IPsec tunel nefunguje

[noger]

Zdravím Vás, obraciam sa so žiadosťou o pomoc pri konfigurácii ipsec tunela medzi dvomi spločnosťami.

Skusil som nasledovné:

https://gir.me.uk/ipsec-vpn-with-debian-3-1/
http://braindump.bun.ch/VPN/Racoon_as_IPsec_client_for_Zywall
http://www.slashroot.in/linux-ipsec-site-site-vpnvirtual-private-network-configuration-using-openswan

Kód: [Vybrat]

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=auto
        # Use this to log to a file, or disable logging on embedded systems (lik
        #plutostderrlog=/dev/null
        interfaces=%defaultroute

# Add connections here

# sample VPN connection                 
# for more examples, see /etc/ipsec.d/examples
conn Alt                                
#               # Left security gateway, subnet behind it, nexthop toward right.
                left=217.67.31.7        
#               leftsubnet=217.67.31.7/ 
#               leftnexthop=10.22.33.44 
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1        
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
                auto=add                
                right=213.151.204.148   
                rightsubnet=213.151.208.151/32
                ikelifetime=24h         
                keylife=24h             
                ike=aes256-sha1-modp1024
                esp=aes256-sha1         
                pfs=yes

V prílohe sú technické parametre ipsec vpn

Ipsec som nikdy nekonfiguroval a ani s nim nemám  žiadne skúsenosti.

Ked zadám

Kód: [Vybrat]

ipsec auto --up Alt

tak mi ostane kurzor blikat a nic sa mi neudeje.
Vopred ďakujem za akúkoľvek pomoc

Mišo

[Reklama]

[Rootless Rooter]

nechybi Ti tam maska v 'sekci leftsubnet' ?
v tom kofiguraku mas 'leftsubnet=217.67.31.7/'

[noger]

@Rootless Rooter > ten riadok je zakomentovaný

[noger]

Ešte pridám výstup pri reštarte ipsec:

Kód: [Vybrat]

ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.37...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY

a /var/log/authlog

Kód: [Vybrat]

Nov 15 09:51:48 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:52:28 istp pluto[1191]: "Alt" #76: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:52:28 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:53:08 istp pluto[1191]: "Alt" #76: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:53:08 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:53:48 istp pluto[1191]: "Alt" #76: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:53:48 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:54:28 istp pluto[1191]: "Alt" #76: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:54:28 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:55:08 istp pluto[1191]: "Alt" #76: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:55:08 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:55:48 istp pluto[1191]: "Alt" #76: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:55:48 istp pluto[1191]: "Alt" #76: received and ignored informational message
Nov 15 09:56:28 istp pluto[1191]: "Alt" #76: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Nov 15 09:56:28 istp pluto[1191]: "Alt" #76: starting keying attempt 76 of an unlimited number
Nov 15 09:56:28 istp pluto[1191]: "Alt" #77: initiating Main Mode to replace #76
Nov 15 09:56:28 istp pluto[1191]: "Alt" #77: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:56:28 istp pluto[1191]: "Alt" #77: received and ignored informational message
Nov 15 09:56:38 istp pluto[1191]: "Alt" #77: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:56:38 istp pluto[1191]: "Alt" #77: received and ignored informational message
Nov 15 09:56:58 istp pluto[1191]: "Alt" #77: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Nov 15 09:56:58 istp pluto[1191]: "Alt" #77: received and ignored informational message
Nov 15 09:57:08 istp pluto[1191]: "Alt": deleting connection
Nov 15 09:57:08 istp pluto[1191]: "Alt" #77: deleting state (STATE_MAIN_I1)
Nov 15 09:57:11 istp pluto[30492]: added connection description "Alt"
Nov 15 10:07:07 istp pluto[30492]: "Alt": deleting connection
Nov 15 10:07:10 istp pluto[31129]: added connection description "Alt"
Nov 15 10:08:22 istp pluto[31129]: "Alt": deleting connection
Nov 15 10:08:25 istp pluto[31432]: added connection description "Alt"

[noger]

Ešte pridávam

Kód: [Vybrat]

telnet 213.151.208.151 9352
Trying 213.151.208.151...
telnet: Unable to connect to remote host: No route to host
telnet 213.151.208.151 9352
Trying 213.151.208.151...
telnet: Unable to connect to remote host: No route to host

[Reklama]

[Host]

Protokol ESP a udp/500 je povoleno?
Pripadne zmenit parametry sifrovani (3DES,DES,..).

[noger]

Ahojte, dakujem vsetkym za intervencie. Nizsie je kratky sumar funkncej konfiguracie

Potrebne baliky:
ipsec-tools
openswan

Problem bol jednak v mojm konfiguraku, tak aj na strane vpn koncentratora.

Funknce pripojenie VPN :

/etc/ipsec.conf

Kód: [Vybrat]

cat /etc/ipsec.conf
version 2.0

config setup
        nat_traversal=no  #v tomto pripade nebolo treba natovat)
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/24,$v:!172.16.2.0/24
        protostack=netkey

include /etc/ipsec.d/*.conf

cat /etc/ipsec.d/nazov_pripojenia.conf

Kód: [Vybrat]

cat /etc/ipsec.d/nazov_pripojenia.conf 



conn orange
        type=tunnel
        forceencaps=yes
        auto=start								#zabezpeci start ipsec tunela po zapnuti servera
        left=xxx.yyy.zzz.aaa							#ip adresa servera z ktoreho sa vpn vytvara
        leftsubnet=xxx.yyy.zzz.aaa/32						#subnet
        leftnexthop=%defaultroute						
        authby=secret								
        auth=esp        							
        right=yyy.yyy.yyy.yyy							#ip vpn koncentratora kam sa pripajam
        rightid=yyy.yyy.yyy.yyy							#id koncentratora nemusi byt
        rightsubnets={xxx.xxx.xxx.xxx/32 xxx.xxx.xxx.yyy/32}			#subnet - ktore subnety pojdu do ipsec tunela
        rightnexthop=%defaultroute						
        ikelifetime=24h
        keylife=24h
        ike=aes256-sha1-modp1024						
        esp=aes256-sha1
        pfs=yes
        keyexchange=ike
#       phase2=esp								#nedefinuje sa ak je su rovnake prametre pre fazu1
#       phase2alg=aes256-sha1							#nedefinuje sa ak je su rovnake prametre pre fazu1

zadat pre shared key do /etc/ipsec.secrets :

Kód: [Vybrat]

<public ip> <public ip of other side>: PSK "password"

a samozrejme spustit:

Kód: [Vybrat]

ipsec auto --up nazov_pripojenia