Доброе время суток всем.
Взяли на тестирование DFL-600. Задача - организация VPN канала между центральным и удаленным офисом. В центре стоит m0n0wall 1.11 (Основанный на FreeBSD, если я не ошибаюсь), IP - 212.1.x.x Lan - 192.168.10.0/24. Ну а на перифирии - соответственно DFL-600 (Device Name DFL-600; Hardware Version 2A1; Firmware Version 3.00), IP - 212.17.x.x Lan - 192.168.0.0/24.
Проблема в том что VPN соединение не устанавливается.
Лог D-Linka
43 Start P1 negotiation with peer 212.1.x.x
44 AggressiveMode Exchange Selected
45 AM init:sent [HDR][SA][KE][Ni][IDii]
46 AM init:recv [HDR][SA][KE][Nr][IDir][HASH_R]
47 AM init:sent [HDR][HASH_I]
48 Phase 1 negotiation succeeded with 212.1.x.x
49 Sent Notification INITIAL_CONTACT to 212.1.x.x
50 Start P2 negotiation with peer 212.1x.x.x
51 QM init:sent [HDR][HASH(1)][SA][Ni][KE][IDci,IDcr]
Лог m0n0wallа
Mar 12 18:41:19 racoon: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation: 212.1.x.x[500]<=>212.17.x.x[500]
Mar 12 18:41:19 racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Aggressive mode.
Mar 12 18:41:21 racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
Mar 12 18:41:21 racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 212.1.x.x[500]-212.17.x.x[500] spi:ac4ef1d9ef244fd5:38eb718f01285f2f
Mar 12 18:41:22 racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: 212.1.x.x[0]<=>212.17.x.x[0]
Mar 12 18:41:22 racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed to get sainfo.
Mar 12 18:41:22 racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed to get sainfo.
Mar 12 18:41:22 racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.
Mar 12 18:41:29 racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: 212.1.x.x[0]<=>212.17.x.x[0]
Mar 12 18:41:29 racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed to get sainfo.
Mar 12 18:41:29 racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed to get sainfo.
Mar 12 18:41:29 racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.
Mar 12 18:41:37 racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: 212.1.x.x[0]<=>212.17.x.x[0]
Mar 12 18:41:37 racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed to get sainfo.
Mar 12 18:41:37 racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed to get sainfo.
Mar 12 18:41:37 racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.
При этом на перифирии доступ к хосту 212.1.x.x в это время вообще невозможен (Пока на D-Linke не выключишь IPSec).
Правила на D-Linke
IPSec Status Enable
Tunnel Name XXX
Peer Tunnel Type Static IP
Termination IP 212.1.x.x
Peer ID Type Address IPV4_Addr
Peer ID 212.17.x.x
Shared Key qwerty
IKE Mode Agressive
Encapsulation Tunnel
NAT traversal Normal
IPSec Operation ESP
P1 Proposals Authentication
P2 Proposals SA/Key Exchange
Target Host Range
Starting Target Host 192.168.10.1
Subnet Mask 255.255.255.0
P1 Proposals
Name Authentication
DH Group Group 2
IKE Life Duration 6000
IKE Encryption 3DES
IKE Hash MD5
P2 Proposals
Name SA/Key Exchange
PFS Mode Group 2
Encapsulation ESP
IPSec Life Duration 6000
ESP Transform 3DES
ESP Auth HMAC-MD5
Правила на m0n0wall'е
Remote subnet 192.168.0.0/24
Remote gateway 212.17.x.x
Phase 1 proposal
Negotiation mode Aggresive
My identifier My IP Address
Encryption algorithm 3DES
Hash algorithm MD5
DH key group 2
Lifetime 6000
Pre-Shared Key qwerty
Phase 2 proposal
Protocol ESP
Encryption algorithms 3DES
Hash algorithms MD5
PFS key group 2
Lifetime 6000
Фу, дописал кажись. Надеюсь не здря
Вход
Регистрация
FAQ
Поиск
