[linux] IPSec Linux<-->Vigor2700
Mike
mike at spinet.sk
Tuesday March 27 11:22:17 CEST 2007
Hello,
I'm trying to set up a tunnel between two networks; on one side there is Linux,
on the other only an ADSL router, a Draytek Vigor 2700. I found in the list
archive that some of you had an IPSec tunnel working to this router, but
there were no details. Can anyone help me with the configuration?
I'm not using certificates, only PSK. Unfortunately I suspect the catch is on
the Vigor side, but its documentation is pretty bad.
Current state of the config files on Linux, with which the ciphers and hash
algorithms are agreed on:
racoon.conf:
remote x.x.x.x
{
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
}
sainfo address 10.1.1.0/24 any address 192.168.90.0/24 any {
        lifetime time 3600sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
        pfs_group 1;
}
setkey.conf:
#!/sbin/setkey -f
flush;
spdflush;
spdadd 10.1.1.0/24 192.168.90.0/24 any -P out ipsec
        esp/tunnel/y.y.y.y-x.x.x.x/require;
spdadd 192.168.90.0/24 10.1.1.0/24 any -P in ipsec
        esp/tunnel/x.x.x.x-y.y.y.y/require;
racoon -F -v prints the following output (apart from the initial messages):
INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
INFO: begin Identity Protection mode.
INFO: received Vendor ID: DPD
WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
INFO: ISAKMP-SA established y.y.y.y[500]-x.x.x.x[500] spi:00fbc99a964f43c2:b7e1bd14fbd6176a
INFO: initiate new phase 2 negotiation: y.y.y.y[0]<=>x.x.x.x[0]
INFO: IPsec-SA expired: ESP/Tunnel x.x.x.x->y.y.y.y spi=32255224(0x1ec2cf8)
WARNING: the expire message is received but the handler has not been established.
ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.
---
Mike
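Added example, not part of the original post: a small checker that reads the racoon -F -v output quoted above and reports how far the IKE exchange got (phase 1 established, phase 2 timed out) together with what to compare next. The message patterns are assumed from racoon's log wording; the sample log is the post's own output, with the addresses masked as in the post.

```python
import re

# Sample racoon -F -v output, copied from the post above (addresses masked there).
SAMPLE_LOG = """\
INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
INFO: begin Identity Protection mode.
INFO: received Vendor ID: DPD
WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
INFO: ISAKMP-SA established y.y.y.y[500]-x.x.x.x[500] spi:00fbc99a964f43c2:b7e1bd14fbd6176a
INFO: initiate new phase 2 negotiation: y.y.y.y[0]<=>x.x.x.x[0]
INFO: IPsec-SA expired: ESP/Tunnel x.x.x.x->y.y.y.y spi=32255224(0x1ec2cf8)
WARNING: the expire message is received but the handler has not been established.
ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.
"""

# Log wording assumed from racoon; the first four and the last two appear in the post.
PATTERNS = {
    "p1_start": re.compile(r"initiate new phase 1 negotiation"),
    "p1_ok":    re.compile(r"ISAKMP-SA established"),
    "p2_start": re.compile(r"initiate new phase 2 negotiation"),
    "p2_ok":    re.compile(r"IPsec-SA established: ESP/Tunnel"),
    "p2_fail":  re.compile(r"give up to get IPsec-SA"),
    "orphan":   re.compile(r"expire message is received but the handler has not been established"),
}

def diagnose(log_text):
    """Count the key racoon messages and turn them into a per-phase verdict plus hints."""
    seen = {key: 0 for key in PATTERNS}
    for line in log_text.splitlines():
        for key, pat in PATTERNS.items():
            if pat.search(line):
                seen[key] += 1
    phase1 = ("established" if seen["p1_ok"] else
              "not established" if seen["p1_start"] else "not started")
    phase2 = ("established" if seen["p2_ok"] else
              "timed out" if seen["p2_fail"] else
              "pending" if seen["p2_start"] else "not started")
    hints = []
    if phase1 == "established" and phase2 == "timed out":
        # IKE SA came up, so PSK/DH/cipher/hash match; the peer never answered quick mode.
        hints.append("phase 1 matches; compare the sainfo proposal (ESP 3des, hmac_sha1/md5, "
                     "PFS group 1, lifetime) and both subnets with the router's LAN-to-LAN profile")
    if seen["orphan"]:
        # The kernel expired an SA this racoon run did not negotiate (e.g. a leftover entry).
        hints.append("an SA unknown to this racoon run expired in the kernel; dump the SAD "
                     "with 'setkey -D' to see what is installed")
    return {"phase1": phase1, "phase2": phase2, "hints": hints, "counts": seen}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```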