 
 - RU.UNIX.BSD ------------------------------------------------------------------
 From : Andrew Lutov                         2:5000/26      23 Dec 2005  09:21:06
 To : Alexey Popov
 Subject : Re: IpSec (racoon) and WinXP
 -------------------------------------------------------------------------------- 
 
 Hello, Alexey!
 
  ??>> to new keys, one of the old keys (on the FreeBSD side, from WinXP)
  ??>> "gets stuck" and the channel stops working until the next key
  ??>> exchange (in this case the minimum is set: 300 seconds).
 
  AP> echo net.key.preferred_oldsa=0 >> /etc/sysctl.conf
 Actually it's net.key.prefered_oldsa  :)
 
 It didn't help  :(
 
 Here is how it looks at the moment of the switchover (the tcpdump output is at the bottom):
 
 # setkey -D
 8.1.5.201 8.1.5.181
         esp mode=transport spi=3342980830(0xc741d6de) reqid=0(0x00000000)
         E: 3des-cbc  62aa031f 4f31c3c8 f8c885fb a32f3d07 1280b834 ffb89bba
         A: hmac-sha1  5ac4ff47 6e409dce 2bf53304 9f901910 9b658b1a
         seq=0x00000046 replay=4 flags=0x00000000 state=mature
         created: Dec 23 08:15:26 2005   current: Dec 23 08:16:36 2005
         diff: 70(s)     hard: 300(s)    soft: 240(s)
         last: Dec 23 08:16:36 2005      hard: 0(s)      soft: 0(s)
         current: 76160(bytes)   hard: 0(bytes)  soft: 0(bytes)
         allocated: 70   hard: 0 soft: 0
         sadb_seq=2 pid=17393 refcnt=2
 8.1.5.181 8.1.5.201
 test# setkey -D
         E: 3des-cbc  a86320dd 839c965e f78d8a86 c38fbbfe e2bb00c3 55540774
         A: hmac-sha1  4ce2a4f8 5668db3f f7181c2e b46479fc 7c117af6
         seq=0x00000046 replay=4 flags=0x00000000 state=mature
         created: Dec 23 08:15:26 2005   current: Dec 23 08:16:36 2005
         diff: 70(s)     hard: 300(s)    soft: 240(s)
         last: Dec 23 08:16:36 2005      hard: 0(s)      soft: 0(s)
         current: 73640(bytes)   hard: 0(bytes)  soft: 0(bytes)
         allocated: 70   hard: 0 soft: 0
         sadb_seq=1 pid=17393 refcnt=1
 8.1.5.181 8.1.5.201
         esp mode=transport spi=166391361(0x09eaee41) reqid=0(0x00000000)
         E: 3des-cbc  51459d72 c0b4aad5 55f7635b 5b1a92f9 9510b79e f86049aa
         A: hmac-sha1  184d8137 6467ec69 d63baab1 1d82e9dc 64a442ed
         seq=0x000000e2 replay=4 flags=0x00000000 state=dying
         created: Dec 23 08:11:40 2005   current: Dec 23 08:16:36 2005
         diff: 296(s)    hard: 300(s)    soft: 240(s)
         last: Dec 23 08:15:26 2005      hard: 0(s)      soft: 0(s)
         current: 237752(bytes)  hard: 0(bytes)  soft: 0(bytes)
         allocated: 226  hard: 0 soft: 0
         sadb_seq=0 pid=17393 refcnt=1
 # setkey -D
 8.1.5.201 8.1.5.181
         esp mode=transport spi=3342980830(0xc741d6de) reqid=0(0x00000000)
         E: 3des-cbc  62aa031f 4f31c3c8 f8c885fb a32f3d07 1280b834 ffb89bba
         A: hmac-sha1  5ac4ff47 6e409dce 2bf53304 9f901910 9b658b1a
         seq=0x0000004a replay=4 flags=0x00000000 state=mature
         created: Dec 23 08:15:26 2005   current: Dec 23 08:16:41 2005
         diff: 75(s)     hard: 300(s)    soft: 240(s)
         last: Dec 23 08:16:40 2005      hard: 0(s)      soft: 0(s)
         current: 80512(bytes)   hard: 0(bytes)  soft: 0(bytes)
         allocated: 74   hard: 0 soft: 0
         sadb_seq=1 pid=17394 refcnt=2
 8.1.5.181 8.1.5.201
         esp mode=transport spi=46143897(0x02c01999) reqid=0(0x00000000)
         E: 3des-cbc  a86320dd 839c965e f78d8a86 c38fbbfe e2bb00c3 55540774
         A: hmac-sha1  4ce2a4f8 5668db3f f7181c2e b46479fc 7c117af6
         seq=0x0000004a replay=4 flags=0x00000000 state=mature
         created: Dec 23 08:15:26 2005   current: Dec 23 08:16:41 2005
         diff: 75(s)     hard: 300(s)    soft: 240(s)
         last: Dec 23 08:16:40 2005      hard: 0(s)      soft: 0(s)
         current: 77848(bytes)   hard: 0(bytes)  soft: 0(bytes)
         allocated: 74   hard: 0 soft: 0
         sadb_seq=0 pid=17394 refcnt=1
 And this is the tcpdump output:
 
 08:16:39.135161 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x49)
 08:16:39.135538 8.1.5.201 > 8.1.5.181: ESP(spi=0xc741d6de,seq=0x49)
 08:16:40.135229 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4a)
 08:16:40.135592 8.1.5.201 > 8.1.5.181: ESP(spi=0xc741d6de,seq=0x4a)
 08:16:41.135214 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4b)
 08:16:41.135421 8.1.5.201 > 8.1.5.181: icmp: echo reply
 08:16:46.572885 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4c)
 08:16:46.573082 8.1.5.201 > 8.1.5.181: icmp: echo reply
 08:16:52.072993 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4d)
 08:16:52.073188 8.1.5.201 > 8.1.5.181: icmp: echo reply
 08:16:57.573146 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4e)
 08:16:57.573339 8.1.5.201 > 8.1.5.181: icmp: echo reply
 
 -- 
 We'll hardly meet again
 --- ifmail v.2.14.os-p7
  * Origin: Garant-Siberia fidonet station (2:5000/26@fidonet)
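
 Added example (not part of the original post): a small Python check that reads tcpdump lines in the format shown above and reports packets sent in the clear between hosts that otherwise exchange ESP, which is the symptom visible in the capture from 08:16:41 onward. The function name find_cleartext and the idea of running it over saved tcpdump text are assumptions of this example; the sample lines are copied from the post's capture.

```python
import re

# Sample input: six lines copied from the tcpdump capture in the post.
SAMPLE = """\
08:16:40.135229 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4a)
08:16:40.135592 8.1.5.201 > 8.1.5.181: ESP(spi=0xc741d6de,seq=0x4a)
08:16:41.135214 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4b)
08:16:41.135421 8.1.5.201 > 8.1.5.181: icmp: echo reply
08:16:46.572885 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4c)
08:16:46.573082 8.1.5.201 > 8.1.5.181: icmp: echo reply
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>[^:\s]+): (?P<rest>.*)$")
ESP = re.compile(r"^ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")


def parse(capture):
    """Yield (ts, src, dst, payload, spi_or_None) for each recognised line."""
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            e = ESP.match(m["rest"])
            yield m["ts"], m["src"], m["dst"], m["rest"], e.group(1) if e else None


def find_cleartext(capture):
    """Report non-ESP packets between host pairs that also exchange ESP.

    Addresses printed with a port suffix (for example IKE on UDP 500) form a
    different key than the bare addresses of ESP packets and are not compared.
    """
    packets = list(parse(capture))
    # Pass 1: unordered host pairs that used ESP anywhere in the capture.
    esp_pairs = {frozenset((s, d)) for _, s, d, _, spi in packets if spi}
    # Pass 2: walk in order, remembering the last SPI seen per direction.
    last_spi, findings = {}, []
    for ts, src, dst, payload, spi in packets:
        if spi:
            last_spi[(src, dst)] = spi
        elif frozenset((src, dst)) in esp_pairs:
            findings.append({"time": ts, "src": src, "dst": dst,
                             "payload": payload,
                             "last_esp_spi": last_spi.get((src, dst))})
    return findings


if __name__ == "__main__":
    for f in find_cleartext(SAMPLE):
        print(f)
```

 Each finding names the direction that fell back to cleartext and the last SPI that direction used, which can be matched against the setkey -D entries for that time.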
 
 
