[FUG-BR] IPSEC e ISAKMP
Matheus Cucoloto
matheuscucoloto em gmail.com
Quarta Setembro 24 12:24:12 BRT 2008
Bom dia.
Estou erguendo uma VPN com Ipsec usando ISAKMP. O Cenário é:
FreeBSD(ISAKMP) -> CheckPoint
O que foi definido:
Fase1:
Cripto AES256
Hash: sha1
Fase2
Cripto: AES128
Hash: md5
Chave=123456
Rede1= 192.168.254.0
Rede2= 192.168.210.0
Peer Freebsd=100.1.1.1
Peer CheckPoint=100.1.1.2
Analisando os pacotes com tcpdump o checkpoint me manda o seguinte:
--------------------------------------------------------------------------------------------------
12:04:07.792500 00:19:e0:73:9b:0a > 00:00:5e:00:01:0b, ethertype IPv4
(0x0800), length 174: (tos 0x0, ttl 60, id 61431, offset 0, flags
[DF], proto: UDP (17), length: 160) 100.1.1.2.500 > 100.1.1.1.500:
[udp sum ok] isakmp 1.0 msgid cookie ->: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #1 id=ike (type=enc value=aes)(type=keylen
value=0100)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp1024)(type=lifetype
value=sec)(type=lifeduration len=4 value=00015180))))
(vid: len=40
f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d48da54a20000000018200000)
--------------------------------------------------------------------------------------------------
E o FreeBSD retorna:
--------------------------------------------------------------------------------------------------
11:57:35.663230 00:60:97:0c:5d:10 > 00:00:5e:00:01:0a, ethertype IPv4
(0x0800), length 82: (tos 0x0, ttl 64, id 47232, offset 0, flags
[none], proto: UDP (17), length: 68) 100.1.1.1.500 > 100.1.1.2..500:
[udp sum ok] isakmp 1.0 msgid cookie ->: phase 1 I inf:
(n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN)
--------------------------------------------------------------------------------------------------
No Debug do ISAKMP eu tenho apenas o seguinte:
--------------------------------------------------------------------------------------------------
115703.724192 Default dropped message from 100.1.1.2 port 500 due to
notification type NO_PROPOSAL_CHOSEN
--------------------------------------------------------------------------------------------------
O que tem de errado??????
Vejam as minhas configurações:
--------------------------------------------------------------------------------------------------
# cat isakmpd.conf
Retransmits= 5
Exchange-max-time= 120
Listen-on= 100.1.1.1
[Phase 1]
100.1.1.2= ISAKMP-peer-checkpoint
[ISAKMP-peer-checkpoint]
Phase= 1
Transport= udp
Local-address= 100.1.1.1
Address= 100.1.1.2
Configuration= Conf-fase1
Authentication= 123456
[Phase 2]
Connections= VPN-freebsd-checkpoint
[VPN-freebsd-checkpoint]
Phase= 2
ISAKMP-peer= ISAKMP-peer-checkpoint
Configuration= Conf-fase2
Local-ID= rede-freebsd-192.168.254.0/255.255.255.0
Remote-ID= rede-checkpoint-192.168.210.0/255.255.255.0
[rede-freebsd-192.168.254.0/255.255.255.0]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.254.0
Netmask= 255.255.255.0
[rede-checkpoint-192.168.210.0/255.255.255.0]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.210.0
Netmask= 255.255.255.0
[Conf-fase1]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= CRIPTO-FASE1
[Conf-fase2]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-MD5-PFS-SUITE
[CRIPTO-FASE1]
ENCRYPTION_ALGORITHM= AES
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRESHARED
GROUP_DESCRIPTION= modp1024
Life= TEMPO
[TEMPO]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600
--------------------------------------------------------------------------------------------------
--
Matheus Cucoloto
System Admin.
Net Admin.
Mais detalhes sobre a lista de discussão freebsd