racoon IPSec / L2TP client

2

I am trying to configure a racoon IPSec / L2TP client to connect to a Windows 2003 server. The server was originally meant to be used with Windows XP clients (tested successfully with Windows XP SP3, but it does not work with XP SP1 or Windows 7). To complicate matters further, both a pre-shared key and x509 certificates are used at the same time. I deduced the following from the working client and tried to replicate the configuration in racoon:

  • No NAT-T (it has been dropped since Windows XP SP2)
  • No tunnel mode (Windows XP does not support it)
  • No AH (Windows XP does not support it)
  • 3des as the encryption algorithm
  • sha1 as the hash algorithm
  • dh_group 2
  • Not sure about the authentication method; I tried both pre_shared_key and rsasig

My racoon.conf:

log debug2;

path certificate "/home/ipsec/out/etc/certs";
path pre_shared_key "/etc/psk.txt";
path script "/etc/racoon/scripts";

remote 10.0.1.2 {

       exchange_mode main;

       my_identifier user_fqdn "[email protected]";
       certificate_type x509 "client.example.crt" "client.example.key";
       ca_type x509 "ca.crt";

       passive off;
       generate_policy on;
       dpd_delay 20;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group 2;
       }
}

sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

My setkey.conf:

# Flush the SAD and SPD
flush;
spdflush;


spdadd 0.0.0.0/0 vpn.example.com[1701] any -P out ipsec
        esp/transport//require;


spdadd vpn.example.com[1701] 0.0.0.0/0 any -P in ipsec
        esp/transport//require;

I ran setkey -f /etc/setkey.conf and then ran racoon -F. The following is my racoon log:

Foreground mode.
2015-07-18 17:25:25: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
2015-07-18 17:25:25: INFO: @(#)This product linked OpenSSL 1.0.0a 1 Jun 2010 (http://www.openssl.org/)
2015-07-18 17:25:25: INFO: Reading configuration from "/home/ipsec/out/etc/racoon.conf"
2015-07-18 17:25:26: DEBUG: filename: /home/ipsec/out/etc/certs/client.example.crt
2015-07-18 17:25:26: DEBUG: filename: /home/ipsec/out/etc/certs/ca.crt
2015-07-18 17:25:26: DEBUG2: lifetime = 28800
2015-07-18 17:25:26: DEBUG2: lifebyte = 0
2015-07-18 17:25:26: DEBUG2: encklen=0
2015-07-18 17:25:26: DEBUG2: p:1 t:1
2015-07-18 17:25:26: DEBUG2: 3DES-CBC(5)
2015-07-18 17:25:26: DEBUG2: SHA(2)
2015-07-18 17:25:26: DEBUG2: 1024-bit MODP group(2)
2015-07-18 17:25:26: DEBUG2: pre-shared key(1)
2015-07-18 17:25:26: DEBUG2: 
2015-07-18 17:25:26: DEBUG2: Etype mismatch: got 2, expected 4.
2015-07-18 17:25:26: DEBUG: no check of compression algorithm; not supported in sadb message.
2015-07-18 17:25:26: DEBUG: getsainfo params: loc='ANONYMOUS' rmt='ANONYMOUS' peer='NULL' client='NULL' id=0
2015-07-18 17:25:26: DEBUG2: parse successed.
2015-07-18 17:25:26: DEBUG: open /home/ipsec/out/var/racoon/racoon.sock as racoon management.
2015-07-18 17:25:26: DEBUG: Netlink: address 192.168.110.57 added
2015-07-18 17:25:26: INFO: 192.168.110.57[500] used as isakmp port (fd=7)
2015-07-18 17:25:26: DEBUG: Netlink: address 127.0.0.1 added
2015-07-18 17:25:26: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
2015-07-18 17:25:26: DEBUG: Netlink: address 127.0.0.0 added
2015-07-18 17:25:26: INFO: 127.0.0.0[500] used as isakmp port (fd=9)
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 18000100 01000000 2d0d0000 03000500 ff200000 020006a5 d401c161
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4a10aa55 00000000 00000000 00000000
04001200 02000300 7a010000 00000080 10003200 01020000 00000000 00000000
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 18000100 02000000 2d0d0000 03000500 ff200000 020006a5 d401c161
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4a10aa55 00000000 00000000 00000000
04001200 02000100 70010000 00000080 10003200 01020000 00000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 18000100 03000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff200000 020006a5 d401c161 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4410aa55 00000000 00000000 00000000
04001200 02000200 69010000 00000080 10003200 01020000 00000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 04000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000500 2c000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 05000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000400 23000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 06000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000500 1c000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 07000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000400 13000000 00000000
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:26: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:26: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:26: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:26: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:26: DEBUG2: 
02120000 16000100 08000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000500 0c000000 00000000
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:27: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:27: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=5
2015-07-18 17:25:27: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out
2015-07-18 17:25:27: DEBUG: pk_recv: retry[0] recv() 
2015-07-18 17:25:27: DEBUG: got pfkey X_SPDDUMP message
2015-07-18 17:25:27: DEBUG2: 
02120000 16000100 00000000 2d0d0000 03000500 ff000000 02000000 00000000
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4201aa55 00000000 00000000 00000000
02001200 01000400 03000000 00000000
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:27: DEBUG: db :0x97e00: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=fwd
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:27: DEBUG: db :0x9cc20: 10.0.1.2/32[1701] 0.0.0.0/0[0] proto=any dir=in
2015-07-18 17:25:27: DEBUG: sub:0xbe9ca868: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=4
2015-07-18 17:25:27: DEBUG: db :0x9df28: 0.0.0.0/0[0] 10.0.1.2/32[1701] proto=any dir=out

After that, no traffic passes through the established VPN (I am not even sure a connection was established at all) and setkey -D reports no SAD entries.

EDIT:

I found out that the main problem is routing. While the L2TP mode here is transport, the server should act as a gateway to the network behind it, but no traffic goes through L2TP to the server, so the tunnel is never initiated. I tried adding a route but had no success.

by Bahribayli 18.07.2015 / 15:05

0 answers
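The racoon log above hex-dumps every PF_KEY SADB_X_SPDDUMP message the kernel returns, and the "db :0x...: ... proto=any dir=fwd" lines are racoon's own summary of each one. The decoder below is an added example, not code from the question or from ipsec-tools; it parses such a dump into its sadb_msg header, the source/destination sadb_address extensions, the current-lifetime extension and the sadb_x_policy with its ipsecrequest entries, then renders the result both in racoon's summary format and as a setkey.conf spdadd statement, so the kernel's SPD can be compared line by line with what setkey -f loaded. The two sample dumps are constructed after the structure of the dumps in the question, with the peer address set to 10.0.1.2 as racoon prints it; the sample seq, pid, policy ids and creation timestamp are assumptions for illustration. Struct layouts follow RFC 2367 and the Linux pfkeyv2.h definitions: PF_KEY fields in host byte order (little-endian here), the port inside the embedded sockaddr_in in network order.

```python
"""Decode PF_KEY SADB_X_SPDDUMP messages as racoon hex-dumps them at debug2.

Added example, not code from the question or from ipsec-tools.  Layouts
follow RFC 2367 / <linux/pfkeyv2.h>; sample dumps below are constructed.
"""
import ipaddress
import struct

# Constants from RFC 2367, <linux/pfkeyv2.h> and <linux/ipsec.h>.
SADB_X_SPDDUMP = 18
EXT_LIFETIME_CURRENT, EXT_ADDRESS_SRC, EXT_ADDRESS_DST, EXT_POLICY = 2, 5, 6, 18
POLICY_TYPES = {0: "discard", 1: "none", 2: "ipsec", 3: "entrust", 4: "bypass"}
DIRECTIONS = {0: "any", 1: "in", 2: "out", 3: "fwd"}
IPSEC_PROTOS = {50: "esp", 51: "ah", 108: "ipcomp"}
MODES = {0: "any", 1: "transport", 2: "tunnel"}
LEVELS = {0: "default", 1: "use", 2: "require", 3: "unique"}

# Constructed samples: the fwd and in policies for 10.0.1.2[1701] <-> 0.0.0.0/0,
# laid out like the dumps in the question (seq/pid/ids/timestamp are made up).
SAMPLE_FWD = """
02120000 18000100 01000000 2d0d0000 03000500 ff200000 020006a5 0a000102
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4a10aa55 00000000 00000000 00000000
04001200 02000300 7a010000 00000080 10003200 01020000 00000000 00000000
"""
SAMPLE_IN = """
02120000 18000100 02000000 2d0d0000 03000500 ff200000 020006a5 0a000102
00000000 00000000 03000600 ff000000 02000000 00000000 00000000 00000000
04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
04000200 00000000 00000000 00000000 4a10aa55 00000000 00000000 00000000
04001200 02000100 70010000 00000080 10003200 01020000 00000000 00000000
"""


def dump_to_bytes(text):
    """Turn racoon's whitespace-separated hex words back into the raw message."""
    return bytes.fromhex("".join(text.split()))


def _parse_address(ext):
    """sadb_address: proto(1) prefixlen(1) reserved(2), then a sockaddr_in."""
    proto, prefixlen = struct.unpack_from("<BB", ext, 4)
    family = struct.unpack_from("<H", ext, 8)[0]
    if family != 2:  # AF_INET only; the question's policies are all IPv4
        raise ValueError(f"unsupported address family {family}")
    port = struct.unpack_from("!H", ext, 10)[0]  # sin_port is network order
    ip = ipaddress.IPv4Address(ext[12:16])
    return {"net": f"{ip}/{prefixlen}", "port": port,
            "proto": "any" if proto == 255 else proto}


def _parse_policy(ext):
    """sadb_x_policy header followed by zero or more sadb_x_ipsecrequest entries."""
    ptype, direction = struct.unpack_from("<HB", ext, 4)
    policy_id = struct.unpack_from("<I", ext, 8)[0]
    requests, off = [], 16
    while off < len(ext):
        rlen, proto, mode, level = struct.unpack_from("<HHBB", ext, off)
        if rlen < 16:  # guard against a malformed length looping forever
            raise ValueError("malformed ipsecrequest length")
        requests.append(f"{IPSEC_PROTOS.get(proto, proto)}/{MODES.get(mode, mode)}"
                        f"//{LEVELS.get(level, level)}")
        off += rlen
    return {"type": POLICY_TYPES.get(ptype, ptype), "id": policy_id,
            "dir": DIRECTIONS.get(direction, direction), "requests": requests}


def parse_spd_message(data):
    """Parse one PF_KEY v2 message into src, dst, policy and creation time."""
    version, msgtype, errno, _sat, length, _res, seq, pid = struct.unpack_from("<BBBBHHII", data)
    if version != 2 or length * 8 != len(data):
        raise ValueError("not a complete PF_KEY v2 message")
    msg = {"msgtype": msgtype, "errno": errno, "seq": seq, "pid": pid,
           "src": None, "dst": None, "policy": None, "created": None}
    off = 16
    while off < len(data):
        elen, etype = struct.unpack_from("<HH", data, off)
        if elen == 0:
            raise ValueError("zero-length extension")
        ext = data[off:off + elen * 8]
        if etype == EXT_ADDRESS_SRC:
            msg["src"] = _parse_address(ext)
        elif etype == EXT_ADDRESS_DST:
            msg["dst"] = _parse_address(ext)
        elif etype == EXT_POLICY:
            msg["policy"] = _parse_policy(ext)
        elif etype == EXT_LIFETIME_CURRENT:
            msg["created"] = struct.unpack_from("<Q", ext, 16)[0]  # addtime (epoch s)
        off += elen * 8
    return msg


def racoon_summary(msg):
    """Same shape as racoon's 'db :0x...: src[port] dst[port] proto=.. dir=..' lines."""
    s, d, p = msg["src"], msg["dst"], msg["policy"]
    return f"{s['net']}[{s['port']}] {d['net']}[{d['port']}] proto={s['proto']} dir={p['dir']}"


def setkey_line(msg):
    """Render the decoded entry as a setkey.conf spdadd statement."""
    s, d, p = msg["src"], msg["dst"], msg["policy"]

    def port(n):
        return "any" if n == 0 else str(n)

    body = " ".join([p["type"]] + p["requests"])
    return (f"spdadd {s['net']}[{port(s['port'])}] {d['net']}[{port(d['port'])}] "
            f"{s['proto']} -P {p['dir']} {body};")


def missing_directions(msgs, required=("in", "out")):
    """Which of the required policy directions did the SPD dump not contain?"""
    seen = {m["policy"]["dir"] for m in msgs if m["policy"]}
    return [d for d in required if d not in seen]


if __name__ == "__main__":
    decoded = [parse_spd_message(dump_to_bytes(t)) for t in (SAMPLE_FWD, SAMPLE_IN)]
    for m in decoded:
        print(racoon_summary(m))
        print("   ", setkey_line(m))
    print("missing directions:", missing_directions(decoded))
```

Paste any one hex block from a racoon debug2 log into dump_to_bytes() to decode it; the later, shorter dumps in the question (exttype 0x12 with type 1, dir 4 and 5) are per-socket "none" policies and decode with an unknown numeric direction, which is why missing_directions() only counts the named in/out entries. Note that the hex dumps contain the peer address and port unredacted even when the surrounding log text has been anonymised, so they deserve the same care before being posted publicly.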