On 9 August 2012 at 15:58, Saul Figueiredo <[email protected]> wrote:

> On 9 August 2012 at 15:37, Saul Figueiredo <[email protected]> wrote:
>
>> On 9 August 2012 at 12:13, Saul Figueiredo <[email protected]> wrote:
>>
>>> On 9 August 2012 at 10:59, Saul Figueiredo <[email protected]> wrote:
>>>
>>>> On 8 August 2012 at 14:47, Saul Figueiredo <[email protected]> wrote:
>>>>
>>>>> Good afternoon.
>>>>>
>>>>> I am trying to bring up an IPsec VPN between a router and a FreeBSD 8.2 box.
>>>>> I have already tried strongSwan and racoon, but it does not work at all
>>>>> with either of them.
>>>>>
>>>>> Doubting that the configuration was the problem, I took the strongSwan
>>>>> conf and put it on a CentOS [Linux] server that has Openswan installed,
>>>>> only taking care to change the external IPs and the network range.
>>>>> RESULT: it worked on Openswan. The VPN came up and I could ping from
>>>>> both ends.
>>>>>
>>>>> To use strongSwan and racoon I had to build the kernel with these options:
>>>>> options IPSEC
>>>>> options IPSEC_DEBUG
>>>>> options IPSEC_NAT_T
>>>>> options IPSEC_FILTERTUNNEL
>>>>> #options IPSEC_ESP
>>>>>
>>>>> With the same router and the same conf it works on Linux. What could be
>>>>> wrong?
>>>>> Thanks!!!
>>>>>
>>>>> --
>>>>> "One must always learn, even from an enemy."
>>>>> (Isaac Newton)
>>>>>
>>>>> Regards,
>>>>> Saul Figueiredo
>>>>> FreeBSD/Linux Analyst
>>>>> Linux Professional Institute Certification Level 2
>>>>> [email protected]
>>>>
>>>> When the client router tries to connect to my racoon server it gives
>>>> this error:
>>>>
>>>> 2012-08-08 17:02:23: ERROR: no suitable proposal found.
>>>> 2012-08-08 17:02:23: [177.xx8.1xx.173] ERROR: failed to get valid proposal.
>>>> 2012-08-08 17:02:23: [177.xx8.1xx.173] ERROR: failed to pre-process ph1 packet (side: 1, status 1).
>>>> 2012-08-08 17:02:23: [177.xx8.1xx.173] ERROR: phase1 negotiation failed.
>>>>
>>>> Racking my brains over this one...
>>>
>>> New error now:
>>> ERROR: exchange Identity Protection not allowed in any applicable rmconf
>>
>> Now the tunnel came up, but the networks don't communicate :(
>>
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb4), length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb5), length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb6), length 92
>> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
>> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
>> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb7), length 92
>> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb8), length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb9), length 92
>> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
>> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xba), length 92
>> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbb), length 92
>> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbc), length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbd), length 92
>>
>> and in ipfw the policy is allow
>
> In the racoon log:
>
> 2012-08-09 15:56:29: DEBUG: suitable outbound SP found: 192.168.1.0/24[0] 192.168.70.0/24[0] proto=any dir=out.
> 2012-08-09 15:56:29: DEBUG: sub:0xbfbfe594: 192.168.70.0/24[0] 192.168.1.0/24[0] proto=any dir=in
> 2012-08-09 15:56:29: DEBUG: db :0x28547148: 192.168.70.0/24[0] 192.168.1.0/24[0] proto=any dir=in
> 2012-08-09 15:56:29: DEBUG: suitable inbound SP found: 192.168.70.0/24[0] 192.168.1.0/24[0] proto=any dir=in.
> 2012-08-09 15:56:29: DEBUG: new acquire 192.168.1.0/24[0] 192.168.70.0/24[0] proto=any dir=out
> 2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG2: Checking remote conf "anonymous" anonymous.
> 2012-08-09 15:56:29: DEBUG2: enumrmconf: "anonymous" matches.
> 2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG: configuration "anonymous" selected.
> 2012-08-09 15:56:29: DEBUG: getsainfo params: loc='192.168.1.0/24' rmt='192.168.70.0/24' peer='NULL' client='NULL' id=0
> 2012-08-09 15:56:29: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
> 2012-08-09 15:56:29: DEBUG: check and compare ids : values matched (ANONYMOUS)
> 2012-08-09 15:56:29: DEBUG: check and compare ids : values matched (ANONYMOUS)
> 2012-08-09 15:56:29: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
> 2012-08-09 15:56:29: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
> 2012-08-09 15:56:29: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
> 2012-08-09 15:56:29: DEBUG: in post_acquire
> 2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG2: Checking remote conf "anonymous" anonymous.
> 2012-08-09 15:56:29: DEBUG2: enumrmconf: "anonymous" matches.
> 2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG: configuration "anonymous" selected.
> 2012-08-09 15:56:29: DEBUG2: getph1: start
> 2012-08-09 15:56:29: DEBUG2: local: 187.xxx.xxx.30[500]
> 2012-08-09 15:56:29: DEBUG2: remote: 187.xxx.xxx.44[500]
> 2012-08-09 15:56:29: DEBUG2: no match
> 2012-08-09 15:56:29: INFO: IPsec-SA request for 187.xxx.xxx.44 queued due to no phase1 found.
> 2012-08-09 15:56:29: DEBUG: ===
> 2012-08-09 15:56:29: INFO: initiate new phase 1 negotiation: 187.xxx.xxx.30[500]<=>187.xxx.xxx.44[500]
> 2012-08-09 15:56:29: INFO: begin Identity Protection mode.
> 2012-08-09 15:56:29: DEBUG: new cookie:
> 5d18382ba03058d4
> 2012-08-09 15:56:29: DEBUG: add payload of len 52, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 0
> 2012-08-09 15:56:29: ERROR: phase1 negotiation failed due to send error. 5d18382ba03058d4:0000000000000000
> 2012-08-09 15:56:29: ERROR: failed to begin ipsec sa negotication.
> 2012-08-09 15:56:29: DEBUG: got pfkey ACQUIRE message
> 2012-08-09 15:56:29: DEBUG: suitable outbound SP found: 192.168.1.0/24[0] 192.168.70.0/24[0] proto=any dir=out.
> 2012-08-09 15:56:29: DEBUG: ignore the acquire because ph2 found
> 2012-08-09 15:56:37: DEBUG: ===
> 2012-08-09 15:56:37: DEBUG: 92 bytes message received from 187.xxx.xxx.44[500] to 187.xxx.xxx.30[500]
>
> This phase1 error happens, but the VPN comes up... strange...

My confs:

-rw-r--r--  1 root  wheel    18 Aug  8 15:37 ipsec.conf
fw# cat ipsec.conf
flush;
spdflush;
_____________________________________________________

-rwx------  1 root  wheel    25 Aug  9 15:00 psk.txt
fw# cat psk.txt
187.xxx.xxx.44 Pre-Shared

where 187.xxx.xxx.44 is the router's IP
_________________________________________________________

-rw-r--r--  1 root  wheel  1485 Aug  9 14:50 racoon.conf
fw# cat racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug;
#log notify;

listen {
        isakmp 187.32.229.30 [500];
        isakmp_natt 187.32.229.30 [4500];
        adminsock disabled;
}

timer {
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 10 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 300 sec;
        phase2 300 sec;
}

remote anonymous {
        exchange_mode main, aggressive;
        lifetime time 86400 sec;
        #passive off;
        generate_policy on;
        nat_traversal on;
        dpd_delay 20;           # DPD poll every 20 seconds
        ike_frag on;            # use IKE fragmentation
        #esp_frag 552;          # use ESP fragmentation at 552 bytes
        proposal_check strict;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo anonymous {
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

-------------------------
Archive: http://www.fug.com.br/historico/html/freebsd/
Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
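The ipsec.conf shown in the thread only flushes the SAD and SPD, leaving the kernel with no static security policies, and racoon's `generate_policy on` installs policies only when the FreeBSD side is the responder. As an added example (not the poster's file, and not a diagnosis of this thread), this is what explicit setkey(8) tunnel policies for the two subnets in the thread look like; the masked public addresses are kept as placeholders, the tunnel endpoints are assumed to be the two addresses seen in the tcpdump output, and the path /etc/ipsec.conf is an assumption.

```conf
# /etc/ipsec.conf (example only; addresses are the masked placeholders from the thread)
flush;
spdflush;

# Outbound: traffic from the FreeBSD LAN (192.168.1.0/24) to the router's LAN
# (192.168.70.0/24) must leave inside an ESP tunnel from the FreeBSD public
# address to the router's public address. "require" refuses to send it in clear.
spdadd 192.168.1.0/24 192.168.70.0/24 any -P out ipsec
        esp/tunnel/187.xxx.xxx.30-187.xxx.xxx.44/require;

# Inbound: packets for 192.168.1.0/24 claiming to come from 192.168.70.0/24 are
# accepted only if they arrived inside the ESP tunnel from the router.
spdadd 192.168.70.0/24 192.168.1.0/24 any -P in ipsec
        esp/tunnel/187.xxx.xxx.44-187.xxx.xxx.30/require;
```

Load the file with `setkey -f /etc/ipsec.conf` and confirm both entries with `setkey -DP`; with static policies in place the FreeBSD side can initiate phase 2 on its own rather than depending on policies generated from the router's proposal.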

