>Всем привет!
>Есть такая конфигурация: есть комп с freebsd 6.1 на ней два интерфейса
>один wifi в режиме точки доступа смотрит внутрь 192.168.1.1, другая сетевуха
>смотрит в сеть провайдера адрес по дцхп получает(192.168.201.x) к инету коннект
>через pptp vpn, также поднят нат чтоб с буком (192.168.1.11)по квартире
>ходить, теперь необходимо защитить wifi с помощью ipsec делал как в
>мануале тимоти хана ничего не получилось
>Вот конфиги:
>rc.conf
>
>gateway_enable="YES"
>inetd_enable="YES"
>keymap="ru.koi8-r"
>linux_enable="YES"
>sshd_enable="YES"
>usbd_enable="YES"
>#ipsec_enable="YES"
>#ipsec_file="/etc/ipsec.conf"
>ifconfig_fxp0="DHCP"
>hostname=",бла бла бла"
>firewall_enable="YES"
>firewall_type="OPEN"
>natd_enable="YES"
>natd_interface="tun0"
>natd_flags="-dynamic"
>
>правила при загрузке отключены я загружаю командой setkey -f /etc/ipsec.conf
>
>
>ipsec.conf
>flush;
> spdflush;
> spdadd 192.168.1.11 0.0.0.0/0 any
>-P in ipsec
> esp/tunnel/192.168.1.11-192.168.1.1/require;
> spdadd 0.0.0.0/0 192.168.1.11 any
>-P out ipsec
> esp/tunnel/192.168.1.1-192.168.1.11/require;
>
>
>
>racoon.conf
>
># $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
>
># "path" affects "include" directives. "path" must be specified before any
>
># "include" directive with relative file path.
># you can overwrite "path" directive afterwards, however, doing so may add
>
># more confusion.
>path include "/usr/local/etc/racoon";
>#include "remote.conf";
>
># the file should contain key ID/key pairs, for pre-shared key authentication.
>
>path pre_shared_key "/usr/local/etc/racoon/psk.txt";
>
># racoon will look for certificate file in the directory,
># if the certificate/certificate request payload is received.
>#path certificate "@sysconfdir_x@/cert";
>
># "log" specifies logging level. It is followed by either "notify",
>"debug"
># or "debug2".
>#log debug;
>
># "padding" defines some padding parameters. You should not touch these.
>
>padding
>{
> maximum_length 20;
> # maximum padding length.
> randomize off;
> # enable randomize length.
>
> strict_check off;
> # enable strict check.
> exclusive_tail off;
> # extract last one octet.
>}
>
># if no listen directive is specified, racoon will listen on all
>
># available interface addresses.
>listen
>{
> #isakmp ::1 [7000];
> isakmp 192.168.1.1 [500];
> #admin [7002];
> # administrative port for
>racoonctl.
> #strict_address;
> # requires that all addresses must be
>bound.
>}
>
># Specify various default timers.
>timer
>{
> # These value can
>be changed per remote node.
> counter 5;
>
># maximum trying count to send.
> interval 20 sec;
> # maximum interval to resend.
>
> persend 1;
>
># the number of packets per send.
>
> # maximum time to
>wait for completing each phase.
> phase1 30 sec;
> phase2 15 sec;
>}
>
>remote 192.168.1.11 [500]
>{
> exchange_mode main,aggressive;
> doi ipsec_doi;
> situation identity_only;
>
> lifetime time 3600 sec;
>
> nonce_size 16;
> initial_contact on;
> proposal_check obey;
> # obey, strict, or claim
>
> proposal {
>
> lifetime time 3600 sec;
>
> encryption_algorithm 3des;
>
> hash_algorithm md5;
>
> authentication_method pre_shared_key;
>
> dh_group 2;
> }
>}
>
>sainfo anonymous
>{
> lifetime time 3600 sec;
>
> pfs_group 2;
> encryption_algorithm 3des;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
>}
>
>
>psk.txt
>
># IPv4/v6 addresses
>192.168.1.11 sekretkeyfrase
>
>доступ у файла 600
>
>Политики ipsec для винды в точности как в выше указаной статье!
>ракун выводит слудующее
>
>ERROR: unknown informational exchange received.
>INFO: respond new phase 1 negotiation :192.168.1.1[500]<=>192.168.1.11[500]
>INFO: begin identity protection mode
>INFO: received broken microsoft ID: MS NT5 ISAKMPOAKLEY
>INFO: received vendor ID: FRAGMENTATION
>INFO: received vendor ID: draft-ietf-ipsec-nat-t-ike-02
>
>ERROR: phrase1 negotiation failed due to time up
>
>Если есть знающие люди подскажите что не так, может я какой то
>пакет не установил?????????
up
|
