Прошу помощи, сделал все по мануалу. туннель не устанавливается:
в логах
На длинке
Код:
Monday November 29, 2010 15:53:15 IKED re-TX : AINIT to X.X.X.X
Monday November 29, 2010 15:53:35 IKED re-TX : AINIT to X.X.X.X
Monday November 29, 2010 15:53:36 IKE phase1 (ISAKMP SA) remove : Y.Y.Y.Y <-> X.X.X.X
Monday November 29, 2010 15:53:36 Send IKE A1(AINIT) : Y.Y.Y.Y --> X.X.X.X
Monday November 29, 2010 15:53:41 IKED re-TX : AINIT to X.X.X.X
на FreeBSD
Код:
/usr/home/flash8ack/>/usr/local/sbin/racoon -F -v -f /usr/local/etc/racoon/racoon.conf
Foreground mode.
2010-12-25 13:54:32: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2010-12-25 13:54:32: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
2010-12-25 13:54:32: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2010-12-25 13:54:32: WARNING: /usr/local/etc/racoon/racoon.conf:44: "support_mip6" it is obsoleted. use "support_proxy".
2010-12-25 13:54:32: INFO: X.X.X.X[500] used as isakmp port (fd=5)
2010-12-25 13:54:34: INFO: respond new phase 1 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
2010-12-25 13:54:34: INFO: begin Aggressive mode.
2010-12-25 13:54:34: WARNING: No ID match.
2010-12-25 13:54:34: WARNING: SPI size isn't zero, but IKE proposal.
2010-12-25 13:54:34: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 3DES-CBC:DES-CBC
2010-12-25 13:54:34: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:768-bit MODP group
2010-12-25 13:54:34: ERROR: no suitable proposal found.
2010-12-25 13:54:34: ERROR: failed to get valid proposal.
2010-12-25 13:54:34: ERROR: failed to pre-process packet.
2010-12-25 13:54:34: ERROR: phase1 negotiation failed.
конфиг ракона:
Код:
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
isakmp 192.168.250.25 [500];
}
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}
remote anonymous
{
exchange_mode main,aggressive;
#exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
#my_identifier address;
my_identifier user_fqdn "user@domain.ru";
peers_identifier user_fqdn "user@domain.ru";
#certificate_type x509 "mycert" "mypriv";
nonce_size 16;
lifetime time 3600 sec; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
>настройки D-Link (DI-804HV):
>IKE: ike1 - group2 - DES-56bit - SHA1 - 3600sec
>IPSEC: ipsec1 - group2 - ESP - DES-56bit - MD5 - 3600sec
Вход
Регистрация
FAQ
Поиск
