
Hello, please help: I am trying to set up IPsec between Racoon (Debian Squeeze) and a Huawei USG2110-A-GW-W.

The tunnel comes up, but no traffic passes through it. Please help me figure out what is wrong.

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log info;

listen { 
   isakmp racoon_ip [500];
   isakmp racoon_ip [4500];
}


remote huawei_ip
{
   ph1id 1;
   exchange_mode main;
   my_identifier address racoon_ip;
   peers_identifier address huawei_ip;
   ike_frag on;
   generate_policy = off;
   initial_contact = on;
   nat_traversal = on;

   support_proxy on;
   proposal_check claim;

   proposal
   {
       authentication_method pre_shared_key;
       encryption_algorithm des;
       hash_algorithm sha1;
       dh_group 1;
       lifetime time 28800 secs;
   }
}

sainfo subnet 192.168.70.0/24 any subnet 192.168.17.0/24 any
{
   remoteid 1;
   encryption_algorithm aes 256, aes 192, aes 128, blowfish 256, blowfish 248, blowfish 240, blowfish 232, blowfish 224, blowfish 216, blowfish 208, blowfish 200, blowfish 192, blowfish 184, blowfish 176, blowfish 168, blowfish 160, blowfish 152, blowfish 144, blowfish 136, blowfish 128, 3des, cast128, des;
   authentication_algorithm hmac_sha1,hmac_md5;
   lifetime time 3600 secs;
   compression_algorithm deflate;
}

/etc/ipsec.conf

spdadd 192.168.70.0/24 192.168.17.0/24 any -P out ipsec esp/tunnel/racoon_ip-huawei_ip/unique;
spdadd 192.168.17.0/24 192.168.70.0/24 any -P in ipsec esp/tunnel/huawei_ip-racoon_ip/unique;

Huawei settings:

Phase 1:

Encryption Algorithm: DES-CBC
DH Group: DH-Group 1
Authentication Algorithm: SHA1
SA Timeout: 86400
DPD Mode: none
Nat traversal: enabled

Phase 2:

Encapsulation Mode: Tunnel Mode
Security Protocol: ESP
ESP Encryption Algorithm: DES
ESP Authentication Algorithm: MD5
PFS: none
SA Timeout based on time 3600 Second
SA Timeout based on traffic 1843200 KB

iptables:

root@gw:/etc/racoon# iptables -L INPUT |grep 192.168.17
ACCEPT     all  --  192.168.17.0/24      anywhere            
root@gw:/etc/racoon# iptables -L FORWARD |grep 192.168.17
ACCEPT     all  --  192.168.17.0/24      anywhere            
ACCEPT     all  --  anywhere             192.168.17.0/24
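Added by the editor, not part of the original post: a small Python check that takes the racoon sainfo block and the setkey spdadd lines quoted above together with the Huawei Phase 2 settings, confirms that the SPD selectors mirror the sainfo subnets and that the single Huawei proposal actually appears in racoon's offered lists, and flags the legacy algorithms (DES, MD5) the negotiated pair would end up using. The inputs are constructed copies of the configuration in the post with the blowfish list shortened; racoon_ip and huawei_ip are the same placeholders the poster used, and the Huawei side is assumed to offer exactly one encryption/integrity pair as listed.

```python
import re

# Constructed inputs modelled on the configuration quoted in the post.
# racoon_ip / huawei_ip are the poster's placeholders, not real addresses.
RACOON_SAINFO = """
sainfo subnet 192.168.70.0/24 any subnet 192.168.17.0/24 any
{
   remoteid 1;
   encryption_algorithm aes 256, aes 192, aes 128, blowfish 256, 3des, cast128, des;
   authentication_algorithm hmac_sha1,hmac_md5;
   lifetime time 3600 secs;
   compression_algorithm deflate;
}
"""
RACOON_SPD = """
spdadd 192.168.70.0/24 192.168.17.0/24 any -P out ipsec esp/tunnel/racoon_ip-huawei_ip/unique;
spdadd 192.168.17.0/24 192.168.70.0/24 any -P in ipsec esp/tunnel/huawei_ip-racoon_ip/unique;
"""
# Huawei Phase 2 as listed in the post: a single proposal (assumed format).
HUAWEI_PHASE2 = {"encryption": "DES", "authentication": "MD5", "lifetime": 3600}

# Algorithms a defender would want replaced (56-bit DES, MD5 integrity, ...).
LEGACY_ENC = {"des", "3des", "blowfish", "cast128"}
LEGACY_AUTH = {"md5"}


def norm_enc(token):
    """'aes 256' / 'AES-256' -> ('aes', 256); 'des' / 'DES-CBC' -> ('des', None)."""
    parts = token.strip().lower().replace("-cbc", "").replace("-", " ").split()
    bits = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return (parts[0], bits)


def norm_auth(token):
    """'hmac_sha1' / 'SHA1' -> 'sha1'; 'hmac_md5' / 'MD5' -> 'md5'."""
    return re.sub(r"^hmac[_-]", "", token.strip().lower())


def parse_racoon_sainfo(text):
    """Pull selectors, offered algorithms and lifetime out of one sainfo block."""
    head = re.search(r"sainfo\s+subnet\s+(\S+)\s+\S+\s+subnet\s+(\S+)\s+\S+", text)
    body = dict(re.findall(r"^\s*(\w+)\s+([^;\n]+);", text, re.M))
    return {
        "local": head.group(1),
        "remote": head.group(2),
        "enc": [norm_enc(x) for x in body["encryption_algorithm"].split(",")],
        "auth": [norm_auth(x) for x in body["authentication_algorithm"].split(",")],
        "lifetime": int(re.search(r"time\s+(\d+)", body["lifetime"]).group(1)),
    }


SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+esp/tunnel/([^-]+)-([^/]+)/\w+"
)


def parse_spd(text):
    """Parse setkey spdadd lines into selectors, direction and tunnel endpoints."""
    return [{"src": m[0], "dst": m[1], "dir": m[2], "tsrc": m[3], "tdst": m[4]}
            for m in SPD_RE.findall(text)]


def check_spd(sainfo, policies):
    """List mismatches between the SPD and the sainfo selectors (empty = consistent)."""
    by_dir = {p["dir"]: p for p in policies}
    if set(by_dir) != {"in", "out"}:
        return ["expected exactly one 'in' and one 'out' policy"]
    out, inn, problems = by_dir["out"], by_dir["in"], []
    if (out["src"], out["dst"]) != (sainfo["local"], sainfo["remote"]):
        problems.append("outbound selectors do not match the sainfo subnets")
    if (inn["src"], inn["dst"]) != (sainfo["remote"], sainfo["local"]):
        problems.append("inbound selectors are not the mirror image of the outbound ones")
    if (out["tsrc"], out["tdst"]) != (inn["tdst"], inn["tsrc"]):
        problems.append("tunnel endpoints are not swapped between in and out")
    return problems


def negotiate(sainfo, peer):
    """(enc, auth) both sides can agree on, or None if the peer's single proposal
    is missing from either of racoon's offered lists."""
    enc, auth = norm_enc(peer["encryption"]), norm_auth(peer["authentication"])
    return (enc, auth) if enc in sainfo["enc"] and auth in sainfo["auth"] else None


def legacy_notes(pair):
    """Flag legacy algorithms in the negotiated pair."""
    (family, _), auth = pair
    notes = [f"ESP encryption {family} is a legacy algorithm"] if family in LEGACY_ENC else []
    if auth in LEGACY_AUTH:
        notes.append(f"ESP integrity {auth} is a legacy algorithm")
    return notes


def audit(sainfo_text, spd_text, peer):
    sainfo = parse_racoon_sainfo(sainfo_text)
    pair = negotiate(sainfo, peer)
    return {"phase2": pair,
            "spd_problems": check_spd(sainfo, parse_spd(spd_text)),
            "lifetimes_match": sainfo["lifetime"] == peer["lifetime"],
            "legacy": legacy_notes(pair) if pair else []}


if __name__ == "__main__":
    for key, value in audit(RACOON_SAINFO, RACOON_SPD, HUAWEI_PHASE2).items():
        print(f"{key}: {value}")
```

For the configuration in the post the check finds the SPD consistent and a negotiable pair (DES with MD5), so the Phase 2 proposals themselves are not the obvious culprit, but both algorithms are flagged as legacy; once the traffic problem is found, moving both ends to AES with SHA1 or better is the follow-up a security engineer would want.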
