Caute,
mam fbsd 8.1-Stable, potrebujem spravit spojenie s cisco zariadenim na druhej strane.

racoon.conf :
# the file should contain key ID/key pairs, for pre-shared key authentication.
# NOTE(review): the startup log below shows racoon reading "racoon2.conf" --
# confirm this file is the one actually loaded before debugging its contents.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
#log debug;
# Bind ISAKMP only to the local public address.
listen {
        isakmp          217.67.31.61 [500];
        }
# Maximum time allowed for each negotiation phase to complete.
timer {
                phase1 60 seconds ;
                phase2 60 seconds ;
}

# Phase 1 (ISAKMP SA) settings for the Cisco peer.
remote 195.80.190.60
{
#       exchange_mode main,aggressive,base;
        # NOTE(review): aggressive mode with a pre-shared key sends the
        # identity hash unencrypted, so a weak PSK can be guessed offline.
        # Prefer "main" if the Cisco side allows it, and use a long random PSK.
        exchange_mode aggressive;
    doi ipsec_doi;
    situation identity_only;


#       my_identifier fqdn "192.168.8.95";
        # NOTE(review): an IP address is used as an fqdn-type identifier.  The
        # log's "couldn't find the proper pskey, try to get one by the peer's
        # address" suggests the peer's identity did not match a psk.txt entry;
        # confirm the identifier type the Cisco side expects (address vs fqdn)
        # and that psk.txt has an entry keyed by 195.80.190.60.
        my_identifier fqdn "217.67.31.61";

        lifetime time 24 hour ; # sec,min,hour

        initial_contact off ;
        # passive on: racoon only responds to the peer.  The log shows the
        # tunnel being started by hand with racoonctl vc -- confirm this is the
        # intended behaviour once the tunnel is meant to run unattended.
        passive on ;

        # phase 1 proposal (for ISAKMP SA)
        # Every value here must match the Cisco isakmp policy exactly
        # (encryption, hash, authentication, DH group, lifetime).
        # dh_group 2 is modp1024, as the startup log confirms.
        proposal {
                encryption_algorithm aes 256;
#               encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }

        # the configuration could make racoon (as a responder)
        # obey the initiator's lifetime and PFS group proposal,
        # by setting proposal_check to obey.
        # this would make testing "so much easier", but is really
        # *not* secure !!!
        # NOTE(review): the warning above applies; once the tunnel works,
        # tighten this to "strict" or "claim" so the peer cannot impose a
        # weaker lifetime or PFS group.
        proposal_check obey;
}

# Phase 2 (IPsec SA) parameters for traffic between the two /32 hosts.
# These must match the Cisco transform set and the crypto-map ACL.
#sainfo anonymous
sainfo (address 192.168.8.95/32 any address 192.168.7.95/32 any)
{
        # NOTE(review): pfs_group 5 (modp1536) differs from the phase 1
        # dh_group 2; confirm PFS with group 5 is enabled on the Cisco crypto
        # map, or drop pfs_group if the peer does not use PFS.
        pfs_group 5;
        lifetime time 28800 sec ;
        # NOTE(review): single DES is a weak 56-bit cipher and, given that the
        # ISAKMP SA came up but no IPsec traffic flows, a possible mismatch
        # with the Cisco transform set.  Use aes (or at least 3des) on both
        # sides -- TODO confirm against the peer's transform set.
       encryption_algorithm des;
        authentication_algorithm hmac_sha1 ;
        # deflate is only used when a policy requests IPComp -- presumably
        # harmless here; verify the peer does not reject the proposal.
        compression_algorithm deflate ;
}
setkey.conf

# Start from an empty SAD and SPD so the file can be reloaded safely.
flush;
spdflush;
# Inbound: traffic from the remote /32 to the local /32 must arrive inside an
# ESP tunnel from the Cisco public address to ours ("require": no cleartext
# fallback when the SA is missing).
spdadd 192.168.7.95/32 192.168.8.95/32 any -P in ipsec
esp/tunnel/195.80.190.60-217.67.31.61/require; # (or /require)
# Outbound: the mirror-image policy for the local /32 to the remote /32.
# NOTE(review): these tunnel-mode policies sit alongside a gif0 tunnel in
# rc.conf between the same public addresses; the interaction of gif
# encapsulation with tunnel-mode policies is easy to get wrong.  Confirm
# whether gif0 is needed at all -- a Cisco site-to-site peer normally expects
# plain tunnel-mode ESP matching its crypto-map ACL.  TODO verify.
spdadd 192.168.8.95/32 192.168.7.95/32 any -P out ipsec
esp/tunnel/217.67.31.61-195.80.190.60/require; #(or /require)

rc.conf
# gif0 carries the private /32 endpoints over the two public addresses.
# NOTE(review): the tunnel-mode ESP policies in setkey.conf already
# encapsulate between the same public addresses; confirm gif0 is actually
# needed for the Cisco peer (site-to-site Cisco setups usually use
# tunnel-mode ESP only).  TODO verify.
gif_interfaces="gif0"
gifconfig_gif0="217.67.31.61 195.80.190.60"
ifconfig_gif0="192.168.8.95 192.168.7.95 netmask 255.255.255.0 up"

# Load the SPD from setkey.conf at boot with the setkey installed from ports.
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
# Start racoon and log to its own file; keep that file readable by root only,
# since it records peer identities and negotiation details.
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"

ked spustim racoon s konfigurakom :

2010-10-04 12:35:56: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net) 2010-10-04 12:35:56: INFO: @(#)This product linked OpenSSL 1.0.0a 1 Jun 2010 (http://www.openssl.org/)
2010-10-04 12:35:56: INFO: Reading configuration from "racoon2.conf"
2010-10-04 12:35:56: INFO: remote 195.80.190.60[500] {
2010-10-04 12:35:56: INFO:      exchange_type aggressive;
2010-10-04 12:35:56: INFO:      doi ipsec_doi;
2010-10-04 12:35:56: INFO:      my_identifier fqdn "217.67.31.61";
2010-10-04 12:35:56: INFO:      send_cert on;
2010-10-04 12:35:56: INFO:      send_cr on;
2010-10-04 12:35:56: INFO:      verify_cert on;
2010-10-04 12:35:56: INFO:      verify_identifier off;
2010-10-04 12:35:56: INFO:      nat_traversal off;
2010-10-04 12:35:56: INFO:      nonce_size 16;
2010-10-04 12:35:56: INFO:      passive on;
2010-10-04 12:35:56: INFO:      ike_frag off;
2010-10-04 12:35:56: INFO:      esp_frag 65535;
2010-10-04 12:35:56: INFO:      initial_contact off;
2010-10-04 12:35:56: INFO:      generate_policy off;
2010-10-04 12:35:56: INFO:      support_proxy off;
2010-10-04 12:35:56: INFO:
2010-10-04 12:35:56: INFO: /* prop_no=1, trns_no=1, rmconf=195.80.190.60[500] */
2010-10-04 12:35:56: INFO:      proposal {
2010-10-04 12:35:56: INFO:              lifetime time 86400 sec;
2010-10-04 12:35:56: INFO:              lifetime bytes 0;
2010-10-04 12:35:56: INFO:              dh_group modp1024;
2010-10-04 12:35:56: INFO:              encryption_algorithm aes;
2010-10-04 12:35:56: INFO:              hash_algorithm sha1;
2010-10-04 12:35:56: INFO: authentication_method pre_shared_key;
2010-10-04 12:35:56: INFO:      }
2010-10-04 12:35:56: INFO: }
2010-10-04 12:35:56: INFO:
2010-10-04 12:35:56: INFO: 217.67.31.61[500] used as isakmp port (fd=6)
2010-10-04 12:35:56: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument

^ ten warning - neviem, ci je to daka zavazna vec.

pripojim VPN
racoonctl vc 195.80.190.60
2010-10-04 12:36:36: INFO: accept a request to establish IKE-SA: 195.80.190.60 2010-10-04 12:36:36: INFO: initiate new phase 1 negotiation: 217.67.31.61[500]<=>195.80.190.60[500]
2010-10-04 12:36:36: INFO: begin Aggressive mode.
2010-10-04 12:36:36: INFO: received Vendor ID: CISCO-UNITY
2010-10-04 12:36:36: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2010-10-04 12:36:36: INFO: received Vendor ID: DPD
2010-10-04 12:36:36: INFO: received broken Microsoft ID: FRAGMENTATION
2010-10-04 12:36:36: WARNING: port 500 expected, but 0
2010-10-04 12:36:36: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address. 2010-10-04 12:36:36: INFO: ISAKMP-SA established 217.67.31.61[500]-195.80.190.60[500] spi:c965effcc3c71c8d:b6707de2d30471a4

isakmp spojenie sa nadviazalo, ale ipsec kryptovanie nejde... a neviem preco

vidite tam niekto daku chybu, preco by to nemalo chodit?






--
------------------------------
S pozdravom
Robert Popelka (jimy)

mail    : [email protected]          
mob.    : +421 (0) 915 770 987
msn     : [email protected]
jabber  : [email protected]
icq     : 120614660
www     : http://www.kick.sk/

