forum.opennet.ru

Составление сообщения

Исходное сообщение

"ipsec ZYWALL и RACOON (Centos 6.3)"
Отправлено AleR, 06-Фев-13 15:37

Помогите организовать ipsec между zywall и raccon
Имеем, Linux(Centos 6.3) racoon
#cat /etc/racoon/racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
{
    isakmp 77.233.5.123 [500];
    strict_address;
}
include "/etc/racoon/109.172.Y.Y.conf" ;
#cat /etc/racoon/109.172.Y.Y.conf
remote 109.172.Y.Y
{
    exchange_mode main;
    my_identifier address 77.233.X.X;
    lifetime time 28800 sec;
    generate_policy on;
    nat_traversal on;
    proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2 ;
    }
}
sainfo address 172.16.0.0/24 any address 192.168.5.0/24 any
   {
      pfs_group 2;
      lifetime time 28800 sec;
      encryption_algorithm des;
      authentication_algorithm hmac_sha1;
      compression_algorithm deflate;
   }
#cat /etc/racoon/setkey.conf
#!/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.5.0/24 172.16.0.0/24 any -P out ipsec esp/tunnel/77.233.X.X-109.172.Y.Y/use;
spdadd 172.16.0.0/24 192.168.5.0/24 any -P in ipsec esp/tunnel/109.172.Y.Y-77.233.X.X/use;
#cat /etc/racoon/psk.txt
109.172.Y.Y PASSWORD_KEY
Параметры роутера ZYWALL
interface lan1
ip address 172.16.0.1 255.255.255.0
type internal
mtu 1500
ip helper-address 172.16.0.100
!
address-object KM2_VPN_LOCAL 172.16.0.0/24
address-object KM2_VPN_REMOTE 192.168.5.0/24
!
isakmp policy KM2
peer-ip 77.233.X.X
local-ip interface wan1
authentication pre-share
encrypted-keystring $4$q9S6rDm7$t8BJG/RC7K5uX9Exdq8F0NbZXYp8suJuPJPP0gPB5Us8LDhOCqrU5Cd2UGDPu5pDtuGDHlg7Zug/YSZLE1004U$
mode main
transform-set des-md5
group2
lifetime 28800
natt
xauth type server default deactivate
peer-id type ip 77.233.X.X
local-id type ip 109.172.Y.Y
!
crypto ignore-df-bit
!
crypto map KM2
ipsec-isakmp KM2
encapsulation tunnel
transform-set esp-des-sha
set security-association lifetime seconds 28800
set pfs group2
scenario site-to-site-static
local-policy KM2_LOCAL
remote-policy KM2_REMOTE
replay-detection
!
vpn-configuration-provision authentication default
!
router rip
!
router ospf
!
zone IPSec_VPN
crypto KM2
!
zone TUNNEL
Не хочет подниматься.
В логах racoon
[root@gtw racoon]# racoon -Fddd
Foreground mode.
2013-02-06 15:31:25: ERROR: racoon: MLS support is not enabled.
2013-02-06 15:31:25: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
2013-02-06 15:31:25: INFO: @(#)This product linked OpenSSL 1.0.0-fips 29 Mar 2010 (http://www.openssl.org/)
2013-02-06 15:31:25: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2013-02-06 15:31:25: DEBUG: call pfkey_send_register for AH
2013-02-06 15:31:26: DEBUG: call pfkey_send_register for ESP
2013-02-06 15:31:26: DEBUG: call pfkey_send_register for IPCOMP
2013-02-06 15:31:26: DEBUG: reading config file /etc/racoon/racoon.conf
2013-02-06 15:31:26: DEBUG: filename: /etc/racoon/109.172.Y.Y.conf
2013-02-06 15:31:26: DEBUG: reading config file /etc/racoon/109.172.Y.Y.conf
2013-02-06 15:31:26: DEBUG2: parse successed.
2013-02-06 15:31:26: DEBUG: open /var/racoon/racoon.sock as racoon management.
2013-02-06 15:31:26: INFO: 77.233.X.X[500] used for NAT-T
2013-02-06 15:31:26: INFO: 77.233.X.X[500] used as isakmp port (fd=6)
2013-02-06 15:31:26: DEBUG: pk_recv: retry[0] recv()
2013-02-06 15:31:26: DEBUG: got pfkey X_SPDDUMP message
2013-02-06 15:31:26: DEBUG2:
02120200 02000000 00000000 4f0b0000
2013-02-06 15:31:26: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
2013-02-06 15:31:47: DEBUG: ===
2013-02-06 15:31:47: DEBUG: 236 bytes message received from 109.172.Y.Y[500] to 77.233.X.X[500]
2013-02-06 15:31:47: DEBUG:
ddd20d33 7e5c3d31 00000000 00000000 01100200 00000000 000000ec 0d000034
00000001 00000001 00000028 00010001 00000020 00010000 80010001 80020001
80030001 80040002 800b0001 800c7080 0d000014 f758f226 68750f03 b08df6eb
e1d00403 0d000012 afcad713 68a1f1c9 6b8696fc 77570d00 0014cd60 464335df
21f87cfd b2fc68b6 a4480d00 001490cb 80913ebb 696e0863 81b5ec42 7b1f0d00
00147d94 19a65310 ca6f2c17 9d921552 9d560d00 00144a13 1c810703 58455c57
28f20e95 452f0d00 0014afca d71368a1 f1c96b86 96fc7757 01000000 0012afca
d71368a1 f1c96b86 96fc7757
2013-02-06 15:31:47: [109.172.Y.Y] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
2013-02-06 15:31:48: DEBUG: ===
2013-02-06 15:31:48: DEBUG: 236 bytes message received from 109.172.Y.Y[500] to 77.233.X.X[500]
2013-02-06 15:31:48: DEBUG:
ddd20d33 7e5c3d31 00000000 00000000 01100200 00000000 000000ec 0d000034
00000001 00000001 00000028 00010001 00000020 00010000 80010001 80020001
80030001 80040002 800b0001 800c7080 0d000014 f758f226 68750f03 b08df6eb
e1d00403 0d000012 afcad713 68a1f1c9 6b8696fc 77570d00 0014cd60 464335df
21f87cfd b2fc68b6 a4480d00 001490cb 80913ebb 696e0863 81b5ec42 7b1f0d00
00147d94 19a65310 ca6f2c17 9d921552 9d560d00 00144a13 1c810703 58455c57
28f20e95 452f0d00 0014afca d71368a1 f1c96b86 96fc7757 01000000 0012afca
d71368a1 f1c96b86 96fc7757
2013-02-06 15:31:48: [109.172.Y.Y] ERROR: exchange Identity Protection not allowed in any applicable rmconf.
2013-02-06 15:31:49: DEBUG: ===
2013-02-06 15:31:49: DEBUG: 236 bytes message received from 109.172.Y.Y[500] to 77.233.X.X[500]
2013-02-06 15:31:49: DEBUG:
Т.е. не проходит даже первая фаза
ERROR: exchange Identity Protection not allowed in any applicable rmconf.
Подскажите в какую сторону копать? Толкового мана по связке ZYWALL с RACOON не нашел...

Исходное сообщение
"ipsec ZYWALL и RACOON (Centos 6.3)" Отправлено AleR, 06-Фев-13 15:37
Помогите организовать ipsec между zywall и raccon Имеем, Linux(Centos 6.3) racoon #cat /etc/racoon/racoon.conf path include "/etc/racoon"; path pre_shared_key "/etc/racoon/psk.txt"; { isakmp 77.233.5.123 [500]; strict_address; } include "/etc/racoon/109.172.Y.Y.conf" ; #cat /etc/racoon/109.172.Y.Y.conf remote 109.172.Y.Y { exchange_mode main; my_identifier address 77.233.X.X; lifetime time 28800 sec; generate_policy on; nat_traversal on; proposal { encryption_algorithm des; hash_algorithm md5; authentication_method pre_shared_key; dh_group 2 ; } } sainfo address 172.16.0.0/24 any address 192.168.5.0/24 any { pfs_group 2; lifetime time 28800 sec; encryption_algorithm des; authentication_algorithm hmac_sha1; compression_algorithm deflate; } #cat /etc/racoon/setkey.conf #!/sbin/setkey -f flush; spdflush; spdadd 192.168.5.0/24 172.16.0.0/24 any -P out ipsec esp/tunnel/77.233.X.X-109.172.Y.Y/use; spdadd 172.16.0.0/24 192.168.5.0/24 any -P in ipsec esp/tunnel/109.172.Y.Y-77.233.X.X/use; #cat /etc/racoon/psk.txt 109.172.Y.Y PASSWORD_KEY Параметры роутера ZYWALL interface lan1 ip address 172.16.0.1 255.255.255.0 type internal mtu 1500 ip helper-address 172.16.0.100 ! address-object KM2_VPN_LOCAL 172.16.0.0/24 address-object KM2_VPN_REMOTE 192.168.5.0/24 ! isakmp policy KM2 peer-ip 77.233.X.X local-ip interface wan1 authentication pre-share encrypted-keystring $4$q9S6rDm7$t8BJG/RC7K5uX9Exdq8F0NbZXYp8suJuPJPP0gPB5Us8LDhOCqrU5Cd2UGDPu5pDtuGDHlg7Zug/YSZLE1004U$ mode main transform-set des-md5 group2 lifetime 28800 natt xauth type server default deactivate peer-id type ip 77.233.X.X local-id type ip 109.172.Y.Y ! crypto ignore-df-bit ! crypto map KM2 ipsec-isakmp KM2 encapsulation tunnel transform-set esp-des-sha set security-association lifetime seconds 28800 set pfs group2 scenario site-to-site-static local-policy KM2_LOCAL remote-policy KM2_REMOTE replay-detection ! vpn-configuration-provision authentication default ! router rip ! router ospf ! zone IPSec_VPN crypto KM2 ! zone TUNNEL Не хочет подниматься. В логах racoon [root@gtw racoon]# racoon -Fddd Foreground mode. 2013-02-06 15:31:25: ERROR: racoon: MLS support is not enabled. 2013-02-06 15:31:25: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net) 2013-02-06 15:31:25: INFO: @(#)This product linked OpenSSL 1.0.0-fips 29 Mar 2010 (http://www.openssl.org/) 2013-02-06 15:31:25: INFO: Reading configuration from "/etc/racoon/racoon.conf" 2013-02-06 15:31:25: DEBUG: call pfkey_send_register for AH 2013-02-06 15:31:26: DEBUG: call pfkey_send_register for ESP 2013-02-06 15:31:26: DEBUG: call pfkey_send_register for IPCOMP 2013-02-06 15:31:26: DEBUG: reading config file /etc/racoon/racoon.conf 2013-02-06 15:31:26: DEBUG: filename: /etc/racoon/109.172.Y.Y.conf 2013-02-06 15:31:26: DEBUG: reading config file /etc/racoon/109.172.Y.Y.conf 2013-02-06 15:31:26: DEBUG2: parse successed. 2013-02-06 15:31:26: DEBUG: open /var/racoon/racoon.sock as racoon management. 2013-02-06 15:31:26: INFO: 77.233.X.X[500] used for NAT-T 2013-02-06 15:31:26: INFO: 77.233.X.X[500] used as isakmp port (fd=6) 2013-02-06 15:31:26: DEBUG: pk_recv: retry[0] recv() 2013-02-06 15:31:26: DEBUG: got pfkey X_SPDDUMP message 2013-02-06 15:31:26: DEBUG2: 02120200 02000000 00000000 4f0b0000 2013-02-06 15:31:26: DEBUG: pfkey X_SPDDUMP failed: No such file or directory 2013-02-06 15:31:47: DEBUG: === 2013-02-06 15:31:47: DEBUG: 236 bytes message received from 109.172.Y.Y[500] to 77.233.X.X[500] 2013-02-06 15:31:47: DEBUG: ddd20d33 7e5c3d31 00000000 00000000 01100200 00000000 000000ec 0d000034 00000001 00000001 00000028 00010001 00000020 00010000 80010001 80020001 80030001 80040002 800b0001 800c7080 0d000014 f758f226 68750f03 b08df6eb e1d00403 0d000012 afcad713 68a1f1c9 6b8696fc 77570d00 0014cd60 464335df 21f87cfd b2fc68b6 a4480d00 001490cb 80913ebb 696e0863 81b5ec42 7b1f0d00 00147d94 19a65310 ca6f2c17 9d921552 9d560d00 00144a13 1c810703 58455c57 28f20e95 452f0d00 0014afca d71368a1 f1c96b86 96fc7757 01000000 0012afca d71368a1 f1c96b86 96fc7757 2013-02-06 15:31:47: [109.172.Y.Y] ERROR: exchange Identity Protection not allowed in any applicable rmconf. 2013-02-06 15:31:48: DEBUG: === 2013-02-06 15:31:48: DEBUG: 236 bytes message received from 109.172.Y.Y[500] to 77.233.X.X[500] 2013-02-06 15:31:48: DEBUG: ddd20d33 7e5c3d31 00000000 00000000 01100200 00000000 000000ec 0d000034 00000001 00000001 00000028 00010001 00000020 00010000 80010001 80020001 80030001 80040002 800b0001 800c7080 0d000014 f758f226 68750f03 b08df6eb e1d00403 0d000012 afcad713 68a1f1c9 6b8696fc 77570d00 0014cd60 464335df 21f87cfd b2fc68b6 a4480d00 001490cb 80913ebb 696e0863 81b5ec42 7b1f0d00 00147d94 19a65310 ca6f2c17 9d921552 9d560d00 00144a13 1c810703 58455c57 28f20e95 452f0d00 0014afca d71368a1 f1c96b86 96fc7757 01000000 0012afca d71368a1 f1c96b86 96fc7757 2013-02-06 15:31:48: [109.172.Y.Y] ERROR: exchange Identity Protection not allowed in any applicable rmconf. 2013-02-06 15:31:49: DEBUG: === 2013-02-06 15:31:49: DEBUG: 236 bytes message received from 109.172.Y.Y[500] to 77.233.X.X[500] 2013-02-06 15:31:49: DEBUG: Т.е. не проходит даже первая фаза ERROR: exchange Identity Protection not allowed in any applicable rmconf. Подскажите в какую сторону копать? Толкового мана по связке ZYWALL с RACOON не нашел...

Ваше сообщение
Имя*:
EMail:	Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	> Помогите организовать ipsec между zywall и raccon > Имеем, Linux(Centos 6.3) racoon > #cat /etc/racoon/racoon.conf > path include "/etc/racoon"; > path pre_shared_key "/etc/racoon/psk.txt"; > { > isakmp 77.233.5.123 [500]; > strict_address; > } > include "/etc/racoon/109.172.Y.Y.conf" ; > #cat /etc/racoon/109.172.Y.Y.conf > remote 109.172.Y.Y > { > exchange_mode main; > my_identifier address 77.233.X.X; > lifetime time 28800 sec; > generate_policy on; > nat_traversal on; > proposal { > encryption_algorithm des; > hash_algorithm md5; > authentication_method pre_shared_key; > dh_group 2 ; > } > } > sainfo address 172.16.0.0/24 any address 192.168.5.0/24 any > { > pfs_group 2; > lifetime time 28800 sec; > encryption_algorithm des; > authentication_algorithm hmac_sha1; > compression_algorithm deflate; > } > #cat /etc/racoon/setkey.conf > #!/sbin/setkey -f > flush; > spdflush; > spdadd 192.168.5.0/24 172.16.0.0/24 any -P out ipsec esp/tunnel/77.233.X.X-109.172.Y.Y/use; > spdadd 172.16.0.0/24 192.168.5.0/24 any -P in ipsec esp/tunnel/109.172.Y.Y-77.233.X.X/use; > #cat /etc/racoon/psk.txt > 109.172.Y.Y PASSWORD_KEY > Параметры роутера ZYWALL > interface lan1 > ip address 172.16.0.1 255.255.255.0 > type internal > mtu 1500 > ip helper-address 172.16.0.100 > ! > address-object KM2_VPN_LOCAL 172.16.0.0/24 > address-object KM2_VPN_REMOTE 192.168.5.0/24 > ! > isakmp policy KM2 > peer-ip 77.233.X.X > local-ip interface wan1 > authentication pre-share > encrypted-keystring $4$q9S6rDm7$t8BJG/RC7K5uX9Exdq8F0NbZXYp8suJuPJPP0gPB5Us8LDhOCqrU5Cd2UGDPu5pDtuGDHlg7Zug/YSZLE1004U$ > mode main > transform-set des-md5 > group2 > lifetime 28800 > natt > xauth type server default deactivate > peer-id type ip 77.233.X.X > local-id type ip 109.172.Y.Y > ! > crypto ignore-df-bit > ! > crypto map KM2 > ipsec-isakmp KM2 > encapsulation tunnel > transform-set esp-des-sha > set security-association lifetime seconds 28800 > set pfs group2 > scenario site-to-site-static > local-policy KM2_LOCAL > remote-policy KM2_REMOTE > replay-detection > ! > vpn-configuration-provision authentication default > ! > router rip > ! > router ospf > ! > zone IPSec_VPN > crypto KM2 > ! > zone TUNNEL > Не хочет подниматься. > В логах racoon > [root@gtw racoon]# racoon -Fddd > Foreground mode. > 2013-02-06 15:31:25: ERROR: racoon: MLS support is not enabled. > 2013-02-06 15:31:25: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net) > 2013-02-06 15:31:25: INFO: @(#)This product linked OpenSSL 1.0.0-fips 29 Mar 2010 (http://www.openssl.org/) > 2013-02-06 15:31:25: INFO: Reading configuration from "/etc/racoon/racoon.conf" > 2013-02-06 15:31:25: DEBUG: call pfkey_send_register for AH > 2013-02-06 15:31:26: DEBUG: call pfkey_send_register for ESP > 2013-02-06 15:31:26: DEBUG: call pfkey_send_register for IPCOMP > 2013-02-06 15:31:26: DEBUG: reading config file /etc/racoon/racoon.conf > 2013-02-06 15:31:26: DEBUG: filename: /etc/racoon/109.172.Y.Y.conf > 2013-02-06 15:31:26: DEBUG: reading config file /etc/racoon/109.172.Y.Y.conf > 2013-02-06 15:31:26: DEBUG2: parse successed. > 2013-02-06 15:31:26: DEBUG: open /var/racoon/racoon.sock as racoon management. > 2013-02-06 15:31:26: INFO: 77.233.X.X[500] used for NAT-T > 2013-02-06 15:31:26: INFO: 77.233.X.X[500] used as isakmp port (fd=6) > 2013-02-06 15:31:26: DEBUG: pk_recv: retry[0] recv() > 2013-02-06 15:31:26: DEBUG: got pfkey X_SPDDUMP message > 2013-02-06 15:31:26: DEBUG2: > 02120200 02000000 00000000 4f0b0000 > 2013-02-06 15:31:26: DEBUG: pfkey X_SPDDUMP failed: No such file or directory > 2013-02-06 15:31:47: DEBUG: === > 2013-02-06 15:31:47: DEBUG: 236 bytes message received from 109.172.Y.Y[500] to 77.233.X.X[500] > 2013-02-06 15:31:47: DEBUG: > ddd20d33 7e5c3d31 00000000 00000000 01100200 00000000 000000ec 0d000034 > 00000001 00000001 00000028 00010001 00000020 00010000 80010001 80020001 > 80030001 80040002 800b0001 800c7080 0d000014 f758f226 68750f03 b08df6eb > e1d00403 0d000012 afcad713 68a1f1c9 6b8696fc 77570d00 0014cd60 464335df > 21f87cfd b2fc68b6 a4480d00 001490cb 80913ebb 696e0863 81b5ec42 7b1f0d00 > 00147d94 19a65310 ca6f2c17 9d921552 9d560d00 00144a13 1c810703 58455c57 > 28f20e95 452f0d00 0014afca d71368a1 f1c96b86 96fc7757 01000000 0012afca > d71368a1 f1c96b86 96fc7757 > 2013-02-06 15:31:47: [109.172.Y.Y] ERROR: exchange Identity Protection not allowed in > any applicable rmconf. > 2013-02-06 15:31:48: DEBUG: === > 2013-02-06 15:31:48: DEBUG: 236 bytes message received from 109.172.Y.Y[500] to 77.233.X.X[500] > 2013-02-06 15:31:48: DEBUG: > ddd20d33 7e5c3d31 00000000 00000000 01100200 00000000 000000ec 0d000034 > 00000001 00000001 00000028 00010001 00000020 00010000 80010001 80020001 > 80030001 80040002 800b0001 800c7080 0d000014 f758f226 68750f03 b08df6eb > e1d00403 0d000012 afcad713 68a1f1c9 6b8696fc 77570d00 0014cd60 464335df > 21f87cfd b2fc68b6 a4480d00 001490cb 80913ebb 696e0863 81b5ec42 7b1f0d00 > 00147d94 19a65310 ca6f2c17 9d921552 9d560d00 00144a13 1c810703 58455c57 > 28f20e95 452f0d00 0014afca d71368a1 f1c96b86 96fc7757 01000000 0012afca > d71368a1 f1c96b86 96fc7757 > 2013-02-06 15:31:48: [109.172.Y.Y] ERROR: exchange Identity Protection not allowed in > any applicable rmconf. > 2013-02-06 15:31:49: DEBUG: === > 2013-02-06 15:31:49: DEBUG: 236 bytes message received from 109.172.Y.Y[500] to 77.233.X.X[500] > 2013-02-06 15:31:49: DEBUG: > Т.е. не проходит даже первая фаза > ERROR: exchange Identity Protection not allowed in any applicable rmconf. > Подскажите в какую сторону копать? Толкового мана по связке ZYWALL с RACOON > не нашел...
	Введите код, изображенный на картинке:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру