> Hi all!
> Here is my setup: a box running FreeBSD 6.1 with two interfaces. One is Wi-Fi in access-point mode, facing inside at 192.168.1.1; the other NIC faces the provider's network and gets its address via DHCP (192.168.201.x), with the Internet connection going through a PPTP VPN. NAT is also set up so that I can roam around the flat with the laptop (192.168.1.11). Now I need to secure the Wi-Fi with IPsec. I did it as in Timothy Khan's howto, and nothing worked.
> Here are the configs:
>
> rc.conf
>
> gateway_enable="YES"
> inetd_enable="YES"
> keymap="ru.koi8-r"
> linux_enable="YES"
> sshd_enable="YES"
> usbd_enable="YES"
> #ipsec_enable="YES"
> #ipsec_file="/etc/ipsec.conf"
> ifconfig_fxp0="DHCP"
> hostname=",бла бла бла"
> firewall_enable="YES"
> firewall_type="OPEN"
> natd_enable="YES"
> natd_interface="tun0"
> natd_flags="-dynamic"
>
> The rules are disabled at boot; I load them by hand with setkey -f /etc/ipsec.conf
>
> ipsec.conf
>
> flush;
> spdflush;
> spdadd 192.168.1.11 0.0.0.0/0 any
>     -P in ipsec esp/tunnel/192.168.1.11-192.168.1.1/require;
> spdadd 0.0.0.0/0 192.168.1.11 any
>     -P out ipsec esp/tunnel/192.168.1.1-192.168.1.11/require;
>
> racoon.conf
>
> # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
>
> # "path" affects "include" directives. "path" must be specified before any
> # "include" directive with relative file path.
> # you can overwrite "path" directive afterwards, however, doing so may add
> # more confusion.
> path include "/usr/local/etc/racoon";
> #include "remote.conf";
>
> # the file should contain key ID/key pairs, for pre-shared key authentication.
> path pre_shared_key "/usr/local/etc/racoon/psk.txt";
>
> # racoon will look for certificate file in the directory,
> # if the certificate/certificate request payload is received.
> #path certificate "@sysconfdir_x@/cert";
>
> # "log" specifies logging level. It is followed by either "notify", "debug"
> # or "debug2".
> #log debug;
>
> # "padding" defines some padding parameters. You should not touch these.
> padding
> {
>     maximum_length 20;      # maximum padding length.
>     randomize off;          # enable randomize length.
>     strict_check off;       # enable strict check.
>     exclusive_tail off;     # extract last one octet.
> }
>
> # if no listen directive is specified, racoon will listen on all
> # available interface addresses.
> listen
> {
>     #isakmp ::1 [7000];
>     isakmp 192.168.1.1 [500];
>     #admin [7002];          # administrative port for racoonctl.
>     #strict_address;        # requires that all addresses must be bound.
> }
>
> # Specify various default timers.
> timer
> {
>     # These value can be changed per remote node.
>     counter 5;              # maximum trying count to send.
>     interval 20 sec;        # maximum interval to resend.
>     persend 1;              # the number of packets per send.
>
>     # maximum time to wait for completing each phase.
>     phase1 30 sec;
>     phase2 15 sec;
> }
>
> remote 192.168.1.11 [500]
> {
>     exchange_mode main,aggressive;
>     doi ipsec_doi;
>     situation identity_only;
>
>     lifetime time 3600 sec;
>
>     nonce_size 16;
>     initial_contact on;
>     proposal_check obey;    # obey, strict, or claim
>
>     proposal {
>         lifetime time 3600 sec;
>         encryption_algorithm 3des;
>         hash_algorithm md5;
>         authentication_method pre_shared_key;
>         dh_group 2;
>     }
> }
>
> sainfo anonymous
> {
>     lifetime time 3600 sec;
>     pfs_group 2;
>     encryption_algorithm 3des;
>     authentication_algorithm hmac_md5;
>     compression_algorithm deflate;
> }
>
> psk.txt
>
> # IPv4/v6 addresses
> 192.168.1.11 sekretkeyfrase
>
> The file's permissions are 600.
>
> The IPsec policies on the Windows side are exactly as in the article mentioned above!
> racoon prints the following:
>
> ERROR: unknown informational exchange received.
> INFO: respond new phase 1 negotiation :192.168.1.1[500]<=>192.168.1.11[500]
> INFO: begin identity protection mode
> INFO: received broken microsoft ID: MS NT5 ISAKMPOAKLEY
> INFO: received vendor ID: FRAGMENTATION
> INFO: received vendor ID: draft-ietf-ipsec-nat-t-ike-02
>
> ERROR: phrase1 negotiation failed due to time up
>
> If anyone knows, please tell me what's wrong; maybe I haven't installed some package? up
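A consistency check for the ipsec.conf policies quoted in the post, as an added example (Python, not from the original post and not a FreeBSD or racoon tool): it parses setkey spdadd statements and reports an in policy with no mirrored out policy, tunnel endpoints that are not swapped between the two directions, and any level other than require, which would let cleartext pass when no SA is up. The sample policy text is a constructed copy of the post's ipsec.conf.

```python
import re

# Constructed sample: the two policies from the post, as setkey -f would read them.
SPD_FROM_POST = """
flush;
spdflush;
spdadd 192.168.1.11 0.0.0.0/0 any
    -P in ipsec esp/tunnel/192.168.1.11-192.168.1.1/require;
spdadd 0.0.0.0/0 192.168.1.11 any
    -P out ipsec esp/tunnel/192.168.1.1-192.168.1.11/require;
"""

# One spdadd statement: src dst upperspec -P dir action [proto/mode/endpoints/level]
POLICY_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"(?P<action>ipsec|discard|none)"
    r"(?:\s+(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)/(?P<ep>[^/]*)/(?P<level>\S+))?$")


def parse_spd(text):
    """Split a setkey policy file into ';'-terminated statements, parse the spdadd ones."""
    policies = []
    for stmt in " ".join(text.split()).split(";"):   # statements may span lines
        stmt = stmt.strip()
        if not stmt.startswith("spdadd"):
            continue
        m = POLICY_RE.match(stmt)
        if not m:
            raise ValueError("unparsed policy: " + stmt)
        policies.append(m.groupdict())
    return policies


def check_spd(text):
    """Return a list of findings; an empty list means the in/out policies mirror each other."""
    findings = []
    policies = parse_spd(text)
    outs = [p for p in policies if p["dir"] == "out"]
    for p in policies:
        if p["action"] == "ipsec" and p["level"] != "require":
            findings.append("%s policy %s->%s is level %s, cleartext may still pass"
                            % (p["dir"], p["src"], p["dst"], p["level"]))
        if p["dir"] != "in":
            continue
        mirror = [o for o in outs if o["src"] == p["dst"] and o["dst"] == p["src"]
                  and o["upper"] == p["upper"]]
        if not mirror:
            findings.append("no out policy mirrors in policy %s->%s" % (p["src"], p["dst"]))
            continue
        o = mirror[0]
        if (p["proto"], p["mode"]) != (o["proto"], o["mode"]):
            findings.append("in/out policies use different proto/mode")
        elif p["mode"] == "tunnel":
            # Tunnel endpoints must be swapped: in is peer->gateway, out is gateway->peer.
            want = "-".join(reversed(p["ep"].split("-")))
            if o["ep"] != want:
                findings.append("tunnel endpoints not mirrored: in %s, out %s" % (p["ep"], o["ep"]))
    return findings
```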