lonely wolf wrote:
On 04/24/2006 10:57 AM, nelu wrote:
# ipsec look seems ok on both machines...
fireant Sun Apr 23 23:34:17 EEST 2006
10.0.0.0/24 -> 192.168.0.0/24 => %trap (0)
ipsec0->eth0 mtu=16260(1500)->1500
that %trap (0) was actually saying that the tunnel had not come up. I wasn't
paying attention and didn't see it on the first pass, sorry.
when the tunnel is up, it looks roughly like this (on kernel 2.4):
192.168.1.0/29 -> 192.168.10.0/24 => [EMAIL PROTECTED] [EMAIL PROTECTED] (0)
3. What does /var/log/secure say? You should have something like
pluto[2748]: "test-test" #8754: STATE_QUICK_R2: IPsec SA established {ESP=>0x645xxx57a <0x07ae2d4d xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
if you do, you are almost certainly either testing wrongly or there is a firewall in the path.
I think this is where the problem is, I don't have anything like that in the logs.
if I do ipsec auto --down test-test and then try to bring it up manually
I get:
[EMAIL PROTECTED]:/var/log# ipsec auto --up test-test
104 "test-test" #6: STATE_MAIN_I1: initiate
010 "test-test" #6: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "test-test" #6: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "test-test" #6: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "test-test" #6: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "test-test" #6: STATE_MAIN_I1: retransmission; will wait 40s for response
the 2 gateways are not communicating with each other.
put a tcpdump on the outgoing interfaces (on both gateways) and see which
of them does not answer, or which one the connection-initiation packets
never reach.
for it to work correctly they should communicate with each other over the
esp protocol (protocol number 51 if I remember correctly) as well as over
udp, port 500 (for the key exchange).
I made some changes and now it seems connected, but I still cannot pass
traffic through the tunnel:
[EMAIL PROTECTED]:~/openswan_back-up# ipsec auto --up test
104 "vulcan" #4: STATE_MAIN_I1: initiate
003 "vulcan" #4: received Vendor ID payload [Openswan (this version) 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "vulcan" #4: received Vendor ID payload [Dead Peer Detection]
106 "vulcan" #4: STATE_MAIN_I2: sent MI2, expecting MR2
108 "vulcan" #4: STATE_MAIN_I3: sent MI3, expecting MR3
004 "vulcan" #4: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "vulcan" #5: STATE_QUICK_I1: initiate
004 "vulcan" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0xcb4138ed <0xeefe363b xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
ipsec look:
fileserver Wed Apr 26 17:19:25 EEST 2006
10.50.23.0/24 -> 192.168.0.0/24 => [EMAIL PROTECTED]
[EMAIL PROTECTED] (0)
ipsec0->eth0 mtu=1492(1500)->1500
[EMAIL PROTECTED] ESP_AES_HMAC_SHA1: dir=out src=82.76.xxx.xxx
iv_bits=128bits iv=0x9fdaf929ba75a7dada209ff5a6a249ac ooowin=64 alen=160
aklen=160 eklen=128 life(c,s,h)=addtime(300,0,0) natencap=na refcount=4
ref=258
[EMAIL PROTECTED] ESP_AES_HMAC_SHA1: dir=out src=82.76.xxx.xxx
iv_bits=128bits iv=0xf45bcdd805139e11b00c17fcdbc0b7b2 ooowin=64 alen=160
aklen=160 eklen=128 life(c,s,h)=addtime(287,0,0) natencap=na refcount=4
ref=268
[EMAIL PROTECTED] ESP_AES_HMAC_SHA1: dir=in src=82.76.xxx.xxx
iv_bits=128bits iv=0x43d79fa39ee0216fcf02c5c9f56da138 ooowin=64 alen=160
aklen=160 eklen=128 life(c,s,h)=addtime(300,0,0) natencap=na refcount=4
ref=253
[EMAIL PROTECTED] ESP_AES_HMAC_SHA1: dir=in src=82.76.xxx.xxx
iv_bits=128bits iv=0xcafd6bdf1c7bf3db72dfc45798ce2728 ooowin=64 alen=160
aklen=160 eklen=128 life(c,s,h)=addtime(287,0,0) natencap=na refcount=4
ref=263
[EMAIL PROTECTED] IPIP: dir=in src=82.76.xxx.xxx
policy=192.168.0.0/24->10.50.23.0/24 flags=0x8<>
life(c,s,h)=addtime(300,0,0) natencap=na refcount=4 ref=252
[EMAIL PROTECTED] IPIP: dir=out src=82.76.xxx.xxx
life(c,s,h)=addtime(300,0,0) natencap=na refcount=4 ref=257
[EMAIL PROTECTED] IPIP: dir=in src=82.76.xxx.xxx
policy=192.168.0.0/24->10.50.23.0/24 flags=0x8<>
life(c,s,h)=addtime(287,0,0) natencap=na refcount=4 ref=262
[EMAIL PROTECTED] IPIP: dir=out src=82.76.xxx.xxx
life(c,s,h)=addtime(287,0,0) natencap=na refcount=4 ref=267
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         82.76.xxx.189   0.0.0.0         UG    0   0      0    eth0
192.168.0.0     82.76.xxx.189   255.255.255.0   UG    0   0      0    ipsec0
82.76.xxx.188   0.0.0.0         255.255.255.252 U     0   0      0    eth0
82.76.xxx.188   0.0.0.0         255.255.255.252 U     0   0      0    ipsec0
ipsec setup status:
IPsec running - pluto pid: 1563
pluto pid 1563
1 tunnels up
[EMAIL PROTECTED]:~# cat /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
interfaces="ipsec0=eth0"
overridemtu=1492 (it connects both with and without forcing a specific MTU)
klipsdebug=none
plutodebug=none
conn test
#
left=82.76.xxx.xxx
leftnexthop=82.76.xxx.189
leftsubnet=10.50.23.0/24
leftrsasigkey=ceva_mult_prea_mare_de _pus_aici
right=82.76.xxx.xxx
rightnexthop=82.76.xxx.1
rightsubnet=192.168.0.0/24
rightrsasigkey=inca_ceva_mult_prea_mare_de _pus_aici
auto=add
if I try to ping even directly from the ipsec interface it does not work
(ping -I ipsec0 192.168.0.1 for example); the two servers are in RDS, so
I don't think there is any other firewall or anything else in the path.
Beyond that I don't know what else to do, any idea is welcome...
Nelu
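As an added example (not code from the posters or from Openswan), the checklist above can be turned into a small triage script: it reads the text of `ipsec look` and `ipsec auto --up`, tells you whether the eroute is still in `%trap`, how far IKE got (no answer to MI1, phase 1 only, or phase 2 up), counts the MAIN_I1 retransmissions, and prints the tcpdump capture to run next. The sample inputs are constructed to match the output format shown in the thread (addresses are documentation placeholders). Note for the filter: ESP is IP protocol 50 (51 is AH), and IKE uses UDP/500, plus UDP/4500 when NAT traversal is in play.

```shell
#!/bin/sh
# Added example for this thread; not the posters' code and not part of Openswan.
# Classifies Openswan/KLIPS tunnel state from pasted command output and says
# what to capture next. Everything here runs offline on the embedded samples.

# Filter for the traffic both gateways must exchange: IKE on UDP/500
# (UDP/4500 with NAT-T) and ESP, which is IP protocol 50. AH would be 51,
# but the conn in the thread negotiates ESP only.
IKE_ESP_FILTER='udp port 500 or udp port 4500 or ip proto 50'

# eroute_state LOOK_OUTPUT LOCAL_SUBNET REMOTE_SUBNET
# Prints "trap" (policy installed, no SA yet), "established", or "absent".
eroute_state() {
  _line=$(printf '%s\n' "$1" | grep -F "$2 -> $3 =>")
  if [ -z "$_line" ]; then echo absent
  elif printf '%s\n' "$_line" | grep -q '%trap'; then echo trap
  else echo established
  fi
}

# ike_phase UP_OUTPUT
# Prints the furthest state reached in "ipsec auto --up" output:
# "none" (peer never answered MI1), "phase1" (ISAKMP SA only), "phase2" (IPsec SA).
ike_phase() {
  if printf '%s\n' "$1" | grep -q 'IPsec SA established'; then echo phase2
  elif printf '%s\n' "$1" | grep -q 'ISAKMP SA established'; then echo phase1
  else echo none
  fi
}

# retransmit_count UP_OUTPUT -- number of MAIN_I1 retransmissions seen.
# Any retransmissions at all mean UDP/500 is not reaching the peer (or back).
retransmit_count() {
  printf '%s\n' "$1" | awk '/STATE_MAIN_I1: retransmission/ { n++ } END { print n + 0 }'
}

# next_check EROUTE_STATE IKE_PHASE -- the capture or check to do next.
next_check() {
  case "$1/$2" in
    trap/none)     echo "IKE never answered: run tcpdump -ni eth0 'udp port 500' on both gateways" ;;
    trap/phase1)   echo "phase 2 failed: compare leftsubnet/rightsubnet and proposals on both sides" ;;
    established/*) echo "SAs up but no traffic: run tcpdump -ni eth0 'ip proto 50' on both gateways" ;;
    *)             echo "no eroute for this conn: ipsec auto --add <conn>, then --up" ;;
  esac
}

# --- constructed samples, in the format shown in the thread ---
LOOK_TRAP='fireant Sun Apr 23 23:34:17 EEST 2006
10.0.0.0/24 -> 192.168.0.0/24 => %trap (0)
ipsec0->eth0 mtu=16260(1500)->1500'

LOOK_UP='fileserver Wed Apr 26 17:19:25 EEST 2006
10.50.23.0/24 -> 192.168.0.0/24 => tun0x1004@203.0.113.2 esp0xcb4138ed@203.0.113.2 (0)
ipsec0->eth0 mtu=1492(1500)->1500'

UP_STALLED='104 "test-test" #6: STATE_MAIN_I1: initiate
010 "test-test" #6: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "test-test" #6: STATE_MAIN_I1: retransmission; will wait 40s for response'

UP_OK='104 "vulcan" #4: STATE_MAIN_I1: initiate
004 "vulcan" #4: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG}
117 "vulcan" #5: STATE_QUICK_I1: initiate
004 "vulcan" #5: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xcb4138ed <0xeefe363b}'

# Stand-alone run: triage both situations from the thread.
for pair in "$LOOK_TRAP|$UP_STALLED" "$LOOK_UP|$UP_OK"; do
  look=${pair%%|*}; up=${pair#*|}
  st=$(eroute_state "$look" "${look#*$'\n'}" "" 2>/dev/null); : "$st"
done
echo "first attempt : eroute=$(eroute_state "$LOOK_TRAP" 10.0.0.0/24 192.168.0.0/24)" \
     "ike=$(ike_phase "$UP_STALLED") retransmits=$(retransmit_count "$UP_STALLED")"
echo "  -> $(next_check "$(eroute_state "$LOOK_TRAP" 10.0.0.0/24 192.168.0.0/24)" "$(ike_phase "$UP_STALLED")")"
echo "second attempt: eroute=$(eroute_state "$LOOK_UP" 10.50.23.0/24 192.168.0.0/24)" \
     "ike=$(ike_phase "$UP_OK") retransmits=$(retransmit_count "$UP_OK")"
echo "  -> $(next_check "$(eroute_state "$LOOK_UP" 10.50.23.0/24 192.168.0.0/24)" "$(ike_phase "$UP_OK")")"
echo "capture filter for both gateways: $IKE_ESP_FILTER"
```

The two branches mirror the thread: the first attempt shows `%trap` plus MAIN_I1 retransmissions, which points at UDP/500 never arriving, while the second shows SAs established with no traffic, where the only useful next step is to watch for ESP (protocol 50) on the outside interface of each gateway.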
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug