    nonce_size 16;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
        lifetime time 28800 sec;
    }
}

sainfo address 192.168.0.10/32 any address 192.168.100.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group modp1024;
}
I assume there is not much that can go wrong in psk.txt, but just to be
sure, it looks like this:
SG.SG.SG.SG xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Where xxxx is the preshared key.
Does anyone have an idea what to do?
BTW, from Windows it works OK. Same machine (notebook). The only difference
I found with tcpdump is in the flags of the UDP packet: when going from Linux
it has DF set, in the case of Windows there is none [none].
Best regards,
Matej Gajdos
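Added example, not code from the post or from ipsec-tools: a small Python checker that reads a racoon log and pulls out the NAT detection, the ISAKMP/IPsec-SA status and any "Adjusting my encmode" fallback, then flags the situation visible in the log above, where NAT was detected but the ESP SAs were nevertheless installed in plain Tunnel mode. The sample lines are copied from the racoon output in the post; the report layout and the finding texts are my own.

```python
"""Check a racoon (ipsec-tools) log for a NAT-T negotiation that fell back
to plain ESP tunnel mode. Added example, not code from the original post."""
import re

# Sample input: the relevant lines copied from the racoon log in the post.
SAMPLE_LOG = """\
2008-07-10 12:01:48: INFO: NAT detected: ME PEER
2008-07-10 12:01:48: INFO: ISAKMP-SA established 192.168.0.10[500]-SG.SG.SG.SG[500] spi:a711d657e0928c96:b8cb97467d024f0d
2008-07-10 12:01:48: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
2008-07-10 12:01:49: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
2008-07-10 12:01:49: INFO: IPsec-SA established: ESP/Tunnel SG.SG.SG.SG[0]->192.168.0.10[0] spi=77699812(0x4a19ae4)
2008-07-10 12:01:49: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.10[0]->SG.SG.SG.SG[0] spi=3670754123(0xdacb434b)
"""

# Regexes for the two racoon messages the check relies on.
ENCMODE_RE = re.compile(r"Adjusting my encmode (\S+)->(\S+)")
SA_RE = re.compile(r"IPsec-SA established: ESP/(\S+) (\S+)->(\S+) spi=(\d+)")


def analyse(log_text):
    """Return NAT detection, agreed encapsulation mode, ESP SAs and findings."""
    report = {"nat_detected": False, "isakmp_sa": False,
              "encmode": None, "esp_sas": [], "findings": []}
    for line in log_text.splitlines():
        if "INFO: NAT detected:" in line:          # NAT-D hashes did not match
            report["nat_detected"] = True
        elif "ISAKMP-SA established" in line:      # phase 1 completed
            report["isakmp_sa"] = True
        elif m := ENCMODE_RE.search(line):         # mode racoon had to accept
            report["encmode"] = m.group(2)
        elif m := SA_RE.search(line):              # phase 2 SA installed
            mode, src, dst, spi = m.groups()
            report["esp_sas"].append(
                {"mode": mode, "src": src, "dst": dst, "spi": int(spi)})
    if report["encmode"] and report["encmode"] != "UDP-Tunnel":
        report["findings"].append(
            "peer rejected UDP encapsulation; racoon adjusted its encmode to "
            + report["encmode"])
    if report["nat_detected"] and any(s["mode"] == "Tunnel" for s in report["esp_sas"]):
        report["findings"].append(
            "NAT detected but ESP SAs are plain Tunnel: ESP (IP protocol 50) must "
            "cross the NAT devices itself; forwarding UDP 500/4500 does not carry it")
    return report


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("ESP SAs:", [(s["mode"], s["src"], s["dst"]) for s in result["esp_sas"]])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Feed it a full racoon log (for example `python3 check.py < /var/log/racoon.log` after replacing SAMPLE_LOG with `sys.stdin.read()`) to get the same summary for a live negotiation.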