openswan
Michal Lubecki
Michal at Lubecki.oswiecenia.NET
Sun, 20 Feb 2005, 22:59:01 CET
Hello pld-users-pl!
openswan-2.2.0-1
kernel-2.6.8-4
and unfortunately something isn't working... what am I doing wrong?
On the firewall I allowed everything everywhere.
/etc/ipsec.conf:
version 2.0

config setup
    interfaces="ipsec1=eth1 "
    nat_traversal="no"
    klipsdebug="all"
    plutodebug="all"
    rp_filter=0

conn mojVPN
    left=<ipdrugiejstrony>
    leftnexthop=
    leftsubnet=<drugapodsiec>/29
    right=<mojip>
    rightnexthop=<mojgateway>
    keyexchange=ike
    auth=esp
    esp=3des-md5-96
    authby=secret
    leftrsasigkey=%none
    pfs=yes
    keylife=3600s
    ikelifetime=14400s
    rekeymargin=300s
    auto=start
/etc/ipsec.secrets:
<mojip> <ipdrugiejstrony> : PSK "po_obu_stronach_to_samo"
The configuration on the other side is the same, only with left/right swapped.
My log:
Feb 20 22:37:59 serwerek pluto[14220]: | *received kernel message
Feb 20 22:37:59 serwerek pluto[14220]: | netlink_get: XFRM_MSG_ACQUIRE message
Feb 20 22:37:59 serwerek pluto[14220]: | add bare shunt 0x80eb748 <mojip>/32:0 -17-> <ipdrugiejstrony>/32:0 => %hold 0 %acquire-netlink
Feb 20 22:37:59 serwerek pluto[14220]: | initiate on demand from <mojip>:0 to <ipdrugiejstrony>:0 proto=0 state: fos_start because: acquire
Feb 20 22:37:59 serwerek pluto[14220]: | find_connection: looking for policy for connection: <mojip>:0/0 -> <ipdrugiejstrony>:0/0
Feb 20 22:37:59 serwerek pluto[14220]: | find_connection: conn "mojVPN" has compatible peers: <mojip>/32 -> 62.233.162.144/29 [pri: 15269901]
Feb 20 22:37:59 serwerek pluto[14220]: | find_connection: comparing best "mojVPN" [pri:15269901]{0x80e8c48} (child none) to "mojVPN" [pri:15269901]{0x80e8c48} (child none)
Feb 20 22:37:59 serwerek pluto[14220]: | find_connection: concluding with "mojVPN" [pri:15269901]{0x80e8c48} kind=CK_PERMANENT
Feb 20 22:37:59 serwerek pluto[14220]: | assign hold, routing was erouted HOLD, needs to be erouted HOLD
Feb 20 22:37:59 serwerek pluto[14220]: | delete narrow %hold eroute <mojip>/32:0 --0-> <ipdrugiejstrony>/32:0 => %hold (raw_eroute)
Feb 20 22:37:59 serwerek pluto[14220]: | delete bare shunt: null pointer
Feb 20 22:37:59 serwerek pluto[14220]: | Queuing pending Quick Mode with <ipdrugiejstrony> "mojVPN"
Feb 20 22:37:59 serwerek pluto[14220]: | next event EVENT_RETRANSMIT in 4 seconds for #1
Feb 20 22:38:03 serwerek pluto[14220]: |
Feb 20 22:38:03 serwerek pluto[14220]: | *time to handle event
Feb 20 22:38:03 serwerek pluto[14220]: | event after this is EVENT_RETRANSMIT in 15 seconds
Feb 20 22:38:03 serwerek pluto[14220]: | handling event EVENT_RETRANSMIT for <ipdrugiejstrony> "mojVPN" #1
Feb 20 22:38:03 serwerek pluto[14220]: | sending 176 bytes for EVENT_RETRANSMIT through eth1 to <ipdrugiejstrony>:500:
Feb 20 22:38:03 serwerek pluto[14220]: | ff 16 9f ea a4 2a 2d fc 00 00 00 00 00 00 00 00
Feb 20 22:38:03 serwerek pluto[14220]: | 01 10 02 00 00 00 00 00 00 00 00 b0 00 00 00 94
Feb 20 22:38:03 serwerek pluto[14220]: | 00 00 00 01 00 00 00 01 00 00 00 88 00 01 00 04
Feb 20 22:38:03 serwerek pluto[14220]: | 03 00 00 20 00 01 00 00 80 0b 00 01 80 0c 38 40
Feb 20 22:38:03 serwerek pluto[14220]: | 80 01 00 05 80 02 00 01 80 03 00 01 80 04 00 05
Feb 20 22:38:03 serwerek pluto[14220]: | 03 00 00 20 01 01 00 00 80 0b 00 01 80 0c 38 40
Feb 20 22:38:03 serwerek pluto[14220]: | 80 01 00 05 80 02 00 01 80 03 00 01 80 04 00 02
Feb 20 22:38:03 serwerek pluto[14220]: | 03 00 00 20 02 01 00 00 80 0b 00 01 80 0c 38 40
Feb 20 22:38:03 serwerek pluto[14220]: | 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 05
Feb 20 22:38:03 serwerek pluto[14220]: | 00 00 00 20 03 01 00 00 80 0b 00 01 80 0c 38 40
Feb 20 22:38:03 serwerek pluto[14220]: | 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 02
Feb 20 22:38:03 serwerek pluto[14220]: ERROR: "mojVPN" #1: sendto on eth1 to <ipdrugiejstrony>:500 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
Feb 20 22:38:03 serwerek pluto[14220]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1
Feb 20 22:38:03 serwerek pluto[14220]: | next event EVENT_RETRANSMIT in 15 seconds for #6
[root@serwerek etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.2.0/K2.6.8 (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: serwerek [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: <mojip>.in-addr.arpa. [MISSING]
[root@serwerek etc]# ipsec auto status
ipsec auto: warning: obsolete command syntax used
<snip: interfaces>
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,96} attrs={0,2,160}
000
000 "mojVPN": <mojip>---80.53.179.57...<ipdrugiejstrony>===62.233.162.144/29; erouted HOLD; eroute owner: #0
000 "mojVPN": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 300s; rekey_fuzz: 100%; keyingtries: 0
000 "mojVPN": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 29,32; interface: eth1;
000 "mojVPN": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "mojVPN": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "mojVPN": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "mojVPN": ESP algorithms wanted: 3_000-1, flags=-strict
000 "mojVPN": ESP algorithms loaded: 3_000-1, flags=-strict
000
000 #1: "mojVPN" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 8s
000 #1: pending Phase 2 for "mojVPN" replacing #0
000 #1: pending Phase 2 for "mojVPN" replacing #0
000 #1: pending Phase 2 for "mojVPN" replacing #0
000
000 <mojip>/32:0 -17-> <ipdrugiejstrony>/32:0 => %hold 0 %acquire-netlink
000 <mojip>/32:0 -17-> <ipdrugiejstrony>/32:0 => %hold 0 %acquire-netlink
--
Regards,
Michal mailto:Michal at Lubecki.oswiecenia.NET
More information about the pld-users-pl mailing list