On 9 August 2012 15:37, Saul Figueiredo <[email protected]> wrote:

> On 9 August 2012 12:13, Saul Figueiredo <[email protected]> wrote:
>
>> On 9 August 2012 10:59, Saul Figueiredo <[email protected]> wrote:
>>
>>> On 8 August 2012 14:47, Saul Figueiredo <[email protected]> wrote:
>>>
>>>> Good afternoon.
>>>>
>>>> I'm trying to bring up an IPsec VPN between a router and a FreeBSD 8.2 box.
>>>> I've already tried strongSwan and racoon, but it doesn't work at all with
>>>> either of them.
>>>>
>>>> Doubting that it was the configuration, I took the strongSwan conf and put
>>>> it on a CentOS [Linux] server that has Openswan installed, only taking care
>>>> to change the external IPs and the network range. RESULT: it worked on
>>>> Openswan. The VPN came up and I could ping from both ends.
>>>>
>>>> To use strongSwan and racoon I had to compile the kernel with these options:
>>>> options IPSEC
>>>> options IPSEC_DEBUG
>>>> options IPSEC_NAT_T
>>>> options IPSEC_FILTERTUNNEL
>>>> #options IPSEC_ESP
>>>>
>>>> With the same router and the same conf it works on Linux. What could be
>>>> wrong?
>>>> Thanks!!!
>>>>
>>>> --
>>>> "One should always learn, even from an enemy."
>>>> (Isaac Newton)
>>>>
>>>> Regards,
>>>> Saul Figueiredo
>>>> FreeBSD/Linux Analyst
>>>> Linux Professional Institute Certification Level 2
>>>> [email protected]
>>>> <[email protected]>
>>>
>>> When the client router tries to connect to my racoon server it gives this
>>> error:
>>>
>>> 2012-08-08 17:02:23: ERROR: no suitable proposal found.
>>> 2012-08-08 17:02:23: [177.xx8.1xx.173] ERROR: failed to get valid proposal.
>>> 2012-08-08 17:02:23: [177.xx8.1xx.173] ERROR: failed to pre-process ph1 packet (side: 1, status 1).
>>> 2012-08-08 17:02:23: [177.xx8.1xx.173] ERROR: phase1 negotiation failed.
>>>
>>> Really racking my brains over this one...
>>
>> New error now:
>> ERROR: exchange Identity Protection not allowed in any applicable rmconf
>
> Now the tunnel came up, but the networks don't talk to each other :(
>
> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb4), length 92
> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb5), length 92
> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb6), length 92
> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb7), length 92
> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb8), length 92
> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb9), length 92
> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xba), length 92
> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbb), length 92
> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbc), length 92
> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbd), length 92
>
> and in ipfw the policy is allow

In the racoon log:

2012-08-09 15:56:29: DEBUG: suitable outbound SP found: 192.168.1.0/24[0] 192.168.70.0/24[0] proto=any dir=out.
2012-08-09 15:56:29: DEBUG: sub:0xbfbfe594: 192.168.70.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2012-08-09 15:56:29: DEBUG: db :0x28547148: 192.168.70.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2012-08-09 15:56:29: DEBUG: suitable inbound SP found: 192.168.70.0/24[0] 192.168.1.0/24[0] proto=any dir=in.
2012-08-09 15:56:29: DEBUG: new acquire 192.168.1.0/24[0] 192.168.70.0/24[0]proto=any dir=out
2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG2: Checking remote conf "anonymous" anonymous.
2012-08-09 15:56:29: DEBUG2: enumrmconf: "anonymous" matches.
2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG: configuration "anonymous" selected.
2012-08-09 15:56:29: DEBUG: getsainfo params: loc='192.168.1.0/24' rmt='192.168.70.0/24' peer='NULL' client='NULL' id=0
2012-08-09 15:56:29: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2012-08-09 15:56:29: DEBUG: check and compare ids : values matched (ANONYMOUS)
2012-08-09 15:56:29: DEBUG: check and compare ids : values matched (ANONYMOUS)
2012-08-09 15:56:29: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2012-08-09 15:56:29: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2012-08-09 15:56:29: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
2012-08-09 15:56:29: DEBUG: in post_acquire
2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG2: Checking remote conf "anonymous" anonymous.
2012-08-09 15:56:29: DEBUG2: enumrmconf: "anonymous" matches.
2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG: configuration "anonymous" selected.
2012-08-09 15:56:29: DEBUG2: getph1: start
2012-08-09 15:56:29: DEBUG2: local: 187.xxx.xxx.30[500]
2012-08-09 15:56:29: DEBUG2: remote: 187.xxx.xxx.44[500]
2012-08-09 15:56:29: DEBUG2: no match
2012-08-09 15:56:29: INFO: IPsec-SA request for 187.xxx.xxx.44 queued due to no phase1 found.
2012-08-09 15:56:29: DEBUG: ===
2012-08-09 15:56:29: INFO: initiate new phase 1 negotiation: 187.xxx.xxx.30[500]<=>187.xxx.xxx.44[500]
2012-08-09 15:56:29: INFO: begin Identity Protection mode.
2012-08-09 15:56:29: DEBUG: new cookie: 5d18382ba03058d4
2012-08-09 15:56:29: DEBUG: add payload of len 52, next type 13
2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 0
2012-08-09 15:56:29: ERROR: phase1 negotiation failed due to send error. 5d18382ba03058d4:0000000000000000
2012-08-09 15:56:29: ERROR: failed to begin ipsec sa negotication.
2012-08-09 15:56:29: DEBUG: got pfkey ACQUIRE message
2012-08-09 15:56:29: DEBUG: suitable outbound SP found: 192.168.1.0/24[0] 192.168.70.0/24[0] proto=any dir=out.
2012-08-09 15:56:29: DEBUG: ignore the acquire because ph2 found
2012-08-09 15:56:37: DEBUG: ===
2012-08-09 15:56:37: DEBUG: 92 bytes message received from 187.xxx.xxx.44[500] to 187.xxx.xxx.30[500]

This phase 1 error happens, but the VPN comes up... strange...

-------------------------
Archive: http://www.fug.com.br/historico/html/freebsd/
Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
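As an added example (not code from the thread or from racoon), a small Python check for the symptom in the tcpdump output above: IKE (UDP/500) goes both ways, but ESP is only ever seen from one peer. It parses tcpdump lines in the same shape as the quoted capture, using a constructed sample with the thread's masked addresses, and also reports ESP sequence-number gaps per SA.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's tcpdump lines (addresses masked; not a real capture).
SAMPLE = """\
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb4), length 92
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb5), length 92
IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb7), length 92
"""

ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=0x([0-9a-fA-F]+),seq=0x([0-9a-fA-F]+)\)")
IKE_RE = re.compile(r"IP (\S+)\.500 > (\S+)\.500: UDP")  # IKE on UDP/500 (no NAT-T here)


def summarize(capture):
    """Group ESP packets by (src, dst, spi) and count IKE datagrams per direction."""
    esp = defaultdict(list)  # (src, dst, spi) -> ESP sequence numbers seen
    ike = defaultdict(int)   # (src, dst) -> number of UDP/500 datagrams
    for line in capture.splitlines():
        m = ESP_RE.search(line)
        if m:
            src, dst, spi, seq = m.groups()
            esp[(src, dst, int(spi, 16))].append(int(seq, 16))
            continue
        m = IKE_RE.search(line)
        if m:
            ike[m.groups()] += 1
    return esp, ike


def one_way_esp(capture):
    """Directions (src, dst) in which the peers exchange IKE but ESP only flows the other way."""
    esp, ike = summarize(capture)
    esp_dirs = {(s, d) for (s, d, _) in esp}
    return sorted((s, d) for (s, d) in ike if (s, d) not in esp_dirs and (d, s) in esp_dirs)


def seq_gaps(capture):
    """Per SA, the ESP sequence numbers missing between the lowest and highest seen."""
    esp, _ = summarize(capture)
    gaps = {}
    for key, seqs in esp.items():
        seen = set(seqs)
        missing = [n for n in range(min(seen), max(seen) + 1) if n not in seen]
        if missing:
            gaps[key] = missing
    return gaps
```

Feed it the output of `tcpdump -n -i <iface> esp or udp port 500`; on the thread's capture it reports no ESP from .30 to .44, so the FreeBSD side's outbound SPD (`setkey -DP`) and ipfw rules are the first place to compare against the working Openswan host.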

