ASPLP (n00b)
Joined: 16 May 2014, Posts: 13
Posted: Fri May 16, 2014 11:12 pm    Post subject: ipsec phase two has been completed but no traffic through
Hello
IPsec policies are being ignored
Post by ASPLP » 2014-05-14 11:45:23
Hi
Here is the gist:
10.20.10.83(host)<->216.193.93.179(remote gw)<--->Internet<--->193.148.246.66(gentoo gw)<->172.16.10.0/24(network)
I'm using racoon and it seems like traffic ignores the IPsec tunnel rules.
Code:
Sun ~ # setkey -DP
10.20.10.83[any] 172.16.10.0/24[any] 255
    in prio def ipsec
    esp/tunnel/216.193.93.179-193.148.246.66/require
    created: May 14 08:49:57 2014 lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=4440 seq=26 pid=28964
    refcnt=1
172.16.10.0/24[any] 10.20.10.83[any] 255
    out prio def ipsec
    esp/tunnel/193.148.246.66-216.193.93.179/require
    created: May 14 08:49:57 2014 lastused: May 14 08:55:28 2014
    lifetime: 0(s) validtime: 0(s)
    spid=4433 seq=0 pid=28964
    refcnt=2
Code:
Sun ~ # setkey -D
193.148.246.66 216.193.93.179
    esp mode=tunnel spi=2208704428(0x83a627ac) reqid=0(0x00000000)
    E: 3des-cbc 7ad70d0e 59d077f2 13c2734b f08037ee 7003fed7 8961777f
    A: hmac-md5 e1e157bd 53ed8edf b1b101c4 0e78f1eb
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: May 14 08:50:43 2014 current: May 14 09:01:59 2014
    diff: 676(s) hard: 28800(s) soft: 23040(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=1 pid=29030 refcnt=0
216.193.93.179 193.148.246.66
    esp mode=tunnel spi=3314345(0x003292a9) reqid=0(0x00000000)
    E: 3des-cbc 588a57b6 9be43f4f 8c6b5c7d 612d2601 17f617a8 bff38eb0
    A: hmac-md5 a7f6d395 c2acc243 287ed0fc b863d8f2
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: May 14 08:50:43 2014 current: May 14 09:01:59 2014
    diff: 676(s) hard: 28800(s) soft: 23040(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=0 pid=29030 refcnt=0
Code:
Sun ~ # cat /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
remote 216.193.93.179
{
    nat_traversal on;
    exchange_mode main;
    proposal_check claim;
    lifetime time 86400 sec;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 5;
    }
}
sainfo address 172.16.10.0/24 any address 10.20.10.83/32 any
{
    pfs_group 5;
    lifetime time 86400 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
Code:
Sun ~ # cat /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 172.16.10.0/24 10.20.10.83 any -P out ipsec esp/tunnel/193.148.246.66-216.193.93.179/require;
spdadd 10.20.10.83 172.16.10.0/24 any -P in ipsec esp/tunnel/216.193.93.179-193.148.246.66/require;
Log file:
Code:
May 14 08:49:57 Sun racoon: INFO: 172.16.10.1[500] used for NAT-T
May 14 08:49:57 Sun racoon: INFO: 172.16.10.1[500] used as isakmp port (fd=12)
May 14 08:49:57 Sun racoon: INFO: 172.16.10.1[4500] used for NAT-T
May 14 08:49:57 Sun racoon: INFO: 172.16.10.1[4500] used as isakmp port (fd=13)
May 14 08:49:57 Sun racoon: INFO: 193.148.246.66[500] used for NAT-T
May 14 08:49:57 Sun racoon: INFO: 193.148.246.66[500] used as isakmp port (fd=18)
May 14 08:49:57 Sun racoon: INFO: 193.148.246.66[4500] used for NAT-T
May 14 08:49:57 Sun racoon: INFO: 193.148.246.66[4500] used as isakmp port (fd=19)
May 14 08:50:42 Sun racoon: INFO: IPsec-SA request for 216.193.93.179 queued due to no phase1 found.
May 14 08:50:42 Sun racoon: INFO: initiate new phase 1 negotiation: 193.148.246.66[500]<=>216.193.93.179[500]
May 14 08:50:42 Sun racoon: INFO: begin Identity Protection mode.
May 14 08:50:42 Sun racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 14 08:50:42 Sun racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 14 08:50:42 Sun racoon: [216.193.93.179] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
May 14 08:50:42 Sun racoon: [216.193.93.179] INFO: Hashing 216.193.93.179[500] with algo #1
May 14 08:50:42 Sun racoon: [193.148.246.66] INFO: Hashing 193.148.246.66[500] with algo #1
May 14 08:50:42 Sun racoon: INFO: Adding remote and local NAT-D payloads.
May 14 08:50:42 Sun racoon: INFO: received Vendor ID: CISCO-UNITY
May 14 08:50:42 Sun racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May 14 08:50:42 Sun racoon: [193.148.246.66] INFO: Hashing 193.148.246.66[500] with algo #1
May 14 08:50:42 Sun racoon: INFO: NAT-D payload #0 verified
May 14 08:50:42 Sun racoon: [216.193.93.179] INFO: Hashing 216.193.93.179[500] with algo #1
May 14 08:50:42 Sun racoon: INFO: NAT-D payload #1 verified
May 14 08:50:42 Sun racoon: INFO: NAT not detected
May 14 08:50:42 Sun racoon: INFO: received Vendor ID: DPD
May 14 08:50:42 Sun racoon: WARNING: port 500 expected, but 0
May 14 08:50:42 Sun racoon: INFO: ISAKMP-SA established 193.148.246.66[500]-216.193.93.179[500] spi:d4308f00f105e919:30df322a74ba9f4d
May 14 08:50:43 Sun racoon: INFO: initiate new phase 2 negotiation: 193.148.246.66[500]<=>216.193.93.179[500]
May 14 08:50:43 Sun racoon: INFO: received RESPONDER-LIFETIME: 28800 seconds
May 14 08:50:43 Sun racoon: INFO: IPsec-SA established: ESP/Tunnel 193.148.246.66[500]->216.193.93.179[500] spi=3314345(0x3292a9)
May 14 08:50:43 Sun racoon: INFO: IPsec-SA established: ESP/Tunnel 193.148.246.66[500]->216.193.93.179[500] spi=2208704428(0x83a627ac)
As a result I see this:
Code:
09:31:06.722808 IP 193.148.246.66 > 10.20.10.83: ICMP echo request, id 32391, seq 2413, length 64
09:31:07.730926 IP 193.148.246.66 > 10.20.10.83: ICMP echo request, id 32391, seq 2414, length 64
09:31:08.732133 IP 193.148.246.66 > 10.20.10.83: ICMP echo request, id 32391, seq 2415, length 64
09:31:09.738854 IP 193.148.246.66 > 10.20.10.83: ICMP echo request, id 32391, seq 2416, length 64
09:31:10.746983 IP 193.148.246.66 > 10.20.10.83: ICMP echo request, id 32391, seq 2417, length 64
and this:
Code:
Sun ~ # tcpdump -i eth1 host 216.183.93.178
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
23:11:24.955969 IP 216.183.93.178.isakmp > 193.138.246.66.isakmp: isakmp: phase 1 ? ident
23:11:24.956322 IP 193.138.246.66 > 216.183.93.178: ICMP 193.138.246.66 udp port isakmp unreachable, length 164
23:11:28.446245 IP 193.138.246.66.isakmp > 216.183.93.178.isakmp: isakmp: phase 1 I ident
23:11:28.592275 IP 216.183.93.178.isakmp > 193.138.246.66.isakmp: isakmp: phase 1 R ident
23:11:30.132599 IP 216.183.93.178.ipsec-nat-t > 193.138.246.66.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
23:11:30.132773 IP 193.138.246.66.ipsec-nat-t > 216.183.93.178.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
23:11:32.956681 IP 216.183.93.178.isakmp > 193.138.246.66.isakmp: isakmp: phase 1 ? ident
23:11:35.383959 IP 193.138.246.66.ipsec-nat-t > 216.183.93.178.ipsec-nat-t: isakmp-nat-keep-alive
23:11:36.585266 IP 216.183.93.178.isakmp > 193.138.246.66.isakmp: isakmp: phase 1 R ident
23:11:38.588043 IP 193.138.246.66.isakmp > 216.183.93.178.isakmp: isakmp: phase 1 I ident
23:11:38.733409 IP 216.183.93.178.isakmp > 193.138.246.66.isakmp: isakmp: phase 1 R ident
23:11:46.724827 IP 216.183.93.178.isakmp > 193.138.246.66.isakmp: isakmp: phase 1 R ident
23:11:50.130288 IP 216.183.93.178.ipsec-nat-t > 193.138.246.66.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
23:11:50.130456 IP 193.138.246.66.ipsec-nat-t > 216.183.93.178.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
Thanks for the help!
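The outbound policy in the `setkey -DP` dump only selects packets whose source lies in 172.16.10.0/24, while the echo requests in the tcpdump excerpt are sourced from 193.148.246.66, the gateway's own address. The following is an added example, not code from the post: it parses a constructed copy of the pasted SPD and reports which policy, if any, would select a given flow.

```python
import ipaddress
import re

# Constructed copy of the selector lines from the poster's `setkey -DP` output.
SPD_DUMP = """\
10.20.10.83[any] 172.16.10.0/24[any] 255
    in prio def ipsec
    esp/tunnel/216.193.93.179-193.148.246.66/require
172.16.10.0/24[any] 10.20.10.83[any] 255
    out prio def ipsec
    esp/tunnel/193.148.246.66-216.193.93.179/require
"""

# A policy header looks like: "<src>[<port>] <dst>[<port>] <upper-layer proto>"
SELECTOR = re.compile(r"^(\S+?)\[(\S+)\] (\S+?)\[(\S+)\] (\d+)$")


def parse_spd(dump):
    """Return (src_net, dst_net, direction, tunnel) tuples from a setkey -DP dump."""
    lines = dump.splitlines()
    policies = []
    for i, line in enumerate(lines):
        m = SELECTOR.match(line.strip())
        if not m:
            continue
        src, _sport, dst, _dport, _proto = m.groups()
        direction = lines[i + 1].split()[0]   # "in" or "out" on the next line
        tunnel = lines[i + 2].strip()         # "esp/tunnel/<local>-<remote>/require"
        policies.append((ipaddress.ip_network(src, strict=False),
                         ipaddress.ip_network(dst, strict=False),
                         direction, tunnel))
    return policies


def matching_policy(policies, src_ip, dst_ip, direction):
    """Return the tunnel spec of the first policy selecting this flow, or None.
    The SPD is consulted with the packet's own addresses, so a packet the
    gateway originates from its public address misses an internal-net selector."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, dirn, tunnel in policies:
        if dirn == direction and s in src_net and d in dst_net:
            return tunnel
    return None


if __name__ == "__main__":
    spd = parse_spd(SPD_DUMP)
    # Flow from an internal host: selected by the "out" policy.
    print(matching_policy(spd, "172.16.10.5", "10.20.10.83", "out"))
    # The echo requests in the capture, sourced from the gateway itself: no policy.
    print(matching_policy(spd, "193.148.246.66", "10.20.10.83", "out"))
```

Both SAs in the `setkey -D` output also show `current: 0(bytes)`, which is the counter to watch when checking whether anything has actually been sent through the tunnel.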