errors in my ipsec configuration

Pavel Just Pavel.Just at simac.cz
Tuesday March 18 08:50:14 CET 2008


Hello.

 I think the problem is psk.txt. See the message:

Mar 18 09:33:14 proxy racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.

Check the access permissions; I also had a problem where a preceding record 
in the file was wrong and it stopped on it.
For completeness, the permissions should be 600 and there should be a tab between the address and the key.

Pavel

Zdenek Kaminski wrote:
> Good day,
>
>   I am trying to get IPsec working in a Network-to-Network configuration on RHEL5 against
> a Checkpoint firewall.
>
>   The negotiation phase is already failing; could you please nudge me in the right
> direction?
>
> /var/log/messages:
> Mar 18 09:33:03 proxy kernel: NET: Registered protocol family 15
> Mar 18 09:33:04 proxy racoon: ERROR: racoon: MLS support is not enabled.
> Mar 18 09:33:04 proxy racoon: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
> Mar 18 09:33:04 proxy racoon: INFO: @(#)This product linked OpenSSL 0.9.8b 04 May 2006 (http://www.openssl.org/)
> Mar 18 09:33:04 proxy racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
> Mar 18 09:33:04 proxy racoon: INFO: 127.0.0.1[500] used for NAT-T
> Mar 18 09:33:04 proxy racoon: INFO: 90.183.41.194[500] used as isakmp port (fd=9)
> Mar 18 09:33:04 proxy racoon: INFO: 90.183.41.194[500] used for NAT-T
> Mar 18 09:33:04 proxy racoon: INFO: 192.168.1.30[500] used as isakmp port (fd=10)
> Mar 18 09:33:04 proxy racoon: INFO: 192.168.1.30[500] used for NAT-T
> Mar 18 09:33:14 proxy racoon: INFO: IPsec-SA request for 194.228.231.162 queued due to no phase1 found.
> Mar 18 09:33:14 proxy racoon: INFO: initiate new phase 1 negotiation: 90.183.41.194[500]<=>194.228.231.162[500]
> Mar 18 09:33:14 proxy racoon: INFO: begin Aggressive mode.
> Mar 18 09:33:14 proxy racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
> Mar 18 09:33:14 proxy racoon: INFO: ISAKMP-SA established 90.183.41.194[500]-194.228.231.162[500] spi:55d9714aaeaa54e2:1323e983db34f7a0
> Mar 18 09:33:15 proxy racoon: INFO: initiate new phase 2 negotiation: 90.183.41.194[500]<=>194.228.231.162[500]
> Mar 18 09:33:15 proxy racoon: ERROR: unknown notify message, no phase2 handle found.
> Mar 18 09:33:45 proxy racoon: INFO: IPsec-SA expired: AH/Tunnel 194.228.231.162[0]->90.183.41.194[0] spi=163819046(0x9c3ae26)
> Mar 18 09:33:45 proxy racoon: WARNING: the expire message is received but the handler has not been established.
> Mar 18 09:33:45 proxy racoon: ERROR: 194.228.231.162 give up to get IPsec-SA due to time up to wait.
> Mar 18 09:33:45 proxy racoon: INFO: IPsec-SA expired: ESP/Tunnel 194.228.231.162[0]->90.183.41.194[0] spi=163582615(0x9c01297)
> Mar 18 09:34:07 proxy racoon: INFO: initiate new phase 2 negotiation: 90.183.41.194[500]<=>194.228.231.162[500]
> Mar 18 09:34:07 proxy racoon: ERROR: unknown notify message, no phase2 handle found.
> Mar 18 09:34:37 proxy racoon: INFO: IPsec-SA expired: AH/Tunnel 194.228.231.162[0]->90.183.41.194[0] spi=164533252(0x9ce9404)
> Mar 18 09:34:37 proxy racoon: WARNING: the expire message is received but the handler has not been established.
> Mar 18 09:34:37 proxy racoon: ERROR: 194.228.231.162 give up to get IPsec-SA due to time up to wait.
> Mar 18 09:34:37 proxy racoon: INFO: IPsec-SA expired: ESP/Tunnel 194.228.231.162[0]->90.183.41.194[0] spi=110409714
>
>
> tcpdump -i eth0 -n host 194.228.231.162:
> 09:33:14.679078 IP 90.183.41.194.isakmp > 194.228.231.162.isakmp: isakmp: phase 1 I agg
> 09:33:14.721774 IP 194.228.231.162.isakmp > 90.183.41.194.isakmp: isakmp: phase 1 R agg
> 09:33:14.734211 IP 90.183.41.194.isakmp > 194.228.231.162.isakmp: isakmp: phase 1 I agg
> 09:33:14.734451 IP 90.183.41.194.isakmp > 194.228.231.162.isakmp: isakmp: phase 2/others I inf[E]
> 09:33:15.746369 IP 90.183.41.194.isakmp > 194.228.231.162.isakmp: isakmp: phase 2/others I oakley-quick[E]
> 09:33:15.767936 IP 194.228.231.162.isakmp > 90.183.41.194.isakmp: isakmp: phase 2/others R inf[E]
> 09:33:25.765567 IP 90.183.41.194.isakmp > 194.228.231.162.isakmp: isakmp: phase 2/others I oakley-quick[E]
> 09:33:35.763134 IP 90.183.41.194.isakmp > 194.228.231.162.isakmp: isakmp: phase 2/others I oakley-quick[E]
> 09:34:07.930939 IP 90.183.41.194.isakmp > 194.228.231.162.isakmp: isakmp: phase 2/others I oakley-quick[E]
>
>
> There is NO firewall running on my end, and forwarding in
> /proc/sys/.../ip_forward is enabled (1)
>
>
> ----------
> I received the parameters of the other end:
> 1. address for establishing the tunnel: 194.228.231.162
> 2. internal LAN address 172.17.0.0/16
> 3. PSK:   <prideleny_tajny_klic>
>
> I was also told:
> encryption method: 3DES + preferably SHA1 (or MD5) for both phase 1 and phase 2.
> Pre-Shared secr.key : <prideleny_tajny_klic>
> DH groups for IKE : Group2 (1024 bit)
> aggressive mode support : enabled
>
> the other parameters, such as the time intervals for Renegotiate IKE
> phase, were left at the default 1440min/3600s
> ------------
>
> I followed
> http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/en-US/RHEL510/Deployment_Guide/s2-ipsec-net2net-cfg.html
>
> so in /etc/sysconfig/network-scripts/ifcfg-ipsec0 I have:
> TYPE=IPSEC
> ONBOOT=no
> IKE_METHOD=PSK
> SRC=90.183.41.194
> SRCGW=192.168.1.30
> SRCNET=192.168.1.0/24
>
> #DSTGW= - I did not receive this parameter
> DST=194.228.231.162
> DSTNET=172.17.0.0/16
>
> in /etc/sysconfig/network-scripts/keys-ipsec0:
> IKE_PSK=<prideleny_tajny_klic>
>
>
> in /etc/racoon.conf:
> path include "/etc/racoon";
> path pre_shared_key "/etc/racoon/psk.txt";
> path certificate "/etc/racoon/certs";
>
> sainfo anonymous
> {
>          pfs_group 2;
>          lifetime time 1 hour ;
>          encryption_algorithm 3des, blowfish 448, rijndael ;
>          authentication_algorithm hmac_sha1, hmac_md5 ;
>          compression_algorithm deflate ;
> }
> include "/etc/racoon/194.228.231.162.conf";
>
> in /etc/racoon/194.228.231.162.conf:
> remote 194.228.231.162
> {
>          exchange_mode aggressive, main;
>          my_identifier address;
>          proposal {
>                  encryption_algorithm 3des;
>                  hash_algorithm sha1;
>                  authentication_method pre_shared_key;
>                  dh_group 2 ;
>          }
> }
>
> and finally in /etc/racoon/psk.txt:
> 194.228.231.162 <prideleny_tajny_klic>
>
>
>
> It seems to me that everything is correct. Can you please advise me?
>
> Z.K.
> --
> Wallachian Laboratories? Freeride in UN*X systems...
> _______________________________________________
> Linux mailing list
> Linux at linux.cz
> http://www.linux.cz/mailman/listinfo/linux


-- 
This message contains no viruses, because I do not use MS Windows.
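The three things Pavel's reply asks the original poster to check (mode 600 on psk.txt, a TAB rather than spaces between identifier and key, and no broken record earlier in the file) can be verified before racoon is started. The script below is an added example, not code from either poster or from ipsec-tools; the psk.txt path and the peer address are passed on the command line and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the original thread: pre-flight check of a racoon
# psk.txt for the problems described in the reply above. Assumes GNU stat.
#   usage: check_psk_txt /etc/racoon/psk.txt 194.228.231.162

check_psk_txt() {
    file=$1
    peer=$2
    status=0
    tab=$(printf '\t')

    # racoon wants the key file unreadable by others: mode 600.
    mode=$(stat -c '%a' "$file" 2>/dev/null) || { echo "cannot stat $file"; return 1; }
    if [ "$mode" != "600" ]; then
        echo "BAD MODE: $file is $mode, expected 600"
        status=1
    fi

    # Check every record, not just the peer's: a malformed line earlier in
    # the file stops racoon before it reaches the wanted key.
    found=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;            # blank lines and comments are allowed
            *"$tab"*) ;;                    # identifier<TAB>key: well formed
            *)  echo "line $n: identifier and key must be separated by a TAB, not spaces"
                status=1
                continue ;;
        esac
        id=${line%%"$tab"*}                 # text before the first TAB
        if [ "$id" = "$peer" ]; then found=1; fi
    done < "$file"

    if [ "$found" -ne 1 ]; then
        echo "no record for peer $peer in $file"
        status=1
    fi
    return $status
}

# Run the check when called with <file> <peer>; exit status 0 means all checks passed.
if [ $# -eq 2 ]; then
    check_psk_txt "$1" "$2"
fi
```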



