engelinzivil71 Geschrieben 29. September 2009 Hallo, hier ist meine Server-Config: RACOON.CONF # Simple racoon.conf # path include "/etc/racoon"; include "ubudesklab02.conf"; #include "ubuvmsrv02.conf"; UBUDESKLAB02.CONF path certificate "/etc/racoon/certs"; remote anonymous { exchange_mode main; passive on; certificate_type x509 "ubuvmsrv01_cert.pem" "ubuvmsrv01_key.pem"; # peers_certfile x509 "ubudesklab02_cert.pem"; # verify_cert on; my_identifier asn1dn; peers_identifier asn1dn; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method rsasig; # authentication_method pre_shared_key; dh_group modp1024; } generate_policy on; } sainfo anonymous { pfs_group modp768; encryption_algorithm 3des; authentication_algorithm hmac_md5; compression_algorithm deflate; } setkey.conf #!/bin/sh flush; spdflush; log: 2009-09-29 22:29:19: INFO: 10.0.0.1[500] used for NAT-T 2009-09-29 22:29:19: INFO: 10.0.1.1[500] used as isakmp port (fd=10) 2009-09-29 22:29:19: INFO: 10.0.1.1[500] used for NAT-T 2009-09-29 22:29:19: INFO: 172.16.1.1[500] used as isakmp port (fd=11) 2009-09-29 22:29:19: INFO: 172.16.1.1[500] used for NAT-T 2009-09-29 22:29:19: INFO: ::1[500] used as isakmp port (fd=12) 2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:9369%eth0[500] used as isakmp port (fd=13) 2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:9373%eth1[500] used as isakmp port (fd=14) 2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:937d%eth2[500] used as isakmp port (fd=15) 2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:9387%eth3[500] used as isakmp port (fd=16) 2009-09-29 22:29:31: INFO: caught signal 15 2009-09-29 22:29:32: INFO: racoon shutdown 2009-09-29 22:29:37: INFO: @(#)ipsec-tools 0.7 (IPsec Tools Homepage) 2009-09-29 22:29:37: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (OpenSSL: The Open Source toolkit for SSL/TLS) 2009-09-29 22:29:37: INFO: Reading configuration from "/etc/racoon/racoon.conf" 2009-09-29 22:29:37: DEBUG: call 
pfkey_send_register for AH 2009-09-29 22:29:37: DEBUG: call pfkey_send_register for ESP 2009-09-29 22:29:38: DEBUG: call pfkey_send_register for IPCOMP 2009-09-29 22:29:38: INFO: Resize address pool from 0 to 255 2009-09-29 22:29:38: DEBUG: reading config file /etc/racoon/racoon.conf 2009-09-29 22:29:38: DEBUG: filename: /etc/racoon/ubudesklab02.conf 2009-09-29 22:29:38: DEBUG: reading config file /etc/racoon/ubudesklab02.conf 2009-09-29 22:29:38: DEBUG: compression algorithm can not be checked because sadb message doesn't support it. 2009-09-29 22:29:38: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0 2009-09-29 22:29:38: DEBUG: getsainfo pass #2 2009-09-29 22:29:38: DEBUG: open /var/run/racoon/racoon.sock as racoon management. 2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:9387%eth3 (eth3) 2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:937d%eth2 (eth2) 2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:9373%eth1 (eth1) 2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:9369%eth0 (eth0) 2009-09-29 22:29:38: DEBUG: my interface: ::1 (lo) 2009-09-29 22:29:38: DEBUG: my interface: 172.16.1.1 (eth3) 2009-09-29 22:29:38: DEBUG: my interface: 10.0.1.1 (eth2) 2009-09-29 22:29:38: DEBUG: my interface: 10.0.0.1 (eth2) 2009-09-29 22:29:38: DEBUG: my interface: 192.168.3.10 (eth1) 2009-09-29 22:29:38: DEBUG: my interface: 192.168.1.10 (eth0) 2009-09-29 22:29:38: DEBUG: my interface: 127.0.0.1 (lo) 2009-09-29 22:29:38: DEBUG: configuring default isakmp port. 
2009-09-29 22:29:38: DEBUG: 11 addrs are configured successfully 2009-09-29 22:29:38: INFO: 127.0.0.1[500] used as isakmp port (fd=6) 2009-09-29 22:29:38: INFO: 127.0.0.1[500] used for NAT-T 2009-09-29 22:29:38: INFO: 192.168.1.10[500] used as isakmp port (fd=7) 2009-09-29 22:29:38: INFO: 192.168.1.10[500] used for NAT-T 2009-09-29 22:29:38: INFO: 192.168.3.10[500] used as isakmp port (fd=8) 2009-09-29 22:29:38: INFO: 192.168.3.10[500] used for NAT-T 2009-09-29 22:29:38: INFO: 10.0.0.1[500] used as isakmp port (fd=9) 2009-09-29 22:29:38: INFO: 10.0.0.1[500] used for NAT-T 2009-09-29 22:29:38: INFO: 10.0.1.1[500] used as isakmp port (fd=10) 2009-09-29 22:29:38: INFO: 10.0.1.1[500] used for NAT-T 2009-09-29 22:29:38: INFO: 172.16.1.1[500] used as isakmp port (fd=11) 2009-09-29 22:29:38: INFO: 172.16.1.1[500] used for NAT-T 2009-09-29 22:29:38: INFO: ::1[500] used as isakmp port (fd=12) 2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:9369%eth0[500] used as isakmp port (fd=13) 2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:9373%eth1[500] used as isakmp port (fd=14) 2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:937d%eth2[500] used as isakmp port (fd=15) 2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:9387%eth3[500] used as isakmp port (fd=16) 2009-09-29 22:29:38: DEBUG: pk_recv: retry[0] recv() 2009-09-29 22:29:38: DEBUG: get pfkey X_SPDDUMP message 2009-09-29 22:29:38: DEBUG: pfkey X_SPDDUMP failed: No such file or directory ... 
2009-09-29 22:30:36: DEBUG: get pfkey UPDATE message 2009-09-29 22:30:36: DEBUG: pfkey UPDATE succeeded: AH/Transport 10.0.1.4[0]->10.0.1.1[0] spi=8954949(0x88a445) 2009-09-29 22:30:36: INFO: IPsec-SA established: AH/Transport 10.0.1.4[0]->10.0.1.1[0] spi=8954949(0x88a445) 2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv() 2009-09-29 22:30:36: DEBUG: get pfkey UPDATE message 2009-09-29 22:30:36: DEBUG: pfkey UPDATE succeeded: ESP/Transport 10.0.1.4[0]->10.0.1.1[0] spi=143781562(0x891eeba) 2009-09-29 22:30:36: INFO: IPsec-SA established: ESP/Transport 10.0.1.4[0]->10.0.1.1[0] spi=143781562(0x891eeba) 2009-09-29 22:30:36: DEBUG: === 2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv() 2009-09-29 22:30:36: DEBUG: get pfkey ADD message 2009-09-29 22:30:36: INFO: IPsec-SA established: AH/Transport 10.0.1.1[500]->10.0.1.4[500] spi=156377460(0x9522174) 2009-09-29 22:30:36: DEBUG: === 2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv() 2009-09-29 22:30:36: DEBUG: get pfkey ADD message 2009-09-29 22:30:36: INFO: IPsec-SA established: ESP/Transport 10.0.1.1[500]->10.0.1.4[500] spi=212631701(0xcac8095) 2009-09-29 22:30:36: DEBUG: === 2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv() 2009-09-29 22:30:36: DEBUG: get pfkey X_SPDUPDATE message 2009-09-29 22:30:36: ERROR: such policy does not already exist: "10.0.1.4/32[500] 10.0.1.1/32[500] proto=any dir=in" 2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv() 2009-09-29 22:30:36: DEBUG: get pfkey X_SPDUPDATE message 2009-09-29 22:30:36: DEBUG: sub:0xbffbbd90: 10.0.1.1/32[500] 10.0.1.4/32[500] proto=any dir=out 2009-09-29 22:30:36: DEBUG: db :0x8a2e7d0: 10.0.1.4/32[500] 10.0.1.1/32[500] proto=any dir=in 2009-09-29 22:30:36: ERROR: such policy does not already exist: "10.0.1.1/32[500] 10.0.1.4/32[500] proto=any dir=out" client: setkey.conf. 
#SPD Konfig spdadd 10.0.1.4 10.0.1.1 any -P out ipsec esp/transport//require ah/transport//require; spdadd 10.0.1.1 10.0.1.4 any -P in ipsec esp/transport//require ah/transport//require; ubuvmsrv01.conf path certificate "/etc/racoon/certs"; remote 10.0.1.1 { exchange_mode main; certificate_type x509 "ubudesklab02_cert.pem" "ubudesklab02_key.pem"; # peers_certfile x509 "ubuvmsrv01_cert.pem"; # verify_cert on; my_identifier asn1dn; peers_identifier asn1dn; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method rsasig; # authentication_method pre_shared_key; dh_group modp1024; } generate_policy on; } sainfo address 10.0.1.4 any address 10.0.1.1 any { pfs_group modp768; encryption_algorithm 3des; authentication_algorithm hmac_md5; compression_algorithm deflate; } Die racoon.conf ist analog zu der des Servers aufgebaut. Wieso kommt kein Tunnel zustande?