racoon - problem z zestawieniem tunelu

R@dzio radzio w icpnet.pl
Wto, 10 Kwi 2007, 12:29:20 CEST


Użytkownik Andrzej Zawadzki napisał:

>[...]
>Wyślij racoon.conf to sobie popatrzymy ;-)
>Do wieczora.
>
>  
>
Siedze aktualnie w drugiej lokalicacji
stad smiga wszystko ok :)
Łącze jest szyfrowane nawet na sambe sie wbije po ip bramki 1 lokalizacji kt działa siobie tam na routerku 
zaczynam sie zastanawiać czy czasem nie przeszkadza mi router Linksysa kt. robi za acces pointa dla WiFi

wiem że trochę dziwnie ale rozwiązuje problem swicha  i accespointa  w jednym
do tej pory nie miałem problemu z takim rozwiazaniem 



Poni żej racoon .conf 

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" affects "include" directives.  "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
path include "@sysconfdir_x@/racoon";
#include "remote.conf";

# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/etc/racoon/psk.txt";

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "@sysconfdir_x@/cert";

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some padding parameters.  You should not touch these.
padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
	#isakmp ::1 [7000];
	#isakmp 202.249.11.124 [500];
	#admin [7002];		# administrative port for racoonctl.
	#strict_address; 	# requires that all addresses must be bound.
}

# Specify various default timers.
timer
{
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per send.

	# maximum time to wait for completing each phase.
	phase1 30 sec;
	phase2 15 sec;
}

remote anonymous
{
	exchange_mode main;
	doi ipsec_doi;
	situation identity_only;

	my_identifier address;
#	certificate_type x509 "my.cert.pem" "my.key.pem";
	lifetime time 2 min;
#	nonce_size 16;
	initial_contact on;
	proposal_check obey;	# obey, strict, or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

remote ::1 [8000]
{
	exchange_mode main;
	doi ipsec_doi;
	situation identity_only;

	my_identifier user_fqdn "sakane w kame.net";
	peers_identifier user_fqdn "sakane w kame.net";
	#certificate_type x509 "mycert" "mypriv";

	nonce_size 16;
	lifetime time 1 min;	# sec,min,hour

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo anonymous
{
	pfs_group 1;
	lifetime time 2 min;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
	pfs_group 2;
	lifetime time 30 sec;
	encryption_algorithm des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}

sainfo address ::1 icmp6 address ::1 icmp6
{
	pfs_group 3;
	lifetime time 60 sec;
	encryption_algorithm 3des, blowfish, aes;
	authentication_algorithm hmac_sha1, hmac_md5;
	compression_algorithm deflate;
}





Więcej informacji o liście dyskusyjnej pld-users-pl