[FUG-BR] VPN IPSEC [racoon or strongswan]
Saul Figueiredo
saulfelipecf at gmail.com
Thu Aug 9 16:17:50 BRT 2012
On 9 August 2012 15:58, Saul Figueiredo <saulfelipecf at gmail.com> wrote:
>
> On 9 August 2012 15:37, Saul Figueiredo <saulfelipecf at gmail.com> wrote:
>
>> On 9 August 2012 12:13, Saul Figueiredo <saulfelipecf at gmail.com> wrote:
>>
>>> On 9 August 2012 10:59, Saul Figueiredo <saulfelipecf at gmail.com> wrote:
>>>
>>>> On 8 August 2012 14:47, Saul Figueiredo <saulfelipecf at gmail.com> wrote:
>>>>
>>>>> Good afternoon.
>>>>>
>>>>> I am trying to bring up an IPsec VPN between a router and a FreeBSD 8.2 box.
>>>>> I have already tried strongSwan and racoon, and it does not work at all
>>>>> with either of them.
>>>>>
>>>>> Suspecting the configuration, I took the strongSwan conf and
>>>>> put it on a CentOS [Linux] server that has Openswan installed, only
>>>>> taking care to change the external IPs and the network range. RESULT:
>>>>> It worked on Openswan. The VPN came up and I could ping from both ends.
>>>>>
>>>>> To use strongSwan and racoon I had to compile the kernel with these
>>>>> options:
>>>>> options IPSEC
>>>>> options IPSEC_DEBUG
>>>>> options IPSEC_NAT_T
>>>>> options IPSEC_FILTERTUNNEL
>>>>> #options IPSEC_ESP
>>>>>
>>>>> With the same router and the same conf it works on Linux. What could be
>>>>> wrong?
>>>>> Thanks!!!
>>>>>
>>>>>
>>>>> --
>>>>> "One must always keep learning, even from an enemy."
>>>>> (Isaac Newton)
>>>>>
>>>>> Regards,
>>>>> Saul Figueiredo
>>>>> FreeBSD/Linux Analyst
>>>>> Linux Professional Institute Certification Level 2
>>>>> saulfelipecf at gmail.com
>>>>> <saul-felipe at hotmail.com>
>>>>>
>>>> When the router client tries to connect to my racoon server it gives this
>>>> error:
>>>>
>>>> 2012-08-08 17:02:23: ERROR: no suitable proposal found.
>>>> 2012-08-08 17:02:23: [177.xx8.1xx.173] ERROR: failed to get valid proposal.
>>>> 2012-08-08 17:02:23: [177.xx8.1xx.173] ERROR: failed to pre-process ph1 packet (side: 1, status 1).
>>>> 2012-08-08 17:02:23: [177.xx8.1xx.173] ERROR: phase1 negotiation failed.
>>>>
>>>>
>>>> Racking my brain over this...
>>>>
>>>>
>>>>
>>> New error now:
>>> ERROR: exchange Identity Protection not allowed in any applicable rmconf
>>>
>>>
>>>
>>>
>> Now the tunnel came up, but the networks do not communicate :(
>>
>>
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb4), length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb5), length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb6), length 92
>> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
>> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
>> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb7), length 92
>> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb8), length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb9), length 92
>> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
>> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xba), length 92
>> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbb), length 92
>> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbc), length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbd), length 92
>> and in ipfw the policy is allow
>>
> in the racoon log:
>
> 2012-08-09 15:56:29: DEBUG: suitable outbound SP found: 192.168.1.0/24[0] 192.168.70.0/24[0] proto=any dir=out.
> 2012-08-09 15:56:29: DEBUG: sub:0xbfbfe594: 192.168.70.0/24[0] 192.168.1.0/24[0] proto=any dir=in
> 2012-08-09 15:56:29: DEBUG: db :0x28547148: 192.168.70.0/24[0] 192.168.1.0/24[0] proto=any dir=in
> 2012-08-09 15:56:29: DEBUG: suitable inbound SP found: 192.168.70.0/24[0] 192.168.1.0/24[0] proto=any dir=in.
> 2012-08-09 15:56:29: DEBUG: new acquire 192.168.1.0/24[0] 192.168.70.0/24[0] proto=any dir=out
> 2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG2: Checking remote conf "anonymous" anonymous.
> 2012-08-09 15:56:29: DEBUG2: enumrmconf: "anonymous" matches.
> 2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG: configuration "anonymous" selected.
> 2012-08-09 15:56:29: DEBUG: getsainfo params: loc='192.168.1.0/24' rmt='192.168.70.0/24' peer='NULL' client='NULL' id=0
> 2012-08-09 15:56:29: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
> 2012-08-09 15:56:29: DEBUG: check and compare ids : values matched (ANONYMOUS)
> 2012-08-09 15:56:29: DEBUG: check and compare ids : values matched (ANONYMOUS)
> 2012-08-09 15:56:29: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
> 2012-08-09 15:56:29: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
> 2012-08-09 15:56:29: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
> 2012-08-09 15:56:29: DEBUG: in post_acquire
> 2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG2: Checking remote conf "anonymous" anonymous.
> 2012-08-09 15:56:29: DEBUG2: enumrmconf: "anonymous" matches.
> 2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG: configuration "anonymous" selected.
> 2012-08-09 15:56:29: DEBUG2: getph1: start
> 2012-08-09 15:56:29: DEBUG2: local: 187.xxx.xxx.30[500]
> 2012-08-09 15:56:29: DEBUG2: remote: 187.xxx.xxx.44[500]
> 2012-08-09 15:56:29: DEBUG2: no match
> 2012-08-09 15:56:29: INFO: IPsec-SA request for 187.xxx.xxx.44 queued due to no phase1 found.
> 2012-08-09 15:56:29: DEBUG: ===
> 2012-08-09 15:56:29: INFO: initiate new phase 1 negotiation: 187.xxx.xxx.30[500]<=>187.xxx.xxx.44[500]
> 2012-08-09 15:56:29: INFO: begin Identity Protection mode.
> 2012-08-09 15:56:29: DEBUG: new cookie:
> 5d18382ba03058d4
> 2012-08-09 15:56:29: DEBUG: add payload of len 52, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 0
> 2012-08-09 15:56:29: ERROR: phase1 negotiation failed due to send error. 5d18382ba03058d4:0000000000000000
> 2012-08-09 15:56:29: ERROR: failed to begin ipsec sa negotication.
> 2012-08-09 15:56:29: DEBUG: got pfkey ACQUIRE message
> 2012-08-09 15:56:29: DEBUG: suitable outbound SP found: 192.168.1.0/24[0] 192.168.70.0/24[0] proto=any dir=out.
> 2012-08-09 15:56:29: DEBUG: ignore the acquire because ph2 found
> 2012-08-09 15:56:37: DEBUG: ===
> 2012-08-09 15:56:37: DEBUG: 92 bytes message received from 187.xxx.xxx.44[500] to 187.xxx.xxx.30[500]
>
>
> This phase 1 error happens but the VPN comes up... strange...
>
>
My confs:
-rw-r--r-- 1 root wheel 18 Aug 8 15:37 ipsec.conf
fw# cat ipsec.conf
flush;
spdflush;
_____________________________________________________
-rwx------ 1 root wheel 25 Aug 9 15:00 psk.txt
fw# cat psk.txt
187.xxx.xxx.44 Pre-Shared
where 187.xxx.xxx.44 is the router's IP
_________________________________________________________
-rw-r--r-- 1 root wheel 1485 Aug 9 14:50 racoon.conf
fw# cat racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug;
#log notify;
listen
{
isakmp 187.32.229.30 [500];
isakmp_natt 187.32.229.30 [4500];
adminsock disabled;
}
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 10 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 300 sec;
phase2 300 sec;
}
remote anonymous
{
exchange_mode main, aggressive;
lifetime time 86400 sec;
#passive off;
generate_policy on;
nat_traversal on;
dpd_delay 20; # DPD poll every 20 seconds
ike_frag on; # use IKE fragmentation
#esp_frag 552; # use ESP fragmentation at 552 bytes
proposal_check strict;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
sainfo anonymous
{
lifetime time 3600 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
--
"One must always keep learning, even from an enemy."
(Isaac Newton)
Regards,
Saul Figueiredo
FreeBSD/Linux Analyst
Linux Professional Institute Certification Level 2
saulfelipecf at gmail.com
<saul-felipe at hotmail.com>
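Editor's added example (not code from the thread, and not racoon's own code): the first error in the thread, "no suitable proposal found", is what a responder prints when none of the initiator's phase 1 transforms matches any of its own proposals, and the log does not say which attribute failed. The script below emulates that matching step. RESPONDER is transcribed from the remote anonymous { } block of the racoon.conf posted above (note that dh_group 2 and modp1024 are the same group, so the first and third proposals are identical). The initiator offers are constructed. The rule implemented (encryption algorithm, hash, authentication method and DH group must be equal; a responder proposal with no key length accepts any length; with proposal_check strict an offered lifetime longer than ours is rejected and a shorter one adopted, with obey the offered lifetime is always taken) follows the racoon.conf(5) description and is an approximation of the daemon's logic, not a copy of it.

```python
"""IKEv1 phase 1 proposal matching as a responder such as racoon performs it.

Added example for the thread above; RESPONDER mirrors the posted racoon.conf,
the offers are constructed, and the matching rule is an approximation of
racoon's behaviour as documented in racoon.conf(5).
"""

# racoon accepts dh_group either as the IKE group number or as the modp name;
# 2 and modp1024 are the same group, which is why normalisation matters.
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}


def normalize_dh(group):
    return DH_GROUPS.get(str(group), str(group))


def make_proposal(enc, hash_alg, auth, dh, lifetime, keylen=None):
    return {"enc": enc, "keylen": keylen, "hash": hash_alg, "auth": auth,
            "dh": normalize_dh(dh), "lifetime": lifetime}


# remote anonymous { ... } from the posted racoon.conf: lifetime time 86400 sec.
RESPONDER = [
    make_proposal("3des", "sha1", "pre_shared_key", "2", 86400),
    make_proposal("aes", "sha1", "pre_shared_key", "modp1024", 86400),
    make_proposal("3des", "sha1", "pre_shared_key", "modp1024", 86400),
]


def compare(ours, offer, check="strict"):
    """Return [] when the offer is acceptable against our proposal, otherwise
    the list of attributes that differ (the detail "no suitable proposal
    found" leaves out)."""
    reasons = ["%s: ours %s, offered %s" % (a, ours[a], offer[a])
               for a in ("enc", "hash", "auth", "dh") if ours[a] != offer[a]]
    # Assumption: a responder proposal without a key length accepts any length.
    if ours["keylen"] is not None and ours["keylen"] != offer["keylen"]:
        reasons.append("keylen: ours %s, offered %s" % (ours["keylen"], offer["keylen"]))
    # proposal_check strict: an initiator lifetime longer than ours is rejected.
    if check == "strict" and offer["lifetime"] > ours["lifetime"]:
        reasons.append("lifetime: offered %d s exceeds ours %d s (strict)"
                       % (offer["lifetime"], ours["lifetime"]))
    return reasons


def select_proposal(responder, offers, check="strict"):
    """Walk the initiator's offers against our proposals in order, as a
    responder does. Returns (index_of_our_proposal, agreed_lifetime) on the
    first match, or (None, rejections) where rejections lists
    (offer_number, our_index, reasons) for every pair tried."""
    rejections = []
    for n, offer in enumerate(offers):
        for i, ours in enumerate(responder):
            reasons = compare(ours, offer, check)
            if not reasons:
                # strict: the offered lifetime is <= ours here and is adopted;
                # obey: the offered lifetime is taken unconditionally.
                return i, offer["lifetime"]
            rejections.append((n, i, reasons))
    return None, rejections


def duplicate_proposals(responder):
    """Pairs of indices whose proposals are identical once the DH group is
    normalised; such duplicates add nothing to the negotiation."""
    seen, dups = {}, []
    for i, p in enumerate(responder):
        key = tuple(sorted(p.items()))
        if key in seen:
            dups.append((seen[key], i))
        else:
            seen[key] = i
    return dups


if __name__ == "__main__":
    # Constructed offer: AES-128 / SHA1 / PSK / group 5, 8 hours. No match on DH group.
    offer = make_proposal("aes", "sha1", "pre_shared_key", "5", 28800, keylen=128)
    print(select_proposal(RESPONDER, [offer]))
    print("duplicate proposals:", duplicate_proposals(RESPONDER))
```

Run against the constructed AES/group 5 offer, every rejection carries a "dh:" reason, which is the kind of detail worth reading off before changing the router's IKE profile. duplicate_proposals() reports (0, 2) for the posted configuration.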
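Editor's added example (not code from the thread): the tcpdump excerpt posted above shows ESP flowing only from 187.xxx.xxx.44 to 187.xxx.xxx.30, while .30 answers with nothing but IKE on UDP/500. That asymmetry is the check to make first when "the tunnel is up but the networks do not talk", since it separates a kernel SPD/SA problem on one side from a filtering or routing problem. The script below does that check over tcpdump -n text output. The sample capture is the excerpt from the thread, copied as posted (the author's xxx masking of the public addresses is kept, and the parser tolerates it); the expectation that a working tunnel carries ESP both ways is the operator's working assumption, not something the capture states.

```python
"""Direction check for an IPsec tunnel from tcpdump -n text output.

Added example for the thread above. It counts ESP and IKE (UDP 500/4500)
datagrams per direction, checks ESP sequence numbers per SPI for gaps, and
flags a tunnel that carries ESP in one direction only.
"""
import re
from collections import defaultdict

# tcpdump excerpt pasted in the thread, kept verbatim (input for this example).
SAMPLE_CAPTURE = """\
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb4), length 92
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb5), length 92
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb6), length 92
IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb7), length 92
IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb8), length 92
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb9), length 92
IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xba), length 92
IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbb), length 92
IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbc), length 92
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbd), length 92
"""

ESP_RE = re.compile(r"^IP (\S+) > (\S+): ESP\(spi=0x([0-9a-fA-F]+),seq=0x([0-9a-fA-F]+)\)")
IKE_RE = re.compile(r"^IP (\S+)\.(500|4500) > (\S+)\.(500|4500): UDP")


def parse_capture(lines):
    """Split tcpdump lines into ESP records (src, dst, spi, seq) and IKE
    records (src, dst, dport); anything else is ignored."""
    esp, ike = [], []
    for line in lines:
        m = ESP_RE.match(line.strip())
        if m:
            src, dst, spi, seq = m.groups()
            esp.append((src, dst, int(spi, 16), int(seq, 16)))
            continue
        m = IKE_RE.match(line.strip())
        if m:
            src, _sport, dst, dport = m.groups()
            ike.append((src, dst, int(dport)))
    return esp, ike


def analyze(lines):
    """Return per-direction counts, per-SPI sequence gaps and a findings list."""
    esp, ike = parse_capture(lines)
    esp_count, ike_count = defaultdict(int), defaultdict(int)
    seqs_by_spi = defaultdict(list)
    for src, dst, spi, seq in esp:
        esp_count[(src, dst)] += 1
        seqs_by_spi[(src, dst, spi)].append(seq)
    for src, dst, _dport in ike:
        ike_count[(src, dst)] += 1

    findings, seq_gaps = [], {}
    # ESP sequence numbers increase by one per datagram on an SA; a hole means
    # loss on the path or a second sender using the same SPI.
    for key, seqs in seqs_by_spi.items():
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - set(seqs))
        if missing:
            seq_gaps[key] = missing
            findings.append("ESP seq gaps on spi=0x%08x %s->%s: %s"
                            % (key[2], key[0], key[1], missing))

    # A tunnel that passes traffic shows ESP in both directions. A peer that
    # receives ESP but only ever sends IKE is not using any outbound SA:
    # no matching outbound SPD entry, or its replies never enter the tunnel.
    peers = sorted({p for pair in list(esp_count) + list(ike_count) for p in pair})
    for a in peers:
        for b in peers:
            if a != b and esp_count.get((b, a), 0) and not esp_count.get((a, b), 0):
                findings.append("one-way ESP: %s receives ESP from %s but never sends any (IKE sent: %d)"
                                % (a, b, ike_count.get((a, b), 0)))
    return {"esp": dict(esp_count), "ike": dict(ike_count),
            "seq_gaps": seq_gaps, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_CAPTURE.splitlines())["findings"]:
        print(finding)
```

On the posted excerpt this reports ten ESP datagrams from .44 to .30, none the other way, four IKE datagrams in each direction, no sequence gaps, and one finding: .30 receives ESP but never sends any. The next step on the .30 box would be setkey -D and setkey -DP to confirm an outbound SA and an outbound SPD entry for 192.168.1.0/24 to 192.168.70.0/24 exist, which the posted ipsec.conf (only flush; spdflush;) does not install statically.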