Hello
I solved the initial problem; Phase 1 is now established between Debian and the router. I
uninstalled everything and installed strongSwan 4.1.8-2:
---------------debian-----------
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        klipsdebug=all
        plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=no
        plutostart=yes
        charonstart=yes
        charondebug=dmn4,mgr4,ike4,chd4,job4,cfg4,knl4,net4,enc4,lib4

conn %default
        ikelifetime=5m
        keylife=5m
        rekeymargin=5m
        keyingtries=50
        compress=no
        mobike=no
        authby=secret
        auth=esp
        pfs=yes
        keyexchange=ikev1

conn ipsec01-cisco6500
        left=19.1.255.254
        leftsubnet=19.2.0.0/16
        right=19.1.255.253
        rightsubnet=66.6.0.0/16
        auto=add
        authby=secret
        auth=esp
        compress=no
        pfs=yes
        esp=3des-md5-modp1024
        ike=3des-md5-modp1024
        keyexchange=ikev1
        mobike=no
the ipsec.secrets file contains:
: PSK "cheie"
eth1 Link encap:Ethernet HWaddr 00:0A:5E:5C:7C:E7
inet addr:19.1.255.254 Bcast:19.1.255.255 Mask:255.255.0.0
inet6 addr: 2000:99:99:100:20a:5eff:fe5c:7ce7/64 Scope:Global
inet6 addr: fe80::20a:5eff:fe5c:7ce7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1901 errors:0 dropped:0 overruns:0 frame:0
TX packets:1411 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:196249 (191.6 KiB) TX bytes:145534 (142.1 KiB)
Interrupt:23
in syslog I have:
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[DMN] starting charon (strongSwan
Version 4.1.8)
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading attribute certificates
from '/etc/ipsec.d/acerts'
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading ocsp certificates from
'/etc/ipsec.d/ocspcerts'
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading crls from
'/etc/ipsec.d/crls'
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading secrets from
"/etc/ipsec.secrets"
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading shared key for %any
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading control interface
modules from '/usr/lib/ipsec/plugins/interfaces'
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loaded control interface
module successfully from libstroke.so
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading backend modules from
'/usr/lib/ipsec/plugins/backends'
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loaded backend module
successfully from liblocal.so
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] listening on interfaces:
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] eth4
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] 19.2.0.254
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL]
2000:99:99:100:204:23ff:feb5:2ae1
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] fe80::204:23ff:feb5:2ae1
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] eth0
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] 10.205.16.62
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] fe80::20a:5eff:fe5c:8252
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] eth1
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] 19.1.255.254
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL]
2000:99:99:100:20a:5eff:fe5c:7ce7
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] fe80::20a:5eff:fe5c:7ce7
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[LIB] initializing libcurl
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading EAP modules from
'/usr/lib/ipsec/plugins/eap'
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loaded EAP method
EAP_IDENTITY successfully from libeapidentity.so
Nov 27 18:53:23 cvintila-ipsec01 charon: 01[JOB] spawning 16 worker threads
Nov 27 18:53:23 cvintila-ipsec01 charon: 03[CFG] received stroke: add
connection 'ipsec01-cisco6500'
Nov 27 18:53:23 cvintila-ipsec01 charon: 03[CFG] added configuration
'ipsec01-cisco6500': 19.1.255.254[19.1.255.254]...19.1.255.253[19.1.255.253]
---------------router-----------
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cheie address 19.1.255.254
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set IL esp-3des esp-md5-hmac
!
crypto map IL 10 ipsec-isakmp
 set peer 19.1.255.254
 set transform-set IL
 match address 100
-------the crypto map is applied on interface gi4/27, which has IP 19.1.255.253/16
Extended IP access list 100
10 permit ip any any (1420 matches)
I ping from the router to Debian or the other way round; with
debug crypto verbose, on the Cisco I have:
7w3d: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /192.168.1.255, src_addr= 192.168.1.2, prot= 17
7w3d: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 19.1.255.253, remote= 19.1.255.254,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 86400s and 4608000kb,
spi= 0x905A43B8(2421834680), conn_id= 0, keysize= 0, flags= 0x400A
7w3d: ISAKMP: received ke message (1/1)
7w3d: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
7w3d: ISAKMP: Attempting to insert peer index node : 18
7w3d: ISAKMP: Created a peer struct for 19.1.255.254, peer port 500, peer index
18
7w3d: ISAKMP: Locking peer struct 0x53EBA708, IKE refcount 1 for
isakmp_initiator
7w3d: ISAKMP: local port 500, remote port 500
7w3d: ISAKMP: set new node 0 to QM_IDLE
7w3d: insert sa successfully sa = 53EA83A0
7w3d: ISAKMP:(0:1:SW:1):Can not start Aggressive mode, trying Main mode.
7w3d: ISAKMP: Looking for a matching key for 19.1.255.254 in default : success
7w3d: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 19.1.255.254
7w3d: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-03 ID
7w3d: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-02 ID
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_READY New State = IKE_I_MM1
7w3d: ISAKMP:(0:1:SW:1): beginning Main Mode exchange
7w3d: ISAKMP:(0:1:SW:1): sending packet to 19.1.255.254 my_port 500 peer_port
500 (I) MM_NO_STATE
7w3d: ISAKMP (0:134217729): received packet from 19.1.255.254 dport 500 sport
500 Global (I) MM_NO_STATE
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM1 New State = IKE_I_MM2
7w3d: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 0
7w3d: ISAKMP:(0:1:SW:1): processing vendor id payload
7w3d: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 234 mismatch
7w3d: ISAKMP:(0:1:SW:1): processing vendor id payload
7w3d: ISAKMP:(0:1:SW:1): vendor ID is Unity
7w3d: ISAKMP:(0:1:SW:1): processing vendor id payload
7w3d: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 215 mismatch
7w3d: ISAKMP:(0:1:SW:1): vendor ID is XAUTH
7w3d: ISAKMP:(0:1:SW:1): processing vendor id payload
7w3d: ISAKMP:(0:1:SW:1): vendor ID is DPD
7w3d: ISAKMP: Looking for a matching key for 19.1.255.254 in default : success
7w3d: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 19.1.255.254
7w3d: ISAKMP:(0:1:SW:1): local preshared key found
7w3d: ISAKMP : Scanning profiles for xauth ...
7w3d: ISAKMP:(0:1:SW:1):Checking ISAKMP transform 1 against priority 10 policy
7w3d: ISAKMP: encryption 3DES-CBC
7w3d: ISAKMP: hash MD5
7w3d: ISAKMP: default group 2
7w3d: ISAKMP: auth pre-share
7w3d: ISAKMP: life type in seconds
7w3d: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
7w3d: ISAKMP:(0:1:SW:1):atts are acceptable. Next payload is 0
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2
7w3d: ISAKMP:(0:1:SW:1): sending packet to 19.1.255.254 my_port 500 peer_port
500 (I) MM_SA_SETUP
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
7w3d: ISAKMP (0:134217729): received packet from 19.1.255.254 dport 500 sport
500 Global (I) MM_SA_SETUP
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
7w3d: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
7w3d: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
7w3d: ISAKMP: Looking for a matching key for 19.1.255.254 in default : success
7w3d: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 19.1.255.254
7w3d: ISAKMP:(0:1:SW:1):SKEYID state generated
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
7w3d: ISAKMP:(0:1:SW:1):Send initial contact
7w3d: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type
ID_IPV4_ADDR
7w3d: ISAKMP (0:134217729): ID payload
next-payload : 8
type : 1
address : 19.1.255.253
protocol : 17
port : 500
length : 12
7w3d: ISAKMP:(0:1:SW:1):Total payload length: 12
7w3d: ISAKMP:(0:1:SW:1): sending packet to 19.1.255.254 my_port 500 peer_port
500 (I) MM_KEY_EXCH
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
7w3d: ISAKMP (0:134217729): received packet from 19.1.255.254 dport 500 sport
500 Global (I) MM_KEY_EXCH
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
7w3d: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
7w3d: ISAKMP (0:134217729): ID payload
next-payload : 8
type : 1
address : 19.1.255.254
protocol : 0
port : 0
length : 12
7w3d: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
7w3d: ISAKMP:(0:1:SW:1):SA authentication status:
7w3d: ISAKMP:(0:1:SW:1): authenticated
7w3d: ISAKMP:(0:1:SW:1):SA has been authenticated with 19.1.255.254
7w3d: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
7w3d: ISAKMP: Trying to insert a peer 19.1.255.253/19.1.255.254/500/, and
inserted successfully 53EBA708.
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
7w3d: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of 1651465696
7w3d: ISAKMP:(0:1:SW:1): sending packet to 19.1.255.254 my_port 500 peer_port
500 (I) QM_IDLE
7w3d: ISAKMP:(0:1:SW:1):Node 1651465696, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
7w3d: ISAKMP (0:134217729): received packet from 19.1.255.254 dport 500 sport
500 Global (I) QM_IDLE
7w3d: ISAKMP: set new node -1908897605 to QM_IDLE
7w3d: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -1908897605
7w3d: ISAKMP:(0:1:SW:1): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = -1908897605, sa = 53EA83A0
7w3d: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.
7w3d: ISAKMP:(0:1:SW:1):deleting SA reason "recevied fatal informational" state
(I) QM_IDLE (peer 19.1.255.254) input queue 0
7w3d: ISAKMP:(0:1:SW:1):deleting node -1908897605 error FALSE reason
"informational (in) state 1"
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
7w3d: ISAKMP: set new node 318867261 to QM_IDLE
7w3d: ISAKMP:(0:1:SW:1): sending packet to 19.1.255.254 my_port 500 peer_port
500 (I) QM_IDLE
7w3d: ISAKMP:(0:1:SW:1):purging node 318867261
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
7w3d: ISAKMP:(0:1:SW:1):deleting SA reason "" state (I) QM_IDLE (peer
19.1.255.254) input queue 0
7w3d: ISAKMP: Unlocking IKE struct 0x53EBA708 for isadb_mark_sa_deleted(),
count 0
7w3d: ISAKMP: Deleting peer node by peer_reap for 19.1.255.254: 53EBA708
7w3d: ISAKMP: Freeing node for peer index 18
7w3d: ISAKMP:(0:1:SW:1):deleting node 1651465696 error FALSE reason ""
7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
7w3d: ISAKMP (0:134217729): received packet from 19.1.255.254 dport 500 sport
500 Global (I) MM_NO_STATE
7w3d: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /19.1.255.253, src_addr= 19.1.255.254, prot= 1
-------------
I made a capture with Ethereal on the switch and I only have ISAKMP Identity
Protection (Main Mode), ISAKMP Quick Mode and ISAKMP Informational packets.
Am I getting something wrong in the ACL?... does the traffic between the nodes have to be defined exactly (is
permit ip any any not enough?)... or is the problem somewhere on Linux?
Many thanks,
Cristina
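The Cisco debug above shows Phase 1 completing and Quick Mode ending with NOTIFY INVALID_ID_INFO, which an IKEv1 responder sends when the Phase 2 identities it is offered (on the Cisco, local_proxy/remote_proxy taken from the crypto ACL, shown as 0.0.0.0/0 for "permit ip any any") do not exactly match its own leftsubnet/rightsubnet. As an added example that is not from the thread, the Python below parses both sides in the formats shown in the post and reports the mismatch; the strongSwan conn excerpt and the debug lines are constructed from the values above.

```python
import ipaddress
import re

# Excerpts constructed from the thread above: the Debian conn and the
# Cisco "IPSEC(sa_request)" proxy lines (addr/mask/proto/port).
STRONGSWAN_CONF = """\
conn ipsec01-cisco6500
        leftsubnet=19.2.0.0/16
        rightsubnet=66.6.0.0/16
"""
CISCO_DEBUG = """\
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
"""


def strongswan_selectors(conf, conn):
    """Return {'leftsubnet': net, 'rightsubnet': net} for the named conn."""
    sel, in_conn = {}, False
    for line in conf.splitlines():
        if line.startswith("conn "):
            in_conn = line.split()[1] == conn
        elif in_conn and "=" in line:
            key, value = line.strip().split("=", 1)
            if key in ("leftsubnet", "rightsubnet"):
                sel[key] = ipaddress.ip_network(value, strict=False)
    return sel


def cisco_proxies(debug):
    """Parse 'local_proxy= addr/mask/proto/port' lines into networks."""
    pat = r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/\d+/\d+"
    return {side: ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for side, addr, mask in re.findall(pat, debug)}


def phase2_mismatches(conf, conn, debug):
    """Compare the Cisco proxy IDs (derived from its crypto ACL) with the
    strongSwan subnets. IKEv1 Quick Mode does no selector narrowing, so
    the responder needs an exact match and otherwise replies with
    INVALID_ID_INFORMATION. Returns mismatch descriptions ([] if OK)."""
    ss, cisco = strongswan_selectors(conf, conn), cisco_proxies(debug)
    # The Cisco is 'right' in ipsec.conf: its local_proxy must equal
    # rightsubnet and its remote_proxy must equal leftsubnet.
    return [f"cisco {c}_proxy {cisco[c]} != {k} {ss[k]}"
            for c, k in (("local", "rightsubnet"), ("remote", "leftsubnet"))
            if cisco[c] != ss[k]]
```

Run against the values from the thread it reports both proxies as 0.0.0.0/0 against the two /16 subnets; with a crypto ACL that permits only 66.6.0.0/16 to 19.2.0.0/16 the list comes back empty.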
----- Original Message ----
From: Silviu Dicu <[EMAIL PROTECTED]>
To: Romanian Linux Users Group <[email protected]>
Sent: Monday, 26 November, 2007 6:48:13 PM
Subject: RE: [rlug] ipsec server sub debian vs. cisco
hey
1. tcpdump shows me ICMP messages in the clear, nothing about ESP or ISAKMP
2. the access list is defined
thanks,
Cristina
---
Hey
Tcpdump should tell you something like
ESP(spi=0x00000301,seq=0x1cee8d)
Run tcpdump without any filter and grep for ESP or AH.
If you don't see any traffic of that kind, it's certain that you have no
traffic via IPsec. Maybe you are missing a route; it's not very clear from your
example what the IPs are.
In the Cisco you put peer 20.0.0.254, while in Linux you say you are 26.0.0.254 -
maybe it's just a typo
silviu
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug