I think you understood that you have to create a SEPARATE ipsec.secrets
key for each host, right?
You have to put both keys (left and right) in ipsec.conf, using
"ipsec showhostkey".

Here is what you have to do:
a) /proc/sys/net/ipv4/conf/*/rp_filter must be 0 (actually only on the
interface that carries the IPSec traffic)
b) check that you are not blocking UDP port 500 as well as protocols 50 (esp;
when the connection is encrypted) or 51 (ah; when the data is not
encrypted but only authenticated) (e.g. -p 50) in iptables
c) tcpdump port 500 helps. It is the port on which the connection
parameters are negotiated.
d) leftnexthop and rightnexthop are very important. Make sure they are
set correctly.
e) set
        klipsdebug=all
        plutodebug=all
and look in the FAQ for what it says about the last message that shows up in your logs.

In general, look at the logs and see what it is complaining about.
[EMAIL PROTECTED] wrote:

>after more research and reading I ended up in this situation:
>computer 1:
>
>[EMAIL PROTECTED]:/etc# ipsec verify
>Checking your system to see if IPsec got installed and started correctly
>Version check and ipsec on-path                             [OK]
>Checking for KLIPS support in kernel                        [OK]
>Checking for RSA private key (/etc/ipsec.secrets)           [OK]
>Checking that pluto is running                              [OK]
>DNS checks.
>Looking for forward key for omidex                          [NO KEY]
>Does the machine have at least one non-private address      [OK]
>Two or more interfaces found, checking IP forwarding        [OK]
>Checking NAT and MASQUERADING
>
>computer 2:
>[EMAIL PROTECTED]:/etc# ipsec verify
>Checking your system to see if IPsec got installed and started correctly
>Version check and ipsec on-path                             [OK]
>Checking for KLIPS support in kernel                        [OK]
>Checking for RSA private key (/etc/ipsec.secrets)           [OK]
>Checking that pluto is running                              [OK]
>DNS checks.
>Looking for TXT in forward map: mail                        [MISSING]
>Does the machine have at least one non-private address      [OK]
>Two or more interfaces found, checking IP forwarding        [OK]
>Checking NAT and MASQUERADING
>
>
>what "bothers" me is that text that says "[NO KEY]"; unfortunately I have not
>found anything related to this problem
>* the routes seem to be in order
>* and with "ipsec auto status", likewise everything seems so
>
>now what's wrong? :((
>
>
> Omide
>-------------
> http://www.grozav.ro
> http://mail.grozav.ro
>
>  
>
>>I did them and I was still getting that message
>>more recently, after I run
>>ipsec setup --start
>>followed by
>>ipsec verify, I get
>>-------
>>Checking your system to see if IPsec got installed and started correctly
>>Version check and ipsec on-path                             [OK]
>>Checking for KLIPS support in kernel                        [OK]
>>Checking for RSA private key (/etc/ipsec.secrets)           [FAILED]
>>ipsec showhostkey: no pubkey line found -- key information old?
>>Checking that pluto is running                              [OK]
>>DNS checks.
>>Looking for TXT in forward map: mail                        [MISSING]
>>Does the machine have at least one non-private address      [OK]
>>Two or more interfaces found, checking IP forwarding        [OK]
>>----
>>(I assume that was normal, my mistake)
>>in the end it seems the problem with KLIPS got solved
>>
>>and the tunnel still won't work :((
>>on both sides I used the same ipsec.secrets file; from the documentation
>>I noticed that this error is not CRITICAL, unlike the KLIPS one, which was.
>>
>>where did I go wrong?
>>
>>    
>>



--- 
Details about our mailing lists: http://www.lug.ro/
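
Points (a) and (b) of the checklist in the reply can be scripted. The following is an added example, not part of the original messages; the function names, the directory argument and the sample ruleset are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for points (a) and (b) of the list above.

# Print each interface whose rp_filter is not 0; return 1 if any was found.
# $1 = conf directory (assumed default: /proc/sys/net/ipv4/conf).
check_rp_filter() {
    dir=${1:-/proc/sys/net/ipv4/conf}
    bad=0
    for f in "$dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            echo "rp_filter=$val on $(basename "$(dirname "$f")")"
            bad=1
        fi
    done
    return "$bad"
}

# Read iptables-save output on stdin and print every DROP/REJECT rule that
# matches IKE (UDP port 500), ESP (protocol 50) or AH (protocol 51).
# Returns 1 if such a rule exists. Chain default policies are not examined.
find_ipsec_blocks() {
    awk '
        /-j (DROP|REJECT)/ {
            ike = ($0 ~ /-p (udp|17) / && $0 ~ /--(dport|sport) 500( |$)/)
            esp = ($0 ~ /-p (esp|50) /)
            ah  = ($0 ~ /-p (ah|51) /)
            if (ike || esp || ah) { print; hit = 1 }
        }
        END { exit (hit ? 1 : 0) }
    '
}

# Constructed sample ruleset (not taken from the thread).
SAMPLE_RULES='-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j DROP
-A INPUT -p esp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 5000 -j DROP
-A INPUT -p ah -j ACCEPT'

check_rp_filter || echo "^ set these to 0 on the interface carrying IPsec"
printf '%s\n' "$SAMPLE_RULES" | find_ipsec_blocks ||
    echo "^ these rules block IKE/ESP/AH"
```

On a live gateway, feed the second function with "iptables-save | find_ipsec_blocks" run as root.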

