A question for those who have configured IPsec on FreeBSD.
There are two hosts on the same LAN: 10.75.99.166 and 10.75.99.167. Both run FreeBSD 4.10 and ipsec-tools 0.6.6. The latter, however, is not the native one from the ports collection but was built from source (the package was taken from sourceforge.net). The firewall is not configured (it passes all inbound and outbound traffic).
I am unsuccessfully trying to set up the simplest transport mode connection. On both machines I start racoon: /usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log
Then the scripts:
#!/bin/sh
skeycmd="/usr/sbin/setkey"
$skeycmd -FP
$skeycmd -F
$skeycmd -c << EOF
spdadd 10.75.99.167/32 10.75.99.166/32 any -P out ipsec esp/transport//require;
spdadd 10.75.99.166/32 10.75.99.167/32 any -P in ipsec esp/transport//require;
EOF
and
#!/bin/sh
skeycmd="/usr/sbin/setkey"
$skeycmd -FP
$skeycmd -F
$skeycmd -c << EOF
spdadd 10.75.99.166/32 10.75.99.167/32 any -P out ipsec esp/transport//require;
spdadd 10.75.99.167/32 10.75.99.166/32 any -P in ipsec esp/transport//require;
EOF
on the 1st and 2nd machines respectively.
racoon.log on the 1st machine (10.75.99.167) shows:
2006-07-20 09:45:00: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-07-20 09:45:00: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2006-07-20 09:45:00: INFO: 127.0.0.1[500] used as isakmp port (fd=5)
2006-07-20 09:45:00: INFO: fe80::1%lo0[500] used as isakmp port (fd=6)
2006-07-20 09:45:00: INFO: ::1[500] used as isakmp port (fd=7)
2006-07-20 09:45:00: INFO: 10.75.99.167[500] used as isakmp port (fd=
2006-07-20 09:45:00: INFO: fe80::230:84ff:fe0f:e5dd%rl0[500] used as isakmp port (fd=9)
THE NEXT LINE APPEARS AFTER THE SPD ENTRIES ARE ADDED (WITH setkey spdadd), AND THE REST AFTER AN ATTEMPT TO PING THE SECOND HOST (10.75.99.166)
2006-07-20 09:52:47: INFO: unsupported PF_KEY message REGISTER
2006-07-20 09:54:27: INFO: IPsec-SA request for 10.75.99.166 queued due to no phase1 found.
2006-07-20 09:54:27: INFO: initiate new phase 1 negotiation: 10.75.99.167[500]<=>10.75.99.166[500]
2006-07-20 09:54:27: INFO: begin Identity Protection mode.
2006-07-20 09:54:58: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.166[0]->10.75.99.167[0]
2006-07-20 09:54:58: INFO: delete phase 2 handler.
2006-07-20 09:55:00: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2006-07-20 09:55:28: ERROR: phase1 negotiation failed due to time up. 6abcce46ebc8ea55:0000000000000000
2006-07-20 09:55:32: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.166[0]->10.75.99.167[0]
2006-07-20 09:55:32: INFO: delete phase 2 handler.
racoon.log on the 2nd machine (10.75.99.166):
2006-07-20 09:52:01: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2006-07-20 09:52:01: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2006-07-20 09:52:01: INFO: 127.0.0.1[500] used as isakmp port (fd=5)
2006-07-20 09:52:01: INFO: fe80::1%lo0[500] used as isakmp port (fd=6)
2006-07-20 09:52:01: INFO: ::1[500] used as isakmp port (fd=7)
2006-07-20 09:52:01: INFO: 192.168.0.1[500] used as isakmp port (fd=
2006-07-20 09:52:01: INFO: fe80::230:4fff:fe08:4f85%rl1[500] used as isakmp port (fd=9)
2006-07-20 09:52:01: INFO: 10.75.99.166[500] used as isakmp port (fd=10)
2006-07-20 09:52:01: INFO: fe80::202:44ff:fe8b:4ed3%rl0[500] used as isakmp port (fd=11)
2006-07-20 09:52:58: INFO: unsupported PF_KEY message REGISTER
2006-07-20 09:56:22: INFO: respond new phase 1 negotiation: 10.75.99.166[500]<=>10.75.99.167[500]
2006-07-20 09:56:22: INFO: begin Identity Protection mode.
2006-07-20 09:56:22: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2006-07-20 09:56:32: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:42: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:52: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:53: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.167[0]->10.75.99.166[0]
2006-07-20 09:56:53: INFO: delete phase 2 handler.
2006-07-20 09:57:03: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:57:12: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2006-07-20 09:57:13: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:57:22: ERROR: phase1 negotiation failed due to time up. 6abcce46ebc8ea55:4babaf5d82e8cf88
2006-07-20 09:57:43: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.167[0]->10.75.99.166[0]
2006-07-20 09:57:43: INFO: delete phase 2 handler.
For racoon.conf I use the one from the samples:
# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $
# "path" affects "include" directives. "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "/usr/local/v6/etc" ;
#include "remote.conf" ;
# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/openssl/certs" ;
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;
remote anonymous
{
	#exchange_mode main,aggressive,base;
	exchange_mode main,base;
	#my_identifier fqdn "server.kame.net";
	#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;
	lifetime time 24 hour ; # sec,min,hour
	#initial_contact off ;
	#passive on ;
	# phase 1 proposal (for ISAKMP SA)
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}
	# the configuration makes racoon (as a responder) to obey the
	# initiator's lifetime and PFS group proposal.
	# this makes testing so much easier.
	proposal_check obey;
}
# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use)
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
	pfs_group 2;
	lifetime time 12 hour ;
	encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}
psk.txt on the 1st machine (10.75.99.167):
10.75.99.166 Secretkey123
psk.txt on the 2nd:
10.75.99.167 Secretkey123
Their permissions are 0600.
Thanks to everyone for the help.
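As an added diagnostic aid (not part of the original post or of ipsec-tools), the following Python analyser reads racoon 0.6.6 log entries of the kind shown above and reports which side of the phase 1 exchange stopped seeing the other. The sample logs are constructed from the post's message formats with placeholder ISAKMP cookies; entries must be one per line (unwrap any 80-column breaks first).

```python
import re

# Constructed samples in the racoon 0.6.6 log format; cookies are placeholders.
INITIATOR_LOG = """\
2006-07-20 09:54:27: INFO: initiate new phase 1 negotiation: 10.75.99.167[500]<=>10.75.99.166[500]
2006-07-20 09:54:58: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.75.99.166[0]->10.75.99.167[0]
2006-07-20 09:55:28: ERROR: phase1 negotiation failed due to time up. 0123456789abcdef:0000000000000000
"""
RESPONDER_LOG = """\
2006-07-20 09:56:22: INFO: respond new phase 1 negotiation: 10.75.99.166[500]<=>10.75.99.167[500]
2006-07-20 09:56:32: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:56:42: NOTIFY: the packet is retransmitted by 10.75.99.167[500].
2006-07-20 09:57:22: ERROR: phase1 negotiation failed due to time up. 0123456789abcdef:fedcba9876543210
"""

LINE_RE = re.compile(r"^\S+ \S+: (INFO|NOTIFY|ERROR): (.*)$")
PHASE1_RE = re.compile(r"(initiate|respond) new phase 1 negotiation: \S+?\[\d+\]<=>(\S+?)\[\d+\]")
RETRANS_RE = re.compile(r"the packet is retransmitted by (\S+?)\[\d+\]")
P1_TIMEOUT_RE = re.compile(r"phase1 negotiation failed due to time up\. ([0-9a-f]{16}):([0-9a-f]{16})")

def analyze_racoon_log(text):
    """Summarise one host's racoon log: role, peer, retransmissions and timeouts."""
    s = {"role": None, "peer": None, "retransmits": 0,
         "phase1_timeouts": 0, "phase2_timeouts": 0, "reply_seen": None}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines and other non-entries
        msg = m.group(2)
        if (p := PHASE1_RE.search(msg)):
            s["role"] = "initiator" if p.group(1) == "initiate" else "responder"
            s["peer"] = p.group(2)
        elif RETRANS_RE.search(msg):
            s["retransmits"] += 1
        elif (t := P1_TIMEOUT_RE.search(msg)):
            s["phase1_timeouts"] += 1
            # racoon prints i_cookie:r_cookie; an all-zero responder cookie
            # means this initiator never received the responder's first reply.
            s["reply_seen"] = t.group(2) != "0" * 16
        elif "phase2 negotiation failed due to time up" in msg:
            s["phase2_timeouts"] += 1
    return s

def diagnose(s):
    if s["phase1_timeouts"] == 0:
        return "no phase 1 timeout recorded"
    if s["role"] == "initiator" and s["reply_seen"] is False:
        return "no ISAKMP reply from %s ever arrived: check the UDP/500 return path" % s["peer"]
    if s["role"] == "responder" and s["retransmits"]:
        return "%s keeps resending its first message: our reply is not reaching it" % s["peer"]
    return "phase 1 timed out after an exchange started; compare proposals and PSKs"
```

Run `diagnose(analyze_racoon_log(open("/var/log/racoon.log").read()))` on each host and compare the two statements; on the initiator's own log, a zero responder cookie pairs with retransmission notices on the responder.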