grishamisha
Newbie

Hello. Task: set up a tunnel from a Cisco to CentOS using a pre-shared key (pre_shared_key).

Diagram:
192.168.0.0/24 br0 - GW-01 - eth0 21.22.23.24 --[ IPSEC ]-- 95.46.1.2 - GW-02 - 10.2.2.0/24

Gateway GW-01: external IP 21.22.23.24, LAN IP 192.168.0.5, CentOS
Gateway GW-02: external IP 95.46.1.2, LAN IP 10.2.2.4, Cisco (WRVS440N)

GW-01:

/etc/sysconfig/network-scripts/ifcfg-ipsec0
Code:
    ifcfg-ipsec0
    TYPE=IPSEC
    ONBOOT=yes
    IKE_METHOD=PSK
    SRCGW=192.168.0.5
    DSTGW=10.2.2.4
    SRCNET=192.168.0.0/24
    DSTGW=10.2.2.0/24
    DST=95.46.1.2

/etc/sysconfig/network-scripts/keys-ipsec0
Code:

/etc/racoon/racoon.conf
Code:
    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";
    log debug2;
    listen {
        isakmp 21.22.23.24 [500];
        strict_address;
    }
    sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
    }

/etc/racoon/psk.txt
Code:

/etc/racoon/setkey.conf
Code:
    flush;
    spdflush;
    spdadd 192.168.0.0/24 10.2.2.0/24 any -P out ipsec esp/tunnel/21.22.23.24-95.46.1.2/require;
    spdadd 10.2.2.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/95.46.1.2-21.22.23.24/require;

GW-02:

Tunnel name: ipsec0
IP address: 95.46.1.2
Local Security Group Type: subnet
  IP address: 10.2.2.4
  Subnet mask: 255.255.255.0
Remote Group Setup
  IP address: 21.22.23.24
  IP address: 192.168.0.5
  Subnet mask: 255.255.255.0
IPsec Setup
  Keying Mode: IKE with Preshared Key
  Phase 1: Encryption: 3DES, Authentication: SHA1, Group: 1024bit, Key Lifetime: 28800 sec
  Phase 2: Encryption: 3DES, Authentication: MD5, Group: 1024bit, Key Lifetime: 3600 sec
  Preshared Key: 123456, Perfect Forward Secrecy: Enable

Route:
    /sbin/route add -net 10.2.2.0 netmask 255.255.255.0 br0

I start racoon on GW-01; /var/log/messages shows:

    GW-01 racoon: ERROR: racoon: MLS support is not enabled.
    GW-01 racoon: INFO: 21.22.23.24[500] used as isakmp port (fd=9)
    GW-01 racoon: INFO: 21.22.23.24[500] used for NAT-T
    GW-01 racoon: INFO: unsupported PF_KEY message REGISTER
    GW-01 racoon: INFO: respond new phase 1 negotiation: 21.22.23.24[500]<=>95.46.1.2[500]
    GW-01 racoon: INFO: begin Identity Protection mode.
    GW-01 racoon: INFO: received Vendor ID: DPD
    GW-01 racoon: INFO: received Vendor ID: RFC 3947
    GW-01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    GW-01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    GW-01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00

I click "Connect" on GW-02:

    GW-01 racoon: INFO: ISAKMP-SA established 21.22.23.24[500]-95.46.1.2[500] spi:e5785a33a4ab8cd0:ff4cff7394ca78f9
    GW-01 racoon: INFO: respond new phase 2 negotiation: 21.22.23.24[500]<=>95.46.1.2[500]
    GW-01 racoon: ERROR: no policy found: 10.2.2.0/24[0] 192.168.0.0/24[0] proto=any dir=in
    GW-01 racoon: ERROR: failed to get proposal for responder.
    GW-01 racoon: ERROR: failed to pre-process packet.

/usr/sbin/tcpdump -i eth0 -n host 95.46.1.2

    IP 95.46.1.2.isakmp > 21.22.23.24.isakmp: isakmp: phase 1 I ident
    IP 21.22.23.24.isakmp > 95.46.1.2.isakmp: isakmp: phase 1 R ident
    IP 21.22.23.24.isakmp > 95.46.1.2.isakmp: isakmp: phase 2/others R inf[E]
    IP 95.46.1.2.isakmp > 21.22.23.24.isakmp: isakmp: phase 2/others I oakley-quick[E]
    IP 95.46.1.2.isakmp > 21.22.23.24.isakmp: isakmp: phase 2/others I oakley-quick[E]
    IP 95.46.1.2.isakmp > 21.22.23.24.isakmp: isakmp: phase 2/others I oakley-quick[E]

How do I fix these errors?
Section 1.7 of Chapter VIII of the Terms of Use /ShriEkeR/ | Total posts: 10 | Registered: 14-12-2010 | Posted: 10:23 07-04-2011 | Edited: ShriEkeR, 08:10 08-04-2011
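The phase 2 failure in the post is racoon reporting that the kernel security policy database (SPD), which it reads over PF_KEY, has no entry covering the selector the Cisco proposed (10.2.2.0/24 to 192.168.0.0/24, inbound). A quick way to narrow that down is to check whether the spdadd lines in setkey.conf would even cover that selector, and whether every out policy has a mirrored in policy. The script below is an added example, not code from the post or from the racoon/ipsec-tools project; it parses the post's setkey.conf and the quoted "no policy found" log line (both embedded as constructed sample input) and reports coverage. The regexes cover only the spdadd form used in the post (esp or ah, tunnel or transport, one level keyword); anything else is ignored.

```python
"""Check whether a setkey.conf SPD would cover a racoon "no policy found" request.

Added example, not from the forum post. It parses the spdadd lines of a
setkey.conf and a racoon error line, then reports whether the file's policies
cover the selector racoon was asked to negotiate and whether out/in pairs match.
"""
import ipaddress
import re

# Constructed sample input: the setkey.conf and the racoon error quoted in the post.
SETKEY_CONF = """\
flush;
spdflush;
spdadd 192.168.0.0/24 10.2.2.0/24 any -P out ipsec esp/tunnel/21.22.23.24-95.46.1.2/require;
spdadd 10.2.2.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/95.46.1.2-21.22.23.24/require;
"""

RACOON_ERROR = ("GW-01 racoon: ERROR: no policy found: "
                "10.2.2.0/24[0] 192.168.0.0/24[0] proto=any dir=in")

# spdadd <src> <dst> <proto> -P <dir> ipsec <esp|ah>/<mode>[/<tsrc>-<tdst>]/<level>;
SPDADD_RE = re.compile(
    r"^\s*spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?P<ipproto>esp|ah)/(?P<mode>tunnel|transport)"
    r"(?:/(?P<tsrc>[^-/]+)-(?P<tdst>[^/]+))?/(?P<level>\w+)\s*;")

# racoon: "no policy found: <src>[port] <dst>[port] proto=<p> dir=<in|out>"
NO_POLICY_RE = re.compile(
    r"no policy found: (?P<src>\S+?)\[\d+\] (?P<dst>\S+?)\[\d+\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>in|out)")


def parse_spd(conf_text):
    """Return the spdadd entries of a setkey.conf as a list of dicts."""
    policies = []
    for line in conf_text.splitlines():
        m = SPDADD_RE.match(line)
        if m:
            p = m.groupdict()
            p["src"] = ipaddress.ip_network(p["src"], strict=False)
            p["dst"] = ipaddress.ip_network(p["dst"], strict=False)
            policies.append(p)
    return policies


def parse_no_policy(log_line):
    """Extract the selector racoon could not find a policy for, or None."""
    m = NO_POLICY_RE.search(log_line)
    if not m:
        return None
    req = m.groupdict()
    req["src"] = ipaddress.ip_network(req["src"], strict=False)
    req["dst"] = ipaddress.ip_network(req["dst"], strict=False)
    return req


def _proto_matches(policy_proto, req_proto):
    return "any" in (policy_proto, req_proto) or policy_proto == req_proto


def find_policy(policies, req):
    """Return the first SPD entry whose selector covers the request, or None."""
    for p in policies:
        if (p["dir"] == req["dir"]
                and req["src"].subnet_of(p["src"])
                and req["dst"].subnet_of(p["dst"])
                and _proto_matches(p["proto"], req["proto"])):
            return p
    return None


def unmirrored_policies(policies):
    """Return out-policies with no in-policy that swaps selectors and tunnel endpoints."""
    missing = []
    for p in policies:
        if p["dir"] != "out":
            continue
        mirrored = any(
            q["dir"] == "in" and q["src"] == p["dst"] and q["dst"] == p["src"]
            and q["tsrc"] == p["tdst"] and q["tdst"] == p["tsrc"]
            for q in policies)
        if not mirrored:
            missing.append(p)
    return missing


def diagnose(conf_text, log_line):
    """Summarise file coverage of the racoon request and out/in symmetry."""
    policies = parse_spd(conf_text)
    req = parse_no_policy(log_line)
    covered = (find_policy(policies, req) is not None) if req else None
    return {"policies": len(policies),
            "covered_by_file": covered,
            "unmirrored": len(unmirrored_policies(policies))}


if __name__ == "__main__":
    print(diagnose(SETKEY_CONF, RACOON_ERROR))
```

Run over the post's own setkey.conf, covered_by_file comes back True: the file does describe the inbound 10.2.2.0/24 to 192.168.0.0/24 policy, so the next thing to establish is whether that file was actually loaded into the kernel. Comparing its spdadd lines with the live SPD as printed by `setkey -D -P` on the gateway answers that; a mismatch there, rather than the racoon configuration, is what this particular error message points at.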