dimka799 Posted 21 March 2014 (edited)

Please tell me what the problem could be. I wanted to set up IPSEC between FreeBSD 10 and a Cisco 881 in the simplest case, when they are connected to the same switch. Will it work if they are in the same Ethernet segment? I configured it following a manual, but for some reason the connection won't come up. The routes are in place, pings go through.

On FreeBSD it shows:

root@freebsd10_test:/usr/home/ice # setkey -D
No SAD entries.

The Cisco is completely silent, nothing gets written:

term mon
debug crypto isakmp
debug crypto ipsec

produces no output.

IP freebsd - 10.1.1.145/24
IP cisco - 10.1.1.77/24
Subnet behind freebsd - 192.168.10.0/24
Subnet behind cisco - 192.168.21.0/24

Cisco config:

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname kbls
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$np4Z$UM3xSq1uUB62KejV6oAjf0
enable password ciscoadmin
!
no aaa new-model
memory-size iomem 10
clock timezone Yekst 6
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-598190490
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-598190490
 revocation-check none
 rsakeypair TP-self-signed-598190490
!
!
crypto pki certificate chain TP-self-signed-598190490
 certificate self-signed 01
  3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35393831 39303439 30304E17 0D313430 33313830 39353731
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3539 38313930
  34393030 819F300D 06092A86 4886F70D 01010605 0003818D 00308189 02818100
  B91AAC19 C5069E0C AB5D5084 9A34ECC6 4F6872FB 53E6FF6A 23BD04A6 0A33982C
  13616E12 AA3143CE 3A79C080 2C01ED34 384801A6 B94AE326 E1C90447 7E7CE07F
  A8AB44A9 5F46FA2B 3B576A6F 4C1D6240 48E3006C 990F4AD5 7AFCC912 E7572BD8
  74CEC2D1 09E98F1A 4B4FA305 823E1DC5 0A695F67 18E49F4E CFF98941 94047965
  02030100 01A37430 72300F06 03561D13 0101FF04 05300301 01FF301F 0603551D
  11041830 1682146B 626C736B 7274722E 6B616D61 2D6F696C 2E727530 1F060355
  1D230418 30168014 46EAE6E2 4F15CE00 CC5984E2 C74BCFA8 0BD6867C 301D0603
  551D0E04 16041446 EAE6E24F 15CE00CC 5984E2C7 4BCFA80B D6867C30 0D06092A
  864886F7 0D010104 05000381 8100728E 1ED79E96 AAAB509D 8676A2E2 35697E14
  98675388 0DE44579 818BCF0A 4C1C4FF6 9809F9F1 0E625325 8434209A F7423428
  DA605598 AFB0959C E9BBEF9F 9998D7C9 2290DC0F 56D0E5EA 50EB2711 01163E1F
  8F2FAA37 034031A1 5B5DB3FA E683F6A4 5679A22B 8A6F7EF7 FEBA8D2B 6591BC0E
  194C8983 0AA840D6 B01BECE9 32FB
  quit
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name domain.ru
ip name-server 8.8.8.8
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX15040BWN
!
!
username root privilege 15 secret 5 $1$264I$T3D6YKd/kIkKBRpJ/
!
!
ip ssh version 1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key key12345 address 10.1.1.145
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set SDM_CMAP_1 esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description tunnel to freebsd
 set peer 10.1.1.145
 set transform-set SDM_CMAP_1
 set pfs group2
 match address 100
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 3
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 5
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 138.166.144.210 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan3
 ip address 10.1.1.77 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 crypto map SDM_CMAP_1
!
interface Vlan5
 ip address 192.168.21.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 192.168.10.0 255.255.255.0 10.1.1.145
!
ip access-list extended TEST
 permit icmp host 192.168.106.5 host 192.168.109.50
 permit ip host 192.168.106.5 host 192.168.109.50
 permit icmp any any
 permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.109.0 0.0.0.255
access-list 100 permit ip 192.168.21.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.21.0 0.0.0.255
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
snmp-server community ko_r0 RO
snmp-server community public RW
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password 123
 login local
 transport input ssh
!
scheduler max-task-time 5000
ntp source Vlan1
ntp update-calendar
ntp server 192.168.100.14
end

FreeBSD

ifconfig

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:62:11:c2
	inet 10.1.1.145 netmask 0xffffff00 broadcast 10.1.1.255
	inet6 fe80::20c:29ff:fe62:11c2%em0 prefixlen 64 scopeid 0x1
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vlan33: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:0c:29:62:11:c2
	inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
	inet6 fe80::20c:29ff:fe62:11c2%vlan33 prefixlen 64 scopeid 0x3
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 33 parent interface: em0

netstat

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.1.1.5           UGS         0        0    em0
10.1.1.0/24        link#1             U           0      151    em0
10.1.1.145         link#1             UHS         0        0    lo0
127.0.0.1          link#2             UH          0        0    lo0
192.168.10.0/24    link#3             U           0        0 vlan33
192.168.10.1       link#3             UHS         0        0    lo0

racoon.conf

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
#path pre_shared_key "/etc/psk.txt" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log debug2;

# "padding" defines some parameter of padding.  You should not touch these.
padding {
	maximum_length 20;
	randomize off;
	strict_check off;
	exclusive_tail off;
}
# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen {
	isakmp 10.1.1.145 [500];
}

# Specification of default various timer.
timer
{
	# These value can be changed per remote node.
	counter 5;		# maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.

	# timer for waiting to complete each phase.
	phase1 30 sec;
	phase2 15 sec;
}

remote 10.1.1.77 {
	exchange_mode main;
	#exchange_mode aggressive;
	doi ipsec_doi;
	situation identity_only;
	nonce_size 16;
	lifetime time 60 min;
	initial_contact on;
	support_proxy on;
	proposal_check obey;	# obey, strict or claim

	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo subnet 192.168.10.0/24 any address 192.168.21.0/24 any {
	pfs_group 2;
	lifetime time 24 hour;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
psk.txt

10.1.1.77	key12345

rc.conf

hostname="freebsd10_test"
ifconfig_em0="inet 10.1.1.145 netmask 255.255.255.0"
defaultrouter="10.1.1.5"
sshd_enable="YES"
moused_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
racoon_enable="YES"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
racoon_flags="-f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log"
ifconfig_em1="up"
cloned_interfaces="vlan33"
ifconfig_vlan33="inet 192.168.10.1 netmask 255.255.255.0 vlan 33 vlandev em0"

ipsec.conf

flush;
spdflush;
spdadd 192.168.10.0/24 192.168.21.0/24 any -P out ipsec esp/tunnel/10.1.1.145-10.1.1.77/unique;
spdadd 192.168.21.0/24 192.168.10.0/24 any -P in ipsec esp/tunnel/10.1.1.77-10.1.1.145/unique;

racoon.log

2014-03-21 17:34:15: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
2014-03-21 17:34:15: INFO: @(#)This product linked OpenSSL 1.0.1e-freebsd 11 Feb 2013 (http://www.openssl.org/)
2014-03-21 17:34:15: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2014-03-21 17:34:15: DEBUG2: lifetime = 3600
2014-03-21 17:34:15: DEBUG2: lifebyte = 0
2014-03-21 17:34:15: DEBUG2: encklen=0
2014-03-21 17:34:15: DEBUG2: p:1 t:1
2014-03-21 17:34:15: DEBUG2: 3DES-CBC(5)
2014-03-21 17:34:15: DEBUG2: SHA(2)
2014-03-21 17:34:15: DEBUG2: 1024-bit MODP group(2)
2014-03-21 17:34:15: DEBUG2: pre-shared key(1)
2014-03-21 17:34:15: DEBUG2:
2014-03-21 17:34:15: DEBUG2: Etype mismatch: got 2, expected 4.
2014-03-21 17:34:15: DEBUG: no check of compression algorithm; not supported in sadb message.
2014-03-21 17:34:15: DEBUG: getsainfo params: loc='192.168.10.0/24' rmt='192.168.21.0/24' peer='NULL' client='NULL' id=0
2014-03-21 17:34:15: DEBUG2: parse successed.
2014-03-21 17:34:15: INFO: 10.1.1.145[500] used for NAT-T
2014-03-21 17:34:15: INFO: 10.1.1.145[500] used as isakmp port (fd=5)
2014-03-21 17:34:15: DEBUG: pk_recv: retry[0] recv()
2014-03-21 17:34:15: DEBUG: got pfkey X_SPDDUMP message
2014-03-21 17:34:15: DEBUG2: 02120000 0f000100 01000000 49030000 03000500 ff180000 10020000 c0a81500 00000000 00000000 03000600 ff180000 10020000 c0a80a00 00000000 00000000 07001200 02000100 02000000 00000000 28003200 02030240 10020000 0a01014d 00000000 00000000 10020000 0a010191 00000000 00000000
2014-03-21 17:34:15: DEBUG: pk_recv: retry[0] recv()
2014-03-21 17:34:15: DEBUG: got pfkey X_SPDDUMP message
2014-03-21 17:34:15: DEBUG2: 02120000 0f000100 00000000 49030000 03000500 ff180000 10020000 c0a80a00 00000000 00000000 03000600 ff180000 10020000 c0a81500 00000000 00000000 07001200 02000200 01000000 00000000 28003200 02030140 10020000 0a010191 00000000 00000000 10020000 0a01014d 00000000 00000000
2014-03-21 17:34:15: DEBUG: sub:0x7fffffffd5c0: 192.168.10.0/24[0] 192.168.21.0/24[0] proto=any dir=out
2014-03-21 17:34:15: DEBUG: db :0x80205a490: 192.168.21.0/24[0] 192.168.10.0/24[0] proto=any dir=in
2014-03-21 17:34:48: DEBUG: pk_recv: retry[0] recv()
2014-03-21 17:34:48: DEBUG: got pfkey REGISTER message
2014-03-21 17:34:48: DEBUG2: 02070002 15000000 00000000 b4030000 0a000e00 00414000 02008000 80000191 0300a000 a0000589 05000001 00013e60 06008001 80010000 07000002 00028bd4 0800a000 a00019fb f9008000 80001749 fa00a000 a00050af fb000800 00085694 09000f00 b6cba495 02084000 4000940f 0308c000 c000ade3 06082800 80003a4c 07082800 c001fc66 0b040000 0008b1fc 0c104000 0001b501 16104000 00010000 f9085000 50000016
2014-03-21 17:34:48: INFO: unsupported PF_KEY message REGISTER
2014-03-21 17:34:48: DEBUG: pk_recv: retry[0] recv()
2014-03-21 17:34:48: DEBUG: got pfkey REGISTER message
2014-03-21 17:34:48: DEBUG2: 02070003 15000000 00000000 b4030000 0a000e00 00000000 02008000 80000000 0300a000 a0000000 05000001 00010000 06008001 80010000 07000002 00020000 0800a000 a0000000 f9008000 80000000 fa00a000 a0000000 fb000800 00080000 09000f00 00000000 02084000 40000000 0308c000 c0000100 06082800 80000000 07082800 c0010240 0b040000 0008014d 0c104000 00010000 16104000 00010191 f9085000 50000000
2014-03-21 17:34:48: INFO: unsupported PF_KEY message REGISTER
2014-03-21 17:45:08: DEBUG: pk_recv: retry[0] recv()
2014-03-21 17:45:08: DEBUG: got pfkey FLUSH message
2014-03-21 17:45:08: DEBUG2: 02090000 02000000 00000000 b4030000
2014-03-21 17:45:08: DEBUG2: flushing all ph2 handlers...

What could the error be? Thanks for the help!

Edited 21 March 2014 by dimka799
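For a setup like the one in this post, the two ends have to agree on three things: the phase 1 proposal (the IOS isakmp policy against racoon's remote/proposal block), the phase 2 proposal (the transform-set and set pfs against the sainfo block) and the traffic selectors and gateway addresses (the crypto ACL and set peer against the setkey SPD entries). The Python script below is an added example, not code from the post or from the racoon or IOS projects: it pulls the relevant lines out of both configurations (the three excerpts are copied from the post's own values), maps the two vendors' spellings onto one vocabulary and lists every mismatch it finds. The function names are my own; "aes" without a key length is treated as AES-128 on both sides (true for IOS esp-aes, assumed for racoon's default), lifetimes are not compared, and IOS ACL wildcards are parsed as host masks (a 0.0.0.0 host wildcard is not handled).

```python
"""Cross-check IKEv1 phase 1/2 proposals and traffic selectors between a Cisco IOS crypto map
and racoon.conf + ipsec.conf (setkey). Added example, not code from the post; the three
excerpts are copied from the post's own configs. Lifetimes are not compared."""
import ipaddress

CISCO_CFG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key key12345 address 10.1.1.145
crypto ipsec transform-set SDM_CMAP_1 esp-aes esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 10.1.1.145
 set pfs group2
access-list 100 permit ip 192.168.21.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
RACOON_CONF = """\
remote 10.1.1.77 {
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo subnet 192.168.10.0/24 any address 192.168.21.0/24 any {
    pfs_group 2;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
}
"""
IPSEC_CONF = "spdadd 192.168.10.0/24 192.168.21.0/24 any -P out ipsec esp/tunnel/10.1.1.145-10.1.1.77/unique;"

# One vocabulary for both vendors' spellings; "aes" without a key length is taken as AES-128 on
# both sides (true for IOS esp-aes, assumed for racoon's default). Unknown names pass through.
NORM = {"3des": "3des", "aes": "aes128", "esp-aes": "aes128", "sha": "sha1", "sha1": "sha1",
        "esp-sha-hmac": "sha1", "hmac_sha1": "sha1", "md5": "md5", "hmac_md5": "md5",
        "pre-share": "psk", "pre_shared_key": "psk", "2": "dh2", "group2": "dh2"}
KEYS = {"encr": "enc", "hash": "hash", "authentication": "auth", "group": "dh",       # IOS policy
        "encryption_algorithm": "enc", "hash_algorithm": "hash", "dh_group": "dh",     # racoon
        "authentication_method": "auth", "authentication_algorithm": "auth", "pfs_group": "pfs"}

def parse_cisco(text):
    cfg, parent = {"phase1": {"hash": "sha1"}, "phase2": {}, "acl": set()}, []  # IOS default: hash sha
    for line in text.splitlines():
        w = line.split()
        if line[:1] != " ":                       # top-level command, remembered for its children
            parent = w
            if w[:3] == ["crypto", "isakmp", "key"]:
                cfg["psk_address"] = w[-1]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["phase2"].update(enc=NORM.get(w[4], w[4]), auth=NORM.get(w[5], w[5]))
            elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:   # ACL wildcard = host mask
                cfg["acl"].add((ipaddress.ip_network(f"{w[4]}/{w[5]}"),
                                ipaddress.ip_network(f"{w[6]}/{w[7]}")))
        elif parent[:3] == ["crypto", "isakmp", "policy"] and w and w[0] in KEYS:
            cfg["phase1"][KEYS[w[0]]] = NORM.get(w[1], w[1])  # "encr aes 256"-style lengths ignored
        elif parent[:2] == ["crypto", "map"] and w[:2] in (["set", "peer"], ["set", "pfs"]):
            (cfg if w[1] == "peer" else cfg["phase2"])[w[1]] = NORM.get(w[2], w[2])
    return cfg

def parse_racoon(text):
    cfg, block = {"phase1": {}, "phase2": {}}, None
    for line in text.splitlines():
        w = line.replace("{", " ").replace(";", " ").split()
        if not w or w[0].startswith("#"):
            continue
        if w[0] == "remote":
            cfg["peer"], block = w[1], "remote"
        elif w[0] == "sainfo":                    # sainfo <kw> LOCAL any <kw> REMOTE any { (not "anonymous")
            cfg["selector"], block = (ipaddress.ip_network(w[2]), ipaddress.ip_network(w[5])), "sainfo"
        elif w[0] == "proposal":
            block = "proposal"
        elif w[0] == "}":
            block = "remote" if block == "proposal" else None
        elif block and w[0] in KEYS:              # proposal keys -> phase 1, sainfo keys -> phase 2
            cfg["phase2" if block == "sainfo" else "phase1"][KEYS[w[0]]] = NORM.get(w[1], w[1])
    return cfg

def parse_spd(text):                              # outbound spdadd lines -> (src, dst, local_gw, remote_gw)
    rows = [l.rstrip(";").split() for l in text.splitlines()]
    return [(ipaddress.ip_network(w[1]), ipaddress.ip_network(w[2]), *w[7].split("/")[2].split("-"))
            for w in rows if w[:1] == ["spdadd"] and w[5] == "out"]    # w[7] = esp/tunnel/LOCAL-REMOTE/level

def compare(cisco, racoon, spd):                  # list of mismatches; empty means both sides agree
    bad = []
    for phase in ("phase1", "phase2"):
        for k in sorted(set(cisco[phase]) | set(racoon[phase])):
            if cisco[phase].get(k) != racoon[phase].get(k):
                bad.append(f"{phase} {k}: cisco={cisco[phase].get(k)} racoon={racoon[phase].get(k)}")
    for src, dst, local, remote in spd:
        if (local, remote) != (cisco.get("peer"), racoon.get("peer")) or local != cisco.get("psk_address"):
            bad.append(f"tunnel endpoints {local}-{remote} != Cisco peer/key address and racoon remote")
        if (src, dst) != racoon.get("selector"):
            bad.append(f"SPD selector {src}->{dst} != sainfo selector")
        if (dst, src) not in cisco["acl"]:        # the Cisco crypto ACL must be the mirror image
            bad.append(f"crypto ACL has no mirror of {src}->{dst}")
    return bad

def check(cisco=CISCO_CFG, racoon=RACOON_CONF, spd=IPSEC_CONF):
    return compare(parse_cisco(cisco), parse_racoon(racoon), parse_spd(spd))
```

Run as `python3 -c 'import ikecheck; print(ikecheck.check() or "no mismatches")'` (assuming the file is saved as ikecheck.py) or feed it the full running-config and racoon.conf text instead of the excerpts. On the values in this post it reports nothing: 3DES/SHA1/PSK/group 2 for phase 1, AES/SHA1 with PFS group 2 for phase 2, and matching selectors and gateway addresses on both sides. That rules out a proposal mismatch as the thing the logs would show; the racoon.log above contains only SPD dump, PF_KEY REGISTER and FLUSH messages and no negotiation in either direction, so the next things to verify are whether any traffic matching the SPD is ever generated and whether ISAKMP packets (UDP port 500) appear on the wire between the two hosts at all.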