I haven't used strongswan, only openswan;
A few observations:
- do you want to build a tunnel? if so, maybe you should add
type=tunnel
- are you sure the tunnel endpoints are 19.1.255.254 and 19.1.255.253?
- for a bit more information, also run a
ipsec barf |grep ipsec01-cisco6500
Note that the suggestions above come from experience with openswan; things
may be a bit different in strongswan despite the common origins.
On Tue, 2007-11-27 at 17:20 +0000, cristina vintila wrote:
> Hello
>
> I solved the initial problem, now Phase 1 completes between debian and the router. I
> uninstalled everything and installed Strongswan 4.1.8-2:
>
> ---------------debian-----------
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>     klipsdebug=all
>     plutodebug=all
>     # crlcheckinterval=600
>     # strictcrlpolicy=yes
>     # cachecrls=yes
>     # nat_traversal=yes
>     # charonstart=no
>     plutostart=yes
>     charonstart=yes
>     charondebug=dmn4,mgr4,ike4,chd4,job4,cfg4,knl4,net4,enc4,lib4
>
> conn %default
>     ikelifetime=5m
>     keylife=5m
>     rekeymargin=5m
>     keyingtries=50
>     compress=no
>     mobike=no
>     authby=secret
>     auth=esp
>     pfs=yes
>     keyexchange=ikev1
>
> conn ipsec01-cisco6500
>     left=19.1.255.254
>     leftsubnet=19.2.0.0/16
>     right=19.1.255.253
>     rightsubnet=66.6.0.0/16
>     auto=add
>     authby=secret
>     auth=esp
>     compress=no
>     pfs=yes
>     esp=3des-md5-modp1024
>     ike=3des-md5-modp1024
>     keyexchange=ikev1
>     mobike=no
>
>
> the ipsec.secrets file has:
> : PSK "cheie"
>
> eth1 Link encap:Ethernet HWaddr 00:0A:5E:5C:7C:E7
> inet addr:19.1.255.254 Bcast:19.1.255.255 Mask:255.255.0.0
> inet6 addr: 2000:99:99:100:20a:5eff:fe5c:7ce7/64 Scope:Global
> inet6 addr: fe80::20a:5eff:fe5c:7ce7/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:1901 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1411 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:196249 (191.6 KiB) TX bytes:145534 (142.1 KiB)
> Interrupt:23
>
> in syslog I have:
>
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[DMN] starting charon (strongSwan
> Version 4.1.8)
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading attribute
> certificates from '/etc/ipsec.d/acerts'
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading ocsp certificates
> from '/etc/ipsec.d/ocspcerts'
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading crls from
> '/etc/ipsec.d/crls'
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading secrets from
> "/etc/ipsec.secrets"
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading shared key for %any
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading control interface
> modules from '/usr/lib/ipsec/plugins/interfaces'
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loaded control interface
> module successfully from libstroke.so
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading backend modules from
> '/usr/lib/ipsec/plugins/backends'
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loaded backend module
> successfully from liblocal.so
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] listening on interfaces:
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] eth4
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] 19.2.0.254
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL]
> 2000:99:99:100:204:23ff:feb5:2ae1
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] fe80::204:23ff:feb5:2ae1
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] eth0
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] 10.205.16.62
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] fe80::20a:5eff:fe5c:8252
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] eth1
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] 19.1.255.254
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL]
> 2000:99:99:100:20a:5eff:fe5c:7ce7
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[KNL] fe80::20a:5eff:fe5c:7ce7
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[LIB] initializing libcurl
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loading EAP modules from
> '/usr/lib/ipsec/plugins/eap'
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[CFG] loaded EAP method
> EAP_IDENTITY successfully from libeapidentity.so
> Nov 27 18:53:23 cvintila-ipsec01 charon: 01[JOB] spawning 16 worker threads
> Nov 27 18:53:23 cvintila-ipsec01 charon: 03[CFG] received stroke: add
> connection 'ipsec01-cisco6500'
> Nov 27 18:53:23 cvintila-ipsec01 charon: 03[CFG] added configuration
> 'ipsec01-cisco6500': 19.1.255.254[19.1.255.254]...19.1.255.253[19.1.255.253]
>
>
> ---------------router-----------
>
> !
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key cheie address 19.1.255.254
> !
> crypto ipsec security-association lifetime seconds 86400
> !
> crypto ipsec transform-set IL esp-3des esp-md5-hmac
> !
> crypto map IL 10 ipsec-isakmp
>  set peer 19.1.255.254
>  set transform-set IL
>  match address 100
>
> -------the map is applied on interface gi4/27, which has IP 19.1.255.253/16
>
> Extended IP access list 100
> 10 permit ip any any (1420 matches)
>
> I ping from the router to debian or the other way round
>
> with debug crypto verbose, on the cisco I have:
>
> 7w3d: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) vrf/dest_addr= /192.168.1.255, src_addr= 192.168.1.2, prot= 17
> 7w3d: IPSEC(sa_request): ,
> (key eng. msg.) OUTBOUND local= 19.1.255.253, remote= 19.1.255.254,
> local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
> remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
> protocol= ESP, transform= esp-3des esp-md5-hmac ,
> lifedur= 86400s and 4608000kb,
> spi= 0x905A43B8(2421834680), conn_id= 0, keysize= 0, flags= 0x400A
> 7w3d: ISAKMP: received ke message (1/1)
> 7w3d: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
> 7w3d: ISAKMP: Attempting to insert peer index node : 18
> 7w3d: ISAKMP: Created a peer struct for 19.1.255.254, peer port 500, peer
> index 18
> 7w3d: ISAKMP: Locking peer struct 0x53EBA708, IKE refcount 1 for
> isakmp_initiator
> 7w3d: ISAKMP: local port 500, remote port 500
> 7w3d: ISAKMP: set new node 0 to QM_IDLE
> 7w3d: insert sa successfully sa = 53EA83A0
> 7w3d: ISAKMP:(0:1:SW:1):Can not start Aggressive mode, trying Main mode.
> 7w3d: ISAKMP: Looking for a matching key for 19.1.255.254 in default :
> success
> 7w3d: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 19.1.255.254
> 7w3d: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-03 ID
> 7w3d: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-02 ID
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_READY New State = IKE_I_MM1
>
> 7w3d: ISAKMP:(0:1:SW:1): beginning Main Mode exchange
> 7w3d: ISAKMP:(0:1:SW:1): sending packet to 19.1.255.254 my_port 500 peer_port
> 500 (I) MM_NO_STATE
> 7w3d: ISAKMP (0:134217729): received packet from 19.1.255.254 dport 500 sport
> 500 Global (I) MM_NO_STATE
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM1 New State = IKE_I_MM2
>
> 7w3d: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 0
> 7w3d: ISAKMP:(0:1:SW:1): processing vendor id payload
> 7w3d: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 234 mismatch
> 7w3d: ISAKMP:(0:1:SW:1): processing vendor id payload
> 7w3d: ISAKMP:(0:1:SW:1): vendor ID is Unity
> 7w3d: ISAKMP:(0:1:SW:1): processing vendor id payload
> 7w3d: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 215 mismatch
> 7w3d: ISAKMP:(0:1:SW:1): vendor ID is XAUTH
> 7w3d: ISAKMP:(0:1:SW:1): processing vendor id payload
> 7w3d: ISAKMP:(0:1:SW:1): vendor ID is DPD
> 7w3d: ISAKMP: Looking for a matching key for 19.1.255.254 in default : success
> 7w3d: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 19.1.255.254
> 7w3d: ISAKMP:(0:1:SW:1): local preshared key found
> 7w3d: ISAKMP : Scanning profiles for xauth ...
> 7w3d: ISAKMP:(0:1:SW:1):Checking ISAKMP transform 1 against priority 10 policy
> 7w3d: ISAKMP: encryption 3DES-CBC
> 7w3d: ISAKMP: hash MD5
> 7w3d: ISAKMP: default group 2
> 7w3d: ISAKMP: auth pre-share
> 7w3d: ISAKMP: life type in seconds
> 7w3d: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
> 7w3d: ISAKMP:(0:1:SW:1):atts are acceptable. Next payload is 0
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2
>
> 7w3d: ISAKMP:(0:1:SW:1): sending packet to 19.1.255.254 my_port 500 peer_port
> 500 (I) MM_SA_SETUP
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
>
> 7w3d: ISAKMP (0:134217729): received packet from 19.1.255.254 dport 500 sport
> 500 Global (I) MM_SA_SETUP
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
>
> 7w3d: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
> 7w3d: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
> 7w3d: ISAKMP: Looking for a matching key for 19.1.255.254 in default : success
> 7w3d: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 19.1.255.254
> 7w3d: ISAKMP:(0:1:SW:1):SKEYID state generated
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
>
> 7w3d: ISAKMP:(0:1:SW:1):Send initial contact
> 7w3d: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id
> type ID_IPV4_ADDR
> 7w3d: ISAKMP (0:134217729): ID payload
> next-payload : 8
> type : 1
> address : 19.1.255.253
> protocol : 17
> port : 500
> length : 12
> 7w3d: ISAKMP:(0:1:SW:1):Total payload length: 12
> 7w3d: ISAKMP:(0:1:SW:1): sending packet to 19.1.255.254 my_port 500 peer_port
> 500 (I) MM_KEY_EXCH
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
>
> 7w3d: ISAKMP (0:134217729): received packet from 19.1.255.254 dport 500 sport
> 500 Global (I) MM_KEY_EXCH
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
>
> 7w3d: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
> 7w3d: ISAKMP (0:134217729): ID payload
> next-payload : 8
> type : 1
> address : 19.1.255.254
> protocol : 0
> port : 0
> length : 12
> 7w3d: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
> 7w3d: ISAKMP:(0:1:SW:1):SA authentication status:
> 7w3d: ISAKMP:(0:1:SW:1): authenticated
> 7w3d: ISAKMP:(0:1:SW:1):SA has been authenticated with 19.1.255.254
> 7w3d: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
> 7w3d: ISAKMP: Trying to insert a peer 19.1.255.253/19.1.255.254/500/, and
> inserted successfully 53EBA708.
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6
>
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
>
> 7w3d: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of 1651465696
> 7w3d: ISAKMP:(0:1:SW:1): sending packet to 19.1.255.254 my_port 500 peer_port
> 500 (I) QM_IDLE
> 7w3d: ISAKMP:(0:1:SW:1):Node 1651465696, Input = IKE_MESG_INTERNAL,
> IKE_INIT_QM
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State =
> IKE_P1_COMPLETE
>
> 7w3d: ISAKMP (0:134217729): received packet from 19.1.255.254 dport 500 sport
> 500 Global (I) QM_IDLE
> 7w3d: ISAKMP: set new node -1908897605 to QM_IDLE
> 7w3d: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -1908897605
> 7w3d: ISAKMP:(0:1:SW:1): processing NOTIFY INVALID_ID_INFO protocol 1
> spi 0, message ID = -1908897605, sa = 53EA83A0
> 7w3d: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.
>
> 7w3d: ISAKMP:(0:1:SW:1):deleting SA reason "recevied fatal informational"
> state (I) QM_IDLE (peer 19.1.255.254) input queue 0
> 7w3d: ISAKMP:(0:1:SW:1):deleting node -1908897605 error FALSE reason
> "informational (in) state 1"
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State =
> IKE_P1_COMPLETE
>
> 7w3d: ISAKMP: set new node 318867261 to QM_IDLE
> 7w3d: ISAKMP:(0:1:SW:1): sending packet to 19.1.255.254 my_port 500 peer_port
> 500 (I) QM_IDLE
> 7w3d: ISAKMP:(0:1:SW:1):purging node 318867261
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
>
> 7w3d: ISAKMP:(0:1:SW:1):deleting SA reason "" state (I) QM_IDLE (peer
> 19.1.255.254) input queue 0
> 7w3d: ISAKMP: Unlocking IKE struct 0x53EBA708 for isadb_mark_sa_deleted(),
> count 0
> 7w3d: ISAKMP: Deleting peer node by peer_reap for 19.1.255.254: 53EBA708
> 7w3d: ISAKMP: Freeing node for peer index 18
> 7w3d: ISAKMP:(0:1:SW:1):deleting node 1651465696 error FALSE reason ""
> 7w3d: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> 7w3d: ISAKMP:(0:1:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
>
> 7w3d: ISAKMP (0:134217729): received packet from 19.1.255.254 dport 500 sport
> 500 Global (I) MM_NO_STATE
> 7w3d: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
> (ip) vrf/dest_addr= /19.1.255.253, src_addr= 19.1.255.254, prot= 1
>
>
> -------------
>
>
> I did a capture with ethereal on the switch and I only have ISAKMP Identity
> Protection (Main Mode), ISAKMP Quick Mode and ISAKMP Informational packets.
>
> Am I getting something wrong in the acl?... does the traffic between the nodes
> have to be defined exactly (isn't permit ip any any enough?)... or is the problem
> somewhere on linux?
>
> Thanks a lot,
> Cristina
>
> ----- Original Message ----
> From: Silviu Dicu <[EMAIL PROTECTED]>
> To: Romanian Linux Users Group <[email protected]>
> Sent: Monday, 26 November, 2007 6:48:13 PM
> Subject: RE: [rlug] ipsec server sub debian vs. cisco
>
> hey
>
> 1. tcpdump shows me icmp messages in the clear, nothing about esp or isakmp 2.
> the access list is defined
>
> thx,
> Cristina
>
> ---
> Hey
>
> Tcpdump should tell you something like
>
> ESP(spi=0x00000301,seq=0x1cee8d)
>
> Run tcpdump without any filter and grep for ESP or AH.
>
> If you don't see any traffic like that, it's certain that you have no
> traffic via ipsec. Maybe you're missing a route; it's not very clear from your
> example what the IPs are.
>
> You set peer 20.0.0.254 in the cisco, but in linux you say you are 26.0.0.254 -
> maybe it's just a typo
>
>
> silviu
>
> _______________________________________________
> RLUG mailing list
> [email protected]
> http://lists.lug.ro/mailman/listinfo/rlug
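The Quick Mode failure in the router debug quoted above (the router proposes local_proxy and remote_proxy of 0.0.0.0/0, derived from the any/any crypto ACL, and the strongSwan side answers with INVALID_ID_INFO) is the classic symptom of mismatched IKEv1 Phase 2 traffic selectors: the responder (pluto, in strongSwan 4.x) only accepts a Quick Mode proposal whose proxy IDs exactly mirror the leftsubnet/rightsubnet of a configured conn. The script below is an added example, not code from the thread or from the strongSwan or Cisco projects; it parses the conn block and the crypto ACL from the thread, derives the proxy IDs each side expects, and reports whether they line up. The corrected ACL (CISCO_ACL_FIXED) is constructed by me as the mirror image of the conn's subnets.

```python
"""Check whether a Cisco crypto ACL and a strongSwan IKEv1 conn agree on the
Phase 2 proxy IDs (traffic selectors).  Added example, not from the thread."""
import ipaddress
import re

# Constructed inputs: the conn block and the any/any ACL are copied from the
# thread's ipsec.conf and router configuration; the "fixed" ACL is my own.
STRONGSWAN_CONN = """\
conn ipsec01-cisco6500
    left=19.1.255.254
    leftsubnet=19.2.0.0/16
    right=19.1.255.253
    rightsubnet=66.6.0.0/16
"""
CISCO_ACL_ANY = "access-list 100 permit ip any any"
CISCO_ACL_FIXED = "access-list 100 permit ip 66.6.0.0 0.0.255.255 19.2.0.0 0.0.255.255"

ANY = ipaddress.IPv4Network("0.0.0.0/0")
ACL_RE = re.compile(
    r"permit\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$"
)


def acl_token_to_network(token):
    """Convert one ACL address token to an IPv4Network.
    'any' -> 0.0.0.0/0, 'host A' -> A/32, 'A W' -> A masked by wildcard W,
    where a Cisco wildcard mask is the bitwise inverse of a netmask."""
    parts = token.split()
    if parts == ["any"]:
        return ANY
    if parts[0] == "host":
        return ipaddress.IPv4Network(f"{parts[1]}/32")
    addr, wildcard = parts
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_crypto_acl(line):
    """Return (source, destination) networks of a 'permit ip' ACL entry.
    When the router initiates Quick Mode, source becomes local_proxy and
    destination becomes remote_proxy (compare the IPSEC(sa_request) debug line)."""
    m = ACL_RE.search(line)
    if m is None:
        raise ValueError(f"unsupported ACL entry: {line!r}")
    return acl_token_to_network(m["src"]), acl_token_to_network(m["dst"])


def parse_conn_subnets(conn_text):
    """Return (leftsubnet, rightsubnet) of a strongSwan conn section."""
    params = {}
    for raw in conn_text.splitlines():
        line = raw.strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return (ipaddress.IPv4Network(params["leftsubnet"]),
            ipaddress.IPv4Network(params["rightsubnet"]))


def check_phase2_selectors(conn_text, acl_line):
    """Compare the router's proposed proxy IDs with the strongSwan responder's
    configured subnets.  IKEv1 has no selector narrowing, so the responder needs
    an exact match: the initiator's remote_proxy must equal the responder's
    leftsubnet and its local_proxy must equal the responder's rightsubnet."""
    left, right = parse_conn_subnets(conn_text)
    local_proxy, remote_proxy = parse_crypto_acl(acl_line)
    match = local_proxy == right and remote_proxy == left
    return {
        "router_local_proxy": str(local_proxy),
        "router_remote_proxy": str(remote_proxy),
        "strongswan_expects_local": str(right),    # the router's side
        "strongswan_expects_remote": str(left),    # the Debian side
        "match": match,
        "expected_reply": "Quick Mode proceeds" if match else "INVALID_ID_INFO",
    }


if __name__ == "__main__":
    for acl in (CISCO_ACL_ANY, CISCO_ACL_FIXED):
        print(acl)
        for key, value in check_phase2_selectors(STRONGSWAN_CONN, acl).items():
            print(f"  {key}: {value}")
```

Running it shows the any/any entry producing 0.0.0.0/0 on both sides, exactly what the router's IPSEC(sa_request) line reports, while the mirrored ACL yields proxy IDs equal to the conn's subnets. An any/any crypto ACL is also why the router logs %CRYPTO-4-RECVD_PKT_NOT_IPSEC for unrelated plaintext arriving on gi4/27: every packet matches the crypto map, so any non-IPsec packet is reported.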