Zum Inhalt springen

Empfohlene Beiträge

Geschrieben

Hallo, hier ist meine server config:

RACOON.CONF

# Simple racoon.conf

#

path include "/etc/racoon";

include "ubudesklab02.conf";

#include "ubuvmsrv02.conf";

UBUDESKLAB02.CONF

path certificate "/etc/racoon/certs";

remote anonymous {

exchange_mode main;

passive on;

certificate_type x509 "ubuvmsrv01_cert.pem" "ubuvmsrv01_key.pem";

# peers_certfile x509 "ubudesklab02_cert.pem";

# verify_cert on;

my_identifier asn1dn;

peers_identifier asn1dn;

proposal {

encryption_algorithm 3des;

hash_algorithm sha1;

authentication_method rsasig;

# authentication_method pre_shared_key;

dh_group modp1024;

}

generate_policy on;

}

sainfo anonymous {

pfs_group modp768;

encryption_algorithm 3des;

authentication_algorithm hmac_md5;

compression_algorithm deflate;

setkey.conf

#!/bin/sh

flush;

spdflush;

log:

2009-09-29 22:29:19: INFO: 10.0.0.1[500] used for NAT-T

2009-09-29 22:29:19: INFO: 10.0.1.1[500] used as isakmp port (fd=10)

2009-09-29 22:29:19: INFO: 10.0.1.1[500] used for NAT-T

2009-09-29 22:29:19: INFO: 172.16.1.1[500] used as isakmp port (fd=11)

2009-09-29 22:29:19: INFO: 172.16.1.1[500] used for NAT-T

2009-09-29 22:29:19: INFO: ::1[500] used as isakmp port (fd=12)

2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:9369%eth0[500] used as isakmp port (fd=13)

2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:9373%eth1[500] used as isakmp port (fd=14)

2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:937d%eth2[500] used as isakmp port (fd=15)

2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:9387%eth3[500] used as isakmp port (fd=16)

2009-09-29 22:29:31: INFO: caught signal 15

2009-09-29 22:29:32: INFO: racoon shutdown

2009-09-29 22:29:37: INFO: @(#)ipsec-tools 0.7 (IPsec Tools Homepage)

2009-09-29 22:29:37: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (OpenSSL: The Open Source toolkit for SSL/TLS)

2009-09-29 22:29:37: INFO: Reading configuration from "/etc/racoon/racoon.conf"

2009-09-29 22:29:37: DEBUG: call pfkey_send_register for AH

2009-09-29 22:29:37: DEBUG: call pfkey_send_register for ESP

2009-09-29 22:29:38: DEBUG: call pfkey_send_register for IPCOMP

2009-09-29 22:29:38: INFO: Resize address pool from 0 to 255

2009-09-29 22:29:38: DEBUG: reading config file /etc/racoon/racoon.conf

2009-09-29 22:29:38: DEBUG: filename: /etc/racoon/ubudesklab02.conf

2009-09-29 22:29:38: DEBUG: reading config file /etc/racoon/ubudesklab02.conf

2009-09-29 22:29:38: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.

2009-09-29 22:29:38: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0

2009-09-29 22:29:38: DEBUG: getsainfo pass #2

2009-09-29 22:29:38: DEBUG: open /var/run/racoon/racoon.sock as racoon management.

2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:9387%eth3 (eth3)

2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:937d%eth2 (eth2)

2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:9373%eth1 (eth1)

2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:9369%eth0 (eth0)

2009-09-29 22:29:38: DEBUG: my interface: ::1 (lo)

2009-09-29 22:29:38: DEBUG: my interface: 172.16.1.1 (eth3)

2009-09-29 22:29:38: DEBUG: my interface: 10.0.1.1 (eth2)

2009-09-29 22:29:38: DEBUG: my interface: 10.0.0.1 (eth2)

2009-09-29 22:29:38: DEBUG: my interface: 192.168.3.10 (eth1)

2009-09-29 22:29:38: DEBUG: my interface: 192.168.1.10 (eth0)

2009-09-29 22:29:38: DEBUG: my interface: 127.0.0.1 (lo)

2009-09-29 22:29:38: DEBUG: configuring default isakmp port.

2009-09-29 22:29:38: DEBUG: 11 addrs are configured successfully

2009-09-29 22:29:38: INFO: 127.0.0.1[500] used as isakmp port (fd=6)

2009-09-29 22:29:38: INFO: 127.0.0.1[500] used for NAT-T

2009-09-29 22:29:38: INFO: 192.168.1.10[500] used as isakmp port (fd=7)

2009-09-29 22:29:38: INFO: 192.168.1.10[500] used for NAT-T

2009-09-29 22:29:38: INFO: 192.168.3.10[500] used as isakmp port (fd=8)

2009-09-29 22:29:38: INFO: 192.168.3.10[500] used for NAT-T

2009-09-29 22:29:38: INFO: 10.0.0.1[500] used as isakmp port (fd=9)

2009-09-29 22:29:38: INFO: 10.0.0.1[500] used for NAT-T

2009-09-29 22:29:38: INFO: 10.0.1.1[500] used as isakmp port (fd=10)

2009-09-29 22:29:38: INFO: 10.0.1.1[500] used for NAT-T

2009-09-29 22:29:38: INFO: 172.16.1.1[500] used as isakmp port (fd=11)

2009-09-29 22:29:38: INFO: 172.16.1.1[500] used for NAT-T

2009-09-29 22:29:38: INFO: ::1[500] used as isakmp port (fd=12)

2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:9369%eth0[500] used as isakmp port (fd=13)

2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:9373%eth1[500] used as isakmp port (fd=14)

2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:937d%eth2[500] used as isakmp port (fd=15)

2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:9387%eth3[500] used as isakmp port (fd=16)

2009-09-29 22:29:38: DEBUG: pk_recv: retry[0] recv()

2009-09-29 22:29:38: DEBUG: get pfkey X_SPDDUMP message

2009-09-29 22:29:38: DEBUG: pfkey X_SPDDUMP failed: No such file or directory

...

2009-09-29 22:30:36: DEBUG: get pfkey UPDATE message

2009-09-29 22:30:36: DEBUG: pfkey UPDATE succeeded: AH/Transport 10.0.1.4[0]->10.0.1.1[0] spi=8954949(0x88a445)

2009-09-29 22:30:36: INFO: IPsec-SA established: AH/Transport 10.0.1.4[0]->10.0.1.1[0] spi=8954949(0x88a445)

2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv()

2009-09-29 22:30:36: DEBUG: get pfkey UPDATE message

2009-09-29 22:30:36: DEBUG: pfkey UPDATE succeeded: ESP/Transport 10.0.1.4[0]->10.0.1.1[0] spi=143781562(0x891eeba)

2009-09-29 22:30:36: INFO: IPsec-SA established: ESP/Transport 10.0.1.4[0]->10.0.1.1[0] spi=143781562(0x891eeba)

2009-09-29 22:30:36: DEBUG: ===

2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv()

2009-09-29 22:30:36: DEBUG: get pfkey ADD message

2009-09-29 22:30:36: INFO: IPsec-SA established: AH/Transport 10.0.1.1[500]->10.0.1.4[500] spi=156377460(0x9522174)

2009-09-29 22:30:36: DEBUG: ===

2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv()

2009-09-29 22:30:36: DEBUG: get pfkey ADD message

2009-09-29 22:30:36: INFO: IPsec-SA established: ESP/Transport 10.0.1.1[500]->10.0.1.4[500] spi=212631701(0xcac8095)

2009-09-29 22:30:36: DEBUG: ===

2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv()

2009-09-29 22:30:36: DEBUG: get pfkey X_SPDUPDATE message

2009-09-29 22:30:36: ERROR: such policy does not already exist: "10.0.1.4/32[500] 10.0.1.1/32[500] proto=any dir=in"

2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv()

2009-09-29 22:30:36: DEBUG: get pfkey X_SPDUPDATE message

2009-09-29 22:30:36: DEBUG: sub:0xbffbbd90: 10.0.1.1/32[500] 10.0.1.4/32[500] proto=any dir=out

2009-09-29 22:30:36: DEBUG: db :0x8a2e7d0: 10.0.1.4/32[500] 10.0.1.1/32[500] proto=any dir=in

2009-09-29 22:30:36: ERROR: such policy does not already exist: "10.0.1.1/32[500] 10.0.1.4/32[500] proto=any dir=out"

client:

setkey.conf.

#SPD Konfig

spdadd 10.0.1.4 10.0.1.1 any -P out ipsec

esp/transport//require

ah/transport//require;

spdadd 10.0.1.1 10.0.1.4 any -P in ipsec

esp/transport//require

ah/transport//require;

ubuvmsrv01.conf

path certificate "/etc/racoon/certs";

remote 10.0.1.1 {

exchange_mode main;

certificate_type x509 "ubudesklab02_cert.pem" "ubudesklab02_key.pem";

# peers_certfile x509 "ubuvmsrv01_cert.pem";

# verify_cert on;

my_identifier asn1dn;

peers_identifier asn1dn;

proposal {

encryption_algorithm 3des;

hash_algorithm sha1;

authentication_method rsasig;

# authentication_method pre_shared_key;

dh_group modp1024;

}

generate_policy on;

}

sainfo address 10.0.1.4 any address 10.0.1.1 any {

pfs_group modp768;

encryption_algorithm 3des;

authentication_algorithm hmac_md5;

compression_algorithm deflate;

}

die racoon.conf ist analog wie beim server aufgebaut.

wieso kommt kein tunnel zustande ???

Dein Kommentar

Du kannst jetzt schreiben und Dich später registrieren. Wenn Du ein Konto hast, melde Dich jetzt an, um unter Deinem Benutzernamen zu schreiben.

Gast
Auf dieses Thema antworten...

×   Du hast formatierten Text eingefügt.   Formatierung wiederherstellen

  Nur 75 Emojis sind erlaubt.

×   Dein Link wurde automatisch eingebettet.   Einbetten rückgängig machen und als Link darstellen

×   Dein vorheriger Inhalt wurde wiederhergestellt.   Editor leeren

×   Du kannst Bilder nicht direkt einfügen. Lade Bilder hoch oder lade sie von einer URL.

Fachinformatiker.de, 2024 by SE Internet Services

fidelogo_small.png

Schicke uns eine Nachricht!

Fachinformatiker.de ist die größte IT-Community
rund um Ausbildung, Job, Weiterbildung für IT-Fachkräfte.

Fachinformatiker.de App

Download on the App Store
Get it on Google Play

Kontakt

Hier werben?
Oder sende eine E-Mail an

Social media u. feeds

Jobboard für Fachinformatiker und IT-Fachkräfte

×
×
  • Neu erstellen...