Доброго времени суток!Ситуация такая что по ИПСеку с помощью Ракуна завязывается два ФриБСД.
Конфиги идентичны, с такими же конфигами работают другие сервера.
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug2;
# "padding" defines some padding parameters. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
#isakmp ::1 [7000];
#isakmp 192.168.1.24 [500];
#admin [7002]; # administrative port for racoonctl.
#strict_address; # requires that all addresses must be bound.
isakmp хх.хх.хх.хх[500];
}
# Specify various default timers.
timer
{
# These value can be changed per remote node.
counter 10; # maximum trying count to send.
interval 50 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# maximum time to wait for completing each phase.
phase1 50 sec;
phase2 30 sec;
}
remote уу.уу.уу.уу[500]
{
exchange_mode main,base;
doi ipsec_doi;
situation identity_only;
lifetime time 30 min;
support_mip6 on;
nonce_size 256;
support_mip6 on;
initial_contact on;
proposal_check obey; # obey, strict, or claim
proposal {
encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address 192.168.0.0/24 any address 192.168.60.0/24 any
{
pfs_group 1;
lifetime time 30 min;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
remote уу.уу.уу.уу[500]
{
exchange_mode main,base;
doi ipsec_doi;
situation identity_only;
lifetime time 30 min;
support_mip6 on;
nonce_size 256;
support_mip6 on;
initial_contact on;
proposal_check obey; # obey, strict, or claim
proposal {
encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo address 192.168.0.0/24 any address 192.168.63.0/24 any
{
pfs_group 1;
lifetime time 30 min;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
Филе psk.txt тоже идентичны.
yy.yy.yy.yy passsword
ipsec.conf на серверах зеркальны.
flush;
spdflush;
spdadd 192.168.64.0/24 192.168.60.0/24 any -P out ipsec esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/require;
spdadd 192.168.60.0/24 192.168.64.0/24 any -P in ipsec esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/require;
spdadd 192.168.64.0/24 192.168.63.0/24 any -P out ipsec esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/require;
spdadd 192.168.63.0/24 192.168.64.0/24 any -P in ipsec esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/require;
в рк.конф гиф поднят.
gifconfig_gif0="192.168.46.71 192.168.41.34"
ifconfig_gif0="inet 192.168.64.5 192.168.60.1 netmask 255.255.255.0"
Но, не давно поднимая сервер появилась какая то ошибка, про которую в инете не смог найти инфу, может спецы знают что это такое и подскажут как ее побороть.
В логах показывает следующее:
Oct 4 04:12:11 racoon: DEBUG: hmac(hmac_sha1)
Oct 4 04:12:11 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=633): 0.000045
Oct 4 04:12:11 racoon: DEBUG: hmac(hmac_sha1)
Oct 4 04:12:11 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=633): 0.000042
Oct 4 04:12:11 racoon: DEBUG: cf39cc7b 0baea584 f1d5243b 763f7064 c68d18f3 0cf82224 9e2b9ece c1d4f480 aa8469d1 379cda54 f2cb9c27 43ec364a c45f2a9e 44afb4
Oct 4 04:12:11 racoon: DEBUG: KEYMAT compute with
Oct 4 04:12:11 racoon: DEBUG: 044e5584 9cd8db28 316b8e42 e490750a 7d782b8c 281fdea8 471ce1a7 c2674cfd b38f715f 580c7436 57a10bb9 feee94f4 0050ba0c a167f3
Oct 4 04:12:11 racoon: DEBUG: hmac(hmac_sha1)
Oct 4 04:12:11 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=613): 0.000065
Oct 4 04:12:11 racoon: DEBUG: encryption(blowfish)
Oct 4 04:12:11 racoon: DEBUG: hmac(hmac_sha1)
Oct 4 04:12:11 racoon: DEBUG: encklen=128 authklen=160
Oct 4 04:12:11 racoon: DEBUG: generating 480 bits of key (dupkeymat=3)
Oct 4 04:12:11 racoon: DEBUG: generating K1...K3 for KEYMAT.
Oct 4 04:12:11 racoon: DEBUG: hmac(hmac_sha1)
Oct 4 04:12:11 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=633): 0.000047
Oct 4 04:12:11 racoon: DEBUG: hmac(hmac_sha1)
Oct 4 04:12:11 racoon: alg_oakley_hmacdef_one(hmac_sha1 size=633): 0.000043
Oct 4 04:12:11 racoon: DEBUG: 58efdef9 0cc54229 f3ae7495 589403e1 28bf816c 1975c6bb bd62558f e83b7727 fbbea385 0071f5fb e2d36e07 2d757ff9 f71214b4 53ced0
Oct 4 04:12:11 racoon: DEBUG: KEYMAT computed.
Oct 4 04:12:11 racoon: DEBUG: call pk_sendupdate
Oct 4 04:12:11 racoon: DEBUG: encryption(blowfish)
Oct 4 04:12:11 racoon: DEBUG: hmac(hmac_sha1)
Oct 4 04:12:11 racoon: DEBUG: call pfkey_send_update
Oct 4 04:12:11 racoon: DEBUG: pfkey update sent.
Oct 4 04:12:11 racoon: DEBUG: encryption(blowfish)_sha1 size=613): 0.000065
Oct 4 04:12:11 racoon: DEBUG: hmac(hmac_sha1)fish)
Oct 4 04:12:11 racoon: DEBUG: call pfkey_send_add
Oct 4 04:12:11 racoon: DEBUG: pfkey add sent.hklen=160
Oct 4 04:12:11 racoon: phase2(???): 0.018168 bits of key (dupkeymat=3)
Oct 4 04:12:11 racoon: DEBUG: get pfkey UPDATE messageEYMAT.
Oct 4 04:12:11 racoon: DEBUG2: 02020203 1b000000 c8c572a0 b3030000 02000100 076dc32c 04000307 00000000 02001300 00000000 00000000 00000000 03000500 ff200
Oct 4 04:12:11 racoon: ERROR: pfkey UPDATE failed: No such file or directory
Oct 4 04:12:11 racoon: DEBUG: get pfkey ADD message
Oct 4 04:12:11 racoon: DEBUG2: 02030003 14000000 c8c572a0 b3030000 02000100 08399e1a 04000307 00000000 02001300 00000000 00000000 00000000 03000500 ff200
Oct 4 04:12:11 racoon: INFO: IPsec-SA established: ESP xx.xx.xx.xx[0]->yy.yy.yy.yy[0] spi=137993754(0x8399e1a)1f5fb e2d36e07 2d757ff9 f71214b4 53ced0
Oct 4 04:12:11 racoon: DEBUG: ===MAT computed.
Oct 4 04:12:40 racoon: ERROR: yy.yy.yy.yy give up to get IPsec-SA due to time up to wait.
Вроде все идет нормально, но соединение не устанавливается.
А ошибка уоторая мне нозит вот эта:
Oct 4 04:12:11 racoon: ERROR: pfkey UPDATE failed: No such file or directory
Заранее благодарен за любую помощь.
Да, еще забыл сказать на psk.txt и racoon.conf права и пользователь выставлены как надо.
