
racoon erzeugt keine policies


engelinzivil71


Hallo, hier ist meine Server-Konfiguration:

RACOON.CONF

# Simple racoon.conf

#

# Server-side racoon.conf: it only selects which per-peer file is loaded.
path include "/etc/racoon";

# Active peer file (its contents are shown below as UBUDESKLAB02.CONF).
include "ubudesklab02.conf";

# Second peer file is disabled; it is not shown on this page.
#include "ubuvmsrv02.conf";

UBUDESKLAB02.CONF

# Directory the certificate/key file names below are resolved against.
path certificate "/etc/racoon/certs";

# Responder entry: any peer address may start Phase 1 (passive on below),
# so the only thing binding the peer's identity is the X.509 check.
remote anonymous {

exchange_mode main;

# This side only answers; it never initiates.
passive on;

# This host's own certificate and private key (relative to the certificate path).
certificate_type x509 "ubuvmsrv01_cert.pem" "ubuvmsrv01_key.pem";

# Disabled: the peer certificate is presumably taken from the CERT payload
# of the exchange instead of a local file — confirm that is intended.
# peers_certfile x509 "ubudesklab02_cert.pem";

# Commented out; racoon.conf(5) documents verify_cert as defaulting to on,
# so the peer certificate should still be checked against the CA
# certificates in the certificate path — confirm a CA certificate is there.
# verify_cert on;

# Both identities are the certificate subject DNs.
my_identifier asn1dn;

peers_identifier asn1dn;

# Phase 1 (IKE) proposal. 3DES, SHA-1 and a 1024-bit DH group are
# legacy-strength by today's standards; acceptable for a lab, not beyond.
proposal {

encryption_algorithm 3des;

hash_algorithm sha1;

# Certificate-based authentication; the PSK alternative is disabled.
authentication_method rsasig;

# authentication_method pre_shared_key;

dh_group modp1024;

}

# The responder builds SPD entries from whatever the initiator proposes, so
# no spdadd entries are needed on this side (the server setkey.conf shown on
# this page only flushes). An authenticated peer thereby chooses the selectors.
generate_policy on;

}

# Phase 2 (IPsec SA) parameters offered to any peer.
# NOTE(review): the closing `}` of this block is missing from the paste —
# confirm the real file has it; racoon would presumably reject the file otherwise.
sainfo anonymous {

# PFS with modp768 (DH group 1) is considered too weak today; prefer at
# least the modp1024 already used for Phase 1.
pfs_group modp768;

encryption_algorithm 3des;

# HMAC-MD5 for ESP integrity is likewise deprecated; hmac_sha1 or better.
authentication_algorithm hmac_md5;

# The server log reports this cannot be validated against the kernel
# ("compression algorithm can not be checked because sadb message doesn't support it").
compression_algorithm deflate;

setkey.conf

#!/bin/sh

# NOTE(review): the shebang above suggests this file is run as a shell
# script; `flush;` and `spdflush;` are setkey directives and only mean
# something when the file is fed to `setkey -f` — confirm how it is invoked.
# Server side: clear all SAs (SAD) and all policies (SPD), install nothing;
# the SPD is populated at runtime via generate_policy in the peer file.
flush;

spdflush;

log:

2009-09-29 22:29:19: INFO: 10.0.0.1[500] used for NAT-T

2009-09-29 22:29:19: INFO: 10.0.1.1[500] used as isakmp port (fd=10)

2009-09-29 22:29:19: INFO: 10.0.1.1[500] used for NAT-T

2009-09-29 22:29:19: INFO: 172.16.1.1[500] used as isakmp port (fd=11)

2009-09-29 22:29:19: INFO: 172.16.1.1[500] used for NAT-T

2009-09-29 22:29:19: INFO: ::1[500] used as isakmp port (fd=12)

2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:9369%eth0[500] used as isakmp port (fd=13)

2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:9373%eth1[500] used as isakmp port (fd=14)

2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:937d%eth2[500] used as isakmp port (fd=15)

2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:9387%eth3[500] used as isakmp port (fd=16)

2009-09-29 22:29:31: INFO: caught signal 15

2009-09-29 22:29:32: INFO: racoon shutdown

2009-09-29 22:29:37: INFO: @(#)ipsec-tools 0.7 (IPsec Tools Homepage)

2009-09-29 22:29:37: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (OpenSSL: The Open Source toolkit for SSL/TLS)

2009-09-29 22:29:37: INFO: Reading configuration from "/etc/racoon/racoon.conf"

2009-09-29 22:29:37: DEBUG: call pfkey_send_register for AH

2009-09-29 22:29:37: DEBUG: call pfkey_send_register for ESP

2009-09-29 22:29:38: DEBUG: call pfkey_send_register for IPCOMP

2009-09-29 22:29:38: INFO: Resize address pool from 0 to 255

2009-09-29 22:29:38: DEBUG: reading config file /etc/racoon/racoon.conf

2009-09-29 22:29:38: DEBUG: filename: /etc/racoon/ubudesklab02.conf

2009-09-29 22:29:38: DEBUG: reading config file /etc/racoon/ubudesklab02.conf

2009-09-29 22:29:38: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.

2009-09-29 22:29:38: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0

2009-09-29 22:29:38: DEBUG: getsainfo pass #2

2009-09-29 22:29:38: DEBUG: open /var/run/racoon/racoon.sock as racoon management.

2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:9387%eth3 (eth3)

2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:937d%eth2 (eth2)

2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:9373%eth1 (eth1)

2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:9369%eth0 (eth0)

2009-09-29 22:29:38: DEBUG: my interface: ::1 (lo)

2009-09-29 22:29:38: DEBUG: my interface: 172.16.1.1 (eth3)

2009-09-29 22:29:38: DEBUG: my interface: 10.0.1.1 (eth2)

2009-09-29 22:29:38: DEBUG: my interface: 10.0.0.1 (eth2)

2009-09-29 22:29:38: DEBUG: my interface: 192.168.3.10 (eth1)

2009-09-29 22:29:38: DEBUG: my interface: 192.168.1.10 (eth0)

2009-09-29 22:29:38: DEBUG: my interface: 127.0.0.1 (lo)

2009-09-29 22:29:38: DEBUG: configuring default isakmp port.

2009-09-29 22:29:38: DEBUG: 11 addrs are configured successfully

2009-09-29 22:29:38: INFO: 127.0.0.1[500] used as isakmp port (fd=6)

2009-09-29 22:29:38: INFO: 127.0.0.1[500] used for NAT-T

2009-09-29 22:29:38: INFO: 192.168.1.10[500] used as isakmp port (fd=7)

2009-09-29 22:29:38: INFO: 192.168.1.10[500] used for NAT-T

2009-09-29 22:29:38: INFO: 192.168.3.10[500] used as isakmp port (fd=8)

2009-09-29 22:29:38: INFO: 192.168.3.10[500] used for NAT-T

2009-09-29 22:29:38: INFO: 10.0.0.1[500] used as isakmp port (fd=9)

2009-09-29 22:29:38: INFO: 10.0.0.1[500] used for NAT-T

2009-09-29 22:29:38: INFO: 10.0.1.1[500] used as isakmp port (fd=10)

2009-09-29 22:29:38: INFO: 10.0.1.1[500] used for NAT-T

2009-09-29 22:29:38: INFO: 172.16.1.1[500] used as isakmp port (fd=11)

2009-09-29 22:29:38: INFO: 172.16.1.1[500] used for NAT-T

2009-09-29 22:29:38: INFO: ::1[500] used as isakmp port (fd=12)

2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:9369%eth0[500] used as isakmp port (fd=13)

2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:9373%eth1[500] used as isakmp port (fd=14)

2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:937d%eth2[500] used as isakmp port (fd=15)

2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:9387%eth3[500] used as isakmp port (fd=16)

2009-09-29 22:29:38: DEBUG: pk_recv: retry[0] recv()

2009-09-29 22:29:38: DEBUG: get pfkey X_SPDDUMP message

2009-09-29 22:29:38: DEBUG: pfkey X_SPDDUMP failed: No such file or directory

...

2009-09-29 22:30:36: DEBUG: get pfkey UPDATE message

2009-09-29 22:30:36: DEBUG: pfkey UPDATE succeeded: AH/Transport 10.0.1.4[0]->10.0.1.1[0] spi=8954949(0x88a445)

2009-09-29 22:30:36: INFO: IPsec-SA established: AH/Transport 10.0.1.4[0]->10.0.1.1[0] spi=8954949(0x88a445)

2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv()

2009-09-29 22:30:36: DEBUG: get pfkey UPDATE message

2009-09-29 22:30:36: DEBUG: pfkey UPDATE succeeded: ESP/Transport 10.0.1.4[0]->10.0.1.1[0] spi=143781562(0x891eeba)

2009-09-29 22:30:36: INFO: IPsec-SA established: ESP/Transport 10.0.1.4[0]->10.0.1.1[0] spi=143781562(0x891eeba)

2009-09-29 22:30:36: DEBUG: ===

2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv()

2009-09-29 22:30:36: DEBUG: get pfkey ADD message

2009-09-29 22:30:36: INFO: IPsec-SA established: AH/Transport 10.0.1.1[500]->10.0.1.4[500] spi=156377460(0x9522174)

2009-09-29 22:30:36: DEBUG: ===

2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv()

2009-09-29 22:30:36: DEBUG: get pfkey ADD message

2009-09-29 22:30:36: INFO: IPsec-SA established: ESP/Transport 10.0.1.1[500]->10.0.1.4[500] spi=212631701(0xcac8095)

2009-09-29 22:30:36: DEBUG: ===

2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv()

2009-09-29 22:30:36: DEBUG: get pfkey X_SPDUPDATE message

2009-09-29 22:30:36: ERROR: such policy does not already exist: "10.0.1.4/32[500] 10.0.1.1/32[500] proto=any dir=in"

2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv()

2009-09-29 22:30:36: DEBUG: get pfkey X_SPDUPDATE message

2009-09-29 22:30:36: DEBUG: sub:0xbffbbd90: 10.0.1.1/32[500] 10.0.1.4/32[500] proto=any dir=out

2009-09-29 22:30:36: DEBUG: db :0x8a2e7d0: 10.0.1.4/32[500] 10.0.1.1/32[500] proto=any dir=in

2009-09-29 22:30:36: ERROR: such policy does not already exist: "10.0.1.1/32[500] 10.0.1.4/32[500] proto=any dir=out"

client:

setkey.conf

# SPD configuration (client side). These selectors carry no ports; the
# failing X_SPDUPDATE lines in the server log above carry [500] on both
# ends — worth comparing when tracing the "policy does not already exist" errors.

# Outbound traffic to the server must be protected by ESP and AH, both in
# transport mode. AH on top of authenticated ESP adds IP-header integrity
# but is otherwise largely redundant — keep it only if that is intended.
spdadd 10.0.1.4 10.0.1.1 any -P out ipsec

esp/transport//require

ah/transport//require;

# Mirror policy for the inbound direction.
spdadd 10.0.1.1 10.0.1.4 any -P in ipsec

esp/transport//require

ah/transport//require;

ubuvmsrv01.conf

# Directory the certificate/key file names below are resolved against.
path certificate "/etc/racoon/certs";

# Initiator entry for the server at 10.0.1.1 (no `passive`, so this side
# starts Phase 1).
remote 10.0.1.1 {

exchange_mode main;

# This client's own certificate and private key.
certificate_type x509 "ubudesklab02_cert.pem" "ubudesklab02_key.pem";

# Disabled: the server certificate is presumably taken from the CERT
# payload — the CA that issued it must then be present in the certificate path.
# peers_certfile x509 "ubuvmsrv01_cert.pem";

# Commented out, but racoon.conf(5) documents the default as on, so the
# server certificate should still be verified — confirm.
# verify_cert on;

# Both identities are the certificate subject DNs.
my_identifier asn1dn;

peers_identifier asn1dn;

# Phase 1 proposal; must match the server's (it does: 3des/sha1/rsasig/modp1024).
proposal {

encryption_algorithm 3des;

hash_algorithm sha1;

authentication_method rsasig;

# authentication_method pre_shared_key;

dh_group modp1024;

}

# racoon.conf(5) describes generate_policy as a responder-side directive;
# it presumably has no effect for this initiator entry, whose policies come
# from the spdadd entries in the client setkey.conf.
generate_policy on;

}

# Phase 2 parameters, restricted to the client/server pair that the spdadd
# entries select (any upper-layer protocol on either side).
sainfo address 10.0.1.4 any address 10.0.1.1 any {

# modp768 and hmac_md5 are weak by today's standards (same remark as for
# the server); they must stay identical on both sides to negotiate.
pfs_group modp768;

encryption_algorithm 3des;

authentication_algorithm hmac_md5;

compression_algorithm deflate;

}

Die racoon.conf ist analog zu der des Servers aufgebaut.

Wieso kommt kein Tunnel zustande?

