Post subject: VPN between DFL-210 and openswan
Posted: Fri Jun 15, 2007 07:54
We have a router running Fedora Core 3 with openswan on it.
Config:
Code:
conn %default
    type=tunnel
    auth=esp
    authby=secret
    keylife=28800s
    ikelifetime=86347s
    keyexchange=ike
    ike=3des-md5-modp1024
    esp=3des-sha1
    compress=no
    keyingtries=0
    disablearrivalcheck=no
    pfs=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart

conn urengoy
    left=62.105.xx.xx
    leftsubnet=192.168.129.0/24
    leftnexthop=62.105.xx.yy
    right=88.205.xxx.xxx
    rightsubnet=192.168.139.0/24
    rightnexthop=88.205.xxx.yyy
    auto=add

And a DFL-210 with IPsec configured on it:
Code:
Local Network : lannet
Remote Network: ipsec_lan
Remote end point: ipsec_gw
IKE Algorithms: medium
IKE Life Time: 86347
IPsec Algorithms: medium
IPsec Life Time: 28800
Authentication: PSK
IKE XAuth: off
Automatic Routing:
    Dynamically add route to the remote network when a tunnel is established
    Automatically pick the address of a local interface that corresponds to the local net
IKE:
    Aggressive DH Group 2
    PFS DH Group 2
Security Association: Per Net
NAT Traversal: Off
Keep-alive: Disabled
Automatic Route Creation:
    Add route for remote network
    Route Metric: 90


When trying to bring the connection up,
on openswan:
Code:
[root@proxy etc]# ipsec auto --up urengoy
117 "urengoy" #104: STATE_QUICK_I1: initiate
010 "urengoy" #104: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "urengoy" #104: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "urengoy" #104: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "urengoy" #104: starting keying attempt 2 of an unlimited number, but releasing whack


Code:
Jun 15 10:46:54 proxy pluto[2450]: "urengoy" #105: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #100 {using isakmp#5}
Jun 15 10:46:54 proxy pluto[2450]: "urengoy" #5: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Jun 15 10:47:00 proxy pluto[2450]: "urengoy" #5: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 15 10:47:00 proxy pluto[2450]: "urengoy" #5: received and ignored informational message
Jun 15 10:47:02 proxy pluto[2450]: "urengoy" #5: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Jun 15 10:47:10 proxy pluto[2450]: "urengoy" #101: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jun 15 10:47:10 proxy pluto[2450]: "urengoy" #101: starting keying attempt 17 of an unlimited number
Jun 15 10:47:10 proxy pluto[2450]: "urengoy" #106: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #101 {using isakmp#5}
Jun 15 10:47:10 proxy pluto[2450]: "urengoy" #5: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Jun 15 10:47:18 proxy pluto[2450]: "urengoy" #5: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 15 10:47:18 proxy pluto[2450]: "urengoy" #5: received and ignored informational message
Jun 15 10:47:20 proxy pluto[2450]: "urengoy" #5: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 15 10:47:20 proxy pluto[2450]: "urengoy" #5: received and ignored informational message
Jun 15 10:47:25 proxy pluto[2450]: "urengoy" #5: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Jun 15 10:47:26 proxy pluto[2450]: "urengoy" #5: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Jun 15 10:47:28 proxy pluto[2450]: "urengoy" #102: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jun 15 10:47:28 proxy pluto[2450]: "urengoy" #102: starting keying attempt 25 of an unlimited number
Jun 15 10:47:28 proxy pluto[2450]: "urengoy" #107: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #102 {using isakmp#5}
Jun 15 10:47:28 proxy pluto[2450]: "urengoy" #5: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Jun 15 10:47:30 proxy pluto[2450]: "urengoy" #103: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jun 15 10:47:30 proxy pluto[2450]: "urengoy" #103: starting keying attempt 29 of an unlimited number
Jun 15 10:47:30 proxy pluto[2450]: "urengoy" #108: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #103 {using isakmp#5}
Jun 15 10:47:30 proxy pluto[2450]: "urengoy" #5: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Jun 15 10:47:44 proxy pluto[2450]: "urengoy" #5: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 15 10:47:44 proxy pluto[2450]: "urengoy" #5: received and ignored informational message
Jun 15 10:47:46 proxy pluto[2450]: "urengoy" #5: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Jun 15 10:47:54 proxy pluto[2450]: "urengoy" #104: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jun 15 10:47:54 proxy pluto[2450]: "urengoy" #104: starting keying attempt 2 of an unlimited number, but releasing whack
Jun 15 10:47:54 proxy pluto[2450]: "urengoy" #109: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #104 {using isakmp#5}
Jun 15 10:47:54 proxy pluto[2450]: "urengoy" #5: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Jun 15 10:47:54 proxy pluto[2450]: "urengoy" #5: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 15 10:47:54 proxy pluto[2450]: "urengoy" #5: received and ignored informational message
Jun 15 10:47:54 proxy pluto[2450]: "urengoy" #5: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Jun 15 10:48:04 proxy pluto[2450]: "urengoy" #105: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jun 15 10:48:04 proxy pluto[2450]: "urengoy" #105: starting keying attempt 32 of an unlimited number
Jun 15 10:48:04 proxy pluto[2450]: "urengoy" #110: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #105 {using isakmp#5}
Jun 15 10:48:04 proxy pluto[2450]: "urengoy" #5: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Jun 15 10:48:10 proxy pluto[2450]: "urengoy" #5: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 15 10:48:10 proxy pluto[2450]: "urengoy" #5: received and ignored informational message
Jun 15 10:48:11 proxy pluto[2450]: "urengoy" #5: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client


On the DFL-210:
Code:
2007-06-15 05:51:35 Info IPSEC 01803024 xauth_exchange_done rev=1 statusmsg=Authentication
2007-06-15 05:51:35 Info IPSEC 01803021 ipsec_sa_statistics rev=1 done=1887 success=0 failed=1887
2007-06-15 05:51:35 Warning IPSEC 01800109 ike_quickmode_failed rev=1 local_ip=88.205.xxx.xxx remote_ip=62.105.xx.xx cookies=7dd8ebed2527af7277399e3cfd9d62d9 reason="Timeout"
2007-06-15 05:51:35 Warning IPSEC 01803020 ipsec_sa_failed no_ipsec_sa rev=1 statusmsg="Timeout"
2007-06-15 05:51:35 Info IPSEC 01800102 ipsec_event rev=1 message=" Remote Proxy ID 192.168.129.0/24 any"
2007-06-15 05:51:35 Info IPSEC 01800102 ipsec_event rev=1 message=" Local Proxy ID 192.168.139.0/24 any"
2007-06-15 05:51:35 Info IPSEC 01802704 ike_sa_negotiation_completed ike_sa_completed rev=1 local_peer="88.205.xxx.xxx ID 88.205.xxx.xxx" remote_peer="62.105.xx.xx ID 62.105.xx.xx" int_severity=6
2007-06-15 05:51:35 Info IPSEC 01800102 ipsec_event rev=1 message="IPSec SA [Responder] negotiation failed:"
2007-06-15 05:51:11 Info IPSEC 01803021 ipsec_sa_statistics rev=1 done=1886 success=0 failed=1886
2007-06-15 05:51:11 Warning IPSEC 01800109 ike_quickmode_failed rev=1 local_ip=88.205.xxx.xxx remote_ip=62.105.xx.xx cookies=7dd8ebed2527af7277399e3cfd9d62d9 reason="No proposal chosen"
2007-06-15 05:51:11 Warning IPSEC 01803020 ipsec_sa_failed no_ipsec_sa rev=1 statusmsg="No proposal chosen"
2007-06-15 05:51:11 Info IPSEC 01800102 ipsec_event rev=1 message=" Remote Proxy ID 192.168.129.0/24 any"
2007-06-15 05:51:11 Info IPSEC 01800102 ipsec_event rev=1 message=" Local Proxy ID 192.168.139.0/24 any"
2007-06-15 05:51:11 Info IPSEC 01802704 ike_sa_negotiation_completed ike_sa_completed rev=1 local_peer="88.205.xxx.xxx ID 88.205.xxx.xxx" remote_peer="62.105.xx.xx ID 62.105.xx.xx" int_severity=6
2007-06-15 05:51:11 Info IPSEC 01800102 ipsec_event rev=1 message="IPSec SA [Responder] negotiation failed:"
2007-06-15 05:51:11 Notice IPSEC 01802300 rule_selection_failed rev=1 info=Quick-Mode local ID mismatch int_severity=6
2007-06-15 05:51:11 Info IPSEC 01803001 failed_to_select_policy_rule rev=1
2007-06-15 05:51:11 Warning IPSEC 01800102 ipsec_event rev=1 message=" Remote Proxy ID 192.168.129.0/24 any"
2007-06-15 05:51:11 Warning IPSEC 01800102 ipsec_event rev=1 message=" Local Proxy ID 192.168.139.0/24 any"
2007-06-15 05:51:11 Info IPSEC 01802704 ike_sa_negotiation_completed ike_sa_completed rev=1 local_peer="88.205.xxx.xxx ID 88.205.xxx.xxx" remote_peer="62.105.xx.xx ID 62.105.xx.xx" int_severity=4
2007-06-15 05:51:11 Warning IPSEC 01800102 ipsec_event rev=1 message="IPSec SA [Responder] negotiation failed:"


Posted: Fri Jun 15, 2007 09:15
On the 210:
IKE
Aggressive DH Group 2
PFS DH Group 2
but the config has no group 2; if you want to use group 2, specify:
conn dlink
    esp=3des-md5-96
    ike=3des-md5-modp1024
    keyexchange=ike
    ikelifetime=28800s
    keylife=3600s
    pfs=yes
    pfsgroup=modp1024
    compress=no


Posted: Fri Jun 15, 2007 10:30
I tried that; the result is the same.


Posted: Fri Jun 15, 2007 10:38
It works for me.
I am not going to give advice on configuring OpenSwan; as for decoding the device's logs, it says:
ike_quickmode_failed
rev=1 local_ip=88.205.xxx.xxx remote_ip=62.105.xx.xx cookies=7dd8ebed2527af7277399e3cfd9d62d9 reason="No proposal chosen"

They cannot agree on the encryption for QuickMode.


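A small triage of the pluto lines quoted in this thread, as an added example that is not part of any poster's message: it counts Quick Mode initiations, NO_PROPOSAL_CHOSEN notifies and unexpected MODECFG messages per connection and names the phase that failed. The function name `triage` and the verdict labels are made up for this example.

```python
import re
from collections import Counter, defaultdict

# Four lines taken from the pluto log in the first post of this thread.
SAMPLE_LOG = """\
Jun 15 10:46:54 proxy pluto[2450]: "urengoy" #105: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #100 {using isakmp#5}
Jun 15 10:46:54 proxy pluto[2450]: "urengoy" #5: received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client
Jun 15 10:47:00 proxy pluto[2450]: "urengoy" #5: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 15 10:47:10 proxy pluto[2450]: "urengoy" #101: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
# (hypothetical event label, pattern searched in the message part of a pluto line)
EVENTS = [
    ("quick_initiated", re.compile(r"initiating Quick Mode .*\{using isakmp#(\d+)\}")),
    ("no_proposal", re.compile(r"informational payload, type NO_PROPOSAL_CHOSEN")),
    ("modecfg_unexpected", re.compile(r"received MODECFG message .* we aren't xauth client")),
    ("quick_timeout", re.compile(r"max number of retransmissions \(\d+\) reached STATE_QUICK_")),
    ("main_timeout", re.compile(r"max number of retransmissions \(\d+\) reached STATE_MAIN_")),
]

def triage(log_text):
    """Return {conn: {"counts": Counter, "ike_sas": set of isakmp SA numbers, "verdict": str}}.

    Quick Mode rides on an existing ISAKMP SA, so an initiation plus a
    NO_PROPOSAL_CHOSEN notify means Phase 1 is up and Phase 2 was refused."""
    result = defaultdict(lambda: {"counts": Counter(), "ike_sas": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-connection pluto line
        entry = result[m["conn"]]
        for name, pattern in EVENTS:
            hit = pattern.search(m["msg"])
            if hit:
                entry["counts"][name] += 1
                if name == "quick_initiated":
                    entry["ike_sas"].add(int(hit.group(1)))
    for entry in result.values():
        c = entry["counts"]
        if c["quick_initiated"] and c["no_proposal"]:
            entry["verdict"] = "phase2_proposal_rejected"
        elif c["quick_timeout"]:
            entry["verdict"] = "phase2_no_response"
        elif c["main_timeout"]:
            entry["verdict"] = "phase1_no_response"
        else:
            entry["verdict"] = "no_failure_seen"
    return dict(result)

if __name__ == "__main__":
    print({conn: info["verdict"] for conn, info in triage(SAMPLE_LOG).items()})
```
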
  
 
Posted: Fri Jun 15, 2007 10:39
firmware 2.11.03

