Good day. Here is the setup: two machines (for the experiment I used external IP addresses from the same block). The first (beta) is 82.140.78.114, the second (delta) is 82.140.78.116.

Local network on the left: 192.168.1.0/24, local network on the right: 192.168.4.0/24. I created certificates and exchanged the *.public files between the gateways.

I configured the ipsec-tools.conf file on beta:

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 82.140.78.114/29 82.140.78.116/29 ipencap -P out ipsec esp/tunnel/82.140.78.114-82.140.78.116/require;
spdadd 82.140.78.116/29 82.140.78.114/29 ipencap -P in ipsec esp/tunnel/82.140.78.116-82.140.78.114/require;

I configured the ipsec-tools.conf file on delta:

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 82.140.78.116/29 82.140.78.114/29 ipencap -P out ipsec esp/tunnel/82.140.78.116-82.140.78.114/require;
spdadd 82.140.78.114/29 82.140.78.116/29 ipencap -P in ipsec esp/tunnel/82.140.78.114-82.140.78.116/require;

/etc/racoon/racoon.conf on beta:

path include "/etc/racoon";
path certificate "/etc/racoon/certs";
log debug2;
padding {
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}
listen {
    isakmp 82.140.78.114 [500];
}
timer {
    counter 5;
    interval 20 sec;
    persend 1;
    phase1 30 sec;
    phase2 15 sec;
}
remote 82.140.78.116 {
    exchange_mode aggressive,main;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "beta.auto.local.public" "beta.auto.local.private";
    peers_certfile x509 "delta.auto.local.public";
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}
sainfo anonymous {
    pfs_group 5;
    lifetime time 60 min;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

/etc/racoon/racoon.conf on delta:

path include "/etc/racoon";
path certificate "/etc/racoon/certs";
log debug2;
padding {
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}
listen {
    isakmp 82.140.78.116 [500];
}
timer {
    counter 5;
    interval 20 sec;
    persend 1;
    phase1 30 sec;
    phase2 15 sec;
}
remote 82.140.78.114 {
    exchange_mode aggressive,main;
    certificate_type x509 "delta.auto.local.public" "delta.auto.local.private";
    peers_certfile x509 "beta.auto.local.public";
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}
sainfo anonymous {
    pfs_group 5;
    lifetime time 60 min;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

After racoon starts, it writes the following to /var/log/daemon.log:

Feb 6 11:15:55 beta racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
Feb 6 11:15:55 beta racoon: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
Feb 6 11:15:55 beta racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Feb 6 11:15:55 beta racoon: INFO: Resize address pool from 0 to 255
Feb 6 11:15:55 beta racoon: DEBUG2: lifetime = 28800
Feb 6 11:15:55 beta racoon: DEBUG2: lifebyte = 0
Feb 6 11:15:55 beta racoon: DEBUG2: encklen=0
Feb 6 11:15:55 beta racoon: DEBUG2: p:1 t:1
Feb 6 11:15:55 beta racoon: DEBUG2: 3DES-CBC(5)
Feb 6 11:15:55 beta racoon: DEBUG2: SHA(2)
Feb 6 11:15:55 beta racoon: DEBUG2: 1024-bit MODP group(2)
Feb 6 11:15:55 beta racoon: DEBUG2: RSA signatures(3)
Feb 6 11:15:55 beta racoon: DEBUG2:
Feb 6 11:15:55 beta racoon: DEBUG: hmac(modp1024)
Feb 6 11:15:55 beta racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
Feb 6 11:15:55 beta racoon: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
Feb 6 11:15:55 beta racoon: DEBUG: getsainfo pass #2
Feb 6 11:15:55 beta racoon: DEBUG2: parse successed.
Feb 6 11:15:55 beta racoon: DEBUG: open /var/run/racoon/racoon.sock as racoon management.
Feb 6 11:15:55 beta racoon: INFO: 82.140.78.114[500] used as isakmp port (fd=7)
Feb 6 11:15:55 beta racoon: INFO: 82.140.78.114[500] used for NAT-T
Feb 6 11:15:55 beta racoon: DEBUG: pk_recv: retry[0] recv()
Feb 6 11:15:55 beta racoon: DEBUG: get pfkey X_SPDDUMP message
Feb 6 11:15:55 beta racoon: DEBUG2:
02120000 1c000100 01000000 6a0f0000 03000500 041d0000 02000000 528c4e74
00000000 00000000 03000600 041d0000 02000000 528c4e72 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 23216d4b 00000000 00000000 00000000
08001200 02000300 1a1a0000 00000000 30003200 02020000 00000000 00000000
02000000 528c4e74 00000000 00000000 02000000 528c4e72 00000000 00000000
Feb 6 11:15:55 beta racoon: DEBUG: pk_recv: retry[0] recv()
Feb 6 11:15:55 beta racoon: DEBUG: get pfkey X_SPDDUMP message
Feb 6 11:15:55 beta racoon: DEBUG2:
02120000 1c000100 02000000 6a0f0000 03000500 041d0000 02000000 528c4e74
00000000 00000000 03000600 041d0000 02000000 528c4e72 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 23216d4b 00000000 00000000 00000000
08001200 02000100 101a0000 00000000 30003200 02020000 00000000 00000000
02000000 528c4e74 00000000 00000000 02000000 528c4e72 00000000 00000000
Feb 6 11:15:55 beta racoon: DEBUG: sub:0xff946228: 82.140.78.116/29[0] 82.140.78.114/29[0] proto=4 dir=in
Feb 6 11:15:55 beta racoon: DEBUG: db :0x83d7880: 82.140.78.116/29[0] 82.140.78.114/29[0] proto=4 dir=fwd
Feb 6 11:15:55 beta racoon: DEBUG: pk_recv: retry[0] recv()
Feb 6 11:15:55 beta racoon: DEBUG: get pfkey X_SPDDUMP message
Feb 6 11:15:55 beta racoon: DEBUG2:
02120000 1c000100 00000000 6a0f0000 03000500 041d0000 02000000 528c4e72
00000000 00000000 03000600 041d0000 02000000 528c4e74 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 23216d4b 00000000 00000000 00000000
08001200 02000200 091a0000 00000000 30003200 02020000 00000000 00000000
02000000 528c4e72 00000000 00000000 02000000 528c4e74 00000000 00000000
Feb 6 11:15:55 beta racoon: DEBUG: sub:0xff946228: 82.140.78.114/29[0] 82.140.78.116/29[0] proto=4 dir=out
Feb 6 11:15:55 beta racoon: DEBUG: db :0x83d7880: 82.140.78.116/29[0] 82.140.78.114/29[0] proto=4 dir=fwd
Feb 6 11:15:55 beta racoon: DEBUG: sub:0xff946228: 82.140.78.114/29[0] 82.140.78.116/29[0] proto=4 dir=out
Feb 6 11:15:55 beta racoon: DEBUG: db :0x83d7ac8: 82.140.78.116/29[0] 82.140.78.114/29[0] proto=4 dir=in

On the second machine the output is roughly identical. The firewall is off. tcpdump -p esp shows nothing. What's wrong?
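As an added check, not part of the original message or of ipsec-tools, the script below parses the spdadd lines posted for beta and reports which flows they cover: these policies select only IP-in-IP (protocol 4) traffic between addresses in 82.140.78.112/29, so a packet from 192.168.1.0/24 to 192.168.4.0/24 matches no policy, is forwarded in clear, and never triggers an IKE negotiation, which is consistent with tcpdump seeing no ESP. The sample flows and the protocol table are constructed here for the example.

```python
import ipaddress
import re

# Constructed sample: the two spdadd lines from the beta side of the post,
# as they appear in ipsec-tools.conf after "flush; spdflush;".
SPD_BETA = """
spdadd 82.140.78.114/29 82.140.78.116/29 ipencap -P out ipsec esp/tunnel/82.140.78.114-82.140.78.116/require;
spdadd 82.140.78.116/29 82.140.78.114/29 ipencap -P in ipsec esp/tunnel/82.140.78.116-82.140.78.114/require;
"""

# Upper-layer protocol keywords of setkey(8) relevant here; "any" is a wildcard.
PROTO_NUMBERS = {"any": None, "ipencap": 4, "tcp": 6, "udp": 17, "icmp": 1}

SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+ipsec\s+"
    r"(\w+)/tunnel/(\S+?)-(\S+?)/(\w+)\s*;"
)

def parse_spd(text):
    """Parse spdadd entries; a /29 host address is normalised to its network, as the kernel stores it."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        src, dst, proto, direction, ipsec_proto, tsrc, tdst, level = m.groups()
        policies.append({
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "proto": PROTO_NUMBERS[proto],
            "dir": direction, "ipsec": ipsec_proto,
            "tunnel": (tsrc, tdst), "level": level,
        })
    return policies

def match_policy(policies, src_ip, dst_ip, proto_num, direction):
    """Return the first policy covering this flow, or None: no policy means no IKE and cleartext forwarding."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if (p["dir"] == direction and p["proto"] in (None, proto_num)
                and s in p["src"] and d in p["dst"]):
            return p
    return None

if __name__ == "__main__":
    pol = parse_spd(SPD_BETA)
    # IP-in-IP (proto 4) between the gateway addresses: covered by the "out" policy.
    print(match_policy(pol, "82.140.78.114", "82.140.78.116", 4, "out") is not None)
    # A host in 192.168.1.0/24 talking TCP to 192.168.4.0/24: outside 82.140.78.112/29, no policy.
    print(match_policy(pol, "192.168.1.10", "192.168.4.10", 6, "out") is not None)
```

Run the same check against the delta lines by pasting them into SPD_BETA; the policy set there mirrors beta's with the directions swapped.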