 - RU.UNIX.BSD ------------------------------------------------------------------
 From : Alexey Vlasov                        2:5020/400     17 Aug 2007  15:41:53
 To : All
 Subject : FreeBSD, Win2k3, IPSec/transport
 -------------------------------------------------------------------------------- 
 
 Hi friends.
 
 I tried to set up traffic encryption between Windows and FreeBSD here;
 it works, but somehow only halfway.
 
 FreeBSD 6.2, ipsec-tools-0.6.7: 111.111.111.2
 Windows 2003: 111.111.111.1
 
 Configs:
 # cat /etc/ipsec.conf
 # outbound policy: FreeBSD -> Windows, ESP in transport mode, mandatory
 spdadd 111.111.111.2 111.111.111.1 any -P out ipsec
 esp/transport//require;
 # inbound policy: Windows -> FreeBSD, ESP in transport mode, mandatory
 spdadd 111.111.111.1 111.111.111.2 any -P in ipsec
 esp/transport//require;
 
 # cat /usr/local/etc/racoon/racoon.conf
 path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
 log notify;
 
 padding
 {
     maximum_length 20;
     randomize off;
     strict_check off;
     exclusive_tail off;
 }
 
 timer
 {
     counter 5; # maximum trying count to send.
     interval 20 sec; # maximum interval to resend.
     persend 1; # the number of packets per a send.
     phase1 30 sec;
     phase2 15 sec;
 }
 
 remote anonymous
 {
     # exchange_mode aggressive,main;
     exchange_mode main, base;
     doi ipsec_doi;
     situation identity_only;
     nonce_size 16;
     lifetime time 1 min; # sec, min, hour
     initial_contact on;
     support_proxy on;
     proposal_check obey; # obey, strict or claim
 
     proposal {
         encryption_algorithm 3des;
         hash_algorithm sha1;
         authentication_method pre_shared_key ;
         dh_group 2 ;
     }
 }
 sainfo anonymous
 {
     pfs_group 1;
     lifetime time 36000 sec;
     encryption_algorithm 3des,des,cast128,blowfish ;
     authentication_algorithm hmac_sha1,hmac_md5;
     compression_algorithm deflate ;
 }
 
 /usr/local/etc/racoon]# ls -l
 -rw-------   1 root  wheel     98 Aug 17 08:18 psk.txt
 
 I start racoon and ping from FreeBSD:
 # ping 111.111.111.1
 PING 111.111.111.1 (111.111.111.1): 56 data bytes
 ^C
 --- 111.111.111.1 ping statistics ---
 5 packets transmitted, 0 packets received, 100% packet loss
 
 In the log:
 2007-08-17 12:44:16: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
 2007-08-17 12:44:16: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
 2007-08-17 12:44:16: INFO: 111.111.111.2[500] used as isakmp port (fd=5)
 2007-08-17 12:44:21: INFO: IPsec-SA request for 111.111.111.1 queued due to no phase1 found.
 2007-08-17 12:44:21: INFO: initiate new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
 2007-08-17 12:44:21: INFO: begin Identity Protection mode.
 2007-08-17 12:44:21: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
 2007-08-17 12:44:21: INFO: received Vendor ID: FRAGMENTATION
 2007-08-17 12:44:21: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
 2007-08-17 12:44:21: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
 2007-08-17 12:44:22: INFO: initiate new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
 2007-08-17 12:44:22: ERROR: unknown notify message, no phase2 handle found.
 2007-08-17 12:44:38: ERROR: 111.111.111.1 give up to get IPsec-SA due to time up to wait.
 2007-08-17 12:45:21: INFO: ISAKMP-SA expired 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
 2007-08-17 12:45:21: ERROR: unknown Informational exchange received.
 2007-08-17 12:45:22: INFO: ISAKMP-SA deleted 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
 
 I restart racoon and start pinging from Windows:
 C:\Documents and Settings>ping 111.111.111.2
 
 Pinging 111.111.111.2 with 32 bytes of data:
 
 Negotiating IP Security.
 Reply from 111.111.111.2: bytes=32 time<1ms TTL=63
 Reply from 111.111.111.2: bytes=32 time<1ms TTL=63
 
 Log:
 2007-08-17 12:10:18: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
 2007-08-17 12:10:18: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
 2007-08-17 12:10:18: INFO: 111.111.111.2[500] used as isakmp port (fd=5)
 
 2007-08-17 12:29:16: INFO: respond new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
 2007-08-17 12:29:16: INFO: begin Identity Protection mode.
 2007-08-17 12:29:16: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
 2007-08-17 12:29:16: INFO: received Vendor ID: FRAGMENTATION
 2007-08-17 12:29:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
 
 2007-08-17 12:29:16: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:ceb3ba2040683da6:f80fc5ab1e3d931e
 2007-08-17 12:29:16: INFO: respond new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
 2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.1[0]->111.111.111.2[0] spi=36304726(0x229f756)
 2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.2[0]->111.111.111.1[0] spi=3194585143(0xbe698037)
 
 And after that it pings fine from FreeBSD too.
 
 Is there something I haven't tuned in the configs?
 
 --
 BRGDS. Alesha.
 
 --- ifmail v.2.15dev5.4
  * Origin: http://groups.google.com (2:5020/400)
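Added example, not part of the post and not ipsec-tools code: a small checker for the algorithm and lifetime choices in a racoon.conf like the one posted. It reads the `{ }` sections and `;`-terminated statements, then flags single DES and HMAC-MD5 in the sainfo proposal lists, the 768-bit (pfs_group 1) and 1024-bit (dh_group 2) MODP groups, the one-minute phase 1 lifetime (the first log shows the ISAKMP SA expiring exactly 60 s after it was established), and `proposal_check obey`. The config text is a trimmed copy of the posted file; the severity labels and the MODP sizes per group number are my own annotations, and nothing here explains why the FreeBSD-initiated phase 2 failed.

```python
from typing import List, Tuple

# Constructed sample: the racoon.conf quoted in the post, trimmed to the
# sections the checks look at. Not the poster's actual file.
SAMPLE_CONF = """\
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log notify;

remote anonymous
{
    exchange_mode main, base;
    lifetime time 1 min; # sec, min, hour
    proposal_check obey; # obey, strict or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}
sainfo anonymous
{
    pfs_group 1;
    lifetime time 36000 sec;
    encryption_algorithm 3des,des,cast128,blowfish ;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate ;
}
"""

Statement = Tuple[str, str, List[str]]  # (section path, keyword, arguments)


def parse_racoon_conf(text: str) -> List[Statement]:
    """Minimal racoon.conf reader: '#' comments, '{ }' sections, ';'-terminated
    statements. Comma-separated lists are split into individual arguments."""
    stmts: List[Statement] = []
    stack: List[str] = []
    buf = ""
    for line in text.splitlines():
        for ch in line.split("#", 1)[0] + " ":  # naive: no '#' inside quotes
            if ch == "{":
                stack.append(buf.strip())
                buf = ""
            elif ch == "}":
                stack.pop()
                buf = ""
            elif ch == ";":
                parts = buf.split()
                if parts:
                    args = [a for p in parts[1:] for a in p.split(",") if a]
                    stmts.append((" / ".join(stack), parts[0], args))
                buf = ""
            else:
                buf += ch
    return stmts


_UNITS = {"sec": 1, "min": 60, "hour": 3600}
# racoon dh_group / pfs_group numbers -> MODP modulus size (my own table)
_GROUP_BITS = {"1": 768, "2": 1024, "5": 1536, "14": 2048}


def lint_racoon_conf(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, section, message) findings for weak or surprising settings."""
    findings = []
    for section, kw, args in parse_racoon_conf(text):
        if kw == "encryption_algorithm":
            if "des" in args:
                findings.append(("HIGH", section, "single DES offered in encryption_algorithm"))
            if "3des" in args:
                findings.append(("LOW", section, "3DES is a 64-bit block cipher; prefer AES"))
        elif kw in ("authentication_algorithm", "hash_algorithm") and any(a.endswith("md5") for a in args):
            findings.append(("MEDIUM", section, f"MD5 offered in {kw}"))
        elif kw in ("dh_group", "pfs_group") and args:
            bits = _GROUP_BITS.get(args[0])
            if bits is not None and bits < 2048:
                sev = "HIGH" if bits < 1024 else "MEDIUM"
                findings.append((sev, section, f"{kw} {args[0]} is MODP-{bits}"))
        elif kw == "lifetime" and len(args) == 3 and args[0] == "time" and section.startswith("remote"):
            seconds = int(args[1]) * _UNITS.get(args[2], 1)
            if seconds < 300:
                findings.append(("INFO", section, f"phase 1 lifetime is only {seconds} s"))
        elif kw == "proposal_check" and args == ["obey"]:
            findings.append(("INFO", section,
                             "proposal_check obey: as responder, racoon accepts the initiator's proposal and lifetime"))
    return findings


if __name__ == "__main__":
    for sev, section, msg in lint_racoon_conf(SAMPLE_CONF):
        print(f"{sev:6} [{section}] {msg}")
```

Run it against a real file with `lint_racoon_conf(open("/usr/local/etc/racoon/racoon.conf").read())`; the parser ignores everything it does not recognise, so unrelated sections pass through silently.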
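Added example, not part of the post: a triage script for racoon logs of the shape shown above. It reduces each run to who initiated phase 1, whether the ISAKMP SA came up and how long it lived, whether phase 2 was attempted, and whether a matched pair of ESP SAs (one per direction, as transport mode needs) was installed; the FreeBSD-initiated run classifies as `phase2-failed` and the Windows-initiated run as `ipsec-sa-ok`. The sample logs are the post's two logs with wrapped lines re-joined; the regexes are written against the ipsec-tools 0.6.7 message text seen here and are an assumption for other versions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample input: the two racoon 0.6.7 runs quoted in the post, with
# the wrapped log lines re-joined. Not the original log files.
INITIATOR_LOG = """\
2007-08-17 12:44:16: INFO: 111.111.111.2[500] used as isakmp port (fd=5)
2007-08-17 12:44:21: INFO: IPsec-SA request for 111.111.111.1 queued due to no phase1 found.
2007-08-17 12:44:21: INFO: initiate new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:44:21: INFO: begin Identity Protection mode.
2007-08-17 12:44:21: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2007-08-17 12:44:21: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:44:22: INFO: initiate new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:44:22: ERROR: unknown notify message, no phase2 handle found.
2007-08-17 12:44:38: ERROR: 111.111.111.1 give up to get IPsec-SA due to time up to wait.
2007-08-17 12:45:21: INFO: ISAKMP-SA expired 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
2007-08-17 12:45:21: ERROR: unknown Informational exchange received.
2007-08-17 12:45:22: INFO: ISAKMP-SA deleted 111.111.111.2[500]-111.111.111.1[500] spi:94372eb384516aef:bccacea73409cfc6
"""

RESPONDER_LOG = """\
2007-08-17 12:29:16: INFO: respond new phase 1 negotiation: 111.111.111.2[500]<=>111.111.111.1[500]
2007-08-17 12:29:16: INFO: begin Identity Protection mode.
2007-08-17 12:29:16: INFO: ISAKMP-SA established 111.111.111.2[500]-111.111.111.1[500] spi:ceb3ba2040683da6:f80fc5ab1e3d931e
2007-08-17 12:29:16: INFO: respond new phase 2 negotiation: 111.111.111.2[0]<=>111.111.111.1[0]
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.1[0]->111.111.111.2[0] spi=36304726(0x229f756)
2007-08-17 12:29:16: INFO: IPsec-SA established: ESP/Transport 111.111.111.2[0]->111.111.111.1[0] spi=3194585143(0xbe698037)
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?P<level>[A-Z]+): (?P<msg>.*)$")
PHASE_RE = re.compile(r"(?P<role>initiate|respond) new phase (?P<phase>[12]) negotiation")
ISAKMP_RE = re.compile(r"ISAKMP-SA (?P<event>established|expired|deleted) \S+ spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)")
IPSEC_RE = re.compile(r"IPsec-SA established: (?P<proto>\S+) (?P<src>\S+)->(?P<dst>\S+) spi=(?P<spi>\d+)\(")


@dataclass
class IkeSummary:
    role: Optional[str] = None            # who started phase 1: "initiator" / "responder"
    phase1_spi: Optional[str] = None      # ISAKMP cookie pair
    phase1_state: str = "none"            # none / established / expired / deleted (last event seen)
    phase1_established_at: Optional[datetime] = None
    phase1_expired_at: Optional[datetime] = None
    phase2_attempted: bool = False
    ipsec_sas: List[Tuple[str, str, str, int]] = field(default_factory=list)  # (proto, src, dst, spi)
    errors: List[str] = field(default_factory=list)

    @property
    def phase1_lifetime_s(self) -> Optional[int]:
        """Observed ISAKMP-SA lifetime in seconds, if the SA was seen to expire."""
        if self.phase1_established_at and self.phase1_expired_at:
            return int((self.phase1_expired_at - self.phase1_established_at).total_seconds())
        return None

    @property
    def verdict(self) -> str:
        dirs = {(src, dst) for _, src, dst, _ in self.ipsec_sas}
        # transport-mode ESP needs an SA in each direction; check that they pair up
        if dirs and all((dst, src) in dirs for src, dst in dirs):
            return "ipsec-sa-ok"
        if dirs:
            return "ipsec-sa-one-way"
        if self.phase1_state == "none":
            return "phase1-failed"
        return "phase2-failed" if self.phase2_attempted else "phase2-not-attempted"


def parse_racoon_log(text: str) -> IkeSummary:
    """Reduce a racoon log to the IKE phase 1 / phase 2 outcome for one peer."""
    s = IkeSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        level, msg = m.group("level"), m.group("msg")
        if level == "ERROR":
            s.errors.append(msg)
            continue
        if pm := PHASE_RE.search(msg):
            if pm.group("phase") == "1":
                s.role = "initiator" if pm.group("role") == "initiate" else "responder"
            else:
                s.phase2_attempted = True
        elif im := ISAKMP_RE.search(msg):
            s.phase1_spi, s.phase1_state = im.group("spi"), im.group("event")
            if im.group("event") == "established":
                s.phase1_established_at = ts
            elif im.group("event") == "expired":
                s.phase1_expired_at = ts
        elif sm := IPSEC_RE.search(msg):
            s.ipsec_sas.append((sm.group("proto"), sm.group("src"), sm.group("dst"), int(sm.group("spi"))))
    return s


if __name__ == "__main__":
    for name, log in (("FreeBSD initiates", INITIATOR_LOG), ("Windows initiates", RESPONDER_LOG)):
        r = parse_racoon_log(log)
        print(f"{name}: role={r.role} phase1={r.phase1_state} lifetime={r.phase1_lifetime_s}s "
              f"ipsec_sas={len(r.ipsec_sas)} verdict={r.verdict} errors={len(r.errors)}")
```

Point it at a live daemon with `parse_racoon_log(open("/var/log/racoon.log").read())`; a log covering several peers would need the summaries keyed by the peer address in the phase 1 line, which this single-peer version deliberately leaves out.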
 