errors in my ipsec configuration

Zdenek Kaminski sutr at valasske-laboratore.cz
Tuesday March 18 08:17:41 CET 2008


Hello,

  I am trying to get IPsec working in a Network-Network configuration on RHEL5 against a
Checkpoint Firewall.

  The negotiation phase is already failing; could you please kick me in the right
direction?

/var/log/messages:
Mar 18 09:33:03 proxy kernel: NET: Registered protocol family 15
Mar 18 09:33:04 proxy racoon: ERROR: racoon: MLS support is not enabled.
Mar 18 09:33:04 proxy racoon: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
Mar 18 09:33:04 proxy racoon: INFO: @(#)This product linked OpenSSL 0.9.8b 04 May 2006 (http://www.openssl.org/)
Mar 18 09:33:04 proxy racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Mar 18 09:33:04 proxy racoon: INFO: 127.0.0.1[500] used for NAT-T
Mar 18 09:33:04 proxy racoon: INFO: 90.183.41.194[500] used as isakmp port (fd=9)
Mar 18 09:33:04 proxy racoon: INFO: 90.183.41.194[500] used for NAT-T
Mar 18 09:33:04 proxy racoon: INFO: 192.168.1.30[500] used as isakmp port (fd=10)
Mar 18 09:33:04 proxy racoon: INFO: 192.168.1.30[500] used for NAT-T
Mar 18 09:33:14 proxy racoon: INFO: IPsec-SA request for 194.228.231.162 queued due to no phase1 found.
Mar 18 09:33:14 proxy racoon: INFO: initiate new phase 1 negotiation: 90.183.41.194[500]<=>194.228.231.162[500]
Mar 18 09:33:14 proxy racoon: INFO: begin Aggressive mode.
Mar 18 09:33:14 proxy racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 18 09:33:14 proxy racoon: INFO: ISAKMP-SA established 90.183.41.194[500]-194.228.231.162[500] spi:55d9714aaeaa54e2:1323e983db34f7a0
Mar 18 09:33:15 proxy racoon: INFO: initiate new phase 2 negotiation: 90.183.41.194[500]<=>194.228.231.162[500]
Mar 18 09:33:15 proxy racoon: ERROR: unknown notify message, no phase2 handle found.
Mar 18 09:33:45 proxy racoon: INFO: IPsec-SA expired: AH/Tunnel 194.228.231.162[0]->90.183.41.194[0] spi=163819046(0x9c3ae26)
Mar 18 09:33:45 proxy racoon: WARNING: the expire message is received but the handler has not been established.
Mar 18 09:33:45 proxy racoon: ERROR: 194.228.231.162 give up to get IPsec-SA due to time up to wait.
Mar 18 09:33:45 proxy racoon: INFO: IPsec-SA expired: ESP/Tunnel 194.228.231.162[0]->90.183.41.194[0] spi=163582615(0x9c01297)
Mar 18 09:34:07 proxy racoon: INFO: initiate new phase 2 negotiation: 90.183.41.194[500]<=>194.228.231.162[500]
Mar 18 09:34:07 proxy racoon: ERROR: unknown notify message, no phase2 handle found.
Mar 18 09:34:37 proxy racoon: INFO: IPsec-SA expired: AH/Tunnel 194.228.231.162[0]->90.183.41.194[0] spi=164533252(0x9ce9404)
Mar 18 09:34:37 proxy racoon: WARNING: the expire message is received but the handler has not been established.
Mar 18 09:34:37 proxy racoon: ERROR: 194.228.231.162 give up to get IPsec-SA due to time up to wait.
Mar 18 09:34:37 proxy racoon: INFO: IPsec-SA expired: ESP/Tunnel 194.228.231.162[0]->90.183.41.194[0] spi=110409714


tcpdump -i eth0 -n host 194.228.231.162:
09:33:14.679078 IP 90.183.41.194.isakmp > 194.228.231.162.isakmp: isakmp: phase 1 I agg
09:33:14.721774 IP 194.228.231.162.isakmp > 90.183.41.194.isakmp: isakmp: phase 1 R agg
09:33:14.734211 IP 90.183.41.194.isakmp > 194.228.231.162.isakmp: isakmp: phase 1 I agg
09:33:14.734451 IP 90.183.41.194.isakmp > 194.228.231.162.isakmp: isakmp: phase 2/others I inf[E]
09:33:15.746369 IP 90.183.41.194.isakmp > 194.228.231.162.isakmp: isakmp: phase 2/others I oakley-quick[E]
09:33:15.767936 IP 194.228.231.162.isakmp > 90.183.41.194.isakmp: isakmp: phase 2/others R inf[E]
09:33:25.765567 IP 90.183.41.194.isakmp > 194.228.231.162.isakmp: isakmp: phase 2/others I oakley-quick[E]
09:33:35.763134 IP 90.183.41.194.isakmp > 194.228.231.162.isakmp: isakmp: phase 2/others I oakley-quick[E]
09:34:07.930939 IP 90.183.41.194.isakmp > 194.228.231.162.isakmp: isakmp: phase 2/others I oakley-quick[E]


On my end NO firewall is running, and forwarding in
/proc/sys/.../ip_forward is enabled (1)


----------
I received the parameters of the other end:
1. address for establishing the tunnel: 194.228.231.162
2. internal LAN address 172.17.0.0/16
3. PSK:   <prideleny_tajny_klic>

I was further told:
encryption method: 3DES + preferably SHA1 (or MD5), for both phase 1 and phase 2.
Pre-Shared secret key: <prideleny_tajny_klic>
DH group for IKE: Group2 (1024 bit)
aggressive mode support: enabled

other parameters, such as the time intervals for IKE phase renegotiation,
are left at the default 1440min/3600s
------------

I followed
http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/en-US/RHEL510/Deployment_Guide/s2-ipsec-net2net-cfg.html

so in /etc/sysconfig/network-scripts/ifcfg-ipsec0 I have:
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
SRC=90.183.41.194
SRCGW=192.168.1.30
SRCNET=192.168.1.0/24

#DSTGW= - I did not receive this parameter
DST=194.228.231.162
DSTNET=172.17.0.0/16

in /etc/sysconfig/network-scripts/keys-ipsec0:
IKE_PSK=<prideleny_tajny_klic>


in /etc/racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
         pfs_group 2;
         lifetime time 1 hour ;
         encryption_algorithm 3des, blowfish 448, rijndael ;
         authentication_algorithm hmac_sha1, hmac_md5 ;
         compression_algorithm deflate ;
}
include "/etc/racoon/194.228.231.162.conf";

in /etc/racoon/194.228.231.162.conf:
remote 194.228.231.162
{
         exchange_mode aggressive, main;
         my_identifier address;
         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm sha1;
                 authentication_method pre_shared_key;
                 dh_group 2 ;
         }
}

and finally in /etc/racoon/psk.txt:
194.228.231.162 <prideleny_tajny_klic>



It seems to me that everything is correct. Can you please advise me?

Z.K.
--
Wallachian Laboratories? Freeride in UN*X systems...
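Added example (not part of the original post, and not ipsec-tools code): a small Python parser that walks racoon's syslog lines, tracks per peer whether phase 1 completed and whether a phase 2 handle was ever obtained, and emits one finding per peer. The sample lines are a constructed excerpt modelled on the /var/log/messages output above (peer address and SPIs copied from the post); the message patterns it matches (`ISAKMP-SA established`, `no phase2 handle found`, `give up to get IPsec-SA`, the unestablished-handler warning) are the ones racoon printed there, and the finding names are assumptions of this example. Run over a real log it separates a tunnel in the state shown above (phase 1 up, phase 2 never established) from a peer that never authenticates at all, which is what a VPN monitoring check wants to alert on.

```python
"""Summarise racoon (ipsec-tools) IKE negotiation state per peer from syslog lines.

Added example; not part of the original post. Finding names are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the racoon lines in the post
# (peer address and SPIs copied from the post).
SAMPLE_LOG = """\
Mar 18 09:33:14 proxy racoon: INFO: IPsec-SA request for 194.228.231.162 queued due to no phase1 found.
Mar 18 09:33:14 proxy racoon: INFO: initiate new phase 1 negotiation: 90.183.41.194[500]<=>194.228.231.162[500]
Mar 18 09:33:14 proxy racoon: INFO: begin Aggressive mode.
Mar 18 09:33:14 proxy racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 18 09:33:14 proxy racoon: INFO: ISAKMP-SA established 90.183.41.194[500]-194.228.231.162[500] spi:55d9714aaeaa54e2:1323e983db34f7a0
Mar 18 09:33:15 proxy racoon: INFO: initiate new phase 2 negotiation: 90.183.41.194[500]<=>194.228.231.162[500]
Mar 18 09:33:15 proxy racoon: ERROR: unknown notify message, no phase2 handle found.
Mar 18 09:33:45 proxy racoon: WARNING: the expire message is received but the handler has not been established.
Mar 18 09:33:45 proxy racoon: ERROR: 194.228.231.162 give up to get IPsec-SA due to time up to wait.
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER_RE = re.compile(rf"({IPV4})\[\d+\]<=>({IPV4})\[\d+\]")          # local<=>peer
EST_RE = re.compile(rf"ISAKMP-SA established {IPV4}\[\d+\]-({IPV4})\[\d+\]")
GIVEUP_RE = re.compile(rf"^({IPV4}) give up to get IPsec-SA")


@dataclass
class PeerState:
    phase1_mode: Optional[str] = None      # "aggressive" / "main" as racoon logs it
    phase1_established: bool = False       # ISAKMP-SA seen
    phase2_attempts: int = 0               # "initiate new phase 2 negotiation" lines
    phase2_errors: List[str] = field(default_factory=list)
    unestablished_expiries: int = 0        # expire received with no handler
    gave_up: bool = False                  # racoon stopped waiting for the IPsec-SA


def parse_racoon_log(text: str) -> Dict[str, PeerState]:
    """Walk the log once; lines without an address are attributed to the last peer seen."""
    states: Dict[str, PeerState] = defaultdict(PeerState)
    current: Optional[str] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        pm, em, gm = PEER_RE.search(msg), EST_RE.search(msg), GIVEUP_RE.match(msg)
        if pm and "phase 1 negotiation" in msg:
            current = pm.group(2)
            states[current]  # make sure the peer is tracked even if nothing else follows
        elif pm and "phase 2 negotiation" in msg:
            current = pm.group(2)
            states[current].phase2_attempts += 1
        elif em:
            current = em.group(1)
            states[current].phase1_established = True
        elif gm:
            states[gm.group(1)].gave_up = True
        elif current is None:
            continue
        elif msg.startswith("begin ") and msg.endswith(" mode."):
            states[current].phase1_mode = msg[len("begin "):-len(" mode.")].lower()
        elif level == "ERROR" and "phase2" in msg:
            states[current].phase2_errors.append(msg)
        elif level == "WARNING" and "handler has not been established" in msg:
            states[current].unestablished_expiries += 1
    return dict(states)


def diagnose(states: Dict[str, PeerState]) -> Dict[str, str]:
    """Map each peer to a coarse finding (names are this example's own)."""
    findings = {}
    for peer, s in states.items():
        if not s.phase1_established:
            findings[peer] = "PHASE1_FAILED"
        elif s.phase2_attempts == 0:
            findings[peer] = "PHASE1_ONLY"
        elif s.phase2_errors or s.gave_up:
            findings[peer] = "PHASE2_FAILED"
        else:
            findings[peer] = "PHASE2_IN_PROGRESS"
    return findings


if __name__ == "__main__":
    parsed = parse_racoon_log(SAMPLE_LOG)
    for peer, finding in diagnose(parsed).items():
        print(peer, finding, parsed[peer])
```

For the constructed sample the peer 194.228.231.162 comes out as PHASE2_FAILED with phase 1 in aggressive mode, one phase 2 attempt, one phase 2 error and one expiry with no handler, which is exactly the shape of the log in the post; a PSK or proposal mismatch in phase 1 would instead show as PHASE1_FAILED, so the two failure classes can be alerted on separately.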


