Hi all!
I just cannot get the DFL-800 and SWAN to connect over an IPsec tunnel. The settings are as follows:
lannet - 192.168.0.0/24, ct_remote_ipsec_net - 192.168.2.0/24
ct_key - mysecret
DFL-800 - IPSec
General: name: ct_ipsec, local network: lannet, remote network: ct_remote_ipsec_net, remote endpoint: ct_remote_nic_ip, Encapsulation Mode: Tunnel, IKE Config Mode: None, IKE Algorithms: ike_alg_swan (3DES, MD5), IKE Life Time: 28800, IPsec Algorithms: ipsec_alg_swan (3DES, MD5), IPsec Life Time: 3600 (seconds), IPsec Life Time: 0 (kilobytes)
---
Authentication: Pre-shared Key: ct_key , Local ID Type: Auto
---
XAuth: Off
---
Routing: Allow DHCP over IPsec from single-host clients, Dynamically add route to the remote network when a tunnel is established (both checked), Plaintext MTU: 1420, IP address to use as source IP of the tunnel: Automatically pick the address of a local interface that corresponds to the local net
---
IKE Settings: Main, PFS: DH Group 2, Security Association:
Per Net, NAT Traversal: On if supported and NATed
---
Dead Peer Detection: Dead Peer Detection (unchecked)
---
Keep-alive: Disabled
---
Advanced: Add route for remote network (checked), Route metric 190
--------
IP Rules:
ipsec_to_lan Allow ct_ipsec ct_remote_ipsec_net lan lannet all_services
lan_to_ipsec Allow lan lannet ct_ipsec ct_remote_ipsec_net all_services
-------
Debian - ipsec.conf:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    interfaces="ipsec0=eth1"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    plutodebug="all"
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    nat_traversal=yes
# Uncomment to activate Opportunistic Encryption (OE)
# include /etc/ipsec.d/examples/oe.conf
conn main
    leftsubnet=192.168.2.0/24
    left=191.x.x.x
    right=89.179.x.x
    rightsubnet=192.168.0.0/24
    auth=esp
    authby=secret
    auto=start
----
ipsec.secrets:
: PSK "mysecret"
----
DFL logs:
---
Info IPSEC 1802708 ike_sa_destroyed ike_sa_killed ike_sa=" Initiator SPI ESP=0xab080c83, AH=0x8df11fe7, IPComp=0x46bb88d"
Warning IPSEC 1802022 ike_sa_failed no_ike_sa statusmsg="No proposal chosen" local_peer="89.179.x.x ID No Id" remote_peer="191.x.x.x ID No Id" initiator_spi="ESP=0xab080c83, AH=0x8df11fe7, IPComp=0x46bb88d9"
Warning IPSEC 1802715 event_on_ike_sa side=Responder msg="failed" int_severity=6
Warning IPSEC 1800107 ike_invalid_proposal local_ip=89.179.x.x remote_ip=191.x.x.x cookies=ab080c838df11fe746bb88d9796ab5f6 reason="Could not find acceptable proposal"
Notice IPSEC 1802300 rule_selection_failed info="Peer IP address mismatch" int_severity=6
Info IPSEC 1803001 failed_to_select_policy_rule
Warning IPSEC 1802715 event_on_ike_sa side=Responder msg="failed" int_severity=6
Info IPSEC 1800201 commit succeeded
----
ikesnoop log (ikesnoop -on -verbose):
---
IkeSnoop: Received IKE packet from 191.x.x.x:500
Exchange type : Identity Protection (main mode)
ISAKMP Version : 1.0
Flags :
Cookies : 0xac0ed0be67f9b9 -> 0x00000000
Message ID : 0x00000000
Packet length : 296 bytes
# payloads : 7
Payloads:
SA (Security Association)
Payload data length : 144 bytes
DOI : 1 (IPsec DOI)
Proposal 1/1
Protocol 1/1
Protocol ID : ISAKMP
SPI Size : 0
Transform 1/4
Transform ID : IKE
Life type : Seconds
Life duration : 10800
Encryption algorithm : 3DES-cbc
Hash algorithm : SHA
Authentication method : Pre-Shared Key
Group description : MODP 1536
Transform 2/4
Transform ID : IKE
Life type : Seconds
Life duration : 10800
Encryption algorithm : 3DES-cbc
Hash algorithm : SHA
Authentication method : Pre-Shared Key
Group description : MODP 1024
Transform 3/4
Transform ID : IKE
Life type : Seconds
Life duration : 10800
Encryption algorithm : 3DES-cbc
Hash algorithm : MD5
Authentication method : Pre-Shared Key
Group description : MODP 1536
Transform 4/4
Transform ID : IKE
Life type : Seconds
Life duration : 10800
Encryption algorithm : 3DES-cbc
Hash algorithm : MD5
Authentication method : Pre-Shared Key
Group description : MODP 1024
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 32 f0 e9 b9 c0 6d fe 8c 9a d5 59 9a 63 69 71 a1
Description : (unknown)
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Description : draft-ietf-ipsec-dpd-00
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
Description : RFC 3947
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
Description : draft-ietf-ipsec-nat-t-ike-03
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48
Description : draft-ietf-ipsec-nat-t-ike-02
VID (Vendor ID)
Payload data length : 16 bytes
Vendor ID : 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
Description : draft-ietf-ipsec-nat-t-ike-00
2009-07-19 20:58:38: IkeSnoop: Sending IKE packet to 191.x.x.x:500
Exchange type : Informational
ISAKMP Version : 1.0
Flags :
Cookies : 0xac0ed0be67f9b9 -> 0x3e5669ac15fa51b9
Message ID : 0x2caf065d
Packet length : 102 bytes
# payloads : 1
Payloads:
N (Notification)
Payload data length : 70 bytes
Protocol ID : ISAKMP
Notification : No proposal chosen
Notification data:
Notify message version: 1
Error text: "Could not find acceptable proposal"
Offending message ID: 0x00000000
---
I have tried different things (algorithms, forcibly disabling compression, no PFS, etc.), but nothing works.
Please suggest what the problem might be.
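As an added example (not code from the post, from D-Link or from Openswan), here is a small Python script that parses the Transform blocks of the SA payload shown in the ikesnoop output above and checks each one against a local IKE phase-1 policy, which is the comparison a responder performs before it answers "No proposal chosen". The policy values (3DES, MD5, pre-shared key) are taken from the DFL-800 settings in the post; using DH group 2 (MODP 1024) for phase 1 is an assumption, because the post only lists "DH Group 2" under PFS. The sample input is the post's own transform list, abridged to the fields the check uses.

```python
"""Check the IKEv1 phase-1 transforms a peer offers (as printed by ikesnoop)
against a local IKE policy, the way a responder does before it answers
"No proposal chosen". Added example: not code from the post, D-Link or Openswan."""
import re
from typing import Dict, List, Optional

# Constructed sample: the four Transform blocks of the SA payload from the
# ikesnoop output in the post, abridged to the fields this check uses.
IKESNOOP_SAMPLE = """\
Transform 1/4
Life duration : 10800
Encryption algorithm : 3DES-cbc
Hash algorithm : SHA
Authentication method : Pre-Shared Key
Group description : MODP 1536
Transform 2/4
Life duration : 10800
Encryption algorithm : 3DES-cbc
Hash algorithm : SHA
Authentication method : Pre-Shared Key
Group description : MODP 1024
Transform 3/4
Life duration : 10800
Encryption algorithm : 3DES-cbc
Hash algorithm : MD5
Authentication method : Pre-Shared Key
Group description : MODP 1536
Transform 4/4
Life duration : 10800
Encryption algorithm : 3DES-cbc
Hash algorithm : MD5
Authentication method : Pre-Shared Key
Group description : MODP 1024
"""

# IANA IKEv1 Diffie-Hellman group numbers -> the names ikesnoop prints.
DH_GROUPS = {1: "MODP 768", 2: "MODP 1024", 5: "MODP 1536", 14: "MODP 2048"}
# Field label as ikesnoop prints it -> short attribute name used below.
FIELDS = {"Encryption algorithm": "encryption", "Hash algorithm": "hash",
          "Authentication method": "auth", "Group description": "group",
          "Life duration": "life"}
# Local phase-1 policy from the DFL-800 settings in the post (ike_alg_swan =
# 3DES/MD5, pre-shared key). Phase-1 DH group 2 is an assumption: the post
# only lists "DH Group 2" under PFS.
DFL_POLICY = {"encryption": "3DES", "hash": "MD5",
              "auth": "Pre-Shared Key", "group": DH_GROUPS[2]}


def parse_transforms(text: str) -> List[Dict[str, str]]:
    """Split the 'Transform N/M' blocks and read their 'key : value' lines."""
    transforms: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"Transform (\d+/\d+)$", line)
        if header:
            transforms.append({"number": header.group(1)})
        elif transforms and " : " in line:
            key, value = (p.strip() for p in line.split(" : ", 1))
            if key in FIELDS:
                transforms[-1][FIELDS[key]] = value
    for t in transforms:
        # ikesnoop prints "3DES-cbc"; match on the cipher name only
        t["encryption"] = t.get("encryption", "?").split("-")[0].upper()
        t["hash"] = t.get("hash", "?").upper()
    return transforms


def mismatches(t: Dict[str, str], policy: Dict[str, str]) -> List[str]:
    """Attributes on which the offer differs from local policy. Lifetime is not
    compared: an IKEv1 responder accepts a differing lifetime and announces its
    own with a RESPONDER-LIFETIME notify rather than rejecting the proposal."""
    return [f"{k}: offered {t.get(k, '?')}, policy {policy[k]}"
            for k in ("encryption", "hash", "auth", "group")
            if t.get(k, "?").upper() != policy[k].upper()]


def select_transform(transforms: List[Dict[str, str]],
                     policy: Dict[str, str]) -> Optional[Dict[str, str]]:
    """First offered transform the responder could accept, or None."""
    return next((t for t in transforms if not mismatches(t, policy)), None)


def report(text: str, policy: Dict[str, str]) -> str:
    """One line per offered transform, then the responder's overall outcome."""
    transforms = parse_transforms(text)
    lines = []
    for t in transforms:
        reasons = mismatches(t, policy)
        verdict = "ACCEPTABLE" if not reasons else "rejected: " + "; ".join(reasons)
        lines.append(f"Transform {t['number']} {t['encryption']}/{t['hash']}/"
                     f"{t['group']} life={t.get('life', '?')}s -> {verdict}")
    chosen = select_transform(transforms, policy)
    lines.append(f"Responder picks transform {chosen['number']}" if chosen
                 else "Responder replies: No proposal chosen")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(IKESNOOP_SAMPLE, DFL_POLICY))
```

Run as-is and it prints one verdict per offered transform. With the assumed policy, the fourth transform (3DES/MD5/MODP 1024) matches on every algorithm attribute, so if the real phase-1 DH group on the DFL differs from the assumption, change DFL_POLICY["group"] and re-run to see which transform, if any, survives. The DFL log above also reports rule_selection_failed with "Peer IP address mismatch", which is a tunnel-selection check on the remote endpoint address rather than an algorithm comparison; this script does not model that step.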