Root.cz Forum
Main topics => Networks => Topic started by: noger 15. 11. 2013, 09:45:33
-
Hello, I'm asking for help with configuring an IPsec tunnel between two companies.
I tried the following:
https://gir.me.uk/ipsec-vpn-with-debian-3-1/
http://braindump.bun.ch/VPN/Racoon_as_IPsec_client_for_Zywall
http://www.slashroot.in/linux-ipsec-site-site-vpnvirtual-private-network-configuration-using-openswan
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combination from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=auto
# Use this to log to a file, or disable logging on embedded systems (lik
#plutostderrlog=/dev/null
interfaces=%defaultroute
# Add connections here
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples
conn Alt
# # Left security gateway, subnet behind it, nexthop toward right.
left=217.67.31.7
# leftsubnet=217.67.31.7/
# leftnexthop=10.22.33.44
# # Right security gateway, subnet behind it, nexthop toward left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
auto=add
right=213.151.204.148
rightsubnet=213.151.208.151/32
ikelifetime=24h
keylife=24h
ike=aes256-sha1-modp1024
esp=aes256-sha1
pfs=yes
The technical parameters of the IPsec VPN are in the attachment.
I have never configured IPsec and have no experience with it.
When I run ipsec auto --up Alt
the cursor just keeps blinking and nothing happens.
Thanks in advance for any help
Mišo
-
Isn't the netmask missing in the 'leftsubnet' section?
In that config you have 'leftsubnet=217.67.31.7/'
-
@Rootless Rooter > that line is commented out
-
I'll also add the output of restarting ipsec:
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.37...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
and /var/log/authlog
Nov 15 09:51:48 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:52:28 istp pluto[1191]: "Alt" #76: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:52:28 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:53:08 istp pluto[1191]: "Alt" #76: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:53:08 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:53:48 istp pluto[1191]: "Alt" #76: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:53:48 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:54:28 istp pluto[1191]: "Alt" #76: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:54:28 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:55:08 istp pluto[1191]: "Alt" #76: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:55:08 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:55:48 istp pluto[1191]: "Alt" #76: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:55:48 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:56:28 istp pluto[1191]: "Alt" #76: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Nov 15 09:56:28 istp pluto[1191]: "Alt" #76: starting keying attempt 76 of an unlimited number
Nov 15 09:56:28 istp pluto[1191]: "Alt" #77: initiating Main Mode to replace #76
Nov 15 09:56:28 istp pluto[1191]: "Alt" #77: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:56:28 istp pluto[1191]: "Alt" #77: received and ignored informational message
Nov 15 09:56:38 istp pluto[1191]: "Alt" #77: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:56:38 istp pluto[1191]: "Alt" #77: received and ignored informational message
Nov 15 09:56:58 istp pluto[1191]: "Alt" #77: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:56:58 istp pluto[1191]: "Alt" #77: received and ignored informational message
Nov 15 09:57:08 istp pluto[1191]: "Alt": deleting connection
Nov 15 09:57:08 istp pluto[1191]: "Alt" #77: deleting state (STATE_MAIN_I1)
Nov 15 09:57:11 istp pluto[30492]: added connection description "Alt"
Nov 15 10:07:07 istp pluto[30492]: "Alt": deleting connection
Nov 15 10:07:10 istp pluto[31129]: added connection description "Alt"
Nov 15 10:08:22 istp pluto[31129]: "Alt": deleting connection
Nov 15 10:08:25 istp pluto[31432]: added connection description "Alt"
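As an added triage aid (not from the thread), here is a small Python parser for the pluto lines above: it distinguishes a peer that answers with NO_PROPOSAL_CHOSEN (reachable on udp/500 but rejecting the phase 1 proposal) from a peer that never answers at all (traffic being filtered). The sample log is a constructed subset of the lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto lines posted above (a subset, not the poster's full log).
SAMPLE_AUTHLOG = """\
Nov 15 09:52:28 istp pluto[1191]: "Alt" #76: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:52:28 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:56:28 istp pluto[1191]: "Alt" #76: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Nov 15 09:56:28 istp pluto[1191]: "Alt" #77: initiating Main Mode to replace #76
Nov 15 09:56:28 istp pluto[1191]: "Alt" #77: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:57:08 istp pluto[1191]: "Alt" #77: deleting state (STATE_MAIN_I1)
Nov 15 09:57:11 istp pluto[30492]: added connection description "Alt"
"""

# syslog prefix, pluto pid, optional '"conn" #state: ' and the message itself
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)"(?: #(?P<state>\d+))?: )?(?P<msg>.*)$'
)

def parse_pluto_log(text):
    """Yield one dict per pluto line; conn/state are None for daemon-level lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def triage(text):
    """Per connection: count NO_PROPOSAL_CHOSEN notifies and retransmission exhaustion,
    record the last IKE state seen, and derive a verdict. Returns {conn: summary}."""
    out = defaultdict(lambda: {"no_proposal": 0, "retrans_exhausted": 0,
                               "last_state": None, "verdict": "no problem seen"})
    for ev in parse_pluto_log(text):
        if not ev["conn"]:
            continue                                  # e.g. 'added connection description'
        s, msg = out[ev["conn"]], ev["msg"]
        s["no_proposal"] += "NO_PROPOSAL_CHOSEN" in msg
        s["retrans_exhausted"] += "max number of retransmissions" in msg
        st = re.search(r"STATE_[A-Z0-9_]+", msg)
        if st:
            s["last_state"] = st.group(0)
    for s in out.values():
        if s["no_proposal"] and s["last_state"] == "STATE_MAIN_I1":
            # the peer answers on udp/500 but rejects our phase 1 proposal
            s["verdict"] = "phase 1 proposal rejected by peer: compare ike= (cipher-hash-DH group) with the peer"
        elif s["retrans_exhausted"]:
            # nothing at all came back: filtering, not a proposal mismatch
            s["verdict"] = "no reply to IKE: check udp/500 (and udp/4500, ESP) through the firewalls"
    return dict(out)
```

Run it over a real /var/log/auth.log excerpt with `triage(open(path).read())`; a verdict of "phase 1 proposal rejected" means the firewall question is already answered and the ike= line is what to compare with the other side.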
-
Also adding
telnet 213.151.208.151 9352
Trying 213.151.208.151...
telnet: Unable to connect to remote host: No route to host
-
Are the ESP protocol and udp/500 allowed?
Alternatively, change the encryption parameters (3DES, DES, ...).
-
Hi all, thanks to everyone for the help. Below is a short summary of the working configuration.
Required packages:
ipsec-tools
openswan
The problem was partly in my config and partly on the VPN concentrator side.
Working VPN connection:
/etc/ipsec.conf
cat /etc/ipsec.conf
version 2.0
config setup
nat_traversal=no # NAT traversal was not needed in this case
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/24,%v4:!172.16.2.0/24
protostack=netkey
include /etc/ipsec.d/*.conf
cat /etc/ipsec.d/nazov_pripojenia.conf
conn orange
type=tunnel
forceencaps=yes
auto=start # brings the IPsec tunnel up when the server boots
left=xxx.yyy.zzz.aaa # IP address of the server the VPN is created from
leftsubnet=xxx.yyy.zzz.aaa/32 # subnet
leftnexthop=%defaultroute
authby=secret
auth=esp
right=yyy.yyy.yyy.yyy # IP of the VPN concentrator I connect to
rightid=yyy.yyy.yyy.yyy # ID of the concentrator, not required
rightsubnets={xxx.xxx.xxx.xxx/32 xxx.xxx.xxx.yyy/32} # which subnets go into the IPsec tunnel
rightnexthop=%defaultroute
ikelifetime=24h
keylife=24h
ike=aes256-sha1-modp1024
esp=aes256-sha1
pfs=yes
keyexchange=ike
# phase2=esp # not defined if the parameters are the same as for phase 1
# phase2alg=aes256-sha1 # not defined if the parameters are the same as for phase 1
Enter the shared key in /etc/ipsec.secrets:
<public ip> <public ip of other side>: PSK "password"
and of course run:
ipsec auto --up nazov_pripojenia
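As an added example (not the poster's code), a small Python linter for ipsec.conf that catches the mistakes seen in this thread: a leftsubnet without a prefix length, a `$v:` selector in virtual_private (the prefix is `%v4:`), protostack=auto (the restart log asks for protostack=netkey) and a conn with no explicit ike=/esp= proposal. The sample config is constructed from the first post's values.

```python
import re

# Constructed sample in the shape of the first post's config (abbreviated, not the poster's file).
SAMPLE_CONF = """\
config setup
    protostack=auto
    virtual_private=%v4:10.0.0.0/8,$v:!172.16.2.0/24
conn Alt
    left=217.67.31.7
    leftsubnet=217.67.31.7/
    right=213.151.204.148
    rightsubnet=213.151.208.151/32
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
"""

CIDR = re.compile(r"^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$")

def parse_ipsec_conf(text):
    """Return {section: {key: value}} for 'config setup' (stored as 'setup') and each 'conn NAME'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if line.startswith(("config ", "conn ")):
            current = sections.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def lint(text):
    """Flag the mistakes this thread runs into; returns a list of 'section: message' strings."""
    sections = parse_ipsec_conf(text)
    setup = sections.pop("setup", {})
    problems = []
    if setup.get("protostack") == "auto":
        problems.append("setup: protostack=auto makes pluto fall back at startup; set protostack=netkey explicitly")
    if "$v" in setup.get("virtual_private", ""):
        problems.append("setup: virtual_private uses '$v:'; the selector prefix is %v4: (or %v6:)")
    for name, conn in sections.items():
        for key in ("leftsubnet", "rightsubnet"):
            if key in conn and not CIDR.match(conn[key]):
                problems.append(f"{name}: {key}={conn[key]!r} is not a valid a.b.c.d/len network (mask missing?)")
        for key in ("ike", "esp"):
            if key not in conn:
                problems.append(f"{name}: {key}= is not set; pin the proposal so a NO_PROPOSAL_CHOSEN from the peer can be compared")
    return problems
```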