Post subject: DI-804HV - VPN IPsec - openswan
Posted: Tue Feb 15, 2011 00:34

Joined: Sun Sep 06, 2009 22:41
Posts: 8
Greetings!
I have:
1) DI-804HV: hardware C3 \\ firmware V1.51b16 (the latest from this site)
WAN 172.21.136.194/26 \\ LAN 192.168.2.1/24

2) server: AltLinux Server 5.0.2 + Openswan Version 2.6.32
WAN 172.21.136.195/26 \\ LAN 192.168.1.2/24

I need to bring up an IPsec tunnel between them.
I started from scratch and dug through a pile of material, but it doesn't work...
Configs:
D-Link: based on http://dlink.ru/ru/faq/92/500.html and http://wiki.openswan.org/index.php/Openswan/DI-804HV and others.
Code:
Local Subnet: 192.168.2.0
Local Netmask: 255.255.255.0
Remote Subnet: 192.168.1.0
Remote Netmask: 255.255.255.0
Remote Gateway: 172.21.136.195
Preshare Key: PASSWORD
Extended Authentication: NOT Enabled
IPSec NAT Traversal: NOT Enabled
Remote ID: IP Address
   Value: 172.21.136.195 <- Set to external IP of remote gateway
Local ID: IP Address
   Value: 172.21.136.194 <- Set to external IP of D-Link

----- IKE PROPOSAL INDEX -------

Proposal Name: IKE Proposal
DH Group: Group 2
Encrypt Algorithm: 3DES
Auth Algorithm: MD5
Life Time: 28800

----- IPSEC PROPOSAL INDEX -----

Proposal Name: IPSEC Proposal
DH Group: Group 2
Encap Protocol: ESP
Encrypt algorithm: 3DES
Auth algorithm: SHA1
Life Time: 3600


On the server, the ipsec.conf file:
Quote:
# /etc/ipsec.conf - Openswan IPsec configuration file
config setup
plutodebug=all
interfaces=%defaultroute
klipsdebug=none
uniqueids=yes
nat_traversal=no
protostack=netkey

conn small
left=172.21.136.195
leftid=172.21.136.195
leftsubnet=192.168.1.0/24
#leftsourceip=192.168.1.2
#leftnexthop=172.21.136.194
right=172.21.136.194
rightsubnet=192.168.2.0/24
rightid=172.21.136.194
#rightnexthop=172.21.136.195
keyexchange=ike
ikelifetime=240m
keylife=3600s
pfs=yes
ike=3des-md5
compress=no
authby=secret
keyingtries=0
disablearrivalcheck=no
auto=start
rekey=no
auth=esp



Logs from the D-Link
Code:
Mon Feb 14 20:55:43 2011 Receive IKE M1(INIT) : 172.21.136.195 --> 172.21.136.194
Mon Feb 14 20:55:43 2011 Try to match with ENC:3DES AUTH:PSK HASH:MD5 Group:Group5
Mon Feb 14 20:55:43 2011 Try to match with ENC:3DES AUTH:PSK HASH:MD5 Group:Group2
Mon Feb 14 20:55:43 2011 Send IKE M2(RESP) : 172.21.136.194 --> 172.21.136.195
Mon Feb 14 20:55:46 2011 Receive IKE INFO : 172.21.136.195 --> 172.21.136.194
Mon Feb 14 20:55:49 2011 IKED re-TX : RESP to 172.21.136.195
Mon Feb 14 20:55:51 2011 Receive IKE INFO : 172.21.136.195 --> 172.21.136.194
Mon Feb 14 20:55:54 2011 IKED re-TX : RESP to 172.21.136.195
Mon Feb 14 20:55:56 2011 Receive IKE INFO : 172.21.136.195 --> 172.21.136.194
Mon Feb 14 20:55:57 2011     receiving a re-Tx MM msg, response the last msg
Mon Feb 14 20:55:57 2011 IKED re-TX : MM to 172.21.136.195
Mon Feb 14 20:55:59 2011 Receive IKE INFO : 172.21.136.195 --> 172.21.136.194
Mon Feb 14 20:56:07 2011 IKED re-TX : RESP to 172.21.136.195
Mon Feb 14 20:56:09 2011 Receive IKE INFO : 172.21.136.195 --> 172.21.136.194
Mon Feb 14 20:56:17 2011     receiving a re-Tx MM msg, response the last msg
Mon Feb 14 20:56:17 2011 IKED re-TX : MM to 172.21.136.195
Mon Feb 14 20:56:18 2011 Send IKE (INFO) : delete 172.21.136.194 -> 172.21.136.195 phase 1
Mon Feb 14 20:56:18 2011 IKE phase1 (ISAKMP SA) remove : 172.21.136.194 <-> 172.21.136.195


Log from the server, /var/log/auth/secure
Code:
----------------
Starting Pluto subsystem...
 Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:19664
 LEAK_DETECTIVE support [disabled]
 OCF support for IKE [disabled]
 SAref support [disabled]: Protocol not available
 SAbind support [disabled]: Protocol not available
 NSS support [disabled]
 HAVE_STATSD notification support not compiled in
 Setting NAT-Traversal port-4500 floating to off
    port floating activation criteria nat_t=0/port_float=1
    NAT-Traversal support  [disabled]
 | opening /dev/urandom
 using /dev/urandom as source of random entropy
 | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
 | event added at head of queue
 | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
 | event added at head of queue
 | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
 | event added after event EVENT_PENDING_DDNS
 ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
 ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
 ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
 ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
 ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
 ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
 ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
 no helpers will be started, all cryptographic operations will be done inline
 Using Linux 2.6 IPsec interface code on 2.6.27-ovz-smp-alt9 (experimental code)
 | process 19664 listening for PF_KEY_V2 on file descriptor 9
 | finish_pfkey_msg: K_SADB_REGISTER message 1 for AH
 |   02 07 00 02  02 00 00 00  01 00 00 00  d0 4c 00 00
 | pfkey_get: K_SADB_REGISTER message 1
 | AH registered with kernel.
 | finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP
 |   02 07 00 03  02 00 00 00  02 00 00 00  d0 4c 00 00
 | pfkey_get: K_SADB_REGISTER message 2
 | alg_init():memset(0x700be0, 0, 2016) memset(0x7013c0, 0, 2048)
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=19 sadb_supported_len=56
 | kernel_alg_add():satype=3, exttype=14, alg_id=251
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14, satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
 | kernel_alg_add():satype=3, exttype=14, alg_id=2
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14, satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
 | kernel_alg_add():satype=3, exttype=14, alg_id=3
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14, satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
 | kernel_alg_add():satype=3, exttype=14, alg_id=5
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14, satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256, res=0, ret=1
 | kernel_alg_add():satype=3, exttype=14, alg_id=8
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14, satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
 | kernel_alg_add():satype=3, exttype=14, alg_id=9
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14, satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=19 sadb_supported_len=80
 | kernel_alg_add():satype=3, exttype=15, alg_id=11
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=15, satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
 | kernel_alg_add():satype=3, exttype=15, alg_id=2
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=15, satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0, ret=1
 | kernel_alg_add():satype=3, exttype=15, alg_id=3
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15, satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
 | kernel_alg_add():satype=3, exttype=15, alg_id=7
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15, satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448, res=0, ret=1
 | kernel_alg_add():satype=3, exttype=15, alg_id=12
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15, satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
 | kernel_alg_add():satype=3, exttype=15, alg_id=252
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15, satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
 | kernel_alg_add():satype=3, exttype=15, alg_id=22
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15, satype=3, alg_id=22, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
 | kernel_alg_add():satype=3, exttype=15, alg_id=253
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15, satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
 | kernel_alg_add():satype=3, exttype=15, alg_id=13
 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15, satype=3, alg_id=13, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
 | kernel_alg_add():satype=3, exttype=15, alg_id=18
 | kernel_alg_add():satype=3, exttype=15, alg_id=19
 | kernel_alg_add():satype=3, exttype=15, alg_id=20
 | kernel_alg_add():satype=3, exttype=15, alg_id=14
 | kernel_alg_add():satype=3, exttype=15, alg_id=15
 | kernel_alg_add():satype=3, exttype=15, alg_id=16
 ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
 ike_alg_add(): ERROR: Algorithm already exists
 ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
 ike_alg_add(): ERROR: Algorithm already exists
 ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
 ike_alg_add(): ERROR: Algorithm already exists
 ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
 ike_alg_add(): ERROR: Algorithm already exists
 ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
 ike_alg_add(): ERROR: Algorithm already exists
 ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
 | ESP registered with kernel.
 | finish_pfkey_msg: K_SADB_REGISTER message 3 for IPCOMP
 |   02 07 00 09  02 00 00 00  03 00 00 00  d0 4c 00 00
 | pfkey_get: K_SADB_REGISTER message 3
 | IPCOMP registered with kernel.
 Changed path to directory '/etc/ipsec.d/cacerts'
 Changed path to directory '/etc/ipsec.d/aacerts'
 Changed path to directory '/etc/ipsec.d/ocspcerts'
 Changing to directory '/etc/ipsec.d/crls'
   Warning: empty directory
 | inserting event EVENT_LOG_DAILY, timeout in 10012 seconds
 | event added after event EVENT_REINIT_SECRET
 | next event EVENT_PENDING_DDNS in 57 seconds
 | 
 | *received whack message
 | alg_info_parse_str() ealg_buf=3des aalg_buf=md5eklen=0  aklen=0
 | enum_search_prefix () calling enum_search(0x4c4740, "OAKLEY_3DES")
 | enum_search_ppfixi () calling enum_search(0x4c4740, "OAKLEY_3DES_CBC")
 | parser_alg_info_add() ealg_getbyname("3des")=5
 | enum_search_prefix () calling enum_search(0x4c4780, "OAKLEY_MD5")
 | parser_alg_info_add() aalg_getbyname("md5")=1
 | __alg_info_ike_add() ealg=5 aalg=1 modp_id=5, cnt=1
 | __alg_info_ike_add() ealg=5 aalg=1 modp_id=2, cnt=2
 | Added new connection small with policy PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+IKEv2ALLOW+SAREFTRACK
 | from whack: got --esp=3des-sha1;modp1024
 | enum_search_prefix () calling enum_search(0x4c4820, "OAKLEY_GROUP_MODP1024")
 | alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0  aklen=0
 | enum_search_prefix () calling enum_search(0x4c4220, "ESP_3DES")
 | parser_alg_info_add() ealg_getbyname("3des")=3
 | enum_search_prefix () calling enum_search(0x4c4440, "AUTH_ALGORITHM_HMAC_SHA1")
 | parser_alg_info_add() aalg_getbyname("sha1")=2
 | __alg_info_esp_add() ealg=3 aalg=2 cnt=1
 | esp string values: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
 | ike (phase1) algorihtm values: 3DES_CBC(5)_000-MD5(1)_000-MODP1536(5), 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict
 | counting wild cards for 172.21.136.195 is 0
 | counting wild cards for 172.21.136.194 is 0
 | alg_info_addref() alg_info->ref_cnt=1
 | alg_info_addref() alg_info->ref_cnt=1
 added connection description "small"
 | 192.168.1.0/24===172.21.136.195<172.21.136.195>[+S=C]...172.21.136.194<172.21.136.194>[+S=C]===192.168.2.0/24
 | ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+IKEv2ALLOW+SAREFTRACK
 | * processed 0 messages from cryptographic helpers
 | next event EVENT_PENDING_DDNS in 56 seconds
 | next event EVENT_PENDING_DDNS in 56 seconds
 | 
 | *received whack message
 listening for IKE messages
 | found lo with address 127.0.0.1
 | found eth0 with address 172.21.136.195
 | found eth1 with address 192.168.1.2
 adding interface eth1/eth1 192.168.1.2:500
 adding interface eth0/eth0 172.21.136.195:500
 adding interface lo/lo 127.0.0.1:500
 | could not open /proc/net/if_inet6
 | connect_to_host_pair: 172.21.136.195:500 172.21.136.194:500 -> hp:none
 loading secrets from "/etc/ipsec.secrets"
 | id type added to secret(0x705d40) PPK_PSK: 172.21.136.194
 | id type added to secret(0x705d40) PPK_PSK: 172.21.136.195
 | Processing PSK at line 1: passed
 | * processed 0 messages from cryptographic helpers
 | next event EVENT_PENDING_DDNS in 55 seconds
 | next event EVENT_PENDING_DDNS in 55 seconds
 | 
 | *received whack message
 | processing connection small
 | route owner of "small" unrouted: NULL; eroute owner: NULL
 | could_route called for small (kind=CK_PERMANENT)
 | route owner of "small" unrouted: NULL; eroute owner: NULL
 | route_and_eroute with c: small (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
 | request to add a prospective erouted policy with netkey kernel --- experimental
 | route_and_eroute: firewall_notified: true
 | command executing prepare-client
 | executing prepare-client: 2>&1 PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='small' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='172.21.136.194' PLUTO_ME='172.21.136.195' PLUTO_MY_ID='172.21.136.195' PLUTO_MY_CLIENT='192.168.1.0/24' PLUTO_MY_CLIENT_NET='192.168.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='172.21.136.194' PLUTO_PEER_ID='172.21.136.194' PLUTO_PEER_CLIENT='192.168.2.0/24' PLUTO_PEER_CLIENT_NET='192.168.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey'  PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+IKEv2ALLOW+SAREFTRACK'   PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' ipsec _updown
 | popen(): cmd is 746 chars long
 | cmd(   0):2>&1 PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='small' PL:
 | cmd(  80):UTO_INTERFACE='eth0' PLUTO_NEXT_HOP='172.21.136.194' PLUTO_ME='172.21.136.195' P:
 | cmd( 160):LUTO_MY_ID='172.21.136.195' PLUTO_MY_CLIENT='192.168.1.0/24' PLUTO_MY_CLIENT_NET:
 | cmd( 240):='192.168.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_P:
 | cmd( 320):ROTOCOL='0' PLUTO_PEER='172.21.136.194' PLUTO_PEER_ID='172.21.136.194' PLUTO_PEE:
 | cmd( 400):R_CLIENT='192.168.2.0/24' PLUTO_PEER_CLIENT_NET='192.168.2.0' PLUTO_PEER_CLIENT_:
 | cmd( 480):MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA=':
 | cmd( 560):' PLUTO_STACK='netkey'  PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+IKEv:
 | cmd( 640):2ALLOW+SAREFTRACK'   PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PE:
 | cmd( 720):ER_BANNER='' ipsec _updown:
 | command executing route-client
 | executing route-client: 2>&1 PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='small' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='172.21.136.194' PLUTO_ME='172.21.136.195' PLUTO_MY_ID='172.21.136.195' PLUTO_MY_CLIENT='192.168.1.0/24' PLUTO_MY_CLIENT_NET='192.168.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='172.21.136.194' PLUTO_PEER_ID='172.21.136.194' PLUTO_PEER_CLIENT='192.168.2.0/24' PLUTO_PEER_CLIENT_NET='192.168.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey'  PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+IKEv2ALLOW+SAREFTRACK'   PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' ipsec _updown
 | popen(): cmd is 744 chars long
 | cmd(   0):2>&1 PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='small' PLUT:
 | cmd(  80):O_INTERFACE='eth0' PLUTO_NEXT_HOP='172.21.136.194' PLUTO_ME='172.21.136.195' PLU:
 | cmd( 160):TO_MY_ID='172.21.136.195' PLUTO_MY_CLIENT='192.168.1.0/24' PLUTO_MY_CLIENT_NET=':
 | cmd( 240):192.168.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PRO:
 | cmd( 320):TOCOL='0' PLUTO_PEER='172.21.136.194' PLUTO_PEER_ID='172.21.136.194' PLUTO_PEER_:
 | cmd( 400):CLIENT='192.168.2.0/24' PLUTO_PEER_CLIENT_NET='192.168.2.0' PLUTO_PEER_CLIENT_MA:
 | cmd( 480):SK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' :
 | cmd( 560):PLUTO_STACK='netkey'  PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+IKEv2A:
 | cmd( 640):LLOW+SAREFTRACK'   PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER:
 | cmd( 720):_BANNER='' ipsec _updown:
 | * processed 0 messages from cryptographic helpers
 | next event EVENT_PENDING_DDNS in 54 seconds
 | next event EVENT_PENDING_DDNS in 54 seconds
 | 
 | *received whack message
 | processing connection small
 | kernel_alg_db_new() initial trans_cnt=90
 | kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
 | kernel_alg_db_new()     trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
 | returning new proposal from esp_info
 | creating state object #1 at 0x705e40
 | processing connection small
 | ICOOKIE:  55 91 31 ac  75 e9 24 fe
 | RCOOKIE:  00 00 00 00  00 00 00 00
 | state hash entry 13
 | inserting state object #1 on chain 13
 | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
 | event added at head of queue
 | processing connection small
 | Queuing pending Quick Mode with 172.21.136.194 "small"
 "small" #1: initiating Main Mode
 | **emit ISAKMP Message:
 |    initiator cookie:
 |   55 91 31 ac  75 e9 24 fe
 |    responder cookie:
 |   00 00 00 00  00 00 00 00
 |    next payload type: ISAKMP_NEXT_SA
 |    ISAKMP version: ISAKMP Version 1.0 (rfc2407)
 |    exchange type: ISAKMP_XCHG_IDPROT
 |    flags: none
 |    message ID:  00 00 00 00
 | ***emit ISAKMP Security Association Payload:
 |    next payload type: ISAKMP_NEXT_VID
 |    DOI: ISAKMP_DOI_IPSEC
 | ****emit IPsec DOI SIT:
 |    IPsec DOI SIT: SIT_IDENTITY_ONLY
 | out_sa pcn: 0 has 1 valid proposals
 | out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 2
 | ****emit ISAKMP Proposal Payload:
 |    next payload type: ISAKMP_NEXT_NONE
 |    proposal number: 0
 |    protocol ID: PROTO_ISAKMP
 |    SPI size: 0
 |    number of transforms: 2
 | *****emit ISAKMP Transform Payload (ISAKMP):
 |    next payload type: ISAKMP_NEXT_T
 |    transform number: 0
 |    transform ID: KEY_IKE
 | ******emit ISAKMP Oakley attribute:
 |    af+type: OAKLEY_LIFE_TYPE
 |    length/value: 1
 |     [1 is OAKLEY_LIFE_SECONDS]
 | ******emit ISAKMP Oakley attribute:
 |    af+type: OAKLEY_LIFE_DURATION
 |    length/value: 14400
 | ******emit ISAKMP Oakley attribute:
 |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
 |    length/value: 5
 |     [5 is OAKLEY_3DES_CBC]
 | ******emit ISAKMP Oakley attribute:
 |    af+type: OAKLEY_HASH_ALGORITHM
 |    length/value: 1
 |     [1 is OAKLEY_MD5]
 | ******emit ISAKMP Oakley attribute:
 |    af+type: OAKLEY_AUTHENTICATION_METHOD
 |    length/value: 1
 |     [1 is OAKLEY_PRESHARED_KEY]
 | ******emit ISAKMP Oakley attribute:
 |    af+type: OAKLEY_GROUP_DESCRIPTION
 |    length/value: 5
 |     [5 is OAKLEY_GROUP_MODP1536]
 | emitting length of ISAKMP Transform Payload (ISAKMP): 32
 | *****emit ISAKMP Transform Payload (ISAKMP):
 |    next payload type: ISAKMP_NEXT_NONE
 |    transform number: 1
 |    transform ID: KEY_IKE
 | ******emit ISAKMP Oakley attribute:
 |    af+type: OAKLEY_LIFE_TYPE
 |    length/value: 1
 |     [1 is OAKLEY_LIFE_SECONDS]
 | ******emit ISAKMP Oakley attribute:
 |    af+type: OAKLEY_LIFE_DURATION
 |    length/value: 14400
 | ******emit ISAKMP Oakley attribute:
 |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
 |    length/value: 5
 |     [5 is OAKLEY_3DES_CBC]
 | ******emit ISAKMP Oakley attribute:
 |    af+type: OAKLEY_HASH_ALGORITHM
 |    length/value: 1
 |     [1 is OAKLEY_MD5]
 | ******emit ISAKMP Oakley attribute:
 |    af+type: OAKLEY_AUTHENTICATION_METHOD
 |    length/value: 1
 |     [1 is OAKLEY_PRESHARED_KEY]
 | ******emit ISAKMP Oakley attribute:
 |    af+type: OAKLEY_GROUP_DESCRIPTION
 |    length/value: 2
 |     [2 is OAKLEY_GROUP_MODP1024]
 | emitting length of ISAKMP Transform Payload (ISAKMP): 32
 | emitting length of ISAKMP Proposal Payload: 72
 | emitting length of ISAKMP Security Association Payload: 84
 | ***emit ISAKMP Vendor ID Payload:
 |    next payload type: ISAKMP_NEXT_VID
 | emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
 | Vendor ID  4f 45 68 79  4c 64 41 43  65 63 66 61
 | emitting length of ISAKMP Vendor ID Payload: 16
 | out_vendorid(): sending [Dead Peer Detection]
 | ***emit ISAKMP Vendor ID Payload:
 |    next payload type: ISAKMP_NEXT_NONE
 | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
 | V_ID  af ca d7 13  68 a1 f1 c9  6b 86 96 fc  77 57 01 00
 | emitting length of ISAKMP Vendor ID Payload: 20
 | nat traversal enabled: 0
 | emitting length of ISAKMP Message: 148
 | sending 148 bytes for main_outI1 through eth0:500 to 172.21.136.194:500 (using #1)
 |   55 91 31 ac  75 e9 24 fe  00 00 00 00  00 00 00 00
 |   01 10 02 00  00 00 00 00  00 00 00 94  0d 00 00 54
 |   00 00 00 01  00 00 00 01  00 00 00 48  00 01 00 02
 |   03 00 00 20  00 01 00 00  80 0b 00 01  80 0c 38 40
 |   80 01 00 05  80 02 00 01  80 03 00 01  80 04 00 05
 |   00 00 00 20  01 01 00 00  80 0b 00 01  80 0c 38 40
 |   80 01 00 05  80 02 00 01  80 03 00 01  80 04 00 02
 |   0d 00 00 10  4f 45 68 79  4c 64 41 43  65 63 66 61
 |   00 00 00 14  af ca d7 13  68 a1 f1 c9  6b 86 96 fc
 |   77 57 01 00
 | deleting event for #1
 | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
 | event added at head of queue
 | * processed 0 messages from cryptographic helpers
 | next event EVENT_RETRANSMIT in 10 seconds for #1
 | next event EVENT_RETRANSMIT in 10 seconds for #1
 | 
 | *received 84 bytes from 172.21.136.194:500 on eth0 (port=500)
 |   55 91 31 ac  75 e9 24 fe  5b 2a 88 b8  36 16 dc 01
 |   01 10 02 00  00 00 00 00  00 00 00 54  04 00 00 38
 |   00 00 00 01  00 00 00 01  00 00 00 2c  01 01 00 01
 |   00 00 00 24  01 01 00 00  80 01 00 05  80 02 00 01
 |   80 03 00 01  80 04 00 02  80 0b 00 01  00 0c 00 04
 |   00 00 38 40
 | **parse ISAKMP Message:
 |    initiator cookie:
 |   55 91 31 ac  75 e9 24 fe
 |    responder cookie:
 |   5b 2a 88 b8  36 16 dc 01
 |    next payload type: ISAKMP_NEXT_SA
 |    ISAKMP version: ISAKMP Version 1.0 (rfc2407)
 |    exchange type: ISAKMP_XCHG_IDPROT
 |    flags: none
 |    message ID:  00 00 00 00
 |    length: 84
 |  processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
 | ICOOKIE:  55 91 31 ac  75 e9 24 fe
 | RCOOKIE:  5b 2a 88 b8  36 16 dc 01
 | state hash entry 25
 | v1 state object not found
 | ICOOKIE:  55 91 31 ac  75 e9 24 fe
 | RCOOKIE:  00 00 00 00  00 00 00 00
 | state hash entry 13
 | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
 | v1 state object #1 found, in STATE_MAIN_I1
 | processing connection small
 | got payload 0x2(ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080
 | ***parse ISAKMP Security Association Payload:
 |    next payload type: ISAKMP_NEXT_KE
 |    length: 56
 |    DOI: ISAKMP_DOI_IPSEC
 "small" #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_KE)
 "small" #1: sending notification INVALID_PAYLOAD_TYPE to 172.21.136.194:500
 | **emit ISAKMP Message:
 |    initiator cookie:
 |   55 91 31 ac  75 e9 24 fe
 |    responder cookie:
 |   00 00 00 00  00 00 00 00
 |    next payload type: ISAKMP_NEXT_N
 |    ISAKMP version: ISAKMP Version 1.0 (rfc2407)
 |    exchange type: ISAKMP_XCHG_INFO
 |    flags: none
 |    message ID:  00 00 00 00
 | ***emit ISAKMP Notification Payload:
 |    next payload type: ISAKMP_NEXT_NONE
 |    DOI: ISAKMP_DOI_IPSEC
 |    protocol ID: 1
 |    SPI size: 0
 |    Notify Message Type: INVALID_PAYLOAD_TYPE
 | emitting length of ISAKMP Notification Payload: 12
 | emitting length of ISAKMP Message: 40
 | sending 40 bytes for notification packet through eth0:500 to 172.21.136.194:500 (using #1)
 |   55 91 31 ac  75 e9 24 fe  00 00 00 00  00 00 00 00
 |   0b 10 05 00  00 00 00 00  00 00 00 28  00 00 00 0c
 |   00 00 00 01  01 00 00 01
 | * processed 0 messages from cryptographic helpers
 | next event EVENT_RETRANSMIT in 7 seconds for #1


It seems to me that these lines may be the key ones
Code:
....
 ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
 ike_alg_add(): ERROR: Algorithm already exists
 ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
 ike_alg_add(): ERROR: Algorithm already exists
 ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
 ike_alg_add(): ERROR: Algorithm already exists
 ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
 ike_alg_add(): ERROR: Algorithm already exists
 ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
 ike_alg_add(): ERROR: Algorithm already exists
 ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
.....................
 | *received 84 bytes from 172.21.136.194:500 on eth0 (port=500)
 |   55 91 31 ac  75 e9 24 fe  5b 2a 88 b8  36 16 dc 01
 |   01 10 02 00  00 00 00 00  00 00 00 54  04 00 00 38
 |   00 00 00 01  00 00 00 01  00 00 00 2c  01 01 00 01
 |   00 00 00 24  01 01 00 00  80 01 00 05  80 02 00 01
 |   80 03 00 01  80 04 00 02  80 0b 00 01  00 0c 00 04
 |   00 00 38 40
 | **parse ISAKMP Message:
 |    initiator cookie:
 |   55 91 31 ac  75 e9 24 fe
 |    responder cookie:
 |   5b 2a 88 b8  36 16 dc 01
 |    next payload type: ISAKMP_NEXT_SA
 |    ISAKMP version: ISAKMP Version 1.0 (rfc2407)
 |    exchange type: ISAKMP_XCHG_IDPROT
 |    flags: none
 |    message ID:  00 00 00 00
 |    length: 84
 |  processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
 | ICOOKIE:  55 91 31 ac  75 e9 24 fe
 | RCOOKIE:  5b 2a 88 b8  36 16 dc 01
 | state hash entry 25
 | v1 state object not found
 | ICOOKIE:  55 91 31 ac  75 e9 24 fe
 | RCOOKIE:  00 00 00 00  00 00 00 00
 | state hash entry 13
 | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
 | v1 state object #1 found, in STATE_MAIN_I1
 | processing connection small
 | got payload 0x2(ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080
 | ***parse ISAKMP Security Association Payload:
 |    next payload type: ISAKMP_NEXT_KE
 |    length: 56
 |    DOI: ISAKMP_DOI_IPSEC
 "small" #1: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_KE)
 "small" #1: sending notification INVALID_PAYLOAD_TYPE to 172.21.136.194:500
..........

I'm asking for advice :?:


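To see what pluto actually objected to in that 84-byte reply, here is an added example (my own code, not from the thread or from Openswan) that decodes the hex dump from the log above: it walks the ISAKMP payload chain by the next-payload fields, the way pluto does, and reports that the D-Link's SA payload announces a following KE payload even though the declared message length ends right after the SA. It assumes only the RFC 2408/2409 header, SA, Proposal, Transform and attribute layouts; the name tables are abbreviated to the values that occur in this capture.

```python
"""Decode the IKEv1 reply captured in the pluto debug log (added example)."""
import struct

# Hex copied from the "*received 84 bytes from 172.21.136.194:500" dump above.
RESPONSE_HEX = """
55 91 31 ac  75 e9 24 fe  5b 2a 88 b8  36 16 dc 01
01 10 02 00  00 00 00 00  00 00 00 54  04 00 00 38
00 00 00 01  00 00 00 01  00 00 00 2c  01 01 00 01
00 00 00 24  01 01 00 00  80 01 00 05  80 02 00 01
80 03 00 01  80 04 00 02  80 0b 00 01  00 0c 00 04
00 00 38 40
"""

# Abbreviated name tables (RFC 2408 payload/exchange types, RFC 2409 attributes).
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 10: "NONCE", 13: "VID"}
EXCHANGE_NAMES = {2: "IDPROT (main mode)", 4: "AGGRESSIVE", 5: "INFO"}
ATTR_NAMES = {1: "ENCRYPTION_ALGORITHM", 2: "HASH_ALGORITHM",
              3: "AUTHENTICATION_METHOD", 4: "GROUP_DESCRIPTION",
              11: "LIFE_TYPE", 12: "LIFE_DURATION"}


def parse_attributes(buf: bytes) -> dict:
    """Parse ISAKMP data attributes: TV form if the high bit is set, else TLV."""
    attrs, off = {}, 0
    while off < len(buf):
        af_type, lv = struct.unpack_from("!HH", buf, off)
        atype = af_type & 0x7FFF
        if af_type & 0x8000:            # TV: the 16-bit field is the value itself
            value, off = lv, off + 4
        else:                           # TLV: the 16-bit field is the value length
            value = int.from_bytes(buf[off + 4:off + 4 + lv], "big")
            off += 4 + lv
        attrs[ATTR_NAMES.get(atype, atype)] = value
    return attrs


def parse_isakmp(raw: bytes) -> dict:
    """Return header facts, the payloads really present, the attributes of the
    first transform in the SA, and any next-payload pointer left dangling."""
    _icookie, _rcookie, np, _ver, xchg, _flags, _msgid, length = struct.unpack_from(
        "!8s8sBBBBII", raw, 0)
    info = {"exchange": EXCHANGE_NAMES.get(xchg, xchg), "declared_length": length,
            "actual_length": len(raw), "payloads": [], "sa_attributes": {},
            "dangling_next_payload": None}
    off, next_payload = 28, np          # 28 = fixed ISAKMP header size
    while next_payload != 0:
        if off + 4 > len(raw):
            # The previous payload promised another one, but the message is over.
            info["dangling_next_payload"] = PAYLOAD_NAMES.get(next_payload, next_payload)
            break
        np2, _res, plen = struct.unpack_from("!BBH", raw, off)   # generic payload header
        body = raw[off + 4:off + plen]
        info["payloads"].append(PAYLOAD_NAMES.get(next_payload, next_payload))
        if next_payload == 1:           # SA payload: DOI(4) SIT(4) then one Proposal
            _np, _r, prop_len, _pnum, _proto, spi_size, _ntrans = struct.unpack_from(
                "!BBHBBBB", body, 8)
            trans = body[8 + 8 + spi_size:8 + prop_len]   # first Transform payload
            _np, _r, tlen, _tnum, _tid, _r2 = struct.unpack_from("!BBHBBH", trans, 0)
            info["sa_attributes"] = parse_attributes(trans[8:tlen])
        off, next_payload = off + plen, np2
    return info


def decode_thread_capture() -> dict:
    """Decode the capture quoted from the thread's pluto log."""
    return parse_isakmp(bytes.fromhex(RESPONSE_HEX))


if __name__ == "__main__":
    for key, value in decode_thread_capture().items():
        print(f"{key}: {value}")
```

An SA payload followed by KE is the aggressive-mode layout, which is consistent with the later post reporting that aggressive mode was enabled on the D-Link.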
 
Post subject: Re: DI-804HV - VPN IPsec - openswan
Posted: Wed Feb 16, 2011 00:51

Joined: Sun Sep 06, 2009 22:41
Posts: 8
Does nobody have any thoughts on this problem?? :?:


 
Post subject: Re: DI-804HV - VPN IPsec - openswan
Posted: Thu Feb 17, 2011 01:04

Joined: Sun Sep 06, 2009 22:41
Posts: 8
I've made a little progress: I hadn't noticed that aggressive mode was enabled on the D-Link.
Now it outputs the following
Code:
 Send IKE M1(INIT) : 172.21.136.194 --> 172.21.136.195
 IKED re-TX : INIT to 172.21.136.195
 Receive IKE M2(RESP) : 172.21.136.195 --> 172.21.136.194
 Try to match with ENC:3DES AUTH:PSK HASH:SHA1 Group:Group2
Send IKE M3(KEYINIT) : 172.21.136.194 --> 172.21.136.195
 Receive IKE M4(KEYRESP) : 172.21.136.195 --> 172.21.136.194
 Send IKE M5(IDINIT) : 172.21.136.194 --> 172.21.136.195
 Receive IKE INFO : 172.21.136.195 --> 172.21.136.194
 Send IKE (INFO) : delete 172.21.136.194 -> 172.21.136.195 phase 1
 IKE phase1 (ISAKMP SA) remove : 172.21.136.194 <-> 172.21.136.195


 
Post subject: Re: DI-804HV - VPN IPsec - openswan
Posted: Wed Feb 22, 2012 10:41

Joined: Wed Feb 22, 2012 10:36
Posts: 65
I'd like to second the question! Did you manage to establish the link? If so, how?


 
Post subject: Re: DI-804HV - VPN IPsec - openswan
Posted: Mon Feb 04, 2013 22:16

Joined: Wed Feb 22, 2012 10:36
Posts: 65
The thread is two years old! Did anything get resolved with the IPsec? How? Share the info!

