racoon ipsec <-> zywall 5, long - follow-up
Mato Gajdos
mato at d15.sk
Fri Jul 11 13:23:36 CEST 2008
Hello,
I pulled this from the ZyWALL log:
07/11/2008 08:41:23 Rule [Design d15] Tunnel built successfully
C.C.C.C S.S.S.S IKE
07/11/2008 08:41:23 The cookie pair is : 0xEACBBA820414E012 /
0x66E6365B988AFBE4 C.C.C.C S.S.S.S IKE
07/11/2008 08:41:22 Recv:[HASH] C.C.C.C S.S.S.S IKE
07/11/2008 08:41:22 The cookie pair is : 0xEACBBA820414E012 /
0x66E6365B988AFBE4 C.C.C.C S.S.S.S IKE
07/11/2008 08:41:22 Send:[HASH][SA][NONCE][NATOA][KE][I988AFBE4
S.S.S.S C.C.C.C IKE
07/11/2008 08:41:22 The cookie pair is : 0xEACBBA820414E012 /
0x66E6365B988AFBE4 S.S.S.S C.C.C.C IKE
07/11/2008 08:41:21 Swap rule to rule [Design d15] C.C.C.C
S.S.S.S IKE
07/11/2008 08:41:21 The cookie pair is : 0xEACBBA820414E012 /
0x66E6365B988AFBE4 C.C.C.C S.S.S.S IKE
07/11/2008 08:41:21 Swap rule to rule [Design d15] C.C.C.C
S.S.S.S IKE
07/11/2008 08:41:21 The cookie pair is : 0xEACBBA820414E012 /
0x66E6365B988AFBE4 C.C.C.C S.S.S.S IKE
07/11/2008 08:41:21 Start Phase 2: Quick Mode C.C.C.C S.S.S.S IKE
07/11/2008 08:41:21 The cookie pair is : 0xEACBBA820414E012 /
0x66E6365B988AFBE4 C.C.C.C S.S.S.S IKE
07/11/2008 08:41:21 Recv:[HASH][SA][NONCE][KE][ID][ID] C.C.C.C
S.S.S.S IKE
07/11/2008 08:41:21 The cookie pair is : 0xEACBBA820414E012 /
0x66E6365B988AFBE4 C.C.C.C S.S.S.S IKE
07/11/2008 08:41:21 Recv:[HASH][NOTFY:INIT_CONTACT] C.C.C.C
S.S.S.S IKE
07/11/2008 08:41:21 The cookie pair is : 0xEACBBA820414E012 /
0x66E6365B988AFBE4 C.C.C.C S.S.S.S IKE
07/11/2008 08:41:21 Phase 1 IKE SA process done S.S.S.S C.C.C.C IKE
07/11/2008 08:41:21 The cookie pair is : 0xEACBBA820414E012 /
0x66E6365B988AFBE4 S.S.S.S C.C.C.C IKE
07/11/2008 08:41:21 Recv:[HASH][NATD][NATD] C.C.C.C S.S.S.S IKE
07/11/2008 08:41:21 The cookie pair is : 0xEACBBA820414E012 /
0x66E6365B988AFBE4 C.C.C.C S.S.S.S IKE
07/11/2008 08:41:20 Send:[SA][KE][NONCE][ID][HASH][VID]988AFBE4
S.S.S.S C.C.C.C IKE
07/11/2008 08:41:20 The cookie pair is : 0xEACBBA820414E012 /
0x66E6365B988AFBE4 S.S.S.S C.C.C.C IKE
07/11/2008 08:41:19 Recv:[SA][KE][NONCE][ID][VID][VID][988AFBE4
C.C.C.C S.S.S.S IKE
07/11/2008 08:41:19 The cookie pair is : 0xEACBBA820414E012 /
0x66E6365B988AFBE4 C.C.C.C S.S.S.S IKE
07/11/2008 08:41:19 Recv Aggressive Mode request from [C.C.C.C]
C.C.C.C S.S.S.S IKE
07/11/2008 08:41:19 Rule [Design d15] Receiving IKE request
C.C.C.C S.S.S.S IKE
07/11/2008 08:41:19 The cookie pair is : 0xEACBBA820414E012 /
0x66E6365B988AFBE4 C.C.C.C S.S.S.S IKE
C.C.C.C is the public IP of the gateway from behind which I connect
S.S.S.S is the WAN IP of the ZyWALL
Judging by "Tunnel built successfully" it looks OK. I have read here and
there about some problems with MTU and MSS, mainly when going through ADSL
modems (which are "along the way"). I wonder whether that is the catch.
I will also try to get details out of it somehow via the command line (ipsec
debug) directly over telnet; it is a bit complicated for me, because I am
trying all of this remotely, and the only way I can connect is through a VPN
client from Windows to that ZyWALL. BTW there is some prehistoric FW on it
(probably from 2005).
Mato Gajdos
Mašek Radek wrote:
> Good evening,
>
>
>> The worst thing about it is that the other side, the Zywall 5, writes
>> nothing interesting in the log (i.e. it does not complain and acts as if
>> everything is OK).
>>
>
> I would say the Zyxel will have an option to enable logging of all IKE and
> IPsec SAD and SPD.
> I push it into them over telnet and have every IKE communication and the
> policy entries in the log
>
> sys logs load
> sys logs category ipsec 1
> sys logs category ike 1
> sys logs save
>
> it should also be possible to set this through the web interface
>
> in addition, diagnostics can be turned on over telnet to show the SA and
> SPD runtime ;-)
>
>
>>> You list the SAD with setkey -D
>>>
>
> I apologize a little for setkey -D; the SAD is loaded via racoon .. what
> matters is the SPD, which the kernel creates based on IKE .. you list that
> with setkey -DP
>
> Radek Masek
Best regards,
Matej Gajdos
--
Design d15 v.o.s
creative design studio
http://www.d15.sk, http://photo.d15.sk
E-mail: design at d15.sk
Bystricka cesta 68, 034 01 Ruzomberok
ICO: 36 401 200
DIC: 202 160 0592
mobile: 0907 809 846
tel: 044 430 30 67, fax: 044 430 30 66
jabber: matoo at jabbim.sk
ICQ: 295618680
--
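
Added example (not part of the original post): a Python sketch that rejoins the wrapped, newest-first ZyWALL log entries of the kind quoted above, orders them chronologically and reports which IKE milestones appear. The sample log, its rule name, addresses and cookie values are constructed, and the function names are hypothetical; it covers only the IKE negotiation messages, not whether traffic passes through the tunnel afterward.

```python
import re

# Constructed sample in the ZyWALL layout quoted above: newest entry first,
# long entries wrapped. Rule name, addresses and cookies are made up.
SAMPLE = """\
07/11/2008 08:41:23 Rule [Example] Tunnel built successfully
192.0.2.10 198.51.100.20 IKE
07/11/2008 08:41:23 The cookie pair is : 0x1111111111111111 /
0x2222222222222222 192.0.2.10 198.51.100.20 IKE
07/11/2008 08:41:21 Start Phase 2: Quick Mode 192.0.2.10 198.51.100.20 IKE
07/11/2008 08:41:21 Phase 1 IKE SA process done 198.51.100.20 192.0.2.10 IKE
07/11/2008 08:41:19 Recv Aggressive Mode request from [192.0.2.10]
192.0.2.10 198.51.100.20 IKE
"""

STAMP = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"^(\S+ \S+) (.*) (\S+) (\S+) IKE$")
COOKIES = re.compile(r"The cookie pair is : (0x[0-9A-Fa-f]+) / (0x[0-9A-Fa-f]+)")

def parse(text):
    """Rejoin wrapped lines and return the entries oldest-first."""
    joined = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if STAMP.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line  # continuation of a wrapped entry
    hits = (ENTRY.match(raw) for raw in joined)
    entries = [dict(zip(("time", "msg", "src", "dst"), m.groups())) for m in hits if m]
    return entries[::-1]  # the device lists the newest entry first

def summarize(entries):
    """Report which IKE milestones appear and whether they are in order."""
    msgs = [e["msg"] for e in entries]
    def first(needle):
        return next((i for i, m in enumerate(msgs) if needle in m), None)
    steps = {"phase1_done": first("Phase 1 IKE SA process done"),
             "phase2_start": first("Start Phase 2"),
             "tunnel_built": first("Tunnel built successfully")}
    seen = [i for i in steps.values() if i is not None]
    return {"aggressive_mode": first("Aggressive Mode") is not None,
            "complete": len(seen) == 3 and seen == sorted(seen),
            "missing": [k for k, i in steps.items() if i is None],
            "cookie_pairs": {c.groups() for c in map(COOKIES.search, msgs) if c}}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```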