Hi all
I want to set up IPsec between a PIX 515 and FreeBSD 5.5; the configs are below.
OFFICE 1 LAN 172.16.100.6
WAN 10.0.7.6
OFFICE 2 LAN 172.16.101.7
WAN 10.0.7.13
PIX
access-list 102 permit ip 172.16.100.0 255.255.254.0 host 172.16.101.7
access-list 102 permit ip host 172.16.101.7 172.16.100.0 255.255.254.0
access-list 102 permit ip host 10.0.7.6 host 10.0.7.13
access-list 102 permit ip host 10.0.7.13 host 10.0.7.6
nat (inside) 0 access-list 102
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set to_diam esp-3des esp-md5-hmac
crypto map kt 10 ipsec-isakmp
crypto map kt 10 match address 102
crypto map kt 10 set peer 10.0.7.13
crypto map kt 10 set transform-set to_diam
crypto map kt interface dmz
isakmp enable dmz
isakmp key ******** address 10.0.7.13 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
FreeBSD
racoon (a fragment of it)
listen
{
	#isakmp ::1 [7000];
	isakmp 10.0.7.13 [500];
	#admin [7002];		# administrative port for racoonctl.
	#strict_address;	# requires that all addresses must be bound.
}
remote anonymous
{
	exchange_mode main;
	doi ipsec_doi;
	situation identity_only;
	#my_identifier asn1dn;
	#certificate_type x509 "my.cert.pem" "my.key.pem";
	nonce_size 16;
	initial_contact on;
	proposal_check obey;	# obey, strict, or claim
	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}
sainfo anonymous
{
	pfs_group 2;
	encryption_algorithm 3des,des,blowfish;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate;
}
tunnel.sh script
#!/bin/sh
BANKIP_IN="172.16.100.6"
BANKIP_OUT="10.0.7.6"
OTD5_IN="172.16.101.7"
OTD5_OUT="10.0.7.13"
GIF0="gif0 inet "
#GIFCONFIG="/usr/sbin/gifconfig"
IFCONFIG="/sbin/ifconfig"
NETMASK="255.255.254.0"
$IFCONFIG gif0 create
$IFCONFIG gif0 tunnel $OTD5_OUT $BANKIP_OUT
$IFCONFIG $GIF0 $OTD5_IN $BANKIP_IN netmask $NETMASK
---------------------------------
ipsec.conf
spdadd 10.0.7.13 10.0.7.6 any -P out ipsec esp/transport/10.0.7.13-10.0.7.6/require;
spdadd 10.0.7.6 10.0.7.13 any -P in ipsec esp/transport/10.0.7.6-10.0.7.13/require;
----------------------------------------------------
ipfw
00010 66 9276 allow ip from 10.0.7.6 to 10.0.7.13 via vr0
00015 98 11424 allow ip from 10.0.7.13 to 10.0.7.6 via vr0
00020 0 0 allow esp from 10.0.7.6 to 10.0.7.13
00025 0 0 allow esp from 10.0.7.13 to 10.0.7.6
00026 0 0 allow gre from any to any
00037 1347 81132 allow icmp from any to any
00045 0 0 allow ah from any to any
00046 0 0 allow ip from any to any via gif0
00050 5126 800312 allow ip from any to any via sk0
It gives the following error
on the FreeBSD side
ERROR: Expecting IP address type in main mode, but FQDN.
2007-02-20 15:45:16: ERROR: invalid ID payload.
ISAKMP (0): retransmitting phase 2 (5/5)... mess_id 0xd5c6a097
diamantpix#
crypto_isakmp_process_block:src:10.0.7.13, dest:10.0.7.6 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP: encryption 3DES-CBC
ISAKMP: auth pre-share
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.0.7.13, dest:10.0.7.6 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.0.7.13, dest:10.0.7.6 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 29
ISAKMP (0): Total payload length: 33
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Peer ip:10.0.7.13/500 Ref cnt incremented to:3 Total VPN Peers:1
crypto_isakmp_process_block:src:10.0.7.13, dest:10.0.7.6 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
PLEASE TELL ME WHERE I'M SCREWING UP....
THANKS
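An added example (my own code, not from the post, racoon or Cisco) that cross-checks the IKE phase-1 parameters on both ends of a PIX/racoon tunnel and scans the negotiation logs for the identity-type disagreement visible above: racoon in main mode expects an IP-address identity, while the PIX debug shows it authenticating with an ID_FQDN (hostname) identity. The sample config and log lines are copied from the post; the tables that map PIX and racoon spellings onto one common vocabulary are an assumption of this example.

```python
"""Cross-check IKE phase-1 settings between a PIX 'isakmp policy' block and a
racoon 'remote' proposal, then scan negotiation logs for an identity-type
mismatch. Added example; vendor-name mapping tables are assumed."""
import re

# Sample input: the phase-1 lines from the PIX config in the post.
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# Sample input: the 'proposal' sub-block of racoon's 'remote anonymous' section.
RACOON_PROPOSAL = """\
proposal {
    encryption_algorithm 3des;
    hash_algorithm md5;
    authentication_method pre_shared_key;
    dh_group 2;
}
"""

# Sample input: log lines from both ends, as they appear in the post.
LOG_LINES = [
    "ERROR: Expecting IP address type in main mode, but FQDN.",
    "2007-02-20 15:45:16: ERROR: invalid ID payload.",
    "ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN",
]

# Assumed mapping of each side's keywords onto one common vocabulary.
PIX_KEYS = {"encryption": "enc", "hash": "hash", "authentication": "auth", "group": "dh"}
RACOON_KEYS = {"encryption_algorithm": "enc", "hash_algorithm": "hash",
               "authentication_method": "auth", "dh_group": "dh"}
VALUE_ALIASES = {"pre-share": "psk", "pre_shared_key": "psk", "sha": "sha1"}


def norm(value):
    """Lower-case a value and collapse vendor spellings (e.g. pre-share -> psk)."""
    return VALUE_ALIASES.get(value.lower(), value.lower())


def parse_pix_isakmp(text):
    """Return {policy_number: {enc, hash, auth, dh}} from 'isakmp policy' lines.
    'lifetime' is skipped: it is negotiated, not a matching attribute here."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)", text, re.M):
        num, key, value = m.groups()
        if key in PIX_KEYS:
            policies.setdefault(num, {})[PIX_KEYS[key]] = norm(value)
    return policies


def parse_racoon_proposal(text):
    """Return {enc, hash, auth, dh} from a racoon 'proposal { ... }' block.
    Only 'keyword value;' lines are read; braces and comments are ignored."""
    proposal = {}
    for m in re.finditer(r"^\s*(\w+)\s+([^;{}#]+);", text, re.M):
        key, value = m.groups()
        if key in RACOON_KEYS:
            proposal[RACOON_KEYS[key]] = norm(value.strip())
    return proposal


def phase1_mismatches(policies, proposal):
    """For each PIX policy, list attributes that differ from racoon's proposal
    as {attr: (pix_value, racoon_value)}; an empty dict means a full match."""
    return {num: {k: (pol.get(k), proposal.get(k))
                  for k in ("enc", "hash", "auth", "dh")
                  if pol.get(k) != proposal.get(k)}
            for num, pol in policies.items()}


def scan_id_type(lines):
    """Flag the identity-type disagreement: racoon wants an address ID in main
    mode while the peer authenticates with an FQDN (hostname) identity."""
    findings = []
    for line in lines:
        if "Expecting IP address type" in line and "FQDN" in line:
            findings.append("racoon: peer sent FQDN identity, address expected")
        if "id type ID_FQDN" in line:
            findings.append("pix: local identity is sent as FQDN (hostname)")
    return findings


if __name__ == "__main__":
    pol = parse_pix_isakmp(PIX_CONFIG)
    prop = parse_racoon_proposal(RACOON_PROPOSAL)
    print("phase-1 mismatches:", phase1_mismatches(pol, prop))
    print("identity findings:", scan_id_type(LOG_LINES))
```

Run against the post's own input, the phase-1 proposals (3DES, MD5, pre-shared key, DH group 2) match on both sides, which agrees with the PIX debug line "atts are acceptable"; what the log scan surfaces instead is that the two ends disagree on the identity type, which is where main mode stops before phase 2 can start.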