[FUGSPBR] ipsec problems freebsd - checkpoint VPN-1/FW1
Alexandre Nuernberg
berg em viaip.com.br
Mon Jul 15 11:35:48 BRT 2002
hi everyone,
we are having problems establishing the following VPN:
On one side we have FreeBSD 4.4 and on the other a Solaris cluster running Checkpoint Firewall1/VPN1
the layout is as follows:
MAQ1-----SWITCH_PRIV1---------CLUSTER<----->INTERNET<----------->FREEBSD------MAQ2
WHERE (the IPs are purely illustrative):
MAQ1=10.10.10.10
CLUSTER:
MAQ1_CLUSTER_PUB=200.200.200.131
MAQ2_CLUSTER_PUB=200.200.200.132
IP_PUB_CLUSTER=200.200.200.134
FREEBSD_PUB=100.100.100.100
FREEBSD_PRIV=192.168.255.1
MAQ2=192.168.255.200
The problem is that with the cluster, the public IP (200.200.200.134) that establishes the VPN can redirect to either of the machines (200.200.200.131 or 200.200.200.132), depending on which one has less traffic at that moment.
Because of this I have to send the VPN request to the public IP 200.200.200.134 and wait for the reply from one of the cluster machines, 200.200.200.131 or 200.200.200.132.
I think this is the reason the connection keeps dropping (logs follow).
Has anyone done something similar?
The configuration was done as recommended at:
http://restricted.dyndns.org/freebsd/index.html
and when I do it FreeBSD to FreeBSD, but without the cluster, there are no problems.
On the Checkpoint, the following settings are configured:
Protocol: IPSec
Encryption algorithm - DES
Hash algorithm - MD5
Authentication method - pre-shared key(1)
On FreeBSD, we are using racoon for the key exchange:
cat /usr/local/etc/racoon.conf
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;
#log notify;
log debug;
#log debug2;
# "padding" defines some parameter of padding. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
#isakmp ::1 [7000];
isakmp 100.100.100.100 [500];
#admin [7002]; # administrative's port by kmpstat.
#strict_address; # required all addresses must be bound.
}
# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}
remote anonymous
{
exchange_mode main,aggressive;
#exchange_mode aggressive,main;
#doi ipsec_doi;
#situation identity_only;
#my_identifier address;
#my_identifier user_fqdn "sakane@kame.net";
#peers_identifier user_fqdn "sakane@kame.net";
#certificate_type x509 "mycert" "mypriv";
nonce_size 16;
lifetime time 10 min; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 10 min;
encryption_algorithm des ;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
cat /usr/local/etc/racoon/psk.txt
200.200.200.131 senha
200.200.200.132 senha
200.200.200.134 senha
10.10.10.10 senha
100.100.100.100 senha
192.168.254.200 senha
and the following shell script to bring up the tunnel:
[root@berg /usr/local/etc/rc.d]# more tunnel.sh
#!/bin/sh
ifconfig gif0 create tunnel 100.100.100.100 200.200.200.134
ifconfig gif0 inet 192.168.255.200 10.10.10.10 netmask 255.255.255.255
#
/usr/sbin/setkey -FP
/usr/sbin/setkey -F
/usr/sbin/setkey -c << EOF
spdadd 192.168.255.200/32 10.10.10.10/32 any -P out ipsec esp/tunnel/100.100.100.100-200.200.200.134/require;
spdadd 10.10.10.10/32 192.168.255.200/32 any -P in ipsec esp/tunnel/200.200.200.134-100.100.100.100/require;
EOF
[root@berg /usr/local/etc/rc.d]#
Running the script above and starting racoon, the tunnel is apparently established:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet 100.100.100.100 --> 200.200.200.134
inet6 fe80::200:21ff:fe29:25dd%gif0 prefixlen 64 scopeid 0xa
inet 192.168.255.200 --> 10.10.10.10 netmask 0xffffffff
[root@berg /usr/local/etc/rc.d]# ifconfig
but after a while it drops.
Sending a ping from MAQ1 to MAQ2, the keys appear to be exchanged:
2aed b201b6d0 b72beba4 b4ba9c6f
Jul 15 11:21:25 berg racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)
Jul 15 11:21:25 berg racoon: DEBUG: oakley.c:755:oakley_compute_hash1(): HASH computed:
Jul 15 11:21:25 berg racoon: DEBUG: plog.c:193:plogdump(): e6efdac0 5e302969 803ff21c 36088619
Jul 15 11:21:25 berg racoon: DEBUG: isakmp.c:2245:isakmp_printpacket(): begin.
Jul 15 11:21:25 berg racoon: DEBUG: oakley.c:2739:oakley_do_encrypt(): begin encryption.
Jul 15 11:21:25 berg racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)
Jul 15 11:21:25 berg racoon: DEBUG: oakley.c:2755:oakley_do_encrypt(): pad length = 8
Jul 15 11:21:25 berg racoon: DEBUG: plog.c:193:plogdump(): 0b000014 e6efdac0 5e302969 803ff21c 36088619 0000001c 00000001
01106002 97082aed b201b6d0 b72beba4 b4ba9c6f 00000000 00000008
Jul 15 11:21:25 berg racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)
Jul 15 11:21:25 berg racoon: DEBUG: oakley.c:2790:oakley_do_encrypt(): with key:
Jul 15 11:21:25 berg racoon: DEBUG: plog.c:193:plogdump(): 81189e90 e4c9f994
Jul 15 11:21:25 berg racoon: DEBUG: oakley.c:2798:oakley_do_encrypt(): encrypted payload by IV:
Jul 15 11:21:25 berg racoon: DEBUG: plog.c:193:plogdump(): 8e31ce10 fb54f060
Jul 15 11:21:25 berg racoon: DEBUG: oakley.c:2805:oakley_do_encrypt(): save IV for next:
Jul 15 11:21:25 berg racoon: DEBUG: plog.c:193:plogdump(): 975b5548 5f44558f
Jul 15 11:21:25 berg racoon: DEBUG: oakley.c:2822:oakley_do_encrypt(): encrypted.
Jul 15 11:21:25 berg racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname [500]
Jul 15 11:21:25 berg racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 100.100.100.100[500]
Jul 15 11:21:25 berg racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to 200.200.200.134[500]
Jul 15 11:21:25 berg racoon: DEBUG: sockmisc.c:563:sendfromto(): 1 times of 84 bytes message will be sent to
100.100.100.100[500]
Jul 15 11:21:25 berg racoon: DEBUG: plog.c:193:plogdump(): 97082aed b201b6d0 b72beba4 b4ba9c6f 08100501 f658d43b 00000054
b3b82a53 1fc348e6 277c7828 0adc529d 27700ffd 3b3aeaf2 c3f80b13 f81f361c f9c16f18 96c3e107 7c96343d d873c76f 975b5548 5f44558f
Jul 15 11:21:25 berg racoon: DEBUG: isakmp_inf.c:634:isakmp_info_send_common(): sendto Information notify.
Jul 15 11:21:25 berg racoon: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established
100.100.100.100[500]-200.200.200.134[500] spi:97082aedb201b6d0:b72beba4b4ba9c6f
Jul 15 11:21:25 berg racoon: DEBUG: isakmp.c:666:ph1_main(): ===
Jul 15 11:21:26 berg racoon: DEBUG: isakmp.c:218:isakmp_handler(): ===
Jul 15 11:21:26 berg racoon: DEBUG: isakmp.c:219:isakmp_handler(): 68 bytes message received from 200.200.200.131[500]
Jul 15 11:21:26 berg racoon: DEBUG: plog.c:193:plogdump(): 97082aed b201b6d0 b72beba4 b4ba9c6f 05100201 00000000 00000044
d7b7ff80 61b801bb 34c09915 1403de10 e5ede35e 3542413a eb3640df c8c0215f 56c3083d df650c04
Jul 15 11:21:26 berg racoon: DEBUG: isakmp.c:2245:isakmp_printpacket(): begin.
and in tcpdump:
11:20:59.295801 berg > teste134: fe80::200:21ff:fe29:25dd > ff02::2:b644:f76b: HBH icmp6: multicast listener report max resp
delay: 0 addr: ff02::2:b644:f76b [hlim 1] (encap)
11:21:00.895717 berg > teste134: fe80::200:21ff:fe29:25dd > ff02::1:ff29:25dd: HBH icmp6: multicast listener report max resp
delay: 0 addr: ff02::1:ff29:25dd [hlim 1] (encap)
11:21:25.605970 berg.isakmp > teste134.isakmp: isakmp: phase 1 I ident: [|sa]
11:21:25.631815 teste131.isakmp > berg.isakmp: isakmp: phase 1 ? ident: [|sa] (DF)
11:21:25.695637 berg.isakmp > teste134.isakmp: isakmp: phase 1 I ident: [|ke]
11:21:25.777819 teste131.isakmp > berg.isakmp: isakmp: phase 1 ? ident: [|ke] (DF)
11:21:25.864607 berg.isakmp > teste134.isakmp: isakmp: phase 1 I ident[E]: [|id]
11:21:25.944992 teste131.isakmp > berg.isakmp: isakmp: phase 1 ? ident[E]: [|id] (DF)
11:21:25.971345 berg.isakmp > teste134.isakmp: isakmp: phase 2/others I inf[E]: [|hash]
11:21:26.054313 teste131.isakmp > berg.isakmp: isakmp: phase 1 ? ident[E]: [|id] (DF)
11:21:26.091340 berg.isakmp > teste134.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash]
11:21:26.140499 teste131.isakmp > berg.isakmp: isakmp: phase 2/others ? oakley-quick[E]: [|hash] (DF)
11:21:26.151678 berg.isakmp > teste134.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash]
11:21:30.689398 berg > teste134: ESP(spi=0x1b91b55e,seq=0x1)
11:21:35.696244 berg > teste134: ESP(spi=0x1b91b55e,seq=0x2)
11:21:40.703329 berg > teste134: ESP(spi=0x1b91b55e,seq=0x3)
11:21:45.710297 berg > teste134: ESP(spi=0x1b91b55e,seq=0x4)
11:21:50.717548 berg > teste134: ESP(spi=0x1b91b55e,seq=0x5)
11:21:55.724778 berg > teste134: ESP(spi=0x1b91b55e,seq=0x6)
11:22:00.732005 berg > teste134: ESP(spi=0x1b91b55e,seq=0x7)
11:22:05.739935 berg > teste134: ESP(spi=0x1b91b55e,seq=0x8)
11:22:10.746493 berg > teste134: ESP(spi=0x1b91b55e,seq=0x9)
Can anyone shed some light on this?
alexandre
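As an added diagnostic aid (not part of the original post), the script below parses tcpdump lines in the hostname-resolved format quoted above and flags the two symptoms visible in them: IKE replies arriving from a different address (teste131) than the one the requests were sent to (teste134), and ESP leaving the FreeBSD box with nothing coming back. The sample lines are a constructed subset copied from the post; the local hostname "berg" is taken from it.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the tcpdump lines quoted in the post.
TCPDUMP_SAMPLE = """\
11:21:25.605970 berg.isakmp > teste134.isakmp: isakmp: phase 1 I ident: [|sa]
11:21:25.631815 teste131.isakmp > berg.isakmp: isakmp: phase 1 ? ident: [|sa] (DF)
11:21:25.695637 berg.isakmp > teste134.isakmp: isakmp: phase 1 I ident: [|ke]
11:21:25.777819 teste131.isakmp > berg.isakmp: isakmp: phase 1 ? ident: [|ke] (DF)
11:21:26.091340 berg.isakmp > teste134.isakmp: isakmp: phase 2/others I oakley-quick[E]: [|hash]
11:21:26.140499 teste131.isakmp > berg.isakmp: isakmp: phase 2/others ? oakley-quick[E]: [|hash] (DF)
11:21:30.689398 berg > teste134: ESP(spi=0x1b91b55e,seq=0x1)
11:21:35.696244 berg > teste134: ESP(spi=0x1b91b55e,seq=0x2)
"""

# tcpdump prints "<src>.isakmp > <dst>.isakmp: isakmp:" for UDP/500 traffic
ISAKMP_RE = re.compile(r"^\S+ (\S+)\.isakmp > (\S+)\.isakmp: isakmp:")
# and "<src> > <dst>: ESP(spi=...,seq=...)" for ESP packets
ESP_RE = re.compile(r"^\S+ (\S+) > (\S+): ESP\(spi=(0x[0-9a-f]+),seq=0x[0-9a-f]+\)")


def analyse(dump, local="berg"):
    """Summarise IKE peers and ESP direction seen from `local`, with findings."""
    ike_to, ike_from = set(), set()
    esp_out, esp_in = defaultdict(int), defaultdict(int)
    for line in dump.splitlines():
        m = ISAKMP_RE.match(line)
        if m:
            src, dst = m.groups()
            if src == local:
                ike_to.add(dst)
            elif dst == local:
                ike_from.add(src)
            continue
        m = ESP_RE.match(line)
        if m:
            src, dst, spi = m.groups()
            if src == local:
                esp_out[f"{dst}/{spi}"] += 1
            elif dst == local:
                esp_in[f"{src}/{spi}"] += 1
    findings = []
    unexpected = ike_from - ike_to
    if unexpected:  # cluster member answers from its own address, not the VIP
        findings.append(f"IKE replies from {sorted(unexpected)} but requests were sent to "
                        f"{sorted(ike_to)}: peer address mismatch")
    if esp_out and not esp_in:  # traffic encrypted and sent, but nothing ever returns
        findings.append(f"outbound ESP {dict(esp_out)} with no inbound ESP: one-way tunnel")
    return {"ike_to": sorted(ike_to), "ike_from": sorted(ike_from),
            "esp_out": dict(esp_out), "esp_in": dict(esp_in), "findings": findings}


if __name__ == "__main__":
    for f in analyse(TCPDUMP_SAMPLE)["findings"]:
        print(f)
```

The same two checks apply to a live capture (tcpdump -n host 200.200.200.134 or host 200.200.200.131 or host 200.200.200.132), where the peer names become the addresses listed at the top of the post.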