hello incerc sa configurez un security gateway sub un debian
# uname -a Linux ipsec01 2.6.22-2-686 #1 SMP Fri Aug 31 00:24:01 UTC 2007 i686 GNU/Linux practic, setup-ul asta va trebui sa stie ipsec transport si tunneling ipv4 si ipv6, sa negocieze automat asocieri de securitate, atat pe baza de pre-shared keys, cat si pe baza de certificate digitale, sa faca atat criptare cat si autentificare, cu mai multi algoritmi ma intereseaza in mod special feature-urile de ike v2 si isakmp logging tunnelingul se va face versus un alt security gateway, un cisco 6500 am incercat un config de transport mode cu ipsec-tools si racoon, pot porni ambii demoni (la rularea /etc/init.d/ipsec start si /etc/init.d/racoon start nu primesc niciun mesaj de eroare), insa cand dau ping de la un security gateway la altul nu vad nicio negociere, numai mesaje clare fisierul ipsec-tools.conf: #!/usr/sbin/setkey -f # NOTE: Do not use this file if you use racoon with racoon-tool # utility. racoon-tool will setup SAs and SPDs automatically using # /etc/racoon/racoon-tool.conf configuration. # ## Flush the SAD and SPD # flush; spdflush; ## Some sample SPDs for use racoon spdadd 26.0.0.254 26.0.0.250 any -P out ipsec esp/transport/require; spdadd 26.0.0.250 26.0.0.254 any -P in ipsec esp/transport/require; #add 26.0.0.250 26.0.0.254 esp 15701 -E des-cbc "cheie" #add 26.0.0.254 26.0.0.250 esp 24501 -E des-cbc "cheie" fisierul racoon.conf: # NOTE: This file will not be used if you use racoon-tool(8) to manage your # IPsec connections. racoon-tool will process racoon-tool.conf(5) and # generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead # of this file. # # Simple racoon.conf # # # Please look in /usr/share/doc/racoon/examples for # examples that come with the source. # # Please read racoon.conf(5) for details, and also read setkey(8). 
# # # Also read the Linux IPSEC Howto up at # http://www.ipsec-howto.org/t1.html # #RACOON_OPTS="-4 -l /var/log/racoon.log" #RACOON_CONF="/etc/racoon/racoon.conf" #RACOON_PSK_FILE="/etc/racoon/psk.txt" #SETKEY_CONF="/etc/ipsec-tools.conf" #RACOON_RESET_TABLES="true" path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; padding { maximum_length 20; randomize off; strict_check off; exclusive_tail off; } listen { isakmp 26.0.0.254[10]; #admin[7002]; #strict_address; } timer { counter 5; interval 20 sec; persend 1; #cat astept pt. fiecare faza phase1 90 sec; phase2 90 sec; } # aici am config-ul pt. second peer remote anonymous { exchange_mode aggressive,main; my_identifier address "26.0.0.254"; # doi ipsec_doi; situation identity_only; initial_contact on; proposal_check obey; proposal { encryption_algorithm des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; } } sainfo anonymous { pfs_group 2; encryption_algorithm des; authentication_algorithm hmac_sha1; compression_algorithm deflate; lifetime time 3600 sec; } iptables-ul lasa tot: iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination cand dau ping intre security gateways am asta in /var/log/syslog: Nov 22 20:06:18 ipsec01 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: giving up on message 0x828ccc0, exchange ISAKMP-peer-west Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: either this message did not reach the other peer Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: or the response message did not reach us back Config-ul de pe ruter e ceva de genul: crypto isakmp policy 10 hash md5 authentication pre-share group 2 crypto isakmp key cheie address 20.0.0.254 ! crypto ipsec security-association lifetime seconds 86400 ! 
crypto ipsec transform-set IL esp-des esp-md5-hmac ! crypto map IL 10 ipsec-isakmp set peer 20.0.0.254 set transform-set IL match address 100 care este aplicat unei interfete interface FastEthernet5/0 ip address 26.0.0.250 255.255.0.0 duplex auto speed auto crypto map IL no shut am folosit tutoriale de pe net, insa nu fac ceva cum trebuie :( ma puteti ajuta? mersi frumos
