The OpenNET Project / Index page


Original message
"OpenSWAN vs WinXP client"
Posted by ambient_sky, 10-Apr-07 14:53
Hello gurus!
Thanks in advance to everyone for the help!
Cry from the heart: HEEEEEEEEEEEELP!!!!!
Situation:

Client (XP, roadwarrior with dynamic IP) ------- FW/NAT ---------- VPN (Trustix 3.0.5/Linux lion-gw 2.6.19.7-1tr-TuxFire /OpenSWAN 2.4.5-2tr)

Authentication is done with certificates (OpenSSL, http://www.natecarlson.com/linux/ipsec-x509.php#clientopenswan). The CA certificate and the client's pkcs12 certificate are installed on the client.

When trying to connect, the logs show the errors below and the client does not connect.

Apr 10 11:41:05 lion-gw ipsec__plutorun: Starting Pluto subsystem...
Apr 10 11:41:05 lion-gw pluto[17898]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEnMCu\177xOp@c)
Apr 10 11:41:05 lion-gw pluto[17898]: Setting NAT-Traversal port-4500 floating to on
Apr 10 11:41:05 lion-gw pluto[17898]:    port floating activation criteria nat_t=1/port_fload=1
Apr 10 11:41:05 lion-gw pluto[17898]:   including NAT-Traversal patch (Version 0.6c)
Apr 10 11:41:05 lion-gw pluto[17898]: 1 bad entries in virtual_private - none loaded
Apr 10 11:41:05 lion-gw pluto[17898]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 10 11:41:05 lion-gw pluto[17898]: starting up 1 cryptographic helpers
Apr 10 11:41:05 lion-gw pluto[17898]: started helper pid=17899 (fd:6)
Apr 10 11:41:05 lion-gw pluto[17898]: Using Linux 2.6 IPsec interface code on 2.6.19.7-1tr-TuxFire
Apr 10 11:41:05 lion-gw pluto[17898]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 10 11:41:05 lion-gw pluto[17898]:   loaded CA cert file 'cacert.pem' (1464 bytes)
Apr 10 11:41:05 lion-gw pluto[17898]: Changing to directory '/etc/ipsec.d/aacerts'
Apr 10 11:41:05 lion-gw pluto[17898]: Changing to directory '/etc/ipsec.d/ocspcerts'
Apr 10 11:41:05 lion-gw pluto[17898]: Changing to directory '/etc/ipsec.d/crls'
Apr 10 11:41:05 lion-gw pluto[17898]:   loaded crl file 'crl.pem' (568 bytes)
Apr 10 11:41:05 lion-gw pluto[17898]: listening for IKE messages
Apr 10 11:41:05 lion-gw pluto[17898]: adding interface eth1/eth1 217.172.151.26:500
Apr 10 11:41:05 lion-gw pluto[17898]: adding interface eth1/eth1 217.172.151.26:4500
Apr 10 11:41:05 lion-gw pluto[17898]: adding interface eth0:1/eth0:1 217.172.149.158:500
Apr 10 11:41:06 lion-gw pluto[17898]: adding interface eth0:1/eth0:1 217.172.149.158:4500
Apr 10 11:41:06 lion-gw pluto[17898]: adding interface eth0/eth0 10.0.0.55:500
Apr 10 11:41:06 lion-gw pluto[17898]: adding interface eth0/eth0 10.0.0.55:4500
Apr 10 11:41:06 lion-gw pluto[17898]: adding interface lo/lo 127.0.0.1:500
Apr 10 11:41:06 lion-gw pluto[17898]: adding interface lo/lo 127.0.0.1:4500
Apr 10 11:41:06 lion-gw pluto[17898]: loading secrets from "/etc/ipsec.secrets"
Apr 10 11:41:06 lion-gw pluto[17898]:   loaded private key file '/etc/ipsec.d/private/gw.lion.key' (1743 bytes)
Apr 10 11:41:13 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 10 11:41:13 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 10 11:41:13 lion-gw pluto[17898]: packet from 213.160.183.147:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Apr 10 11:41:13 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 10 11:41:13 lion-gw pluto[17898]: packet from 213.160.183.147:500: initial Main Mode message received on 217.172.151.26:500 but no connection has been authorized
Apr 10 11:41:14 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 10 11:41:14 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 10 11:41:14 lion-gw pluto[17898]: packet from 213.160.183.147:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Apr 10 11:41:14 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 10 11:41:14 lion-gw pluto[17898]: packet from 213.160.183.147:500: initial Main Mode message received on 217.172.151.26:500 but no connection has been authorized
Apr 10 11:41:16 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 10 11:41:16 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 10 11:41:16 lion-gw pluto[17898]: packet from 213.160.183.147:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Apr 10 11:41:16 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 10 11:41:16 lion-gw pluto[17898]: packet from 213.160.183.147:500: initial Main Mode message received on 217.172.151.26:500 but no connection has been authorized
Apr 10 11:41:17 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Delete SA payload: not encrypted
Apr 10 11:41:17 lion-gw pluto[17898]: packet from 213.160.183.147:500: received and ignored informational message
Apr 10 11:47:53 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 10 11:47:53 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 10 11:47:53 lion-gw pluto[17898]: packet from 213.160.183.147:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Apr 10 11:47:53 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 10 11:47:53 lion-gw pluto[17898]: packet from 213.160.183.147:500: initial Main Mode message received on 217.172.151.26:500 but no connection has been authorized
Apr 10 11:47:54 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 10 11:47:54 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 10 11:47:54 lion-gw pluto[17898]: packet from 213.160.183.147:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Apr 10 11:47:54 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 10 11:47:54 lion-gw pluto[17898]: packet from 213.160.183.147:500: initial Main Mode message received on 217.172.151.26:500 but no connection has been authorized
Apr 10 11:47:56 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 10 11:47:56 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 10 11:47:56 lion-gw pluto[17898]: packet from 213.160.183.147:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Apr 10 11:47:56 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 10 11:47:56 lion-gw pluto[17898]: packet from 213.160.183.147:500: initial Main Mode message received on 217.172.151.26:500 but no connection has been authorized
Apr 10 11:47:58 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Delete SA payload: not encrypted
Apr 10 11:47:58 lion-gw pluto[17898]: packet from 213.160.183.147:500: received and ignored informational message
=====================================

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # interfaces= and overridemtu= are KLIPS-only settings; this host runs
        # NETKEY ("Using Linux 2.6 IPsec interface code" in the log), so both are ignored
        interfaces="ipsec0=eth1"
        overridemtu=1410
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # The third entry was written as "%4:172.16.0.0/12" (missing the "v").
        # pluto drops the whole list on one bad entry ("1 bad entries in
        # virtual_private - none loaded" in the log), after which the
        # rightsubnet=vhost:%priv below has nothing to match a NATed client against.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Add connections here

# (the "%" keywords below were mangled by KOI8-R decoding in the original post)
conn rw-test
        type=tunnel
        #leftrsasigkey=%cert
        #rightrsasigkey=%cert
        left=%defaultgw
        right=%any
        auto=none

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert


conn roadwarrior-l2tp
        pfs=no
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        pfs=no
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior
        type=tunnel
        auth=esp
        left=x.x.151.26
        leftsubnet=10.0.0.0/24
        leftcert=gw.lion.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        rightcert=%any
        pfs=yes
        # was auto=start: pluto cannot initiate to right=%any, so a roadwarrior
        # conn is only loaded (add) and waits for the client to come in
        auto=add


# sample VPN connection
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

=====================================
ifconfig:
eth0      Link encap:Ethernet  HWaddr 00:E0:4C:03:A7:90
          inet addr:10.0.0.55  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9167220 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9578455 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2438773899 (2325.7 Mb)  TX bytes:1680683297 (1602.8 Mb)
          Interrupt:18 Base address:0x4c00

eth1      Link encap:Ethernet  HWaddr 00:17:31:91:FD:2D
          inet addr:x.x.151.26  Bcast:217.172.151.27  Mask:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10553616 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9999378 errors:0 dropped:0 overruns:0 carrier:0
          collisions:27409 txqueuelen:1000
          RX bytes:1365485331 (1302.2 Mb)  TX bytes:2467187465 (2352.8 Mb)
          Interrupt:19 Base address:0x6800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:178083 errors:0 dropped:0 overruns:0 frame:0
          TX packets:178083 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:20858181 (19.8 Mb)  TX bytes:20858181 (19.8 Mb)

====================================
route:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
212.65.244.134  10.0.0.57       255.255.255.255 UGH   0      0        0 eth0
194.149.124.60  10.0.0.57       255.255.255.255 UGH   0      0        0 eth0
195.70.150.41   10.0.0.57       255.255.255.255 UGH   0      0        0 eth0
217.172.151.24  0.0.0.0         255.255.255.252 U     0      0        0 eth1
217.172.149.152 0.0.0.0         255.255.255.248 U     0      0        0 eth0
217.172.149.152 0.0.0.0         255.255.255.248 U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         217.172.151.25  0.0.0.0         UG    0      0        0 eth1

=====================================
iptables:
 pkts bytes target     prot opt in     out     source               destination
   50 13928 ACCEPT     udp  --  eth1   *       0.0.0.0/0            217.172.151.26      udp dpt:500
    0     0 ACCEPT     esp  --  eth1   *       0.0.0.0/0            217.172.151.26
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            217.172.151.26      udp dpt:4500
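A triage script for pluto logs of this kind, added here as an example; it is not from the post, not part of Openswan, and not from the guide the post links. It assumes the Openswan 2.4 syslog line shape seen above (`<ts> <host> pluto[<pid>]: [packet from <ip>:<port>: ]<message>`) and that a successfully loaded conn is announced with an "added connection description" line; the embedded sample is a constructed subset of the lines quoted in the post. It also validates a `virtual_private=` value the way the "bad entries" message implies pluto does, so the `%4:` typo in the posted config is caught before restarting the daemon.

```python
"""Triage helper for Openswan 2.4 'pluto' syslog output and for the
virtual_private= setting in ipsec.conf.

Added example, not code from the OpenNET post, from Openswan or from the
natecarlson guide. Assumptions: the 2.4-era syslog line shape
  '<ts> <host> pluto[<pid>]: [packet from <ip>:<port>: ]<message>'
and that a loaded conn is logged as 'added connection description'.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the lines quoted in the post.
SAMPLE_LOG = """\
Apr 10 11:41:05 lion-gw ipsec__plutorun: Starting Pluto subsystem...
Apr 10 11:41:05 lion-gw pluto[17898]: Setting NAT-Traversal port-4500 floating to on
Apr 10 11:41:05 lion-gw pluto[17898]: 1 bad entries in virtual_private - none loaded
Apr 10 11:41:05 lion-gw pluto[17898]:   loaded CA cert file 'cacert.pem' (1464 bytes)
Apr 10 11:41:06 lion-gw pluto[17898]:   loaded private key file '/etc/ipsec.d/private/gw.lion.key' (1743 bytes)
Apr 10 11:41:13 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 10 11:41:13 lion-gw pluto[17898]: packet from 213.160.183.147:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Apr 10 11:41:13 lion-gw pluto[17898]: packet from 213.160.183.147:500: initial Main Mode message received on 217.172.151.26:500 but no connection has been authorized
Apr 10 11:41:17 lion-gw pluto[17898]: packet from 213.160.183.147:500: ignoring Delete SA payload: not encrypted
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: "
    r"(?:packet from (?P<peer>[\d.]+):(?P<port>\d+): )?(?P<msg>.*)$"
)
VENDOR_RE = re.compile(r"Vendor ID payload \[([^\]]+)\]")
VP_ENTRY_RE = re.compile(r"^%v(?P<fam>[46]):!?(?P<net>.+)$")


def parse_pluto_line(line):
    """Split one syslog line into fields; None for lines not written by pluto."""
    m = LINE_RE.match(line.rstrip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["msg"] = rec["msg"].strip()
    return rec


def check_virtual_private(value):
    """Return the entries pluto would reject in a virtual_private= value.
    Accepted shape: %v4:net/len or %v6:net/len, optionally with '!' to exclude.
    (Host bits set inside the prefix are not checked here.)"""
    bad = []
    for entry in (e.strip() for e in value.split(",")):
        m = VP_ENTRY_RE.match(entry)
        try:
            ok = m is not None and ipaddress.ip_network(
                m.group("net"), strict=False).version == int(m.group("fam"))
        except ValueError:
            ok = False
        if not ok:
            bad.append(entry)
    return bad


def triage(log_text):
    """Return (findings, peers): findings is a list of (code, detail) in the
    order found; peers maps IP -> counters plus the Vendor IDs it announced."""
    findings = []
    peers = defaultdict(lambda: {"vendor_ids": [], "unauthorized": 0, "aborted": 0})
    conn_added = False
    for raw in log_text.splitlines():
        rec = parse_pluto_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        m = re.match(r"(\d+) bad entries in virtual_private", msg)
        if m:
            findings.append(("VIRTUAL_PRIVATE_BAD",
                             f"{m.group(1)} malformed virtual_private entr(y/ies); pluto loaded "
                             "none, so rightsubnet=vhost:%priv cannot match any NATed client"))
        if msg.startswith("added connection description"):
            conn_added = True
        if rec["peer"]:
            p = peers[rec["peer"]]
            v = VENDOR_RE.search(msg)
            if v:
                p["vendor_ids"].append(v.group(1))
            if "no connection has been authorized" in msg:
                p["unauthorized"] += 1
            if "Delete SA payload: not encrypted" in msg:
                p["aborted"] += 1
    for ip, p in peers.items():
        if p["unauthorized"]:
            detail = f"{ip}: {p['unauthorized']} Main Mode attempt(s) matched no loaded conn"
            if any(v.startswith("MS NT5 ISAKMPOAKLEY") for v in p["vendor_ids"]):
                detail += "; peer is a Windows IKE client"
            if any("nat-t-ike-02" in v for v in p["vendor_ids"]):
                detail += "; peer offers NAT-T draft-02 (nat_traversal=yes and UDP/4500 needed)"
            findings.append(("NO_CONN_AUTHORIZED", detail))
        if p["aborted"]:
            findings.append(("PEER_GAVE_UP",
                             f"{ip}: sent an unencrypted Delete SA {p['aborted']}x, "
                             "i.e. abandoned the half-open exchange"))
    if not conn_added and any(c == "NO_CONN_AUTHORIZED" for c, _ in findings):
        findings.append(("NO_CONN_LOADED",
                         "no 'added connection description' line at all: run 'ipsec auto --add "
                         "<conn>' by hand; a right=%any conn belongs with auto=add, since pluto "
                         "cannot initiate to %any"))
    return findings, dict(peers)


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG)[0]:
        print(f"{code}: {detail}")
    print("bad virtual_private entries:",
          check_virtual_private("%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12"))
```

Run it against `/var/log/secure` (or wherever pluto logs) after each config change; a clean startup should yield no `VIRTUAL_PRIVATE_BAD` and at least one "added connection description" line before the first Windows client packet arrives.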

 
