Добрый день, помогите с проблемкой пожалуйста
Пытаюсь объединить сети 192.168.0.0/24 роутер D-Link DI-824VUP+ белый ИП ZZZ.ZZZ.ZZZ.ZZZ
и 192.168.1.0/24 роутер ubuntu server 11.04 ядро 2.6.38.2 ipsec-tools 0.7.3 белый ИП XXX.XXX.XXX.XXXСоединение поднимается, на D-Link DI-824VUP+ пишется
IKE Phase2 (IPSEC SA) established : [192.168.1.0|XXX.XXX.XXX.XXX]<->[ZZZ.ZZZ.ZZZ.ZZZ|192.168.0.0]
С него 192.168.1.1 пингуется, другие машины нет
C убунты ни 192.168.0.1 ни другие машины не пингуются
В iptables всё разрешено по умолчанию
Конфиги, логи с убунты:
Подскажите, что я делаю не так?
racoon.conf
# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $
# "path" affects "include" directives. "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "/usr/local/v6/etc" ;
#include "remote.conf" ;
# the file should contain key ID/key pairs, for pre-shared key authentication.
#path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
path include "/etc/racoon" ;
path pre_shared_key "/etc/racoon/psk.txt" ;
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/local/openssl/certs" ;
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen on all
# available interface addresses.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
# maximum time to wait for completing each phase.
phase1 30 sec;
phase2 15 sec;
}
remote anonymous
{
#exchange_mode main,aggressive,base;
exchange_mode main,base;
#my_identifier fqdn "server.kame.net";
#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;
lifetime time 24 hour ; # sec,min,hour
#initial_contact off ;
#passive on ;
generate_policy on;
# phase 1 proposal (for ISAKMP SA)
proposal {
encryption_algorithm des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
# the configuration could makes racoon (as a responder)
# to obey the initiator's lifetime and PFS group proposal,
# by setting proposal_check to obey.
# this would makes testing "so much easier", but is really
# *not* secure !!!
proposal_check strict;
}
# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use)
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
# pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm des, cast128, blowfish 448, des, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
ipsec-tools.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/XXX.XXX.XXX.XXX-ZZZ.ZZZ.ZZZ.ZZZ/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/ZZZ.ZZZ.ZZZ.ZZZ-XXX.XXX.XXX.XXX/require;
racoon.log
2011-05-17 15:30:35: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2011-05-17 15:30:35: INFO: @(#)This product linked OpenSSL 0.9.8o 01 Jun 2010 (http://www.openssl.org/)
2011-05-17 15:30:35: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2011-05-17 15:30:35: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
2011-05-17 15:30:35: INFO: 127.0.0.1[500] used for NAT-T
2011-05-17 15:30:35: INFO: XXX.XXX.XXX.XXX[500] used as isakmp port (fd=8)
2011-05-17 15:30:35: INFO: XXX.XXX.XXX.XXX[500] used for NAT-T
2011-05-17 15:30:35: INFO: 192.168.1.1[500] used as isakmp port (fd=9)
2011-05-17 15:30:35: INFO: 192.168.1.1[500] used for NAT-T
2011-05-17 15:30:35: INFO: ::1[500] used as isakmp port (fd=10)
2011-05-17 15:30:35: INFO: fe80::1e6f:65ff:fe2b:2659%eth2[500] used as isakmp port (fd=11)
2011-05-17 15:30:35: INFO: fe80::202:b3ff:fec0:d86d%eth1[500] used as isakmp port (fd=12)
2011-05-17 15:30:36: INFO: respond new phase 1 negotiation: XXX.XXX.XXX.XXX[500]<=>ZZZ.ZZZ.ZZZ.ZZZ[500]
2011-05-17 15:30:36: INFO: begin Identity Protection mode.
2011-05-17 15:30:36: WARNING: SPI size isn't zero, but IKE proposal.
2011-05-17 15:30:36: INFO: ISAKMP-SA established XXX.XXX.XXX.XXX[500]-ZZZ.ZZZ.ZZZ.ZZZ[500] spi:2e743de0e9548774:17b7087cbf50544d
2011-05-17 15:30:36: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>ZZZ.ZZZ.ZZZ.ZZZ[500]
2011-05-17 15:30:36: INFO: no policy found, try to generate the policy : 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2011-05-17 15:30:36: INFO: IPsec-SA established: ESP/Tunnel ZZZ.ZZZ.ZZZ.ZZZ[0]->XXX.XXX.XXX.XXX[0] spi=202565108(0xc12e5f4)
2011-05-17 15:30:36: INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.XXX[500]->ZZZ.ZZZ.ZZZ.ZZZ[500] spi=1291890512(0x4d00af50)
2011-05-17 15:30:36: ERROR: such policy does not already exist: "192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=in"
2011-05-17 15:30:36: ERROR: such policy does not already exist: "192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=fwd"
2011-05-17 15:30:36: ERROR: such policy does not already exist: "192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out"
Вариант для распечатки
on 19-Май-11, 12:14 
