[FUGSPBR] VPN IPSEC+POPTOP+RACOON
Ricardo A. Reis
ricardo_bsd at yahoo.com.br
Thu Jul 17 18:31:13 BRT 2003
Dear GURUS,
I am running into some difficulties establishing a VPN between a
FreeBSD 4.8-STABLE server and a Win98 machine. The configurations
follow below.
KERNEL with IPsec
---------------------
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
---------------------
Both racoon and poptop are installed from ports; the configuration
of both follows.
RACOON
------------------
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;
log debug;
# Default timer settings.
timer
{
    # These values can be changed per remote node.
    counter 5;          # maximum trying count to send.
    interval 20 sec;    # maximum interval to resend.
    persend 1;          # the number of packets per send.
    # timers for waiting to complete each phase.
    phase1 30 sec;
    phase2 15 sec;
}
listen
{
    isakmp 172.16.158.253[500];
}
remote 200.xxx.xxx.xxx
{
    exchange_mode aggressive, main, base;
    doi ipsec_doi;
    situation identity_only;
    certificate_type x509 "user.crt" "user.key";
    my_identifier asn1dn;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2 ;
    }
}
---------------------------------
CERTIFICATES
ca.pem
server-key.pem
server.crt
server.key
ca.crt
ca.pem
user.crt
user.key
---------------------------------
POPTOP
speed 115200
option /etc/ppp/options.pptpd
debug
localip 172.22.8.3
remoteip 172.22.8.128-254
----------------------------------
options.pptpd
auth
require-chap
proxyarp
-chap
-chapms
+chapms-v2
mppe-128
mppe-stateless
ms-wins 200.xxx.xxx.xxx
ms-dns 200.xxx.xxx.xxx
-----------------------------------
ppp.conf
loop:
    set timeout 0
    set log phase chat connect lcp ipcp command
    set device localhost:pptp
    set dial
    set login
    # Server (local) IP address, range for clients, and netmask
    set ifaddr 172.22.8.3 172.22.8.128-254 255.255.255.255
    set server /tmp/loop "" 0177
loop-in:
    set timeout 0
    set log phase lcp ipcp command
    allow mode direct
pptp:
    load loop
    enable chap
    enable MSChapV2
    enable mppe
    disable deflate pred1
    deny deflate pred1
    disable pap
    # The next depends on your routing. Proxy arp is an easy way out
    # enable proxy
    accept dns  # DNS servers to assign to the client
    set dns 200.xxx.xxx.xxx 200.xxx.xxx.xxx
    # NetBIOS/WINS servers to assign to the client
    set nbns 200.xxx.xxx.xxx
    set device !/etc/ppp/secure
-------------------------------
Racoon debug log
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:222:isakmp_handler(): 172 bytes message received from 200.xxx.xxx.xxx[500]
Jul 17 20:23:01 jail racoon: DEBUG: plog.c:193:plogdump():
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin.
Jul 17 20:23:01 jail racoon: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 200.xxx.xxx.xxx[500].
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:889:isakmp_ph1begin_r(): ===
Jul 17 20:23:01 jail racoon: INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1 negotiation: 172.16.158.253[500]<=>200.xxx.xxx.xxx[500]
Jul 17 20:23:01 jail racoon: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Identity Protection mode.
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:1112:isakmp_parsewoh(): begin.
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:1139:isakmp_parsewoh(): seen nptype=1(sa)
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:1139:isakmp_parsewoh(): seen nptype=13(vid)
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:1139:isakmp_parsewoh(): seen nptype=13(vid)
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:1139:isakmp_parsewoh(): seen nptype=13(vid)
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:1178:isakmp_parsewoh(): succeed.
Jul 17 20:23:01 jail racoon: DEBUG: vendorid.c:137:check_vendorid(): received unknown Vendor ID
Jul 17 20:23:01 jail racoon: DEBUG: vendorid.c:137:check_vendorid(): received unknown Vendor ID
Jul 17 20:23:01 jail racoon: DEBUG: vendorid.c:137:check_vendorid(): received unknown Vendor ID
Jul 17 20:23:01 jail racoon: DEBUG: ipsec_doi.c:1117:get_proppair(): total SA len=80
Jul 17 20:23:01 jail racoon: DEBUG: plog.c:193:plogdump():
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:1112:isakmp_parsewoh(): begin.
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:1139:isakmp_parsewoh(): seen nptype=2(prop)
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:1178:isakmp_parsewoh(): succeed.
Jul 17 20:23:01 jail racoon: DEBUG: ipsec_doi.c:1170:get_proppair(): proposal #1 len=72
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:1112:isakmp_parsewoh(): begin.
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:1139:isakmp_parsewoh(): seen nptype=3(trns)
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:1139:isakmp_parsewoh(): seen nptype=3(trns)
Jul 17 20:23:01 jail racoon: DEBUG: isakmp.c:1178:isakmp_parsewoh(): succeed.
Jul 17 20:23:01 jail racoon: DEBUG: ipsec_doi.c:1311:get_transform(): transform #1 len=32
Jul 17 20:23:01 jail racoon: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
Jul 17 20:23:01 jail racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(3des)
Jul 17 20:23:01 jail racoon: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000, lorv=SHA
Jul 17 20:23:01 jail racoon: DEBUG: algorithm.c:252:alg_oakley_hashdef(): hash(sha1)
Jul 17 20:23:01 jail racoon: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Jul 17 20:23:01 jail racoon: DEBUG: algorithm.c:610:alg_oakley_dhdef(): hmac(modp1024)
Jul 17 20:23:06 jail racoon: DEBUG: isakmp.c:221:isakmp_handler(): ===
On the Win98 machine the Microsoft L2TP/IPsec client was installed; the
.p12 certificate has already been installed and configured to be used by the machine.
POPtop shows no log at all, but apparently I am on the right track.
I hope for some comments, "Patrick, Jean, Edson, and company
heheh"
Regards, Soulofblack
UNIVERSIDADE FEDERAL DE SAO PAULO - UNIFESP
D.I.S - LABORATORIO DE INFORMATICA EM SAUDE
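A check a reader can run against the post above, added here and not part of the original message: it parses the check_attr_isakmp() lines of the racoon debug log for the phase 1 attributes the peer offered and compares them with the proposal block of racoon.conf, so any attribute the peer proposes that the local proposal does not list shows up as a mismatch. The LOG_TO_CONF table and the RACOON_LOG / RACOON_CONF samples are my own, built from the lines in the post.

```python
import re

# Constructed sample: the three check_attr_isakmp() lines from the racoon
# debug log in the post, with the mailer's line wrapping undone.
RACOON_LOG = """\
Jul 17 20:23:01 jail racoon: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
Jul 17 20:23:01 jail racoon: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000, lorv=SHA
Jul 17 20:23:01 jail racoon: DEBUG: ipsec_doi.c:1870:check_attr_isakmp(): type=Group Description, flag=0x8000, lorv=1024-bit MODP group
"""

# The phase 1 proposal block from the post's racoon.conf.
RACOON_CONF = """\
proposal {
    encryption_algorithm 3des;
    hash_algorithm md5;
    authentication_method rsasig;
    dh_group 2 ;
}
"""

# Names racoon prints in check_attr_isakmp() mapped onto racoon.conf keywords
# (assumed subset; racoon also accepts spelled-out group names such as modp1024).
LOG_TO_CONF = {
    ("Encryption Algorithm", "3DES-CBC"): ("encryption_algorithm", "3des"),
    ("Hash Algorithm", "SHA"): ("hash_algorithm", "sha1"),
    ("Hash Algorithm", "MD5"): ("hash_algorithm", "md5"),
    ("Group Description", "768-bit MODP group"): ("dh_group", "1"),
    ("Group Description", "1024-bit MODP group"): ("dh_group", "2"),
}

ATTR_RE = re.compile(
    r"check_attr_isakmp\(\): type=(?P<type>[^,]+), flag=0x[0-9a-fA-F]+, lorv=(?P<value>.+)$")

def peer_proposal(log_text):
    """Phase 1 attributes the peer offered, keyed by racoon.conf keyword."""
    found = {}
    for line in log_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            key = (m.group("type").strip(), m.group("value").strip())
            kw, val = LOG_TO_CONF.get(key, key)  # unmapped attribute: keep raw
            found[kw] = val
    return found

def local_proposal(conf_text):
    """Keyword -> value pairs from a racoon.conf proposal block."""
    return dict(re.findall(r"^\s*(\w+)\s+(\S+?)\s*;", conf_text, re.M))

def mismatches(peer, local):
    """Keywords the peer proposed with a value different from the local proposal."""
    return {k: (peer[k], local[k]) for k in peer if k in local and peer[k] != local[k]}
```

Run on the post's own lines, mismatches() reports the hash algorithm: the peer proposes SHA where racoon.conf lists md5.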