Перейти к содержимому
Калькуляторы

cisco881 + freebsd IPSEC

Ответить

dimka799   

dimka799
Опубликовано (изменено) · Жалоба

Подскажите пожалуйста, в чем может быть проблема.

Хотел настроить IPSEC между freebsd 10 и cisco 881, в самой простом случае, когда они в подключены к одному коммутатору.

Будет ли он работать, если они находятся в одном ethernet сегменте?

Настраивал по мануалу, но соединение почему то не хочет подниматься. Маршруты прописаны, пинги ходят.

На фре выдает:

root@freebsd10_test:/usr/home/ice # setkey -D

No SAD entries.

 

На циске вообще молчок, ничего не пишет:

term mon

debug crypto isamkp

debug crypto ipsek

ничего не выводится.

 

IP freebsd - 10.1.1.145/24

IP cisco - 10.1.1.77/24

 

Подсеть за freebsd - 192.168.10.0/24

Подсеть за циско - 192.168.21.0/24

 

 

 

Конфиг циски:

 

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname kbls
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$np4Z$UM3xSq1uUB62KejV6oAjf0
enable password ciscoadmin
!
no aaa new-model
memory-size iomem 10
clock timezone Yekst 6
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-598190490
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-598190490
revocation-check none
rsakeypair TP-self-signed-598190490
!
!
crypto pki certificate chain TP-self-signed-598190490
certificate self-signed 01
 3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
 30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
 69666963 6174652D 35393831 39303439 30304E17 0D313430 33313830 39353731
 385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
 532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3539 38313930
 34393030 819F300D 06092A86 4886F70D 01010605 0003818D 00308189 02818100
 B91AAC19 C5069E0C AB5D5084 9A34ECC6 4F6872FB 53E6FF6A 23BD04A6 0A33982C
 13616E12 AA3143CE 3A79C080 2C01ED34 384801A6 B94AE326 E1C90447 7E7CE07F
 A8AB44A9 5F46FA2B 3B576A6F 4C1D6240 48E3006C 990F4AD5 7AFCC912 E7572BD8
 74CEC2D1 09E98F1A 4B4FA305 823E1DC5 0A695F67 18E49F4E CFF98941 94047965
 02030100 01A37430 72300F06 03561D13 0101FF04 05300301 01FF301F 0603551D
 11041830 1682146B 626C736B 7274722E 6B616D61 2D6F696C 2E727530 1F060355
 1D230418 30168014 46EAE6E2 4F15CE00 CC5984E2 C74BCFA8 0BD6867C 301D0603
 551D0E04 16041446 EAE6E24F 15CE00CC 5984E2C7 4BCFA80B D6867C30 0D06092A
 864886F7 0D010104 05000381 8100728E 1ED79E96 AAAB509D 8676A2E2 35697E14
 98675388 0DE44579 818BCF0A 4C1C4FF6 9809F9F1 0E625325 8434209A F7423428
 DA605598 AFB0959C E9BBEF9F 9998D7C9 2290DC0F 56D0E5EA 50EB2711 01163E1F
 8F2FAA37 034031A1 5B5DB3FA E683F6A4 5679A22B 8A6F7EF7 FEBA8D2B 6591BC0E
 194C8983 0AA840D6 B01BECE9 32FB
       quit
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name domain.ru
ip name-server 8.8.8.8
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX15040BWN
!
!
username root privilege 15 secret 5 $1$264I$T3D6YKd/kIkKBRpJ/
!
!
ip ssh version 1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key key12345 address 10.1.1.145
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set SDM_CMAP_1 esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description tunnel to freebsd
set peer 10.1.1.145
set transform-set SDM_CMAP_1
set pfs group2
match address 100
!
!
!
!
!
interface FastEthernet0
switchport access vlan 3
!
interface FastEthernet1
!
interface FastEthernet2
switchport access vlan 5
!
interface FastEthernet3
!
interface FastEthernet4
ip address 138.166.144.210 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan3
ip address 10.1.1.77 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto map SDM_CMAP_1
!
interface Vlan5
ip address 192.168.21.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 192.168.10.0 255.255.255.0 10.1.1.145
!
ip access-list extended TEST
permit icmp host 192.168.106.5 host 192.168.109.50
permit ip host 192.168.106.5 host 192.168.109.50
permit icmp any any
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.109.0 0.0.0.255
access-list 100 permit ip 192.168.21.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.21.0 0.0.0.255
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
snmp-server community ko_r0 RO
snmp-server community public RW
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
password 123
login local
transport input ssh
!
scheduler max-task-time 5000
ntp source Vlan1
ntp update-calendar
ntp server 192.168.100.14
end

 

Freebsd

 

ifconfig

ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
       ether 00:0c:29:62:11:c2
       inet 10.1.1.145 netmask 0xffffff00 broadcast 10.1.1.255
       inet6 fe80::20c:29ff:fe62:11c2%em0 prefixlen 64 scopeid 0x1
       nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
       media: Ethernet autoselect (1000baseT <full-duplex>)
       status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
       options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
       inet6 ::1 prefixlen 128
       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
       inet 127.0.0.1 netmask 0xff000000
       nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vlan33: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=3<RXCSUM,TXCSUM>
       ether 00:0c:29:62:11:c2
       inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
       inet6 fe80::20c:29ff:fe62:11c2%vlan33 prefixlen 64 scopeid 0x3
       nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
       media: Ethernet autoselect (1000baseT <full-duplex>)
       status: active
       vlan: 33 parent interface: em0

 

netstat

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.1.1.5           UGS         0        0    em0
10.1.1.0/24        link#1             U           0      151    em0
10.1.1.145         link#1             UHS         0        0    lo0
127.0.0.1          link#2             UH          0        0    lo0
192.168.10.0/24    link#3             U           0        0 vlan33
192.168.10.1       link#3             UHS         0        0    lo0

 

racoon.conf

 

 # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

       path include "/usr/local/etc/racoon" ;

       path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
       #path pre_shared_key "/etc/psk.txt" ;

       # "log" specifies logging level.  It is followed by either "notify", "debug"
       # or "debug2".
       log debug2;

       # "padding" defines some parameter of padding.  You should not touch these.
       padding
       {
         maximum_length 20;
         randomize off;
         strict_check off;
         exclusive_tail off;
       }
........
       # if no listen directive is specified, racoon will listen to all
       # available interface addresses.
       listen
       {
         isakmp 10.1.1.145 [500];
       }
........
       # Specification of default various timer.
........
       timer
........
       {
       # These value can be changed per remote node.
         counter 5;# maximum trying count to send.
         interval 20 sec;# maximum interval to resend.
         persend 1;# the number of packets per a send.
........
       # timer for waiting to complete each phase.
         phase1 30 sec;
         phase2 15 sec;
       }

........
       remote 10.1.1.77<------><------>
       {
           exchange_mode main; <------>
           #exchange_mode aggressive;
           doi ipsec_doi;
           situation identity_only;
           nonce_size 16;
           lifetime time 60 min;
           initial_contact on;
           support_proxy on;
           proposal_check obey;# obey, strict or claim
       proposal {
                   encryption_algorithm 3des; 
                   hash_algorithm sha1;
                   authentication_method pre_shared_key;
                   dh_group 2;>
                }
       }
sainfo subnet 192.168.10.0/24 any address 192.168.21.0/24 any  {


           pfs_group 2;
           lifetime time 24 hour;
           encryption_algorithm aes;
           authentication_algorithm hmac_sha1;
           compression_algorithm deflate;
       }........

 

psk.txt

 

10.1.1.77<----->key12345

 

rc.conf

 

hostname="freebsd10_test"
ifconfig_em0="inet 10.1.1.145 netmask 255.255.255.0"
defaultrouter="10.1.1.5"
sshd_enable="YES"
moused_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

racoon_enable="YES"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
racoon_flags="-f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log"

ifconfig_em1="up"
cloned_interfaces="vlan33"
ifconfig_vlan33="inet 192.168.10.1 netmask 255.255.255.0 vlan 33 vlandev em0"

 

ipsec.conf

flush;
spdflush;

spdadd 192.168.10.0/24 192.168.21.0/24 any -P out ipsec esp/tunnel/10.1.1.145-10.1.1.77/unique;
spdadd 192.168.21.0/24 192.168.10.0/24 any -P in ipsec esp/tunnel/10.1.1.77-10.1.1.145/unique;

 

racoon.log

2014-03-21 17:34:15: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
2014-03-21 17:34:15: INFO: @(#)This product linked OpenSSL 1.0.1e-freebsd 11 Feb 2013 (http://www.openssl.org/)
2014-03-21 17:34:15: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2014-03-21 17:34:15: DEBUG2: lifetime = 3600
2014-03-21 17:34:15: DEBUG2: lifebyte = 0
2014-03-21 17:34:15: DEBUG2: encklen=0
2014-03-21 17:34:15: DEBUG2: p:1 t:1
2014-03-21 17:34:15: DEBUG2: 3DES-CBC(5)
2014-03-21 17:34:15: DEBUG2: SHA(2)
2014-03-21 17:34:15: DEBUG2: 1024-bit MODP group(2)
2014-03-21 17:34:15: DEBUG2: pre-shared key(1)
2014-03-21 17:34:15: DEBUG2:
2014-03-21 17:34:15: DEBUG2: Etype mismatch: got 2, expected 4.
2014-03-21 17:34:15: DEBUG: no check of compression algorithm; not supported in sadb message.
2014-03-21 17:34:15: DEBUG: getsainfo params: loc='192.168.10.0/24' rmt='192.168.21.0/24' peer='NULL' client='NULL' id=0
2014-03-21 17:34:15: DEBUG2: parse successed.
2014-03-21 17:34:15: INFO: 10.1.1.145[500] used for NAT-T
2014-03-21 17:34:15: INFO: 10.1.1.145[500] used as isakmp port (fd=5)
2014-03-21 17:34:15: DEBUG: pk_recv: retry[0] recv()
2014-03-21 17:34:15: DEBUG: got pfkey X_SPDDUMP message
2014-03-21 17:34:15: DEBUG2:
02120000 0f000100 01000000 49030000 03000500 ff180000 10020000 c0a81500
00000000 00000000 03000600 ff180000 10020000 c0a80a00 00000000 00000000
07001200 02000100 02000000 00000000 28003200 02030240 10020000 0a01014d
00000000 00000000 10020000 0a010191 00000000 00000000
2014-03-21 17:34:15: DEBUG: pk_recv: retry[0] recv()
2014-03-21 17:34:15: DEBUG: got pfkey X_SPDDUMP message
2014-03-21 17:34:15: DEBUG2:
02120000 0f000100 00000000 49030000 03000500 ff180000 10020000 c0a80a00
00000000 00000000 03000600 ff180000 10020000 c0a81500 00000000 00000000
07001200 02000200 01000000 00000000 28003200 02030140 10020000 0a010191
00000000 00000000 10020000 0a01014d 00000000 00000000
2014-03-21 17:34:15: DEBUG: sub:0x7fffffffd5c0: 192.168.10.0/24[0] 192.168.21.0/24[0] proto=any dir=out
2014-03-21 17:34:15: DEBUG: db :0x80205a490: 192.168.21.0/24[0] 192.168.10.0/24[0] proto=any dir=in
2014-03-21 17:34:48: DEBUG: pk_recv: retry[0] recv()
2014-03-21 17:34:48: DEBUG: got pfkey REGISTER message
2014-03-21 17:34:48: DEBUG2:
02070002 15000000 00000000 b4030000 0a000e00 00414000 02008000 80000191
0300a000 a0000589 05000001 00013e60 06008001 80010000 07000002 00028bd4
0800a000 a00019fb f9008000 80001749 fa00a000 a00050af fb000800 00085694
09000f00 b6cba495 02084000 4000940f 0308c000 c000ade3 06082800 80003a4c
07082800 c001fc66 0b040000 0008b1fc 0c104000 0001b501 16104000 00010000
f9085000 50000016
2014-03-21 17:34:48: INFO: unsupported PF_KEY message REGISTER
2014-03-21 17:34:48: DEBUG: pk_recv: retry[0] recv()
2014-03-21 17:34:48: DEBUG: got pfkey REGISTER message
2014-03-21 17:34:48: DEBUG2:
02070003 15000000 00000000 b4030000 0a000e00 00000000 02008000 80000000
0300a000 a0000000 05000001 00010000 06008001 80010000 07000002 00020000
0800a000 a0000000 f9008000 80000000 fa00a000 a0000000 fb000800 00080000
09000f00 00000000 02084000 40000000 0308c000 c0000100 06082800 80000000
07082800 c0010240 0b040000 0008014d 0c104000 00010000 16104000 00010191
f9085000 50000000
2014-03-21 17:34:48: INFO: unsupported PF_KEY message REGISTER
2014-03-21 17:45:08: DEBUG: pk_recv: retry[0] recv()
2014-03-21 17:45:08: DEBUG: got pfkey FLUSH message
2014-03-21 17:45:08: DEBUG2:
02090000 02000000 00000000 b4030000
2014-03-21 17:45:08: DEBUG2: flushing all ph2 handlers...

В чем может быть ошибка?

Спасибо за помощь!

Изменено пользователем dimka799

Поделиться сообщением

Ссылка на сообщение
Поделиться на других сайтах

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Гость
Ответить в тему...

×   Вставлено в виде отформатированного текста.   Вставить в виде обычного текста

  Разрешено не более 75 смайлов.

×   Ваша ссылка была автоматически встроена.   Отобразить как ссылку

×   Ваш предыдущий контент был восстановлен.   Очистить редактор

×   Вы не можете вставить изображения напрямую. Загрузите или вставьте изображения по ссылке.

×
Подписчики 0
Перейти к списку тем Активное оборудование Ethernet, IP, MPLS, SDN/NFV...