IPsec / Racoon: packets go into the wrong tunnel

I use Debian and Racoon to connect to a Cisco VPN gateway. We have two tunnels between the same endpoints. Somehow, and only sometimes, packets go into the wrong tunnel.

This is the log message from the remote Cisco system:

Aug 13 17:55:01 XXXXX %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x5CAAB58E, sequence number= 0x6) from MY_PUBLIC_IP_ADDRESS (user= MY_PUBLIC_IP_ADDRESS) to REMOTE_PUBLIC_IP_ADDRESS. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as REMOTE_INNER_HOST_PRIVATE_IP_2, its source as MY_INNER_HOST_PRIVATE_IP, and its protocol as icmp. The SA specifies its local proxy as REMOTE_INNER_HOST_PRIVATE_IP_1/255.255.255.255/ip/0 and its remote_proxy as MY_INNER_HOST_NETWORK/255.255.255.0/ip/0.

The message appeared when I tried to ping REMOTE_INNER_HOST_PRIVATE_IP_2 from MY_INNER_HOST_PRIVATE_IP. (I have substituted the IP addresses.)

This is the output of setkey -D -P | grep REMOTE_INNER_HOST_PRIVATE_IP_1 | 2:

REMOTE_INNER_HOST_PRIVATE_IP_2[any] MY_INNER_HOST_NETWORK[any] 255
REMOTE_INNER_HOST_PRIVATE_IP_2[any] MY_INNER_HOST_NETWORK[any] 255
MY_INNER_HOST_NETWORK[any] REMOTE_INNER_HOST_PRIVATE_IP_2[any] 255
REMOTE_INNER_HOST_PRIVATE_IP_1[any] MY_INNER_HOST_NETWORK[any] 255
REMOTE_INNER_HOST_PRIVATE_IP_1[any] MY_INNER_HOST_NETWORK[any] 255
MY_INNER_HOST_NETWORK[any] REMOTE_INNER_HOST_PRIVATE_IP_1[any] 255

In my opinion this shows that /etc/ipsec-tools.conf is read successfully. Here is the relevant section of that file:

spdadd MY_INNER_HOST_NETWORK/24 REMOTE_INNER_HOST_PRIVATE_IP_1/32 any -P out ipsec esp/tunnel/MY_PUBLIC_IP_ADDRESS-REMOTE_PUBLIC_IP_ADDRESS/require;

spdadd REMOTE_INNER_HOST_PRIVATE_IP_1/32 MY_INNER_HOST_NETWORK/24 any -P in ipsec esp/tunnel/REMOTE_PUBLIC_IP_ADDRESS-MY_PUBLIC_IP_ADDRESS/require;

spdadd MY_INNER_HOST_NETWORK/24 REMOTE_INNER_HOST_PRIVATE_IP_2/32 any -P out ipsec esp/tunnel/MY_PUBLIC_IP_ADDRESS-REMOTE_PUBLIC_IP_ADDRESS/require;

spdadd REMOTE_INNER_HOST_PRIVATE_IP_2/32 MY_INNER_HOST_NETWORK/24 any -P in ipsec esp/tunnel/REMOTE_PUBLIC_IP_ADDRESS-MY_PUBLIC_IP_ADDRESS/require;

Finally, this is the relevant section of /etc/racoon/racoon.conf (there are no suspicious lines in /var/log/racoon.log):

remote REMOTE_PUBLIC_IP_ADDRESS 
{
        exchange_mode main;
        proposal_check obey;
        my_identifier address MY_PUBLIC_IP_ADDRESS;
        lifetime time 86400 sec;

        proposal 
        {
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 86400 sec;
        } 
}

sainfo address MY_INNER_HOST_NETWORK/24 any address REMOTE_INNER_HOST_PRIVATE_IP_1/32 any 
{
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate; 
}

sainfo address MY_INNER_HOST_NETWORK/24 any address REMOTE_INNER_HOST_PRIVATE_IP_2/32 any {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate; 
}

Is there an identifier conflict? What can I do to resolve the situation? Many thanks!

by Matthias Wuttke 13.08.2014 / 19:28

1 answer

I learned that I need to use

spdadd xxxx/32 yyyy/32 any -P out ipsec esp/tunnel/aaaa-bbbb/unique;

Note: "unique" instead of "require".

by 06.02.2017 / 20:33
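As an added example (not part of either post), a small Python checker that parses spdadd lines, flags policies that share one SA template (same direction, protocol, mode and tunnel endpoints) at a level without a reqid such as require, where the kernel may serve either selector from whichever matching SA exists (the mismatch the Cisco 402116 message reports), and rewrites them to unique. The input is the four lines from the question, embedded as constructed sample text.

```python
import re
from collections import defaultdict

# Constructed input: the four spdadd lines from the question, both tunnels at level "require".
SAMPLE_CONF = """
spdadd MY_INNER_HOST_NETWORK/24 REMOTE_INNER_HOST_PRIVATE_IP_1/32 any -P out ipsec esp/tunnel/MY_PUBLIC_IP_ADDRESS-REMOTE_PUBLIC_IP_ADDRESS/require;
spdadd REMOTE_INNER_HOST_PRIVATE_IP_1/32 MY_INNER_HOST_NETWORK/24 any -P in ipsec esp/tunnel/REMOTE_PUBLIC_IP_ADDRESS-MY_PUBLIC_IP_ADDRESS/require;
spdadd MY_INNER_HOST_NETWORK/24 REMOTE_INNER_HOST_PRIVATE_IP_2/32 any -P out ipsec esp/tunnel/MY_PUBLIC_IP_ADDRESS-REMOTE_PUBLIC_IP_ADDRESS/require;
spdadd REMOTE_INNER_HOST_PRIVATE_IP_2/32 MY_INNER_HOST_NETWORK/24 any -P in ipsec esp/tunnel/REMOTE_PUBLIC_IP_ADDRESS-MY_PUBLIC_IP_ADDRESS/require;
"""

# One spdadd line: selector (src dst upper-protocol), direction, and the ipsec request
# "proto/mode/endpoints/level". Level may be default, use, require, unique or unique:<reqid>.
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out|fwd)"
    r"\s+ipsec\s+(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)/(?P<ep>[^/]*)/"
    r"(?P<level>[^;\s]+)\s*;",
    re.MULTILINE,
)

def parse_policies(conf):
    """Return one dict per spdadd line found in the configuration text."""
    return [m.groupdict() for m in SPDADD_RE.finditer(conf)]

def shared_sa_groups(policies):
    """Policies with an identical SA template (direction, protocol, mode, endpoints) but
    different selectors. Without a reqid (require/use/default) any matching SA satisfies
    all of them, so traffic for one selector can be sent through the other's SA."""
    groups = defaultdict(list)
    for p in policies:
        groups[(p["dir"], p["proto"], p["mode"], p["ep"])].append(p)
    return {key: pols for key, pols in groups.items()
            if len(pols) > 1 and any(not p["level"].startswith("unique") for p in pols)}

def rewrite_unique(conf):
    """Rewrite every spdadd line to level "unique" so each policy gets its own SA (own reqid)."""
    def repl(m):
        g = m.groupdict()
        return (f"spdadd {g['src']} {g['dst']} {g['upper']} -P {g['dir']} ipsec "
                f"{g['proto']}/{g['mode']}/{g['ep']}/unique;")
    return SPDADD_RE.sub(repl, conf)

if __name__ == "__main__":
    for key, pols in shared_sa_groups(parse_policies(SAMPLE_CONF)).items():
        print("policies sharing one SA template:", key, [(p["src"], p["dst"]) for p in pols])
    print(rewrite_unique(SAMPLE_CONF))
```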