Zum Inhalt springen

Empfohlene Beiträge

Geschrieben

Hallo,,

ich habe ein Problem, werde aus dem IPsec/Openswan Gemisch nicht wirklich schlau.

ich verstehe nicht, warum die sa nicht aufgebaut wird

hat jemand eine ahnung ??

Ich habe mir ein kleines netz aufgebaut

openswanA <---> router <---> openswanB

dirk@ubuvmsrv04:/tmp$ sudo ipsec verify

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path [OK]

Linux Openswan 2.6.22 (klips)

Checking for IPsec support in kernel [OK]

KLIPS detected, checking for NAT Traversal support [OK]

Checking for RSA private key (/etc/ipsec.secrets) [OK]

Checking that pluto is running [OK]

Two or more interfaces found, checking IP forwarding [FAILED]

Checking for 'ip' command [OK]

Checking for 'iptables' command [OK]

Opportunistic Encryption Support [DISABLED]

Konfig openswanA:

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration

config setup

interfaces="ipsec0=eth1"

klipsdebug=none

plutodebug=none

oe=off

protostack=klips

# Add connections here

conn %default

keyingtries=0

authby=secret

conn lan

leftid=10.0.0.1

left=10.0.0.1

leftsubnet=172.16.0.0/22

leftnexthop=10.0.0.2

right=10.0.1.1

rightid=10.1.1

rightsubnet=172.16.4.0/22

auto=start

type=tunnel

openswanB

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration

config setup

interfaces="ipsec0=eth1"

klipsdebug=none

plutodebug=none

# Do not set debug options to debug configuration issues!

oe=off

# which IPsec stack to use. netkey,klips,mast,auto or none

protostack=klips

# Add connections here

conn %default

keyingtries=0

authby=secret

# sample VPN connection

# for more examples, see /etc/ipsec.d/examples/

conn lan

leftid=10.0.1.1

left=10.0.1.1

leftsubnet=172.16.4.0/22

leftnexthop=10.0.1.2

rightid=10.0.0.1

right=10.0.0.1

rightsubnet=172.16.0.0/22

auto=start

type=tunnel

output openswanA ipsec auto status:

000 using kernel interface: klips

000 interface ipsec0/eth1 10.0.0.1

000 %myid = (none)

000 debug none

000

000 virtual_private (%priv):

000 - allowed 0 subnets:

000 - disallowed 0 subnets:

000 WARNING: Either virtual_private= was not specified, or there was a syntax

000 error in that line. 'left/rightsubnet=%priv' will not work!

000

000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192

000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256

000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128

000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160

000

000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128

000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192

000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128

000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128

000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128

000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128

000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16

000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20

000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32

000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64

000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024

000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536

000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048

000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072

000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096

000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144

000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192

000

000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}

000

000 "lan": 172.16.0.0/22===10.0.0.1<10.0.0.1>[+S=C]---10.0.0.2...10.0.1.1<10.0.1.1>[10.1.1.0,+S=C]===172.16.4.0/22; prospective ero

000 "lan": myip=unset; hisip=unset;

000 "lan": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0

000 "lan": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 22,22; interface: eth1;

000 "lan": newest ISAKMP SA: #0; newest IPsec SA: #0;

000

000 #1: "lan":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

000 #1: pending Phase 2 for "lan" replacing #0

000

output von openswanB

000 using kernel interface: klips

000 interface ipsec0/eth1 10.0.1.1

000 %myid = (none)

000 debug none

000

000 virtual_private (%priv):

000 - allowed 0 subnets:

000 - disallowed 0 subnets:

000 WARNING: Either virtual_private= was not specified, or there was a syntax

000 error in that line. 'left/rightsubnet=%priv' will not work!

000

000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192

000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256

000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128

000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160

000

000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128

000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192

000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128

000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128

000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128

000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128

000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16

000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20

000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32

000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64

000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024

000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536

000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048

000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072

000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096

000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144

000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192

000

000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}

000

000 "lan": 172.16.4.0/22===10.0.1.1<10.0.1.1>[+S=C]---10.0.1.2...10.0.0.1<10.0.0.1>[+S=C]===172.16.0.0/22; prospective erouted; eroute owner: #0

000 "lan": myip=unset; hisip=unset;

000 "lan": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0

000 "lan": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 22,22; interface: eth1;

000 "lan": newest ISAKMP SA: #0; newest IPsec SA: #0;

000

000 #1: "lan":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 0s; nodpd; idle; import:admin initiate

000 #1: pending Phase 2 for "lan" replacing #0

000 #1: pending Phase 2 for "lan" replacing #0

000

Dein Kommentar

Du kannst jetzt schreiben und Dich später registrieren. Wenn Du ein Konto hast, melde Dich jetzt an, um unter Deinem Benutzernamen zu schreiben.

Gast
Auf dieses Thema antworten...

×   Du hast formatierten Text eingefügt.   Formatierung wiederherstellen

  Nur 75 Emojis sind erlaubt.

×   Dein Link wurde automatisch eingebettet.   Einbetten rückgängig machen und als Link darstellen

×   Dein vorheriger Inhalt wurde wiederhergestellt.   Editor leeren

×   Du kannst Bilder nicht direkt einfügen. Lade Bilder hoch oder lade sie von einer URL.

Fachinformatiker.de, 2024 by SE Internet Services

fidelogo_small.png

Schicke uns eine Nachricht!

Fachinformatiker.de ist die größte IT-Community
rund um Ausbildung, Job, Weiterbildung für IT-Fachkräfte.

Fachinformatiker.de App

Download on the App Store
Get it on Google Play

Kontakt

Hier werben?
Oder sende eine E-Mail an

Social media u. feeds

Jobboard für Fachinformatiker und IT-Fachkräfte

×
×
  • Neu erstellen...